https://community.cisco.com/t5/network-access-control/dhcp-probe-does-not-work/m-p/3864978#M472786 <P>Hi Jason,</P><P>&nbsp;</P><P>As i have three Cat6500 that act as DHCP servers (each one of them in a different VTP Domain) i wouldn't&nbsp; prefer to use SPAN sessions.</P><P>&nbsp;</P><P>But what do you mean to use ip helper on the L3 SVI on the downstream?&nbsp;</P><P>I already use ip helper addresses in the SVIs on the Cat6500s side (where the DHCP server reside).</P><P>Do you suggest something different?</P><P>&nbsp;</P><P>Lastly, as i have already done some testing with external linux vm acting as a DHCP server and ISE PSNs started to get the DHCP messages, i am considering of permanently enabling external DHCP services on linux vms and canceling the DHCP services on the 6500s.</P><P>&nbsp;</P><P>Thanks for your support,</P><P>Ditter</P> Thu, 30 May 2019 06:39:03 GMT Ditter 2019-05-30T06:39:03Z https://community.cisco.com/t5/network-access-control/dhcp-probe-does-not-work/m-p/3862357#M472690 <P>Hi to all,</P><P>&nbsp;</P><P>i wonder if you can help me in the following:</P><P>&nbsp;</P><P>I have two cisco PSNs.&nbsp; Both of them are configured as profiling nodes&nbsp; and both of them have activated the following three probes:</P><P>&nbsp;</P><P>1. SNMP Query Probe</P><P>2. DNS Probe</P><P>3. DHCP Probe</P><P>4. Radius Probe</P><P>&nbsp;</P><P>In addition on the Cisco routers that act as DHCP servers i have configured ip helper addressess that point to the two PSNs.</P><P>&nbsp;</P><P>The problem is that not even one endpoint has been profiled via the DHCP probe , most of them have&nbsp; been profiled through SNMP and some of them through Radius Probe.</P><P>&nbsp;</P><P>Please not that the DHCP clients are not 802.1x clients, simple endpoints that come in the network as simple DHCP clients.</P><P>&nbsp;</P><P>Is there any possibility that the Cisco DHCP servers that runs on the various 6500s suppress the ip helper messages because of the fact that the DHCP server is itself?</P><P>&nbsp;</P><P>I also suspected ip forward-protocol but at least for bootp the ip forward protocol is on.</P><P>&nbsp;</P><P>Any ideas?</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Ditter</P> Fri, 24 May 2019 13:52:24 GMT https://community.cisco.com/t5/network-access-control/dhcp-probe-does-not-work/m-p/3862357#M472690 Ditter 2019-05-24T13:52:24Z https://community.cisco.com/t5/network-access-control/dhcp-probe-does-not-work/m-p/3862517#M472691 Are your devices configured to act as a sensor? Should be something along these lines:<BR />#device-sensor notify all-changes<BR />#device-sensor filter-spec dhcp include list dhcpLIST<BR />#device-sensor filter-list dhcp list dhcpLIST<BR />##option name host-name<BR />##option (? will show you the attribute list)<BR /><BR />Good luck &amp; HTH! Fri, 24 May 2019 16:28:09 GMT https://community.cisco.com/t5/network-access-control/dhcp-probe-does-not-work/m-p/3862517#M472691 Mike.Cifelli 2019-05-24T16:28:09Z https://community.cisco.com/t5/network-access-control/dhcp-probe-does-not-work/m-p/3862635#M472692 <P>thanks for your answer.</P><P>&nbsp;</P><P>Not all my switches support device sensor , i have many cat 4500 that do not support the sensor command.</P> Fri, 24 May 2019 20:18:35 GMT https://community.cisco.com/t5/network-access-control/dhcp-probe-does-not-work/m-p/3862635#M472692 Ditter 2019-05-24T20:18:35Z https://community.cisco.com/t5/network-access-control/dhcp-probe-does-not-work/m-p/3863239#M472737 <P>It seems that no bootps packets reach ISE PSNs.&nbsp;</P><P>&nbsp;</P><P>I am suspecting the DHCP server which is the cisco router itself.</P><P>&nbsp;</P><P>Is there any possibility that as Csico router is the DHCP server itself does not forward the same DHCP requests to the ISE PSNs although ip helper-address is configured and no firewall exists between the dhcp clients vlan and the ISE vlan ??</P><P>&nbsp;</P><P>Ditter</P> Mon, 27 May 2019 09:50:11 GMT https://community.cisco.com/t5/network-access-control/dhcp-probe-does-not-work/m-p/3863239#M472737 Ditter 2019-05-27T09:50:11Z https://community.cisco.com/t5/network-access-control/dhcp-probe-does-not-work/m-p/3863287#M472738 <P>I did some more settings with external DHCP Server and ISE successfully gets the dhcp packets.</P><P>&nbsp;</P><P>So i am convinced that when the Cat6500 acts as a DHCP server does not forward DHCP packets to ISE.</P><P>although forward protocol is ON for bootps and ip helper-address is correctly configured.</P><P>&nbsp;</P><P>Is it bug or a feature of Cat6500?</P><P><span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Mon, 27 May 2019 11:19:54 GMT https://community.cisco.com/t5/network-access-control/dhcp-probe-does-not-work/m-p/3863287#M472738 Ditter 2019-05-27T11:19:54Z https://community.cisco.com/t5/network-access-control/dhcp-probe-does-not-work/m-p/3864699#M472739 <P>Something to ask the switching group. You can rely on dhcp span if needed. What about ip helper on the L3 SVI on the downstream? Setup a DHCP server instead of using the network infrastructure and send it to that instead? A microsoft DHCP server perhaps?</P> Wed, 29 May 2019 19:43:01 GMT https://community.cisco.com/t5/network-access-control/dhcp-probe-does-not-work/m-p/3864699#M472739 Jason Kunst 2019-05-29T19:43:01Z https://community.cisco.com/t5/network-access-control/dhcp-probe-does-not-work/m-p/3864978#M472786 <P>Hi Jason,</P><P>&nbsp;</P><P>As i have three Cat6500 that act as DHCP servers (each one of them in a different VTP Domain) i wouldn't&nbsp; prefer to use SPAN sessions.</P><P>&nbsp;</P><P>But what do you mean to use ip helper on the L3 SVI on the downstream?&nbsp;</P><P>I already use ip helper addresses in the SVIs on the Cat6500s side (where the DHCP server reside).</P><P>Do you suggest something different?</P><P>&nbsp;</P><P>Lastly, as i have already done some testing with external linux vm acting as a DHCP server and ISE PSNs started to get the DHCP messages, i am considering of permanently enabling external DHCP services on linux vms and canceling the DHCP services on the 6500s.</P><P>&nbsp;</P><P>Thanks for your support,</P><P>Ditter</P> Thu, 30 May 2019 06:39:03 GMT https://community.cisco.com/t5/network-access-control/dhcp-probe-does-not-work/m-p/3864978#M472786 Ditter 2019-05-30T06:39:03Z https://community.cisco.com/t5/network-access-control/dhcp-probe-does-not-work/m-p/3865080#M472787 The external server as you found is the way to go. You have tried the other viable options and they are not working<BR /> Thu, 30 May 2019 10:24:01 GMT https://community.cisco.com/t5/network-access-control/dhcp-probe-does-not-work/m-p/3865080#M472787 Jason Kunst 2019-05-30T10:24:01Z https://community.cisco.com/t5/network-access-control/dhcp-probe-does-not-work/m-p/3865452#M472788 <P>Hi Ditter,</P><P>&nbsp;</P><P>The 6500 won't send DHCP broadcast (start of DORA) to ip helper addresses because itself is the DHCP server.&nbsp; To profile devices using DHCP you will need to either:</P><OL><LI>&nbsp;Remove local DHCP services and migrate to another one e.g. Microsoft DHCP or other.</LI><LI>Leverage SPAN ports for DHCP however it may be inconvenient to run up PSN (virtual) all over your campus/network to ingest SPAN information.&nbsp;&nbsp;</LI></OL><P>Hope this answers your question.</P><P>Adrian</P> Thu, 30 May 2019 21:49:54 GMT https://community.cisco.com/t5/network-access-control/dhcp-probe-does-not-work/m-p/3865452#M472788 adriansoh 2019-05-30T21:49:54Z