topic Re: Cant configure FTD2100 DHCP Server to /23 in Network Security

Cant configure FTD2100 DHCP Server to /23

jbates5873 — Thu, 16 Feb 2023 03:04:39 GMT

Hi all,

I am trying to do a deployment that needs to use a /23 subnet. And unless im missing something super simple, it seems that the DHCP server cant do any more than a /24.

I have the interface set like below

results in this error

Looking at the CIDR breakout, my range should fall within the correct ranges.

Am i missing something here? or is there some hidden setting? If i drop the DHCP range to be < 255 ips, its all good. but fails as soon as i go over. even though the interface is set to /23

Thanks

Jasin

Re: Cant configure FTD2100 DHCP Server to /23

Sheraz.Salim — Thu, 16 Feb 2023 09:04:09 GMT

This is a FTD software limitation (even same apply with ASA code too). you can not exceed more than 256 host ip address. it has to be lower than 255 ip addresses.

unless otherwise you use a External DHCP server.

Re: Cant configure FTD2100 DHCP Server to /23

Marius Gunnerud — Thu, 16 Feb 2023 10:56:20 GMT

Just to add to what @Sheraz.Salim has said, Here is a link to documentation stating this limitation.

https://www.cisco.com/c/en/us/td/docs/security/firepower/720/fdm/fptd-fdm-config-guide-720/fptd-fdm-system.html#task_5E428B7B30F9436ABF3BD93608A5D1C5

Quote:

"Address Pool—The range of IP addresses from lowest to highest that the server is allowed to provide to clients that request an address. Specify the start and end address for the pool, separated by a hyphen. For example, 10.100.10.12-10.100.10.250.

The range of IP addresses must be on the same subnet as the selected interface and cannot include: the IP address of the interface itself, the broadcast address, or the subnet network address.

The size of the address pool is limited to 256 addresses per pool on the threat defense device. If the address pool range is larger than 253 addresses, the netmask of the threat defense interface cannot be a Class C address (for example, 255.255.255.0) and needs to be something larger, for example, 255.255.254.0."

Re: Cant configure FTD2100 DHCP Server to /23

jbates5873 — Thu, 16 Feb 2023 10:59:30 GMT

Thanks, but thats what I don't get, as I'm using a class a network (I think) 10.x.x.x/23

But it seems that it can't be done. Sigh. I will have to find another solution.

Re: Cant configure FTD2100 DHCP Server to /23

Sheraz.Salim — Thu, 16 Feb 2023 11:36:00 GMT

(preference 1)dont you have any external Server. or (preference 2) you can use the switch or router if you like for the DHCP server.

but thats what I don't get, as I'm using a class a network (I think) 10.x.x.x/23

as @Marius Gunnerud noted from the documentation The size of the address pool is limited to 256 addresses per pool on the threat defense device. If the address pool range is larger than 253 addresses, the netmask of the threat defense interface cannot be a Class C address (for example, 255.255.255.0) and needs to be something larger, for example, 255.255.254.0."

in other words it a limitation on the appliances (software).

Re: Cant configure FTD2100 DHCP Server to /23

jbates5873 — Thu, 16 Feb 2023 22:34:55 GMT

Yes, i will have to go with preference 2 in this case.

Thanks all.