
DHCP Probe does not work

Ditter
Level 3

Hi to all,

I wonder if you can help me with the following:

I have two Cisco PSNs. Both of them are configured as profiling nodes and both of them have activated the following three probes:

1. SNMP Query Probe
2. DNS Probe
3. DHCP Probe
4. RADIUS Probe

In addition, on the Cisco routers that act as DHCP servers I have configured ip helper addresses that point to the two PSNs.

The problem is that not even one endpoint has been profiled via the DHCP probe; most of them have been profiled through SNMP and some of them through the RADIUS probe.

Please note that the DHCP clients are not 802.1x clients, just simple endpoints that come into the network as simple DHCP clients.

Is there any possibility that the Cisco DHCP servers that run on the various 6500s suppress the ip helper messages because of the fact that they are themselves the DHCP server?

I also suspected ip forward-protocol, but at least for bootp the ip forward-protocol is on.

Any ideas?

Thanks,

Ditter


Mike.Cifelli
VIP Alumni
Are your devices configured to act as a sensor? Should be something along these lines:
#device-sensor notify all-changes
#device-sensor filter-spec dhcp include list dhcpLIST
#device-sensor filter-list dhcp list dhcpLIST
##option name host-name
##option (? will show you the attribute list)

Good luck & HTH!

Thanks for your answer.

Not all my switches support device sensor; I have many Cat 4500s that do not support the sensor command.

It seems that no bootps packets reach the ISE PSNs.

I am suspecting the DHCP server, which is the Cisco router itself.

Is there any possibility that, as the Cisco router is the DHCP server itself, it does not forward the same DHCP requests to the ISE PSNs, although ip helper-address is configured and no firewall exists between the DHCP clients' VLAN and the ISE VLAN?

Ditter

I did some more settings with an external DHCP server and ISE successfully gets the DHCP packets.

So I am convinced that when the Cat6500 acts as a DHCP server it does not forward DHCP packets to ISE, although forward-protocol is ON for bootps and ip helper-address is correctly configured.

Is it a bug or a feature of the Cat6500?

;-)

Something to ask the switching group. You can rely on DHCP SPAN if needed. What about ip helper on the L3 SVI on the downstream? Set up a DHCP server instead of using the network infrastructure and send it to that instead? A Microsoft DHCP server perhaps?

Hi Jason,

As I have three Cat6500s that act as DHCP servers (each one of them in a different VTP domain), I would prefer not to use SPAN sessions.

But what do you mean by using ip helper on the L3 SVI on the downstream?

I already use ip helper addresses in the SVIs on the Cat6500s side (where the DHCP servers reside).

Do you suggest something different?

Lastly, as I have already done some testing with an external Linux VM acting as a DHCP server and the ISE PSNs started to get the DHCP messages, I am considering permanently enabling external DHCP services on Linux VMs and canceling the DHCP services on the 6500s.

Thanks for your support,

Ditter

The external server, as you found, is the way to go. You have tried the other viable options and they are not working.

adriansoh
Level 1

Hi Ditter,

The 6500 won't send the DHCP broadcast (start of DORA) to ip helper addresses because it is itself the DHCP server. To profile devices using DHCP you will need to either:

  1. Remove local DHCP services and migrate to another one, e.g. Microsoft DHCP or other.
  2. Leverage SPAN ports for DHCP; however, it may be inconvenient to run up PSN (virtual) all over your campus/network to ingest SPAN information.

Hope this answers your question.

Adrian
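
The thread's conclusion rests on whether relayed DHCP requests ever arrive at the profiling node. As an added example (not code from any poster in this thread), this Python sketch parses the UDP payload of a captured DHCP message and reports whether it came through a relay (giaddr set) along with options such as host-name that a DHCP-based profiler can read. The sample packet, its addresses and all function names are constructed for illustration.

```python
import socket
import struct

# Fixed 236-byte BOOTP header, followed by the DHCP magic cookie and options.
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

def parse_dhcp(payload):
    """Parse the UDP payload of a DHCP message (port 67/68)."""
    start = BOOTP.size + 4
    if len(payload) < start or payload[BOOTP.size:start] != MAGIC:
        raise ValueError("not a DHCP message")
    f = BOOTP.unpack_from(payload)  # f[2]=hlen f[3]=hops f[10]=giaddr f[11]=chaddr
    msg = {"giaddr": socket.inet_ntoa(f[10]), "hops": f[3],
           "mac": f[11][:f[2]].hex(":"), "options": {}}
    i = start
    while i < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:  # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        msg["options"][code] = value
        i += 2 + length
    return msg

def profiling_view(msg):
    """Fields a DHCP-based profiler can use; relayed means giaddr is set."""
    opts = msg["options"]
    return {"type": MSG_TYPES.get((opts.get(53) or b"\0")[0], "OTHER"),
            "relayed": msg["giaddr"] != "0.0.0.0",
            "host-name": opts.get(12, b"").decode("ascii", "replace"),
            "class-id": opts.get(60, b"").decode("ascii", "replace"),
            "param-list": list(opts.get(55, b""))}

def build_sample(giaddr="10.1.20.1"):
    """Constructed DISCOVER as a relay would forward it (made-up values)."""
    header = BOOTP.pack(1, 1, 6, 1, 0x1234ABCD, 0, 0x8000, bytes(4), bytes(4),
                        bytes(4), socket.inet_aton(giaddr),
                        bytes.fromhex("001122334455"), bytes(64), bytes(128))
    options = (b"\x35\x01\x01" + b"\x0c\x06lab-pc" + b"\x3c\x08MSFT 5.0"
               + b"\x37\x04\x01\x03\x06\x0f" + b"\xff")
    return header + MAGIC + options

if __name__ == "__main__":
    print(profiling_view(parse_dhcp(build_sample())))
```

If a capture on the receiving side shows no DHCP requests with a non-zero giaddr from the client VLAN's gateway, the relay is not forwarding them, which matches what was observed here with the 6500 acting as the DHCP server.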
