05-24-2019 06:52 AM
Hi to all,
I wonder if you can help me with the following:
I have two Cisco PSNs. Both of them are configured as profiling nodes and both of them have activated the following three probes:
1. SNMP Query Probe
2. DNS Probe
3. DHCP Probe
4. Radius Probe
In addition, on the Cisco routers that act as DHCP servers I have configured ip helper addresses that point to the two PSNs.
The problem is that not even one endpoint has been profiled via the DHCP probe; most of them have been profiled through SNMP and some of them through the Radius Probe.
Please note that the DHCP clients are not 802.1x clients, just simple endpoints that come into the network as simple DHCP clients.
Is there any possibility that the Cisco DHCP servers that run on the various 6500s suppress the ip helper messages because they are the DHCP server themselves?
I also suspected ip forward-protocol, but at least for bootp the ip forward-protocol is on.
Any ideas?
Thanks,
Ditter
05-24-2019 09:28 AM
05-24-2019 01:18 PM
Thanks for your answer.
Not all my switches support device sensor; I have many Cat 4500s that do not support the sensor command.
05-27-2019 02:50 AM
It seems that no bootps packets reach the ISE PSNs.
I suspect the DHCP server, which is the Cisco router itself.
Is there any possibility that, as the Cisco router is the DHCP server itself, it does not forward the same DHCP requests to the ISE PSNs, although ip helper-address is configured and no firewall exists between the DHCP clients' VLAN and the ISE VLAN?
Ditter
05-27-2019 04:19 AM
I did some more testing with an external DHCP server and ISE successfully gets the DHCP packets.
So I am convinced that when the Cat6500 acts as a DHCP server it does not forward DHCP packets to ISE, although forward protocol is ON for bootps and ip helper-address is correctly configured.
Is it a bug or a feature of the Cat6500?
;-)
05-29-2019 12:40 PM - edited 05-29-2019 12:43 PM
Something to ask the switching group. You can rely on DHCP SPAN if needed. What about ip helper on the L3 SVI on the downstream? Set up a DHCP server instead of using the network infrastructure and send it to that instead? A Microsoft DHCP server perhaps?
05-29-2019 11:39 PM
Hi Jason,
As I have three Cat6500s that act as DHCP servers (each one of them in a different VTP domain), I would prefer not to use SPAN sessions.
But what do you mean by using ip helper on the L3 SVI on the downstream?
I already use ip helper addresses in the SVIs on the Cat6500s' side (where the DHCP server resides).
Do you suggest something different?
Lastly, as I have already done some testing with an external Linux VM acting as a DHCP server and the ISE PSNs started to get the DHCP messages, I am considering permanently enabling external DHCP services on Linux VMs and cancelling the DHCP services on the 6500s.
Thanks for your support,
Ditter
05-30-2019 03:24 AM
05-30-2019 02:49 PM
Hi Ditter,
The 6500 won't send the DHCP broadcast (start of DORA) to ip helper addresses because it is itself the DHCP server. To profile devices using DHCP you will need to either:
Hope this answers your question.
Adrian