10-18-2017 02:04 PM
I've added "ip helper-address <ISE-PSN-IP>" to the interface vlans to which I want to relay DHCP information to ISE.
I'm running ISE on a VM (VMware ESXi 5.5.0), and currently the Management vmnic's VLAN ID is configured as "None (0)." I'm currently not seeing DHCP information arriving in ISE and am thinking that the vmnic's VLAN ID configuration needs to change to "All (4095)" to allow tagged DHCP packets to be received by ISE.
Right now, with the setting of "None (0)," I'm thinking that tagged packets are being dropped, and that by updating the configuration setting to "All (4095)" DHCP packets will be received by ISE so it can properly profile endpoints.
Would this be a correct understanding?
If I do change this setting, will the other guest OSs (VMs) that are using the same vmnic remain functional?
Solved! Go to Solution.
10-18-2017 03:20 PM
The DHCP forwarding is a unicast forwarded packet. There is no tagging involved. Remember that DHCP forwarding only works with a client's initial broadcast DHCP request. DHCP renewals are unicast packets to the DHCP server. ISE will never see those via DHCP forwarding.
10-18-2017 04:00 PM
I have a tap right in front of the VM's management port and see the tagged DHCP forwarded frames. VLAN 76 DHCP Discover, Offer, Request, and Ack are being received by the VM, but they're not being processed by ISE for profiling.
Perhaps I have something configured incorrectly on the L3 switch?
I just used the "ip helper-address <ISE-PSN-IP>" and assumed that this would forward all DHCP traffic to ISE-PSN-IP.
10-18-2017 04:37 PM
Much of that DHCP is local broadcasts on a VLAN that is on the trunk link going to the VM environment. The ip helper-address command is all you need. The only packets intercepted by the ip helper command are broadcast DHCP packets on the VLAN the ip helper command is running on. Those would be the DHCP Discover and the DHCP Request packets. The DHCP Request packet is only a broadcast the very first time the system gets a DHCP address. If the system stays on the network, the DHCP Request will happen when the client is renewing its DHCP lease, and it will be a unicast packet to the DHCP server that gave the client the IP address.
If you have ip helpers on the client VLANs, you will see DHCP Discovers and Requests for new IP addresses unicast to the ISE PSN IP addresses.
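To make the answer above concrete, here is an added example (not code from the thread, Cisco IOS, or ISE) that models what an ip helper-address relay does with the three client messages discussed: a broadcast Discover, the first broadcast Request, and a unicast lease renewal. It builds minimal RFC 2131 BOOTP/DHCP messages, applies the relay rules (intercept only UDP/67 broadcasts, increment hops, fill in giaddr with the SVI address, unicast to each helper) and reports what the PSN would receive. The SVI address, helper address, DHCP server address, client lease and MAC are constructed values, not taken from the original post.

```python
import socket
import struct

# All addresses below are constructed for the example; none are from the thread.
SVI_ADDR = "10.76.0.1"        # gateway SVI on the client VLAN carrying "ip helper-address"
HELPER_ADDRS = ["10.0.0.50"]  # ISE PSN(s) listed in ip helper-address (assumed values)
DHCP_SERVER = "10.0.0.10"     # the real DHCP server that leased the address (assumed)
BROADCAST = "255.255.255.255"
SERVER_PORT, CLIENT_PORT = 67, 68
MAX_HOPS = 16                 # RFC 1542: a relay discards requests whose hops exceed this

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed BOOTP header (RFC 2131 section 2)
MAGIC = b"\x63\x82\x53\x63"
DISCOVER, REQUEST = 1, 3


def build_dhcp(msg_type, xid, mac, ciaddr="0.0.0.0"):
    """Build a minimal client BOOTREQUEST carrying only option 53 (DHCP message type)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    hdr = struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0,
                      socket.inet_aton(ciaddr), b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      chaddr, b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(pkt):
    """Decode the BOOTP fields a relay or profiler cares about, plus option 53."""
    f = struct.unpack(BOOTP_FMT, pkt[:236])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:   # 255 = end option
        if pkt[i] == 0:                     # 0 = pad
            i += 1
            continue
        ln = pkt[i + 1]
        opts[pkt[i]] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {
        "hops": f[3], "xid": f[4],
        "ciaddr": socket.inet_ntoa(f[7]), "giaddr": socket.inet_ntoa(f[10]),
        "chaddr": f[11][:f[2]].hex(":"),
        "msg_type": opts.get(53, b"\0")[0],
    }


def relay(datagram):
    """Model of what 'ip helper-address' does on the SVI for one received UDP datagram.

    datagram = (src_ip, dst_ip, dst_port, payload). Returns the unicast datagrams
    sent to the helpers, or [] if the packet is routed normally and never relayed.
    """
    src_ip, dst_ip, dst_port, payload = datagram
    if dst_ip != BROADCAST or dst_port != SERVER_PORT:
        return []                          # unicast to a server: routed, not relayed
    f = list(struct.unpack(BOOTP_FMT, payload[:236]))
    if f[3] >= MAX_HOPS:
        return []                          # loop protection (RFC 1542 section 4.1.1)
    f[3] += 1                              # hops
    if f[10] == b"\0" * 4:                 # giaddr still zero: first relay fills it in
        f[10] = socket.inet_aton(SVI_ADDR)
    relayed = struct.pack(BOOTP_FMT, *f) + payload[236:]
    return [(SVI_ADDR, helper, SERVER_PORT, relayed) for helper in HELPER_ADDRS]


def what_ise_sees():
    """Run the three client messages through the relay; report which reach the PSN."""
    mac = "00:11:22:33:44:55"
    discover = ("0.0.0.0", BROADCAST, SERVER_PORT, build_dhcp(DISCOVER, 0x1234, mac))
    first_req = ("0.0.0.0", BROADCAST, SERVER_PORT, build_dhcp(REQUEST, 0x1234, mac))
    # Lease renewal (RENEWING state): the client already holds 10.76.0.23 and
    # unicasts its Request straight to the server that leased it.
    renewal = ("10.76.0.23", DHCP_SERVER, SERVER_PORT,
               build_dhcp(REQUEST, 0x5678, mac, ciaddr="10.76.0.23"))
    seen = {}
    for name, dg in (("discover", discover), ("request", first_req), ("renewal", renewal)):
        seen[name] = [(src, dst, parse_dhcp(p)) for src, dst, _, p in relay(dg)]
    return seen


if __name__ == "__main__":
    for name, arrivals in what_ise_sees().items():
        if not arrivals:
            print(f"{name:9s}: not relayed (never reaches ISE via ip helper-address)")
        for src, dst, fields in arrivals:
            print(f"{name:9s}: {src} -> {dst}:{SERVER_PORT}  giaddr={fields['giaddr']} "
                  f"hops={fields['hops']} chaddr={fields['chaddr']} type={fields['msg_type']}")
```

Running it shows the Discover and the first Request arriving at the helper as unicast from the SVI address with giaddr set and hops incremented, while the renewal never produces a relayed copy. Two practical caveats: a client in the REBINDING state (after T2 expires without an answer from its server) broadcasts its Request again, so the helper does forward that one; and the PSN only acts on what it receives if the DHCP probe is enabled on that PSN interface in the ISE profiling configuration.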