What will happen to 802.1x switches if there is no "ip helper-address <ISE IP>"?

getaway51
Level 2

Hi,

Do I need to add "ip helper-address <ISE server IP>" in each VLAN to refer to the ISE server? What will happen if I don't add this ip helper command to every VLAN on a switch where 802.1X is activated?

What is its function, and will it interrupt my switch's existing ip helper-address?


Next, I'll configure my Layer 3 configuration. I also include an ip helper-address to the ISE server (10.1.100.21) so ISE can collect additional DHCP profiling information:

interface vlan 10
ip address 10.1.10.1 255.255.255.0
ip helper-address 10.1.100.21
no shut

interface vlan 50
ip address 10.1.50.1 255.255.255.0
ip helper-address 10.1.100.21
no shut

interface vlan 70
ip address 10.1.70.1 255.255.255.0
ip helper-address 10.1.100.21
no shut

interface vlan 100
ip address 10.1.100.1 255.255.255.0
ip helper-address 10.1.100.21
no shut


#Mat
Level 6

Hi, ip helper-address sends a copy of the client's DHCP request to ISE. If you don't add the line, you will not be able to profile by DHCP packet in those VLANs.

But you can use other probes to address this weakness.

Regards

Hi,

Do you mean that the endpoints of those devices authenticating to ISE via MAB will not have any "endpoint profile"?

So far those endpoint devices like Avaya VoIP, Cisco VoIP phones and printers have their profiles stated in ISE, even though I didn't configure ip helper-address <ISE> in all VLANs. May I know, in layman's terms and for authentication (ALLOW/DENY), what will happen if I don't input this command?

The ip helper is not necessary.  It will not impact authentication at all and also will not impact DHCP at all.  When a switch has ip helper addresses on a VLAN interface, it just sends the DHCP Discover packets to each of the IP addresses listed and the first one to respond sets the IP information.  ISE never responds.  It just collects the information for profiling.  If you are using DHCP Snooping and have device sensor configured, then you get the DHCP information that way.  And that is preferred over the ip helper command.

If you have enough profiling information already, then you don't need to add the ip helpers.

Hi,

Many thanks for your layman's explanation. It is easier to understand.

Based on your statement, "If you have enough profiling information already, then you don't need to add the ip helper":

May I know how to verify if I have enough profiling info in ISE?

They keep telling me I need to include the "ip helper-address <ISE IP>" on each VLAN interface.

I have 2 options.

1) Add another command, "ip helper-address <ISE IP>", to each VLAN interface:

int vlan 28

ip helper-address <dns server> (currently refers to a MS DHCP server)

"ip helper-address <ISE IP>" (2nd line)

When I add this command "ip helper-address <ISE IP>" to each VLAN interface, will it automatically go to the second line? Does it mean both ip helper-address commands will run at the same time? Any primary/secondary? Which DHCP server will the device refer to?

2) Verify that I don't need to add "ip helper-address <ISE IP>" to each VLAN interface because ISE doesn't need it, as it already has enough profiling info. How do I verify this?

1.  When you have multiple "ip helper-address" commands on an interface, the switch will send the DHCP packets to all of the helpers.  So in your case, it would send to both MS DHCP and ISE.  ISE will never respond so it doesn't cause any issues.  It is just a copy for profiling purposes.  MS DHCP will respond to assign addresses.  And yes, if you already have one statement there, the next ones will be added after.  But again, it doesn't matter because the device will send the DHCP requests to all of the helpers.

2.  If you have devices that you need to authenticate with MAB and ISE is able to profile them correctly today, then you don't need more profiling information.  For example, if you want to authenticate Cisco IP Phones with MAB and ISE already identifies them as Cisco IP Phones, then you are good.  But if ISE is showing them as "Unknown", then you will need to give ISE more information so it can profile them correctly.
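To make the relay and profiling behaviour described in the two answers above concrete, here is an added Python example (not code from the thread or from Cisco). It builds a constructed DHCP Discover as the switch would relay it to each ip helper-address, with giaddr set to the VLAN SVI address used in the original post (10.1.10.1), and extracts the fields a DHCP profiling probe reads; a DHCP server would answer this packet, while a profiler such as ISE only reads its copy and never responds.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"


def build_discover(mac: bytes, giaddr: str, hostname: str, vendor_class: str) -> bytes:
    """Build a minimal BOOTP/DHCP Discover (constructed test data, not a capture)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 1,                     # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=1 (relayed)
        0x3903F326, 0, 0x8000,          # xid, secs, flags (broadcast bit set)
        bytes(4), bytes(4), bytes(4),   # ciaddr, yiaddr, siaddr are zero in a Discover
        bytes(int(o) for o in giaddr.split(".")),  # giaddr: relay (SVI) address set by the switch
        mac.ljust(16, b"\0"), bytes(64), bytes(128),
    )
    opts = b"\x35\x01\x01"                                                # 53: DHCPDISCOVER
    opts += b"\x0c" + bytes([len(hostname)]) + hostname.encode()          # 12: host-name
    opts += b"\x3c" + bytes([len(vendor_class)]) + vendor_class.encode()  # 60: class-identifier
    opts += b"\x37\x04\x01\x03\x06\x0f"                                   # 55: parameter-request-list
    return header + DHCP_MAGIC + opts + b"\xff"


def parse_dhcp_profile(pkt: bytes) -> dict:
    """Return the attributes a DHCP profiling probe would learn from a relayed Discover."""
    if pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    hlen = pkt[2]
    info = {
        "mac": ":".join(f"{b:02x}" for b in pkt[28:28 + hlen]),
        "relay_agent": ".".join(str(b) for b in pkt[24:28]),  # giaddr tells the probe which SVI relayed it
    }
    i = 240
    while i < len(pkt) and pkt[i] != 0xFF:   # 0xFF = end option
        if pkt[i] == 0:                       # pad option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if code == 53:
            info["message_type"] = value[0]
        elif code == 12:
            info["host_name"] = value.decode(errors="replace")
        elif code == 60:
            info["dhcp_class_identifier"] = value.decode(errors="replace")
        elif code == 55:
            info["dhcp_parameter_request_list"] = ",".join(str(b) for b in value)
        i += 2 + length
    return info


# Constructed sample: a phone-like endpoint on VLAN 10, relayed via the 10.1.10.1 SVI.
SAMPLE = build_discover(bytes.fromhex("0050568a1234"), "10.1.10.1",
                        "SEP0050568A1234", "Cisco Systems, Inc. IP Phone CP-7965G")

if __name__ == "__main__":
    print(parse_dhcp_profile(SAMPLE))
```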

Hi,

That is a great explanation in layman's terms. Again, one last question: what will happen if ISE can't profile it correctly? Is it just for info purposes? By the way, the endpoint MAC address group is already allowed in the auth rules.

Hi,

What will happen to the endpoint if it cannot be profiled by DHCP? Consider that the MAC addresses of the endpoint devices are already added as Allow authentication.

It's just for visibility/info purposes.  For you to see what type of devices are on your network.  If you don't have a lot of "Unknown" devices, then you are good.