Cant configure FTD2100 DHCP Server to /23

jbates5873
Level 1

Hi all,

I am trying to do a deployment that needs to use a /23 subnet, and unless I'm missing something super simple, it seems that the DHCP server can't do any more than a /24.

I have the interface set like below

[screenshot: jbates5873_0-1676515934743.png]

This results in this error:

[screenshot: jbates5873_1-1676516430998.png]

Looking at the CIDR breakout, my range should fall within the correct ranges.

[screenshot: jbates5873_2-1676516550023.png]

Am I missing something here? Or is there some hidden setting? If I drop the DHCP range to be < 255 IPs, it's all good, but it fails as soon as I go over, even though the interface is set to /23.

Thanks

Jasin

2 Accepted Solutions

Sheraz.Salim
VIP Alumni

This is an FTD software limitation (the same applies to ASA code too). You cannot exceed more than 256 host IP addresses; it has to be lower than 255 IP addresses.

Unless you use an external DHCP server.

Please do not forget to rate.


Just to add to what @Sheraz.Salim has said, here is a link to the documentation stating this limitation.

https://www.cisco.com/c/en/us/td/docs/security/firepower/720/fdm/fptd-fdm-config-guide-720/fptd-fdm-system.html#task_5E428B7B30F9436ABF3BD93608A5D1C5

Quote:

  • "Address Pool—The range of IP addresses from lowest to highest that the server is allowed to provide to clients that request an address. Specify the start and end address for the pool, separated by a hyphen. For example, 10.100.10.12-10.100.10.250.

    The range of IP addresses must be on the same subnet as the selected interface and cannot include: the IP address of the interface itself, the broadcast address, or the subnet network address.

    The size of the address pool is limited to 256 addresses per pool on the threat defense device. If the address pool range is larger than 253 addresses, the netmask of the threat defense interface cannot be a Class C address (for example, 255.255.255.0) and needs to be something larger, for example, 255.255.254.0."

--
Please remember to select a correct answer and rate helpful posts

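To make the quoted rules concrete, here is an added Python check (example code, not from the thread or from Cisco) that applies them to a proposed pool: the range must sit inside the interface subnet, must not include the network, broadcast or interface address, and may hold at most 256 addresses. It also works out the largest pool an interface can carry, which shows why a /24 tops out at 253 and a /23 can reach the 256-address cap. All interface and pool values are constructed; 10.20.0.1/23 stands in for the poster's unspecified 10.x.x.x/23.

```python
"""Sanity-check an FTD/ASA on-box DHCP pool against the documented rules.

Added example, not code from the thread or from Cisco. It encodes the
constraints quoted from the FDM configuration guide: the pool must lie in
the interface's subnet, must not include the network, broadcast or
interface address, and may hold at most 256 addresses. All interface and
pool values below are constructed; 10.20.0.1/23 stands in for 10.x.x.x/23.
"""
import ipaddress

MAX_POOL = 256  # documented per-pool limit on the threat defense device


def check_dhcp_pool(interface_cidr: str, pool: str) -> list[str]:
    """Return the rule violations for a pool, or [] if it is acceptable.

    interface_cidr: interface address and mask, e.g. "10.20.0.1/23"
    pool: FDM-style "start-end" range, e.g. "10.20.0.10-10.20.1.9"
    """
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    start_s, _, end_s = pool.partition("-")
    start = ipaddress.ip_address(start_s.strip())
    end = ipaddress.ip_address(end_s.strip())
    problems: list[str] = []

    if end < start:
        return ["pool end is lower than pool start"]

    size = int(end) - int(start) + 1
    if start not in net or end not in net:
        problems.append(f"pool {start}-{end} is not inside interface subnet {net}")
    # The range may not cover the reserved addresses, even when it is in-subnet.
    for label, addr in (("network address", net.network_address),
                        ("broadcast address", net.broadcast_address),
                        ("interface address", iface.ip)):
        if start <= addr <= end:
            problems.append(f"pool includes the {label} {addr}")
    if size > MAX_POOL:
        problems.append(f"pool has {size} addresses, limit is {MAX_POOL} per pool")
    return problems


def largest_pool(interface_cidr: str) -> str:
    """Largest contiguous pool allowed on the interface, as "start-end" ("" if none).

    Usable addresses lie between the network and broadcast addresses; the
    interface's own address splits them into two runs, and the bigger run is
    capped at MAX_POOL. On a /24 with the interface at .1 this yields 253
    addresses, which is why the guide says a pool above 253 needs a wider mask.
    """
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    first = int(net.network_address) + 1
    last = int(net.broadcast_address) - 1
    ip = int(iface.ip)
    runs = [(first, ip - 1), (ip + 1, last)]  # below and above the interface IP
    lo, hi = max(runs, key=lambda r: r[1] - r[0])
    count = min(hi - lo + 1, MAX_POOL)
    if count < 1:
        return ""
    return f"{ipaddress.ip_address(lo)}-{ipaddress.ip_address(lo + count - 1)}"


if __name__ == "__main__":
    cases = [
        ("10.20.0.1/23", "10.20.0.10-10.20.1.250"),  # 497 addresses: rejected
        ("10.20.0.1/23", "10.20.0.10-10.20.1.9"),    # exactly 256: accepted
        ("10.20.0.1/24", "10.20.0.2-10.20.1.1"),     # 256 on a /24: spills out
    ]
    for iface, pool in cases:
        print(f"{iface:14} {pool:24} -> {check_dhcp_pool(iface, pool) or 'OK'}")
    for iface in ("10.20.0.1/24", "10.20.0.1/23"):
        print(f"largest pool on {iface}: {largest_pool(iface)}")
```

Run it before pushing a deployment: the first constructed case reproduces the thread's situation (a /23 interface with a pool far larger than 256), the second shows that the same /23 happily takes a pool of exactly 256, and the third shows that 256 addresses cannot be carved out of a /24 without running into the broadcast address or leaving the subnet. Anything beyond one pool of 256 per interface has to come from an external DHCP server or from the switch/router, as the replies say.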

5 Replies


Thanks, but that's what I don't get, as I'm using a Class A network (I think), 10.x.x.x/23.

But it seems that it can't be done. Sigh. I will have to find another solution.

(Preference 1) Don't you have any external server? Or (preference 2) you can use the switch or router, if you like, for the DHCP server.

Quote: "But that's what I don't get, as I'm using a Class A network (I think), 10.x.x.x/23."

As @Marius Gunnerud noted from the documentation: "The size of the address pool is limited to 256 addresses per pool on the threat defense device. If the address pool range is larger than 253 addresses, the netmask of the threat defense interface cannot be a Class C address (for example, 255.255.255.0) and needs to be something larger, for example, 255.255.254.0."

In other words, it's a limitation of the appliance (software).

Please do not forget to rate.

Yes, I will have to go with preference 2 in this case.

Thanks all.
