12-05-2025 09:20 AM
Hello together,
I configured the DHCP server on Cisco FMC 7.6 for one sub-interface because we have to route this VLAN on the firewall.
I added the VLAN tag and configured the switch for this VLAN as well. The problem is that I cannot get a lease. I saw on Cisco ISE that authentication and VLAN access were OK, but with an APIPA address.
I first added an any/any rule to the FMC policy for testing, but same problem. What did I forget? Or must this be a special access rule? I greatly appreciate any advice.
Regards
Ralph
12-05-2025 11:31 AM
Cisco FMC 7.6 the DHCP Server for one Sub-Interface because we have to route this VLAN on the Firewall.
This was not clear: did you enable the DHCP server on the FTD to allocate IPs to the clients?
Check the guide:
=====Preenayamo Vasudevam=====
***** Rate All Helpful Responses *****
12-08-2025 01:55 AM
Hello BB. I would like to add DHCP only for one sub-interface. For example, we have a department "Finance" and want to protect it from all other VLANs. So we routed the Finance VLAN 50 on the firewall, and I chose a new interface, added a sub-interface (for the future), and on this interface I added the DHCP server with the lease range 192.168.1.10-192.168.1.250. It let me activate it, but I could not get any lease from it. Clients always end up with an APIPA address (169.254.X.X). I know the guide, but I assume it should work?
12-08-2025 03:33 AM
Hi,
Please paste the output of the following from the FTD: "show running-config interface THE_SUBINTERFACE", "show running-config dhcpd", "show running-config dhcprelay", as well as the output of the following commands from the switch connected to the FTD: "show spanning-tree vlan THE_VLAN_WITH_DHCP_CLIENT", "show running-config | sec interface THE_INTERFACE_FACING_FTD", "show running-config | sec interface THE_INTERFACE_FACING_DHCP_CLIENT", "show vlan brief", "show ip dhcp snooping".
Thanks,
Cristian.
12-08-2025 07:03 AM
Hi Cristian, hereby the output of the commands. On some I do not get any output. Maybe I did something wrong.
show running-config interface Ethernet 1/9.50
!
interface Ethernet1/9.50
vlan 50
nameif Develop_50
security-level 0
ip address 192.168.50.1 255.255.255.0
show running-config dhcpd
dhcpd dns 192.168.250.20 192.168.250.4
dhcpd lease 28800
dhcpd domain xxxxx
!
dhcpd address 192.168.52.20-192.168.52.225 guest
!
dhcpd address 192.168.75.10-192.168.75.200 ap_75
dhcpd enable ap_75
!
dhcpd address 192.168.50.20-192.168.50.150 Develop_50
dhcpd enable Develop_50
!
Switch-001#sho spanning-tree vlan 50
VLAN0050
Spanning tree enabled protocol rstp
Root ID Priority 50
Address ac19.2e04.2120
Cost 1000
Port 3049 (Port-channel1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32793 (priority 32768 sys-id-ext 50)
Address 8d38.1831.4f80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Te1/0/5 Desg FWD 20000 128.5 P2p Edge
Te1/0/7 Desg FWD 20000 128.7 P2p Edge
Te1/0/8 Desg FWD 20000 128.8 P2p Edge
Te2/0/5 Desg FWD 20000 128.101 P2p Edge
Te2/0/8 Desg FWD 8000 128.104 P2p
Po1 Root FWD 1000 128.3049 P2p
Switch-001#sho run | sec int te1/0/5 -> no output
Switch-001#sho vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Te1/0/1, Te1/0/22, Te1/0/23
Te1/0/24, Twe1/1/2, Ap1/0/1
Te2/0/1, Te2/0/7, Te2/0/22
Te2/0/23, Te2/0/24, Twe2/1/2
Ap2/0/1
2 Serversysteme active Te1/0/17, Te1/0/18, Te1/0/19
Te1/0/20, Te2/0/17, Te2/0/18
Te2/0/19, Te2/0/20
4 ClientVLAN active
8 Transfernet-FW. active Te1/0/2, Te2/0/2
9 MPLS active
10 Production active
11 ISCSI1 active
12 ISCSI2 active
13 NFS-Connect active
15 Transfer-SDWAN active Te1/0/6, Te1/0/21, Te2/0/6
Te2/0/21
40 Printer active
50 Development active Te1/0/5, Te2/0/5
60 mobile_Devices active
75 Cisco_APs active Te1/0/4, Te2/0/4
200 VFR active
201 VoIP active
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
Switch-001#show ip dhcp snooping
Switch DHCP snooping is disabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
none
DHCP snooping is operational on following VLANs:
none
Proxy bridge is configured on following VLANs:
none
Proxy bridge is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: 8d38.1831.4f80 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ -------
12-08-2025 07:04 AM
VLAN 50 is the one facing the problem.
12-08-2025 09:32 AM
Hi,
Your DHCP config on the FTD is correct. Which port on the switch is connected to the FTD and which port on the switch is connected to the DHCP client? Can you paste the entire configuration of these two ports?
I see you're mentioning something about ISE, so this would mean you have MAB/802.1x enabled on the port, in which case, depending on your port configuration, DHCP assignment might happen after MAB/802.1x authentication. Let's see the port configurations first.
As an initial test, can you remove all MAB/802.1x related configurations from the port where the DHCP client is attached and see if you get an IPv4 address via DHCP from the FTD?
As to the question of which option is better, a centralized DHCP server (FTD as DHCP relay) or a local DHCP server (FTD as DHCP server): both would work. In general it's recommended to have all your DHCP pools done the same way, for consistency and thus an easier network design, simplified operations and a simpler troubleshooting path. Which one to choose, you've got to weigh the pros and cons:
1. A centralized DHCP server has all the pros, except one con: if the DHCP relay (in your case the FTD) loses IPv4 connectivity to the DHCP server, no new DHCP clients will be assigned IPv4 addresses and existing ones will fail DHCP renewal, so this is a sort of network downtime.
2. A localized DHCP server (FTD being the DHCP server) has the pros and cons flipped, meaning as a pro, DHCP clients will always get an IPv4 address as long as the FTD is up and running, while as a con, you have a sort of operational complexity as you have to deal with multiple localized DHCP servers (even if today you only have one such case, more will appear in future; this is always the case).
Thanks,
Cristian.
12-09-2025 08:14 AM
Cristian, sorry I missed your answer. I will post the missing information soon. Many thanks for your time, I appreciate it, and all the others also.
12-10-2025 12:58 AM
Here is the information.
Core switch VLAN interface:
!
interface Vlan50
description Development
no ip address
end
Port on switch to firewall:
interface TenGigabitEthernet1/0/5
description develop-vlan50
switchport trunk allowed vlan 50
switchport mode trunk
device-tracking attach-policy MERAKI_POLICY
end
Port on access switch for the device/laptop:
description Authentifizierung
switchport mode access
switchport nonegotiate
authentication control-direction in
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer restart 30
authentication timer inactivity server
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout server-timeout 2
dot1x timeout tx-period 2
dot1x timeout supp-timeout 2
dot1x timeout start-period 2
dot1x max-start 5
spanning-tree portfast edge
I see on ISE that authentication passed successfully for VLAN 50, but the client ends up with an APIPA address 169.254.x.x.
12-10-2025 03:48 AM
Hi,
Recommended order of troubleshooting:
1. I see you have a device-tracking / SISF policy applied on your switchport towards the FTD (where the DHCP server resides). Do you actually use this functionality for a scope/reason, or is it just hanging in there? If it's just hanging in there, remove it; based on the configuration it might interfere with the DHCP process. If it's needed, paste the output of "show device-tracking policy MERAKI_POLICY".
2. If you need / use the tracking policy, temporarily remove the configuration from the port, and temporarily configure the port where the device/laptop is connected with "authentication port-control force-authorized" and "switchport access vlan 50". Confirm you now get IPv4 info from the DHCP server located on the FTD.
3. Now we need to make it work alongside 802.1x being enabled on the port. Configure the port where the device/laptop is connected with "authentication port-control auto" and "no switchport access vlan 50". At this point you're back at your initial config. Since your port is not statically configured in VLAN 50, it means your ISE authorization policy assigns VLAN 50. Can you confirm that, and which other authorisations you're pushing from ISE? After your laptop is authenticated/authorized by ISE, paste the output of "show authentication sessions interface INTERFACE_ID details" and "show authentication sessions interface INTERFACE_ID policy".
Something not directly related to your presented challenge; however, why do you use "authentication host-mode multi-auth" on your port? Do you have multiple logical / physical devices attached to this port? If yes, keep the config as is; if not, change it to "authentication host-mode single-host".
Thanks,
Cristian.
12-08-2025 07:05 AM
I am not fully clear on where you have the DHCP server. Is it running on the FTD or somewhere behind the FTD? If it's running on the FTD and enabled on the sub-interface for VLAN 50, then I would check the following:
- Ensure that the finance switch port is placed into VLAN 50 after the client is authenticated
- Ensure VLAN 50 is allowed on the trunk link connected to the firewall where the sub-interface is activated
- Ensure the VLAN 50 sub-interface on the firewall is configured with an IP and is enabled
However, if the DHCP server is sitting somewhere behind the FTD, then you would need to configure a DHCP relay agent on the FTD, select the sub-interface of VLAN 50, and also configure the external DHCP server and select the segment interface where the DHCP server is connected.
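As an added example, not code from this thread or from Cisco, the following Python script runs the checks Aref lists above (sub-interface tagged and addressed, pool bound and enabled, VLAN allowed on the trunk) plus the first of Cristian's troubleshooting steps (flag a device-tracking policy on the FTD-facing port) over the text of "show running-config interface", "show running-config dhcpd" and the switch port configuration. The sample input is constructed from the configurations posted in the thread; the parsing is plain text matching written for this example and assumes the FTD/IOS keyword order shown in those posts (the incremental "switchport trunk allowed vlan add/remove" forms are not modelled).

```python
import ipaddress

# Constructed sample input, copied from the FTD and switch output posted above.
FTD_CONFIG = """\
interface Ethernet1/9.50
 vlan 50
 nameif Develop_50
 security-level 0
 ip address 192.168.50.1 255.255.255.0
dhcpd dns 192.168.250.20 192.168.250.4
dhcpd lease 28800
dhcpd address 192.168.52.20-192.168.52.225 guest
dhcpd address 192.168.75.10-192.168.75.200 ap_75
dhcpd enable ap_75
dhcpd address 192.168.50.20-192.168.50.150 Develop_50
dhcpd enable Develop_50
"""

SWITCH_PORT_TO_FTD = """\
interface TenGigabitEthernet1/0/5
 description develop-vlan50
 switchport trunk allowed vlan 50
 switchport mode trunk
 device-tracking attach-policy MERAKI_POLICY
"""


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as "1,10-12,50" into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_ftd(config):
    """Return (interfaces by nameif, DHCP pools by nameif, set of nameifs with dhcpd enabled)."""
    interfaces, pools, enabled, current = {}, {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"vlan": None, "network": None}
        elif current is not None and line.startswith("vlan "):
            current["vlan"] = int(line.split()[1])
        elif current is not None and line.startswith("nameif "):
            interfaces[line.split()[1]] = current  # same dict, later lines update it
        elif current is not None and line.startswith("ip address "):
            _, _, addr, mask = line.split()
            current["network"] = ipaddress.IPv4Interface(f"{addr}/{mask}").network
        elif line.startswith("dhcpd address "):
            _, _, rng, nameif = line.split()
            first, last = rng.split("-")
            pools[nameif] = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
        elif line.startswith("dhcpd enable "):
            enabled.add(line.split()[2])
    return interfaces, pools, enabled


def parse_switch_port(config):
    """Extract trunk mode, allowed VLANs (None = all) and any attached device-tracking policy."""
    port = {"mode": None, "allowed_vlans": None, "tracking_policy": None}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("switchport mode "):
            port["mode"] = line.split()[2]
        elif line.startswith("switchport trunk allowed vlan "):
            spec = line.split()[4]  # plain form only, e.g. "50" or "1,10-12,50"
            port["allowed_vlans"] = None if spec == "all" else expand_vlan_list(spec)
        elif line.startswith("device-tracking attach-policy "):
            port["tracking_policy"] = line.split()[2]
    return port


def check_dhcp_path(ftd_config, switch_port_config, vlan):
    """Return a list of findings for the DHCP path of one VLAN; an empty list means all checks passed."""
    findings = []
    interfaces, pools, enabled = parse_ftd(ftd_config)
    port = parse_switch_port(switch_port_config)
    tagged = [name for name, itf in interfaces.items() if itf["vlan"] == vlan]
    if not tagged:
        return [f"no FTD subinterface is tagged with VLAN {vlan}"]
    nameif, net = tagged[0], interfaces[tagged[0]]["network"]
    if net is None:
        findings.append(f"{nameif}: no IP address configured on the subinterface")
    if nameif not in pools:
        findings.append(f"{nameif}: no 'dhcpd address' pool is bound to this interface")
    elif net is not None:
        first, last = pools[nameif]
        if first not in net or last not in net:
            findings.append(f"{nameif}: pool {first}-{last} lies outside {net}")
    if nameif not in enabled:
        findings.append(f"{nameif}: 'dhcpd enable {nameif}' is missing")
    if port["mode"] != "trunk":
        findings.append("the switch port towards the FTD is not a trunk")
    elif port["allowed_vlans"] is not None and vlan not in port["allowed_vlans"]:
        findings.append(f"VLAN {vlan} is not in the trunk's allowed VLAN list")
    if port["tracking_policy"]:
        findings.append(f"device-tracking policy {port['tracking_policy']} is attached to the FTD-facing port; "
                        "verify it is intended (it can interfere with DHCP)")
    return findings


if __name__ == "__main__":
    for finding in check_dhcp_path(FTD_CONFIG, SWITCH_PORT_TO_FTD, 50) or ["all checks passed"]:
        print(finding)
```

Run against the posted configuration, the only finding is the attached device-tracking policy, which matches where the thread's troubleshooting points next; the access-port 802.1x/MAB side is not modelled here because VLAN assignment there comes from ISE rather than from the static configuration.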
12-08-2025 08:36 AM
Hello Aref, it is running on the FTD (configured via FMC). This was the first try; if it doesn't work I will configure a DHCP relay. I thought it should be easy going, but it wasn't. What do you recommend: use the FTD as DHCP server or configure a relay?
12-09-2025 12:18 AM
My gut feeling is that VLAN 50 is not allowed on the trunk link between the switch and the FTD. Could you please check that? You can use the command "show interface trunk" on the switch and check the allowed VLANs on the trunk link going to the FTD. Also, one thing you could do for troubleshooting would be to create an SVI for VLAN 50 on the switch and try to ping the FTD VLAN 50 sub-interface. If that works, the trunk link is good; if not, the issue is on the trunk link, most likely that VLAN 50 is not allowed.
With regard to the DHCP server recommendations, it's been my experience that the DHCP services should be hosted on a proper DHCP server, a common example of this would be Windows servers because they provide you with all the feature sets that you might need. However, if you want to provide IP addresses to an untrusted segment such as guest then my recommendation would be to have the scopes configured on the firewall.