We have the core switch as a DHCP server, but we have deployed Cisco ISE and we need to send the ip helper address configuration to the Cisco ISE to understand the attributes for the DHCP.
But the same is not happening; we don't see any DHCP probes going towards the ISE. We have checked the connectivity and firewall rules; it's allowed for all the traffic and nothing is getting blocked.
So you want to send just the options part of the DHCP request to the ISE, and get the rest from the DHCP server on the core switch? I am not sure if that is possible... Try and configure 'ip directed-broadcast' on the interface(s) on which you have configured the helper addresses...
I find the original post somewhat confusing. It says that "we need to send the ip helper address configuration to the Cisco ISE". Sending the configuration is one thing and sending DHCP packets is a different thing. Perhaps the original poster can provide some clarification about what they are trying to do?
One other comment is that ip directed-broadcast works on the interface receiving the directed broadcast and not on the interface sending the directed broadcast.
A couple questions:
1. Do you have the ISE IP address configured as one of the IP helper addresses? If distributed deployment, it's the PSN IP address.
2. Do you have the DHCP probe enabled in the ISE profiling configuration?
If you have a Device-Sensor capable switch, you don't need to use the IP helper/DHCP probe, as the DHCP attributes would be carried in the RADIUS Accounting packets.
Just got a reply from Cisco TAC that if your core switch is a DHCP server then ip helper address won't send DHCP probe information to the Cisco ISE server.
So it seems it's not possible in that case. If you want to send ip helper address then you need to have an SVI on an access switch and have ip helper address in that.
Thanks for the support.
Thank you for the update. I had not been aware of the restriction on helper address that the switch would not forward DHCP requests if the switch was configured as a DHCP server. I suspect I am not the only one who is surprised to learn this. A well-deserved +5 for this insight.
Please find the bullet form
Ability to support cases where DHCP server is the Layer 3 access switch. A switch will not forward/relay DHCP packets if it is the DHCP server.
This is the link for your reference if you need it in future.
If required to use DHCP attributes then you need to use DHCP snooping as a feature to send all the data through using RADIUS for profiling.
If my existing switch already has ip helper-address config, will adding another line of "ip helper address <ISE server>" interrupt the switch DHCP operation?
Btw, I can already see my switch IP in ISE without putting in the 802.1x config. Will it still need this "ip helper address <ISE server>" command? Will it affect the 802.1x operation of auth?
The ip helper command is for DHCP profiling, which is required for profiling devices or if you use MAB-based authentication using profiling for IP phones or any other devices.
Dot1x is different from profiling.
Secondly, ip helper just converts broadcast to unicast requests to those servers listed below.
Do you mean that setting ip helper-address <ISE IP> in the switch has got nothing to do with 802.1x/MAB auth allow and deny?
In MAB, I manually add the MAC address into a specific MAB group that ALLOWs for auth.
The command will just help the ISE to profile the device, but will not affect ISE authentication?
Without ip helper-address <ISE IP>, 802.1x will still work in terms of ALLOW/DENY endpoints. Are these correct?