configure dhcp relay / ip helper address need help

amralrazzaz

I have a Cisco ASA5516-X and a core switch SW3850, and all the DHCP pools are placed on the switch for each VLAN.

Now I need to configure an IP helper address (DHCP relay agent) and remove the local DHCP services so I can get the IP parameters from the main data center.

From the ASA I can't configure the DHCP relay agent, I don't know why?

I'll attach the switch configuration and the diagram. Is there any option to place the helper address on the switch?

The gateways are on the firewall but I can't configure a helper address?

SW3850#SHOW RUN
Building configuration...

Current configuration : 23864 bytes
!
! Last configuration change at 01:40:40 UTC Wed Jul 22 2020 by MOCAS01S
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname SW3850
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 32768 informational
logging rate-limit 10
logging console warnings
enable secret 
!

no aaa new-model
switch 1 provision ws-c3850-48p
ip routing
!
ip domain-name -------
ip device tracking
i
!
ip dhcp pool Wifi-guest
network 10.233.175.0 255.255.255.0
default-router 10.233.175.1
domain-name xxxxxx
dns-server 10.38.4.171 8.8.8.8
!
ip dhcp pool Wifi-Office
network 10.233.178.0 255.255.255.0
default-router 10.233.178.1
domain-name xxxxx
dns-server 10.38.4.171 8.8.8.8
!
ip dhcp pool FACE-client
network 10.233.168.0 255.255.255.0
default-router 10.233.168.1
domain-name GDS.LOCAL
dns-server 10.38.4.171 8.8.8.8
!
!
qos wireless-default-untrust
!
crypto pki trustpoint TP-self-signed-3157014277
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3157014277
revocation-check none
rsakeypair TP-self-signed-3157014277
!
!
crypto pki certificate chain TP-self-signed-3157014277
certificate self-signed 01
quit
!
!
!
!
!
diagnostic bootup level minimal
identity policy webauth-global-inactive
inactivity-timer 3600
!
spanning-tree mode rapid-pvst
spanning-tree logging
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 4096
!
redundancy
mode sso
!
!
ip ssh time-out 90
ip ssh version 2
ip scp server enable
!
class-map match-any non-client-nrt-class
match non-client-nrt
!
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
!
!
!
!
!
!
interface Port-channel1
description FTD PO1
switchport trunk native vlan 250
switchport mode trunk
switchport nonegotiate
logging event trunk-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast trunk
!
interface Port-channel2
description FTD PO2
switchport trunk native vlan 250
switchport mode trunk
switchport nonegotiate
logging event trunk-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast trunk
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
negotiation auto
!
interface GigabitEthernet1/0/1
description connected_WLC
switchport mode trunk
!
interface GigabitEthernet1/0/2
description connected_AP_Campina
switchport trunk native vlan 250
switchport mode trunk
!
interface GigabitEthernet1/0/3
description to_Firepower_LAN_Filaire
switchport access vlan 2
switchport mode access
!
interface GigabitEthernet1/0/4
description to_Clients-Wifi_firepower
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/5
description to_guest_firepower
switchport access vlan 912
switchport mode access
!
interface GigabitEthernet1/0/6
description mgmt_Firepower
switchport access vlan 250
switchport mode access
!
interface GigabitEthernet1/0/7
description mgmt_WLC
switchport access vlan 250
switchport mode access
!
interface GigabitEthernet1/0/8
description mgmt
switchport access vlan 250
switchport mode access
!
interface GigabitEthernet1/0/9
description PRINTER
switchport access vlan 9
switchport mode access
!
interface GigabitEthernet1/0/10
switchport access vlan 9
switchport mode access
!
interface GigabitEthernet1/0/11
description Access-Printer-SP-4510
switchport access vlan 9
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/14
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/15
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/16
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/17
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/18
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/19
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/20
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/21
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/22
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/23
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/24
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/25
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/26
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/27
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/28
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/29
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/30
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/31
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/32
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/33
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/34
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/35
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/36
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/37
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/38
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/39
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/40
description Access Interface
switchport access vlan 2
switchport mode access
switchport voice vlan 200
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/41
!
interface GigabitEthernet1/0/42
!
interface GigabitEthernet1/0/43
!
interface GigabitEthernet1/0/44
!
interface GigabitEthernet1/0/45
!
interface GigabitEthernet1/0/46
!
interface GigabitEthernet1/0/47
switchport access vlan 2
switchport mode access
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/0/48
description Access_to_server_HP
switchport access vlan 2
switchport mode access
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no snmp trap link-status
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
spanning-tree guard root
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
description FACE-client
ip address 10.233.168.254 255.255.255.0
no ip redirects
no ip unreachables
!
interface Vlan9
description PRINTER
ip address 10.233.171.254 255.255.255.0
no ip redirects
no ip unreachables
!
interface Vlan12
description BADGE
ip address 10.233.172.254 255.255.255.0
no ip redirects
no ip unreachables
!
interface Vlan20
description Wifi-Office
ip address 10.233.178.254 255.255.255.0
no ip redirects
no ip unreachables
!
interface Vlan50
description SERVER
ip address 10.233.170.254 255.255.255.0
no ip redirects
no ip unreachables
!
interface Vlan60
ip address 10.233.190.254 255.255.255.0
no ip redirects
no ip unreachables
!
interface Vlan200
description VOICE
ip address 10.233.169.254 255.255.255.0
no ip redirects
no ip unreachables
!
interface Vlan201
description wan
ip address 10.233.180.254 255.255.255.0
no ip redirects
no ip unreachables
!
interface Vlan230
description CCTV
ip address 10.233.173.254 255.255.255.0
no ip redirects
no ip unreachables
!
interface Vlan250
description mgmt
ip address 10.233.191.254 255.255.255.0
no ip redirects
no ip unreachables
!
interface Vlan912
description WIFI_GUEST
ip address 10.233.175.254 255.255.255.0
no ip redirects
no ip unreachables
!
no ip http server
ip http secure-server
!
!
logging trap notifications
logging source-interface Vlan250
logging 10.189.8.10

amr alrazzaz

Now you have changed the addressing-
Do you have a route to 10.50.161.183?
Is that dhcp scope active on that host?
Is the fw allowing udp through?

 

I am able to ping and reach the DHCP servers, yes.

All my pools for the different VLANs are already added there, and I have another remote location that I have tested and it is working fine.

Is the fw allowing udp through? This one I'm not sure.

And my question also is: do I have to do any additional configuration like NAT or something? I don't know actually ... I put everything back to normal again because my laptop cannot get an IP from the DHCP server.

Do you need more information about the full configurations I have? I can provide them.

amr alrazzaz

Hello


@amralrazzaz wrote:

If you look into the design you will see that it's connected to the firewall, and this is for the management IPs to connect to the switch, and also each VLAN is connected to its own gateway interface on the ASA ..... please check the diagram


I missed this part, so you have the asa performing the inter-vlan routing, which would indeed work if you had specific interfaces interconnected between the 3850 even with ip routing enabled on that 3850 switch.

So the only thing I can see negating DHCP now is the ASA. Are you running NAT?

I see you have the address for vlan 20 on a physical interface with a security level of 0; surely this should be 100 and have vlan 20 assigned to it, and the same format should be applied for all the other vlan interfaces on the ASA, with another interface connection to the outside WAN interface where your new DHCP scopes reside.

interface GigabitEthernetx/x
nameif outside
security-level 0
ip address x.x.x.x

interface GigabitEthernet1/5
nameif vlan20
vlan 20
security-level 100
ip address 10.233.178.1 255.255.255.0

interface GigabitEthernet1/x
nameif vlan30
vlan 30
security-level 100
ip address 10.233.17x.1 255.255.255.0

.....etc..for other vlans..

Then you should be able to enable relay on the ASA also for these vlans
dhcprelay server 10.50.161.183 outside
dhcprelay enable vlan20
dhcprelay enable vlan30

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks for the clarifications, but my issue is that on my ASA I can't enter enable mode, and the CLI is only for show commands as far as I know.

I don't know why I'm not able to configure the ASA from the CLI.

I can send you screenshots of my FMC GUI version; it does not contain a DHCP relay agent, and that's why I'm looking to the switch, if I can have any chance to make any solution.

amr alrazzaz

Hello

How are you connecting to the fw?

Does it have a Firepower module?


Kind Regards
Paul

1- I can't enter enable or exec mode (before I could, but maybe after I changed the admin password from the Firepower GUI (FMC) I think some privileges disappeared for this user).

So is there any way to get enable mode or to create a new user with full privileges?

Or maybe the configuration is only done via the GUI, not the CLI, I'm not sure.

2- As I'm not able to enter enable mode to configure an IP helper address on the ASA FTD, I'm able to access it via the web normally, but I don't know how to add the DHCP servers or DHCP relay agent.

So what are the steps to add the helper address, or on the ASA it is called DHCP relay agent? Where should I add it?

I already have 2 DHCP servers and I don't know how to add them via FMC (Firepower GUI) so I can get the DHCP parameters from the main data center, not from the local DHCP service.

 

note:

> show version
-------------------[ CampinaFTD ]-------------------
Model : Cisco ASA5516-X Threat Defense (75) Version 6.2.3.3 (Build 76)
UUID : 992fa59e-0135-11e8-a180-9f33b9f2f505
Rules update version : 2019-02-07-001-vrt
VDB version : 308
----------------------------------------------------

Also, this is what I have access to (the options allowed to me), and there is no enable mode.

 

>
aaa-server Specify a AAA server
app-agent Configure appagent features
asdm Disconnect a specific ASDM session
asp Configure ASP parameters
blocks Set block diagnostic parameters
capture Capture inbound and outbound packets on one or more interfaces
capture-traffic Display traffic or save to specified file
cd Change current directory
clear Reset functions
cluster Cluster exec mode commands
configure Change to Configuration mode
copy Copy from one file to another
cpu general CPU stats collection tools
crashinfo Crash information
crypto Execute crypto Commands
debug Debugging functions (see also 'undebug')
delete Delete a file
dir List files on a filesystem
dns Update FQDN IP addresses
downgrade Downgrade the file system and reboot
eject Eject a device
eotool Change to Enterprise Object Tool Mode
erase Erase a filesystem
exit Exit this CLI session
expert Invoke a shell
failover Perform failover operation in Exec mode
file Change to File Mode
format Format a filesystem
fsck Filesystem check
help Interactive help for commands
history Display the current session's command line history
kill Terminate a telnet session
ldapsearch Test LDAP configuration
logging Configure flash file name to save logging buffer
logout Logout of the current CLI session
memory Memory tools
mkdir Create new directory
more Display the contents of a file
no Negate a command or set its defaults
nslookup Look up an IP address or host name with the DNS servers
packet-tracer trace packets in F1 data path
perfmon Change or view performance monitoring options
pigtail Tail log files for debugging (pigtail)
ping Test connectivity from specified interface to an IP address
pmtool Change to PMTool Mode
pwd Display current working directory
reboot Reboot the sensor
redundant-interface Redundant interface
rename Rename a file
rmdir Remove existing directory
sftunnel-status Show sftunnel status
show Show running system information
shun Manages the filtering of packets from undesired hosts
shutdown Shutdown the sensor
system Change to System Mode
tail-logs Tails the logs selected by the user
test Test subsystems, memory, interfaces, and configurations
traceroute Find route to remote network
undebug Disable debugging functions (see also 'debug')
verify Verify a file
vpn-sessiondb Configure the VPN Session Manager
webvpn-cache Remove cached object
write Write running configuration to memory, network, or terminal

>

amr alrazzaz

Hello

Have a look at this link, it should assist you - here


Kind Regards
Paul

Thanks a lot for the link, but I went through this link before, and my issue is that I can't find the relay agent on my FTD version that I shared before, plus the screenshots of what I have now, and it doesn't exist.

So do I have to purchase a new FMC image, or is there no hope of managing the helper on the switch rather than the ASA?!!

amr alrazzaz

Hello
I cannot see how you can proceed. Either way you need to configure the ASA to allow this broadcast traffic.


Kind Regards
Paul

This is what I have now on the DHCP tab and I don't find a DHCP relay agent... please check the attached pic.

Is there any way to have the gateways on the switch so I can add the helper address?

- Can I enter enable and config mode on the CLI so I can configure DHCP servers?

- Can I manage this on the switch, because I have full features there, unlike the ASA which doesn't have a relay agent?

Either way you need to configure the ASA to allow this broadcast traffic (how?)

- Do you need me to share with you the full config file for both the ASA and the switch?

- If I can't manage it on the switch, how do I solve the issue of enable and config mode from the CLI and the DHCP relay agent option on the ASA?

amr alrazzaz

Hello
The FW is in the path between the new DHCP server and the core switch, so unless you can access the ASA to allow udp bootps/bootpc traffic I cannot see how you can proceed, and you would do this by enabling DHCP relay on the ASA, which you cannot seem to do.

The only other way I guess would be to allow it via an access-list policy on the ASA, though I'm not so sure even this would work, which would go something like below from the CLI, but again you need to be able to access and configure the FW:

access-list 100 extended permit udp host <DHCP_server> interface vlan20 eq bootps
access-list 100 extended permit udp host <DHCP_server> interface vlan30 eq bootps
access-group 100 in interface outside


Kind Regards
Paul

There are several things to deal with here:

- firepower FTD does most of its configuration using GUI. The cli for FTD is quite limited and does not have an enable mode.

- the original post had several DHCP pools configured. Am I correct in understanding that those pools have been removed from the configuration?

- there is mention of DHCP server(s). Can you tell us more about it(them)?

- I get the impression that the DHCP server(s) are somewhere in the enterprise network and the path to get to them from the switch is not through the ASA. Is that correct?

- if the path to the server(s) is not through the ASA then it is a powerful reason why the intervlan routing should be done by the switch and not by the ASA. And so a reason why the switch should be the default gateway rather than the ASA.

HTH

Rick
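
Added example, not part of any post in this thread: a Python sketch of what a relay agent (ip helper-address on the switch, or dhcprelay on the firewall) does to a client's broadcast per RFC 1542/2131, and which UDP flows a firewall in the path then has to permit. It assumes the Vlan20 SVI 10.233.178.254 as the relay interface, the server 10.50.161.183 mentioned above, and that the three pools from the original post have been recreated as scopes on that server; the function names and the client MAC are made up for the illustration.

```python
import ipaddress
import socket
import struct

# Fixed 236-byte BOOTP header (RFC 951 / RFC 2131), followed by the DHCP magic cookie.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST = 1
BOOTPS = 67      # "bootps": the server/relay port
MAX_HOPS = 16    # RFC 1542: discard requests whose hops field exceeds 16
ZERO_IP = b"\x00" * 4

# Assumption: the pools from the original post, recreated as scopes on the central server.
SCOPES = {
    "Wifi-guest": "10.233.175.0/24",
    "Wifi-Office": "10.233.178.0/24",
    "FACE-client": "10.233.168.0/24",
}


def build_discover(mac: bytes, xid: int) -> bytes:
    """Constructed sample: a minimal DHCPDISCOVER as a client would broadcast it."""
    header = struct.pack(
        BOOTP_FMT, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
        ZERO_IP, ZERO_IP, ZERO_IP, ZERO_IP, mac, b"", b"",
    )
    options = bytes([53, 1, 1, 255])  # option 53 = DHCPDISCOVER, then end option
    return header + MAGIC_COOKIE + options


def relay_request(packet: bytes, ingress_ip: str, server_ip: str):
    """Apply the relay-agent rules to a client request; return None if it must be dropped."""
    if len(packet) < BOOTP_LEN + 4 or packet[BOOTP_LEN:BOOTP_LEN + 4] != MAGIC_COOKIE:
        return None
    fields = list(struct.unpack(BOOTP_FMT, packet[:BOOTP_LEN]))
    op, hops, giaddr = fields[0], fields[3], fields[10]
    if op != BOOTREQUEST or hops > MAX_HOPS:
        return None
    fields[3] = hops + 1                             # hops is always incremented
    if giaddr == ZERO_IP:                            # first relay stamps its ingress address
        fields[10] = socket.inet_aton(ingress_ip)    # later relays must not overwrite it
    relayed = struct.pack(BOOTP_FMT, *fields) + packet[BOOTP_LEN:]
    giaddr_text = socket.inet_ntoa(fields[10])
    return {
        "packet": relayed,
        "giaddr": giaddr_text,
        "hops": fields[3],
        # Relayed leg is unicast: request goes to the server on UDP 67 ...
        "request_dst": (server_ip, BOOTPS),
        # ... and the server answers to giaddr on UDP 67 (not 68, not the client).
        "reply_dst": (giaddr_text, BOOTPS),
    }


def select_scope(giaddr: str, scopes=SCOPES):
    """Server side: the scope is chosen by the subnet that contains giaddr."""
    addr = ipaddress.ip_address(giaddr)
    for name, cidr in scopes.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


if __name__ == "__main__":
    discover = build_discover(bytes.fromhex("020000aabbcc"), 0x1234ABCD)
    result = relay_request(discover, "10.233.178.254", "10.50.161.183")
    print("giaddr:", result["giaddr"], "hops:", result["hops"])
    print("permit udp to", result["request_dst"], "and back to", result["reply_dst"])
    print("scope chosen by server:", select_scope(result["giaddr"]))
```

A VLAN whose relay address matches no scope on the server (for example the PRINTER SVI 10.233.171.254, which has no pool in the posted configuration) gets no offer even when the firewall passes the traffic.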