Thank you for the reply
We do see the client make a DHCP request.
In the remote office, I see the DHCP server identifier as the Windows DHCP server IP
When the client roams to the home office, I see the DHCP server identifier as the WLC virtual IP
the client is requesting its' prior remote office IP after roaming to the home office
This happens for multiple client types (win 10, iphone). We're not yet making much progress with TAC.
We were wondering if using the same wlan was causing problems, as this wlan is using the same WLC interface.
... View more
I have a hunch that people have run into this sort of thing before. (TAC case open, but curious if somebody here just knows the answer)
APs at our Home Office are in Local Mode APs at our Remote Offices are in Flex Mode
When clients roam from a remote office to the home office, they retain their Remote Office IP address. This results in them associating to the Home Office wireless, but not having any connectivity until they perform an ipconfig /release & /renew. This is happening for multiple client types (Windows, apple ios, Android)
Client are connecting to the same WLAN with Flexconnect local switching enabled.
... View more
I'm having trouble finding documentation specific to the 3504 WLC. But here are the available options for the other WLCs: https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-1/HA_SSO_DG/High_Availability_DG.html#pgfId-78132
... View more
I was browsing the communities this morning to see if there had been anybody to install patch 10 yet. Sorry to hear this, you'll have to let us know what you figure out after engaging TAC.
Also, you may get more visibility posting here instead - https://community.cisco.com/t5/identity-services-engine-ise/bd-p/5301j-disc-ise
... View more
Hello all,
Is anybody successfully using 'log' at the end of their ACEs within a DACL?
We've been running dot1x for quite some time now. I'm beginning to alter my policies to push a 'permit ip any any log' dacl to specific hosts. I'm finding that on almost every switch in our environment, no logging is sent to the switch's log buffer for hits on that dacl.
The exception, is a 4500 (Sup 7L-E) running v03.06.08.E. This behavior is not listed in any release notes as new functionality, and I cannot find when it became a supported feature. I've opened a TAC case, and there's an associated bug ID (CSCvj79680). I've also come across a community post from 2 years ago with the same issue: https://community.cisco.com/t5/policy-and-access/dacl-logging-in-ise/td-p/2894112
Just looking for any information out there I may not know about. Also trying to get a little more traction behind this issue in hopes it'll get on dev road maps to fix. The more we actively work to push DACLs, the more limitations we've found along the way.
Example output from the aforementioned 4500 switch:
729008: Jul 19 13:27:12.393 EDT: %SEC-6-IPACCESSLOGP: list NACL_xACSACLx-IP-mersive_dacl-5b3ba851 denied udp 172.16.60.22(1312) -> 8.8.8.8(53), 1 packet
729009: Jul 19 13:28:11.953 EDT: %SEC-6-IPACCESSLOGP: list NACL_xACSACLx-IP-mersive_dacl-5b3ba851 denied udp 172.16.60.22(24296) -> 8.8.8.8(53), 1 packet
729010: Jul 19 13:28:21.959 EDT: %SEC-6-IPACCESSLOGP: list NACL_xACSACLx-IP-mersive_dacl-5b3ba851 denied udp 172.16.60.22(55324) -> 8.8.8.8(53), 1 packet
729011: Jul 19 13:30:12.392 EDT: %SEC-6-IPACCESSLOGP: list NACL_xACSACLx-IP-mersive_dacl-5b3ba851 denied udp 172.16.60.22(7806) -> 8.8.8.8(53), 1 packet
... View more
Another option, would be to use two WLANs with the same SSID (ie. WLAN1: FlexConnect WLAN2: mDNS). Currently the WLC prevents you from doing that.
... View more
.jpg "VIP Engager"){kind=icon}
.jpg "Hall of Fame Master"){kind=icon}
