Wired Intelligent Edge (Campus Switching and Routing)

Occasional Contributor I

Aruba Switch : one gateway by vlan

Hello,

I need to forward DHCP requests in multiple VLANs to a remote ClearPass (for classification).

I have 2540 and 2930F switches.

I set up ip helper and a static IP on my switch in my different VLANs. For the moment all the DHCP requests are forwarded to the default gateway of the switch. I need to specify a gateway per VLAN (the IP of the firewall in these VLANs).

I tried PBR on the 2930 but it doesn't work (and PBR isn't possible on the 2540). The firewall is already the DHCP server on these VLANs, so it can't be the DHCP relay.

Is there a solution?

Thank you very much

MVP Expert

Re: Aruba Switch : one gateway by vlan

Greetings!

 

Is the ClearPass server reachable via the switch's current default gateway? Are you seeing the forwarded DHCP requests in ClearPass, or are they simply not reaching the ClearPass server to begin with?

 

If there are no basic reachability issues, I'm a bit unclear as to why you would need to add additional gateways to the switch — ClearPass itself is not responding to the DHCP requests, so there should be no need to ensure that they are all being forwarded on their original VLANs.



Matt Fern
Technical Marketing Engineer, Wired Intelligent Edge

Aruba, a Hewlett Packard Enterprise company

MVP

Re: Aruba Switch : one gateway by vlan

Can you ping ClearPass from your edge switch? ClearPass must be pingable from your edge switch so you know that there is a route to that segment on the edge.

My 2930 DHCP config normally looks like this.

 

vlan 4
   ip address 10.1.4.1 255.255.255.0
   ip helper-address "dhcp-server"
   ip helper-address "vrrp address of clearpass"
   exit

 

Which version of ClearPass do you run? In 6.7.x profiling is enabled by default. I remember that in 6.5 you have to turn on profiling first in Administrator > Server settings before you receive the DHCP discovers.

Kind Regards Marcel Koedijk
HPE ASE Flexnetwork | ACMP | ACCP - Was this post useful? Kudos are welcome.
Occasional Contributor I

Re: Aruba Switch : one gateway by vlan

Thanks for your answer.
The problem is that the firewall blocks the requests because they don't come from the right VLAN (all requests come via the VLAN of the switch's default gateway). The firewall is the gateway for all VLANs. So I need the switch to send the request to the IP of the firewall in the right VLAN.

Sorry if I'm not clear

MVP Expert

Re: Aruba Switch : one gateway by vlan

Do you have a schema?

The DHCP relay uses the IP address of the VLAN (where there is the DHCP offer...)

You don't use your 2930F for routing? (And there is no ip routing enabled?)




PowerArubaSW: Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP... More info


PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...) More info


PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)


PowerArubaIAP: Powershell Module to use Aruba Instant AP




ACMP 6.4 / ACMX #107 / ACCP 6.5
MVP

Re: Aruba Switch : one gateway by vlan

When you look at my example... A client is looking for DHCP in VLAN 4. When it reaches the VLAN 4 interface, there is a DHCP helper configured to reach ClearPass or the DHCP server in another VLAN. Then the DHCP request goes out through the VLAN that is routed to the DHCP server VLAN.

So this is the same outgoing VLAN interface on your edge switch as when you ping from your edge switch to the ClearPass server. So, as for the outgoing VLAN for the DHCP helper request, nothing goes out from VLAN 4 (the clients' VLAN).

You have to allow outgoing DHCP requests from the outgoing interface of your switch (mostly the DFGW on your edge switch without routing enabled) to both IP addresses of your ClearPass nodes.

Kind Regards Marcel Koedijk
HPE ASE Flexnetwork | ACMP | ACCP - Was this post useful? Kudos are welcome.
Occasional Contributor I

Re: Aruba Switch : one gateway by vlan

Hi,

See the attached schema. My switch doesn't route, the firewall does. So the DHCP relay is OK for VLAN 30. All firewall rules are OK. When I do a trace on the firewall I see the DHCP requests for all these VLANs, but all come from VLAN 30 (because I guess it's the default gateway of the switch). I need the switch to forward DHCP requests of VLAN 20 to 10.20.10.254 and VLAN 10 to 10.10.10.254, and not to 10.30.10.254.

image.png
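
The mismatch described in this thread, as an added example that is not part of any post: a simplified model of a firewall that only accepts a relayed DHCP request on the interface whose subnet contains the relay address (giaddr). The firewall addresses are the ones given above; the /24 masks, the switch addresses (10.x.10.2) and the strict ingress check itself are assumptions.

```python
import ipaddress
import struct

# Firewall addresses are from the thread; the /24 masks are an assumption.
FIREWALL_IFACES = {
    "vlan10": ipaddress.ip_interface("10.10.10.254/24"),
    "vlan20": ipaddress.ip_interface("10.20.10.254/24"),
    "vlan30": ipaddress.ip_interface("10.30.10.254/24"),
}

def build_relayed_request(giaddr):
    """Constructed sample: fixed 236-byte BOOTP header of a relayed request."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 1, 0x1234ABCD, 0, 0)  # op..flags
    hdr += bytes(12)                                  # ciaddr, yiaddr, siaddr
    hdr += ipaddress.ip_address(giaddr).packed        # giaddr, set by the relay
    hdr += bytes.fromhex("020000000001") + bytes(10)  # chaddr (constructed MAC)
    return hdr + bytes(64 + 128)                      # sname, file

def giaddr_of(bootp):
    """Return the relay agent address (giaddr) of a BOOTREQUEST."""
    if len(bootp) < 236 or bootp[0] != 1:
        raise ValueError("not a BOOTP request")
    return ipaddress.ip_address(bootp[24:28])

def expected_iface(addr):
    """Firewall interface whose subnet contains addr, or None."""
    for name, iface in FIREWALL_IFACES.items():
        if addr in iface.network:
            return name
    return None

def ingress_check(bootp, arrived_on):
    """Model of a strict check: giaddr must belong to the arrival interface."""
    expected = expected_iface(giaddr_of(bootp))
    return expected == arrived_on, expected

if __name__ == "__main__":
    # Hypothetical switch addresses; every request arrives via vlan30,
    # the VLAN of the switch's default gateway.
    for relay in ("10.10.10.2", "10.20.10.2", "10.30.10.2"):
        ok, expected = ingress_check(build_relayed_request(relay), "vlan30")
        print(f"giaddr {relay}: arrived vlan30, expected {expected}, "
              f"{'pass' if ok else 'drop'}")
```

Only the VLAN 30 request passes in this model, which matches the trace described above where the relayed requests for every VLAN show up on the VLAN 30 interface.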

MVP Expert

Re: Aruba Switch : one gateway by vlan

Did you look at the DHCP packet? What does it say for the DHCP relay stuff?

Why is the gateway (firewall) not the DHCP ip helper?




Occasional Contributor I

Re: Aruba Switch : one gateway by vlan

Because the firewall is already the DHCP server. I saw packets blocked by the firewall. It's normal: the firewall saw the packets come from the wrong interface.
MVP Expert

Re: Aruba Switch : one gateway by vlan


@SebKyos wrote:
Because the firewall is already the DHCP server. I saw packets blocked by the firewall. It's normal: the firewall saw the packets come from the wrong interface.

Yes, because it follows the default GW of the switch...

It will be easier to directly configure the ip helper on your firewall... (the GW of each VLAN...)



