Wireless Access

Hello,

 

I need to forward dhcp request in multiple vlan on remote clearpass (for classification). 

I have 2540, 2930F switch.

I setup ip helper and static ip on my switch in my different vlan. For the moment all the dhcp request is forward on default gateway of the switch. I need to specify gateway by vlan (ip of firewall in these vlans).

 

I try pbr on 2930 but it doesn't work (and pbr isn't possible on 2540). Firewall already dhcp server on these vlan so it can't be the dhcp relay

 

Is there a solution ? 

Thanks you very much

Greetings!

 

Is the ClearPass server reachable via the switch's current default gateway? Are you seeing the forwarded DHCP requests in ClearPass, or are they simply not reaching the ClearPass server to begin with?

 

If there are no basic reachability issues, I'm a bit unclear as to why you would need to add additional gateways to the switch — ClearPass itself is not responding to the DHCP requests, so there should be no need to ensure that they are all being forwarded on their original VLANs.

Can you ping clearpass from your edgeswitch? Clearpass must be pingable from your edgeswitch so you now that there is a route to that segment on the edge.

 

My 2930 dhcp config normally like this.

 

vlan 4
   ip address 10.1.4.1 255.255.255.0
   ip helper-address "dchp-server"
   ip helper-address "vrrp address of clearpass"
   exit

 

Which version of ClearPass do you run? In 6.7.x profling is default enabled. I remember that in 6.5 you have to turn on profiling first in Administrator > Server settings before your receive the DHCP discovers.

Thanks for your answer.
The problem is firewall block the requests because they don't come from the right vlan (all requests come via vlan of the switch default gateway). The firewall is gateway for all vlan. So i need the switch send the request on ip of firewall in the right vlan.

Sorry if i'm not clear

Télécharger Outlook pour Android

Do you have a schema ?

 

the DHCP relay use the IP address of the vlan (where there is the DHCP offer...)

 

you don't use your 2930F for routing ? (and there is no ip routing enable ?)

When you look at my example... A client is looking voor DHCP in vlan 4. When reache the vlan 4 interface there is a DHCP-Helper configured to reach clearpass or DHCP server in another vlan. Then the DHCP request is going out through the vlan that it routed to the DCHP server vlan.

 

So this is the same outging vlan interface on your edgeswitch when you ping from your edgeswitch to the clearpass server. So the outging vlan for the DHCP helper request is nothing go out from vlan 4 (the clients vlan) .

 

You have to allow outging DHCP-Request from outging your switch interface (mostly the DFGW on your edgeswitch without routing enabled) to both IP addresses of your Clearpass nodes.

Hi,

See attachment a schema. My switch doesn't route, firewall does. So dhcp relay it's ok for vlan 30. All firewall rules are ok. When i do a trace on firewall a see the dhcp request for all these vlans but all come from vlan 30 ( because i guess it's default gateway of the switch). I need switch forward dhcp request of vlan 20 to 10.20.10.254, vlan 10 to 10.10.10.254 and no to 10.30.10.254 

Do you have look the DHCP packet ? what it is say for DHCP Relay stuff ?

 

With it is not the gateway (firewall) the DHCP ip helper ?

Because firewall is already the dhcp server. I saw packets block by firewall. It's normal the firewall saw the packets come from wrong interface

---

@SebKyos wrote:
Because firewall is already the dhcp server. I saw packets block by firewall. It's normal the firewall saw the packets come from wrong interface

---

yes because following the default gw of switch...

 

it will be more easy to directly configure the ip helper on your firewall... (the GW of each vlan...)

Yes i will do that. Move dhcp on other server and do dhcp relay on firewall. I post this thread just to see if there was another solution that i didn't think.
Thanks for you time and help.

Télécharger Outlook pour Android