NAC L2 OOB and DHCP problem

Unanswered Question
Jan 30th, 2010


I have a problem with assigning an IP address from the DHCP server to a user.

I added a VLAN mapping and an IP address to a Managed Subnet from the access VLAN subnet.

The user sends a request for an IP address through the CAS eth1 interface.

The CAS eth0 interface gets replies from the DHCP server on eth0 but does not forward them to the user through eth1.

I tested using tcpdump on eth1 and eth0. I see the user MAC address requesting an IP address on eth1 and replies from DHCP sent to this user MAC address on the eth0 interface.

I don't know where the problem is.

If the VLAN mapping is incorrectly configured, then the eth0 interface does not get replies from DHCP.

Faisal Sehbai Wed, 02/03/2010 - 20:47


Post a network diagram of your layout with vlan and ip information.



Faisal Sehbai Sat, 02/06/2010 - 21:33


Your 3560 in the picture: what code is it running?

Also, I'm sure you're aware of it, but running CCA in a VM isn't really supported, so for labs and/or forum support it's kosher, but if you call TAC with this setup you'd have a tough time getting support for it!


wkamil123 Sat, 02/06/2010 - 23:44


The 3560 runs IOS version 122-35.SE5.

This NAC is for lab testing only. I haven't purchased support for it.

So I want to simulate a network to deploy CCA for one of my clients.

I have CCA version 4.1.8; maybe this is the problem?


Faisal Sehbai Sun, 02/07/2010 - 12:55


4.1.8 is fine. How do you have your NICs defined in the VM for the CAS? Are they physically two NICs or two VMNets?


wkamil123 Sun, 02/07/2010 - 23:13


The two NICs of the CAS are bridged to two physical NICs.


Faisal Sehbai Mon, 02/08/2010 - 14:43


Do port-SPAN captures on both of the switchports where your CAS trusted and untrusted interfaces are plugged in. If you're only using tcpdump on the CAS, that won't work because of the way Click routing works.

Set up both ports for spanning, capture on another machine, and see whether the DHCP reply makes it to the trusted interface. If yes, is it making it out of the untrusted interface?
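The procedure above (SPAN both CAS-facing switchports, capture on a third machine, then check where the DHCP reply stops) is easy to get wrong by eye once several clients are retrying, so here is an added example, not part of the thread and not Cisco's code, that correlates DHCP frames from the two SPAN sources by transaction id and reports where each exchange stalled. On the 3560 the SPAN itself would be along the lines of `monitor session 1 source interface FastEthernet0/1 both`, `monitor session 1 source interface FastEthernet0/2 both` and `monitor session 1 destination interface FastEthernet0/3`, with the capture box on Fa0/3 running `tcpdump -i <nic> -w span.pcap udp port 67 or udp port 68`; the port numbers are assumptions, since the thread gives none. The script works on raw BOOTP payloads (the UDP data) tagged with the port they were seen on; the sample frames are constructed inline, and the port names `trusted` / `untrusted` are labels I chose.

```python
import struct
from collections import defaultdict

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 951 fixed header, 236 bytes
BOOTP_LEN = struct.calcsize(BOOTP_FMT)
MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2132 marker before DHCP options
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_bootp(op, xid, chaddr, msg_type, yiaddr=b"\x00" * 4):
    """Build a minimal BOOTP/DHCP payload (UDP data only).
    Only used here to construct sample captures; real input is the SPAN pcap."""
    fixed = struct.pack(BOOTP_FMT, op, 1, 6, 0, xid, 0, 0x8000,
                        b"\x00" * 4, yiaddr, b"\x00" * 4, b"\x00" * 4,
                        chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    return fixed + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])


def parse_bootp(payload):
    """Return (xid, client MAC as 'aa:bb:..', DHCP message type) or raise ValueError."""
    if len(payload) < BOOTP_LEN + len(MAGIC_COOKIE):
        raise ValueError("short BOOTP payload")
    fields = struct.unpack(BOOTP_FMT, payload[:BOOTP_LEN])
    hlen, xid, chaddr = fields[2], fields[4], fields[11]
    if payload[BOOTP_LEN:BOOTP_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i, msg_type = payload[BOOTP_LEN + 4:], 0, None
    while i < len(opts) and opts[i] != OPT_END:
        if opts[i] == OPT_PAD:            # single-byte pad, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or i + 2 + opts[i + 1] > len(opts):
            raise ValueError("truncated DHCP option")
        if opts[i] == OPT_MSG_TYPE and opts[i + 1] == 1:
            msg_type = opts[i + 2]
        i += 2 + opts[i + 1]
    if msg_type is None:
        raise ValueError("no DHCP message type option (53)")
    return xid, chaddr[:hlen].hex(":"), msg_type


def trace_transactions(captures):
    """Group frames by DHCP transaction id. captures: list of (port, payload)."""
    by_xid = defaultdict(lambda: {"client": None, "seen": []})
    for port, payload in captures:
        xid, mac, mtype = parse_bootp(payload)
        by_xid[xid]["client"] = mac
        by_xid[xid]["seen"].append((port, MSG_TYPES.get(mtype, str(mtype))))
    return dict(by_xid)


def diagnose(seen, untrusted="untrusted", trusted="trusted"):
    """Say where an OOB DHCP exchange stops, given (port, message) pairs."""
    s = set(seen)
    if (untrusted, "DISCOVER") not in s:
        return "no DISCOVER on untrusted port: client side"
    if (trusted, "DISCOVER") not in s:
        return "DISCOVER not passed to trusted port: VLAN mapping / managed subnet"
    if (trusted, "OFFER") not in s:
        return "no OFFER on trusted port: DHCP server or trusted VLAN"
    if (untrusted, "OFFER") not in s:
        return "OFFER on trusted port only: CAS host (bridging, firewall) not relaying"
    return "OFFER reached the client port"


def report(captures):
    """Map xid -> (client MAC, diagnosis) for every transaction in the captures."""
    return {xid: (t["client"], diagnose(t["seen"]))
            for xid, t in trace_transactions(captures).items()}


# Constructed sample captures (not from the thread): (SPAN source, BOOTP payload).
CLIENT_A = bytes.fromhex("001122334455")   # reply stalls at the trusted port
CLIENT_B = bytes.fromhex("0a0b0c0d0e0f")   # exchange completes end to end
SAMPLE_CAPTURES = [
    ("untrusted", build_bootp(1, 0x1A2B3C4D, CLIENT_A, 1)),
    ("trusted", build_bootp(1, 0x1A2B3C4D, CLIENT_A, 1)),
    ("trusted", build_bootp(2, 0x1A2B3C4D, CLIENT_A, 2, bytes([10, 0, 10, 50]))),
    ("untrusted", build_bootp(1, 0x5E6F7081, CLIENT_B, 1)),
    ("trusted", build_bootp(1, 0x5E6F7081, CLIENT_B, 1)),
    ("trusted", build_bootp(2, 0x5E6F7081, CLIENT_B, 2, bytes([10, 0, 10, 51]))),
    ("untrusted", build_bootp(2, 0x5E6F7081, CLIENT_B, 2, bytes([10, 0, 10, 51]))),
]

if __name__ == "__main__":
    for xid, (mac, verdict) in report(SAMPLE_CAPTURES).items():
        print(f"xid 0x{xid:08x} client {mac}: {verdict}")
```

With a real SPAN capture you would strip the Ethernet/IP/UDP headers with whatever pcap reader you have to hand and feed the UDP payload plus the SPAN source port into `report()`; the thread does not name a reader, so none is assumed here. The useful property of keying on the xid rather than the client MAC is that a client retrying every few seconds produces several transactions, and the tool tells you per attempt whether the OFFER stopped at the trusted port (server-side or VLAN problem) or arrived there and was never relayed (the CAS host, its NIC bridging or a host firewall), which is exactly the distinction the post asks you to make.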


wkamil123 Tue, 02/09/2010 - 00:35


Thanks for your reply.

I installed VM Server 2.0 on a workstation running Windows 7, so I figured that maybe the Windows firewall was blocking traffic.

I turned it off and the PC got an IP address from the DHCP server, but on the sixth time the problem came back.

I think that when I change or bounce the port on the switch through the CAS, the MAC address table on the switch ages out after 300 seconds (the default value).

What else I notice is that when I connect the PC to the switch port and it is sending a request for an IP, the port on the switch connected to the CAS untrusted interface blinks green and amber. This port has many CRC errors.

The speed and duplex for this port are in auto mode.


