Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5055
Views
1
Helpful
3
Replies

ISE Profiling: DHCP (IP Helper)

Go to solution
david.wisnoski
Level 1
Level 1

‎10-18-2017 02:04 PM

I've added "ip helper-address <ISE-PSN-IP>" to the interface vlans to which I want to relay DHCP information to ISE.

I'm running ISE on a VM (VMware ESXi, 5.5.0) and currently the Management vmnic's VLAN ID is configured as "None (0)." I'm currently not seeing dhcp information arriving into ISE and am thinking that the vmnic's VLAN ID configuration needs to change to "All (4095)" to allow tagged dhcp packets to be received into ISE.


Right now with the setting of "None (0)," I'm thinking that tagged packets are being dropped and by updating the configuration setting to "All (4095)" that dhcp packets will be received by ISE for it to properly profile endpoints.

Would this be a correct understanding?

If I do change this setting, will the other guestOS' (VMs) remain functional that are using the same vmnic?

1 Accepted Solution

Accepted Solutions

Go to solution
paul
Level 10
Level 10

‎10-18-2017 03:20 PM

The DHCP forwarding is a unicast forwarded packet.  There is no tagging involved.  Remember DHCP forwarding only worked with a clients initial broadcast DHCP request.  DHCP renewals are unicast packets to the DHCP.  ISE will never see those from DHCP forwarding.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
paul
Level 10
Level 10

‎10-18-2017 03:20 PM

The DHCP forwarding is a unicast forwarded packet.  There is no tagging involved.  Remember DHCP forwarding only worked with a clients initial broadcast DHCP request.  DHCP renewals are unicast packets to the DHCP.  ISE will never see those from DHCP forwarding.

0 Helpful

Go to solution
david.wisnoski
Level 1
Level 1
In response to paul

‎10-18-2017 04:00 PM

I have a tap right in front of the vm's management port and see the tagged dhcp forwarded frames. vlan 76 DHCP Discover, Offer, Request, Ack are being received into the vm, but they're not being processed by ISE to use for profiling.

tcpdump-v2.PNG

Perhaps I have something configured incorrectly on the L3 switch?

I just used the "ip helper-address <ISE-PSN-IP>" and assumed that this would forward all DHCP traffic to ISE-PSN-IP.

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to david.wisnoski

‎10-18-2017 04:37 PM

Much of that DHCP is local broadcasts on a VLAN that is on the trunk link going to the VM environment.  The IP helper-address command is all you need.  The only packets intercepted by the IP helper command are broadcasted DHCP packets on the VLAN the IP helper command is running on.  Those would be the DHCP Discover and the DHCP Request packets.  The DHCP Request packet is only a broadcast the very first time the system gets a DHCP address.  If the system stays on the network the DHCP Request will happen when the client is renewing its DHCP lease and it will be a Unicast packet to the DHCP server that gave the client the IP address.

If you have IP Helpers on the client VLANs you will see DHCP Discovers and Requests for new IP addresses unicasted to the ISE PSN IP addresses.

0 Helpful
Customers Also Viewed These Support Documents