Conflicting uses of "ip dhcp-server" -- design flaw?

Discussion in 'Cisco' started by kenw@kmsi.net, Aug 14, 2005.

  1. Guest

    I have a 1841 I'm trying to configure as a VPN server to access a Windows
    domain-based network from the Internet.

    The key points:

    1) the WAN Ethernet interface _must_ be configured as a DHCP client of the
    ISP. They do not assign true statics.

    2) I'd much prefer that my VPN clients receive their settings via the DHCP
    server on the Windows domain controller on the LAN.

    I can do one or the other, but not both. The reason boils down to having
    to use "ip dhcp-server" to specify the LAN DHCP server for the VPN, and
    when I do that, the WAN Ethernet interface cannot receive its assignment
    from the ISP.

    I've been talking to Cisco support, but the people I'm getting seem to have
    trouble understanding the problem, let alone resolving it. They say things
    like IOS can't do point 2, which I've done for years.

    A bit more detail:

    Configuring a DHCP server for _serving_ my VPN clients:

    ip dhcp-server x.x.x.x
    interface Virtual-Template1
    peer default ip address dhcp

    Configuring my Ethernet WAN interface to act as a DHCP _client_ of my ISP:

    ip dhcp-server y.y.y.y
    interface FastEthernet0/1
    ip address dhcp

    Unfortunately, it appears it never occurred to Cisco's developers that a
    router might play both roles. The command "ip dhcp-server" has two uses
    which conflict with each other.

    I've looked at helper-address stuff, but it appears to be quite
    inappropriate.

    Anybody got any ideas for a workaround?

    /kenw
    Ken Wallewein
    K&M Systems Integration
    Phone (403)274-7848
    Fax (403)275-4535

    www.kmsi.net
    , Aug 14, 2005
    #1

  2. Guest Guest

    It can and it has. I do not know which of my colleagues told you that but
    maybe he was tripping in our world of cases.

    1) You do not have to specify the second dhcp server address for the
    ethernet interface to be able to get its ip.

    2) add this...

    resource-pool disable
    ip address-pool dhcp-proxy-client (this will do the proxy for your windows server)

    3) let me know if it worked (of course i'll not be here until tomorrow hehe)

    4) if it didn't work i will need a sniffer capture (in .cap format) from the
    ethernet (wan side) and ethernet (lan side) while the negotiation is in
    progress. let us know...........
    --


    2nd Law of Thermodynamics: Chaos will Reign.

    ///////////////////
    --Anthrax--
    //////////////////



    Posted Via Usenet.com Premium Usenet Newsgroup Services
    ----------------------------------------------------------
    ** SPEED ** RETENTION ** COMPLETION ** ANONYMITY **
    ----------------------------------------------------------
    http://www.usenet.com
    Guest, Aug 14, 2005
    #2

  3. Guest

    Well, it'd be nice to know how to reach someone at Cisco who knows what
    he's talking about. It's frustrating when I get that kind of answer. I
    guess they can't have CCIEs manning the phones, but the escalation could be
    a lot more effective.

    Had a problem with your "resource-pool disable" -- this router doesn't
    recognize "resource-pool". Guess that means it's permanently disabled,
    eh? I'm running C1841-ADVSECURITYK9-M, Version 12.4(1a), which is what
    the router was shipped with. The configuration does list a "resource
    policy" line with no options. Digging through the docs isn't very
    illuminating, and certainly doesn't lead to anything appropriate for a
    single-router site.

    Further testing/sniffing: if I use "ip dhcp-server x.x.x.x", the WAN
    interface sends DHCP requests but ignores the responses. As soon as I
    removed it, the interface picked up an address. Once I added "ip
    address-pool dhcp-proxy-client" and tried a VPN connection, the VPN picked
    up an appropriate address from the LAN DHCP-server. WAN DHCP still works
    fine.

    Interestingly, I saw a VPN-triggered DHCP request packet on the WAN
    interface, with source IP address of the router's LAN interface. Looks
    like that command caused the router to proxy-forward the query on both WAN
    and LAN interfaces. Not at all clear from the docs I read.

    This reinforces my impression that Cisco documentation is chronically,
    miserably unclear. I'm beginning to wonder whether IOS is just a monster
    nobody can grasp. The various aspects of DHCP are spread all over, with
    little interconnection, and no reference at all to the kind of issue I
    encountered.

    And it looks like a bit of filtering is in order: I'm running NAT, so
    there's no way that inside source address should have gone outside.

    Thanks for your help!

    /kenw



    , Aug 14, 2005
    #3
  4. Guest Guest

    Well, i have to say that i understand your frustration. The problem is not
    whether all of us are CCIEs or not; technologies (inside of Cisco) are
    literally a world, everyone is so much specialized (needed for the job) that
    sometimes knowledge of some other areas is overlooked.

    from our docs...


    http://www.cisco.com/en/US/products...erence_chapter09186a00804a955c.html#wp1195367


    " Defaults
    The IP limited broadcast address of 255.255.255.255 is used for transactions
    if no DHCP server is specified. This default allows automatic detection of
    DHCP servers."

    It is "expected" that your interface will try to get an ip address from the
    dhcp server specified (since you had specified it with that command). As the
    coding goes, once you add ip address-pool dhcp-proxy-client, the proxy
    client status will be added only to all async interfaces (and not to the
    ethernet, and that's the reason why it is dropped). Share your thoughts!



    P.S. If you don't mind i would like you to comment that clsalaza helped you
    on this. The feedback is important for *me*.




    Guest, Aug 14, 2005
    #4
  5. Guest

    Interesting. You make it all sound so reasonable. But...

    The docs mention using "no peer default ip address" to prevent using dhcp
    proxy on a specific interface. Don't seem to be able to apply it to the
    WAN Ethernet interface. Kinda dumb. I really only want to use dhcp proxy
    on my WAN, and I know the server's address, but if I use it with
    dhcp-server, everything breaks. I'd rather not have my VPN clients
    advertising on the Internet for their settings. I still think I should be
    able to specify a dhcp-server in a virtual-template. I can specify a
    helper-address, but that's not the same thing.

    Guess I can apply an outbound access rule.

    BTW, I'm configuring security and firewall stuff. Know of any "best
    practices" docs for CBAC "ip inspect" etc? Is it better to "ip inspect"
    everything, or as little as possible, disregarding load/performance
    concerns?

    And thanks, I certainly will mention your help!

    /kenw


    , Aug 15, 2005
    #5
  6. Guest

    wrote:

    >I really only want to use dhcp proxy on my WAN, and I know the server's address,

    ^^^

    Ooops! I meant LAN, of course!

    /kenw
    , Aug 15, 2005
    #6
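The configuration Ken ends up with in #3, together with the egress filter he proposes in #5, consolidated here as an added example; it is not a configuration that was posted in the thread. FastEthernet0/1 and Virtual-Template1 are the interface names from the thread. FastEthernet0/0 as the LAN interface, the 192.168.1.0/24 LAN, the router's 192.168.1.1 address, the NAT statements and the ACL name are assumptions, and the PPP/VPDN side that makes Virtual-Template1 usable is not on the page and is left out.

```cisco
! Global DHCP settings.
! Deliberately NO "ip dhcp-server x.x.x.x" line: as found in #3, that global
! command also binds the WAN DHCP *client* to x.x.x.x, so FastEthernet0/1
! sends requests but ignores the ISP's offers. Without it the proxy client
! falls back to the 255.255.255.255 broadcast quoted from the docs in #4.
ip address-pool dhcp-proxy-client
!
! Egress filter for FastEthernet0/1 (assumption: the LAN is 192.168.1.0/24).
! Inside-to-outside NAT happens before the outbound ACL is evaluated, so
! translated traffic carries the WAN address and passes; anything that still
! has an inside source address when it reaches the WAN is dropped and logged.
ip access-list extended WAN-OUT
 deny   ip 192.168.1.0 0.0.0.255 any log
 permit ip any any
!
! Assumed LAN interface and address.
interface FastEthernet0/0
 description LAN (address is an assumption, not from the thread)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! WAN: plain DHCP client of the ISP, no server address pinned.
interface FastEthernet0/1
 description WAN - DHCP client of the ISP
 ip address dhcp
 ip nat outside
 ip access-group WAN-OUT out
!
! VPN peers: addresses come from the LAN DHCP server via the proxy client.
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address dhcp
```

Two caveats before relying on WAN-OUT for the leak Ken observed. An outbound ACL on IOS filters transit traffic only; packets the router generates itself, which includes the proxy DHCP request seen on the WAN with the LAN interface's source address, are not subject to it, so the ACL counters will not show that leak and a capture on the WAN segment remains the way to confirm whether it still happens. And if the ISP hands out an RFC 1918 address on FastEthernet0/1, do not widen the deny lines to the whole private ranges, or NAT-translated traffic will be dropped as well. `show dhcp lease` shows whether the WAN client actually obtained a lease once the global `ip dhcp-server` line is gone.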
  7. Guest Guest

    The DHCP process runs as a whole in the router/switch. If a dhcp server is
    assigned via the ip dhcp-server command and the server is reachable via the
    routing table or a directly connected interface, and the router/switch
    interface is running as a client, it will try to get its ip address via that
    server and from any server that answers its query via broadcast on the
    interface itself. Since there was a specification of the dhcp server, the
    client gives priority to its answer and gets that ip (if there was any).
    When the proxy client service is initialized the router will assume that
    there's a proxy in place for some interfaces (all async, and still
    forwarding the others but not with the same priority in which the answer
    will be taken); ergo the ethernet client, when run, gets both answers (if at
    the same time or around it) and will take first the address that comes from
    the interface itself. This is actually what the development team intended
    for the router/switch image; otherwise it is an access server (AS) and not a
    router/switch. Interesting is, however, that this is not the first time that
    the products' features tend to overlap.

    Regarding your question of what's better, to inspect everything or less:
    well, balance is the key. The tighter the security is in your network, the
    more useless it is; the more relaxed, the more functional and dangerous. The
    milestone is to inspect the applications and contexts critical in a security
    aspect. Disappointed by not getting an absolute answer? Well, implementing
    security is nothing trivial and the answer is still the same: balance. For
    you to know exactly what you need to inspect you need to understand first
    what the organization expects from security and what apps they need to be
    secured.

    Always follow SAFE for ECN.

    here are some of my favorites to understand what can be achieve and
    explaining the importance of balance.. enjoy..........

    some new acquisition that really amuses..

    http://newsroom.cisco.com/dlls/tln/.../index.html?Show=boston_busch&Connection=fast

    the whole page

    http://newsroom.cisco.com/dlls/tln/content/best_practice_sharing.html

    defense in depth
    http://www.cisco.com/en/US/about/ac...out_cisco_packet_feature0900aecd800e0154.html



    Guest, Aug 15, 2005
    #7
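A CBAC policy that applies the "inspect what the organization actually uses" balance described above, added here as an example rather than taken from the thread. FastEthernet0/1 is the WAN interface from the thread; the inspection rule name LAN-OUT and the ACL name WAN-IN are assumptions. Since the thread never says which VPN protocol terminates on Virtual-Template1, the permits for it are left as remarks to be filled in for the protocol actually in use.

```cisco
! Inspect only what the LAN actually initiates: generic TCP and UDP state
! tracking plus ICMP for ping/traceroute replies. Application-specific
! inspections (http, ftp, ...) are added only when those protocols are in
! use, which keeps the policy small enough to reason about.
ip inspect name LAN-OUT tcp
ip inspect name LAN-OUT udp
ip inspect name LAN-OUT icmp
ip inspect audit-trail
!
! Unsolicited traffic allowed to arrive on the WAN. CBAC punches the return
! holes for LAN-OUT sessions into this ACL dynamically, so it only has to
! list what the router itself must accept.
ip access-list extended WAN-IN
 remark DHCP offers/acks from the ISP to the WAN DHCP client
 permit udp any eq bootps any eq bootpc
 remark VPN: the thread does not say which protocol is in use; add the matching lines
 remark   PPTP  -> permit tcp any any eq 1723 / permit gre any any
 remark   IPsec -> permit udp any any eq isakmp / permit udp any any eq non500-isakmp / permit esp any any
 remark everything else is dropped and logged, so stray traffic shows up in the log
 deny   ip any any log
!
interface FastEthernet0/1
 ip access-group WAN-IN in
 ip inspect LAN-OUT out
```

The inspection is applied outbound on the WAN interface so that sessions started from the LAN are tracked and their return traffic is admitted through WAN-IN; nothing else reaches the router or the LAN from the outside unless it is listed explicitly. Check `show ip inspect sessions` while a LAN host has a connection open to confirm the dynamic entries appear, and `show ip access-lists WAN-IN` for the deny counter before and after a change.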
  8. On Sun, 14 Aug 2005 18:24:07 GMT, wrote:

    ~ Well, it'd be nice to know how to reach someone at Cisco who knows what
    ~ he's talking about. It's frustrating when I get that kind of answer. I
    ~ guess they can't have CCIEs manning the phones, but the escalation could be
    ~ a lot more effective.

    If you're not getting satisfactory technical support from TAC,
    then I'd recommend that you escalate your case.

    Regards,

    Aaron

    ---


    http://www.cisco.com/kobayashi/news_training/tac_overview.html#howcaniescalate

    How can I escalate a service request?

    If you feel that progress on your service request or the quality
    of service is not satisfactory, Cisco encourages you to escalate
    your request to the appropriate level of Cisco management. You
    can do this by asking for the TAC Duty Manager. The TAC Duty Manager
    will take ownership of the problem and provide you with updates.

    The Cisco TAC Duty Manager can be contacted using the telephone numbers at: www.cisco.com/techsupport/contacts.
    Aaron Leonard, Aug 15, 2005
    #8
