CLEANACCESS Archives

November 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From:
"Rajesh Nair (rajnair)" <[log in to unmask]>
Reply To:
Cisco Clean Access Users and Administrators <[log in to unmask]>
Date:
Thu, 16 Nov 2006 13:10:59 -0800
Content-Type:
text/plain
Parts/Attachments:
text/plain (104 lines)
Oh, now it is very clear.  
It's because the CAS is a virtual gateway.  When the CAS is a virtual
gateway, it expects all the machines on its managed subnets to be on the
untrusted side.  That is why broadcasts get across and unicasts do not.


In the manual, we have indicated that there should be nothing (that
users want to get to) on the CAS's subnet on the trusted side when the
CAS is a virtual gateway.

My suggestions are as follows - either re-address the CAS or the DHCP
server so that the DHCP server is no longer on the same subnet as the
CAS. 

-Rajesh.

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of William Doyle
Sent: Thursday, November 16, 2006 6:50 AM
To: [log in to unmask]
Subject: Re: filter/dhcp

No. 1 CAS in virtual gateway mode. The 2 instances represent the
trusted/untrusted interfaces.

Bill

> User is going through 2 CASs to get to DHCP server?
>
> -Rajesh.
>
>
> -----Original Message-----
> From: Cisco Clean Access Users and Administrators 
> [mailto:[log in to unmask]] On Behalf Of William Doyle
> Sent: Wednesday, November 15, 2006 8:50 AM
> To: [log in to unmask]
> Subject: Re: filter/dhcp
>
> Sorry,
>
> The topology is DHCP server <--> CAS <--> router <--> CAS <---> user
>
> The DHCP server is on the same subnet as the CAS.
>
> The router has helper addresses and without a filter the machine can 
> release/renew no problem.
>
> I applied the filter (which redirected properly) and released the 
> address, this release is logged in the DHCP server.
>
> The renewal failed and there is no log of a request on the server.
>
> Bill
>
>
>
> At 10:41 AM 11/14/2006, Rajesh Nair (rajnair) wrote:
>>Bill,
>>
>>The network topology that fails is not very clear from your email.
>>
>>Is it DHCP Server <--> Router/L3 switch <--> CAS <--> Router/L3 switch
>><--> User ?
>>
>>If so, do you have helper addresses defined on the router near the
>>user?
>>Also, do you have DHCP relay enabled on the CAS?  Do you see requests 
>>coming into the DHCP server?  Into the CAS (/var/log/dhcplog)?
>>
>>-Rajesh.
>>
>>-----Original Message-----
>>From: Cisco Clean Access Users and Administrators 
>>[mailto:[log in to unmask]] On Behalf Of William Doyle
>>Sent: Tuesday, November 14, 2006 9:23 AM
>>To: [log in to unmask]
>>Subject: filter/dhcp
>>
>>Good Day,
>>
>>I'm hoping the solution to this is one of those embarrassingly obvious
>>ones.
>>
>>I created a role for copyright violators and allow all IP traffic to a
>>DNS server, a DHCP server and a web server with a message regarding
>>their violation. I then created a filter of the violators MAC and
>>assign them to the copyright role.
>>
>>I tested it on the same subnet as the DHCP server and everything was
>>fine.
>>However, it is not possible to obtain or renew an address across a
>>router.
>>
>>Without filtering DHCP is OK.
>>
>>Thanks,
>>
>>Bill Doyle
>

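A small Python model of the forwarding rule Rajesh gives above for a CAS in virtual gateway mode, added here as an example (it is not Cisco code and was not posted in the thread). The subnet and addresses are constructed, and the rule is a simplification of his explanation rather than Cisco's implementation; it also includes the configuration check his suggestion implies, that the DHCP server must not sit in a managed subnet of a virtual-gateway CAS.

```python
"""Model of the failure described in the thread: a Clean Access Server (CAS)
in virtual gateway mode treats every host on its managed subnets as untrusted,
so broadcasts cross it while unicasts addressed into a managed subnet do not.
Simplified model based on Rajesh's explanation; not Cisco's implementation."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

BROADCAST = IPv4Address("255.255.255.255")


@dataclass
class VirtualGatewayCAS:
    # Subnets the CAS manages (constructed example values in the usage below).
    managed_subnets: tuple

    def forwards_to_trusted(self, dst_ip: str) -> bool:
        """Broadcasts always cross the CAS.  A unicast whose destination lies
        inside a managed subnet is assumed to be on the untrusted side, so it
        is never forwarded out of the trusted interface."""
        dst = IPv4Address(dst_ip)
        if dst == BROADCAST:
            return True
        return not any(dst in net for net in self.managed_subnets)


def dhcp_server_misplaced(cas: VirtualGatewayCAS, dhcp_server_ip: str) -> bool:
    """Configuration check: a DHCP server on the trusted side inside the CAS's
    own managed subnet is the layout the manual says to avoid."""
    server = IPv4Address(dhcp_server_ip)
    return any(server in net for net in cas.managed_subnets)


def renewal_outcome(cas: VirtualGatewayCAS, dhcp_server_ip: str) -> tuple:
    """DHCPDISCOVER is broadcast; a RENEWING-state DHCPREQUEST is unicast
    straight to the server (RFC 2131).  Returns (discover_ok, renew_ok)."""
    return (cas.forwards_to_trusted(str(BROADCAST)),
            cas.forwards_to_trusted(dhcp_server_ip))


if __name__ == "__main__":
    # Constructed topology: CAS manages 10.1.1.0/24, DHCP server at 10.1.1.5.
    cas = VirtualGatewayCAS(managed_subnets=(IPv4Network("10.1.1.0/24"),))
    print("misplaced:", dhcp_server_misplaced(cas, "10.1.1.5"))   # True
    print("discover/renew:", renewal_outcome(cas, "10.1.1.5"))     # (True, False)
    # After re-addressing the DHCP server onto another subnet, as suggested.
    print("discover/renew:", renewal_outcome(cas, "10.2.2.5"))     # (True, True)
```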