IEOC CCIE Forums

IEOC - INE's Online Community
Latest post 11-29-2016 12:59 AM by timaz. 16 replies.
  • 08-12-2016 1:52 AM

    • timaz
    • Top 75 Contributor
    • Joined on 07-04-2009
    • turkey, ankara
    • Elite
    • Points 6,985

    a question regarding helper-address

    Hi;


    In the case where we have a PC connected to an IP phone, the phone is connected to the switch port, and we have ISE in place to authenticate the phone with MAB and then the PC with whatever else, where do we need to forward the broadcast messages with the "helper-address" command on the gateway? Documents have stated that we need to forward the initial phone messages toward ISE, so ISE can do the Change of Authentication process. But because phones need to obtain configuration files from the TFTP server (which is the same as CUCM in my lab), do we need to forward them toward the TFTP/CUCM as well as to the ISE?

    Timaz Mohsenzadeh

    TCPuniverse.com

    Ciscoworlds@gmail.com

    • Post Points: 50
  • 08-12-2016 1:22 PM In reply to

    Re: a question regarding helper-address

    We don't need to forward them towards TFTP/CUCM. Helper-address is for DHCP packets; if IP phones are getting IPs from DHCP servers then forward to the DHCP server and ISE, but there is no need to forward towards TFTP/CUCM.

    HTH

    • Post Points: 5
  • 08-15-2016 7:31 PM In reply to

    Re: a question regarding helper-address

    That's a good question! My first reaction is that you do... worth testing whether you don't need it.

    • Post Points: 5
  • 08-21-2016 5:31 AM In reply to

    • JoeM
    • Top 10 Contributor
    • Joined on 04-15-2012
    • Guadalajara, Mexico
    • Elite
    • Points 31,545

    Re: a question regarding helper-address

    Hello Timaz,

    These are two different things, right?

    • The helper-address job is to "help" get a DHCP address from the DHCP server.
    • MAB is authentication via AAA and the authentication server address.

    The DHCP server will provide the tftp-server-address with option 66 along with the dhcp address, gateway, dns, etc. After the device gets its IP address, then it can communicate with the tftp server for its config files (normal routing).

    • Post Points: 20
  • 08-21-2016 11:30 PM In reply to

    Re: a question regarding helper-address

    In the ISE context, DHCP packets are used to profile the device in question. But again it depends upon the profiler probes configured. If DHCP probes are configured then we need to send DHCP packets to the ISE nodes.

    Best Regards,

    • Post Points: 20
  • 10-05-2016 4:34 AM In reply to

    • timaz
    • Top 75 Contributor
    • Joined on 07-04-2009
    • turkey, ankara
    • Elite
    • Points 6,985

    Re: a question regarding helper-address

    Hi all again;

    I was busy and couldn't check the forum for a while, but now I'm here to continue from where I left off.

    Actually I want to test a scenario where the PC is connected to a Cisco phone and the phone is connected to a switch port. My goal is initially authenticating the phone through MAB, then configuring CoA on the switch and ISE so that ISE recognizes the phone (profiles it) and pushes the switch port to be placed into a voice VLAN. Then, at the end, I want to authenticate the PC.

    As the first step I created a separate VLAN (VLAN 500 in my case) for the voice VLAN on the switch directly connected to the phone and configured a DHCP pool on the switch to service the requests coming from the phone. This VLAN exists only on the switch.

    I have some questions regarding this topology.

    1. After turning on the phone, it will initially be a member of the data VLAN, so we need to use the "helper-address" command on the data VLAN SVI on the switch. Am I right? (The default gateway of the data VLAN is on another device, rather than the switch.)

    2. What is the correct configuration on the switch port to set the data and voice VLANs? Do we need to use explicitly configured commands on the switch port for this?

    regards;

    Timaz Mohsenzadeh

    TCPuniverse.com

    Ciscoworlds@gmail.com

    • Post Points: 20
  • 10-05-2016 9:58 AM In reply to

    • DennisD
    • Top 25 Contributor
    • Joined on 02-26-2010
    • Northern Virginia
    • Elite
    • Points 10,065

    Re: a question regarding helper-address

    timaz:

    1. After turning on the phone, it will initially be a member of the data VLAN, so we need to use the "helper-address" command on the data VLAN SVI on the switch. Am I right? (The default gateway of the data VLAN is on another device, rather than the switch.)

    Configure the helper address on the layer 3 VLAN interface, wherever that is.

    2. What is the correct configuration on the switch port to set the data and voice VLANs? Do we need to use explicitly configured commands on the switch port for this?

    Sample data/voice configuration on an access port doing mab:

    switchport access vlan xxx
    switchport mode access
    switchport voice vlan yyy
    authentication event server dead action authorize 
    authentication event server alive action reinitialize 
    authentication host-mode multi-auth
    authentication port-control auto
    authentication timer inactivity 300
    mab


    • Post Points: 20
  • 10-13-2016 5:25 AM In reply to

    • timaz
    • Top 75 Contributor
    • Joined on 07-04-2009
    • turkey, ankara
    • Elite
    • Points 6,985

    Re: a question regarding helper-address

    Hi;

    I'm getting this error on the switch:


    %PM-4-ERR_DISABLE: security-violation error detected on Gi0/8, putting Gi0/8 in err-disable state

    %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet0/8, new MAC address (38ed.1855.787c) is seen.AuditSessionID  000000000000001B016E5E5F

    As I said, the PC is connected to the phone and the phone is connected to the switch g0/8 port. As soon as I enable the switch port, the PC is put into the data VLAN, but after the switch learns the phone's MAC, I get the error above and the port goes disabled. My configuration on g0/8 is as follows:

    interface GigabitEthernet0/8
     switchport mode access
     switchport voice vlan 500
     authentication host-mode multi-domain
     authentication port-control auto
     mab
     dot1x pae authenticator
     spanning-tree portfast

    any idea?

    Timaz Mohsenzadeh

    TCPuniverse.com

    Ciscoworlds@gmail.com

    • Post Points: 35
  • 10-13-2016 11:59 AM In reply to

    • DennisD
    • Top 25 Contributor
    • Joined on 02-26-2010
    • Northern Virginia
    • Elite
    • Points 10,065

    Re: a question regarding helper-address

    Try removing "dot1x pae authenticator"; I believe that disables multi-host authentication.

    Also, side note: I do not see where you have specifically identified a data VLAN, unless you are looking for it to default to VLAN 1.

    • Post Points: 35
  • 10-14-2016 4:04 AM In reply to

    • timaz
    • Top 75 Contributor
    • Joined on 07-04-2009
    • turkey, ankara
    • Elite
    • Points 6,985

    Re: a question regarding helper-address

    DennisD:

    Try removing "dot1x pae authenticator"; I believe that disables multi-host authentication.

    Also, side note: I do not see where you have specifically identified a data VLAN, unless you are looking for it to default to VLAN 1.

    I'm using the default VLAN (VLAN 1) as the data VLAN. I also removed "dot1x pae authenticator" and the same error appeared on the screen. This time it didn't even show me the username/password screen on my PC monitor.

    Timaz Mohsenzadeh

    TCPuniverse.com

    Ciscoworlds@gmail.com

    • Post Points: 5
  • 10-14-2016 6:14 AM In reply to

    Re: a question regarding helper-address

    This is not correct; on most platforms, after you enable authentication on the port with "authentication port-control auto", this command shows up in the port configuration, otherwise you'll have to put it in manually, as this enables dot1x on the port. The command tells the switch its role in the authentication process, being the authenticator: "dot1x PortAuthenticationEnable authenticator".

    DennisD:

    Try removing "dot1x pae authenticator"; I believe that disables multi-host authentication.

    Also, side note: I do not see where you have specifically identified a data VLAN, unless you are looking for it to default to VLAN 1.

    Cristian Matei, CCIE #23684 (SC/R&S)
    cmatei@ine.com


    InternetworkExpert Inc.
    http://www.ine.com
    Online Community: http://www.ieoc.com
    CCIE Blog: http://blog.ine.com


    • Post Points: 20
  • 10-14-2016 6:20 AM In reply to

    • timaz
    • Top 75 Contributor
    • Joined on 07-04-2009
    • turkey, ankara
    • Elite
    • Points 6,985

    Re: a question regarding helper-address

    cristian.matei:
    This is not correct; on most platforms, after you enable authentication on the port with "authentication port-control auto", this command shows up in the port configuration, otherwise you'll have to put it in manually, as this enables dot1x on the port. The command tells the switch its role in the authentication process, being the authenticator: "dot1x PortAuthenticationEnable authenticator".

    Hi Cristian.

    So what might be the cause of the "security violation" error on the switch?

    Timaz Mohsenzadeh

    TCPuniverse.com

    Ciscoworlds@gmail.com

    • Post Points: 5
  • 10-14-2016 6:21 AM In reply to

    Re: a question regarding helper-address

    As you run in multi-domain mode, which is correct based on the fact that you have a phone and a PC behind it: in this mode the switch allows one MAC address in the data domain and one MAC address in the voice domain. The problem is that the phone boots up and sends untagged frames, which the switch associates with the data VLAN; the phone then learns about the voice domain from CDP packets from the switch and starts sending tagged frames with the voice VLAN tag. At this point the switch has one MAC address in both the data VLAN and the domain VLAN (the phone's), after which the PC shows up, the switch sees a new MAC address in the data domain and a violation occurs, with the default action being shutdown/errdisable, just like in the case of port-security. As you run MAB or dot1x on the port, port-security is built in and the switch allows a different number of MAC addresses in the data and voice domains based on the host-mode you run.

    To fix the problem, configure "authentication violation replace" so that the switch will delete the MAC address of the phone from the data VLAN. In real-life scenarios you don't run into this problem, as the phone is always connected, so the switch only learns it in the voice domain.

    Cristian Matei, CCIE #23684 (SC/R&S)
    cmatei@ine.com


    InternetworkExpert Inc.
    http://www.ine.com
    Online Community: http://www.ieoc.com
    CCIE Blog: http://blog.ine.com


    • Post Points: 20
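    To make the sequence Cristian describes concrete, here is an added Python model of a multi-domain port (written for this thread; it is not Cisco code and does not reproduce IOS internals). It replays the three events from his post, the phone seen untagged in the data domain, then tagged in the voice domain, then the PC appearing in the data domain, and shows what each "authentication violation" mode does when a domain already holds its one allowed MAC. The one-MAC-per-domain limit follows his description; the phone MAC is the one from the AUTHMGR syslog above, the PC MAC is constructed.

```python
"""Toy model of an IOS access port in 'authentication host-mode multi-domain'.

Added illustration for the post above, not Cisco code. It replays the sequence
described there and shows how the configured 'authentication violation' mode
decides between err-disable, dropping the frame, and replacing the stale MAC.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

DATA, VOICE = "DATA", "VOICE"
# One MAC per domain is what multi-domain allows (per the post above)
DOMAIN_LIMIT = {DATA: 1, VOICE: 1}


@dataclass
class Port:
    voice_vlan: int
    violation: str = "shutdown"   # IOS default action: err-disable the port
    sessions: Dict[str, Set[str]] = field(
        default_factory=lambda: {DATA: set(), VOICE: set()})
    errdisabled: bool = False
    log: List[str] = field(default_factory=list)

    def frame(self, mac: str, vlan_tag: Optional[int]) -> str:
        """Process one ingress frame; return the outcome for that MAC."""
        if self.errdisabled:
            self.log.append(f"{mac}: dropped, port err-disabled")
            return "dropped"
        # Frames tagged with the voice VLAN belong to the voice domain,
        # untagged frames to the data domain.
        domain = VOICE if vlan_tag == self.voice_vlan else DATA
        macs = self.sessions[domain]
        if mac in macs:
            return "existing"
        if len(macs) < DOMAIN_LIMIT[domain]:
            macs.add(mac)
            self.log.append(f"{mac}: session created in {domain} domain")
            return "authenticated"
        # The domain already holds its one MAC: a security violation.
        if self.violation == "replace":
            old = macs.pop()
            macs.add(mac)
            self.log.append(f"{mac}: replaced {old} in {domain} domain")
            return "replaced"
        if self.violation == "restrict":
            self.log.append(f"{mac}: violation in {domain} domain, frame dropped, port stays up")
            return "restricted"
        self.errdisabled = True
        self.log.append(f"{mac}: violation in {domain} domain, port err-disabled")
        return "errdisabled"


PHONE = "38ed.1855.787c"   # MAC from the thread's AUTHMGR-5-SECURITY_VIOLATION message
PC = "0011.2233.4455"      # constructed MAC for the PC behind the phone


def boot_sequence(violation: str) -> Port:
    """Phone powers up behind the port, then the PC behind the phone wakes up."""
    port = Port(voice_vlan=500, violation=violation)
    port.frame(PHONE, None)   # phone boots: untagged frames land in the data domain
    port.frame(PHONE, 500)    # after CDP tells it the voice VLAN, the phone tags its frames
    port.frame(PC, None)      # PC sends untagged: the data domain already holds the phone
    return port


if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "replace"):
        p = boot_sequence(mode)
        print(f"--- authentication violation {mode} ---")
        print("\n".join(p.log))
        print("data:", sorted(p.sessions[DATA]), "voice:", sorted(p.sessions[VOICE]),
              "errdisabled:", p.errdisabled)
```

    Running it shows the outcome per mode: with the default the port is err-disabled and both domains still hold the phone's MAC; with "replace" the phone's stale data-domain entry is dropped and the PC takes its place while the phone keeps its voice session.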
  • 10-17-2016 3:59 AM In reply to

    • timaz
    • Top 75 Contributor
    • Joined on 07-04-2009
    • turkey, ankara
    • Elite
    • Points 6,985

    Re: a question regarding helper-address

    cristian.matei:

    As you run in multi-domain mode, which is correct based on the fact that you have a phone and a PC behind it: in this mode the switch allows one MAC address in the data domain and one MAC address in the voice domain. The problem is that the phone boots up and sends untagged frames, which the switch associates with the data VLAN; the phone then learns about the voice domain from CDP packets from the switch and starts sending tagged frames with the voice VLAN tag. At this point the switch has one MAC address in both the data VLAN and the domain VLAN (the phone's), after which the PC shows up, the switch sees a new MAC address in the data domain and a violation occurs, with the default action being shutdown/errdisable, just like in the case of port-security. As you run MAB or dot1x on the port, port-security is built in and the switch allows a different number of MAC addresses in the data and voice domains based on the host-mode you run. To fix the problem, configure "authentication violation replace" so that the switch will delete the MAC address of the phone from the data VLAN. In real-life scenarios you don't run into this problem, as the phone is always connected, so the switch only learns it in the voice domain.

    Hi;

    After I turned on the servers again, nothing works; even the phones are unregistered. For the sake of clarity, I'll explain my simple topology, in which I have a 3560 switch. Port g0/8 is connected to the phone and the phone is connected to a PC. Other ports on the switch are members of the default VLAN 1, which is our data VLAN. ISE (10.1.150.152) and CUCM (10.1.150.150) are inside VLAN 1 too, and I changed their default gateway to point to the switch (IP 10.1.1.154/16). I created a separate VLAN for the voice VLAN (VLAN 500), then added a Vlan500 interface with the IP 192.168.250.2/24, and finally configured the switch to be the default gateway for both VLAN 1 and VLAN 500. I also turned IP routing on the switch on, enabled the DHCP server service on the switch and configured a pool as you'll see below. Reachability is OK, and a ping with Vlan500 as the source interface toward the ISE and CUCM completed successfully.

    The RADIUS live log page on the ISE shows both authentication and dACL download were successful.

    Policy Server: cisco-ise
    Event 5200 Authentication succeeded
    Username: 38:ED:18:55:78:7C
    User Type: Host
    Endpoint Id: 38:ED:18:55:78:7C
    Calling Station Id: 38-ED-18-55-78-7C
    Endpoint Profile: Cisco-Device
    Authentication Identity Store: Internal Endpoints
    Identity Group: Profiled
    Audit Session Id: 000000000000000E00F073B6
    Authentication Method: mab
    Authentication Protocol: Lookup
    Service Type: Call Check
    Network Device: Cisco-3560
    NAS IPv4 Address: 10.1.1.154
    NAS Port Id:  GigabitEthernet0/8
    NAS Port Type: Ethernet
    Authorization Profile: TIMAZ_AUTHO-PROFILE1

    EPM logging revealed the following output:

     %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 38ed.1855.787c| AuditSessionID 000000000000000F00F8A536| EVENT APPLY
     %EPM-6-AAA: POLICY xACSACLx-IP-DENY_ALL_TRAFFIC-56161e32| EVENT DOWNLOAD_REQUEST
     %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 38ed.1855.787c| AuditSessionID 000000000000000F00F8A536| EVENT APPLY
     %EPM-6-AAA: POLICY xACSACLx-IP-DENY_ALL_TRAFFIC-56161e32| EVENT DOWNLOAD-SUCCESS
     %EPM-6-IPEVENT: IP 0.0.0.0 MAC 38ed.1855.787c| AuditSessionID 000000000000000F00F8A536| EVENT IP-WAIT

    The result is that the phone couldn't get an IP address from the DHCP pool on the switch and cannot register to the CUCM. I got empty output after issuing the "sh ip dhcp binding" and "sh ip device tracking all" commands on the switch. Here is my consolidated config on the switch, in case you think it is necessary to take a look at it.

    aaa new-model
    aaa group server radius RADIUS_GROUP
     server-private 10.1.150.152 key cisco
    !
    aaa authentication login default group RADIUS_GROUP local
    aaa authentication login CONSOLE_AUTHEN local
    aaa authentication dot1x default group RADIUS_GROUP
    aaa authorization network default group RADIUS_GROUP
    !
    aaa server radius dynamic-author
     client 10.1.150.152 server-key cisco
    !
    ip routing
    ip dhcp database ftp://10.1.3.221/DHCPDB
    ip dhcp excluded-address 192.168.250.1 192.168.250.220
    !
    ip dhcp pool TEST_PoOL
     network 192.168.250.0 255.255.255.0
     option 150 ip 10.1.150.150
     domain-name eb.com.tr
     dns-server 10.1.1.30
     default-router 192.168.250.2
     lease 0 5
    !
    epm logging
    !
    interface GigabitEthernet0/8
     switchport mode access
     switchport voice vlan 500
     authentication host-mode multi-domain
     authentication port-control auto
     authentication violation replace
     mab
     dot1x pae authenticator
     spanning-tree portfast
    !
    interface Vlan1
     ip address 10.1.1.154 255.255.0.0
    !
    interface Vlan500
     ip address 192.168.250.2 255.255.255.0
     ip helper-address 10.1.150.150
    !
    ip default-gateway 10.1.1.1

    Even the "sh ip access-list" command on the switch shows that the "deny ip any any" dACL has been downloaded onto the switch:

    Switch(config)#do sh ip access
    Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
        100 deny udp any any eq domain
        101 deny tcp any any eq domain
        102 deny udp any eq bootps any
        103 deny udp any any eq bootpc
        104 deny udp any eq bootpc any
        105 permit tcp any any eq www
    Extended IP access list preauth_ipv4_acl (per-user)
        10 permit udp any any eq domain
        20 permit tcp any any eq domain
        30 permit udp any eq bootps any
        40 permit udp any any eq bootpc
        50 permit udp any eq bootpc any
        60 deny ip any any
    Extended IP access list xACSACLx-IP-DENY_ALL_TRAFFIC-56161e32 (per-user)
        1 deny ip any any

    Timaz Mohsenzadeh

    TCPuniverse.com

    Ciscoworlds@gmail.com

    • Post Points: 5
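    A check a practitioner would want at this point is whether the per-user ACL the EPM log shows being applied to the session would let the phone's DHCP exchange through at all. The following is an added Python example, not code from the thread or from Cisco: it parses the "show ip access-list" output quoted in the post above (embedded as a sample copied from that output) and evaluates a DHCP DISCOVER (UDP 68 to 67) and the returning OFFER (UDP 67 to 68) against each list under plain first-match semantics with the implicit deny at the end. Assumptions: only "any" address specs with an optional "eq <port>" are modelled, which is all the quoted lists use, and URL-redirect ACLs are skipped by name because there "deny" means "do not redirect" rather than "drop".

```python
"""Check whether per-user ACLs from a 'show ip access-list' capture permit DHCP.

Added example for this thread, not code from the thread or from Cisco.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Named ports as IOS prints them in 'show ip access-list'
PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80}

# Sample input: copied from the output quoted in the post above
SHOW_IP_ACCESS_LIST = """\
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
    100 deny udp any any eq domain
    101 deny tcp any any eq domain
    102 deny udp any eq bootps any
    103 deny udp any any eq bootpc
    104 deny udp any eq bootpc any
    105 permit tcp any any eq www
Extended IP access list preauth_ipv4_acl (per-user)
    10 permit udp any any eq domain
    20 permit tcp any any eq domain
    30 permit udp any eq bootps any
    40 permit udp any any eq bootpc
    50 permit udp any eq bootpc any
    60 deny ip any any
Extended IP access list xACSACLx-IP-DENY_ALL_TRAFFIC-56161e32 (per-user)
    1 deny ip any any
"""


@dataclass
class Entry:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip", "udp" or "tcp"
    sport: Optional[int]   # None means any source port
    dport: Optional[int]   # None means any destination port


HEADER_RE = re.compile(r"^Extended IP access list (\S+)")
ENTRY_RE = re.compile(r"^\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)$")


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _take_addr(toks: List[str]) -> Optional[int]:
    """Consume one address spec ('any', optionally 'eq <port>'); return the port."""
    if toks.pop(0) != "any":
        raise ValueError("only 'any' address specs are modelled here (assumption)")
    if toks and toks[0] == "eq":
        toks.pop(0)
        return _port(toks.pop(0))
    return None


def parse_show_ip_access_list(text: str) -> Dict[str, List[Entry]]:
    """Return {acl name: [entries in order]} from 'show ip access-list' text."""
    acls: Dict[str, List[Entry]] = {}
    current = None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = h.group(1)
            acls[current] = []
            continue
        e = ENTRY_RE.match(line)
        if e and current is not None:
            toks = e.group(4).split()
            sport = _take_addr(toks)
            dport = _take_addr(toks)
            acls[current].append(Entry(int(e.group(1)), e.group(2), e.group(3), sport, dport))
    return acls


def evaluate(acl: List[Entry], proto: str, sport: int, dport: int) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match hits the implicit deny (seq None)."""
    for e in acl:
        if e.proto not in ("ip", proto):
            continue
        if e.sport is not None and e.sport != sport:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e.seq
    return "deny", None


def dhcp_permitted(acls: Dict[str, List[Entry]]) -> Dict[str, bool]:
    """True when both DISCOVER (client->server) and OFFER (server->client) pass.

    URL-redirect ACLs are skipped by name: in those, 'deny' means 'do not
    redirect', not 'drop', so they are not traffic filters.
    """
    result: Dict[str, bool] = {}
    for name, acl in acls.items():
        if "REDIRECT" in name.upper():
            continue
        discover = evaluate(acl, "udp", 68, 67)[0] == "permit"
        offer = evaluate(acl, "udp", 67, 68)[0] == "permit"
        result[name] = discover and offer
    return result


if __name__ == "__main__":
    for name, ok in dhcp_permitted(parse_show_ip_access_list(SHOW_IP_ACCESS_LIST)).items():
        print(f"{name}: DHCP {'permitted' if ok else 'BLOCKED'}")
```

    For the quoted output, preauth_ipv4_acl permits both DHCP directions (entries 50 and 30), while the downloaded xACSACLx-IP-DENY_ALL_TRAFFIC list matches everything on its single "deny ip any any" entry, so a session holding that ACL cannot complete a DHCP exchange while it is applied.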
  • 11-10-2016 4:57 AM In reply to

    • timaz
    • Top 75 Contributor
    • Joined on 07-04-2009
    • turkey, ankara
    • Elite
    • Points 6,985

    Re: a question regarding helper-address

    Hi guys; hope you are doing well. Would you mind taking a look at this simple topology of mine? I've missed something but I don't know what.

    The switch is the default gateway for both VLAN 500 and VLAN 1. The IPs on the switch are shown above. The switch is configured as a DHCP server to assign IPs to phones in VLAN 500. IP phone 2 is connected to g0/7 and I strictly put g0/7 into "access vlan 500". This phone was able to register to CUCM, get an IP from the switch, and its MAC appeared in the switch MAC address table for VLAN 500. But my phone number 1, which is connected to g0/8 of the switch, cannot get an IP from the DHCP server (which is configured on the same switch) and the phone cannot register itself to the CUCM. Analysing the RADIUS logs on the ISE shows that the MAC address of the phone has passed MAB authentication on the ISE and the dACL has been downloaded onto the switch to deny any IP traffic until CoA is received. The command output on the switch looks like this:

    Switch(config-if)#do sh authe sess
    Interface    MAC Address    Method  Domain  Status Fg Session ID
    Gi0/8        38ed.1855.787c mab     DATA    Auth      000000000000002201594FA5
    Session count = 1

    As shown above, the MAC address of the phone has been recognized by the switch but put into the data VLAN (default VLAN 1) rather than the voice VLAN 500. The configuration on g0/8 is the same as in my previous post in this thread.

    The interesting part is that my PC, which is connected to the phone's PC port, can authenticate to the ISE and, as expected, is put into data VLAN 1 by the switch.

    And I got nothing after issuing the "sh ip device tracking all" command. Could you give me a hand in resolving this?

    Timaz Mohsenzadeh

    TCPuniverse.com

    Ciscoworlds@gmail.com

    • Post Points: 20
© 2010 Internetwork Expert, Inc. All Rights Reserved