Spanning-Tree Question

[deanwebb]

Doing NAC stuff... for devices that aren't compliant, we move them to a remediation VLAN. NAC system has full CLI/SNMP RW access to the switches in question.

On the USA switch, all is well.
On the EURO switch, NAC says that it has assigned the device to the remediation VLAN, the switch shows the port in the remediation VLAN, but the device does not get an IP address in the desired range.

Differences between access switches: none, they are the same.

Differences between distribution switches: USA includes the VLAN in spanning-tree (it has a range that includes the VLAN number) and EURO specifies each VLAN in spanning-tree, but does NOT include the VLAN number for the remediation VLAN.

Could that be affecting why the switchports are changed to the correct VLAN, but do not receive a new IP address in that VLAN?

[SimonV]

If you haven't manually defined a STP root bridge it will take the lowest MAC.  But still, it shouldn't cause DHCP to fail.  Are you running DHCP snooping? Did you configure IP Helpers on your remediation VLAN SVI? Are there any access lists on the SVI?

[deanwebb]

If you haven't manually defined a STP root bridge it will take the lowest MAC.  But still, it shouldn't cause DHCP to fail.  Are you running DHCP snooping? Did you configure IP Helpers on your remediation VLAN SVI? Are there any access lists on the SVI?

Thanks, SimonV. We do have IP helpers configured, and that's my next area to check... and I notice that the ones for other VLANs in EURO are different than the ones I have set for the remediation VLAN, but that the USA ones all match up with each other.

I'm thinking we need different helper addresses, maybe the ones the other VLANs on that switch use...

[deanwebb]

... and just got word that we want to use the EURO DHCP servers in EURO, mmmkay?

Nice of them to let me know that *after* I send the code out for the NAC remediation. But, now I know, each region has its own DHCP servers. That's handy information that I can use in real life!