topic 9800 Series Internal Guest DHCP in Wireless

9800 Series Internal Guest DHCP

dstrobel — Wed, 31 Jul 2024 20:48:30 GMT

Hello all,

I am trying to come up with a secure way to run DHCP on 9800 controllers for guest wireless users. To give some context I have about 30 9800's currently deployed with guest access setup through an ISE portal. We currently have guest DHCP running on the firewalls at each location but our security department wants to remove DHCP from them. It looks like the next best option is to run DHCP on the 9800's however I can't find any best practice for doing it securely.

I currently do not have any SVI on the guest vlan but it looks like it will be necessary to add one in order to serve DHCP on the vlan. How do I secure the SVI so that nothing other than DHCP is allowed to the guest vlan?

Thanks in advance

Dan

Re: 9800 Series Internal Guest DHCP

Flavio Miranda — Wed, 31 Jul 2024 21:34:50 GMT

Hi @dstrobel

You can use ACL to allow only DHCP traffic on the SVI:

access-list xxx permit udp any eq bootpc any eq bootps

access-lis txxx deny ip any any

Re: 9800 Series Internal Guest DHCP

dstrobel — Wed, 31 Jul 2024 21:58:30 GMT

Thank you sir, I'm sorry I should have also mentioned I have a punt acl for the guests to get to DNS and ISE before registration:

ip access-list extended ACL_WEBAUTH_REDIRECT
10 deny ip any host x.x.x.x
15 deny ip any host x.x.x.x
20 deny ip host x.x.x.x any
25 deny ip host x.x.x.x any
30 deny udp any any eq domain
40 deny udp any eq domain any
50 permit tcp any any eq www

I'm guessing this needs a permit udp any eq bootpc any eq bootps added as well?

Re: 9800 Series Internal Guest DHCP

MHM Cisco World — Wed, 31 Jul 2024 22:04:36 GMT

in WLC CLI use

access-list MHM-DHCP permit udp any eq bootpc any eq bootps

then apply ACL under VLAN SVI not under port

myc9800-CL(config)#interface Vlan<number>
myc9800-CL(config-if)#ip access-group MHM-DHCP in

this ACL one line end with deny ip any any and this work if you use SVI only for DHCP server if you push this SVI as GW IP to guest wifi then you need to add permit ip any any line under acl, this way the SVI use as dhcp server and as GW for guest wifi.

MHM

Re: 9800 Series Internal Guest DHCP

MHM Cisco World — Thu, 01 Aug 2024 19:56:34 GMT

check below please

MHM

Re: 9800 Series Internal Guest DHCP

dstrobel — Wed, 31 Jul 2024 23:27:42 GMT

Thanks for your help, I will give it a try tomorrow and let you know how it goes.

Re: 9800 Series Internal Guest DHCP

Flavio Miranda — Thu, 01 Aug 2024 00:58:09 GMT

Not necessary. First the client will get IP address, than it will go to the portal so when the client hits this ACL_WEBAUTH_REDIRECT the IP address will be in place already

Re: 9800 Series Internal Guest DHCP

dstrobel — Thu, 01 Aug 2024 19:50:56 GMT

Thank you both for your help. It appears to be working as required. In case anyone else is looking for this exact setup, this is what I ended up using:

ip dhcp excluded-address 192.168.20.0 192.168.20.19
!
ip dhcp pool Guest
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server x.x.x.x x.x.x.x
lease 0 8

interface VlanXXX
description GuestWIFI
ip address 192.168.20.4 255.255.255.0
ip access-group GUEST-DHCP in

ip access-list extended GUEST-DHCP
10 permit udp any eq bootpc any eq bootps
20 deny ip any any

wireless profile policy xxxxx_WLANID_4
ipv4 dhcp required
ipv4 dhcp server 192.168.20.4

Re: 9800 Series Internal Guest DHCP

MHM Cisco World — Thu, 01 Aug 2024 19:56:06 GMT

You are so welcome

have a nice summer

MHM

Re: 9800 Series Internal Guest DHCP

Rich R — Mon, 05 Aug 2024 00:02:20 GMT

Note that you can also apply an ACL to the WLAN profile policy with "ipv4 acl <aclname>"