topic Re: DHCP Snooping & WLC 9800 in Wireless

DHCP Snooping & WLC 9800

TrickTrick — Mon, 28 Oct 2024 20:58:31 GMT

Hi,

I'm using WLC 9800 local switching mode, I can see all the wifi client devices MAC coming from WLC ports (since the traffic is tunneled to the WLC), at the same time I'm configuring DHCP snooping in the Core switch to avoid any DHCP rogue servers from WIFI clients.

should I trust the WLC ports ? otherwise, my client can't get any IPs. Core switch logs show blocked DHCP packets coming from the WLC.

I'm using different SVIs in the WLC acting as dhcp relay, i'm just wondering if this is a correct implementation, or there is a way to untrust WLC ports (since all the clients MACs are seen from WLC ports).

Re: DHCP Snooping & WLC 9800

MHM Cisco World — Mon, 28 Oct 2024 21:04:07 GMT

Issue I think in op82 wlc add to dhcp packet' try use "" allow op82 in untrust port"" under port connect core to wlc9800.

MHM

Re: DHCP Snooping & WLC 9800

TrickTrick — Mon, 28 Oct 2024 22:18:57 GMT

Hi,

This command doesn't exit neither in the Core, nor in the WLC

If you mean in the core switch, I already did. Without trusting the WLC port it doesn't work

Re: DHCP Snooping & WLC 9800

Flavio Miranda — Mon, 28 Oct 2024 23:00:51 GMT

@TrickTrick

Cisco does not recommend having SVI on the WLC side. Ideally, you should have the SVI on the core and use ip help-address on the SVI.

Cisco Catalyst 9800 Series Configuration Best Practices - Cisco

Re: DHCP Snooping & WLC 9800

sidshas03 — Mon, 28 Oct 2024 23:33:20 GMT

If Cisco doesn’t recommend SVIs on the WLC, then setting the SVI on the core switch and using the ip helper-address to relay DHCP requests is indeed the preferred approach. This setup reduces complexity and aligns with best practices, especially for DHCP snooping configurations. By relocating the SVI to the core, you can untrust the WLC port while maintaining DHCP functionality and security.

Re: DHCP Snooping & WLC 9800

MHM Cisco World — Tue, 29 Oct 2024 05:00:28 GMT

ip dhcp snooping information option allow-untrusted

This command I talk about, the wlc to SW port must config as untrust

MHM

Re: DHCP Snooping & WLC 9800

TrickTrick — Tue, 29 Oct 2024 15:13:56 GMT

SVI are located on a palo alto firewall. The core switch itself is acting as an aggregation layer for Access switches and the WLC.

So all I need is to disable SVIs and everything should be fine ? the only problem is the Mgmt interface, I should absolutely keep it ON in the WLC, and it will keep the ip helper role for the APs. At the same time the WLC ports will be untrusted. I'm confused a little bit about this one.

Re: DHCP Snooping & WLC 9800

TrickTrick — Tue, 29 Oct 2024 16:01:35 GMT

As i'm reading the Best practices shared, I see that 9800 has built-in DHCP Snooping feature. I didn't find it anywhere in the settings "Cisco IOS XE has embedded security features such as Dynamic Host Configuration Protocol (DHCP) snooping"

Since all the clients MAC/IPs are seen as coming from the WLC ports, I want to untrust the WLC ports since it's acting as a big switch for all the Wireless clients to avoid any DHCP rogues among wireless devices.

Re: DHCP Snooping & WLC 9800

Flavio Miranda — Tue, 29 Oct 2024 16:44:39 GMT

I believe you need to trust the WLC interface if you leave the SVI on the WLC side.

Re: DHCP Snooping & WLC 9800

TrickTrick — Tue, 29 Oct 2024 17:55:29 GMT

Just removed them from WLC, untrusted the port.. everything is good now.. thanks to everyone

Re: DHCP Snooping & WLC 9800

Rich R — Wed, 06 Nov 2024 21:57:19 GMT

So all I need is to disable SVIs and everything should be fine ? Yes
the only problem is the Mgmt interface, I should absolutely keep it ON in the WLC - Yes
and it will keep the ip helper role for the APs - not clear why you would have ip helper on the WLC for that?

If in doubt check your WLC config using the Config Analyzer using out of "show tech wireless" (not show tech) - link below.