Best Practice for DHCP when Anchoring to a Guest Wireless LAN Controller

Hi all,

I'm interested in the community's opinion in relation to DHCP provisioning when using auto-anchor/guest tunneling.

As far as I can tell, one cannot use the internal DHCP on the anchor controller when using auto-anchor due to incompatibility between the auto-anchor feature and DHCP Option 82.

The scenario is as follows:

Guest controller is the anchor which provides Internet access to guests.

There is a foreign controller which is configured to anchor to the guest controller.

The internal DHCP server is configured on the guest anchor controller, therefore DHCP proxy must be enabled for DHCP to work.

DHCP proxy enables Option 82.

The guidelines for guest tunneling state that DHCP Option 82 isn't supported. (Ref: Deploying and Troubleshooting Cisco Wireless LAN Controllers - Ch14)

So, the internal DHCP server requires DHCP proxy to be enabled; this in turn enables Option 82, which stops DHCP leases being made to clients connected to the foreign controller.

Given that a guest WLC would normally be placed in a DMZ, the internal DHCP server may often be the only DHCP solution available.

I look forward to hearing your opinions.


Rhodri Jenkins

Cisco Employee

To me, the wrong part is "dhcp proxy enables option 82".

I would say "dhcp proxy is required if you want to turn on option 82" but option 82 is not enabled by default afaik. And I'm pretty sure I saw cases of internal dhcp on the anchor serving foreign clients ...

I can always be wrong but this is my impression


There are a couple of options here if you need to get proxy disabled

1) pinhole with an ACL that allows dhcp to pass your internal servers

2) run dhcp on a switch, router, or firewall in the dmz

3) if you are using a cable modem or dsl for the guest users, you can let that do the dhcp

In general I've seen most of these in play, but I like option 2 myself

Thanks guys for your comments.

The reason I came to the conclusion that enabling DHCP proxy means Option 82 is used was from the settings on the WLC, then again, as you say Nicolas, I thought in the past I'd used the internal DHCP server on an Anchor also...
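
One way to check the point debated in this thread is to capture a DHCP request as it arrives at the DHCP server and look for Option 82 directly. The following Python sketch is an added example, not part of the original posts and not Cisco tooling; it parses a raw DHCP payload and reports the giaddr field and any Option 82 sub-options. The sample packets, addresses and sub-option values are constructed for illustration.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # start of the DHCP options field (RFC 2131)
OPT_PAD, OPT_RELAY_INFO, OPT_END = 0, 82, 255

def parse_tlv(data, top_level=True):
    """Walk code/length/value options and return {code: value}."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if top_level and code == OPT_END:
            break
        if top_level and code == OPT_PAD:  # pad carries no length byte
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option %d" % code)
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def inspect_dhcp(payload):
    """Return (giaddr, Option 82 sub-options or None) for one DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    giaddr = socket.inet_ntoa(payload[24:28])  # relay agent address; 0.0.0.0 if never relayed
    opts = parse_tlv(payload[240:])
    if OPT_RELAY_INFO not in opts:
        return giaddr, None
    # Option 82 nests sub-options: 1 = circuit ID, 2 = remote ID (RFC 3046)
    return giaddr, parse_tlv(opts[OPT_RELAY_INFO], top_level=False)

def build_discover(giaddr="0.0.0.0", extra=b""):
    """Constructed sample: a minimal DHCPDISCOVER payload, for the demo only."""
    fixed = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234ABCD, 0, 0)
    fixed += b"\x00" * 12 + socket.inet_aton(giaddr)  # ciaddr, yiaddr, siaddr, giaddr
    fixed += bytes.fromhex("020000000001").ljust(16, b"\x00")  # chaddr
    fixed += b"\x00" * 192  # sname + file
    return fixed + MAGIC_COOKIE + b"\x35\x01\x01" + extra + b"\xff"

# Constructed Option 82 value: circuit ID "wlan", remote ID = a made-up MAC
SUBOPTS = b"\x01\x04wlan" + b"\x02\x06" + bytes.fromhex("02000000aa01")
OPTION_82 = bytes([OPT_RELAY_INFO, len(SUBOPTS)]) + SUBOPTS

if __name__ == "__main__":
    for name, pkt in [("no relay info", build_discover()),
                      ("with option 82", build_discover("192.0.2.10", OPTION_82))]:
        print(name, inspect_dhcp(pkt))
```

To use it on real traffic, feed `inspect_dhcp` the UDP payload of a request captured on the server side of the anchor controller, once with DHCP proxy enabled and once with it disabled.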

