I'm having some issues with getting external DHCP server working off my WLC.
When I have DHCP pool configured locally on the controller, everything works as it should.
When I enable DHCP Proxy, and use an external DHCP, the clients are not getting IP addresses.WLC, 2504, DHCP, Proxy,
WLC --> Cisco Switch --> Cisco Switch --> CheckPoint firewall.
I have dedicated VLAN and interface on my WLC for my new SSID. The default getaway for that WLC interface lives on the CheckPoint firewall. The idea is to keep the traffic logically separated hence the firewall.
Client connect to the new SSID, the SSID is associated with the dedicated interface which has Proxy Mode set to Global (DHCP Proxy is enabled globally on the WLC ) and external DHCP server's IP address configured. The DHCP request should be forwarded to the default gateway (CheckPoint firewall's sub-interface) unfortunately when I check the firewall logs, there is no traffic to my DHCP server. Since WLC will convert the DHCP to unicast, what will be the source (virtual interface IP address (126.96.36.199) or the dedicated (the one associated with my SSID) interface IP address)?
There is 2x extra hops in between WLC and the firewall (Cisco switches), do I need to enable anything on them to make sure DHCP requests is forwarded accordingly?
Did you configure "ip helper address x.x.x.x" command on your switch under vlan interfaces ? without that it won't work
*** Pls rate all useful responses ***
are the switches only forwarding on L2 (VLAN) ?
the you must disable the DHCP-proxy for this WLAN!
the WLC just drops the DHCP-packets on the VLAN and the switches wil forward to the packet on L2 to the Checkpoint.
If this does not work, than it is the checkpoint config you need to look into.
If the switches forward on L3, then as Rasika says, you need to configure the ip-helper on the VLAN.
afaik the WLC's management IP-address is used as the source to reach the DHCP-server
The checkpoint must allow this address for DHCP-relay
The controller’s virtual IP address is normally used as the source IP address of all DHCP transactions to the client.
Thank you both for you suggestions.
The VLAN L3 interface only exist on the CheckPoint firewall and WLC, the VLAN is stretched between them across the Cisco switches as L2.
There is no L3 interface on the switch hence no need for "ip helper address".
My understanding is that when DHCP proxy is enabled, the WLC should convert my broadcast DHCP request sent by the client into unicast DHCP request (DHCP server IP address configured in WLC-L3 interface configuration).
The DHCP server doesn't live in the same VLAN, it is actually behind the firewall.
The DHCP proxy is enabled globally on WLC, within the dynamic interface configuration the options for 'DHCP Proxy Mode' are Global/Enable/Disable - are you saying I should completely disable the DHCP proxy per interface?
If the DHCP request is sourced from the management IP address of the WLC (not the L3 interface associated with the SSID), how will DHCP server know which pool should it assign a new IP address from?
I have enabled dhcp debugging on the WLC and I can see the controller is sending the DHCP requests to the CheckPoint L3 interface, unfortunately when I check the firewall's logs, I can't see anything getting there.
*DHCP Socket Task: Sep 09 14:11:47.365: 38:ca:da:d9:e4:bb DHCP sending REQUEST to 10.32.25.126 (len 350, port 13, vlan 165)
I believe since there is a point-to-point between the WLC and CheckPoint, the DHCP request will be send from WLC dynamic interface (not management).
What am I missing here?
my mistake, not the management address but the WLAN interface (dynamic interface) address is used
look at this document at the image: proxy packet flow
is 10.32.25.126 the address of the checkpoint? or the DHCP server?
is should be the address of the DHCP server that is configured in the dynamic interface configuration of this WLAN
I have seen that document and the diagram (Proxy Packet flow) already hence saying the DHCP requests must be sent from the L3 dynamic interface associated with my SSID.
10.32.25.126 is the CheckPoint VLAN sub-interface and it is stretched from CheckPoint across 2x Cisco switches (L2 VLAN) to the WLC.
The DHCP ip addresses are mentioned as Relay1 & Relay2 in debug.
Even though everything seems to be configured correctly, I can not see anything hitting the CheckPoint interface.
Can I source ping from the WLC?
I may need to fire-up WireShark to see exactly what is happening because if the DHCP requests are sourced from the Management WLC interface, the traffic won't be routed via the CheckPoint - it goes directly from the switch the DHCP server.
the network layout is still not clear to me
clear: 10.32.25.126 is the CheckPoint VLAN sub-interface
but is the checkpoint also the DHCP server? or is the DHCP server behind the checkpoint?
if behind the checkpoint you need to configure the DHCP-servers address in the dynamic interface configuration.
The unicast destination must be the DHCP-server, and this will be normal routed/forwarded to the destination.
I suggest to first disable dhcp-proxy and see if the checkpoint properly processes the dhcp-request on this vlan
The CheckPoint firewall is NOT my DHCP server.
The DHCP server is behind the firewall in completely different VLAN/subnet.
I have configured the DHCP server IP addresses in the dynamic interface configuration (WLC) from very begging.
The WLC should convert the boradcast DHCP request into the unicast DHCP requests using the DHCP servers (dynamic interface) as the destination and send the packet to the default gateway address (CheckPoint sub-interface) configured on the dynamic interface, unfortunately I can not see any packets hitting the CheckPoint sourced from the WLC dynamic interface.
I have tried to disable the DHCP proxy on WLC, unfortunately no luck.
How can I confirm if the WLC creates the unicast DHCP requests and sends it to the firewall?
- 10.32.25.126 is the CheckPoint VLAN sub-interface
- The CheckPoint firewall is NOT my DHCP server.
- *DHCP Socket Task: Sep 09 14:11:47.365: 38:ca:da:d9:e4:bb DHCP sending REQUEST to 10.32.25.126 (len 350, port 13, vlan 165)
this information seems inconsistent!
in "sending request to..." the DHCP server should be mentioned not the default gateway.
unless you somewhere in the controller configured reference to the address 10.32.25.126
and as this is not your DHCP server, the DHCP request will fail.
- I have configured the DHCP server IP addresses in the dynamic interface configuration (WLC) from very begging.
did you also enable dhcp proxy on the interface? or only global?
if global, enable proxy mode on the dynamic interface.
debug dhcp packet enable
The debug shows a controller that receives a DHCP request from a client with MAC address 00:40:96:b4:8c:e1, transmits a DHCP request to the DHCP server, receives a reply from the DHCP server, and sends a DHCP offer to the client.
(Cisco Controller) >debug dhcp message enable
Thanks for you reply Pieterh,
I got to the bottom of this. It appeared to be an issue with the CheckPoint sub-interface configuration (topology).
I have corrected it and everything is working as expected. I can now see unicast DHCP requests sourced from the dynamic WLC interface (as expected) and the the clients are getting IP addresses.
Thank you for your help.