DHCP Relay for Guest SSID

Sbarghouthi
Level 1

Hello folks,

I hope everyone is well. I am stuck in a bind at the moment and could use a compass to be pointed in the right direction. I've been extensively reading everything I could find in the Cisco docs for DHCP relay but still can't solve the deployment I am trying to do.

I will try to keep this as short as possible but this is the current situation, I have a Cisco WLC 2500 with 3 LAPs in the same AP group. The LAPs are connected directly to an Access Switch and the same applies for the WLC.

On the WLC I have two SSIDs, one for production (192.168.16.0/24) and the second for Guests (192.168.20.0/24). Production SSID is configured with an Internal DHCP on the controller and is working fine. What I need to do is relay the DHCP server on 192.168.20.2/32 for the Guest SSID.

So what I did was create a new interface on the WLC on the 2nd port, connected it to the switch (Interface IP is 192.168.20.3/32), configured the interface with a Primary DHCP of 192.178.20.2/32 and configured DHCP override for the Guest SSID with 192.168.20.3/32 (interface IP on WLC). The interface happens to be a Dynamic one (it seems it's impossible to have it configured as static) and I enabled option-82 on it. I also have the DHCP Addr. Assignment requirement selected.

However, clients connecting to the Guest SSID still receive no IP. I am scratching my head on this one as I can't find any additional steps that need to be done.

Note*: These are unmanaged switches so both interfaces are on the same VLAN.

Any help would be much appreciated. God bless.

Best Regards

Sinan Barghouthi - JNCIA-FWV,JNCIA-IDP,CCA-NS,TCSM-DS


grabonlee
Level 4

Hi

Assuming that your guests do get an IP address, how do you intend to push them straight to the internet when both guest and production are on the same VLAN? That's a security hole that you have blown open.

Back to the issue, you didn't mention if you created a separate DHCP scope for the guest. Also, VLANs literally mean separate subnets.

A 2500 WLC can't anchor guest traffic, except you are directly tunneling the guest to the Internet via the switch. In that case back to the first issue I raised, your production and guest can't be on the same vlan.

Hello Osita,

Thanks for the reply, yes that is indeed correct, we have already recommended to the customer to buy Managed Switches so that we may segment the VLANs on the switches and be able to have different VLAN IDs for the SSIDs. They are currently in price negotiations for that issue.

For the time being, until they do get those switches, we are setting up the wireless clients to get the 20.0/24 subnet IPs from a hotspot server with SMS authentication that routes all the traffic back to their perimeter firewall to regulate the traffic between the subnets.

The customer is temporarily aware of the switch issue, as anyone can add a static ARP entry and have their traffic directed elsewhere to the production network.

There is nothing I can do to change the fact that the customer has unmanaged switches. Recommendations and advice have already been given. But what I do need to do at the time being is get the wireless clients to get IPs from the DHCP running on the hotspot server.

Is there another place to configure DHCP scope other than the Internal DHCP Server scope on the WLC? Or is that what I should be looking for?

Sinan Barghouthi - JNCIA-FWV,JNCIA-IDP,CCA-NS,TCSM-DS

Hi Sinan

You have to create another dhcp scope on the WLC. However, note that the dynamic interface has the management interface of the WLC as the dhcp server address. But the main issue is that the guest interface will be mapped to a vlan and that means it can't be on the same vlan as your production clients because they are separate subnets. Hope this clears the confusion.
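Both the original question (a relay interface at 192.168.20.3 forwarding guest DHCP to a unicast server) and the last reply (the server must have a scope that matches) come down to one mechanism: a relay writes its own interface address into the DHCP giaddr field, and the server picks the scope by giaddr, not by the packet's source address. The toy relay and scope selector below are an added example, not code from the thread or from any Cisco product; the MAC, circuit-id and scope table are constructed, and the addresses are the ones the question describes. It shows the working case, the un-relayed case, and the failure mode where giaddr lands in no configured scope (the server stays silent, which looks exactly like "clients receive no IP").

```python
"""Toy DHCP relay: giaddr + option 82, and server-side scope selection."""
import ipaddress
import struct
from typing import Dict, Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie that starts the options field
BOOTP_HDR_LEN = 236                # fixed BOOTP header length before the cookie
GIADDR_OFF = 24                    # op,htype,hlen,hops,xid,secs,flags,ciaddr,yiaddr,siaddr = 24 bytes

# Constructed scope table standing in for the DHCP server's configuration.
SCOPES: Dict[str, str] = {
    "production": "192.168.16.0/24",
    "guest": "192.168.20.0/24",
}


def build_discover(mac: bytes, xid: int = 0x1234) -> bytes:
    """Minimal DHCPDISCOVER as a client broadcasts it: giaddr and hops are zero."""
    hdr = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,            # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,        # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    opts = DHCP_MAGIC + bytes([53, 1, 1]) + bytes([255])   # option 53 = DISCOVER, then END
    return hdr + opts


def relay(packet: bytes, relay_ip: str, circuit_id: bytes) -> bytes:
    """What a relay agent does before unicasting the request to the server.

    It bumps the hop count, fills giaddr with its own interface address if the
    packet was not relayed yet, and appends option 82 (relay agent information)
    with a circuit-id sub-option identifying the ingress.
    """
    hdr = bytearray(packet[:BOOTP_HDR_LEN])
    opts = packet[BOOTP_HDR_LEN:]
    if not (opts.startswith(DHCP_MAGIC) and opts.endswith(b"\xff")):
        raise ValueError("not a DHCP packet with an END option")
    hdr[3] += 1
    if hdr[GIADDR_OFF:GIADDR_OFF + 4] == b"\0" * 4:
        hdr[GIADDR_OFF:GIADDR_OFF + 4] = ipaddress.IPv4Address(relay_ip).packed
    sub = bytes([1, len(circuit_id)]) + circuit_id          # sub-option 1 = circuit-id
    opt82 = bytes([82, len(sub)]) + sub
    return bytes(hdr) + opts[:-1] + opt82 + b"\xff"          # keep END last


def parse_options(packet: bytes) -> Dict[int, bytes]:
    """Walk the TLV options after the magic cookie into {code: value}."""
    opts, i, out = packet[BOOTP_HDR_LEN + 4:], 0, {}
    while i < len(opts):
        code = opts[i]
        if code == 255:
            break
        if code == 0:          # PAD
            i += 1
            continue
        length = opts[i + 1]
        out[code] = opts[i + 2:i + 2 + length]
        i += 2 + length
    return out


def select_scope(packet: bytes, scopes: Dict[str, str], server_subnet: str) -> Optional[str]:
    """Server-side scope choice: giaddr if set, otherwise the receiving subnet.

    Returns None when no scope covers the address, which is the silent
    'no offer' outcome a client sees as never getting an IP.
    """
    giaddr = ipaddress.IPv4Address(packet[GIADDR_OFF:GIADDR_OFF + 4])
    probe = ipaddress.ip_network(server_subnet).network_address if int(giaddr) == 0 else giaddr
    for name, net in scopes.items():
        if probe in ipaddress.ip_network(net):
            return name
    return None


if __name__ == "__main__":
    disc = build_discover(b"\xaa\xbb\xcc\xdd\xee\x01")          # constructed client MAC
    relayed = relay(disc, "192.168.20.3", b"guest-ssid")        # WLC guest interface as relay
    print("unrelayed ->", select_scope(disc, SCOPES, "192.168.16.0/24"))
    print("relayed   ->", select_scope(relayed, SCOPES, "192.168.16.0/24"))
    print("bad giaddr->", select_scope(relay(disc, "10.9.9.9", b"x"), SCOPES, "192.168.16.0/24"))
```

The practical check this encodes: whatever address the relay interface carries must fall inside a scope the server actually has, and the server must be reachable by unicast from that address. If either is false the client sees nothing, with no error on the WLC side.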
