Nizam,

Integrated DHCP on the controller doesn't allow much(I dont recommand it). I suggest not using it unless there is a necessity to need. better to use a external DHCP server.

Regards

Dont forget to rate helpful posts 

Hi Sandeep,

Would you explain about "Integrated DHCP on the controller doesn't allow much" with reason?

Actually the users internet permission is being provided by their IP addresses. As a result if the IP address is changed in dhcp users then need to permission for new IP addresses which is very much cumbersome.

Please give me suggest the best solution. 

Nizam,

It(WLC internal DHCP) is a very basic DHCP server with no capablilty for reservations or options. so if you want to do this you'd need to use an external DHCP server instead.

Regards

Dont forget to rate helpful posts

Even with DHCP proxy enabled, the DHCP request will be sent to the configured server as a unicast, with the source address being that of the respective dynamic interface.

Since this L2 vlan is not routed, then there will be no way to reach an internal DHCP server from the DMZ, if I understand your topology correctly.

So, it sounds like you will need to have a DHCP server present in the DMZ, either the firewall or a local WLC scope.

-Pat

From a design perspective, it will be better to link the firewall to a user database such as LDAP or a local database on the firewall. This will allow you to create security policies based on the user's login names and not on their IP addresses. Which will be easier to manage and monitor their activities and avoid the situation you are in now.

If the database option is not possible and you don't have an external server to run DHCP services, using the firewall as a DHCP server will be your other option if you can't use the 3850 anymore. You will, however, need to understand the limitations on your firewall from a resource perspective.

As mentioned in the form running DHCP on the WLC in a production environment is not advisable.

Regards

Jurgens