cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
736
Views
6
Helpful
9
Replies

9800 Series Internal Guest DHCP

dstrobel
Level 1
Level 1

Hello all,

I am trying to come up with a secure way to run DHCP on 9800 controllers for guest wireless users. To give some context I have about 30 9800's currently deployed with guest access setup through an ISE portal. We currently have guest DHCP running on the firewalls at each location but our security department wants to remove DHCP from them. It looks like the next best option is to run DHCP on the 9800's however I can't find any best practice for doing it securely.

I currently do not have any SVI on the guest vlan but it looks like it will be necessary to add one in order to serve DHCP on the vlan. How do I secure the SVI so that nothing other than DHCP is allowed to the guest vlan?

Thanks in advance

Dan

2 Accepted Solutions

Accepted Solutions

Hi @dstrobel 

 You can use ACL to allow only DHCP traffic on the SVI:

 

access-list xxx permit udp any eq bootpc any eq bootps

access-lis txxx deny ip any any

View solution in original post

in WLC CLI use 

access-list MHM-DHCP permit udp any eq bootpc any eq bootps

then apply ACL under VLAN SVI not under port 

myc9800-CL(config)#interface Vlan<number>
myc9800-CL(config-if)#ip access-group MHM-DHCP in

 this ACL one line end with deny ip any any and this work if you use SVI only for DHCP server if you push this SVI as GW IP to guest wifi then you need to add permit ip any any line under acl, this way the SVI use as dhcp server and as GW for guest wifi.

MHM

View solution in original post

9 Replies 9

Hi @dstrobel 

 You can use ACL to allow only DHCP traffic on the SVI:

 

access-list xxx permit udp any eq bootpc any eq bootps

access-lis txxx deny ip any any

Thank you sir, I'm sorry I should have also mentioned I have a punt acl for the guests to get to DNS and ISE before registration:

ip access-list extended ACL_WEBAUTH_REDIRECT
10 deny ip any host x.x.x.x
15 deny ip any host x.x.x.x
20 deny ip host x.x.x.x any
25 deny ip host x.x.x.x any
30 deny udp any any eq domain
40 deny udp any eq domain any
50 permit tcp any any eq www

I'm guessing this needs a permit udp any eq bootpc any eq bootps added as well?

check below please 

MHM

 Not necessary. First the client will get IP address, than it will go to the portal so when the client hits this ACL_WEBAUTH_REDIRECT the IP address will be in place already

in WLC CLI use 

access-list MHM-DHCP permit udp any eq bootpc any eq bootps

then apply ACL under VLAN SVI not under port 

myc9800-CL(config)#interface Vlan<number>
myc9800-CL(config-if)#ip access-group MHM-DHCP in

 this ACL one line end with deny ip any any and this work if you use SVI only for DHCP server if you push this SVI as GW IP to guest wifi then you need to add permit ip any any line under acl, this way the SVI use as dhcp server and as GW for guest wifi.

MHM

Thanks for your help, I will give it a try tomorrow and let you know how it goes.

dstrobel
Level 1
Level 1

Thank you both for your help. It appears to be working as required. In case anyone else is looking for this exact setup, this is what I ended up using:

ip dhcp excluded-address 192.168.20.0 192.168.20.19
!
ip dhcp pool Guest
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server x.x.x.x x.x.x.x
lease 0 8

interface VlanXXX
description GuestWIFI
ip address 192.168.20.4 255.255.255.0
ip access-group GUEST-DHCP in

ip access-list extended GUEST-DHCP
10 permit udp any eq bootpc any eq bootps
20 deny ip any any

wireless profile policy xxxxx_WLANID_4
ipv4 dhcp required
ipv4 dhcp server 192.168.20.4

You are so welcome

have a nice summer 

MHM

Note that you can also apply an ACL to the WLAN profile policy with "ipv4 acl <aclname>"

Review Cisco Networking for a $25 gift card