07-31-2024 01:48 PM
Hello all,
I am trying to come up with a secure way to run DHCP on 9800 controllers for guest wireless users. To give some context I have about 30 9800's currently deployed with guest access setup through an ISE portal. We currently have guest DHCP running on the firewalls at each location but our security department wants to remove DHCP from them. It looks like the next best option is to run DHCP on the 9800's however I can't find any best practice for doing it securely.
I currently do not have any SVI on the guest vlan but it looks like it will be necessary to add one in order to serve DHCP on the vlan. How do I secure the SVI so that nothing other than DHCP is allowed to the guest vlan?
Thanks in advance
Dan
07-31-2024 02:34 PM
Hi @dstrobel
You can use ACL to allow only DHCP traffic on the SVI:
access-list xxx permit udp any eq bootpc any eq bootps
access-list xxx deny ip any any
07-31-2024 03:04 PM
In the WLC CLI use
access-list MHM-DHCP permit udp any eq bootpc any eq bootps
then apply the ACL under the VLAN SVI, not under the port:
myc9800-CL(config)#interface Vlan<number>
myc9800-CL(config-if)#ip access-group MHM-DHCP in
This one-line ACL ends with deny ip any any, and this works if you use the SVI only for the DHCP server. If you push this SVI as the GW IP to the guest WiFi, then you need to add a permit ip any any line under the ACL; this way the SVI is used as the DHCP server and as the GW for the guest WiFi.
MHM
07-31-2024 02:58 PM
Thank you sir. I'm sorry, I should have also mentioned that I have a punt ACL for the guests to get to DNS and ISE before registration:
ip access-list extended ACL_WEBAUTH_REDIRECT
10 deny ip any host x.x.x.x
15 deny ip any host x.x.x.x
20 deny ip host x.x.x.x any
25 deny ip host x.x.x.x any
30 deny udp any any eq domain
40 deny udp any eq domain any
50 permit tcp any any eq www
I'm guessing this needs a permit udp any eq bootpc any eq bootps added as well?
07-31-2024 03:27 PM - edited 08-01-2024 12:56 PM
check below please
MHM
07-31-2024 05:58 PM
Not necessary. First the client will get an IP address, then it will go to the portal, so when the client hits this ACL_WEBAUTH_REDIRECT the IP address will already be in place.
07-31-2024 04:27 PM
Thanks for your help, I will give it a try tomorrow and let you know how it goes.
08-01-2024 12:50 PM
Thank you both for your help. It appears to be working as required. In case anyone else is looking for this exact setup, this is what I ended up using:
ip dhcp excluded-address 192.168.20.0 192.168.20.19
!
ip dhcp pool Guest
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server x.x.x.x x.x.x.x
lease 0 8
interface VlanXXX
description GuestWIFI
ip address 192.168.20.4 255.255.255.0
ip access-group GUEST-DHCP in
ip access-list extended GUEST-DHCP
10 permit udp any eq bootpc any eq bootps
20 deny ip any any
wireless profile policy xxxxx_WLANID_4
ipv4 dhcp required
ipv4 dhcp server 192.168.20.4
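As an added check (example code, not from the thread or from Cisco), a small Python evaluator for IOS-XE extended ACEs that replays constructed probe packets against the GUEST-DHCP ACL above and confirms that only DHCP (bootpc to bootps) reaches the SVI; the "permit ip any any" gateway variant mentioned earlier fails the same check. The probe tuples, client addresses and the 192.168.20.4 SVI address are constructed sample input.

```python
# Added example, not from the thread: a minimal evaluator for IOS-XE extended ACEs.
NAMED_PORTS = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}
def parse_ace(line):
    # '10 permit udp any eq bootpc host 192.168.20.4 eq bootps' -> dict
    # Supports 'any' / 'host A.B.C.D' and an optional 'eq <port>' per side.
    tok = line.split()
    if tok[0].isdigit():                       # drop the sequence number
        tok = tok[1:]
    ace, tok = {"action": tok[0], "proto": tok[1]}, tok[2:]
    for side in ("src", "dst"):
        ace[side], tok = (tok[1], tok[2:]) if tok[0] == "host" else (None, tok[1:])
        ace[side + "_port"] = None             # None means 'any'
        if tok and tok[0] == "eq":
            p = tok[1]
            ace[side + "_port"] = int(p) if p.isdigit() else NAMED_PORTS[p]
            tok = tok[2:]
    return ace

def matches(ace, pkt):
    proto, src, sport, dst, dport = pkt
    return (ace["proto"] in ("ip", proto)
            and ace["src"] in (None, src) and ace["dst"] in (None, dst)
            and ace["src_port"] in (None, sport) and ace["dst_port"] in (None, dport))

def evaluate(acl_text, pkt):
    # First matching ACE wins; every IOS ACL ends with an implicit deny.
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace["action"]
    return "deny"

# Constructed probe packets: (proto, src, sport, dst, dport) arriving 'in' on the SVI
PROBES = {
    "dhcp_discover": ("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dhcp_renew":    ("udp", "192.168.20.50", 68, "192.168.20.4", 67),
    "dns_to_svi":    ("udp", "192.168.20.50", 5353, "192.168.20.4", 53),
    "http_to_svi":   ("tcp", "192.168.20.50", 40000, "192.168.20.4", 80),
}

def dhcp_only(acl_text):
    # True only if the DHCP probes are permitted and every other probe is denied
    return all((evaluate(acl_text, p) == "permit") == n.startswith("dhcp")
               for n, p in PROBES.items())

# The ACL from the working config above, and the 'SVI is also the gateway' variant
GUEST_DHCP = "10 permit udp any eq bootpc any eq bootps\n20 deny ip any any"
GATEWAY_VARIANT = "10 permit udp any eq bootpc any eq bootps\n20 permit ip any any"
```

Running dhcp_only(GUEST_DHCP) returns True, while dhcp_only(GATEWAY_VARIANT) returns False because DNS and HTTP to the SVI are now permitted.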
08-01-2024 12:56 PM
You are so welcome
have a nice summer
MHM
08-04-2024 05:02 PM
Note that you can also apply an ACL to the WLAN profile policy with "ipv4 acl <aclname>"