Solved: Re: 9800 Series Internal Guest DHCP

dstrobel · ‎07-31-2024

Hello all,

I am trying to come up with a secure way to run DHCP on 9800 controllers for guest wireless users. To give some context I have about 30 9800's currently deployed with guest access setup through an ISE portal. We currently have guest DHCP running on the firewalls at each location but our security department wants to remove DHCP from them. It looks like the next best option is to run DHCP on the 9800's however I can't find any best practice for doing it securely.

I currently do not have any SVI on the guest vlan but it looks like it will be necessary to add one in order to serve DHCP on the vlan. How do I secure the SVI so that nothing other than DHCP is allowed to the guest vlan?

Thanks in advance

Dan

Flavio Miranda · ‎07-31-2024

Hi @dstrobel

You can use ACL to allow only DHCP traffic on the SVI:

access-list xxx permit udp any eq bootpc any eq bootps

access-lis txxx deny ip any any

View solution in original post

MHM Cisco World · ‎07-31-2024

in WLC CLI use

access-list MHM-DHCP permit udp any eq bootpc any eq bootps

then apply ACL under VLAN SVI not under port

myc9800-CL(config)#interface Vlan<number>
myc9800-CL(config-if)#ip access-group MHM-DHCP in

this ACL one line end with deny ip any any and this work if you use SVI only for DHCP server if you push this SVI as GW IP to guest wifi then you need to add permit ip any any line under acl, this way the SVI use as dhcp server and as GW for guest wifi.

MHM

View solution in original post

Flavio Miranda · ‎07-31-2024

Hi @dstrobel

You can use ACL to allow only DHCP traffic on the SVI:

access-list xxx permit udp any eq bootpc any eq bootps

access-lis txxx deny ip any any

dstrobel · ‎07-31-2024

Thank you sir, I'm sorry I should have also mentioned I have a punt acl for the guests to get to DNS and ISE before registration:

ip access-list extended ACL_WEBAUTH_REDIRECT
10 deny ip any host x.x.x.x
15 deny ip any host x.x.x.x
20 deny ip host x.x.x.x any
25 deny ip host x.x.x.x any
30 deny udp any any eq domain
40 deny udp any eq domain any
50 permit tcp any any eq www

I'm guessing this needs a permit udp any eq bootpc any eq bootps added as well?

MHM Cisco World · ‎07-31-2024

check below please

MHM

Flavio Miranda · ‎07-31-2024

Not necessary. First the client will get IP address, than it will go to the portal so when the client hits this ACL_WEBAUTH_REDIRECT the IP address will be in place already

MHM Cisco World · ‎07-31-2024

in WLC CLI use

access-list MHM-DHCP permit udp any eq bootpc any eq bootps

then apply ACL under VLAN SVI not under port

myc9800-CL(config)#interface Vlan<number>
myc9800-CL(config-if)#ip access-group MHM-DHCP in

this ACL one line end with deny ip any any and this work if you use SVI only for DHCP server if you push this SVI as GW IP to guest wifi then you need to add permit ip any any line under acl, this way the SVI use as dhcp server and as GW for guest wifi.

MHM

dstrobel · ‎07-31-2024

Thanks for your help, I will give it a try tomorrow and let you know how it goes.

dstrobel · ‎08-01-2024

Thank you both for your help. It appears to be working as required. In case anyone else is looking for this exact setup, this is what I ended up using:

ip dhcp excluded-address 192.168.20.0 192.168.20.19
!
ip dhcp pool Guest
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server x.x.x.x x.x.x.x
lease 0 8

interface VlanXXX
description GuestWIFI
ip address 192.168.20.4 255.255.255.0
ip access-group GUEST-DHCP in

ip access-list extended GUEST-DHCP
10 permit udp any eq bootpc any eq bootps
20 deny ip any any

wireless profile policy xxxxx_WLANID_4
ipv4 dhcp required
ipv4 dhcp server 192.168.20.4

MHM Cisco World · ‎08-01-2024

You are so welcome

have a nice summer

MHM

Rich R · ‎08-04-2024

Note that you can also apply an ACL to the WLAN profile policy with "ipv4 acl <aclname>"

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs