Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1496
Views
35
Helpful
9
Replies

C9800 Internal DHCP server for local switching SSID

Go to solution
ngkin2010
Level 7
Level 7

‎05-11-2022 09:37 AM

Hi Community,

 

I am planning to enable Internal DHCP for one of the SSID on C9800 WLC, but I am not sure if it's technically valid or not.

 

Here is some background: 

 

The SSID or the WLAN profile is configured as central authentication, local switching, local association, with WPA2 (PSK), just like FlexConnect in AireOS.

 

Given the SSID is assigned for VLAN20, and the diagram will be like:

diagra.png

 

 

I have a few doubts about the design:

 

1. Is the SVI (VLAN20) on C9800 is necessary for the internal DHCP server to work? 

 

2. If the SVI is necessary on C9800, and when I creating VLAN20 SVI on C9800, the interface oper status is down (e.g. no trunk allowed vlan 20 on C9800), is it necessary to make it up?  

 

3. If the SVI need to be UP/UP, then I am not quite sure the flow of DHCP discover; and here is my understanding:

  • a)  Client associated to the SSID and assigned to VLAN20
  • b)  Client broadcast the DHCP Discover, and Core Switch will receive the broadcast.
  • c)  Core Switch's SVI VLAN20 with [ ip helper 10.1.1.1 ]  will forward the DHCP discover to C9800 (10.1.1.1) with the source IP 192.168.0.1
  • d)  After C9800 receiving the DHCP Discover, it will allocate IP and send out DHCP Offer back to core switch 192.168.0.1
  • e)   The DHCP offer should never reach the 192.168.0.1 because according to C9800's routing table, 192.168.0.0/24 is directly connected subnet, but 192.168.0.1 is not on the cloud with C9800 (e.g. not on the same broadcast domain).
  • f)    The client will never get the IP address from Internal DHCP.

 

 

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Flavio Miranda
VIP
VIP

‎05-12-2022 05:49 AM

Hi

 "I am planning to enable Internal DHCP for one of the SSID on C9800 WLC, but I am not sure if it's technically valid or not."

 

It is valid so much that it support internal DHCP.  However, for heavy environment, it is best practive to have a dedicate DHCP server.  But, for low demand, no problem at all.  We see switches and routers over there doing DHCP just fine.

 

 

. Is the SVI (VLAN20) on C9800 is necessary for the internal DHCP server to work? 

Yes.

 

2. If the SVI is necessary on C9800, and when I creating VLAN20 SVI on C9800, the interface oper status is down (e.g. no trunk allowed vlan 20 on C9800), is it necessary to make it up?  

  Did you create the VLAN on the WLC?  Interface vlan is different from vlan. Priviouly, when we issue the command interface vlan the IOS already created the vlan for us, not anymore. You need to create the vlan.

 

3. If the SVI need to be UP/UP, then I am not quite sure the flow of DHCP discover; and here is my understanding:

  • a)  Client associated to the SSID and assigned to VLAN20

Yes.

  • b)  Client broadcast the DHCP Discover, and Core Switch will receive the broadcast.

Nop. It will be manage internaly on the WLC.

 

  • c)  Core Switch's SVI VLAN20 with [ ip helper 10.1.1.1 ]  will forward the DHCP discover to C9800 (10.1.1.1) with the source IP 192.168.0.1

Nop. It will be manage internaly on the WLC.

 

  • d)  After C9800 receiving the DHCP Discover, it will allocate IP and send out DHCP Offer back to core switch 192.168.0.1

Nop. It will be manage internaly on the WLC.

  • e)   The DHCP offer should never reach the 192.168.0.1 because according to C9800's routing table, 192.168.0.0/24 is directly connected subnet, but 192.168.0.1 is not on the cloud with C9800 (e.g. not on the same broadcast domain).

Nop. It will be manage internaly on the WLC.

  • f)    The client will never get the IP address from Internal DHCP.

Yes, will do.   When configuring the internal DHCP, disable the option "Reserved Only".

 

Please, look this guide:

 

https://wifininjas.net/2019/08/06/wn-blog-007-c9800-wlc-internal-dhcp-server-config/ 

View solution in original post

Go to solution
Arshad Safrulla
VIP Alumni
VIP Alumni
In response to ngkin2010

‎05-12-2022 06:04 AM

Ok, in this case you need to use central dhcp. You can enable it under the policy profile, you also need to make sure that the DHCP server IP is configured under the policy profile and also ipv4 dhcp required is selected. Also you need to have Flex NAT PAT enabled.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/flexconnect.html#:~:text=Wireless%20Controllers%20document.-,NAT%2DPAT%20for%20FlexConnect,-If%20you%20want

I have tested the same with an external DHCP server in my HQ, but I haven't tested it with an Internal DHCP server. But I believe this should help you to achieve your requirement.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

View solution in original post

9 Replies 9

Go to solution
marce1000
VIP
VIP

‎05-11-2022 10:19 AM

 

 - Lot's of specifics , always useful when working on 9800-configurations and also currently is (CLI) : show tech wireless , have the  output processed by : https://cway.cisco.com/tools/WirelessAnalyzer/   , you will already get a lot of useful advisories.

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Go to solution
Arshad Safrulla
VIP Alumni
VIP Alumni

‎05-11-2022 10:59 AM

The best practice is to use an external DHCP server, having said that you must create a SVI on VLAN20 if the WLC being used as the DHCP server and it will work. From the DHCP prospective the wireless client will be considered as a wired client (due to flex connect local switching) when the DHCP request reaches the WLC. 

Since you need to allow this in the trunk uplink connecting to the upstream switch SVI will be up/up, so make sure you add VLAN20 to allowed VLAN's. 

I am sharing the guide for starred IOS-XE code at the moment, however it's recommended that you read the documentation related to the code you have in your WLC before implementing.

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Amsterdam 17.3.x - DHCP for WLANs [Cisco Catalyst 9800 Series Wireless Controllers] - Cisco

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

Go to solution
ngkin2010
Level 7
Level 7
In response to Arshad Safrulla

‎05-12-2022 04:55 AM - edited ‎05-12-2022 04:57 AM

Hi Arshad,

 

Thanks for your reply.

 

The main point in the proposed setup is C9800 is located in different site, and its VLAN20 is not spanning to remote site (where the AP located). 

 

For example, the VLAN20 at Site 1 where the C9800 located is not the same as VLAN20 at Site 2 where the AP located.

ngkin2010_1-1652356432170.png

 

So, I am curious:

 

3. If the SVI need to be UP/UP, then I am not quite sure the flow of DHCP discover; and here is my understanding:

  • a)  Client associated to the SSID and assigned to VLAN20
  • b)  Client broadcast the DHCP Discover, and Core Switch will receive the broadcast.
  • c)  Core Switch's SVI VLAN20 with [ ip helper 10.1.1.1 ]  will forward the DHCP discover to C9800 (10.1.1.1) with the source IP 192.168.0.1
  • d)  After C9800 receiving the DHCP Discover, it will allocate IP and send out DHCP Offer back to core switch 192.168.0.1
  • e)   The DHCP offer should never reach the 192.168.0.1 because according to C9800's routing table, 192.168.0.0/24 is directly connected subnet, but 192.168.0.1 is not on the cloud with C9800 (e.g. not on the same broadcast domain).
  • f)    The client will never get the IP address from Internal DHCP.

 

 

0 Helpful

Go to solution
Arshad Safrulla
VIP Alumni
VIP Alumni
In response to ngkin2010

‎05-12-2022 06:04 AM

Ok, in this case you need to use central dhcp. You can enable it under the policy profile, you also need to make sure that the DHCP server IP is configured under the policy profile and also ipv4 dhcp required is selected. Also you need to have Flex NAT PAT enabled.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/flexconnect.html#:~:text=Wireless%20Controllers%20document.-,NAT%2DPAT%20for%20FlexConnect,-If%20you%20want

I have tested the same with an external DHCP server in my HQ, but I haven't tested it with an Internal DHCP server. But I believe this should help you to achieve your requirement.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

Go to solution
ngkin2010
Level 7
Level 7
In response to Arshad Safrulla

‎05-12-2022 07:01 AM

Hi Arshad, 

 

Thanks for your comment, and I will try it out with Central DHCP & Flex NAT PAT enabled.

 

Thanks~

0 Helpful

Go to solution
Flavio Miranda
VIP
VIP

‎05-12-2022 05:49 AM

Hi

 "I am planning to enable Internal DHCP for one of the SSID on C9800 WLC, but I am not sure if it's technically valid or not."

 

It is valid so much that it support internal DHCP.  However, for heavy environment, it is best practive to have a dedicate DHCP server.  But, for low demand, no problem at all.  We see switches and routers over there doing DHCP just fine.

 

 

. Is the SVI (VLAN20) on C9800 is necessary for the internal DHCP server to work? 

Yes.

 

2. If the SVI is necessary on C9800, and when I creating VLAN20 SVI on C9800, the interface oper status is down (e.g. no trunk allowed vlan 20 on C9800), is it necessary to make it up?  

  Did you create the VLAN on the WLC?  Interface vlan is different from vlan. Priviouly, when we issue the command interface vlan the IOS already created the vlan for us, not anymore. You need to create the vlan.

 

3. If the SVI need to be UP/UP, then I am not quite sure the flow of DHCP discover; and here is my understanding:

  • a)  Client associated to the SSID and assigned to VLAN20

Yes.

  • b)  Client broadcast the DHCP Discover, and Core Switch will receive the broadcast.

Nop. It will be manage internaly on the WLC.

 

  • c)  Core Switch's SVI VLAN20 with [ ip helper 10.1.1.1 ]  will forward the DHCP discover to C9800 (10.1.1.1) with the source IP 192.168.0.1

Nop. It will be manage internaly on the WLC.

 

  • d)  After C9800 receiving the DHCP Discover, it will allocate IP and send out DHCP Offer back to core switch 192.168.0.1

Nop. It will be manage internaly on the WLC.

  • e)   The DHCP offer should never reach the 192.168.0.1 because according to C9800's routing table, 192.168.0.0/24 is directly connected subnet, but 192.168.0.1 is not on the cloud with C9800 (e.g. not on the same broadcast domain).

Nop. It will be manage internaly on the WLC.

  • f)    The client will never get the IP address from Internal DHCP.

Yes, will do.   When configuring the internal DHCP, disable the option "Reserved Only".

 

Please, look this guide:

 

https://wifininjas.net/2019/08/06/wn-blog-007-c9800-wlc-internal-dhcp-server-config/ 

Go to solution
ngkin2010
Level 7
Level 7
In response to Flavio Miranda

‎05-12-2022 07:08 AM

Hi Flavio,

 

Thanks for your detailed explanation. I do agree that it's not a very good option and not following best practice.

 

I've to validate if the design is technically possible when external DHCP server is not an option.   

 

It become make more sense, if WLC will mange the DHCP discovery process internally. thanks~

 

 

Go to solution
Rich R
VIP
VIP

‎05-12-2022 06:46 AM - edited ‎05-12-2022 06:46 AM

Since the VLAN is locally switched why would you use the WLC for DHCP?

That also means that users won't be able to get an IP address if you lose your WLC connection.

Simply configure DHCP locally at the site (instead of helper) and save yourself a whole lot of complication on the WLC.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

Go to solution
ngkin2010
Level 7
Level 7
In response to Rich R

‎05-12-2022 07:28 AM

Hi rrudling,

 

That's true, I agree that it's not a good design if external DHCP server is available.

 

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card