07-12-2021 10:36 AM
Hi,
Our deployment is currently composed of:
- Catalyst 9800-40 release Amsterdam 17.3.3 (upgrade performed from the default version 16.12.02s)
- Access Point 9120AX
We are not allowed to configure the helper address on the Gateway (Firewall Checkpoint).
During the test phase the following problem has been checked: issue with the IP release for the Clients connected to the new AP 9120 AX in local mode (no flexconnect central switching/local).
We configure:
Interface vlan 222
description management_plane
ip address y.y.y.y
interface vlan 111
description dataplane
ip address x.x.x.x
ip helper-address x.x.x.x
ip dhcp relay source-interface vlan 222
ip route 0.0.0.0 0.0.0.0 y.y.y.1
Do we have to configure something else? The clients don't receive an IP address.
Thank you
07-14-2021 04:01 PM
You can configure the DHCP relay in the Checkpoint firewall; it has been supported for a very long time in Checkpoint.
Remove all DHCP-related configuration from the WLC and only configure the DHCP relay in the firewall. Client DHCP traffic gets bridged at the controller in the client VLAN mapped to the SSID, so there is no need for any relays or helpers in the WLC.
07-14-2021 10:58 PM
Yes, this can be a solution, but at the moment, as I said, it is not possible (from the customer).
We will try the 17.5 release, which uses the same behavior as AireOS.
Thx Stef
07-15-2021 07:23 AM
Can you add the command ip routing? When you enable ip helper-address, it is compulsory to have routing.
07-15-2021 08:06 AM - edited 07-15-2021 09:04 AM
Tested with release 17.5 and it does not work!! Yes, ip routing is enabled.
The DHCP request goes out from the management interface, and the DHCP is not able to allocate the IP.
The behaviour is not ported on the new cat98
07-15-2021 09:23 AM
I already told you:
- It's not the same as AireOS - having tantrums will not change that. If you want to use 9800 then learn to work with the 9800 design.
- It does work - we have it working with live customers in service.
So get packet captures on 9800 and DHCP server, get debugs/logs on your DHCP server, check them and work out why it is not working then fix the cause. Very likely a config error somewhere on 9800 or DHCP server.
07-16-2021 05:35 AM
Maybe you have a different DHCP server. How did you manage option 82?
We have MS 2019.
07-16-2021 06:15 AM
We don't use option 82.
02-14-2022 09:16 AM
I realize that it might be slightly late for the reply. We ran into similar issues. In our case we were refreshing the Anchor controller in the DMZ to a new 9800 vWLC. The management IP is configured as the DHCP relay source address.
1) Option 82 has to be used in this case (sub-option 5 "Link selection" is needed to specify the pool for IP assignment).
It was required to change the default setting under config mode from the Cisco proprietary (150) to the standard (5) sub-option:
ip dhcp compatibility suboption link-selection standard
2) We are using DHCP servers on Windows Server 2016 (I believe it is the earliest version supporting option 82). One of the requirements is to have a valid DHCP scope for the DHCP relay source IP, and it is being used for the "authorization" of the DHCP request. For that purpose we have created a small scope with a few IP addresses in the same VLAN where the management interface is configured.
3) IP helper-address has to be configured under SVI and "ip dhcp relay source-interface xxx" specified.
I hope it helps
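The packet-capture check suggested earlier in the thread can be combined with the sub-option point in the reply above. The following is an added example, not part of any post or of Cisco's tooling: it parses a relayed DHCP payload and reports the relay source (giaddr) and whether option 82 carries link selection as sub-option 5 or 150. The function names and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Sub-option numbers as given in the post: 5 = standard, 150 = Cisco proprietary
LINK_SELECTION = {5: "standard", 150: "cisco-proprietary"}

def parse_relay_info(payload: bytes) -> dict:
    """Extract giaddr and the option 82 link-selection sub-option, if any."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    info = {"giaddr": str(ipaddress.IPv4Address(payload[24:28])),
            "encoding": None, "link_selection": None}
    for code, value in _tlvs(payload[240:], dhcp_options=True):
        if code != 82:
            continue
        for sub, subval in _tlvs(value, dhcp_options=False):
            if sub in LINK_SELECTION and len(subval) == 4:
                info["encoding"] = LINK_SELECTION[sub]
                info["link_selection"] = str(ipaddress.IPv4Address(subval))
    return info

def _tlvs(buf: bytes, dhcp_options: bool):
    """Yield (code, value) pairs; pad (0) and end (255) apply only at option level."""
    i = 0
    while i < len(buf):
        code = buf[i]
        if dhcp_options and code == 255:
            return
        if dhcp_options and code == 0:
            i += 1
            continue
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated option")
        yield code, buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]

def build_sample(giaddr: str, subopt: int, subnet: str) -> bytes:
    """Constructed relayed DISCOVER payload (documentation addresses only)."""
    hdr = bytearray(236)
    hdr[0:4] = bytes([1, 1, 6, 1])   # BOOTREQUEST, Ethernet, hlen 6, 1 hop
    hdr[24:28] = ipaddress.IPv4Address(giaddr).packed
    relay = bytes([subopt, 4]) + ipaddress.IPv4Address(subnet).packed
    opts = bytes([53, 1, 1, 82, len(relay)]) + relay + b"\xff"
    return bytes(hdr) + MAGIC_COOKIE + opts

if __name__ == "__main__":
    for sub in (150, 5):
        print(parse_relay_info(build_sample("192.0.2.10", sub, "198.51.100.0")))
```

Feed it the UDP payload of a request captured between the controller and the DHCP server; an `encoding` of `None` means no link-selection sub-option was found in the packet.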
02-14-2022 09:54 AM
can you remove
ip dhcp relay source-interface vlan 222
and try please.
02-14-2022 10:37 AM
You can’t do it, the default gateway is configured on the management Vlan only.