
Configuration of the dhcp in the Anchor controller.

daisybrito9
Level 1

Hi,

Can you help me with this issue:

It is required to configure an external dhcp in the Anchor controller for wireless guest users. The Anchor controller is in the DMZ and the external server is on the internal network. Can someone tell me how to configure it (Catalyst 9800) and what considerations should be taken since the Anchor is in the DMZ.

Thanks for your attention.

7 Replies

Scott Fella
Hall of Fame

Configuration of dhcp is like any other SSIDs you might have. You don't do any configuration on the controller, but on the SVI. Many would have an external dhcp that is in the DMZ and not really poke holes to the internal, unless that is secured and allowed. If setting up a new dhcp just for guest isn't something you want to do, you can also set up the dhcp on the router. I think it's more of what their security team will allow as far as poking holes in the firewall.

-Scott
*** Please rate helpful posts ***

Thanks for your quick response.

Another option is to configure the Anchor controller as a dhcp server for the Guest SSID, that is, an internal dhcp in the Anchor controller (C9800), is it correct?

@daisybrito9 Yes, you can do that and many have gone that route. Keep in mind that the dhcp service isn't like a full-fledged dhcp server. You just have to keep an eye out in case the dhcp hangs, in which case you may have to restart the service. This solution is better for smaller guest networks, but in a larger guest network, I would use something else. That is my opinion, but why not give it a try and see how it goes.

-Scott

Here is a blog post with a step-by-step process to configure the internal DHCP server on the C9800.

https://wifininjas.net/2019/08/06/wn-blog-007-c9800-wlc-internal-dhcp-server-config/

CJ

 

Hi.

Thanks for sharing the blog with the step-by-step process. I have the following queries:

1. I'm seeing that the internal DHCP was configured under the policy profile in the Anchor WLC. Query: In the policy profile created in the Foreign WLCs (for the Guest SSID), should this internal dhcp also be configured? I have read that the configuration of the wireless profile and the policy profile in both (the Foreign WLC and the Anchor WLC) must be the same.

2. Can the internal dhcp be configured in the SVI (guest vlan) in the Anchor WLC, instead of doing it in the policy profile? What is the difference between doing it directly in the configured SVI (DHCP helper address configuration) and doing it in the policy profile?

3. Must the internal dhcp address be the management IP of the WLC, or can it be the IP of the loopback interface?

4. The policy Tag: I have read that it is not necessary to do it in the Anchor, it is only done in the Foreign. Is that correct?

Thanks.

 

There are always different ways to set this up. Why not just test it with a test SSID and anchor that to the anchor controller? This way you can see what works and what doesn't. Then with the testing, you can decide which way works better for you.

-Scott

Arshad Safrulla
VIP Alumni

As @Scott Fella highlighted, the internal DHCP server is limited in functionality, and design-wise it is not recommended to use it for larger networks. For SMB it is acceptable to use, while the recommendation is to use a dedicated DHCP server.

In your case you can simply configure the DHCP relay on the DMZ interface directly (firewall, router or whatever device is the DMZ gateway) and allow the DMZ interface to communicate only with your internal DHCP server. You may use firewall rules (recommended) to allow only DHCP packets between the DMZ interface and the DHCP server.

Alternatively, you can configure an L3 SVI in your WLC for the Guest SSID and configure the DHCP relay there, but this will add more complexity, as DHCP traffic will be sourced from the IP address of the client SVI and routed out of the interface that matches the destination in the routing table. Since the source IP and the IP of the outgoing interface might be different (applicable only if you have multiple interfaces in your Anchor WLC), some firewalls that inspect DHCP packets will start dropping this. So if this is the case, please make sure you modify the configuration to source DHCP packets from your Guest SVI.
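
The following is an added configuration sketch, not part of the thread and not taken from any poster's device, showing the SVI relay option from the reply above with the relay source pinned to the guest SVI and a DHCP-only rule toward the internal server. The VLAN number, ACL name and all addresses are constructed placeholders (documentation ranges), and the firewall rule is written as an IOS-style ACL only for illustration; the actual DMZ firewall will have its own syntax.

```cisco
! --- Anchor WLC (IOS-XE): guest SVI acting as DHCP relay ---
! Assumed values: VLAN 50 is the guest VLAN, 192.0.2.1 is the guest SVI,
! 198.51.100.10 is the internal DHCP server.
interface Vlan50
 description Guest SVI (DHCP relay for anchored guest WLAN)
 ip address 192.0.2.1 255.255.255.0
 ! Relay client broadcasts to the internal DHCP server
 ip helper-address 198.51.100.10
 ! Pin the source of relayed packets to this SVI so the packet source
 ! stays the same regardless of which interface routes toward the server
 ip dhcp relay source-interface Vlan50
!
! --- DMZ-to-inside policy, expressed as an IOS-style ACL ---
! Only the relay address may reach the DHCP server, and only on the
! DHCP server port (relay-to-server traffic uses UDP 67 on both ends).
ip access-list extended DMZ-GUEST-DHCP
 remark Relay (guest SVI) to internal DHCP server only
 permit udp host 192.0.2.1 eq bootps host 198.51.100.10 eq bootps
 remark Nothing else from the guest DMZ reaches the inside network
 deny   ip any any log
!
! On a stateless filter, the reply direction needs the mirror rule:
ip access-list extended INSIDE-TO-DMZ-DHCP
 permit udp host 198.51.100.10 eq bootps host 192.0.2.1 eq bootps
 deny   ip any any log
```

The `log` keyword on the final deny gives a record of anything other than relayed DHCP that the guest DMZ tries to send inward, which is useful when validating the rule with a test SSID as suggested earlier in the thread.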

 
