11-30-2011 09:21 AM - edited 07-03-2021 09:09 PM
I have a single 5508 WLC that will be used for guest wireless now as well as secure employee wireless in the future. Since our DMZ consists of a only a single L2 vlan, I will be creating multiple new L2 vlans to be used for the open guest wireless clients. Since these are not routable, would I still be able to use a DHCP server on my internal network using the WLC as a proxy? Or do I need to just configure DHCP on my DMZ firewall for each VLAN and disable the WLC proxy?
11-30-2011 02:21 PM
Hello Ryan,
Even with DHCP proxy enabled, the DHCP request will be sent to the configured server as a unicast, with the source address being that of the respective dynamic interface.
Since this L2 vlan is not routed, then there will be no way to reach an internal DHCP server from the DMZ, if I understand your topology correctly.
So, it sounds like you will need to have a DHCP server present in the DMZ, either the firewall or a local WLC scope.
-Pat
12-01-2011 06:26 AM
Pat,
Thanks for the clarification. One follow-up question--if I'm using DHCP in my DMZ for those L2 vlans, would I still be able to have the controller proxy a DHCP server on my internal LAN to hand out IPs to my access points that are on an L3 vlan? They would be able to route to the internal server--I'm just wondering if it's possible to mix and match DHCP settings like that on the same controller if I use LAG on the distribution ports.
12-01-2011 07:55 AM
Ryan,
Your access points will obtain DHCP independent of the WLC. They will send their own DHCP discover packets on the vlan that they are connected in. So if they are on an internal L3 vlan, you simply would need to add something like an ip-helper address to forward those DHCP broadcasts to your desired server.
The access points will then need to learn the IP address of your WLC management interface, through the use of things like DHCP option 43, or a DNS entry for cisco-capwap-controller.
You will also need to allow communication between the AP vlan and the WLC management vlan.
-Pat
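To make the two mechanisms Pat describes concrete (the relay/proxy address that tells the DHCP server which scope to answer from, and DHCP option 43 carrying the WLC management address to the APs), here is an added Python example. It is not from this thread or from Cisco; the controller and scope addresses in it are constructed sample values, and the IOS-style hex rendering is only there to show what the encoded bytes look like in a pool configuration.

```python
import ipaddress

# Cisco lightweight APs read option 43 as a single TLV:
# sub-option 0xF1, length = 4 * N, followed by N IPv4 controller addresses.
CISCO_WLC_SUBOPTION = 0xF1


def encode_cisco_option43(controller_ips):
    """Build the option 43 payload for a list of WLC management addresses."""
    packed = b"".join(ipaddress.IPv4Address(ip).packed for ip in controller_ips)
    if not packed or len(packed) > 255:
        raise ValueError("need between 1 and 63 controller addresses")
    return bytes([CISCO_WLC_SUBOPTION, len(packed)]) + packed


def ios_option43_hex(controller_ips):
    """Render the payload the way an IOS 'option 43 hex' line is written
    (hex digits in dotted groups of four)."""
    h = encode_cisco_option43(controller_ips).hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def decode_cisco_option43(payload):
    """Walk the TLVs in an option 43 payload and return the controller IPs.
    Rejects truncated TLVs and address lists that are not a multiple of 4 bytes."""
    ips = []
    i = 0
    while i + 2 <= len(payload):
        tag, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option 43 TLV")
        if tag == CISCO_WLC_SUBOPTION:
            if length % 4:
                raise ValueError("controller list is not whole IPv4 addresses")
            ips.extend(str(ipaddress.IPv4Address(value[j:j + 4]))
                       for j in range(0, length, 4))
        i += 2 + length
    return ips


def select_scope(relay_address, scopes):
    """Pick the scope a DHCP server would answer from for a relayed DISCOVER.

    relay_address is the giaddr the relay fills in: the VLAN interface
    running ip-helper, or the WLC dynamic interface when DHCP proxy is on.
    Returns None when no scope matches, which is what a server sees when a
    relay hands it a request from a subnet it has no scope for."""
    if relay_address == "0.0.0.0":
        # Not relayed: the server would use the subnet of the interface it heard it on.
        return None
    addr = ipaddress.IPv4Address(relay_address)
    for scope in scopes:
        if addr in ipaddress.IPv4Network(scope):
            return scope
    return None


if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    wlc = ["10.10.10.5"]
    print("option 43 hex", ios_option43_hex(wlc))
    print("decoded     ", decode_cisco_option43(encode_cisco_option43(wlc)))
    guest_scopes = ["172.16.10.0/24", "172.16.20.0/24"]
    print("giaddr 172.16.20.1 ->", select_scope("172.16.20.1", guest_scopes))
    print("giaddr 192.168.50.1 ->", select_scope("192.168.50.1", guest_scopes))
```

`select_scope` returning `None` is the failure mode from the original question: if the DMZ VLAN's interface address is not in any scope the server knows about, or the relayed unicast cannot reach the server at all, clients never get an offer even though the APs (which are on a routed VLAN) do.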
12-20-2011 05:59 AM
Pat,
I have just tried this and my access points are getting IPs without any issues. However my clients are not. The guest WLAN is using an interface group of several /24 layer 2 vlans (using latest code version). There is an external DHCP server that has a virtual interface/IP defined for each L2 vlan. I have disabled DHCP proxy on the controller. Is there anything else I am missing?
12-20-2011 06:40 AM
If you disabled proxy, did you add an IP helper on the vlans that are providing network access to the guest users?
12-20-2011 07:39 AM
Found the problem. The Layer 2 vlans I had created weren't showing up in the vlan database on the L3 switch the controller was connected to. Once I set some access interfaces up on the switch and verified DHCP worked on the wired side for these vlans, all was well.