Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
754
Views
0
Helpful
1
Replies

DHCP Server guard and DHCP Source guard - Wireless CCNP

rudimocnik
Level 1
Level 1

‎06-30-2019 12:16 AM - edited ‎07-05-2021 10:38 AM

Hi all

 

I am studying for the CCNP Wireless exam and I am trying to figure out some things that seem very similar and I want to verify my understanding of the topics. I've done quite a bit of reading already and I am suspecting that some terms are being used interchangeably so here I am asking you guys to clarify. I am aware that security features mentioned are available on wired side however, note that this is for a Wireless certification so I am really interested on wlc/ap configuration and features.

 

I see two issues when it comes to DHCP address assignment.

#1 Where DHCP offers comes from (port) - sort of L2 protection

#2 What IP DHCP offers come from (source IP) - sort of L3 protection

 

I relate these things to DHCP snooping and IP source guard on the wired side and am searching for Wireless options.

I wonder if it is even possible to set up or logical to talk about L2 protection on the wireless side. Is ensuring that DHCP offers are coming from a valid DHCP server IP address good enough? Let me know some thoughts on these before me move to the actual features.

 

There are these two topics related to DHCP security features (I noticed one is general IPv4 I suppose and the other is IPv6. However, I assume we can generalise things for the sake of understanding and be more specific when discussing configuration options):

 

DHCP Server Guard 

 

DHCPv6 Source Guard - In the Cisco documentation: "... feature prevents wireless clients from handing out IPv6 addresses to other wireless clients or wired clients upstream." Which setting on the WLC is related to this on WLC? No configuration found.

 

It seems to me that DHCP Server Guard and DHCP Source guard are the same things used interchangeably. I am still not sure what setting on the WLC controls these. 

 

I wonder if the DHCP Address Assignment Required solves both of the problems mentioned. And if DHCP Source Guard and DHCP Server Guard exist for both IPv4 and IPv6 on WLC.

 

Thank you!

 

 

Labels:
0 Helpful
1 Reply 1

patoberli
VIP Alumni
VIP Alumni

‎07-03-2019 08:06 AM

Never seen those settings on the WLC, but it's possible that the WLC by default filters out DHCP server packets from the clients.
To make it a bit more complicate, the WLC can also act as a DHCP proxy, where the Offers have the WLC as the source MAC.

If you configure a virtual interface on the WLC, one of the fields you can fill out is the DHCP server. If that is filled out and DHCP Addr Assignement Required not enabled, then the WLC will forward all DHCP packets to that server. As there is no Broadcast on Wireless (which DHCP would require), a wireless client can't play DHCP server (normally).
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card