DHCP server on AironetAP 3602

fryfenchie
Level 1

Hello all, I have this AP, AIR-CAP3602I-N-K9, that was lightweight, but I have flashed it as standalone now. The thing I am trying to do now is create a DHCP pool which is used to assign IPs to WiFi clients. I created a pool with the network address and other details, but the radio still isn't providing IPs to the clients.
Another issue: my office has a 10.x.x.x network, from which one IP is available that I have assigned to the AP on the BVI1 interface, and I want my WiFi clients to have the 192.168.1.0 network since I don't have any more IPs on the 10x network.
But the main question is: after creating the pool, how do I apply it? Do I only have to create the pool and the AP automatically takes it? Because it's not. I have also tried to attach the pool to an interface, but it's not working either.
Please shed some light.
Cheers,

Here is the config:
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
ip dhcp pool NKN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
lease 10
!
!
!
!
dot11 syslog
dot11 vlan-name NKN vlan 10
!
dot11 ssid NKN
vlan 2
authentication open
guest-mode
!
!
dot11 wpa handshake timeout 1000
dot11 network-map
!
!
!
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers aes-ccm
!
ssid NKN
!
antenna gain 0
stbc
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23.
station-role root access-point
dot11 dot11r pre-authentication over-air
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.1
!
interface Dot11Radio0.2
encapsulation dot1Q 2
!
interface Dot11Radio1
no ip address
shutdown
!
ssid NKN
!
antenna gain 0
peakdetect
no dfs band block
stbc
channel dfs
station-role root
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.2
!
interface Dot11Radio1.21
encapsulation dot1Q 2
bridge-group 254
bridge-group 254 subscriber-loop-control
bridge-group 254 spanning-disabled
bridge-group 254 block-unknown-source
no bridge-group 254 source-learning
no bridge-group 254 unicast-flooding
!
interface GigabitEthernet0
ip address dhcp
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 spanning-disabled
no bridge-group 2 source-learning
!
interface GigabitEthernet0.21
!
interface BVI1
mac-address 442b.03a9.8f79
ip address 10.154.2.60 255.255.255.0
ipv6 address dhcp
ipv6 address autoconfig
no routing dynamic
!
interface BVI10
ip address dhcp
!
ip default-gateway 10.154.2.1
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip route 0.0.0.0 0.0.0.0 Dot11Radio0
!
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
transport input all
!
end
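
An offline check for the question in the post above (how a pool gets "applied"), as an added example that is not part of the original thread: per Cisco's IOS DHCP server documentation, a pool is not attached to an interface; for a directly connected client the server picks the pool whose network contains the address of the interface the request arrived on. The names `parse`, `check_pools` and `SAMPLE_CONFIG` are made up here, and the sample is a constructed excerpt of the posted config.

```python
import ipaddress
import re

# Constructed excerpt: the pool and the addressed interfaces from the config posted above.
SAMPLE_CONFIG = """\
ip dhcp pool NKN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
interface GigabitEthernet0
ip address dhcp
interface BVI1
ip address 10.154.2.60 255.255.255.0
interface BVI10
ip address dhcp
"""

def parse(config):
    """Collect DHCP pools and interface addresses from IOS-style config text."""
    pools, ifaces, kind, name = {}, {}, None, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"ip dhcp pool (\S+)", line):
            kind, name = "pool", m.group(1)
            pools[name] = {"network": None, "router": None}
        elif m := re.match(r"interface (\S+)", line):
            kind, name = "if", m.group(1)
        elif kind == "pool" and (m := re.match(r"network (\S+) (\S+)", line)):
            pools[name]["network"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif kind == "pool" and (m := re.match(r"default-router (\S+)", line)):
            pools[name]["router"] = ipaddress.ip_address(m.group(1))
        elif kind == "if" and (m := re.match(r"ip address (\S+)(?: (\S+))?", line)):
            # "ip address dhcp" is learned at run time, so it cannot be checked offline.
            ifaces[name] = "dhcp" if m.group(1) == "dhcp" else ipaddress.ip_interface(
                f"{m.group(1)}/{m.group(2)}")
    return pools, ifaces

def check_pools(config):
    """For each pool, list interfaces that could select it and whether its gateway is local."""
    pools, ifaces = parse(config)
    static = {n: a for n, a in ifaces.items() if not isinstance(a, str)}
    report = {}
    for pool, p in pools.items():
        serving = [n for n, a in static.items() if p["network"] and a.ip in p["network"]]
        report[pool] = {
            "serving": serving,  # interfaces with a static address inside the pool network
            "unknown": [n for n, a in ifaces.items() if isinstance(a, str)],
            "router_is_local": any(a.ip == p["router"] for a in static.values()),
        }
    return report
```

On the constructed excerpt, pool NKN has no statically addressed interface inside 192.168.1.0/24 and its default-router 192.168.1.1 is not an address on the AP; the two `ip address dhcp` interfaces are reported as unknown because their addresses are only known at run time.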

20 Replies

marce1000
VIP

 

- Correction, check this guide and compare your settings:
  https://community.cisco.com/t5/wireless-mobility-knowledge-base/how-to-configure-aironet-devices-to-act-as-a-dhcp-server/ta-p/3113141

  M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

This is exactly how I did it, but it doesn't seem to lease an IP to any client.

 

- Check (DHCP related) logs on the access point.
  Use these commands on the AP CLI, if available:
      debug dhcp detail
      debug ip dhcp server events
  (then let a client (try) to connect and check the logs on the AP afterwards)

  If nothing is seen then that is suspicious; try an alternative DHCP server on the WLAN/VLAN and check if the client(s) can get an address from that one.

 M.
                                                                                  




RxTx
Level 1

Hi, try if you set:

station-role root bridge wireless-clients

add:

maybe you need also:

interface BVI10
 ip address dhcp client-id xxxxxxxx

Some AP DHCP related commands from doc :

To enable DHCP server debugging, use this command in privileged EXEC mode:
debug ip dhcp server { events | packets | linkage }

Use the no form of the command to disable debugging for the wireless device DHCP server.

show ip dhcp conflict [ address ]
    Displays a list of all address conflicts recorded by a specific DHCP Server. Enter the wireless device IP address to show conflicts recorded by the wireless device.

show ip dhcp database [ url ]
    Displays recent activity on the DHCP database.

show ip dhcp server statistics
    Displays count information about server statistics and messages sent and received.

clear ip dhcp binding { address | * }
    Deletes an automatic address binding from the DHCP database. Specifying the address argument clears the automatic binding for a specific (client) IP address. Specifying an asterisk (*) clears all automatic bindings.

clear ip dhcp conflict { address | * }
    Clears an address conflict from the DHCP database. Specifying the address argument clears the conflict for a specific IP address. Specifying an asterisk (*) clears conflicts for all addresses.

clear ip dhcp server statistics
    Resets all DHCP Server counters to 0.

 

fryfenchie
Level 1

Hey, I managed to run DHCP. Now my clients are getting the IP from the pool. Now I just need to access the internet. Clients can't access the internet because the internet is on a 10x IP address and WiFi clients are on 192x. Is there any way I can bridge it or something like that? Thanks.

 

 

>....and wifi clients are on 192x is there any way i

- But you have configured this on the AP:
      ip dhcp pool NKN
      network 192.168.1.0 255.255.255.0
  >...
- That means that the subnet and/or VLAN that the clients are arriving on must support internet access for the particular address range through routing, NAT or something else.
  If not, then you must choose another address range for the wireless clients that complies with the used VLAN (and its allocated subnet) on the network.

 M.




RxTx
Level 1

If your wifi clients can ping LAN clients then you need to specify gateway for wifi clients to be the same as for LAN clients and that router to accept wifi clients IP.

No, the thing is the internet is coming from a 10x address. My clients can talk to each other, but I need to send 192 traffic to the 10x address.

Not sure if this is the way to go but you can try:

Assigning IP Redirection for an SSID

When you configure IP redirection for an SSID, the access point redirects all packets sent from client
devices associated to that SSID to a specific IP address. IP redirection is used mainly on wireless LANs
serving handheld devices that use a central software application and are statically configured to
communicate with a specific IP address. For example, the wireless LAN administrator at a retail store
or warehouse might configure IP redirection for its bar code scanners, which all use the same scanner
application and all send data to the same IP address.
You can redirect all packets from client devices associated using an SSID or redirect only packets
directed to specific TCP or UDP ports (as defined in an access control list). When you configure the
access point to redirect only packets addressed to specific ports, the access point redirects those packets
from clients using the SSID and drops all other packets from clients using the SSID.
When you perform a ping test from the access point to a client device that is associated using an
IP-redirect SSID, the response packets from the client are redirected to the specified IP address and are
not received by the access point.

Configuring IP Redirection
Beginning in privileged EXEC mode, follow these steps to configure IP redirection for an SSID:

Step 1: configure terminal
    Enter global configuration mode.

Step 2: dot11 ssid ssid-string
    Enter configuration mode for a specific SSID.

Step 3: ip redirection host ip-address
    Enter IP redirect configuration mode for the IP address. Enter the IP address with decimals, for example: 10.91.104.92. If you do not specify an access control list (ACL) which defines TCP or UDP ports for redirection, the access point redirects all packets that it receives from client devices.

Step 4: ip redirection host ip-address access-group acl in
    (Optional) Specify an ACL to apply to the redirection of packets. Only packets sent to the specific UDP or TCP ports defined in the ACL are redirected. The access point discards all received packets that do not match the settings defined in the ACL. The in parameter specifies that the ACL is applied to the incoming interface for the access point.

Note: ACL logging is not supported on the bridging interfaces of access point platforms. When applied on a
bridging interface, it works as if the interface were configured without the log option, and logging does
not take effect. However ACL logging does work for the BVI interfaces as long as a separate ACL is
used for the BVI interface.

Example from doc:

AP# configure terminal
AP(config)# dot11 ssid batman
AP(config-if-ssid)# ip redirection host 10.91.104.91
AP(config-if-ssid-redirect)# end


>... but i need to send 192 traffic to 10x address

- Such statements are not valid in standard networking (terminology): for starters, it is probably better to use another address range than 192.168.x.x because those are link local addresses, and can indicate that the client did not receive a DHCP address at all!!

  So: 1) Use another address range for the wireless clients, such as another 10.x subnet
      2) If there must be communication with the wired clients, then the different VLANs (subnets) must support inter-routing 'towards' each other.

 M.




I understand, but as I mentioned earlier, my DHCP is working now. I can't use any other subnet because I work at the data center and they don't have any free IPs or VLANs. I just want to use the AP as a hotspot.

 

>i understand but as i mentioned early my dhcp is working now i cant use any other subnet cause i work at the data center and they dont have any free ips or vlans i just want to use ap as hotspot

If there is any need to communicate with other clients on the intranet, then you have no other choice than to coordinate with IT of the data center on the use of IP addresses (and then probably use those addresses for internet access too, to get rid of 192.168.x.x).

  M.


