Does WLC6 filter DHCP?

Ellad Yatsko
Level 1

I have a Cisco 2821 with an NM-AIR-WLC6-K9 installed, and a number of AIR-AP1131AG-E-K9. Now I have set up a trivial task: make the WLC6 work as a bridge between one of the WLANs and one of the VLANs on a network segment. I have already attained the following: all is working fine while I use a statically assigned IP address on my test notebook. Broadcasts such as ARP requests go through the network freely. But as soon as I change the IP assignment method I hear nothing on the DHCP side. The notebook is unable to acquire an address through DHCP. But when I assign an IP address to the vlan20 interface on the WLC6 and set up the correct DHCP server, all works fine again, now with DHCP. But I don't want to use an IP on vlan20! I need a totally bridged topology! Is there a way out?

http://www.united-networks.ru/doku.php?id=hardware_configuration&#ciscoconfiguring_wlc6

- Cisco works as bridge (relevant configuration):

interface GigabitEthernet0/1.20 (plugged into trunk on a wired segment)
 encapsulation dot1Q 20
 bridge-group 20

interface wlan-controller1/0.20
 encapsulation dot1Q 20
 bridge-group 20

interface BVI20
 no ip address

bridge irb
bridge 20 protocol ieee
bridge 20 route ip

- WLC6 configured as follows (open system, no auth at all):

(Cisco Controller) >config interface create vlan20 20
(Cisco Controller) >config interface port vlan20 1
(Cisco Controller) >config wlan interface 2 vlan20
(Cisco Controller) >config wlan security wpa wpa2 ciphers aes disable 2
(Cisco Controller) >config wlan security wpa wpa2 disable 2
(Cisco Controller) >config wlan security wpa akm 802.1x disable 2
(Cisco Controller) >config wlan security wpa disable 2
(Cisco Controller) >config wlan enable 2

show wlan 2

WLAN Identifier.................................. 2
Profile Name..................................... free.united-networks.ru
Network Name (SSID).............................. free.united-networks.ru
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. Infinity
Webauth DHCP exclusion........................... Disabled
Interface........................................ vlan20
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Quality of Service............................... Silver (best effort)
WMM.............................................. Allowed
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Local EAP Authentication......................... Disabled
Security
   802.11 Authentication:........................ Open System
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Disabled
   CKIP ......................................... Disabled
   IP Security Passthru.......................... Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   H-REAP Local Switching........................ Disabled
   Infrastructure MFP protection................. Enabled (Global Infrastructure MFP Disabled)
   Client MFP.................................... Optional but inactive (WPA2 not configured)
   Tkip MIC Countermeasure Hold-down Timer....... 60
Mobility Anchor List
WLAN ID     IP Address            Status
-------     ---------------       ------

show wlan summary

Number of WLANs.................................. 2

WLAN ID  WLAN Profile Name / SSID                           Status    Interface Name
-------  -------------------------------------------------  --------  --------------------
1        united-networks.ru / united-networks.ru            Enabled   management
2        free.united-networks.ru / free.united-networks.ru  Enabled   vlan20

show interface summary

Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
ap-manager                       1    10       172.16.0.51     Static  Yes    No
management                       1    10       172.16.0.50     Static  No     No
virtual                          N/A  N/A      1.1.1.1         Static  No     No
vlan20                           1    20       0.0.0.0         Dynamic No     No

Kind regards,

Ellad Yatsko

1 Accepted Solution

Ellad,

The WLC is a DHCP proxy by default, which means that client DHCP traffic is not transparently passed through the WLC onto the upstream network. Instead, it is repackaged as unicast traffic originating from the WLC interface tied to the client's WLAN. If you want upstream servers or relays to hear client DHCP traffic directly without WLC meddling, then do this on your WLC's command line to disable DHCP proxy:

(wlc6) > config dhcp proxy disable

This is currently (as of 7.0) a global setting and affects all WLANs.

Justin

Ps. I have been disabling DHCP proxy on my WLC deployments as a best practice for about a year now. As a result, one thing I have noticed is that DHCP responses to clients seem to come much faster from the DHCP services behind the WLC (e.g., W2Kx DHCP server, IOS DHCP, ISC-dhcpd, etc.), especially if those DHCP servers are themselves highly responsive. With DHCP proxy turned on (on the WLC), DHCP assignments seem to take sometimes 4x to 5x longer, even on lightning fast networks with lightning fast DHCP servers. I chalk this delay up to a slow, buggy and unevolved DHCP engine in the controllers, which, IMO, has caused more trouble than it's worth over the years--I never use internal DHCP on the controllers, and these days I'm no longer letting them handle the proxying.
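Justin's explanation above (the WLC re-sourcing client DHCP as unicast from its own interface instead of bridging the broadcast) is what a relay or a packet capture on VLAN20 would see as a rewritten giaddr. The following Python, added here and not taken from the thread, decodes the BOOTP fields the WLC debug prints (op, htype, hlen, hops, xid, secs, flags, ciaddr/yiaddr/siaddr/giaddr, chaddr, message type) from raw packet bytes and classifies a request as bridged straight from the client or relayed/proxied; the sample DISCOVER is constructed to match the MAC, xid and flags in Ellad's debug output, and the relay address 172.16.20.1 is an assumed placeholder.

```python
"""Decode a BOOTP/DHCP request and tell bridged from relayed/proxied traffic."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"                       # DHCP options cookie (RFC 2131)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


@dataclass
class Dhcp:
    op: int; htype: int; hlen: int; hops: int
    xid: int; secs: int; flags: int
    ciaddr: IPv4Address; yiaddr: IPv4Address
    siaddr: IPv4Address; giaddr: IPv4Address
    chaddr: str; msg_type: str


def parse_dhcp(pkt: bytes) -> Dhcp:
    """Parse the fixed 236-byte BOOTP header and the option-53 message type."""
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    ci, yi, si, gi = (IPv4Address(pkt[o:o + 4]) for o in (12, 16, 20, 24))
    chaddr = ":".join(f"{b:02x}" for b in pkt[28:28 + hlen])
    msg_type = "UNKNOWN"
    if pkt[236:240] == MAGIC:                     # options follow sname (64) and file (128)
        i = 240
        while i < len(pkt) and pkt[i] != 255:     # 255 = end option
            if pkt[i] == 0:                       # 0 = pad option, has no length byte
                i += 1
                continue
            code, length = pkt[i], pkt[i + 1]
            if code == 53:
                msg_type = MSG_TYPES.get(pkt[i + 2], "UNKNOWN")
            i += 2 + length
    return Dhcp(op, htype, hlen, hops, xid, secs, flags, ci, yi, si, gi, chaddr, msg_type)


def classify(d: Dhcp) -> str:
    """A client's own request carries giaddr 0.0.0.0 (as in the thread's debug output);
    a relay agent, or the WLC acting as DHCP proxy, rewrites giaddr to its own interface."""
    if d.op != 1:
        return "server-to-client"
    if d.giaddr == IPv4Address("0.0.0.0"):
        return "bridged (direct from client)"
    return f"relayed/proxied via {d.giaddr}"


def build_discover(mac: str, xid: int, flags: int = 0x8000, giaddr: str = "0.0.0.0") -> bytes:
    """Constructed sample DISCOVER; flags 0x8000 is the broadcast bit ('flags: 80' in the debug)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, flags)      # op=BOOTREQUEST, htype=Ethernet
    hdr += IPv4Address("0.0.0.0").packed * 3 + IPv4Address(giaddr).packed
    return hdr + chaddr + bytes(64) + bytes(128) + MAGIC + bytes([53, 1, 1, 255])
```

Feed `parse_dhcp` the UDP payload of a frame captured on the relay's VLAN20 interface: with proxy enabled nothing arrives as a broadcast from the client MAC, and what does arrive (if the WLC interface has an address) carries that interface as giaddr.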


8 Replies

Justin Kurynny
Level 4

Ellad,

When you say,

"But as soon as I change IP assigning method I hear nothing on DHCP's side. Notebook is unable to acquire address through DHCP,"

Where at that moment in time do you have your DHCP server configured? Is it upstream from the router, but still on vlan 20?

Justin

Sent from Cisco Technical Support iPhone App

The DHCP server is an Ubuntu computer with ISC-DHCP-Relay configured. It is on VLAN20, where the WLC6's dynamic interface vlan20 is placed too. When the Ubuntu box "hears" a DHCP Discover, it resends it to another of its directly connected networks, to the Windows 2003 server 172.16.0.2. It all works fine with another AIR-AP1131AG-E-K9 which so far acts as an autonomous AP (it is on VLAN20 too). But there are no DHCP Discovers from my notebook when it is associated with the LAP/WLC. The latter does not pass them. Is there some setting which stops the WLC from intercepting DHCP traffic? I switched on "debug dhcp message enable" and saw that it processes the DHCP packets from the notebook. It would be nice if there were a setting that stops the WLC from even listening to DHCP! :-)

Thanks a lot, Justin! :-)

I did what you suggested, but it still filters DHCP:

Mon Feb 27 09:29:41 2012: 00:16:cf:20:87:03 DHCP processing DHCP DISCOVER (1)
Mon Feb 27 09:29:41 2012: 00:16:cf:20:87:03 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
Mon Feb 27 09:29:41 2012: 00:16:cf:20:87:03 DHCP   xid: 0x7f88d3a2 (2139673506), secs: 0, flags: 80
Mon Feb 27 09:29:41 2012: 00:16:cf:20:87:03 DHCP   chaddr: 00:16:cf:20:87:03
Mon Feb 27 09:29:41 2012: 00:16:cf:20:87:03 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
Mon Feb 27 09:29:41 2012: 00:16:cf:20:87:03 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
Mon Feb 27 09:29:41 2012: 00:16:cf:20:87:03 DHCP error bridging packet to DS

But something has changed: it says "error bridging packet to DS". I suppose something else needs to be done besides config dhcp proxy disable, doesn't it? :-)

Dear Justin!

I'm foolish! :-) I forgot to assign a physical port to the interface. Let me explain: to remove the IP address from the interface and check out the new topology, I disabled the WLAN, temporarily assigned the management interface to it, deleted the interface "vlan20" and then created it again, this time without an IP. :-)

By the way is there the shorter way? :-)

And thank you very, very much!

Kind regards,

Ellad

Ellad,

I'm glad to see your issue resolved. I'm not sure I understand your question about a shorter way. I'm not certain you needed to go through all those steps deleting and re-mapping interfaces in order to do your testing, if that's what you mean. I suppose you could have just remapped your WLAN to the management interface (and left your dynamic vlan20 interface alone--if you don't map it to a WLAN, it's not really used).

I checked out your notes page, and I have to say, you take a lot of notes. Keep up the good documentation work!

Justin

Eduardo Cesaro
Level 1

Hi Ellad

Is vlan20 native? Is it the native VLAN for data?

Sent from Cisco Technical Support iPhone App

I'm afraid I didn't understand. What do you mean? :-) VLAN20 is terminated on the Ubuntu server. VLAN20 is carried by a WS-C2960 to the C2800's GigabitEthernet0/1 (physical) port. Then there are two subinterfaces, GigabitEthernet0/1.20 and Wlan-controller1/0.20, which I suppose process tagged traffic too. Where do you think it must be native? "Wired" user computers connected to the WS-C2960s' access ports process untagged traffic which is still on VLAN20's subnet. Please explain to me what exactly you mean. :-) You can also cast a glance at my site www.united-networks.ru -> Hardware -> CISCO: Configuring WLC6. I endeavour to document my activities carefully.
