02-22-2012 01:57 AM - edited 07-03-2021 09:38 PM
I have Cisco 2821 with NM-AIR-WLC6-K9 installed. And number of AIR-AP1131AG-E-K9. Now I set up trivial task to make WLC6 to work as bridge between one of WLANs and one of VLANs on a network segment. I have already attained the following: all is working fine while I use on my test notebook statically assigned IP-address. Broadcasts as ARP-requests are going through the network free. But as soon as I change IP assigning method I hear nothing on DHCP's side. Notebook is unable to acquire address through DHCP. But when I assign IP-address to vlan20 interface on WLC6 and set up correct DHCP-server all works fine again. Now with DHCP. But I don't want use IP on vlan20! I need totally bridged diagram! Is there an exit?
http://www.united-networks.ru/doku.php?id=hardware_configuration&#ciscoconfiguring_wlc6
- Cisco works as bridge (relative configuration):
interface GigabitEthernet0/1.20
 ! plugged into trunk on a wired segment
 encapsulation dot1Q 20
 bridge-group 20
interface wlan-controller1/0.20
 encapsulation dot1Q 20
 bridge-group 20
interface BVI20
 no ip address
bridge irb
bridge 20 protocol ieee
bridge 20 route ip
- WLC6 configured as follows (open system, no auth at all):
(Cisco Controller) >config interface create vlan20 20
(Cisco Controller) >config interface port vlan20 1
(Cisco Controller) >config wlan interface 2 vlan20
(Cisco Controller) >config wlan security wpa wpa2 ciphers aes disable 2
(Cisco Controller) >config wlan security wpa wpa2 disable 2
(Cisco Controller) >config wlan security wpa akm 802.1x disable 2
(Cisco Controller) >config wlan security wpa disable 2
(Cisco Controller) >config wlan enable 2
show wlan 2
WLAN Identifier.................................. 2
Profile Name..................................... free.united-networks.ru
Network Name (SSID).............................. free.united-networks.ru
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. Infinity
Webauth DHCP exclusion........................... Disabled
Interface........................................ vlan20
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Quality of Service............................... Silver (best effort)
WMM.............................................. Allowed
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
CKIP ......................................... Disabled
IP Security Passthru.......................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
H-REAP Local Switching........................ Disabled
Infrastructure MFP protection................. Enabled (Global Infrastructure MFP Disabled)
Client MFP.................................... Optional but inactive (WPA2 not configured)
Tkip MIC Countermeasure Hold-down Timer....... 60
Mobility Anchor List
WLAN ID IP Address Status
------- --------------- ------
show wlan summary
Number of WLANs.................................. 2
WLAN ID WLAN Profile Name / SSID Status Interface Name
------- ------------------------------------- -------- --------------------
1 united-networks.ru / united-networks.ru Enabled management
2 free.united-networks.ru / free.united-networks.ru Enabled vlan20
show interface summary
Interface Name Port Vlan Id IP Address Type Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
ap-manager 1 10 172.16.0.51 Static Yes No
management 1 10 172.16.0.50 Static No No
virtual N/A N/A 1.1.1.1 Static No No
vlan20 1 20 0.0.0.0 Dynamic No No
Kind regards,
Ellad Yatsko
02-23-2012 01:10 AM
Ellad,
When you say,
"But as soon as I change IP assigning method I hear nothing on DHCP's side. Notebook is unable to acquire address through DHCP,"
Where at that moment in time do you have your DHCP server configured? Is it upstream from the router, but still on vlan 20?
Justin
Sent from Cisco Technical Support iPhone App
02-23-2012 09:01 PM
DHCP Server is Ubuntu computer with ISC-DHCP-Relay configured. It is on VLAN20 where WLC6's Dynamic Interface vlan20 is placed too. When Ubuntu "hears" DHCP-Discover it resends it to its another directly connected network to Windows 2003 172.16.0.2. It all works fine with another AIR-AP1131AG-E-K9 which is up to date acts as Autonomous AP (it is on VLAN20 too). But there are no DHCP-Discovers from my Notebook associated with LAP/WLC. The latter does not pass them. Is there some setting which disables WLC to intercept DHCP-traffic? I switched on "debug dhcp message enable" and saw that it processes DHCP-packets from Notebook. It would be nice if a setting would be that disables WLC even to listen to DHCP! :-)
02-23-2012 09:25 PM
Ellad,
The WLC is a DHCP proxy by default, which means that client DHCP traffic is not transparently passed through the WLC onto the upstream network. Instead, it is repackaged as unicast traffic originating from the WLC interface tied to the client's WLAN. If you want upstream servers or relays to hear client DHCP traffic directly without WLC meddling, then do this on your WLC's command line to disable DHCP proxy:
(wlc6) > config dhcp proxy disable
This is currently (as of 7.0) a global setting and affects all WLANs.
Justin
Ps. I have been disabling DHCP proxy on my WLC deployments as a best practice for about a year now. As a result, one thing I have noticed is that DHCP responses to clients seem to come much faster from the DHCP services behind the WLC (e.g., W2Kx DHCP server, IOS DHCP, ISC-dhcpd, etc.), especially if those DHCP servers are themselves highly responsive. With DHCP proxy turned on (on the WLC), DHCP assignments seem to take sometimes 4x to 5x longer, even on lightning fast networks with lightning fast DHCP servers. I chalk this delay up to a slow, buggy and unevolved DHCP engine in the controllers, which, IMO, has caused more trouble than it's worth over the years--I never use internal DHCP on the controllers, and these days I'm no longer letting them handle the proxying.
02-26-2012 09:34 PM
Thanks a lot, Justin! :-)
I did what you suggested me, but it filters DHCP yet:
Mon Feb 27 09:29:41 2012: 00:16:cf:20:87:03 DHCP processing DHCP DISCOVER (1)
Mon Feb 27 09:29:41 2012: 00:16:cf:20:87:03 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
Mon Feb 27 09:29:41 2012: 00:16:cf:20:87:03 DHCP xid: 0x7f88d3a2 (2139673506), secs: 0, flags: 80
Mon Feb 27 09:29:41 2012: 00:16:cf:20:87:03 DHCP chaddr: 00:16:cf:20:87:03
Mon Feb 27 09:29:41 2012: 00:16:cf:20:87:03 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
Mon Feb 27 09:29:41 2012: 00:16:cf:20:87:03 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
Mon Feb 27 09:29:41 2012: 00:16:cf:20:87:03 DHCP error bridging packet to DS
But something has changed: it says: "error binding packet to DS". I suppose it is needed to be done besides config dhcp proxy disable, isn't it? :-)
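The debug output quoted above, read by a small parser (an added example, not part of the original post and not Cisco tooling): it groups `debug dhcp message enable` lines into one record per client packet and returns the packets the controller logged as not bridged to the DS. The second client in the sample is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: the debug lines quoted in the post above, plus one
# invented second client (made-up MAC and xid) with no error line.
SAMPLE = """\
Mon Feb 27 09:29:41 2012: 00:16:cf:20:87:03 DHCP processing DHCP DISCOVER (1)
Mon Feb 27 09:29:41 2012: 00:16:cf:20:87:03 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
Mon Feb 27 09:29:41 2012: 00:16:cf:20:87:03 DHCP xid: 0x7f88d3a2 (2139673506), secs: 0, flags: 80
Mon Feb 27 09:29:41 2012: 00:16:cf:20:87:03 DHCP chaddr: 00:16:cf:20:87:03
Mon Feb 27 09:29:41 2012: 00:16:cf:20:87:03 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
Mon Feb 27 09:29:41 2012: 00:16:cf:20:87:03 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
Mon Feb 27 09:29:41 2012: 00:16:cf:20:87:03 DHCP error bridging packet to DS
Mon Feb 27 09:30:02 2012: 02:00:00:aa:bb:cc DHCP processing DHCP DISCOVER (1)
Mon Feb 27 09:30:02 2012: 02:00:00:aa:bb:cc DHCP xid: 0x00000001 (1), secs: 0, flags: 80
"""

LINE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}): "
                  r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) DHCP (.+)$", re.I)
START = re.compile(r"^processing DHCP (\w+) \((\d+)\)$")
FIELD = re.compile(r"(\w+): ([^,]+)")

def parse_debug(text):
    """Group 'debug dhcp message' lines into one dict per DHCP packet."""
    packets, current = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a DHCP debug line
        stamp, mac, body = m.group(1), m.group(2).lower(), m.group(3)
        start = START.match(body)
        if start:  # first line of a new packet from this client
            current[mac] = {"time": stamp, "client": mac,
                            "type": start.group(1), "fields": {}, "errors": []}
            packets.append(current[mac])
        elif mac in current and body.startswith("error "):
            current[mac]["errors"].append(body[len("error "):])
        elif mac in current:
            current[mac]["fields"].update(
                (k, v.strip()) for k, v in FIELD.findall(body))
    return packets

def not_bridged(packets):
    """Packets the controller logged as not bridged to the DS."""
    return [p for p in packets
            if any("bridging packet to DS" in e for e in p["errors"])]

if __name__ == "__main__":
    for p in not_bridged(parse_debug(SAMPLE)):
        print(p["time"], p["client"], p["type"], p["fields"].get("xid"), p["errors"])
```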
02-26-2012 10:10 PM
Dear Justin!
I'm foolish! :-) I forgot to assign a physical port to interface. I explain: to remove IP address from interface to check out new diagram I disabled WLAN, I assigned temporarily Management interface to it, I deleted interface "vlan20" and then created it again but already without IP. :-)
By the way is there the shorter way? :-)
And thank you very, very much!
Kind regards,
Ellad
02-28-2012 08:09 PM
Ellad,
I'm glad to see your issue resolved. I'm not sure I understand your question about a shorter way. I'm not certain you needed to go through all those steps deleting and re-mapping interfaces in order to do your testing, if that's what you mean. I suppose you could have just remapped your WLAN to the management interface (and left your dynamic vlan20 interface alone--if you don't map it to a WLAN, it's not really used).
I checked out your notes page, and I have to say, you take a lot of notes. Keep up the good documentation work!
Justin
02-23-2012 01:47 AM
Hi Ellad
The vlan20 is native? This is vlan native for data?
Sent from Cisco Technical Support iPhone App
02-23-2012 09:15 PM
I'm afraid I didn't understand. What do you mean? :-) VLAN20 is terminated on Ubuntu server. VLAN20 is carried by WS-C2960 to C2800's GigabitEthernet0/1 (physical) port. Then there are two subinterfaces GigabitEthernet0/1.20 and Wlan-controller1/0.20 which I suppose process tagged traffic too. Where must it how you think be Native? "Wired" User Computers connected to WS-C2960s' access ports process untagged traffic which is still on VLAN20's subnet. Please, explain me what do exactly you mean? :-) You can also cast a glance to my site www.united-networks.ru -> Hardware -> CISCO: Configuring WLC6. I endeavour to document my activities carefully.