Use SSIDs with VRFs in C9800

Mohamed Adam
Level 1

Hello All,

I have a C9800 anchor in a DMZ connected through EoIP with multiple front WLCs.

From a WLAN perspective, multiple "Guest" SSIDs are deployed, each tied to an interface on the anchor.

As we have an external DHCP server, I have been trying to use the proxy/relay function with VRFs, since all forwarding decisions are based on the information in the routing table (previously the GRT).

The only information I found on this is that VRFs are not supported when using internal DHCP, which should mean that they are supported when going external.

Any ideas on how to make this work? Is that even possible?

Thanks in advance


Hi

External should work as it represents an external call using some IP address. What you need to identify in your environment is which IP address the WLC is using to send DHCP requests, in case the WLC is working as DHCP proxy. Having identified this, let's say the WLC interface is inside a VRF, you may need to perform VRF leak in order to communicate with your DHCP server. You can try to ping the DHCP server from that VRF using "ping vrf XXX <DHCP server IP>". If the ping happens, then the DHCP request should be completed.

Basically, you need to exercise from where the DHCP requests start and then make sure the VRF has a route to that destination.

Mohamed Adam
Level 1

Hello Flavio,

Thank you for your reply.

The SVI tied to the SSID is assigned to a VRF where I have added a static route for the DHCP server. A ping test shows that the anchor is able to reach the DHCP server from that VRF.

As for the relayed DHCP discovery, I have configured it so that the message is sourced from the SVI interface. And since it's the only interface in the VRF, I am not sure that part of the configuration even makes a difference.

The thing is, using the GRT the client can get an IP, but as soon as I assign the SVI to a VRF and re-do the test, nothing!
So I am not sure if the Discovery even leaves the controller, although the captures show that it does.

"The thing is, using the GRT the client can get an IP, but as soon as I assign the SVI to a VRF and re-do the test, nothing!"

It sounds to me that you are isolating it from the DHCP server when adding it to the VRF. Maybe the source is not what you are thinking?

Is the WLC configured as DHCP proxy? The WLC may be using the virtual interface to ask DHCP instead.

Arshad Safrulla
VIP Alumni

Hi Mohamed,

The 9800 is not a router or an L3 switch, therefore most of the VRF features are not supported. The only occasion where VRF can be used is the Service Port, this being the out-of-band management interface, and IOS-XE behavior meant that a management VRF was assigned to segregate it.

At the data plane no VRF support exists for any 9800 platform at the moment. Configuration commands for VRF are available in the CLI as its core is based on the IOS-XE platform, but that doesn't mean it supports VRF. TAC support when it comes to VRF is limited to the management interface (service port) only.

If you want inter-guest SSID communication to be blocked, you need to do this at upper layers in the DMZ such as the firewall.

Mohamed Adam
Level 1

Hello Arshad,

Thanks for your answer.

At the end of the day, it's there but not there -_-

As for my use case, I'm not using VRFs for isolation between SSIDs (the separation is achieved via the firewall) but just to make external DHCP work for a multi-SSID environment.

Arshad Safrulla
VIP Alumni

I do not see any requirement for VRF here.

Recommended design - You do not require any SVIs on the 9800, so you can configure the IP DHCP relay under the firewall interfaces for each Guest SSID. Then create the required firewall rules to allow communication from each interface to your internal DHCP.

Alternative solution - configure L3 SVIs for each SSID in the WLC and configure the IP DHCP relay under the interface. Make sure that you configure the relay source interface, otherwise firewalls will not like the packets and start dropping them. You can refer to the below to understand the behavior of DHCP.

https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html#:~:text=Series%20wireless%20controller.-,DHCP%20bridging%20and%20DHCP%20relay,-DHCP%20bridging%20is

Mohamed Adam
Level 1

Hello Arshadaf,

I ended up configuring the relay on the policy while setting the source interface to be the one used for routing out the packets.

This allowed me to set the source so that it passes the RPF check, and the option 82 so that the DHCP server handles the discovery packet properly.

Thanks
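An added example, not taken from any post in this thread: a small Python model of the relayed DHCPDISCOVER the anchor SVI sources (giaddr set to the relay interface, option 82 circuit-id/remote-id appended) and of the unicast-RPF style check a DMZ firewall applies on the interface facing the anchor. It shows why a relay sourced from the guest SVI is accepted while the same packet sourced from an interface outside the guest subnet is dropped, which is the behaviour the two posts above describe. The SVI address and mask are the ones from the config posted later in the thread; the circuit-id, remote-id, transaction id, client MAC and the "wrong" source 192.0.2.10 are constructed.

```python
import ipaddress
import struct

SVI_IP = "172.16.15.4"        # Vlan200 SVI on the anchor (from the thread)
SVI_NET = "172.16.0.0/20"     # 255.255.240.0 (from the thread)
WRONG_SOURCE = "192.0.2.10"   # constructed: an interface outside the guest subnet

def build_relayed_discover(giaddr: str, circuit_id: bytes, remote_id: bytes) -> bytes:
    """BOOTP/DHCP DISCOVER as a relay agent forwards it: hops=1, giaddr set to the
    relay interface, option 82 (sub-option 1 circuit-id, 2 remote-id) appended."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      1, 1, 6, 1,                    # op=BOOTREQUEST, htype=1, hlen=6, hops=1
                      0x3903F326, 0, 0x8000,         # constructed xid, secs, broadcast flag
                      b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr all zero
                      ipaddress.ip_address(giaddr).packed,
                      bytes.fromhex("001122334455") + b"\0" * 10,  # constructed chaddr
                      b"\0" * 64, b"\0" * 128)       # sname, file
    magic = b"\x63\x82\x53\x63"
    msg_type = bytes([53, 1, 1])                     # option 53 = DHCPDISCOVER
    sub = bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id
    return hdr + magic + msg_type + bytes([82, len(sub)]) + sub + b"\xff"

def parse_relay_fields(pkt: bytes):
    """Return (giaddr, {sub-option: value}) from option 82: the fields the DHCP
    server uses to select the scope and identify the relay."""
    giaddr = str(ipaddress.ip_address(pkt[24:28]))
    opts, i, o82 = pkt[240:], 0, {}
    while i < len(opts) and opts[i] != 255:
        code, ln = opts[i], opts[i + 1]
        val = opts[i + 2:i + 2 + ln]
        if code == 82:
            j = 0
            while j < len(val):
                sln = val[j + 1]
                o82[val[j]] = val[j + 2:j + 2 + sln]
                j += 2 + sln
        i += 2 + ln
    return giaddr, o82

def firewall_verdict(src_ip: str, ingress_net: str) -> str:
    """Unicast-RPF style check on the DMZ interface facing the anchor: the IP
    source of the relayed DISCOVER must belong to the subnet reachable via that
    interface, otherwise the firewall drops it (the symptom described above)."""
    if ipaddress.ip_address(src_ip) in ipaddress.ip_network(ingress_net):
        return "allow"
    return "drop: source fails RPF check on ingress interface"
```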

divanko
Level 1

VRFs are supported in at least release 17.9.3; I have been beating my head against the wall on this one and spotted this post.

What I found is that by creating a VRF for the guest network, assigning the VRF to the SVI and then entering the appropriate IP address and ip helper-address information, IT WORKS !!!

VIA CLI:

vrf definition guest-wireless
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
interface Vlan200
 description guest
 vrf forwarding guest-wireless
 ip address 172.16.15.4 255.255.240.0
 ip helper-address 10.10.10.4

Just use the above as an example.

 

Cheers!

One more thing you might need: a VRF static route pointing the traffic to the gateway:

ip route vrf guest-wireless 0.0.0.0 0.0.0.0 172.16.15.1

Cheers!
