Solved: WLC 9800 Wireless Clients not getting DHCP IP Address

donniebman · ‎11-05-2019

I'm hoping for some help here, I'm trying to fire up a new Cisco 9800 WLC for first use, and for some reason I cant get the DHCP discovery from the client to be forwarded to and external DHCP Server. I enabled the DHCP Service from the CLI, also enabled "ip dhcp relay information trusted" on all the ports including the channel-port, but with no luck. when I enable wire shark on my client I see the requests going out for discovery, with no responses coming back. I am using vtp 3 setup so I can pull all the vlans down from the master switch, but unlike 5508 WLC there's no settings to point to a specific DHCP server there. Under Tags and Policies, I configured my policy in the advanced tab to require IPv4 DHCP and put a DHCP Server IP Address in it. I do have Central DHCP enabled on the general tab, but not quite sure what that setting is (on by default). I've toggled through various settings and not sure what to do next.

donniebman · ‎11-12-2019

I am able to apply "ip dhcp server X.X.X.X in a global setting but not on the interfaces, nor can I place a helper-address on any of the interface except for vlan1. all the other vlan interfaces are on the router. I do have policies associated to the wlan's requiring DHCP and a ip address to the server is there but when I pull wireshark from the client, I see the relay address, but when I pull wireshark on the AP interface, and the controller interfaces the source address has been stripped out.

View solution in original post

pieterh · ‎11-08-2019

read this document

the command ip dhcp server 200.1.1.2 is available in interface configuration mode

you can configure it in an interface assigned to a WLAN

and you can override it per WLAN assigned to an interface in wlan configuration mode

netops500 · ‎11-11-2019

donniebman · ‎11-12-2019

I am able to apply "ip dhcp server X.X.X.X in a global setting but not on the interfaces, nor can I place a helper-address on any of the interface except for vlan1. all the other vlan interfaces are on the router. I do have policies associated to the wlan's requiring DHCP and a ip address to the server is there but when I pull wireshark from the client, I see the relay address, but when I pull wireshark on the AP interface, and the controller interfaces the source address has been stripped out.

netops500 · ‎11-12-2019

Do you have the dhcp relay on each vlan interface on the wireless controller? you need to have the SVI for each network you are using on your wireless, otherwise each vlan won't know to relay it. unfortunately you cant put a ip-helper address in the global config. if the vlan on your router is say 10.100.50.1 255.255.255.0 then just create the SVI to be 10.100.50.2 255.255.255.0. If you ever worked on the 5500 series controllers it had kind of the same concept. let me know

stuart.pannell · ‎04-18-2023

Creating an SVI for each vlan that are assigned to specific wlan's would create local routing for each wlan. If the client changed thier gateway to be that of the SVI then this can cause a security issue because the WLC would be acting as a router and the client would be able to route between vlans? Imagine having a corporate vlan and a guest vlan, they would be able to route between them? In my case I have the client gateways further upstream and just have a layer2 vlan assigned to the wlan, on the L3 SVI's on the neighboring router I have ip helper-address assigned yet still my clients are not getting an address from the DHCP server. older Aeros WLC's would proxy the requests out from each client interface to the configured DHCP server on that interface.

Rich R · ‎04-18-2023

Exactly - which is why Cisco do not recommend using SVI on 9800 (although required for specific features). Refer to best practices guide below. If you do use SVI then you need appropriate ACLs etc to mitigate the security risk that creates so generally better to use the upstream device instead.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390