Solved: WLC External DHCP

josephqiu · ‎01-23-2013

This might be an easy question, but Cisco documents don't seem to give a clear answer. That's why I need some help from the community.

When the WLC is configured with DHCP proxy using external DHCP server to assign IP's for wireless client, from which interface (source IP) will the WLC unicast the DHCP request to the external DHCP server? Cisco document has suggested to configure external DHCP server on all interfaces, including management, AP manager, virtual interface, and those interfaces associated with SSID's. But which interface IP will be used for forward the request? We suspect it's the interface IP associated with the SSID, but can't find a definitive answer from documents. Thanks!

George Stefanick · ‎01-23-2013

The IP unicast for DHCP comes from the DYNAMIC interface the client is on ..

So if you have a interface called production ip address 10.10.10.10 -- you will see a unicast frame from 10.10.10.10 to the DHCP server.

Hope this helps ..

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

View solution in original post

George Stefanick · ‎01-23-2013

BTW-- with proxy enabled IP helpers on the SVI are not needed. They ARE needed if you turn off proxy.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

View solution in original post

George Stefanick · ‎01-23-2013

The IP unicast for DHCP comes from the DYNAMIC interface the client is on ..

So if you have a interface called production ip address 10.10.10.10 -- you will see a unicast frame from 10.10.10.10 to the DHCP server.

Hope this helps ..

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

George Stefanick · ‎01-23-2013

BTW-- with proxy enabled IP helpers on the SVI are not needed. They ARE needed if you turn off proxy.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

josephqiu · ‎01-23-2013

Perfect. This confirms what I thought, and now we can apply our firewall rule accordingly. Much appreciate the help!

George Stefanick · ‎01-23-2013

No worries. Thanks for supporting the rating system

BTW -- This wasnt always the case. I recall in VERY early code maybe 4.1 the DHCP request was sourced from the WLC management interface.

Also if you use the FW for DHCP you NEED to disable proxy.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

josephqiu · ‎01-23-2013

The FW is between the WLC and internal DHCP server. We will need to allow the WLC to talk to the DHCP server. Do we need to disable DHCP proxy on the WLC in this case?

Yes, I also remember in earlier version (around 2006-2007), management IP was used for DHCP relay.

George Stefanick · ‎01-23-2013

No , not at all .. you will be good .. Add your 10.10.10.10 / DHCP allow and you will be good ..

If your FW WAS the DHCP server then you would have to ..

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

josephqiu · ‎01-23-2013

Ok, got it. Thanks again!! Have a great day!