
Wrong IP addresses from DHCP server via WLC

CarloCrz
Level 1

Hi Everyone,

 

I have a Cisco WLC 2504 that manages 2 WLANs. The first one is the corporate one and is connected to the management interface (it shares the same subnet) with no VLAN (0), while the second one is the guest WiFi and is connected to a dedicated interface with a dedicated VLAN, tagged (113).

On the L3 switch side, they share the same physical interface which is configured with VLAN 1 (management) and VLAN 113 both tagged in trunk mode (no native VLAN set).

Here is the issue: both WLANs rely on the same DHCP server (Windows Server 2012), and the devices connected to the guest WiFi sometimes also take an IP from the lease range of the corporate network. Now, those devices still use the correct IP (guest), but I can see them assigned on the other subnet and I also see the communication in the packet captures.

 

First I tried to enable the DHCP proxy option on both interfaces, because I saw traffic going from 0.0.0.0 to 255.255.255.255 and I knew that the device was connected to the guest WiFi, but still receiving an IP from the corporate network (and from the guest network too). I thought that maybe the requests were going directly to the DHCP server, and the DHCP server didn't know the source subnet, so it wasn't able to choose the correct subnet. It didn't resolve the issue.

 

Then I tried to tag the management interface on the WLC side, since it is tagged on the L3 switch (I thought that it could mess up the routing), but the WLC became unavailable via GUI (I was also connected on CLI) so I had to switch back.

 

Any idea? I suppose there is a misconfiguration, but I don't see where.

 

Thank you
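An added illustration, not part of the thread, of the pool-selection rule behind the symptom described above: a DHCP server chooses the scope from the giaddr field that the relay (ip helper-address on the switch SVI) stamps into the request, and with giaddr still 0.0.0.0 it falls back to its own directly connected subnet, which here is the corporate one. The 10.75.0.x management subnet is from the post; the guest subnet, the server address and the client MAC are constructed placeholders.

```python
import ipaddress
import struct

# Constructed pools mirroring the thread: the corporate/management subnet (VLAN 1) is the
# OP's 10.75.0.x; the guest subnet (VLAN 113) is not given on the page, so it is a placeholder.
POOLS = {
    "corporate": ipaddress.ip_network("10.75.0.0/24"),
    "guest": ipaddress.ip_network("192.0.2.0/24"),  # placeholder for the VLAN 113 subnet
}
SERVER_IP = ipaddress.ip_address("10.75.0.10")  # assumed address of the Windows DHCP server

def build_discover(chaddr: bytes, giaddr: str = "0.0.0.0") -> bytes:
    """Minimal 44-byte BOOTP header of a DHCPDISCOVER (op=1, htype=1, hlen=6); options omitted."""
    return struct.pack(
        "!BBBBIHH4s4s4s4s16s",
        1, 1, 6, 0, 0x3903F326, 0, 0x8000,      # op, htype, hlen, hops, xid, secs, flags(broadcast)
        bytes(4), bytes(4), bytes(4),          # ciaddr, yiaddr, siaddr
        ipaddress.ip_address(giaddr).packed,   # giaddr: zero until a relay stamps it
        chaddr.ljust(16, b"\0"),
    )

def relay(pkt: bytes, svi_ip: str, dst_port: int = 67):
    """Model of 'ip helper-address' on the switch SVI: only datagrams to UDP 67 (bootps)
    are relayed, and giaddr is set to the SVI address if it is still zero."""
    if dst_port != 67:
        return None  # not a bootps datagram: the relay does not touch it
    if pkt[24:28] == bytes(4):
        pkt = pkt[:24] + ipaddress.ip_address(svi_ip).packed + pkt[28:]
    return pkt

def select_pool(pkt: bytes) -> str:
    """RFC 2131 section 4.3.1: the server picks the pool from giaddr; with giaddr 0 it
    assumes the request came from its own subnet. That is why an unrelayed request from
    a guest client ends up with a corporate lease."""
    giaddr = ipaddress.ip_address(pkt[24:28])
    anchor = SERVER_IP if int(giaddr) == 0 else giaddr
    for name, net in POOLS.items():
        if anchor in net:
            return name
    raise LookupError(f"no pool covers giaddr {anchor}")

def audit(pkt: bytes, client_vlan: int) -> str:
    """Flag the thread's symptom: a VLAN 113 client that would be served from the corporate pool."""
    expected = "guest" if client_vlan == 113 else "corporate"
    actual = select_pool(pkt)
    return "ok" if actual == expected else f"MISMATCH: VLAN {client_vlan} client gets {actual} lease"

if __name__ == "__main__":
    mac = bytes.fromhex("0011223344aa")  # constructed client MAC
    print(audit(build_discover(mac), 113))                       # unrelayed -> MISMATCH
    print(audit(relay(build_discover(mac), "192.0.2.1"), 113))   # relayed via guest SVI -> ok
```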

23 Replies

Hi,

 

OK, so let's make the correction step by step:

 

Step 1: Assign a VLAN to the mgmt interface of the WLC by using the command:
config interface quarantine vlan management 1


Step 2: Keep the switchport setting as:

 

interface GigabitEthernet1/0/39
description Cisco WLC wireless
switchport trunk allowed vlan 1, 113
switchport trunk encapsulation dot1q
switchport mode trunk

!
Step 3:

Configure the primary DHCP server IP under the dynamic interface ap guest (VLAN 113):

config interface dhcp ap guest "ip_address_of_primary_dhcp_server"

and then try again...

 

 

Since I can't access via CLI at the moment, would it be the same if I configure it via GUI as follows?

 

On the management interface I flag the Quarantine option and I set 1 as Quarantine Vlan Id

mgmt_vlan.png

On the ap guest interface I set the DHCP server on the VLAN 1 IP address as primary

dhcp_113.png

 

What I don't understand is the meaning of the quarantine VLAN. Previously I tried to set VLAN 1 directly on the interface via CLI but I lost the connectivity. Furthermore, since I don't have backup access now, I need to be sure not to lose the GUI access.

It's not the quarantine VLAN. You need to set the VLAN identifier as 1 on the management interface.

 

Regards

Don't forget to rate helpful posts

When I tried to set a VLAN ID (1) on the management interface I used the config interface vlan management 1 command and as a result I lost the network connectivity.

As I understand, the config interface quarantine vlan management 1 command is used to configure the quarantine VLAN ID on the management interface, is it not correct? 

 

I have an update: I have applied the primary DHCP server on the interface and also enabled the DHCP Proxy Mode. Then I performed a packet capture and I saw that the packets that are not forwarded with the right source address (which is the one of the interface VLAN on the switch, since there is an ip helper-address configured) are using the port UDP. The packets that use UDP port 67 are instead correctly forwarded by the switch.

 

I know that both 67 and 68 are correct for DHCP and used for server and client; the fact is that I have a device that tried with port 68, reached the DHCP server with 0.0.0.0 as a source and received the wrong IP. Then it tried again with port 67, was correctly forwarded and received the correct IP.

 

At this point my focus moved to the switch, where I manually specified that both UDP 67 and 68 must be forwarded to the helper-address (it should be the standard configuration):

ip forward-protocol udp bootpc
ip forward-protocol udp bootps

 

Still no luck: the packets using the UDP port 68 are not forwarded with the interface VLAN IP as source.

 

 

What is the WLAN ID value you configured? How are you configuring the WLC interfaces for each WLAN/VLAN? How is DHCP Proxy configured on your WLC? Please post screenshots. The switch port connected to the LAN switch is configured straightforwardly, no complexity.

I have posted all of the potentially interesting screenshots; the only configuration not clear to me regards the ports for the WLC-switch link (which is normally the easier part).

Why, if I try to set the native VLAN tagged on the WLC (via CLI), do I lose connection? And on the switch I'm not able to set the native VLAN, even by deleting part of the config and rewriting it with the native VLAN and the other VLANs as tagged.

 

I'm really looking for suggestions.

 

Thank you all

The DHCP server is a Windows server on the same subnet as the WLC management IP (10.75.0.x), so no firewall in the middle, both devices are on-premises.

CarloCrz
Level 1

WLAN IDs:

wlan.png

3 - Corporate

4 - Guest

 

Interface for Corporate:

guestint.png

Interface for Guest:

intguest.png

General DHCP Proxy:

prxy.png

Carlo
