DHCP issues for Wired Guest LAN

Unanswered Question
Nov 30th, 2007

Hi Everyone,

I've a 1751 acting as a DHCP server for client PCs on a guest network A.B.8.x (using an Anchor controller) on the DMZ of my firewall. The 1751 reports the following

Nov 30 15:35:45: DHCPD: DHCPDISCOVER received from client 0100.1708.37a3.55 through relay A.B.7.y.

Nov 30 15:42:41: DHCPD: there is no address pool for A.B.7.y.

I'd tied my guest vlan and corresponding DHCP scope on the router to A.B.8.x, but as A.B.7.x is the DHCP relay for the Anchor controller I don't understand why the DHCP server on the router is not doing what I expected it to.

As ever any help will be appreciated.

Many Thanks


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
ivillegas Fri, 12/07/2007 - 13:40

Controllers are usually used for wireless network. I haven't heard controllers being used for wired clients. Actual logic behind is Router assigns an ip address in the subnet of DHCP Relay's ip subnet. But the message DHCPD: there is no address pool for A.B.7.y. indicates that address in the A.B.7.Y subnet is exhausted.

CRISTIAN LACATUS Thu, 12/20/2007 - 20:33


I could not get the wired guest VLAN working in my lab, I had similar issues with DHCP. I am using a Windows 2000 machine as DHCP server.

The wireless controller should work as a DHCP relay. Every guest wired VLAN has an inside interface (the guest VLAN on switches, A.B.8.x in your case), and an outside interface (probably A.B.7.x in your case).

An Ethereal trace taken on the Windows 2000 server shows the wireless controller sending DHCP requests with the “outside” interface address as source, instead of the “inside” IP address. The source address for requests is very important, it determines what DHCP pool is used on server (hence the attempts to get addresses from the non-existing pool A.B.7.x in your case).

I may be missing something in the config, or the DHCP relay function is really screwed up on the Cisco wireless controller.



scottwilliamson Fri, 12/21/2007 - 01:32

Hi Cristian,

After much pulling of hair and gnashing of teeth I have got it working - what was not clear to me, and it looks as though you've fallen into the same trap, is that the egress interface on the anchor controller (ie the management port) defines the addresses given to the clients. The dhcp scope on your server has to be from the same network as the address of the management interface (so my guest clients get a A.B.7.x address). In fact the ingress interface addresses have no bearing (as I'm sure I read somewhere afterwards!) on how the guest access operates and can (should?) be dummy addresses.

I tried creating another vlan (with A.B.8.x) on the anchor controller and assigning that to the egress of the guest WLAN on the anchor and I could get A.B.8.x addresses from my DHCP server as I had planned, but, and this is a big but, web authentication just will not instigate. So it would seem that guest access is reliant on using the management interface as the egress on the anchor of the guest WLAN.

I hope this is helpful,



CRISTIAN LACATUS Fri, 12/21/2007 - 05:19

Hello Scott,

You found a workaround for what seems to be a non-functional DHCP relay function in the wireless controller. I expect the controller to work the same way the “ip helper-address” command function works on Cisco routers - the original address of the inbound interface is maintained, just broadcast/multicast traffic is converted to unicast.

My controller is still in the lab, and not covered yet by a maintenance contract. If you can, open a case with Cisco TAC. I am curious what is official Cisco recommandation.

Thank you,


scottwilliamson Fri, 12/21/2007 - 08:13

Hi Cristian,

I don't think it is a workaround. I believe that is how it is meant to work.



armonk_netdesk Fri, 04/04/2008 - 19:11

I'm having the same problem. How can Cisco say this is how it is meant to work with a straight face. This is a joke. Why would anyone want their wired guest users being assigned IPs from the Management subnet. Has anyone found a way to use a different dynamic interface for the egress and also have web-auth work?




This Discussion



Trending Topics - Security & Network