DHCP server override on 4402 WLC

Answered Question
Apr 18th, 2012

I have successfully implemented wireless guest access using a 4402 WLC as the Anchor and a 5508 as Foreign. The Anchor controller also provides DHCP services to guest clients. The 5508 is LAGged and there is no issue with the guest traffic being separated from corporate. At a remote site, there is a 4402 WLC using LAG and also acting as a Foreign controller. But when a client connects to the guest WLAN, it obtains a corporate DHCP address instead of the DHCP address assigned from the Anchor controller. The guest WLAN setting is the same as with the 5508 controller, i.e. DHCP server override is ticked and the management IP address of the Anchor controller is specified. Also DHCP Addr required is ticked. Could anyone explain why the 4400 controller is not forwarding DHCP requests to the Anchor controller and is instead sending them to the corporate DHCP server?

Scott Fella Wed, 04/18/2012 - 16:05

Well, it could be a few things. First, is your mobility anchor defined on the SSID on the remote WLC? The APs are in local mode, not in H-REAP or FlexConnect. Even though you have the DHCP override, if the traffic isn't getting tunneled, you won't get a DHCP address from the anchor.

Sent from Cisco Technical Support iPhone App

Stephen Rodriguez Wed, 04/18/2012 - 16:56

For anchoring to work, the WLAN config must match.

If you are anchoring the WLAN to a DMZ WLC, you don't need to set the override parameter, as the DHCP will come from the DMZ WLC by default.

Now if you have that setting on the inside, you must have the same settings on the DMZ as well.

Steve

Sent from Cisco Technical Support iPhone App

grabonlee Wed, 04/18/2012 - 23:04

Thanks for your responses. However, I mentioned that APs connected to the 5508 WLC are working as expected. That means the guest WLAN config on the 5508 is the same as on the 4400 and the DMZ WLC. The guest WLAN is centrally switched.

Stephen Rodriguez Wed, 04/18/2012 - 23:50

Are you able to eping and mping between them? If you run debug client and debug mobility handoff, you should see messages on the anchor if it's not able to create the tunnel for the user.

Steve

Sent from Cisco Technical Support iPhone App

grabonlee Thu, 04/19/2012 - 06:58

The mobility data and control path (eping/mping) is up. I will run a debug later.

grabonlee Fri, 04/20/2012 - 05:59

Looked at the mobility stats on the controller and discovered that there is no Client handoff as Foreign. Compared the config between 5500 and 4400 Foreign WLCs and found no error. My config is as follows:

1. LAG is enabled

2. Guest wlan mapped to management interface

3. Anchor WLC is 4400

4. Both Foreign and Anchor controllers have DHCP server override with the management IP address of the Anchor specified

5. Both Foreign and Anchor controllers management interfaces have no DHCP server IP specified

6. There is no guest vlan interface or subnet.

7. DHCP proxy is only enabled on Anchor controller

8. 5500 WLCs have been supporting guest access properly since 2011

This is really frustrating. I wish Cisco could maintain some consistency.

Scott Fella Fri, 04/20/2012 - 06:05

On your foreign wlc, you have the SSID anchored to the 4400 and of course the 4400 guest WLAN is anchored to itself.

Thanks,

Scott Fella

Sent from my iPhone

Scott Fella Fri, 04/20/2012 - 06:06

I have the same setup using a 4400 (repurposed) as an anchor for a couple of my clients and no issues with 5508s as the foreign.

Thanks,

Scott Fella

Sent from my iPhone

grabonlee Fri, 04/20/2012 - 09:47

Scott,

Please read my comments. I never said I had issues with the 5508 as Foreign WLC. My problem is with the Foreign 4402 WLCs. Anyway, I have planned to remove LAG from the Anchor 4400 and create a separate interface for the guest WLAN.

Scott Fella Fri, 04/20/2012 - 10:15

Never said it was an issue with the 5508. But if you don't see anything anchored to your anchor WLC, then your 5508 is not anchoring the traffic for that WLAN. There is nothing different per se config-wise between a 4400 and a 5508 running the same code except for the AP manager interface on the 4400. Why not post your show run-config from the 4400 and 5508 that have the issue?

Sent from Cisco Technical Support iPhone App

grabonlee Fri, 04/20/2012 - 12:00

My 5508 has no issues handing off to the 4400 Anchor. The problem is a Foreign 4400 handing off to the 4400 Anchor, despite the config being the same as the 5508.

Scott Fella Fri, 04/20/2012 - 14:06

Well, that should be simpler since it's the same hardware; you eliminate hardware compatibility issues. You need to post your config for us to be able to see if it's set up correctly.

Thanks,

Scott Fella

Sent from my iPhone

George Stefanick Sat, 04/21/2012 - 10:11

You should never map the GUEST interface to management even if it doesn't do DHCP; it's just bad practice. If the tunnel breaks, your guests will get dropped on the side of your network. You should create a dummy interface.

What code revs are all these devices on ?

grabonlee Sat, 04/21/2012 - 12:19

My Anchor controller is on a DMZ. The corporate 4400s are not using etherchannel, hence there is a Guest interface that is not mapped to management. I only used LAG when the anchoring was not working between the Anchor 4400 and the Foreign 4400. The Anchor uses etherchannel, hence no separate guest interface. I have decided to create a separate guest interface on the Anchor controller to see if that solves the issue. This I will do on Monday. The 4400s are on 7.0.230.

George Stefanick Sat, 04/21/2012 - 12:45

It sounds very confusing. You mentioned above:

2. Guest wlan mapped to management interface

Not sure what etherchannel has to do with your guest interface.

It's pretty simple...

Foreign controller -- DUMMY GUEST WIRED INTERFACE regardless of LAG or not. Your foreign controller will act as the relay point to your anchor, if configured right.

Anchor -- you need a guest interface to dump the guest traffic. It's good practice.

grabonlee Sat, 04/21/2012 - 14:04

George,

In my opinion, whether the guest WLAN on the Anchor controller is mapped to the management interface or not doesn't matter, as it is behind the FW and there is no external DHCP server. When I first configured the 5508 to relay guest traffic, it worked. But because of increasing demand for guest access in some sites with 4400s, I had to integrate the 4400. The config on the 4400 Foreign controllers was made similar to the 5508:

1. Created guest wlan and dhcp server override with IP address of the anchor

2. Created mobility group

From the debug, the Foreign 4400 actually contacted the Anchor, but there was no handoff. That is why I earlier said that the only change I intend to make is to create a guest interface on the Anchor and see if it solves the problem. But it is strange that the 5508 could hand off to the 4400 Anchor but the 4400 Foreign can't.

George Stefanick Sat, 04/21/2012 - 14:20

I agree, I was thinking internal, my bad. But if you map it to the management interface, your guest clients are sitting on and can access the management. But regardless, they can anyway because it's a connected route in the WLC... but anyway.

What are the code revs on all these controllers?

George Stefanick Sun, 04/22/2012 - 06:56

Normally when anchoring, Cisco recommends staying on the same 7.x code. But I understand, the 4400 can't support 7.2.

I know I've had anchoring issues when my anchors were on 5.x and my foreign controllers were on 6.x

grabonlee Sun, 04/22/2012 - 09:58

4400s can't do 7.2. The highest code for 4400 is 7.0.230. 7.2.130 is meant for 5500s

George Stefanick Sun, 04/22/2012 - 10:17

I understand.

But perhaps, since you are anchoring between two different major releases, that could be your issue. I have deployed more guest networks than I can count, and it sounds like your config is OK.

I know on a few TAC calls the engineer referenced ensuring both anchor and foreign were at least on the same main rev and not to mix.

7.0.98.0 <--> 7.0.116.0 OK

6.0.115.0 <--> 7.0.116.0 not ok

Scott Fella Mon, 04/23/2012 - 07:48

Well, he mentioned he didn't have any issue with the 5500s anchoring to the 4400 in the DMZ. His issue is a Foreign 4400 anchored to the 4400 DMZ WLC. So it looks like you can have an anchor from 7.2 to 7.0 with no issues.

Thanks,

Scott Fella

Sent from my iPhone

Stephen Rodriguez Mon, 04/23/2012 - 07:54

Have you been able to gather the debugs I talked about earlier? If so, can you post them?

Steve

Sent from Cisco Technical Support iPhone App

grabonlee Mon, 04/23/2012 - 10:21

Unfortunately, I've been busy with some project planning stuff and I'll embark on a short trip tomorrow. I'll post the debugs on Thursday.

grabonlee Wed, 04/25/2012 - 06:33

Please see attached debugs:

1. DEBUG-MGT-Interface -- is a debug when guest wlan is mapped to management interface.

2. DEBUG-Guest-Interface --- is a debug when guest wlan is mapped to a separate guest interface.

The results are the same in both instances.

10.20.x.x is the Anchor controller

17x.5x.1.x is the management interface of the 4400 Foreign controller

17x.x9.2.x is the guest interface created on the 4400 Foreign controller

Stephen Rodriguez Wed, 04/25/2012 - 10:31

These both were run on the Anchor?

What I would like to see is debug mobility handoff enable run on both the internal and the DMZ WLC. If you want to run debug client < client mac address > enable on the anchor, that is fine as well.

when running these debugs, have the setup as you would normally.

Steve

grabonlee Wed, 04/25/2012 - 11:54

Stephen,

They were both run on the Foreign. Forgot to upload that from the Anchor. Occurred to me that I didn't upload that from the Anchor. Will do so in the morning.

grabonlee Thu, 04/26/2012 - 03:19

See attached the debug for the Anchor controller and debug client mac on the foreign controller. On the Anchor, I noticed a message: Vlan List payload not found, ignoring. This to my knowledge means a bug issue in the Data path. However, note that my Control and Data paths are up and there is nothing preventing communication between both controllers across the FW.

Correct Answer
Stephen Rodriguez Thu, 04/26/2012 - 06:12

It doesn't seem that the client is getting anchored. There is a mobile announce, which will happen when a client joins, and the WLC checks its peers to see if there is already an entry.

What I do see on the Foreign is: DHCP successfully bridged packet to DS.

I don't see any of the other messages that would indicate the WLC is trying to anchor the client at all.

Can you post the output of:

show wlan < wlan ID > - from both the Anchor and the Foreign that are not working?

show mobility summary - from both the Anchor and the Foreign that are not working?

Steve

grabonlee Thu, 04/26/2012 - 07:42

Guys,

I have solved my problem and will share the solution with you.

1. From the CLI of the Foreign 4400, I typed show mobility anchor wlan 4 and it came up blank. I was expecting to see the IP address of the Anchor controller. I typed the same command on the 5508 and it showed me the Anchor IP. That is when it occurred to me that Auto Anchor may be disabled. On the 5500, Auto anchor is enabled by default.

2. Disabled the WLAN and from the CLI typed config wlan mobility anchor add 4 10.20.x.x (IP address of the Anchor)

3. Did a show mobility anchor wlan 4 and behold the IP of the Anchor showed.

Please note: don't always believe everything on the GUI. Always use the CLI to confirm. I had earlier done a show mobility summary and it showed the Anchor details, which matched the GUI information. If I had not done a show mobility anchor wlan < ID >, I would never have seen where the problem was. I have pasted the steps below. Thanks for your responses, especially Stephen Rodriguez.

(Cisco Controller) >show mobility anchor


Mobility Anchor Export List

WLAN ID     IP Address            Status
-------     ---------------       ------

GLAN ID     IP Address            Status
-------     ---------------       ------


(Cisco Controller) >show mobility summary

Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... X_MOBILITY
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x3a28
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 7
Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group
MAC Address        IP Address       Group Name                        Multicast IP     Status
00:24:97:3c:99:60  10.20.x.x        X_GUEST                           0.0.0.0          Up

(Cisco Controller) > config wlan mobility anchor add 4 10.20.x.x


(Cisco Controller) >show mobility anchor wlan 4


Mobility Anchor Export List

WLAN ID     IP Address            Status
-------     ---------------       ------
4           10.20.x.x             Up
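
As an added example (not from this thread and not Cisco code), the check below reads the two CLI outputs pasted above and reports whether the guest WLAN is actually exported to its anchor, which is the condition that turned out to be missing on the Foreign 4400 even though the mobility peer showed Up. The sample text is the thread's own output with the poster's x.x address masking kept; the row-matching patterns are an assumption about that pasted layout, not a documented Cisco output format.

```python
"""Audit 'show mobility anchor' and 'show mobility summary' output on a
Foreign WLC for a WLAN that should be tunnelled to a guest anchor.

Added example for this thread, not Cisco code. The row patterns below are a
best-effort match of the pasted text and are an assumption.
"""
import re

# Constructed from the thread: 'show mobility anchor' before the fix (empty list).
ANCHOR_BEFORE = """\
Mobility Anchor Export List

WLAN ID     IP Address            Status
-------     ---------------       ------

GLAN ID     IP Address            Status
-------     ---------------       ------
"""

# Constructed from the thread: 'show mobility anchor wlan 4' after the fix.
ANCHOR_AFTER = """\
Mobility Anchor Export List

WLAN ID     IP Address            Status
-------     ---------------       ------
4           10.20.x.x             Up
"""

# Constructed from the thread: the relevant part of 'show mobility summary'.
SUMMARY = """\
Mobility Group Members Configured................ 7

Controllers configured in the Mobility Group
MAC Address        IP Address       Group Name                        Multicast IP     Status
00:24:97:3c:99:60  10.20.x.x        X_GUEST                           0.0.0.0          Up
"""

# One export-list row: numeric WLAN id, an address (x.x masking allowed), a status word.
ANCHOR_ROW = re.compile(r"^(\d+)\s+([\w.]+)\s+(\w+)\s*$")
# One mobility-group peer row: MAC, address, group name, multicast address, status.
PEER_ROW = re.compile(
    r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+([\w.]+)\s+(\S+)\s+([\w.]+)\s+(\w+)\s*$", re.I)


def parse_anchor_exports(text):
    """Return {wlan_id: (anchor_ip, status)} from 'show mobility anchor' output."""
    exports = {}
    for line in text.splitlines():
        m = ANCHOR_ROW.match(line.strip())
        if m:
            exports[int(m.group(1))] = (m.group(2), m.group(3))
    return exports


def parse_mobility_peers(text):
    """Return {peer_ip: status} from the peer table of 'show mobility summary'."""
    peers = {}
    for line in text.splitlines():
        m = PEER_ROW.match(line.strip())
        if m:
            peers[m.group(2)] = m.group(5)
    return peers


def audit_guest_anchor(anchor_text, summary_text, wlan_id, anchor_ip):
    """List the reasons a guest WLAN would not be tunnelled to its anchor.

    A mobility peer that is Up is necessary but not sufficient: the WLAN must
    also appear in the anchor export list with that peer's address. With no
    export entry the Foreign WLC bridges the client locally, which is how the
    guest ends up with a corporate DHCP lease.
    """
    findings = []
    peers = parse_mobility_peers(summary_text)
    exports = parse_anchor_exports(anchor_text)

    if peers.get(anchor_ip) != "Up":
        findings.append(f"mobility peer {anchor_ip} is not Up (control/data path problem)")
    if wlan_id not in exports:
        findings.append(f"WLAN {wlan_id} has no mobility anchor configured; "
                        f"clients are bridged locally and get the local DHCP scope")
    else:
        ip, status = exports[wlan_id]
        if ip != anchor_ip:
            findings.append(f"WLAN {wlan_id} is anchored to {ip}, expected {anchor_ip}")
        if status != "Up":
            findings.append(f"anchor {ip} for WLAN {wlan_id} is {status}, not Up")
    return findings


if __name__ == "__main__":
    for label, text in (("before", ANCHOR_BEFORE), ("after", ANCHOR_AFTER)):
        problems = audit_guest_anchor(text, SUMMARY, 4, "10.20.x.x")
        print(label, "->", problems or ["WLAN 4 is exported to its anchor and the tunnel is Up"])
```

Run against the "before" output it flags the missing export for WLAN 4 while the peer itself is healthy, matching what the thread observed; against the "after" output it reports nothing. Pasting fresh output from both the Foreign and the Anchor into the two constants is enough to reuse it.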

grabonlee Thu, 04/26/2012 - 08:18

Just performed a show wlan < ID > and it shows whether Auto Anchor is enabled. So the command suggested by Stephen Rodriguez and the show mobility anchor command which I used both help.

Stephen Rodriguez Thu, 04/26/2012 - 08:31

IIRC Auto Anchor is something different. That would be the internal dynamically building the tunnel for a client that roams between them.

Steve

grabonlee Thu, 04/26/2012 - 09:30

Not sure what your point is. But as soon as I enabled auto anchor on the WLAN, it worked for me. If you are referring to IRCM, that has to do with compatibility across different versions of a controller.

Stephen Rodriguez Thu, 04/26/2012 - 09:37

When you configure the anchor, that's not auto anchoring. That's a hard anchor, which is why it works across mobility groups. Again, that's if I recall correctly on the terminology.

Steve

Sent from Cisco Technical Support iPhone App

grabonlee Thu, 04/26/2012 - 12:40

You are both right and wrong. Auto anchoring is a hard anchor in the sense that it forces a client or WLAN to a particular controller in the mobility domain or group. This is particularly suited to guest networking. When a client first associates with a controller on an anchored WLAN, a local is created and the Mobile Announce message is sent to the mobility group. When the message is not answered, the Foreign controller contacts the Anchor controller and creates a foreign session for the client in its database. You may refer to this process as symmetric tunneling using a fixed anchor. If you disable Auto anchor on a WLAN, traffic will never be tunneled from the Foreign to the Anchor. You can test for yourself and see. Disable Auto anchor on a WLAN, verify by using the two commands I mentioned above - show wlan < ID > and show mobility anchor. Do a show mobility summary and you will still see the Control and Data path showing as up, but no anchoring will ever take place.

Posted April 18, 2012 at 2:37 PM