Cisco Support Community
Community Member

Cisco Aironet DHCP

Just when you think you have concepts well in hand, a unique situation really tests just how much you know.  So here goes:

1.  Aironet APs with an internal SSID (native VLAN [1]) and a guest SSID (VLAN 130).

2.  AP is trunked to the switch permitting VLANs 1 and 130.

3.  VLAN trunked throughout the infrastructure.

4.  The default gateway for the AP is on VLAN 1 and is a router-on-a-stick with g0/0.1 and g0/0.130 interfaces.

Here's where it gets crazy.  I want internal users to get their DHCP addressing on VLAN 1 from a DHCP server that is 'on-subnet'.  No problem.  I want guest users to get their DHCP addressing from my firewall because I'm putting the guest users into a DMZ.  Again, since the DHCP server is 'on-subnet', I have not specified a helper-address.  Yet the firewall does not hand out addressing and the vendor tech support has done packet captures and we don't see the traffic even getting to the firewall.

So here's the point where I thought I knew how AP bridging works inside and out.  With the AP connected to a trunk with proper bridge groups and subinterfaces for Dot11Radio0.1, Dot11Radio0.130, Fa0.1 and Fa0.130, I figured the DHCP broadcast would properly be contained within the layer 2 broadcast domain for each VLAN.  Since there's a DHCP server 'on-subnet' for each VLAN, I should be ok?  But in practice users on either SSID get an IP address on VLAN 1.  So then I ask you:  is the DHCP request being routed over VLAN 1 because that's the configuration in BVI1, ip default-gateway, bridge 1 route ip, etc. etc.?  If the DHCP request is going to go over VLAN 1, how would I possibly send traffic for internal users to one DHCP server, but send requests for the guest network to a different DHCP server?  Is it as simple as multiple 'ip helper-address' entries and the router can figure it out based on packet/frame header information?

I'll try to upload a diagram if I can ...

Regards,
Scott

10 REPLIES
VIP Purple

Cisco Aironet DHCP

Hi Scott,

Two suggestions

1. Use another vlan for internal SSID other than native vlan 1

2. Configure IP helper address under g0/0.130 pointing to firewall DHCP server

Try this & let us know how it goes

HTH

Rasika

**** Pls rate all useful responses ****

Community Member

Cisco Aironet DHCP

Adding the helper address to g0/0.130 did not help at all.  I still got an IP address on VLAN 1 from my DHCP server on the 172.16.0.0 /16 network.

Re: Cisco Aironet DHCP

Can you give me the AP config?

Sent from Cisco Technical Support iPad App

Community Member

Cisco Aironet DHCP

I yanked out the irrelevant stuff.  Here's the remaining config:

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname US-NY-ROC-CW-60-3-AP3
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
ip domain name harrisinteractive.com
ip name-server 172.16.64.201
!
dot11 vlan-name GuestWireless vlan 130
dot11 vlan-name Native vlan 1
!
dot11 ssid -Harris-
   vlan 1
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa
   mbssid guest-mode
!
dot11 ssid Harris Guest
   vlan 130
   authentication open
   mbssid guest-mode
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers aes-ccm
 !
 ssid -Harris-
 !
 ssid Harris Guest
 !
 mbssid
 speed basic-1.0 2.0 5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2437
 station-role root
 no cdp enable
!
interface Dot11Radio0.1
 description Native VLAN
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.130
 description Guest Wireless
 encapsulation dot1Q 130
 no ip route-cache
 bridge-group 130
 bridge-group 130 subscriber-loop-control
 bridge-group 130 block-unknown-source
 no bridge-group 130 source-learning
 no bridge-group 130 unicast-flooding
 bridge-group 130 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.1
 description Native VLAN
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.130
 encapsulation dot1Q 130
 no ip route-cache
 bridge-group 130
 no bridge-group 130 source-learning
 bridge-group 130 spanning-disabled
!
interface BVI1
 ip address 172.16.37.33 255.255.0.0
 no ip route-cache
!
ip default-gateway 172.16.247.6
bridge 1 route ip

Community Member

Re: Cisco Aironet DHCP

Also, the firewalls are in a cluster and the physical interfaces on the firewall are like this:

Cluster IP = 10.130.0.1

FW 1 - ETH4.130 = 10.130.0.3

FW 2 - ETH4.130 = 10.130.0.4

The physical interfaces have encapsulation defined, but the cluster IP does not.  I have contacted the firewall vendor to ask if the cluster IP needs encapsulation as well and whether or not it supports it because I'm not sure what methodology they use to provide the virtual IP for the cluster.  When I configure the 'ip helper-address' I send it to the cluster IP.

Re: Cisco Aironet DHCP

Hey,

I guess your dot11 interface config is wrong; maybe you can find an idea here. I'm currently on the road, so it's not so easy to type into your config..

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml


Sent from Cisco Technical Support iPad App

Community Member

Re: Cisco Aironet DHCP

I don't see anything wrong with the AP configuration.  I have done this sort of scenario many times before prior to working more with the lightweight APs as they came out.  The difference there was that regardless of the SSID and/or VLAN, all DHCP requests were handled by either a single DHCP server or a cluster and it was a simple matter of configuring the 'ip helper-address' accordingly on each sub-interface at the router.  I think the issue is with the firewall and I have a case open with the vendor too but they are pointing fingers back at me and the Cisco config because they can't figure it out.  If my understanding of the DHCP request process is correct and the DHCP request will stay on its subnet then this should be working.  However a packet capture shows the DHCP request going to '0.0.0.0 255.255.255.255' as opposed to 10.130.255.255.

VIP Purple

Re: Cisco Aironet DHCP

 However a packet capture shows the DHCP request going to '0.0.0.0 255.255.255.255' as opposed to 10.130.255.255.

This is normal behaviour: the client does not have any IP when it sends a DHCP discover message, so it uses 0.0.0.0 as the source IP & 255.255.255.255 as the destination address. Refer to this for more detail

http://mrncciew.com/2012/12/27/understanding-dhcp/

To figure out whether it is the firewall or not, I would point g0/0.130 to your internal DHCP server by defining another scope. Then if guests get the new scope while internal users get the other scope, you know it is working fine from the wireless perspective. It is even better if you could have another DHCP server where you can point it to that & test (in your DMZ, if you have an IOS switch you can do that)

HTH

Rasika

***** Pls rate all useful responses ****
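The two questions the thread turns on (whether a DHCP request "stays on its subnet", and how a router with several 'ip helper-address' entries knows which server a request belongs to) come down to the giaddr field. Below is an added worked model of that exchange; it is illustration code written for this thread, not code from Cisco, from the poster, or from the firewall vendor. It builds a real RFC 2131 DHCPDISCOVER, applies the relay-agent behaviour of a helper address on a router-on-a-stick sub-interface, and has a server pick its scope from giaddr. The g0/0.130 address (10.130.0.254), the internal DHCP server address (172.16.64.10), the pools, and the simplification that an on-subnet server selects its scope from its own listening address are all assumptions made for the example; the firewall VIP 10.130.0.1 and physical address 10.130.0.3 are the ones given above.

```python
"""Model of DHCPDISCOVER relay via 'ip helper-address' and server scope
selection.  Added illustration for this thread; sub-interface addresses,
helper targets and pools are assumed, not taken from a real device."""
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"           # RFC 2131 option cookie
DHCPDISCOVER = 1
OPT_MSG_TYPE, OPT_END, OPT_PAD = 53, 255, 0
MAX_HOPS = 16                          # relays drop anything at or above this
BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def build_discover(client_mac: bytes, xid: int) -> bytes:
    """DHCPDISCOVER as the client emits it: ciaddr/yiaddr/siaddr/giaddr all 0.
    The IP layer carries it from 0.0.0.0 to 255.255.255.255; nothing in the
    packet itself names the client's subnet."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                    # op=BOOTREQUEST, htype=ethernet, hlen=6, hops=0
        xid, 0, 0x8000,                # xid, secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        client_mac, b"", b"",          # chaddr, sname, file (struct NUL-pads)
    )
    return header + MAGIC + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])


def parse(pkt: bytes) -> dict:
    """Extract the fields a relay agent and a server act on."""
    op, _htype, hlen, hops, xid = struct.unpack("!BBBBI", pkt[:8])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == OPT_PAD:
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "hops": hops, "xid": xid,
            "giaddr": ipaddress.IPv4Address(pkt[24:28]),
            "chaddr": pkt[28:28 + hlen],
            "msg_type": opts.get(OPT_MSG_TYPE, b"\0")[0]}


class Subinterface:
    """One L3 sub-interface on the router-on-a-stick, e.g. g0/0.130."""
    def __init__(self, name: str, address: str, helpers=()):
        self.name = name
        self.address = ipaddress.IPv4Address(address)
        self.helpers = [ipaddress.IPv4Address(h) for h in helpers]  # 'ip helper-address' entries


def relay(sub: Subinterface, pkt: bytes) -> list:
    """What a helper address does with a broadcast DISCOVER arriving on `sub`:
    set giaddr to the ingress sub-interface address (only if still 0.0.0.0),
    count a hop, and unicast a copy to each helper.  With no helper configured
    the broadcast is not forwarded; it stays inside that VLAN's L2 domain and
    only an on-subnet server can see it.  Returns (destination_ip, packet) pairs."""
    if not sub.helpers:
        return []
    f = parse(pkt)
    if f["hops"] >= MAX_HOPS:
        return []                                     # relay loop protection
    giaddr = sub.address.packed if int(f["giaddr"]) == 0 else f["giaddr"].packed
    out = pkt[:3] + bytes([f["hops"] + 1]) + pkt[4:24] + giaddr + pkt[28:]
    return [(str(h), out) for h in sub.helpers]


class DhcpServer:
    """Scope selection per RFC 2131 4.3.1: giaddr names the client's subnet when
    relayed; for an on-subnet broadcast (giaddr 0) a real server uses the
    receiving interface's subnet, approximated here by the listening address."""
    def __init__(self, listen: str, scopes: dict):
        self.listen = ipaddress.IPv4Address(listen)
        self.scopes = {ipaddress.IPv4Network(n): list(p) for n, p in scopes.items()}

    def select_scope(self, giaddr):
        key = giaddr if int(giaddr) != 0 else self.listen
        return next((net for net in self.scopes if key in net), None)

    def handle(self, dst: str, pkt: bytes):
        """Return the yiaddr a DHCPOFFER would carry, or None.  `dst` is the IP
        the packet was sent to: a server not listening on it (the cluster VIP
        in the thread, before the vendor fix) never answers."""
        if ipaddress.IPv4Address(dst) not in (self.listen, BROADCAST):
            return None
        f = parse(pkt)
        if f["op"] != 1 or f["msg_type"] != DHCPDISCOVER:
            return None
        net = self.select_scope(f["giaddr"])
        if net is None or not self.scopes[net]:
            return None
        return self.scopes[net].pop(0)


def scenario() -> dict:
    """Assumed topology: g0/0.1 172.16.247.6 (internal, DHCP on-subnet, no helper);
    g0/0.130 10.130.0.254 (guest, helper -> firewall cluster VIP 10.130.0.1)."""
    g0_0_1 = Subinterface("g0/0.1", "172.16.247.6")
    g0_0_130 = Subinterface("g0/0.130", "10.130.0.254", helpers=["10.130.0.1"])
    ms_dhcp = DhcpServer("172.16.64.10", {"172.16.0.0/16": ["172.16.37.100"]})  # assumed address
    fw_vip = DhcpServer("10.130.0.1", {"10.130.0.0/16": ["10.130.0.50"]})       # VIP answers DHCP
    fw_phys = DhcpServer("10.130.0.3", {"10.130.0.0/16": ["10.130.0.50"]})      # only .3 answers
    disc = build_discover(bytes.fromhex("001122334455"), 0x1234)
    dst, relayed = relay(g0_0_130, disc)[0]
    return {"internal_forwarded": relay(g0_0_1, disc),               # [] : stays on VLAN 1
            "internal_offer": ms_dhcp.handle("255.255.255.255", disc),
            "guest_helper_dst": dst,
            "guest_giaddr": str(parse(relayed)["giaddr"]),
            "guest_offer_vip": fw_vip.handle(dst, relayed),
            "guest_offer_phys_only": fw_phys.handle(dst, relayed)}   # None: VIP silent


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The last two results are the thread's failure mode in miniature: the relay correctly delivers the guest request, tagged with the VLAN 130 giaddr, to the helper address, but a server that only listens on a physical member address never sees a packet addressed to the cluster VIP. When debugging this, capture on the server side for unicast UDP/67 to the helper target rather than for the original broadcast, and confirm giaddr in the relayed packet matches the sub-interface you expect.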

Community Member

Re: Cisco Aironet DHCP

OK, I figured that somehow it would know that since it's in bridge-group 130 it would contain the DHCP request to only that layer 2 domain.  It may still do that, but as you say, since it doesn't have an IP yet.  I do have a DHCP server on the native VLAN that DOES hand out IP addresses in the correct VLAN when I place a scope on it for VLAN 130.  I had that up and working from a wired port first before testing the wireless part to ensure I had carried the VLAN through the network properly because I'm only extending VLAN 130 on the switches that are in the pathway for guest users (IOW not all switches have VLAN 130 configured).  The wireless clients get an address in the correct VLAN too when I use my MS DHCP server.  This is what is continuing to push me towards working more with the FW vendor, but as I said they are pushing back at me and it's caused me to question whether or not I know what the heck is going on!  Just for the sake of completeness, does anyone know any documentation that presents the concept of bridge-groups within a switch or AP?

Community Member

Re: Cisco Aironet DHCP

I wanted to make sure I got back here and updated everyone so that I didn't leave the thread hanging.  Turns out that it was an issue on the firewall side of things.  Once I got escalated to a higher level tech, he realized the issue.  We had to modify some file within the firewall because it doesn't respond to DHCP on the virtual IP address by default.  Once we made the change to 'NAT' the DHCP request from the virtual address to the physical address of the active firewall in the cluster, all was well.  Thanks for those that responded.
