Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3876
Views
0
Helpful
6
Replies

DHCP for Single 5508 WLC and Guest Access

Go to solution
SchurmanRyan
Level 1
Level 1

‎11-30-2011 09:21 AM - edited ‎07-03-2021 09:09 PM

I have a single 5508 WLC that will be used for guest wireless now as well as secure employee wireless in the future.  Since our DMZ consists of a only a single L2 vlan, I will be creating multiple new L2 vlans to be used for the open guest wireless clients.  Since these are not routable, would I still be able to use a DHCP server on my internal network using the WLC as a proxy?  Or do I need to just configure DHCP on my DMZ firewall for each VLAN and disable the WLC proxy?

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
pcroak
Cisco Employee
Cisco Employee

‎11-30-2011 02:21 PM

Hello Ryan,

Even with DHCP proxy enabled, the DHCP request will be sent to the configured server as a unicast, with the source address being that of the respective dynamic interface.

Since this L2 vlan is not routed, then there will be no way to reach an internal DHCP server from the DMZ, if I understand your topology correctly.

So, it sounds like you will need to have a DHCP server present in the DMZ, either the firewall or a local WLC scope.

-Pat

View solution in original post

0 Helpful

Go to solution
pcroak
Cisco Employee
Cisco Employee
In response to SchurmanRyan

‎12-01-2011 07:55 AM

Ryan,

Your access points will obtain DHCP independent of the WLC. They will send their own DHCP discover packets on the vlan that they are connected in. So if they are on an internal L3 vlan, you simply would need to add something like an ip-helper address to forward those DHCP broadcasts to your desired server.

The access points will then need to learn the IP address of your WLC management interface, through the use of things like DHCP option 43, or a DNS entry for cisco-capwap-controller.

You will also need to allow communication between the AP vlan and the WLC management vlan.

-Pat

View solution in original post

0 Helpful
6 Replies 6

Go to solution
pcroak
Cisco Employee
Cisco Employee

‎11-30-2011 02:21 PM

Hello Ryan,

Even with DHCP proxy enabled, the DHCP request will be sent to the configured server as a unicast, with the source address being that of the respective dynamic interface.

Since this L2 vlan is not routed, then there will be no way to reach an internal DHCP server from the DMZ, if I understand your topology correctly.

So, it sounds like you will need to have a DHCP server present in the DMZ, either the firewall or a local WLC scope.

-Pat

0 Helpful

Go to solution
SchurmanRyan
Level 1
Level 1
In response to pcroak

‎12-01-2011 06:26 AM

Pat,

Thanks for the clarification.  One follow-up question--if I'm using DHCP in my DMZ for those L2 vlans, would I stilll be able to have the controller proxy a DHCP server on my internal lan to hand out IPs to my access points that are on an L3 vlan?  They would be able to route to the internal server--I'm just wondering if it's possible to mix and match DHCP settings like that on the same controller if I use LAG on the distribution ports.

0 Helpful

Go to solution
pcroak
Cisco Employee
Cisco Employee
In response to SchurmanRyan

‎12-01-2011 07:55 AM

Ryan,

Your access points will obtain DHCP independent of the WLC. They will send their own DHCP discover packets on the vlan that they are connected in. So if they are on an internal L3 vlan, you simply would need to add something like an ip-helper address to forward those DHCP broadcasts to your desired server.

The access points will then need to learn the IP address of your WLC management interface, through the use of things like DHCP option 43, or a DNS entry for cisco-capwap-controller.

You will also need to allow communication between the AP vlan and the WLC management vlan.

-Pat

0 Helpful

Go to solution
SchurmanRyan
Level 1
Level 1
In response to pcroak

‎12-20-2011 05:59 AM

Pat,

I have just tried this and my access points are getting IPs without any issues.  However my clients are not.  The guest WLAN is using an interface group of several /24 layer 2 vlans (using latest code version).  There is an external DHCP server that has a virtual interface/IP defined for each L2 vlan.  I have disabled DHCP proxy on the controller.  Is there anything else I am missing?

0 Helpful

Go to solution
George Stefanick
VIP Alumni
VIP Alumni
In response to SchurmanRyan

‎12-20-2011 06:40 AM

If you disabled proxy did you add a ip helper on the vlans that are providing network access to the guest users?

Sent from Cisco Technical Support iPad App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
0 Helpful

Go to solution
SchurmanRyan
Level 1
Level 1
In response to George Stefanick

‎12-20-2011 07:39 AM

Found the problem.. the Layer 2 vlans I had created weren't showing up in the vlan database on the L3 switch the controller was connected to.  Once I set some access interfaces up on the switch and verified DHCP worked on the wired side for these vlans, all was well.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card