To get a brief overview about DHCP process in Wired Infrastructure, please see my previous post: DHCP Basics
In this post we will see the different DHCP operation on Cisco Wireless LAN Controller.
As we all know that we can use External or internal DHCP server for wireless clients via Cisco WLC.
Topology Diagram:
So first we will go through the configuration and functionality of external DHCP server for a WLAN.
External DHCP Server:
WLC can support two modes in case of External DHCP server.
- DHCP proxy
- DHCP Bridging
DHCP Proxy Mode:
To use the controller as a DHCP proxy, the DHCP proxy feature must be enabled on the controller. By default, this feature is enabled.
DHCP server must be configured on each WLC interface that requires DHCP services. A DHCP server can be configured on the management interface, AP-manager interface, and on dynamic interfaces.
Configuration
To enable DHCP proxy and DHCP server configuration WLC interface:
Via GUI:
Enable DHCP Proxy
Enter DHCP IP for WLC Interface: (It just an example)
Via CLI:
Enable DHCP Proxy
(WLC1) >config dhcp proxy enable
(WLC1) >show dhcp proxy
DHCP Proxy Behavior: enabled
Configure DHCP server IP on WLC Interface:
Example:
(WLC1) >config interface dhcp dynamic-interface <interface-name> primary <primary-server> secondary <secondary-server>
(WLC1) >config interface dhcp dynamic-interface guest primary 192.168.10.1 secondary 0.0.0.0
- The DHCP proxy mode serves as a DHCP helper function to achieve better security and control over DHCP transaction between the DHCP server and the wireless clients.
- In this mode Controller virtual IP address (1.1.1.1 or depends on …what we have) as source IP address for all DHCP process for client means we will not see the exact DHCP server IP address in our packet capture.
- When multiple offers are coming from external DHCP servers, the DHCP proxy normally selects the first one that comes in and sets the IP address of the server in the client data structure. As a result, all following transactions go through the same DHCP server until a transaction fails after retries. At this point, the proxy selects a different DHCP server for the client.
- DHCP proxy is enabled by default. All controllers that will communicate must have the same DHCP proxy setting.
- In this DHCP proxy mode, it is not only directing DHCP packets to the DHCP server, it is actually building new DHCP packets to forward to the DHCP server. All DHCP options which are present in the client’s DHCP packets are copied in the controller’s DHCP packets.
Packet flow:
- Client boots up and send DHCP Discover on all subnet broadcast.
- WLC unicast this packet to DHCP server(as configured on WLC interface)
- DHCP server send DHCP offer to WLC.
- WLC unicast DHCP offer to Client with source address as WLC virtual IP address.
- Client send DHCP request to WLC on Virtual address because Client think that this virtual IP is DHCP server address
- WLC unicast DHCP request to DHCP server which returned the first offer to the client.
- DHCP server send ACK to WLC
- WLC unicast ACK from virtual IP to the client.
Let see the packet capture from Client side:
DHCP Discover Packet:
1.1.1.1 is the WLC Virtual Interface IP address
10.xx.xx.13 is the Client IP address.
DHCP Offer:
DHCP Request:
DHCP ACK:
DHCP Bridge Mode
DHCP bridging mode provides an option to make controller’s role in DHCP transaction entirely transparent to the wireless clients.
Configuration:
To enable the DHCP bridging functionality on the controller, we must disable the DHCP proxy feature on the controller.
Via GUI:
Via CLI:
(WLC1) >config dhcp proxy disable (WLC1) >show dhcp proxy DHCP Proxy Behaviour: disabled
Packet Flow:
- Client send DHCP Discover on all subnet broadcast which is bridged by controller
- DHCP server send DHCP offer to Client
- Client send DHCP request to all subnet
- DHCP server send ACK to client in unicast packet
Let see the packet capture from Client Side:
DHCP Discover:
DHCP Offer:
10.xx.xx.254 is the Router Gateway IP address
10.xx.xx.13 is the client IP address
10.xx.xx.1 is the DHCP server IP address
DHCP Request:
DHCP ACK:
Internal DHCP Server:
Internal DHCP is used for small office where external DHCP server is not possible to use.
Cisco recommend to use internal DHCP with less than 10 AP in network, if we have more AP then 10 then better to use external DCHP.
Internal DHCP provide IP to WLAN clients, directly connected APs.
Internal DHCP Server Configuration:
We must enable DHCP proxy on the controller to allow the internal DHCP server to function.
Via GUI:
Via CLI:
Enable DHCP Proxy
(WLC1) >config dhcp proxy enable (WLC1) >show dhcp proxy DHCP Proxy Behavior: enabled
*** For internal DHCP we must create a DHCP scope for specific interface and put the WLC management IP in interface primary DHCP server configuration box or Point DHCP override to the management interface IP address of our controller under WLAN > edit
How to Create DHCP Scope: Login to WLC GUI then goes to Controller >Internal DHCP Server >DHCP Scope > New
Assign DHCP Server :
On Dynamic Interface:
See the 2nd Pic of the post.
DHCP override to the management interface IP per WLAN.
Packet Flow:
- Client send DHCP discover on all subnet as broadcast
- WLC forward the DHCP discover via DHCP proxy to internal DHCP server ip address(Management interface IP of WLC)
- Internal DHCP server send DHCP offer to WLC proxy agent.
- WLC send unicast DHCP offer to client with source address of WLC management Interface IP.
- Client send DHCP request to WLC on management interface IP.
- WLC send unicast DHCP request to internal server via DHCP proxy
- Internal DHCP server sends DHCP ACK to DHCP proxy.
- WLC send unicast DHCP ACK to client
Just small Info in short to remember: Many guys like me have confusion between these two words:
A DHCP proxy server has a fully-functional DHCP client and DHCP server implementation in it. The client part requests addresses from another DHCP server and stores them in an internal address pool while the server part listens to DHCP requests from clients and uses this internal pool to lease the addresses.(like: Internal DHCP server)
A DHCP relay agent listens to the broadcast DHCP requests from clients and forward them to another DHCP server (usually per unicast).
*** In both DHCP relay and DHCP proxy cases the clients will never see the real DHCP server but rather will consider the intermediate element as their DHCP server.
Let’s see the packet capture from Client side:
DHCP Discover:
DHCP Offer:
DHCP Request:
DHCP ACK:
10.xx.xx.26 is the client IP address.
10.xx.xx.254 is the Router Gateway IP address.