Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

IAP and DHCP, L2 forwarding but no NAT

  • 1.  IAP and DHCP, L2 forwarding but no NAT

    Posted Nov 14, 2013 09:46 AM

    I have a fairly simple setup, but still I have run into a problem I can't quite figure out.

    A customer has bought 4 IAPs to replace an old WLAN solution. It's a small office and not many users, but 3 subnets:

    Mgmt
    Employee
    Guest

    In the current installation they have the Employee SSID tied to VLAN 2, and the AP hands out IP addresses, but the gateway is on a firewall. It is the same for the Guest SSID. The AP hands out DHCP addresses, but the gateway is on the firewall.

    The customer wants to keep the same setup with the gateway residing on the firewall.

    How can I solve this if I want to hand out DHCP from the IAP, but want the gateway to be the firewall?

    If I use the Local,L3 mode, then I can do DHCP for the VLAN on the IAP, but the traffic will be NAT'ed behind the IAP IP, and not forwarded as L2 to the firewall. The IAP would do the firewalling between the clients, and not the firewall as they want.

    It would be an easy fix to run DHCP on the firewall, but that is not an option in this case.

    I tried deny local routing, but that just stopped the traffic from being routed from the SSID VLAN to the uplink for NAT.

    With a mobility controller it is very easy:

    interface vlan 2
    ip address 10.1.1.2 255.255.255.0
    no ip routing

    ip dhcp pool employee
    network 10.1.1.0 255.255.255.0
    default-gateway 10.1.1.1

    Is this even possible on an IAP?

    I am running software 6.2.1.0-3.4.0.3

     



  • 2.  RE: IAP and DHCP, L2 forwarding but no NAT

    EMPLOYEE
    Posted Nov 14, 2013 09:49 AM

    Can you stand up a DHCP server elsewhere?



  • 3.  RE: IAP and DHCP, L2 forwarding but no NAT

    EMPLOYEE
    Posted Nov 14, 2013 09:50 AM

    Is your firewall capable of providing DHCP services?



  • 4.  RE: IAP and DHCP, L2 forwarding but no NAT

    Posted Nov 14, 2013 09:55 AM

    I am investigating. The firewall I am fairly sure can't do it, but possibly I can get DHCP service running elsewhere.

    Does this mean it's not possible?

    Would be nice to not be dependent on other 3rd parties.



  • 5.  RE: IAP and DHCP, L2 forwarding but no NAT

    EMPLOYEE
    Posted Nov 14, 2013 09:57 AM

    No...it isn't.  There are 2 options for doing DHCP from the VC:

    1. Using "virtual controller assigned" in the network settings
    2. Using Local,L3 in the DHCP settings

    Outside of that, we require an external DHCP server or a relay to a corporate DHCP server to accomplish what you require.  Unfortunately, the above 2 options require that the VC is the gateway; however, only "virtual controller assigned" does NAT.



  • 6.  RE: IAP and DHCP, L2 forwarding but no NAT

    Posted Nov 14, 2013 10:15 AM

    Fair enough, I have one follow-up question then. In what scenario would you use the Deny local routing feature?

    Do you still need to use that to stop routing between different WLAN subnets in a scenario like mine?

    If networks are Network assigned, you won't have interfaces to route between, and if you have an L3 interface it is bound to be a gateway, and then it will basically break the network.

    On second thought I see that it can be used in a distributed L2 forwarding mode, where you don't want routing between the VC mgmt subnet and the distributed L2 corporate subnet.



  • 7.  RE: IAP and DHCP, L2 forwarding but no NAT

    EMPLOYEE
    Posted Nov 14, 2013 10:18 AM

    I wouldn't enable "deny local routing".  That feature prevents users connected to the same IAP from communicating with each other.  In 4.0, we are adding some additional restrictions to prevent users from accessing the mgmt interfaces.



  • 8.  RE: IAP and DHCP, L2 forwarding but no NAT
    Best Answer

    EMPLOYEE
    Posted Nov 14, 2013 10:32 AM

    I stand corrected...sorry that I misspoke, in Local, L3 the only requirement is that the VC is the gateway.  The client is ROUTED from there but NOT NAT'ed.

    So...on the firewall, all you need is a static route pointing at the VC IP address as the next hop.
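A worked example added here (not from the thread or from Aruba) that turns the three DHCP modes discussed in replies 5 and 8 into a firewall checklist and checks a firewall route table for the return route that Local,L3 mode needs. The VC address 192.168.10.5, the Guest subnet and the route-table text format are constructed assumptions; the Employee pool reuses the 10.1.1.0/24 from the first post.

```python
"""Added example (not from the thread): work out what the firewall needs for
each IAP SSID DHCP mode, and check a firewall route table for the return
routes Local,L3 requires. VC IP and table format are constructed."""
import re
from ipaddress import ip_address, ip_network

def firewall_requirements(ssids, vc_ip):
    """Map each (ssid, subnet, mode) to what the firewall must do for it."""
    out = {}
    for name, subnet, mode in ssids:
        net = ip_network(subnet)
        if mode == "local-l3":
            # VC is gateway, clients routed with their real source IP:
            # firewall needs a return route via the VC
            out[name] = f"static route {net} next-hop {vc_ip}"
        elif mode == "vc-assigned":
            # VC is gateway and NATs: firewall sees only the VC IP, so it
            # cannot apply per-client policy to this SSID
            out[name] = f"no route needed; clients appear as {vc_ip}"
        elif mode == "network":
            # pure L2 forwarding: DHCP and gateway live elsewhere on the VLAN
            out[name] = "external DHCP and gateway on the VLAN"
        else:
            raise ValueError(f"unknown mode {mode!r}")
    return out

ROUTE_RE = re.compile(r"^(\S+)\s+via\s+(\S+)")

def missing_routes(route_table, ssids, vc_ip):
    """Return Local,L3 SSIDs whose subnet has no firewall route via the VC."""
    routes = {}
    for line in route_table.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes[ip_network(m.group(1))] = ip_address(m.group(2))
    return [name for name, subnet, mode in ssids
            if mode == "local-l3"
            and routes.get(ip_network(subnet)) != ip_address(vc_ip)]

# Constructed sample: Employee pool follows the 10.1.1.0/24 from the thread
SSIDS = [("Employee", "10.1.1.0/24", "local-l3"),
         ("Guest", "10.1.2.0/24", "local-l3"),
         ("Mgmt", "192.168.10.0/24", "network")]
VC_IP = "192.168.10.5"          # assumed VC management address
FW_ROUTES = "10.1.1.0/24 via 192.168.10.5\n0.0.0.0/0 via 203.0.113.1\n"

if __name__ == "__main__":
    print(firewall_requirements(SSIDS, VC_IP))
    print("missing return routes:", missing_routes(FW_ROUTES, SSIDS, VC_IP))
```

With the sample table the Guest subnet is reported as missing a return route, which is exactly the case where Local,L3 clients can reach the firewall but replies never come back.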



  • 9.  RE: IAP and DHCP, L2 forwarding but no NAT

    Posted Nov 15, 2013 03:15 AM

    OK, so it is not NAT'ed, but needs routing. That is handy to know, but won't achieve the L2 forwarding I want :)

    It looks like I can have the DHCP scope on a server, so then it will be easy to set it up.

    Thanks for the help. Have a nice weekend. :)

     



  • 10.  RE: IAP and DHCP, L2 forwarding but no NAT

    Posted Jan 14, 2015 06:26 PM

    Seth,

    Thanks for the info in this post.  It helped me out of a jam.

    Don Demars

    (ex-Cabletron)


    @SethFiermonti wrote:

    I stand corrected...sorry that I misspoke, in Local, L3 the only requirement is that the VC is the gateway.  The client is ROUTED from there but NOT NAT'ed.

    So...on the firewall, all you need is a static route pointing at the VC IP address as the next hop.