
DHCP from external DHCP server setup questions

  • 1.  DHCP from external DHCP server setup questions

    Posted Jan 25, 2012 08:19 PM

    We are trying to set up our DMZ controller, that handles all RAPs, to provide Portal access via RAPs for remote guests.  We are trying to use an external DHCP server.  Everything that we try so far is not working.  Setting the controller with the internal DHCP server on the controller works fine, but when the vlan is set with the IP-Helper address, it just doesn't work.

     

    What configuration needs to be done on the controller in order for the external DHCP setup to work?

     

    We will be doing this within our internal network as well since we have exhausted the internal DHCP server on our high traffic campuses.

     

     



  • 2.  RE: DHCP from external DHCP server setup questions

    EMPLOYEE
    Posted Jan 25, 2012 08:22 PM

    1.  The IP address of the controller needs to be able to reach the IP address of the external DHCP server

    2.  The DHCP server needs to have a scope that corresponds to the subnet of the IP interface that the helper address is on

     

     



  • 3.  RE: DHCP from external DHCP server setup questions

    Posted Jan 25, 2012 09:23 PM
    From the controller I can ping the DHCP server fine. The DHCP scope has been set up properly. Does a static need to be added for the portal subnet?


  • 4.  RE: DHCP from external DHCP server setup questions

    EMPLOYEE
    Posted Jan 25, 2012 09:25 PM

    So the controller does not have an ip interface on that subnet?  That is absolutely necessary.



  • 5.  RE: DHCP from external DHCP server setup questions

    Posted Jan 25, 2012 10:54 PM

    the controller has vlan 919 with ip 192.168.102.1/23.  The dhcp server has the scope of 192.168.102.1-103.254 excluding addresses 1-10.



  • 6.  RE: DHCP from external DHCP server setup questions

    EMPLOYEE
    Posted Jan 26, 2012 06:27 AM

    @salvi wrote:

    the controller has vlan 919 with ip 192.168.102.1/23.  The dhcp server has the scope of 192.168.102.1-103.254 excluding addresses 1-10.




     

    Okay.

     

    For that to work the controller has to have a physical connection to the same LAN as the DHCP server, and then assign users to that VLAN.  No helper address is necessary.  Let's suppose you connected your LAN to gigabitethernet 0/3 on the controller, you would do this:

     

    config t
    vlan 919
    interface gigabitethernet 0/3
    switchport access vlan 919

     

    You would connect a cable from gigabitethernet 0/3 on the controller to that physical LAN.

     

    You would then go into the Virtual AP of that wireless network and make sure the VLAN is 919.  No helper address needed since you can make a physical connection from the controller to an already existing subnet.

     

     



  • 7.  RE: DHCP from external DHCP server setup questions

    EMPLOYEE
    Posted Jan 27, 2012 06:44 AM

    As you are mentioning RAPs, when the RAP is in split-tunnel mode make sure that the DHCP requests are forwarded to the controller (not bridged out of the RAP).


    If you only tunnel the private, internal ranges, the DHCP requests are bridged out locally and will not reach the DHCP server.


    Use a permit action in the firewall rules to permit DHCP and/or the broadcast IP 255.255.255.255 on top of the user's role. You probably already have this in place, as the internal DHCP does work.

     

    But you might double-check this.
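
Added example, not part of the original posts and not HPE Aruba's own configuration: a split-tunnel session ACL of the kind the reply above describes, written in ArubaOS 6.x-style CLI. The `svc-dhcp` permit rule comes first so DHCP is tunnelled to the controller instead of being bridged out locally at the RAP; the alias name `internal-network`, the ACL name `split-tunnel` and the address ranges are assumptions.

```text
! Added example: names and ranges below are assumed, not taken from the thread.
! Hypothetical alias for the private ranges that are tunnelled to the controller.
netdestination internal-network
  network 10.0.0.0 255.0.0.0
  network 172.16.0.0 255.240.0.0
  network 192.168.0.0 255.255.0.0
!
! Rule order matters. Rule 1: DHCP is permitted, which in split-tunnel mode
! forwards it through the tunnel to the controller (and on to the DHCP server).
! Rules 2-3: traffic to and from the internal ranges is tunnelled.
! Rule 4: everything else is bridged locally at the RAP with source NAT.
ip access-list session split-tunnel
  any any svc-dhcp permit
  user alias internal-network any permit
  alias internal-network user any permit
  user any any route src-nat
!
```

If the DHCP rule is missing or sits below the `route src-nat` rule, client DHCP broadcasts never reach the controller, which matches the symptom of the external server receiving no requests.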



  • 8.  RE: DHCP from external DHCP server setup questions

    Posted Jan 31, 2012 09:21 PM

    Ok, what we are trying to do is to avoid routing the guest network.  We are doing src-nat for the dhcp and hence why we were adding the ip helper on the vlan interface.

     

    Going through the knowledgebase, we did find an article stating not to NAT DHCP.  So, what would be the best way to keep the guest network out of the corporate network if the DHCP server is in the corporate network?

     

    We want to do this for internal guest users and if possible external guest users as well.