Disable DHCP Proxy per WLAN - WLC v7.2

I have a DHCP server on a WLAN that does not support Cisco's native proxy mode. I need to use DHCP bridge mode for that WLAN only.
How do I disable DHCP Proxy and switch to DHCP bridge mode for one WLAN?
Thanks

Hello Stephen.
How is this behaviour in 7.5? It's weird because in the individual interfaces you might change the value, but it doesn't get accepted. So it still seems that it's a global setting... but then: why showing this item to be changed on each interface?
Kind regards,
Flavio.

Similar Messages

  • Disable dhcp proxy for PPP VPN (outside DHCP server + NPS)

    Hi,
    Our VPN setup is to authenticate / authorize via RADIUS to a Microsoft NPS server / Active Directory and use our internal DHCP server to receive its information. We are running a Cisco 2811, with firmware release k9 15.1- 4.M5.
    However, we have been having some issues with our setup for a dial-in VPN. We managed to get almost everything working.
    The user can dial in and authenticate and it even builds the proper PPTP tunnel. However, the client machine, when it sends out a DHCP request, seems to get forced to proxy through the Cisco router. Thus what the DHCP server sees is an encoded MAC address from the Cisco all the time, and it sees the client as being the Cisco router, not the VPN client/user. This is rather frustrating, as in the Active Directory DNS tables it will show up as the router having x number of different IP addresses and the end client doesn't show up at all.
    I have tried utilizing a bunch of different configuration options to test, all with the same outcome.
    Utilizing "ip helper-address <dhcp server>" didn't work to forward correctly. Then trying to turn off all DHCP services, with the global command "no service dhcp", didn't change the result. Neither did setting the global command "ip dhcp-server <dhcp server>".
    What I am trying to achieve is that the Cisco does NOT mess with the DHCP request and just allows it to pass through.
    Anyone have any idea?
    Here are the parts of the current configuration in respect to this:
    no service dhcp
    aaa new-model
    aaa authentication login CONSOLE local
    aaa authentication ppp default group radius local
    aaa authorization network default if-authenticated
    aaa session-id common
    no ip domain lookup
    ip domain name <domain>
    ip name-server xxx.xxx.xxx.xxx
    ip dhcp-server xxx.xxx.xxx.xxx
    vpdn enable
    vpdn-group 1
    ! Default PPTP VPDN group
    accept-dialin
      protocol pptp
      virtual-template 1
    interface Virtual-Template1
    ip unnumbered FastEthernet0/1    <-Internal Interface
    no ip proxy-arp
    ip nat inside
    no ip virtual-reassembly in
    peer default ip address dhcp
    ppp encrypt mppe auto required
    ppp authentication pap chap ms-chap ms-chap-v2
    radius-server host xxx.xxx.xxx.xxx
    radius-server key <private key>
    And the problem that I am seeing when running a debug on DHCP:
    *Jan 15 09:01:46.558: DHCP: proxy allocate request
    *Jan 15 09:01:46.558: DHCP: new entry. add to queue, interface Virtual-Access5
    *Jan 15 09:01:46.558: DHCP: Client socket is opened
    *Jan 15 09:01:46.558: DHCP: SDiscover attempt # 1 for entry:
    *Jan 15 09:01:46.558: DHCP: SDiscover: sending 284 byte length DHCP packet
    *Jan 15 09:01:46.558: DHCP: SDiscover 284 bytes
    *Jan 15 09:01:46.562: DHCP: XID MATCH in dhcpc_for_us()
    *Jan 15 09:01:46.990: DHCP: Received a BOOTREP pkt
    *Jan 15 09:01:46.990: DHCP: offer received from <DHCP SERVER>
    *Jan 15 09:01:46.990: DHCP: SRequest attempt # 1 for entry:
    *Jan 15 09:01:46.990: DHCP: SRequest- Server ID option: <DHCP SERVER>
    *Jan 15 09:01:46.990: DHCP: SRequest- Requested IP addr option: 192.168.10.100
    *Jan 15 09:01:46.990: DHCP: SRequest: 296 bytes
    *Jan 15 09:01:46.990: DHCP: SRequest: 296 bytes
    *Jan 15 09:01:46.994: DHCP: XID MATCH in dhcpc_for_us()
    *Jan 15 09:01:46.994: DHCP: Received a BOOTREP pkt
    *Jan 15 09:01:46.994: DHCP: Sending notification of ASSIGNMENT:
    *Jan 15 09:01:46.994:   Address 0.0.0.0 mask 0.0.0.0
    *Jan 15 09:01:46.994: DHCP Proxy Client Pooling: ***Allocated IP address: 192.168.10.100
    *Jan 15 09:01:46.994: DHCP: look up prim DNS for Vi5 from lease good ret: <DNS server 1>
    *Jan 15 09:01:46.998: DHCP: look up prim NBNS for Vi5 from lease any ret: fail
    *Jan 15 09:01:46.998: DHCP: look up sec DNS for Vi5 from lease good ret: <DHCP Server>
    *Jan 15 09:01:46.998: DHCP: look up sec NBNS for Vi5 from lease any ret: fail
    *Jan 15 09:01:47.018: DHCP: look up prim DNS for Vi5 from lease good ret: <DNS server 1>
    *Jan 15 09:01:47.018: DHCP: look up sec DNS for Vi5 from lease good ret: <DHCP Server>
    *Jan 15 09:01:47.038: DHCP: look up prim DNS for Vi5 from lease good ret: <DNS server 1>
    *Jan 15 09:01:47.038: DHCP: look up sec DNS for Vi5 from lease good ret: <DHCP Server>
    *Jan 15 09:01:56.826: DHCP: Interface Virtual-Access5 going down. Releasing: 192.168.10.100
    *Jan 15 09:01:56.826: DHCP: start holddown for 192.168.10.100
    *Jan 15 09:01:56.826: DHCP: Holddown and T1 remain 1792 sec
    As one can see, even with the configuration to turn off any proxy or DHCP, the Cisco router still tries to interject and proxy the request, aka:
    DHCP: proxy allocate request
    If anyone has any idea, please let me know
    Thanks
    S.
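
    Added example (not part of the original post, and not Cisco code): a Python parser for the `debug dhcp` lines quoted above that ties each proxy-allocated address back to the Virtual-Access interface it was handed to, which is the mapping the DHCP server loses when it only ever sees the router as the requester. The sample lines are copied from the post with its placeholders kept; the class and function names are hypothetical.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Sample input: debug lines copied from the post above (placeholders kept).
SAMPLE = """\
*Jan 15 09:01:46.558: DHCP: proxy allocate request
*Jan 15 09:01:46.558: DHCP: new entry. add to queue, interface Virtual-Access5
*Jan 15 09:01:46.990: DHCP: offer received from <DHCP SERVER>
*Jan 15 09:01:46.994:   Address 0.0.0.0 mask 0.0.0.0
*Jan 15 09:01:46.994: DHCP Proxy Client Pooling: ***Allocated IP address: 192.168.10.100
*Jan 15 09:01:56.826: DHCP: Interface Virtual-Access5 going down. Releasing: 192.168.10.100
"""

_LINE = re.compile(r"^\s*\*(\w{3}\s+\d+\s+[\d:]+\.\d+):\s+(.*)$")
_IFACE = re.compile(r"add to queue, interface (\S+)")
_OFFER = re.compile(r"offer received from (.+)$")
_ALLOC = re.compile(r"Allocated IP address: (\S+)")
_DOWN = re.compile(r"Interface (\S+) going down\. Releasing: (\S+)")


@dataclass
class ProxyLease:
    """One address the router requested on behalf of a PPP peer."""
    interface: Optional[str] = None
    server: Optional[str] = None
    address: Optional[str] = None
    allocated: Optional[datetime] = None
    released: Optional[datetime] = None

    def held_seconds(self) -> Optional[float]:
        if self.allocated is None or self.released is None:
            return None
        return (self.released - self.allocated).total_seconds()


def _ts(stamp: str) -> datetime:
    # The debug stamps carry no year; 2000 is an arbitrary placeholder (a leap
    # year, so Feb 29 parses). Only deltas inside one capture are meaningful.
    return datetime.strptime("2000 " + " ".join(stamp.split()), "%Y %b %d %H:%M:%S.%f")


def parse_proxy_leases(text: str) -> List[ProxyLease]:
    leases: List[ProxyLease] = []
    current: Optional[ProxyLease] = None
    for raw in text.splitlines():
        line = _LINE.match(raw)
        if not line:
            continue
        stamp, msg = line.groups()
        if "proxy allocate request" in msg:
            current = ProxyLease()          # router starts acting as the DHCP client
            leases.append(current)
            continue
        down = _DOWN.search(msg)
        if down:
            for lease in leases:            # close the matching open lease
                if (lease.interface, lease.address) == down.groups() and lease.released is None:
                    lease.released = _ts(stamp)
            continue
        if current is None:
            continue                        # DHCP chatter outside a proxy exchange
        if (m := _IFACE.search(msg)):
            current.interface = m.group(1)
        elif (m := _OFFER.search(msg)):
            current.server = m.group(1).strip()
        elif (m := _ALLOC.search(msg)):
            current.address = m.group(1)
            current.allocated = _ts(stamp)
    return leases
```

    Calling `parse_proxy_leases(SAMPLE)` returns one lease for Virtual-Access5; tying that interface to a user name needs the PPP or RADIUS accounting records, which the post does not show.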

  • WLC4404 DHCP Proxy

    Hello everybody...
    How to disable dhcp proxy on controller and what is the impact of doing it in the middle?
    We tried once by giving the 'config dhcp proxy disable' command but are seeing the virtual IP again (likely it gets back to proxy mode).
    We also have ip helper address on the L3 interface.
    We have only external DHCP servers configured.
    Any help would be appreciated.

    Is the dhcp server on a different vlan? I would also try to remove the client as it might be the client with the stuck info.  You usually don't have to reboot the WLC, but it seems like something is hanging and a reboot might just be what you need to do in the middle of the night.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • DHCP Proxy

    Hello,
    I recently upgraded our WiSM software to version 4.2.99 from 4.1.171.0 to bypass the DHCP relay issues. However, I am still having issues with some clients not receiving DHCP addresses.
    I am using a Microsoft 2k3 server for DHCP and disabled dhcp proxy on the CLI of both controllers. I currently only have DHCP identified on the WLAN dynamic interface, although I have tried for S&G to enable the DHCP override also. I continue to get the same results.
    If I assign a static IP address I am able to browse intervlan, etc.
    Has anyone run into this before? Thanks in advance.
    Kendall

    The only time I have ever had DHCP issues when implementing wireless is if I forget to map the interface to the WLAN SSID. If you configure a port on the chassis for the same VLAN the wireless users will be on, can you get an IP? This will eliminate issues on the network side. If you can, then I would delete the WLAN and recreate it and see if that works. If that doesn't help, then reboot the WiSM blade.

  • ASA 5512-X - VPN & local clients DHCP relaying (DHCP Proxy vs. DHCP Relay conflict)

    Hey all,
    I have ASA-5512-X serving as general firewall/router. It also serves as AnyConnect SSL VPN gateway (webvpn).
    It has ~10 VLANs connected over 1 trunk port. One of the VLANs has DHCP server that shall serve all the VLANs (192.168.16.2).
    I'm trying to have the ASA relay DHCP requests from all VLANs to the DHCP server and to also serve VPN clients.
    However, according to bug https://tools.cisco.com/bugsearch/bug/CSCsd22469 both DHCP Proxy (webvpn) and DHCP Relay (local interfaces) can't be enabled at the same time.
    As VPN clients connect to the same VLANs as local users (eg. VLAN 2 - 192.168.2.0/24) I want to have the very same DHCP server serving both, otherwise it's gonna become a mess.
    Note: if I configure DHCP Relay functionality and disable DHCP Proxy - local clients are served fine. If I configure DHCP Proxy (webvpn) and disable DHCP Relay VPN clients are served fine. I therefore consider setup to be correct, just the ASA limitation won't allow me to make it serve both.
    Can DHCP Relay also serve VPN clients (no DHCP Proxy enabled)? Did I miss something?
    Thanks!

    Hi,
    The only workaround for this issue is to configure the ASA itself to act as DHCP server for vpn clients. You also have the flexibility of using local pool and AAA server. Why exactly do you want to use the same DHCP server for both?
    AM

  • WLC DHCP Proxy - To Do or Not to Do?

    What is the upside/downside of turning off the WLC's DHCP Proxy setting?  I know the option is there now, but it still defaults to proxy mode, so what are the issues?  I ask because I could make a current issue of a guest WLAN getting to a DHCP server a lot easier, if the client requests it. I can then DHCP relay off of a PIX and to my enterprise DHCP/DNS server. But I'm concerned what effect this may have on my other WLANs.

    DHCP proxy is required if the WLC is the DHCP server. If you disable this, remember to add the ip-helper address to your L3 interfaces.
    That part of the config is a holdover from the Airespace days that helped the WLC learn the ip access of the clients. This has been fixed/updated in later releases of code. So to proxy or not to proxy is really up to if the WLC is the DHCP or not, unless you are running 6.0.196.0 or 7.0.980, where you could hit CSCth68708.
    Sent from Cisco Technical Support iPad App

  • 5508-DHCP per WLAN basis

    Dear all,
    Kindly guide me on how to configure the WLC 5508 internal DHCP on a per-WLAN basis. I read the following document, and it clearly mentions that we can configure DHCP on the WLC 5508 on a per-WLAN basis, but I did not find the per-WLAN configuration.
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70wlan.html#wp1293808
    Need your kind response.

    When you configure dynamic interfaces on your 5508, you can specify DHCP server IP address. Later on you will map a dynamic interface to WLAN.
    Also under WLAN advanced setting, you can specify DHCP server IP, if you want to override dynamic interface configured DHCP server to a particular WLAN.
    HTH
    Rasika
    **** Pls rate all useful responses ***

  • DHCP proxy not working

    I have two WLC 4402 servicing several SSIDs. Every SSID represents a different VLAN with a different IP subnet.
    Now I want to use one DHCP server for all SSIDs. So I configured the server (I distinguish the requests from the different networks by option 82), put it into the VLAN where the ap-manager and the management interfaces reside, and configured the DHCP server address of the interfaces on the WLC appropriately for the new setup.
    Now my problem: No request arrives at the server. I now tried nearly all options but without success.
    I found out that relaying works if the DHCP server is on the SAME subnet. Then all requests are relayed (yes, relayed, unicasted by the controller).
    DHCP debug of the WLC says:
    DHCP received op BOOTREQUEST (1) (len 313, port 1, encap 0xec03)
    DHCP selecting relay 1 - control block settings: dhcpServer: 10.22.72.3, dhcpNetmask: 255.255.248.0, dhcpGateway: 10.22.72.33, dhcpRelay: 10.22.72.1 VLAN: 22
    DHCP selected relay 1 - 10.22.72.3 (local address 10.22.72.1, gateway 10.22.72.3, VLAN 22, port 1)
    DHCP transmitting DHCP REQUEST (3)
    If I now enter the DHCP server address of the new server (directly reachable through the ap-manager and management interfaces) I get the following:
    DHCP received op BOOTREQUEST (1) (len 308, port 1, encap 0xec03)
    DHCP selecting relay 1 - control block settings: dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0, dhcpGateway: 0.0.0.0, dhcpRelay: 10.6.72.1 VLAN: 640
    DHCP selected relay 1 - NONE
    It just seems to ignore the entered DHCP server address.
    I tried several software versions (v4.2, v5.2), all the same.
    DHCP proxy is enabled - as mentioned, if the DHCP server is in the same subnet, it works fine.
    Any suggestions?

    Here's the debug data as requested. It shows the complete connection try of a notebook.
    As I took a look on it myself I noticed line 77 of the debug output:
    DHCP selected relay 1 - 10.44.1.9 (local address 10.6.72.1, gateway 10.6.72.33, VLAN 640, port 1)
    It obviously selected the correct IP of the DHCP server (10.44.1.9). But does the rest mean the controller tries to forward the request via the standard gateway of the VLAN the client resides in? (10.6.72.33 is the standard gateway of the WLAN of the client.) This will fail because the network the DHCP server resides in doesn't have a gateway and is therefore unreachable by other networks (on purpose).
    Is there a way to make the controller send out the relayed request through its interface in the network of the DHCP server?

  • Guest DHCP Proxy function question

    Starting Point: Multiple 5508 WLCs running recent software and required to run N+1 resilience. (No Guest Anchors, Guest and Corporate WLANs on same WLC...not ideal but we are where we are!)
    What's changing?: Migrating Guest Access from simple xDSL for Guest with DHCP delivered by the xDSL router to a regular DMZ (DMZ has no DHCP servers)...beginning migration to a proper configuration.
    Question: Will the WLC running as a DHCP proxy provide DHCP leases to clients in Guest VLAN from a properly configured (Guest scope) DHCP server accessible via the management interface?
    Supplemental question: Will this affect how N+1 resilience is configured?

    Hi Jim,
    So you're legging your controllers into the DMZ? Normally anchors are involved and you place the anchor in the DMZ and tunnel. But it sounds like you have a foreign controller (inside) and are using these for both internal wireless and guest.
    I assume you are VLANing from your controller to the DSL router.
    How proxy works: on the WLC you have a guest interface. You give this an IP in the guest subnet and you also add the DHCP server IP. A wireless client comes on and asks for DHCP; the controller intercepts it and UNIcasts on behalf of the client for an IP address.
    Does that help ?

  • Per Wlan - Rate-Limit

    Hello, does anyone know if it's possible to set a maximum bandwidth for the entire WLAN or for an entire VLAN in the WLC 5508?
    Thanks

    This is a big desire for us too.
    You can do this multiple ways on the infrastructure:
    if using 6500s, you can use user-based rate limiting
    you can do this on various firewall products such as pfsense.
    You can use ingress & egress queuing on the switch, but it may not work as desired.
    We settled on using ip-nbar & policy routing for now to clamp down on file sharing protocols and also download urls with various extensions such as .iso, .dmg, .zip.....
    The challenge we found with per user limiting was that few solutions support the client count/demand that we see.
    If your environment is more spread out, you may have better luck with traffic policing and/or shaping at the switch level.
    As per wlan rate limiting, it will really depend on your infrastructure hardware & IOS supported functions.
    I agree about not shaping over the air, keep as much extraneous traffic off the air as possible.

  • Asr9k dhcp proxy question

    Hi.
    There's a proprietary DHCP server that, in certain cases, assigns yiaddr=127.0.0.1. The goal is to get rid of unwanted clients.
    An asr9k configured as DHCP proxy sends a release for every ack for yiaddr=127.0.0.1, so the client never gets this assignment and tries again and again, multiplying traffic.
    I know this DHCP server config doesn't make much sense, but I don't see any limitations about this in rfc2131 or draft-ietf-dhc-proxyserver-opt-05.
    Is there any way to work around this?
    Thanks!
    Diego

    DHCP Proxy uses the VIP and not the management IP of the WLC. Is one of the WLC ports connected to your internal network and the other port connected to the FW? Again with DHCP Proxy enabled, traffic will flow to your internal DHCP server as long as you have all the dhcp server address configured on the interfaces and have ip helper-address setup on the L3 interfaces.
    Here is a doc regarding DHCP Proxy:
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080af5d13.shtml#DHCP-Proxy

  • Asr9k dhcp proxy

    Hi.
    There's a proprietary DHCP server that, in certain cases, assigns yiaddr=127.0.0.1. The goal is to get rid of unwanted clients.
    An asr9k configured as DHCP proxy sends a release for every ack for yiaddr=127.0.0.1, so the client never gets this assignment and tries again and again, multiplying traffic.
    I know this DHCP server config doesn't make much sense, but I don't see any limitations about this in rfc2131 or draft-ietf-dhc-proxyserver-opt-05.
    Is there any way to work around this?
    Thanks!
    Diego

    hi vikas,
    yeah that is the current existing limitation we have whereby the Prefix-Delegation with a local server is tied to all subscriber access interfaces.
    If you need more granularity we can provide that by using radius and an offbox dhcp server if that is an option for you.
    This way you have the ability also to load a dhcp class from radius to signal to the dhcp server this class so a more selective pool can be used.
    Mixing local dhcp server with offbox is currently not available.
    I would like to do this functionality, but it is not a quick fix unfortunately. So if a local DHCP pool on a per access interface basis is a requirement, I would need to redirect you to your account team and facilitate a discussion with our eng group to see what can be done when.
    Today; (using) radius (for pool selection on an OFF-box server) is your best option.
    cheers!
    xander

  • Set IE proxy per computer

    Hello everybody,
    I am looking for a script in batch or PowerShell to set the Internet Explorer proxy per computer. Actually I know how to change the proxy in the registry, but it applies only per user.
    Does someone know how to apply Internet Explorer's proxy per computer, without using GPO?
    Thank you

    Hi SteliOS,
    Since you need to do this by using scripting instead of Group policy, we suggest you refer to TechNet scripting forum because you could get more useful advice about script modification.
    https://social.technet.microsoft.com/Forums/en-US/home?category=scripting
    And we still could provide some useful information.
    The registry entry about proxy settings are located in
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
    "ProxyEnable"=dword:00000000
    1 for enable 0 for disable
    "ProxyServer"="192.168.1.1:80"
    These values would be helpful when you modify a script, good luck.
    Regards
    D. Wu

  • Firmware update 7.5.2 is breaking workaround for disabling DHCP server

    If you are using the trick described here (http://discussions.apple.com/thread.jspa?threadID=121990) to disable DHCP, you should know that after upgrading to 7.5.3, it will not work anymore. Downgrading to 7.4.2 makes it work again.
    If somebody from Apple is reading this (and is interested in feedback, which I doubt, because there's no such option on the Support pages) - would it be possible to add an option to the AirPort configuration which would allow DHCP to be turned off (while NAT stays turned on)? It would be really nice...

    Hmm, while typing the previous message it gave me the following idea (and it worked).
    Since I am using a Mac mini as a server (Debian, sorry) that also has WLAN, I set up the server so both are connected (eth0 / wlan0). The default of the DHCP server is to listen on all interfaces, and voila, DHCP for the wireless devices.
    Hope this can help someone, without the need for downgrading your APE.

  • DHCP Proxy broken with particular interface/server (7.0.235.3)

    We are evaluating a NAC solution that wants to be the authoritative DHCP server for its quarantine VLANs.
    So we created a new interface on the controller, and set that interface to use this product as the DHCP server.
    Systemwide, we are running with DHCP Proxy enabled because some years ago the passthrough option was not working reliably for us alongside DHCP_REQD.  Since this is a global setting we are somewhat reluctant to go playing around with it.
    The WiSM card sends the DHCP request to the alternate DHCP server, that server replies, and we can even see the DHCP offer being sent out the PortChannel to the controller via a span sniff. All the source and destination addresses on the offer look OK.  However, clients assigned to this interface do not acquire a DHCP address.
    A DHCP address can be successfully obtained from a wired client joined to the same VLAN (the helper address is there, too.  This should not interfere, and doesn't, as we tried removing it just to be thorough and still the WLC does not work.)
    In the debug logs we see that interface marked as dirty for failure to resolve DHCP.  However we are not using interface groups so there should be no other alternative, and as far as we can tell delivery of the requests to the DHCP server is not being blocked by the failover mechanism:
    *DHCP Proxy DTL Recv Task: Feb 21 13:58:24.70 9: %SIM-3-DHCP_SERVER_NO_REPLY: sim_interface.c:1039 Failed to get DHCP response
    on interface 'regtest'. Marking interface dirty.
    We've tried moving the APs temporarily and rebooting the controller with the interface configuration saved to flash.  This did not jog anything loose.  If we set the DHCP servers on the interface back to the same servers that all the other interfaces use, DHCP works for wireless clients.
    The NAC appliance uses what appears to be a vanilla Linux server, as do we in production.  We can see and even alter the config for that server, and it does not contain anything eclectic, just the run of the mill options.
    We've tried using DHCP override on the test SSID to send all DHCP for every interface to the NAC appliance (not our desired final result, just as a test.)  This fails as well.
    Anybody have any other ideas as to how to jog this loose, how to ferret more information out of the controllers, something we may have missed configuration-wise, or a bug ID?

    It's a hold over from the Airespace code.  In the early versions, the way the WLC learned the client IP address to put them into a RUN state, was to proxy the DHCP request, so they could see the IP offered to the client.
    Granted it wasn't ideal but it was the way they did it.  Now it's learned a different way, but proxy is still the default, and required if the WLC acts as a DHCP server.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered
