Tuesday 15 October 2013

DHCP Related Configurations

From the perspective of the lab, I doubt very much that Microsoft DHCP server related configurations will be tested. Therefore my focus is on enabling DHCP services and associated features on IOS devices and WLCs.

DHCP and WLC

WLCs support both internal and external DHCP servers.

With external DHCP servers, the WLC DHCP configuration has two flavours: DHCP proxy mode and DHCP bridging mode.

DHCP proxy mode
  • More secure, as the WLC's virtual IP is used to forward DHCP packets, so the real DHCP server IP is not exposed to clients.
  • Enabled by default.
  • Required for option 82.
  • If there are firewalls in the path, DHCP proxy may need to be disabled on the WLC.
  • The DHCP server IPs need to be configured on the WLC interfaces.

Configuration :

config dhcp proxy enable

config interface dhcp management primary 10.10.10.100
config interface dhcp dynamic-interface data primary 10.10.20.100

Verification:

(Cisco Controller) >show dhcp proxy
DHCP Proxy Behaviour: enabled

debug dhcp message enable

DHCP bridging mode
  • The WLC just bridges the client packet to the appropriate VLAN and the client performs a normal DHCP transaction. That is, forwarding is done by the VLAN's L3 interface, so the SVIs need to be configured with the DHCP servers using the ip helper-address command.
  • DHCP proxy must be disabled.

Configuration:
config dhcp proxy disable
show dhcp proxy

L3 device:
interface vlan 100
 ip helper-address 10.10.10.100


Internal DHCP server
  • When configuring the internal DHCP server, the DHCP server address needs to be the management IP of the WLC.
  • DHCP proxy needs to be enabled.
  • The internal DHCP server IP (the management IP) can be set as part of the dynamic interface configuration or as a DHCP override option.

CLI configuration:


Verification


IOS DHCP server

The following example configures DHCP on an IOS device that provides IP addresses for Cisco 3500 series APs. The WLC management IP is 1


ip dhcp pool TST1
   network 172.16.100.0 255.255.255.0
   default-router 172.16.100.100
   option 60 ascii "Cisco AP c3500"
   option 43 hex f104.0a0a.0a01



ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.2


DHCP option 43 provides the WLC management IP for WLC discovery as a TLV.
I will discuss this in the WLC discovery section.

DHCP option 60 restricts the forwarding of option 43 to devices that are defined under a Vendor Class Identifier (VCI). The VCI defines the AP model class. The above URL also lists the VCIs for Cisco APs.

Therefore, due to the configuration of option 60, the WLC IP address (option 43) will be provided by the DHCP server only to Cisco 3500 series APs. Other, non-3500 devices connected on the same VLAN will not receive this information.
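As an added worked example (not code from the original post), the following Python encodes and decodes the option 43 TLV in the IOS "option 43 hex" form used above. It goes beyond the page's single-controller value and also handles a list of controllers, where the length byte becomes 4 times the number of addresses; the function names are mine.

```python
# Added example (not from the original post): encode and decode the DHCP option 43
# TLV that IOS takes as "option 43 hex", e.g. f104.0a0a.0a01 for a WLC at 10.10.10.1.
import ipaddress

WLC_TLV_TYPE = 0xF1      # TLV type byte Cisco APs expect for the controller list
MAX_WLC_ENTRIES = 63     # 63 * 4 bytes = 252, within the one-byte TLV length limit


def _ios_hex(raw: bytes) -> str:
    """Render bytes in the IOS dotted-hex style (groups of two bytes)."""
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def build_option43(wlc_ips):
    """Return the IOS 'option 43 hex' string listing one or more WLC management IPs."""
    if not 1 <= len(wlc_ips) <= MAX_WLC_ENTRIES:
        raise ValueError("option 43 needs 1..63 controller addresses")
    value = b"".join(ipaddress.IPv4Address(ip).packed for ip in wlc_ips)
    tlv = bytes([WLC_TLV_TYPE, len(value)]) + value   # type, length, then the IPv4 addresses
    return _ios_hex(tlv)


def parse_option43(ios_hex: str):
    """Decode an IOS option 43 hex string back into the list of WLC IPs."""
    raw = bytes.fromhex(ios_hex.replace(".", ""))
    if len(raw) < 2 or raw[0] != WLC_TLV_TYPE:
        raise ValueError("not a Cisco AP controller TLV (type 0xf1)")
    length, value = raw[1], raw[2:]
    if length != len(value) or length % 4:
        raise ValueError("TLV length does not cover a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]


if __name__ == "__main__":
    print(build_option43(["10.10.10.1"]))                # the page's value: f104.0a0a.0a01
    print(build_option43(["10.10.10.1", "10.10.10.2"]))  # two controllers: length byte 08
    print(parse_option43("f104.0a0a.0a01"))
```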

Note. I tested this and can confirm that option 60 does not work on IOS. Raised this on CLN and one of the CCIEWs confirmed that option 60 will only work on a Windows server.


Note. For VoWLAN, the DHCP pool that allocates IPs for the handsets needs to be configured with
option 150 ip 10.10.10.101, where 10.10.10.101 is the IP address of the CME.

ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.2

The above two statements prevent DHCP from assigning any IPs that are already defined statically.


DHCP Option 82

This option is enabled to prevent rogue DHCP servers from issuing IP addresses and also to prevent rogue client devices from obtaining legitimate IP addresses. The relay agent ID is used to identify the devices participating in the DHCP transaction. If no matching ID is found for the relay agent, DHCP offers will not be sent. Therefore both the WLC and the DHCP server need to be configured.

On the DHCP server (here the L3 switch), classes are defined per device.
Each class contains the WLC identifier + the AP base MAC, which together make a unique ID.
The WLC identifier is common to all Cisco WLCs: 0104000000000206 in hex.


APs and IP address allocation prior to the option 82 implementation:

R1(config)#do sh ip dhcp bind
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
172.16.100.1        0140.5539.8e2a.2c       Jan 02 1970 12:39 AM    Automatic
172.16.100.2        0100.1de5.56e5.b0       Jan 02 1970 12:40 AM    Automatic



The objective here is to use option 82 so that the AP3500 gets an IP from the 172.16.100.120 - .140 range and
the AP1130 gets an IP from the 172.16.100.20 - .40 range.

1. Work out the relay information string based on the radio MAC

AP1130 radio MAC 00:21:55:4d:6e:00
relay information string: 01040000000002060021554d6e00

AP3500 radio MAC 1c:aa:07:43:7a:90
relay information string: 01040000000002061caa07437a90


2. Define classes for each AP type

I could not configure the class option on the 3560, so instead I used an 1841 for testing.


ip dhcp pool TST1
   network 172.16.100.0 255.255.255.0
   default-router 172.16.100.100
   option 43 hex f104.0a0a.0a01
   class 1130
      address range 172.16.100.20 172.16.100.40
   class 3500
      address range 172.16.100.120 172.16.100.140
!
!
ip dhcp class 1130
   relay agent information
      relay-information hex 01040000000002060021554d6e00
!
ip dhcp class 3500
   relay agent information
      relay-information hex 01040000000002061caa07437a90

3. Check that DHCP proxy is enabled on the WLC


4. Enable option 82 on the WLC CLI

(wlc01) >config interface dhcp dynamic-interface op82_test option-82
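As an added worked example covering steps 1 and 2 (not code from the original post), the following Python builds the relay-information string from an AP radio MAC, splits it into its option 82 sub-options (RFC 3046), and reproduces the per-class lookup the router's DHCPD debug shows. The CLASSES table mirrors the two ip dhcp class blocks above; the function names and the exact-match rule are my assumptions.

```python
# Added example (not from the original post): build the relay-information string that an
# "ip dhcp class" on IOS expects from an AP radio MAC, decode it into its RFC 3046
# sub-options, and reproduce the class match shown in the router's DHCPD debug.

# The prefix the post calls the "WLC identifier". Per RFC 3046 it decodes as
# sub-option 1 (circuit ID, length 4, all zeros) plus the header of sub-option 2
# (remote ID, length 6), whose value is the AP MAC that follows.
WLC_IDENTIFIER = "0104000000000206"


def relay_information(ap_radio_mac: str) -> str:
    """Return the hex string used in 'relay-information hex ...' for one AP radio MAC."""
    mac = ap_radio_mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(mac) != 12 or any(c not in "0123456789abcdef" for c in mac):
        raise ValueError(f"bad MAC address: {ap_radio_mac}")
    return WLC_IDENTIFIER + mac


def decode_relay_information(hex_string: str) -> dict:
    """Split an option 82 value into {sub-option code: value bytes} (RFC 3046 TLVs)."""
    raw = bytes.fromhex(hex_string)
    subs, pos = {}, 0
    while pos < len(raw):
        if pos + 2 > len(raw) or pos + 2 + raw[pos + 1] > len(raw):
            raise ValueError("truncated option 82 sub-option")
        code, length = raw[pos], raw[pos + 1]
        subs[code] = raw[pos + 2:pos + 2 + length]
        pos += 2 + length
    return subs


# Constructed to mirror the two 'ip dhcp class' blocks and their address ranges.
CLASSES = {
    "1130": {"relay": relay_information("00:21:55:4d:6e:00"),
             "range": ("172.16.100.20", "172.16.100.40")},
    "3500": {"relay": relay_information("1c:aa:07:43:7a:90"),
             "range": ("172.16.100.120", "172.16.100.140")},
}


def match_class(relay_hex: str, classes=CLASSES):
    """Return (class name, address range) for the class whose relay-information
    pattern equals the option 82 value, or None when no class matches and the
    server therefore makes no class-restricted offer. Exact match only, the
    simplest form of the IOS pattern."""
    for name, cls in classes.items():
        if relay_hex.lower() == cls["relay"]:
            return name, cls["range"]
    return None
```

Decoding either string yields 14 bytes, which is the "82 (len 14)" the WLC proxy debug reports for the option.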


Verification

WLC


(wlc01) >show interface detailed op82_test

Interface Name................................... op82_test
MAC Address...................................... 00:1b:d5:68:88:07
IP Address....................................... 172.16.100.1
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 172.16.100.100
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. 100
Quarantine-vlan.................................. 0
Active Physical Port............................. LAG (29)
Primary Physical Port............................ LAG (29)
Backup Physical Port............................. Unconfigured
Primary DHCP Server.............................. 172.16.100.100
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Enabled
Remote ID format................................. ap-mac
ACL.............................................. Unconfigured
AP Manager....................................... No
Guest Interface.................................. No
L2 Multicast..................................... Enabled


Router


*Jan  1 01:39:34.179: DHCPD: Seeing if there is an internally specified pool class:
*Jan  1 01:39:34.179:   DHCPD: htype 1 chaddr e0f5.c602.5eb1
*Jan  1 01:39:34.179:   DHCPD: remote id 020a0000ac10646400000000
*Jan  1 01:39:34.179:   DHCPD: circuit id 00000000
*Jan  1 01:39:34.179: DHCPD: Searching for a match to '      relay-information 01040000000002061caa07437a90' in class 1130
*Jan  1 01:39:34.179: DHCPD: Searching for a match to '      relay-information 01040000000002061caa07437a90' in class 3500
*Jan  1 01:39:34.179: DHCPD: input pattern '      relay-information 01040000000002061caa07437a90' matches class 3500
*Jan  1 01:39:34.179: DHCPD: input matches class 3500
*Jan  1 01:39:36.179: DHCPD: Adding binding to radix tree (172.16.100.121)
*Jan  1 01:39:36.179: DHCPD: Adding binding to hash tree
*Jan  1 01:39:36.179: DHCPD: assigned IP address 172.16.100.121 to client 01e0.f5c6.025e.b1.
*Jan  1 01:39:36.179: DHCPD: Sending notification of DISCOVER:
*Jan  1 01:39:36.179:   DHCPD: htype 1 chaddr e0f5.c602.5eb1
*Jan  1 01:39:36.179:   DHCPD: remote id 020a0000ac10646400000000
*Jan  1 01:39:36.179:   DHCPD: circuit id 00000000
*Jan  1 01:39:36.179: DHCPD: Seeing if there is an internally specified pool class:
*Jan  1 01:39:36.179:   DHCPD: htype 1 chaddr e0f5.c602.5eb1
*Jan  1 01:39:36.179:   DHCPD: remote id 020a0000ac10646400000000
*Jan  1 01:39:36.179:   DHCPD: circuit id 00000000
*Jan  1 01:39:37.231: DHCPD: Sending notification of ASSIGNMENT:
*Jan  1 01:39:37.231:  DHCPD: address 172.16.100.121 mask 255.255.255.0
*Jan  1 01:39:37.231:   DHCPD: htype 1 chaddr e0f5.c602.5eb1
*Jan  1 01:39:37.231:   DHCPD: lease time remaining (secs) = 86400



I also noticed a debug on the WLC that states option 82 as skipping. I think the skipping is applicable for parameters that are not relevant.



(wlc01) >
(wlc01) >*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.581: e0:f5:c6:02:5e:b1 DHCP option len (including the magic cookie) 72
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.581: e0:f5:c6:02:5e:b1 DHCP option: message type = DHCP DISCOVER
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.581: e0:f5:c6:02:5e:b1 DHCP option: 55 (len 6) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.581: e0:f5:c6:02:5e:b1 DHCP option: 57 (len 2) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.582: e0:f5:c6:02:5e:b1 DHCP option: 61 (len 7) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.582: e0:f5:c6:02:5e:b1 DHCP option: lease time = 7776000 seconds
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.582: e0:f5:c6:02:5e:b1 DHCP option: 12 (len 7) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.582: e0:f5:c6:02:5e:b1 DHCP options end, len 72, actual 64
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.582: e0:f5:c6:02:5e:b1 DHCP Forwarding DHCP packet (428 octets)                      -- packet received on direct-connect port requires forwarding to external DHCP server. Next-hop is 172.16.100.100
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.584: e0:f5:c6:02:5e:b1 DHCP option len (including the magic cookie) 72
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.585: e0:f5:c6:02:5e:b1 DHCP option: message type = DHCP OFFER
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.585: e0:f5:c6:02:5e:b1 DHCP option: server id = 172.16.100.100
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.585: e0:f5:c6:02:5e:b1 DHCP option: lease time = 86266 seconds
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.585: e0:f5:c6:02:5e:b1 DHCP option: 58 (len 4) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.585: e0:f5:c6:02:5e:b1 DHCP option: 59 (len 4) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.585: e0:f5:c6:02:5e:b1 DHCP option: netmask = 255.255.255.0
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.585: e0:f5:c6:02:5e:b1 DHCP option: gateway = 172.16.100.100
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.585: e0:f5:c6:02:5e:b1 DHCP option: 82 (len 14) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:45.585: e0:f5:c6:02:5e:b1 DHCP options end, len 72, actual 64
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.621: e0:f5:c6:02:5e:b1 DHCP option len (including the magic cookie) 72
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.621: e0:f5:c6:02:5e:b1 DHCP option: message type = DHCP REQUEST
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.621: e0:f5:c6:02:5e:b1 DHCP option: 55 (len 6) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.621: e0:f5:c6:02:5e:b1 DHCP option: 57 (len 2) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.622: e0:f5:c6:02:5e:b1 DHCP option: 61 (len 7) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.622: e0:f5:c6:02:5e:b1 DHCP option: requested ip = 172.16.100.121
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.622: e0:f5:c6:02:5e:b1 DHCP option: server id = 10.0.0.1
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.622: e0:f5:c6:02:5e:b1 DHCP option: 12 (len 7) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.622: e0:f5:c6:02:5e:b1 DHCP options end, len 72, actual 64
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.622: e0:f5:c6:02:5e:b1 DHCP Forwarding DHCP packet (428 octets)                      -- packet received on direct-connect port requires forwarding to external DHCP server. Next-hop is 172.16.100.100
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.624: e0:f5:c6:02:5e:b1 DHCP option len (including the magic cookie) 72
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.624: e0:f5:c6:02:5e:b1 DHCP option: message type = DHCP ACK
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.625: e0:f5:c6:02:5e:b1 DHCP option: server id = 172.16.100.100
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.625: e0:f5:c6:02:5e:b1 DHCP option: lease time = 86400 seconds
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.625: e0:f5:c6:02:5e:b1 DHCP option: 58 (len 4) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.625: e0:f5:c6:02:5e:b1 DHCP option: 59 (len 4) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.625: e0:f5:c6:02:5e:b1 DHCP option: netmask = 255.255.255.0
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.625: e0:f5:c6:02:5e:b1 DHCP option: gateway = 172.16.100.100
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.625: e0:f5:c6:02:5e:b1 DHCP option: 82 (len 14) - skipping
*DHCP Proxy DTL Recv Task: Aug 16 20:10:46.625: e0:f5:c6:02:5e:b1 DHCP options end, len 72, actual 64

The client associates to the AP3500 and obtains the intended IP.



R1#sh ip dhcp bind
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
172.16.100.121      01e0.f5c6.025e.b1       Jan 02 1970 01:41 AM    Automatic




The AP3500 was disconnected and therefore the client associated with the AP1130. It received an IP from the intended range.



*Jan  1 01:45:50.107:   DHCPD: htype 1 chaddr e0f5.c602.5eb1
*Jan  1 01:45:50.107:   DHCPD: remote id 020a0000ac10646400000000
*Jan  1 01:45:50.107:   DHCPD: circuit id 00000000
*Jan  1 01:45:50.107: DHCPD: Searching for a match to '      relay-information 01040000000002060021554d6e00' in class 1130
*Jan  1 01:45:50.107: DHCPD: input pattern '      relay-information 01040000000002060021554d6e00' matches class 1130
*Jan  1 01:45:50.107: DHCPD: input matches class 1130
*Jan  1 01:45:52.107: DHCPD: Adding binding to radix tree (172.16.100.20)
*Jan  1 01:45:52.107: DHCPD: Adding binding to hash tree
*Jan  1 01:45:52.107: DHCPD: assigned IP address 172.16.100.20 to client 01e0.f5c6.025e.b1.
*Jan  1 01:46:05.503: DHCPD: Sending notification of DISCOVER:
*Jan  1 01:46:05.503:   DHCPD: htype 1 chaddr e0f5.c602.5eb1
*Jan  1 01:46:05.503:   DHCPD: remote id 020a0000ac10646400000000
*Jan  1 01:46:05.503:   DHCPD: circuit id 00000000
*Jan  1 01:46:05.503: DHCPD: Seeing if there is an internally specified pool class:
*Jan  1 01:46:05.503:   DHCPD: htype 1 chaddr e0f5.c602.5eb1
*Jan  1 01:46:05.503:   DHCPD: remote id 020a0000ac10646400000000
*Jan  1 01:46:05.503:   DHCPD: circuit id 00000000
*Jan  1 01:46:06.535: DHCPD: Sending notification of ASSIGNMENT:
*Jan  1 01:46:06.535:  DHCPD: address 172.16.100.20 mask 255.255.255.0
*Jan  1 01:46:06.535:   DHCPD: htype 1 chaddr e0f5.c602.5eb1
*Jan  1 01:46:06.535:   DHCPD: lease time remaining (secs) = 86400


R1#sh ip dhcp bind
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
172.16.100.20       01e0.f5c6.025e.b1       Jan 02 1970 01:46 AM    Automatic
