Which role of Windows Server 2012 enables your server to act as a DHCP relay agent
DHCP

Information About Dynamic Host Configuration Protocol

You can configure WLANs to use the same or different Dynamic Host Configuration Protocol (DHCP) servers or no DHCP server. Two types of DHCP servers are available: internal and external.
Internal DHCP Servers

The controllers contain an internal DHCP server. This server is typically used in branch offices that do not already have a DHCP server. The wireless network generally contains no more than 10 APs, with the APs on the same IP subnet as the controller. The internal server provides DHCP addresses to wireless clients, direct-connect APs, and DHCP requests that are relayed from APs. Only lightweight access points are supported. When you want to use the internal DHCP server, ensure that you configure an SVI for the client VLAN and set its IP address as the DHCP server IP address. DHCP option 43 is not supported on the internal server. Therefore, the access point must use an alternative method to locate the management interface IP address of the controller, such as local subnet broadcast, Domain Name System (DNS), or priming. Also, an internal DHCP server can serve only wireless clients, not wired clients. When clients use the internal DHCP server of the controller, IP addresses are not preserved across reboots. As a result, multiple clients can be assigned the same IP address. To resolve any IP address conflicts, clients must release their existing IP address and request a new one. Wired guest clients are always on a Layer 2 network connected to a local or foreign controller.
External DHCP Servers

The operating system is designed to appear as a DHCP relay to the network and as a DHCP server to clients, working with industry-standard external DHCP servers that support DHCP relay. This means that each controller appears as a DHCP relay agent to the DHCP server and as a DHCP server at the virtual IP address to wireless clients. Because the controller captures the client IP address that is obtained from a DHCP server, it maintains the same IP address for that client during intra-controller, inter-controller, and inter-subnet client roaming.
DHCP Assignments

You can configure DHCP on a per-interface or per-WLAN basis. We recommend that you use the primary DHCP server address that is assigned to a particular interface. You can assign DHCP servers for individual interfaces. You can configure the management interface, AP-manager interface, and dynamic interface for a primary and secondary DHCP server, and you can configure the service-port interface to enable or disable DHCP servers. You can also define a DHCP server on a WLAN. In this case, the server overrides the DHCP server address on the interface assigned to the WLAN.

Security Considerations

For enhanced security, we recommend that you require all clients to obtain their IP addresses from a DHCP server. To enforce this requirement, you can configure all WLANs with a DHCP Addr. Assignment Required setting, which disallows client static IP addresses. If DHCP Addr. Assignment Required is selected, clients must obtain an IP address via DHCP. Any client with a static IP address is not allowed on the network. The controller monitors DHCP traffic because it acts as a DHCP proxy for the clients.
If slightly less security is tolerable, you can create WLANs with DHCP Addr. Assignment Required disabled. Clients then have the option of using a static IP address or obtaining an IP address from a designated DHCP server.
You can create separate WLANs with DHCP Addr. Assignment Required configured as disabled. This is applicable only if DHCP proxy is enabled for the controller. You must not define the primary/secondary DHCP server configuration; you should disable the DHCP proxy. These WLANs drop all DHCP requests and force clients to use a static IP address. These WLANs do not support management over wireless connections.

DHCP Proxy Mode versus DHCP Bridging Mode

When using external DHCP servers, the controller can operate in one of two modes: as a DHCP relay or as a DHCP bridge. DHCP proxy mode serves as a DHCP helper function to achieve better security and control over the DHCP transaction between the DHCP server and the wireless clients. DHCP bridging mode provides an option to make the controller's role in the DHCP transaction entirely transparent to the wireless clients.

Table 1. Comparison of DHCP Proxy and Bridging Modes
DHCP Proxy Mode

In DHCP proxy mode, the controller's virtual IP address is used as the source IP address of all DHCP transactions to the client. As a result, the real DHCP server IP address is not exposed in the air. This virtual IP is displayed in debug output for DHCP transactions on the controller. However, use of a virtual IP address can cause issues on certain types of clients. When multiple offers come from external DHCP servers, the DHCP proxy normally selects the first one that comes in and sets the IP address of that server in the client data structure. As a result, all following transactions go through the same DHCP server until a transaction fails after retries. At this point, the proxy selects a different DHCP server for the client. DHCP proxy is enabled by default. All controllers in a mobility list must have the same DHCP proxy setting.
Proxy Mode Packet Flow

This section contains the following subsections: Restrictions on Using DHCP Proxy
Configuring DHCP Proxy (GUI)

Procedure
Configuring DHCP Proxy (CLI)

Procedure
Configuring a DHCP Timeout (GUI)

For client associations to a WLAN that has DHCP required, the DHCP timeout controls how long the controller will wait, after a new association, for the client to complete DHCP. If the DHCP exchange is not completed within the timeout period, the controller deauthenticates the client. The default setting is the maximum of 120 seconds; we recommend that you do not reduce this value.

Procedure

Configuring a DHCP Timeout (CLI)

For client associations to a WLAN that has DHCP required, the DHCP timeout controls how long the controller will wait, after a new association, for the client to complete DHCP. If the DHCP exchange is not completed within the timeout period, the controller deauthenticates the client. The default setting is the maximum of 120 seconds; we recommend that you do not reduce this value.

Procedure
DHCP Option 82

DHCP option 82 provides additional security when DHCP is used to allocate network addresses. It enables the controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources. You can configure the controller to add option 82 information to DHCP requests from clients before forwarding the requests to the DHCP server.

Figure 1. DHCP Option 82

The access point forwards all DHCP requests from a client to the controller. The controller adds the DHCP option 82 payload and forwards the request to the DHCP server. The payload can contain the MAC address or the MAC address and SSID of the access point, depending on how you configure this option.
For DHCP option 82 to operate correctly, DHCP proxy must be enabled. This section contains the following subsections: Restrictions on DHCP Option 82
Configuring DHCP Option 82 (GUI)

Procedure
What to do next

On the controller CLI, you can enable DHCP option 82 on the dynamic interface to which the WLAN is associated by entering this command:

config interface dhcp dynamic-interface interface-name option-82 enable

Configuring DHCP Option 82 (CLI)

Procedure
Configuring DHCP Option 82 Insertion in Bridge Mode (CLI)

Procedure
DHCP Option 82 Link Select and VPN Select Suboptions

In a wireless environment, when a client requests a DHCP address, the giaddr field in the DHCP DISCOVER packet tells the DHCP server the subnet from which the IP address has to be assigned. The giaddr field also specifies the address that the DHCP server can use to communicate with the DHCP relay agent (the controller). It is difficult to guarantee that the controller IP address in that subnet is reachable from the DHCP server. Hence, there is a need to send link-selection information that is distinct from the controller-reachable address to the DHCP server. Using DHCP link select (DHCP option 82, suboption 5) configured on the controller interface, link-selection information distinct from the controller's reachable address is sent to the DHCP server.

In a large wireless network, the Cisco Network Registrar (CNR) DHCP server has multiple pools created based on VPN IDs or VRF names. Using these pools, you can assign an IP address to a client with the help of the DHCP VPN Select option (DHCP option 82, suboption 151). When you enable DHCP VPN Select on the controller interface, the controller sends the VPN ID or VRF name of the pool from which the IP address has to be assigned to the client. The DHCP VPN Select option enables easy-to-operate, shared usage of a centralized DHCP server, resulting in cost savings.

DHCP Link Select

Configure DHCP Link Select (DHCP option 82, suboption 5) on the management and dynamic interfaces of the controller. Before configuring DHCP Link Select on a controller interface, enable DHCP proxy and DHCP option 82 on that interface. When the Link Select option is enabled on the controller interface, suboption 5 is added to the packet with the IP address information that contains the desired subnet address for the corresponding client. The subnet address is the controller interface address mapped to the client VLAN interface. The DHCP server uses the subnet address to assign the IP address to the DHCP client.

DHCP VPN Select

Configure DHCP VPN Select (DHCP option 82, suboption 151) on the management and dynamic interfaces of the controller. Before configuring DHCP VPN Select on a controller interface, enable DHCP proxy and DHCP option 82 on that interface. You can configure different VPN IDs or VRF names on the same controller or on different controllers using the VPN Select feature configured on the controller interface. Configuring the VPN Select feature results in the DHCP server VPN pools having nonoverlapping addresses. You must add VSS Control suboption 152 every time VSS suboption 151 is sent to the DHCP server. If the DHCP server understands and acts on VSS suboption 151, it removes VSS Control suboption 152 from the DHCP acknowledgment. If the DHCP server copies VSS Control suboption 152 back into the DHCP acknowledgment, the DHCP server does not have the required support for the VSS suboption.

Mobility Considerations

Same subnet: The VPN ID or VRF name mapping to a WLAN should be the same on all the controllers in a mobility group. For example, if the WLAN1 interface maps to VPN ID 1 and the WLAN2 interface maps to VPN ID 2 on WLC A, then WLC B should also have the WLAN1 interface mapping to VPN ID 1 and the WLAN2 interface mapping to VPN ID 2. This way, when a client Layer 2 roams to another WLC, the roamed-to WLC's DHCP configuration ensures that the client is assigned an address from the same VPN.

Different subnet mobility: With Layer 3 mobility, all DHCP DISCOVER packets are sent to the anchor, and assignment from the original VPN is ensured.

Auto anchor mobility: All DHCP DISCOVER packets are sent to the anchor, and assignment from the original VPN is ensured.

Prerequisites for DHCP Option 82 Link Select and VPN Select
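As an added example, not code from the Cisco guide, the following Python builds the option 82 TLV a relay inserts with the suboptions described in the Option 82 and Link Select/VPN Select sections above (remote-id carrying the AP MAC or MAC plus SSID, link select 5, VSS 151 with its VSS Control 152), parses it back, and applies the acknowledgment check that tells you whether the DHCP server actually supports VSS. The back-to-back MAC+SSID layout of the remote-id is an assumption of this example; suboption 5 follows RFC 3527 and suboptions 151/152 follow RFC 6607.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Relay Agent Information (DHCP option 82) suboption codes used on this page:
# 1/2 are circuit-id/remote-id (RFC 3046), 5 is link selection (RFC 3527),
# 151/152 are VSS and VSS-Control (RFC 6607).
SUB_CIRCUIT_ID, SUB_REMOTE_ID, SUB_LINK_SELECT = 1, 2, 5
SUB_VSS, SUB_VSS_CONTROL = 151, 152


def build_option82(ap_mac: bytes, ssid: Optional[str], link_select_ip: Optional[str],
                   vrf_name: Optional[str]) -> bytes:
    """Option 82 TLV the controller inserts before forwarding a client's DHCP request.
    The remote-id carrying the AP MAC, or MAC plus SSID, is the payload the page
    describes; packing them back to back is an assumption of this example."""
    subs: List[Tuple[int, bytes]] = [(SUB_REMOTE_ID, ap_mac + (ssid.encode() if ssid else b""))]
    if link_select_ip:
        # Suboption 5: the subnet the server should allocate from, distinct from giaddr.
        subs.append((SUB_LINK_SELECT, bytes(int(o) for o in link_select_ip.split("."))))
    if vrf_name:
        # Suboption 151, type 0 = NVT ASCII VPN identifier (the VRF name). Every 151
        # must be accompanied by the zero-length control suboption 152.
        subs.append((SUB_VSS, b"\x00" + vrf_name.encode()))
        subs.append((SUB_VSS_CONTROL, b""))
    body = b"".join(struct.pack("BB", code, len(val)) + val for code, val in subs)
    return struct.pack("BB", 82, len(body)) + body


def parse_suboptions(option82: bytes) -> Dict[int, bytes]:
    """Decode an option 82 TLV into {suboption code: value}, rejecting bad lengths."""
    if len(option82) < 2 or option82[0] != 82 or option82[1] != len(option82) - 2:
        raise ValueError("not a well-formed option 82 TLV")
    subs, i = {}, 2
    while i < len(option82):
        if i + 2 > len(option82) or i + 2 + option82[i + 1] > len(option82):
            raise ValueError("truncated suboption")
        code, n = option82[i], option82[i + 1]
        subs[code] = option82[i + 2:i + 2 + n]
        i += 2 + n
    return subs


def server_supports_vss(ack_option82: bytes) -> bool:
    """The page's check: a server that acts on suboption 151 strips 152 from the ACK;
    one that copies 152 back into the ACK lacks VSS support."""
    return SUB_VSS_CONTROL not in parse_suboptions(ack_option82)
```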
Configuring DHCP Option 82 Link Select and VPN Select (GUI)

Procedure
Configuring DHCP Option 82 Link Select and VPN Select (CLI)

Procedure
Internal DHCP Server

Controllers have built-in DHCP relay agents. However, for network segments that do not have a separate DHCP server, the controllers can run a built-in internal DHCP server that assigns IP addresses and subnet masks to wireless clients. Typically, one controller can have one or more internal DHCP scopes that each provide a range of IP addresses. Internal DHCP scopes are needed for internal DHCP to work. Once DHCP is defined on the controller, you can then point the primary DHCP server IP address on the management, AP-manager, and dynamic interfaces to the controller's management interface.

Per WLAN DHCP Servers

By default, when using DHCP proxy mode, a WLAN's clients use the DHCP servers that are configured on the mapped interfaces. You can override the interface's DHCP servers by configuring per-WLAN DHCP servers.

This section contains the following subsections: Restrictions for Configuring Internal DHCP Server
Configuring DHCP Scopes (GUI)

Procedure
Configuring DHCP Scopes (CLI)

Procedure
Configuring DHCP Per WLAN (GUI)

When you want to use the internal DHCP server, you must set the management interface IP address of the controller as the DHCP server IP address.

Procedure
Configuring DHCP Per WLAN (CLI)

Procedure
DHCP Release Override on Cisco APs

If you are using Microsoft Windows Server 2008 R2 or 2012 as the DHCP server, then after an AP or Cisco WLC reboot the AP might fail to associate with the Cisco WLC because it has no valid IP address. This is caused by an interoperability issue with the Microsoft server. When a Cisco WLC is rebooted, the AP tries to associate with the Cisco WLC. During this time, the AP keeps renewing its IP address. Every time the AP releases the current DHCP lease, it sends out 3 DHCP release packets. Sending 3 DHCP release packets is common across all Cisco IOS software-based products. Cisco DHCP servers running on various Cisco devices release the IP address when they get the first DHCP release message and ignore the later messages. However, the Microsoft DHCP server marks the address as BAD_ADDRESS when it receives the second and third DHCP release packets. A workaround for this issue is to configure DHCP release override and set the number of DHCP releases sent by the AP to 1, on one Cisco AP or on all APs, by entering this command:

config ap dhcp release-override enable {cisco-ap | all}
For more information about this issue, see the CSCuv61271 caveat.

Debugging DHCP (CLI)

Use these commands to debug DHCP:
What is enable DHCP relay?

A DHCP relay agent is a host or router that forwards DHCP packets between clients and servers. Network administrators can use the DHCP Relay service of the SD-WAN appliances to relay requests and replies between local DHCP clients and a remote DHCP server.

What function does a DHCP relay agent perform?

The DHCP relay agent operates as the interface between DHCP clients and the server. The DHCP relay agent relays DHCP messages between DHCP clients and DHCP servers on different IP networks.

Where is the DHCP relay agent?

The workstation on the left is configured as a DHCP client. R2 on the right is configured as a DHCP server. The workstation sends a DHCP discover packet but receives no response, since R1 does not forward the packet to R2 (broadcast packets stay on the local subnet).

What command configures a DHCP relay agent?

A DHCP relay agent uses the "ip helper-address" command to indicate the DHCP server's IP address. It inserts the IP address of the interface on which that command is configured into the gateway IP address (giaddr) field of the DHCP packet, so the DHCP server knows which IP address range to allocate from.