Which role of Windows Server 2012 enables your server to act as a DHCP relay agent

The controllers contain an internal DHCP server. This server is typically used in branch offices that do not already have a DHCP server.

The wireless network generally contains a maximum of 10 APs or less, with the APs on the same IP subnet as the controller.

The internal server provides DHCP addresses to wireless clients, direct-connect APs, and DHCP requests that are relayed from APs. Only lightweight access points are supported. When you want to use the internal DHCP server, ensure that you configure SVI for client VLAN and set the IP address as DHCP server IP address.

DHCP option 43 is not supported on the internal server. Therefore, the access point must use an alternative method to locate the management interface IP address of the controller, such as local subnet broadcast, Domain Name System (DNS), or priming.

Also, an internal DHCP server can serve only wireless clients, not wired clients.

When clients use the internal DHCP server of the controller, IP addresses are not preserved across reboots. As a result, multiple clients can be assigned to the same IP address. To resolve any IP address conflicts, clients must release their existing IP address and request a new one.

Wired guest clients are always on a Layer 2 network connected to a local or foreign controller.

Note	VRF is not supported in the internal DHCP servers. DHCPv6 is not supported in the internal DHCP servers.

The operating system is designed to appear as a DHCP Relay to the network and as a DHCP server to clients with industry-standard external DHCP servers that support DHCP Relay, which means that each controller appears as a DHCP Relay agent to the DHCP server and as a DHCP server at the virtual IP address to wireless clients.

Because the controller captures the client IP address that is obtained from a DHCP server, it maintains the same IP address for that client during intra controller, inter controller, and inter-subnet client roaming.

Note	External DHCP servers can support DHCPv6.

You can configure DHCP on a per-interface or per-WLAN basis. We recommend that you use the primary DHCP server address that is assigned to a particular interface.

You can assign DHCP servers for individual interfaces. You can configure the management interface, AP-manager interface, and dynamic interface for a primary and secondary DHCP server, and you can configure the service-port interface to enable or disable DHCP servers. You can also define a DHCP server on a WLAN. In this case, the server overrides the DHCP server address on the interface assigned to the WLAN.

Security Considerations

For enhanced security, we recommend that you require all clients to obtain their IP addresses from a DHCP server. To enforce this requirement, you can configure all WLANs with a DHCP Addr. Assignment Required setting, which disallows client static IP addresses. If DHCP Addr. Assignment Required is selected, clients must obtain an IP address via DHCP. Any client with a static IP address is not allowed on the network. The controller monitors DHCP traffic because it acts as a DHCP proxy for the clients.

Note

WLANs that support management over wireless must allow management (device-servicing) clients to obtain an IP address from a DHCP server. The operating system is designed to appear as a DHCP Relay to the network and as a DHCP server to clients with industry-standard external DHCP servers that support DHCP Relay. This means that each controller appears as a DHCP Relay agent to the DHCP server and as a DHCP server at the virtual IP address to wireless clients.

If slightly less security is tolerable, you can create WLANs with DHCP Addr. Assignment Required disabled. Clients then have the option of using a static IP address or obtaining an IP address from a designated DHCP server.

Note	DHCP Addr. Assignment Required is not supported for wired guest LANs.

You can create separate WLANs with DHCP Addr. Assignment Required configured as disabled. This is applicable only if DHCP proxy is enabled for the controller. You must not define the primary/secondary configuration DHCP server you should disable the DHCP proxy. These WLANs drop all DHCP requests and force clients to use a static IP address. These WLANs do not support management over wireless connections.

When using external DHCP servers, the controller can operate in one of two modes: as a DHCP Relay or as a DHCP Bridge.

The DHCP proxy mode serves as a DHCP helper function to achieve better security and control over DHCP transaction between the DHCP server and the wireless clients. DHCP bridging mode provides an option to make controller's role in DHCP transaction entirely transparent to the wireless clients.

• DHCP proxy must be enabled in order for DHCP option 82 to operate correctly.

• All controllers that will communicate must have the same DHCP proxy setting.

• DHCP v6 Proxy is not supported.

• Suppose an interface in an interface group is marked as dirty. If a client is mapped to this interface through its association with a WLAN mapped to the interface group, the client does not get mapped to a new interface in the interface group because the controller DHCP proxy does not update the client interface VLAN to a new interface. This has been observed in conditions in which the interface group is assigned through AAA override and the DHCP mode is aggressive. The workaround is to use a non-aggressive DHCP mode.

  For more information, see CSCvv74634.

• Configure a DHCP timeout by entering this command:

  config dhcp timeout seconds

• DHCP option 82 is not supported for use with auto-anchor mobility.

• Configure the format of the DHCP option 82 payload by entering one of these commands:

  • config dhcp opt-82 remote-id ap_mac—Adds the radio MAC address of the access point to the DHCP option 82 payload.
  • config dhcp opt-82 remote-id ap_mac:ssid—Adds the radio MAC address and SSID of the access point to the DHCP option 82 payload.
  • config dhcp opt-82 remote-id ap-ethmac—Adds the Ethernet MAC address of the access point to the DHCP option 82 payload.
  • config dhcp opt-82 remote-id apname:ssid—Adds the AP name and SSID of the access point to the DHCP option 82 payload.
  • config dhcp opt-82 remote-id ap-group-name—Adds the AP group name to the DHCP option 82 payload.
  • config dhcp opt-82 remote-id flex-group-name—Adds the FlexConnect group name to the DHCP option 82 payload.
  • config dhcp opt-82 remote-id ap-location—Adds the AP location to the DHCP option 82 payload.
  • config dhcp opt-82 remote-id apmac-vlan-id—Adds the radio MAC address of the access point and the VLAN ID to the DHCP option 82 payload.
  • config dhcp opt-82 remote-id apname-vlan-id—Adds the AP name and its VLAN ID to the DHCP option 82 payload.
  • config dhcp opt-82 remote-id ap-ethmac-ssid—Adds the Ethernet MAC address of the access point and the SSID to the DHCP option 82 payload.

• Configure the format of the DHCP option 82 as binary or ASCII by entering this command:

  config dhcp opt-82 format { binary | ascii}

• Enable DHCP Option 82 on the dynamic interface to which the WLAN is associated by entering this command:

  config interface dhcp dynamic-interface interface-name option-82 enable

• See the status of DHCP option 82 on the dynamic interface by entering the show interface detailed dynamic-interface-namecommand.

• Configure DHCP Option 82 insertion in Bridge mode on the management interface by entering this command:

  config interface dhcp management option-82 bridge-mode-insertion {enable | disable}

  Note	Enter the show interface detailed management command to see if DHCP Option 82 Bridge mode insertion is enabled or disabled on the management interface.

• Configure DHCP Option 82 insertion in Bridge mode on the dynamic interface by entering this command:

  config interface dhcp dynamic-interface dynamic-interface-name option-82 bridge-mode-insertion {enable | disable}

  Note	Enter the show interface detailed dynamic-interface-name command to see if DHCP Option 82 Bridge mode insertion is enabled or disabled on the dynamic interface.

Configure DHCP Link Select (DHCP option 82, suboption 5) on the management and dynamic interfaces of the controller. Before configuring DHCP Link Select on the controller interface, enable the DHCP proxy and DHCP option 82 on that interface.

When the Link Select option is enabled on the controller interface, suboption 5 is added to the packet with the IP address information that contains the desired subnet address for the corresponding client. The subnet address is the controller interface address mapped to the client VLAN interface. The DHCP server uses the subnet address to assign the IP address to the DHCP client.

Configure DHCP VPN Select (DHCP option 82, suboption 151) on the management and dynamic interfaces of the controller. Before configuring DHCP VPN Select on the controller interface, enable the DHCP proxy and DHCP option 82 on that interface.

You can configure different VPN IDs or VRF names on the same controller or different controllers using the VPN Select feature configured on the controller interface. Configuring the VPN Select feature, results in the DHCP server VPN pools having nonoverlapping addresses.

You must add VSS Control suboption 152 every time VSS suboption 151 is sent to the DHCP server. If the DHCP server understands and acts on VSS suboption 151, VSS Control suboption 152 is removed from the DHCP acknowledgment. If the DHCP server copies back VSS Control suboption 152 in the DHCP acknowledgment, it means that the DHCP server does not have the required support for the VSS suboption.

Same Subnet

VPN ID or VRF name mapping to a WLAN should be the same on all the controllers in a mobility group. For example, if WLAN1 interface maps to VPN ID 1 and WLAN2 interface maps to VPN ID 2 maps on WLC A, then WLC B should also have WLAN1 interface mapping to VPN ID 1 and WLAN2 interface mapping to VPN ID 2. This way, when client L2 roams to another WLC, the roamed WLC's DHCP configuration will ensure that the client is assigned an address from the same VPN.

Different subnet mobility

With L3 mobility, all the DHCP DISCOVER packets are sent to the anchor and the assignment of the original VPN is ensured.

Auto anchor mobility

All the DHCP DISCOVER packets are sent to the anchor and the assignment of the original VPN is ensured.

• The DHCP mode should be set to proxy.

• The DHCP external server should be configured.

• DHCP Option 82 must be enabled on the controller.

• The interface being configured should not be of type service or virtual.

• The relay source interface name should be a valid interface with IP address configured.

Note	Proxy mode is not supported for IPv6.

• You can configure up to 16 Internal DHCP scopes.

• Internal DHCP Server is not supported on the following controllers:

• You must configure DHCP Proxy Mode to use the Internal DHCP Server.

• When you want to use the Internal DHCP Server, you must set the management interface IP address of the controller as the DHCP server IP address.

Use these commands to debug DHCP:

• debug dhcp packet {enable | disable} —Enables or disables debugging of DHCP packets.

• debug dhcp message {enable | disable} —Enables or disables debugging of DHCP error messages.

• debug dhcp service-port {enable | disable} —Enables or disables debugging of DHCP packets on the service port.