In this post we will do a configuration example for DHCP option 82 in WLC 22.214.171.124 release. (later releases have additional options & refer specific config guides). As you aware with DHCP option 82 feature, DHCP relay (WLC in this case) add some additional information onto DHCP request payload which will be verify by the DHCP server prior to issuing an IP.( Refer “Understanding DHCP Option 82” post for basic understanding of this feature)
Here is the topology for this post. When users connecting to “data-13” WLAN via LAP1 they will get IP addresses in the range of 192.168.13.101-120 where as connecting via LAP2 will get in the range of 192.168.13.201-220.
First of all you need to define DHCP pools in CAT2 with an option called DHCP class.
ip dhcp pool VLAN13 network 192.168.13.0 255.255.255.0 default-router 192.168.13.1 domain-name mrn.com dns-server 192.168.200.1 class LAP2 address range 192.168.13.201 192.168.13.220 class LAP1 address range 192.168.13.101 192.168.13.120
Then you have to define the DHCP Classes in a way how you want to differentiate user IP ranges when they connect to WLAN based on their location(or point of attachment). DHCP Class configuration is having following syntax.
ip dhcp class <class_name> relay agent information relay-information hex <string>
NOTE – “STRING” can be divided into following parts “circuit-id” + “agent_type” + “length_of_remote-id” + “remote-id”.
- Circuit-id – 010400000000 – This is fixed for all Cisco wireless controller.
- Agent_Type – 02 – This is fixed for all cisco wireless controller.
- Length of Remote-id – This is not fixed and varies based on “remote-id”. If you select AP-ETHMAC or AP-MAC it would be “06” since it is 6 byte long. For AP-MAC-SSID it will be varying as SSID name length could vary.
- Remote-id – value of DHCP Option-82 attribute configured on wireless controller. In 7.0.116 WLC code it can be AP-MAC (by default), AP-ETHMAC or AP-MAC-SSID.
In our example we will use “AP-ETHMAC” as remote-id. Therefore string will be in the format of “0104000000000206<AP-ETHMAC>”. You can easily verify AP-ETHMAC by “show ap summary” command.
(WLC3) >show ap summary Number of APs.................................... 2 Global AP User Name.............................. Not Configured Global AP Dot1x User Name........................ Not Configured AP Name Slots AP Model Ethernet MAC Location Port Country Priority ------------------ ----- -------------------- ----------------- ---------------- ---- ------- ------ LAP2 2 AIR-LAP1131AG-N-K9 00:1e:7a:be:e0:fe CAT2-FA1011 1 AU 1 LAP1 2 AIR-CAP3502I-N-K9 cc:ef:48:8c:fd:41 CAT4-F03 1 AU 1
Based on this you can add DHCP Class configuration on to CAT2.
ip dhcp class LAP2 relay agent information relay-information hex 0104000000000206001e7abee0fe ip dhcp class LAP1 relay agent information relay-information hex 0104000000000206ccef488cfd41
Now you can go to CAT4 & define the SVI for “data-13” WLAN. Remember to configure “ip helper-address ” command to specify the DHCP server address.
interface Vlan13 ip address 192.168.13.1 255.255.255.0 ip helper-address 10.10.10.3
Next you can configure dynamic interface & WLAN on WLC3 as shown below. I have used “open” authentication for simplicity.
config interface create vlan13 13 config interface address dynamic-interface vlan13 192.168.13.30 255.255.255.0 192.168.13.1 config interface dhcp dynamic-interface vlan13 primary 10.10.10.3 config interface port vlan13 1 config wlan create 13 data-13 data-13 config wlan interface 13 vlan13 config wlan security wpa disable 13 config wlan enable 13
Once configured you can check “DHCP Option 82” of the vlan13 interface by “show interface detailed vlan13” CLI command.
(WLC3) >show interface detailed vlan13 Interface Name................................... vlan13 MAC Address...................................... 00:1b:d5:cf:e6:00 IP Address....................................... 192.168.13.30 IP Netmask....................................... 255.255.255.0 IP Gateway....................................... 192.168.13.1 External NAT IP State............................ Disabled External NAT IP Address.......................... 0.0.0.0 VLAN............................................. 13 Quarantine-vlan.................................. 0 Physical Port.................................... 1 Primary DHCP Server.............................. 10.10.10.3 Secondary DHCP Server............................ Unconfigured DHCP Option 82................................... Disabled ACL.............................................. Unconfigured AP Manager....................................... No Guest Interface.................................. No L2 Multicast..................................... Enabled
You can enable this on vlan13 interface via following CLI config. In 126.96.36.199 this cannot be done via GUI (in later releases you can do this via GUI)
config interface dhcp dynamic-interface vlan13 option-82 enable
Now you can verify Remote-ID option set by WLC by using “show dhcp opt-82” CLI command. As you can see it will set as “AP Radio MAC address” which is not what we wanted. Since we have configured our DHCP classes in server to check “AP Ethernet MAC Address” we have to change this default behavior as follows.
(WLC3) >show dhcp opt-82 DHCP Opt-82 RID Format: <AP radio MAC address> (WLC3) >config dhcp opt-82 ? remote-id Set Format for RemoteId field in DHCP option 82 (WLC3) >config dhcp opt-82 remote-id ? ap-mac Set RemoteID format as <AP radio MAC address> apmac:ssid Set RemoteID format as <AP radio MAC address>:<SSID> ap-ethmac Set RemoteID format as <AP Ethernet MAC address> (WLC3) >config dhcp opt-82 remote-id ap-ethmac
This can be done via GUI as well. you can do this via “Controller > Advanced > DHCP” section as shown below. It is worth to note that “DHCP Proxy” feature needs to be enabled (which is the default behavior) in order to Option-82 to work. Otherwise all DHCP request from client transparently pass to DHCP server & WLC will not do any modification.
Now it is ready to test. You can verify these Option-82 information by “debug ip dhcp server class” on CAT2 (which is DHCP server). First we will disable LAP2 & let client associate to LAP1. You would see a similar to following DHCP debug output stating input relay information matches class LAP1.
CAT2#debug ip dhcp server class DHCP server class debugging is on. *Mar 7 02:08:21.542 AEDT: DHCPD: Class 'LAP2' matched by default *Mar 7 02:08:21.542 AEDT: DHCPD: Searching for a match to 'relay-information 0104000000000206ccef488cfd41' in class LAP2 *Mar 7 02:08:21.542 AEDT: DHCPD: Class 'LAP1' matched by default *Mar 7 02:08:21.542 AEDT: DHCPD: Searching for a match to 'relay-information 0104000000000206ccef488cfd41' in class LAP1 *Mar 7 02:08:21.542 AEDT: DHCPD: input pattern 'relay-information 0104000000000206ccef488cfd41' matches class LAP1 *Mar 7 02:08:21.542 AEDT: DHCPD: input matches class LAP1
You can verify client has got an IP from the correct range (192.168.13.101-120)
CAT2#sho ip dhcp binding Bindings from all pools not associated with VRF: IP address Client-ID/ Lease expiration Type Hardware address/ User name 192.168.13.101 0104.f7e4.ea5b.66 Mar 08 1993 02:08 AM Automatic
You can verify the same using “debug ip dhcp server events” command as well. See below
CAT2#debug ip dhcp server events DHCP server event debugging is on. *Mar 9 05:18:42.314 AEDT: DHCPD: Sending notification of DISCOVER: *Mar 9 05:18:42.314 AEDT: DHCPD: htype 1 chaddr 0022.fa94.6858 *Mar 9 05:18:42.314 AEDT: DHCPD: remote id ccef488cfd41 *Mar 9 05:18:42.314 AEDT: DHCPD: circuit id 00000000 *Mar 9 05:18:42.314 AEDT: DHCPD: giaddr = 192.168.13.30 *Mar 9 05:18:42.314 AEDT: DHCPD: interface = FastEthernet1/0/4 *Mar 9 05:18:42.314 AEDT: DHCPD: class id 4d53465420352e30 *Mar 9 05:18:42.322 AEDT: DHCPD: out_vlan_id 0 *Mar 9 05:18:44.335 AEDT: DHCPD: Adding binding to radix tree (192.168.13.101) *Mar 9 05:18:44.335 AEDT: DHCPD: Adding binding to hash tree *Mar 9 05:18:44.335 AEDT: DHCPD: assigned IP address 192.168.13.101 to client 0100.22fa.9468.58. (1022 0) *Mar 9 05:18:44.335 AEDT: DHCPD: Sending notification of DISCOVER: *Mar 9 05:18:44.335 AEDT: DHCPD: htype 1 chaddr 0022.fa94.6858 *Mar 9 05:18:44.335 AEDT: DHCPD: remote id ccef488cfd41 *Mar 9 05:18:44.335 AEDT: DHCPD: circuit id 00000000 *Mar 9 05:18:44.335 AEDT: DHCPD: giaddr = 192.168.13.30 *Mar 9 05:18:44.335 AEDT: DHCPD: interface = FastEthernet1/0/4 *Mar 9 05:18:44.335 AEDT: DHCPD: class id 4d53465420352e30 *Mar 9 05:18:44.335 AEDT: DHCPD: out_vlan_id 0 *Mar 9 05:18:44.335 AEDT: DHCPD: Sending notification of DISCOVER: *Mar 9 05:18:44.335 AEDT: DHCPD: htype 1 chaddr 0022.fa94.6858 *Mar 9 05:18:44.335 AEDT: DHCPD: remote id ccef488cfd41 *Mar 9 05:18:44.335 AEDT: DHCPD: circuit id 00000000 *Mar 9 05:18:44.335 AEDT: DHCPD: giaddr = 192.168.13.30 *Mar 9 05:18:44.335 AEDT: DHCPD: interface = FastEthernet1/0/4 *Mar 9 05:18:44.335 AEDT: DHCPD: class id 4d53465420352e30 *Mar 9 05:18:44.335 AEDT: DHCPD: out_vlan_id 0 *Mar 9 05:18:44.335 AEDT: DHCPD: Sending notification of ASSIGNMENT: *Mar 9 05:18:44.335 AEDT: DHCPD: address 192.168.13.101 mask 255.255.255.0 *Mar 9 05:18:44.335 AEDT: DHCPD: htype 1 chaddr 0022.fa94.6858 *Mar 9 05:18:44.344 AEDT: DHCPD: lease time remaining (secs) = 86400 *Mar 9 05:18:44.344 AEDT: DHCPD: interface = FastEthernet1/0/4 *Mar 9 05:18:44.344 AEDT: DHCPD: out_vlan_id 0
Now you can try to associate the same client via LAP2. You have to clear the IP DHCP binding & disable LAP1 & enable LAP2 as shown below.
CAT2#clear ip dhcp binding 192.168.13.101 (WLC3) >config ap disable LAP1 (WLC3) >config ap enable LAP2
This time you would see a output similar to this in CAT2’s “debug ip dhcp server class“. You would noticed this time DHCP relay information matches class defined for LAP2 which include LAP2’s ethernet MAC address as part of the string.
CAT2# *Mar 7 03:30:34.067 AEDT: DHCPD: Class 'LAP1' matched by default *Mar 7 03:30:34.067 AEDT: DHCPD: Searching for a match to 'relay-information 0104000000000206001e7abee0fe' in class LAP1 *Mar 7 03:30:36.148 AEDT: DHCPD: Class 'LAP2' matched by default *Mar 7 03:30:36.148 AEDT: DHCPD: Searching for a match to 'relay-information 0104000000000206001e7abee0fe' in class LAP2 *Mar 7 03:30:36.148 AEDT: DHCPD: input pattern 'relay-information 0104000000000206001e7abee0fe' matches class LAP2 *Mar 7 03:30:36.148 AEDT: DHCPD: input matches class LAP2
This time you would see the same client got 192.168.13.201-220 IP as it is connected to LAP2.
CAT2#show ip dhcp binding Bindings from all pools not associated with VRF: IP address Client-ID/ Lease expiration Type Hardware address/ User name 192.168.13.201 0104.f7e4.ea5b.66 Mar 08 1993 03:30 AM Automatic
You can play with additional tweaking as long as you got basic configuration working as above.
You can refer following Cisco document(DOC-28639) for additional information of this feature.
DHCP Option 82 – Service Provider Wi-Fi
1. Understanding DHCP
2. Understanding DHCP Snooping
3. Understanding DHCP Option 43
4. Understanding DHCP Option 82
5. Hex to String Conversion
P wireless said:
at first, i wanted to say that your blog is really good and helpful.
in regards to the option 82. Do you have any personal experience between a wlc and a ms dhcp server? Does the ms dhcp server understand/translate the remote-id correct?
Thanks for the feedback & glad my blog helps you…
Regarding DHCP option 82 with MS-DHCP, I do not have deployed it in my production network. But it should support it & you can test it before implementing it in large scale.
This option wil not work on windows 2003 DHCP server . But will work on 2008
Thanks for this information.
I haven’t tested this feature on windows DHCP server platforms since it is not in lab exam scope.
Below is the output I get from my test option 82. I was wondering how do I covert the Agent Circuit ID and Agent Remote ID?
Option 82 Suboption: (1) Agent Circuit ID
Agent Circuit ID: 00040bb80113
Option 82 Suboption: (2) Agent Remote ID
Agent Remote ID: 00060014a90d8700
If you look at this post you will able to convert those into characters/digits you can read
Hi, I have the same problem in two clients.
They are implementing guest internet access WLANs, but want to use their DHCP server.
Guest WLANs are non ruteable. So I need the WLC relay agent to source the unicast packets with the manangement IP, not the WLAN IP.
Can I do that?
In WLC 8.0 you can do this with option 5 combined with DHCP option 82.
Could you spend your time and convey DHCP option 43 explaination?
Thanks for request, I will try find time to do it. I hope you saw below cisco doc on that topic
Your blog is very helpful.
I have very complex scenario, I have a 9 APs installed in remote location connected to 3750 switch. The APs are managed by a WLC in the HQ. I don’t have DHCP server, so i will use the 3750 switch as a DHCP server and i will use option 82 but i can’t make the WLC and the switch in the same subnet. could you please help me to fix this issue.
Why do you want Switch & WLC to be on same subnet ? As long as AP can communicate with WLC it will work.
If WAN bandwidth is a concern, you can chage AP to FlexConnect/H-REAP mode & use.
Man, you are amazing.
Many thanks for your quick support. I believe your support is faster than Cisco TAC.
I don’t need the WLC and switch to be on the same subnet, but i though it should be like that.
I will have a dynamic interface on the WLC mapped to a VLAN :
Dynamic Int name: WIFI
IP address: 10.158.52.2/29
Gateway: 10.158.52.1/29 (This Nexus switch in the HQ and connected direct to the WLC).
DHCP server: 10.157.111.2 (3750 IP address which will be reachable from the WLC via the management IP)
On the switch side: I will configure a DHCP pool with subnet 192.168.1.0/24 and this subnet will be routed towards the WLC.
Does this setup work?
What is your requirement ? Branch users to get IP from your HQ defined VLAN or they should get IP from local 3750 switch at the Branch ?
If you want the 2nd option, then you have to make AP into FlexConnect mode & enable Local switching on the SSID. In that case all wireless user traffic will be locally terminated & AP control traffic is come back to WLC.
Even that situation you can have an SSID for central switching (eg like guest) where users get IP from central HQ defined vlan.
Have a look at below document
If you still have doubts, I would suggest to open a thread in Cisco Support Forum, so many will respond to your query
i use DHCP Snooping Feature on the switches. Should i trusted the WLC connected interfaces at the Switch? If i dont trust them, i have many “Unknown output interface” drops.
Many thanks in advance.
Typically you do not want to trust WLC connected port, unless internal DHCP feature used in WLC.
Worth investigate it with TAC if you see such behaviour