5508 - dhcp scope per wlan

mikearama Member Posts: 749
Just that... one ap-manager interface, with each AP broadcasting two SSID's. One for our user base, the other for guests.

I have assigned an ssid to each wlan, and have opted to go with internal scopes on the controller. However, I cannot locate a way to assign a scope per wlan... all documentation has the scope being applied to the interface.

In this case, both wlans/ssid's share the same interface.

This document says it's possible, but doesn't explain how:

Cisco Wireless LAN Controller Configuration Guide, Release 6.0 - Chapter 6 - Configuring WLANs [Cisco 5500 Series Wireless Controllers] - Cisco Systems

It says: You can configure DHCP on a per-interface or per-WLAN basis. The preferred method is to use the primary DHCP server address assigned to a particular interface.

It then goes on to explain how to apply to the interface... nothing on the per-Wlan approach.

Any thoughts appreciated.
Mike
There are only 10 kinds of people... those who understand binary, and those that don't.

CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.

Comments

  • SteveO86 Member Posts: 1,423
    This might be helpful.. Although it uses a different device for DHCP and not just the WLC itself. Maybe you can configure the DHCP on the device connected to the WLC?

    Guest WLAN and Internal WLAN using WLCs Configuration Example - Cisco Systems

    Although you'll need a second dynamic interface on the WLC
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
  • snoopgst Member Posts: 8
    Go into the WLAN, under advanced settings you should have an option to override the global DHCP settings with your own scopes.
  • mikearama Member Posts: 749
    Awesome... I'm getting there.

    So, I created the dynamic interfaces for the two departments. I also created a 4-port LAG channel, and assigned all three interfaces (management, IT and PMO) to the channel.

    I can ping the Cat 6509 core's interfaces from the controller... 10.22.129.1 for ap-management, 216.1 for IT and 217.1 for PMO. (The controller has 129.2, 216.2 and 217.2 as its IP addresses) Also, I created the scopes for these two departments on the core, and when I connect to their respective SSID's, I get an IP in the correct scope.

    Here's where the joy ends, however. Once my laptop has acquired the correct IP config, I cannot do anything. I cannot ping the 216.1 or 217.1 gateway.

    It's as if my client, with its 216.21 (from IT scope) address, communicates with the AP, the traffic is encapsulated from the AP to the controller, the controller strips off the headers and sees the source as 10.22.216.21, but either isn't sending it out the correct IT interface... or it is, but the return traffic is looking for 10.22.216.21 directly and doesn't know to go to the controller (216.2) first.

    Any thoughts?
  • SteveO86 Member Posts: 1,423
    From the client with a DHCP address can you ping the IP Address on the controller?

    I've seen issues with client timeouts being configured too high, and when the client connects to a different subnet/SSID the traffic is not forwarded to the wired LAN, however it communicates with the LWAP and the WLC. (It represents as a weird situation since you can ping the WLC IP Address, but not the default gateway on the same subnet which is on the wired LAN)

    Maybe try connecting to the SSID again, and then clear the ARP tables and MAC address table on both the WLC and neighboring switch.

    (Web Interface, Controller -> General -> ARP Timeout, might be worth a look at)
  • mikearama Member Posts: 749
    Exactly right... connectivity to the controller is good. I can see the client listed as associated and authenticated, and I can ping the interface. Just not anything past it.

    I'll do what you suggest and clean everything... do a reboot too.
  • SteveO86 Member Posts: 1,423
    I hate rebooting WLCs (unless you got 2 of them :) )

    Let us know if it works for you.
  • mikearama Member Posts: 749
    All good now.

    Odd... the AP is a fair distance away from me, and though I got a decent signal, my response times were between 2 and 4 thousand milliseconds. So I guess everything was timing out.

    I cleaned up some stuff, rebuilt the interface and wlans, rebooted... nothing helped. Then I added a second AP closer to my desk, and boom. She's all good now.

    In retrospect, I think I got it. Our security guy didn't want 802.11b enabled, so I killed all the slower data rates... everything below 9 is not available. I think that until I got an AP closer to me, that cost me.

    It's all good now, though.
  • SteveO86 Member Posts: 1,423
    I'm a little unclear on the reasoning for your security wanting 802.11b turned off.. It's just as vulnerable as the other standards. Or are they one of those old fashioned security guys that also believe hiding the SSID is secure too?

    While I do believe in disabling un-needed services, just be aware of the effects it will have on your WLAN. With the lower data rates disabled you'll need to make sure your clients are registering a good enough signal to sustain the higher data rate. So you may need to more densely pack an area with APs for sufficient roaming.
  • mikearama Member Posts: 749
    It isn't an issue with vulnerability... the opinion of our architect is to not allow 'b' users to connect, preventing the effects of having 'b' users mixed in with a/g/n. Regardless, you're right... it means you connect at better than 9MBps, or not at all. So in my testing, I either get three bars and a connection, or nothing.

    I am planning to roll out a few more AP's than might be required, to totally radiate our campus.

    And the security guy IS of old school thought... it took me a lot of talking and emails to get our SSID's to stay broadcasted.