Configure DHCP services
RansNet mbox appliances (CMG/HSG/HSA) support standard Dynamic Host Configuration Protocol (DHCP) to issue end user devices IP addresses.
mbox offers a complete solution for implementing DHCP services for small networks to large distributed enterprise networks.
DHCP server (dhcp-server), receives clients’ requests from locally connected networks, and issues IP addresses to clients. It also suppors various DHCP options for assigning vendor-specific parameters, eg. controller IP for light-weight APs
DHCP pools (dhcp-pool), enables mbox as a DHCP server to centrally manage and issue IP addresses to external/remote networks.
DHCP relay agent (or dhcp-helper), relays DHCP requests from local LAN devices to another upstream DHCP server.
In this document, we will use below topology to elaborate how to configure dhcp-server, dhcp-pool, and dhcp-helper.
HSG-1 will be configured as a dhcp-server to issue IP address to local network devices (VLAN10 & 20)
HSG-1 will also function as central DHCP server (dhcp-pool) to manage and issue DHCP IP addresses to non-attached networks (VLAN30 & 40)
HSG-2 will act as a DHCP relay (dhcp-helper) to relay user DHCP requests to HSG-1 , so that users from VLAN30 & 40 can receive DHCP IP assignment from HSG-1 address pools.
1. Configure dhcp-server to issue IP addresses to attached/local networks
When configured with "dhcp-server" on the target interfaces, mbox accepts client DHCP requests from users/clients coming from interface local network (the network connected to this interface), and issues DHCP address from the configured range to clients.
CONFIGURATION NOTES
You can run multiple "dhcp-server" instances. Each instance is attached to a local interface (physical or VLAN). It will automatically generate DHCP range based on Interface IP address setting (you can still optionally change DHCP options/range parameters later).
NOTE: One interface can have multiple IP addresses. But only the primary IP address can be used as the DHCP range. So if you need to configure multiple IP addresses for the same interface, please make sure the primary IP address (where DHCP scope will be based on) is configured first/ahead of other IP addresses.
dhcp-server must be explicitly enabled and each config changes requires restarting of the DHCP service (disable and enable).
NOTE: When running HA (two boxes running VRRP), both mbox will be actively issuing DHCP (even for the standby unit), so each box needs to cover half of the available range in order to avoid address duplicates; and you need to explicitly configure "router" command to specify VRRP virtual IP as the clients default gateway.
CONFIGURATION STEPS
configure network interfaces with IP address and mask
configure dhcp-server to start listening and issuing DHCP IP addresses
CONFIGURATION EXAMPLES (on HSG-1)
Below sample config snip shows normal dhcp-server configuration under interface setting
!interface eth1 description "trunk to switch1" enable ip address 192.168.8.1/24 dhcp-server description "DHCP pool for management VLAN-1" router 192.168.8.1 dns 8.8.8.8 8.8.4.4 range 192.168.8.10 192.168.8.254 enable!!interface vlan 1 10 enable ip address 10.10.10.1/24 dhcp-server description "DHCP pool for VLAN-10" router 10.10.10.1 dns 8.8.8.8 8.8.4.4 range 10.10.10.2 10.10.10.254 enable!interface vlan 1 20 enable ip address 10.20.20.1/24 dhcp-server description "DHCP pool for VLAN-20" router 10.20.20.1 dns 8.8.8.8 8.8.4.4 range 10.20.20.2 10.20.20.254 enable!
When hotspot service is enabled for the interface, dhcp-server command is applied under hotspot instance setting. Below config snip shows dhcp-server config when hotspot service is enabled for VLAN10 and VLAN20.
!interface eth1 description "trunk to switch1" enable ip address 192.168.8.1/24 dhcp-server description "DHCP pool for management VLAN-1" router 192.168.8.1 dns 8.8.8.8 8.8.4.4 range 192.168.8.10 192.168.8.254 enable!!interface vlan 1 10 enable ip address 10.10.10.1/24!interface vlan 1 20 enable ip address 10.20.20.1/24!security hotspot vlan10 hotspot-server 10.10.10.1 ports 4907 4382 client-network 10.10.10.0 255.255.255.0 client-dhcp-server router 10.10.10.1 dns 8.8.8.8 8.8.4.4 range 10.10.10.2 10.10.10.254 enable client-static 10.10.10.2 255.255.255.0 radius-server splash.ransnet.com testing123 hotspot-portal https://splash.ransnet.com/pid/vlan10/login.php start!security hotspot vlan20 hotspot-server 10.20.20.1 ports 4081 4558 client-network 10.20.20.0 255.255.255.0 client-dhcp-server router 10.20.20.1 dns 8.8.8.8 8.8.4.4 range 10.20.20.2 10.20.20.254 enable client-static 10.20.20.2 255.255.255.0 radius-server splash.ransnet.com testing123 hotspot-portal https://splash.ransnet.com/pid/vlan20/login.php start!Useful troubleshooting commands:
show ip dhcp-servershow ip dhcp-logshow ip dhcp-leasetcpdump interface xx port 672. Configure dhcp-pool to issue IP addresses to non-attached/external networks
When configured with "dhcp-pool", mbox can manage and issue DHCP IP addresses to non-attached or external networks. The remote/external network router will relay client DHCP requests to mbox, and as long as the relay agent IP belongs to a valid address pool, mbox will issue client IP from the respective address pool. In this case mbox acts as DHCP server for both local and remote network so that it's easier to centrally administer IP address pools, without the need of 3rd-party dedicated DHCP server.
CONFIGURATION NOTES
You can configure multiple "dhcp-pool". Each pool refers to a remote network range. The remote address pools (dhcp-pool) do not bind to any local mbox interfaces. However, the incoming interface where remote DHCP relay agent will come in, MUST enable with "dhcp-server" so that this interface will listen for DHCP requests (from both local and remote). If you do not want to issue any IP address to the interface local network, you can set "range x.x.x.x y.y.y.y" to be really small, so that it limits giving out local addresses but will listen and respond to requests from external relay agent (therefore able to assign respective IP from dhcp-pools to remote clients).
dhcp-pool must be explicitly enabled and each config changes requires restarting of the DHCP service (disable and enable).
It's very important to ensure communication channel between DHCP server and relay agents are in place:
The external DHCP relay agent IP must be able to reach to the DHCP server IP address, with correct routing and firewall rules to permit accesses (UDP/67/68).
The DHCP server (where dhcp-pool is configured) must have a route back to the external DHCP agent IP address, so that it knows where to route back the DHCP responses.
CONFIGURATION STEPS
enable "dhcp-server" on the interface for incoming DHCP relay agent requests
configure "dhcp-pool" for each remote/non-attached network
CONFIGURATION EXAMPLES (on HSG-1)
interface eth1 description "trunk to switch1" enable ip address 192.168.8.1/24 dhcp-server description "DHCP pool for management VLAN-1" router 192.168.8.1 dns 8.8.8.8 8.8.4.4 range 192.168.8.10 192.168.8.254 enable!ip dhcp-pool 10.30.30.0/24 description "DHCP pool for VLAN-30 on HSG-2" router 10.30.30.1 dns 8.8.8.8 8.8.4.4 range 10.30.30.2 10.30.30.254 enable!ip dhcp-pool 10.40.40.0/24 description "DHCP pool for VLAN-40 on HSG-2" router 10.40.40.1 dns 8.8.8.8 8.8.4.4 range 10.40.40.2 10.40.40.254 enable!ip route 10.30.30.1/32 nexthop 192.168.8.9 remark "route back to VLAN-30 DHCP relay"ip route 10.40.40.1/32 nexthop 192.168.8.9 remark "route back to VLAN-40 DHCP relay"!
3. Configure dhcp-helper to relay local DHCP requests to external DHCP server
For large distributed networks, with many local/remote networks and routers, we don't want to configure each router to issue DHCP address to their local networks. Instead, we will configure a central DHCP server to centrally manage the address pools for users of all networks (as in above section #2), and configure each remote router to relay their local device DHCP requests to the central DHCP server.
In this case, each remote router acts as a dhcp-relay, and each relay will forward local client DHCP request to DHCP server through "dhcp-helper" command.
CONFIGURATION NOTES
You can run multiple "dhcp-helper" instances. Each instance is attached to a local interface (physical or VLAN), and the local interface must have an IP address configured and able to reach to dhcp-helper (DHCP server) IP address.
You can not run "dhcp-helper" and "dhcp-server" command under the same interface.
CONFIGURATION STEPS
configure IP address under the local interface
configure dhcp-helper to relay client requests to upstream DHCP server
CONFIGURATION EXAMPLES (on HSG-2)
Below sample config snip shows normal dhcp-helper under interface setting
interface eth0 description "connect to core switch" enable ip address 192.168.8.9/24!!interface vlan 0 30 enable ip address 10.30.30.1/24 ip dhcp-helper 192.168.8.1!interface vlan 0 40 enable ip address 10.40.40.1/24 ip dhcp-helper 192.168.8.1!ip route 0.0.0.0/0 nexthop 192.168.8.1 remark "default route through HSG-1"!If we enable hotspot service for VLAN30 and VLAN40, the dhcp-helper is configured under hotspot instance (which is attached to interface VLAN30 and VLAN40).
interface eth0 description "connect to core switch" enable ip address 192.168.8.9/24!!interface vlan 0 30 enable ip address 10.30.30.1/24!interface vlan 0 40 enable ip address 10.40.40.1/24!ip route 0.0.0.0/0 nexthop 192.168.8.1 remark "default route through HSG-1"!security hotspot vlan30 hotspot-server 10.30.30.1 ports 5415 5849 client-network 10.30.30.0 255.255.255.0 client-dhcp-helper 192.168.8.1 radius-server splash.ransnet.com testing123 hotspot-portal https://splash.ransnet.com/pid/vlan30/login.php start!security hotspot vlan40 hotspot-server 10.40.40.1 ports 4421 5467 client-network 10.40.40.0 255.255.255.0 client-dhcp-helper 192.168.8.1 radius-server splash.ransnet.com testing123 hotspot-portal https://splash.ransnet.com/pid/vlan40/login.php start!
4. Configure DHCP vendor options
Vendor options are DHCP options that are defined by the DHCP client software vendor. When a client broadcasts a request for a configuration, the client includes its vendor client class. If this client class matches any client classes in the dhcptab database, then the options specified for that class are sent to the client, along with other configuration options.
This is typically used by wireless AP to auto push WLAN controller IP to the AP to auto registration, so that we don't need to configure anything on the AP for it to register (call back) to the WLC. Another example is for VoIP phones to auto push call manager IP address to the IP phone so that they can auto register to the call manager without any manual configuration on the VoIP phones.
NOTES ON OPTION 43 SUPPORT
a vendor-name refers to a particular brand; a vendor-class refer to a particular model of a brand. Vendor-class must be included by double quotes in the configuration (eg. “Cisco AP c1600”)
mbox can support multiple dhcp scopes, and each scope can support one unique option 43 for each vendor (vendor-name), eg. scope 1 for Cisco APs, scope 2 for Aruba APs, etc.
same vendor-name can have multiple vendor-class, eg. different model of Cisco AP can be assigned with different controller IP, differentiated by vendor-class name
vendor-class string in the configuration must match exactly what’s being included in AP DHCP request headers. Sometimes, we don’t know the extract string for vendor-class, one way is to ask from vendor support, another way is to use tcpdump with “detail” option
Configuration snip:
!interface eth2dhcp-server-----option Cisco_LWAPP_AP "Cisco AP c1700" controller 203.211.151.79option Cisco_LWAPP_AP "Cisco AP c1600" controller 203.211.151.80----- Comemde# tcpdump interface eth1 port 67 detail10:12:46.028445 IP (tos 0x0, ttl 255, id 78, offset 0, flags [none], proto UDP (17), length 330) 0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from fc:5b:39:6e:34:e4, length 302, xid 0x200c, Flags [Broadcast] (0x8000) Client-Ethernet-Address fc:5b:39:6e:34:e4 Vendor-rfc1048 Extensions Magic Cookie 0x63825363 DHCP-Message Option 53, length 1: Discover MSZ Option 57, length 2: 1200 Client-ID Option 61, length 7: ether fc:5b:39:6e:34:e4 Hostname Option 12, length 16: "APfc5b.396e.34e4" Parameter-Request Option 55, length 9: Subnet-Mask, Domain-Name-Server, Domain-Name, Netbios-Name-Server Default-Gateway, LOG, Static-Route, Option 150 Vendor-Option Vendor-Class Option 60, length 14: "Cisco AP c1700" <--DHCP request from client, vendor-class config must match this. END Option 255, length 010:12:46.028987 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328) 192.168.1.1.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0x200c, Flags [Broadcast] (0x8000) Your-IP 192.168.1.30 Client-Ethernet-Address fc:5b:39:6e:34:e4 Vendor-rfc1048 Extensions Magic Cookie 0x63825363 DHCP-Message Option 53, length 1: Offer Server-ID Option 54, length 4: 192.168.1.1 Lease-Time Option 51, length 4: 86400 Subnet-Mask Option 1, length 4: 255.255.255.0 Domain-Name-Server Option 6, length 8: 203.211.152.66,8.8.8.8 Domain-Name Option 15, length 8: "mbox.com" Default-Gateway Option 3, length 4: 192.168.1.1 Vendor-Option Option 43, length 6: 241.4.203.211.151.79 <--DHCP reply by mbox, as per configuration END Option 255, length 0 PAD Option 0, length 0, occurs 4