[Cisco-AP] ip address-helper issue


Dreece

In the wireless 3702 IOS, I added: ip helper-address 192.168.10.60
under: interface Dot11Radio0.100

Unfortunately the SSID running under vlan 100 isn't finding the DHCP server via that helper.

In the actual switch the access point is connected to, if I enable a DHCP relay agent, then it hits whatever relay I configure there.

However, I would prefer for the AP to go looking for DHCP based on the entered helper-address.

Am I an apple short of a tree here with how I'm understanding the purpose of helper-address?

(please note the 3702 is in autonomous mode)
 

Dreece

Hmmm, ok so router needs to do this, the AP can't do it because the router doesn't like shouting.

 

Discountsocks

Hmmm, ok so router needs to do this, the AP can't do it because the router doesn't like shouting.

Simple rule... The helper address will go on the same interface as the default gateway IP. Helper address is a layer 3 function, not a layer 2.
 

pricklypunter

Ok, so imagine your DHCP server is on a different VLAN to your AP. Your AP is in one domain, the DHCP server in another.

To use DHCP Snooping, you would configure an IP Helper Address on the AP's VLAN Interface; your AP's Switch port needs to be a member. This basically passes on DHCP request packets to the IP Address you have specified, i.e. to your DHCP Server, thereby beginning your handshake process. Inter-VLAN Routing must also be enabled, either in the Switch itself or via some other means like a router-on-a-stick type configuration, in order for this to happen; the VLANs cannot be unreachable.

I'll try and give a quick Cisco example off the top of my head for the switch. From terminal config mode (conf t from an elevated prompt):


int VLAN 10
desc Wireless VLAN
ip address 192.168.1.1 255.255.255.0
! helper-address takes only the DHCP server's IP, no mask
ip helper-address 192.168.10.254
exit

Commands are basically:
get into VLAN interface config
Add a friendly description for the VLAN
the VLAN ID
The IP address of the VLAN
Your IP Helper - IP address of your DHCP Server
Exit back to Terminal mode


int g0/1
desc AP's switch port
sw mode access
sw access vlan 10
spanning-tree portfast
exit

Commands are basically:
get into Port interface config
Add a friendly description for the Port Interface
Switch Port Interface Number
Set the Port type as an Access Port
Set the Port as a member of VLAN 10
Tell the Port to skip the normal state processing and go straight to forwarding packets
Exit back to Terminal mode

The next part is just a repeat of the first part, but this time for the VLAN (domain) that the DHCP Server is a part of

int VLAN 20
desc Servers VLAN
ip address 192.168.10.1 255.255.255.0
exit

int g0/2
desc Servers VLAN (The DHCP Server lives at 192.168.10.254)
sw mode access
sw access vlan 20
spanning-tree portfast
exit




Your DHCP Server will, among other things such as DHCP Server Address, Default Router, NTP Server, etc., provide a Default Gateway Address to clients. In the case of devices in VLAN 10 above, your wireless domain, this will be the VLAN Interface IP Address, 192.168.1.1. All clients on this VLAN will use that address to send packets out of the wireless domain that is VLAN 10.
VLAN 20 is where your DHCP is located, different domain, and Switch Port g0/2 is a member of that.

Hope that helps a little :)

Added a bit more clarity I hope :)
 

Dreece

Thanks, that makes things clearer.

So effectively the router/switch needs to provide a DHCP Relay which functions over Layer 3.
Thus I must configure the router to assign a DHCP per VLAN and then the AP's SSID VLANs should just pick that up accordingly via DORA.

So problem one = the switch I'm using is a L2 POE switch, so I need to swap it out with an L3 POE switch to get this working with multiple VLANs along with multiple DHCP scopes.

...and how a DHCP scope is selected for relay is based on the routed address the relay request comes in on? or is this where that DHCP option 82 kicks in? which I have noticed the more advanced switches/routers facilitate.
 

pricklypunter

Yea, kind of, yer close. The Switch provides the micro-segmentation (VLANs, or mini-broadcast domains if you will) and relay function, the Router just forwards those packets between them and if not, then towards another Gateway, if one is configured. You can still use your L2 Switch, but it has to be capable of configuring and supporting VLANs. I won't get into what folks believe is a L2 or L3 VLAN or the logic behind these things etc.; suffice it to say that VLANs are a L2 thing, the L3 confusion is brought about by the fact that the VLAN has a logical address, i.e. an IP Address, which is a L3 construct.

You can use a separate Router to do your Inter-VLAN routing if your Switch doesn't support it, all you need is a Trunk port between them that carries the multiple VLANs to and from the Switch. This works perfectly well and is a well tried and reliable method of achieving this, but will introduce a smidge of added latency, for obvious reasons. Likewise a L3 Switch will be capable of keeping that function "in-house" so to speak, therefore negating the need for an external Routing device. Again, there is latency introduced, as you are still crossing Data and Control Planes, but it's nowhere near as bad as having external devices involved, plus there are usually other things that you can do within the configuration to mitigate most of that. MLS comes to mind. When using an external device to Route packets, this type of configuration is often referred to as "Router on a Stick" or Stub Router etc.

Option 82 is another part of DHCP Snooping. It basically allows your DHCP Server to identify the Host by relay and therefore identify the Scope that Host should be in. Of course you need to tell your DHCP Server how to respond to such requests. There are lots of other options too to accomplish other tasks, but this is how a single DHCP Server can hand out different information to hosts in different broadcast domains (VLANs). There are other methods and commands within IOS and others that can and will override such things, but that's beyond this. You are correct, you will want to use a method to identify which host is in which scope, from your DHCP Server's perspective.

I'm trying to keep it simple, my OCD is making me want to get into protocols etc ;)

I should add that if you are planning on having multiple VLANs served from your AP, as well as your wired Switch Ports, it is much the same deal. The same basic rules apply to doing this as would to your Switch Ports. The only difference is that you will Trunk the AP link to the Switch and configure multiple matching VLANs (BVIs) in the AP, each having its own set of rules, like SSID, MAC filtering, beacons, etc., just like each VLAN on your Switch has rule sets for each VLAN. It might help to think of it as the same as any other Port, but this time the physical layer device is a radio wave, rather than an inductively coupled wire. It's just more of the same, frames being stuffed down either a physical wire or optical pathway, or using an invisible radio wave; everything beyond the physical delivery of the frames remains the same. Cisco just love a sentence splattered with 3 letter words, as I'm sure you are finding out :D
 
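Added example, not written by any poster in this thread: a simplified Python model of the relay step discussed above, showing why the helper belongs on the routed VLAN interface. The relay writes its own interface address into the BOOTP giaddr field, and a DHCP server matches that field against its scopes (RFC 2131); option 82 (RFC 3046), when the relay inserts it, carries extra identifiers such as a circuit ID. The addresses are the ones used in the thread; the scope names and the "Vlan10" circuit ID are constructed for illustration.

```python
import ipaddress
import struct

# Constructed values reusing the thread's example addressing.
RELAY_SVI = "192.168.1.1"      # int VLAN 10, where ip helper-address is configured
HELPER = "192.168.10.254"      # DHCP server named by the helper address
SCOPES = {"192.168.1.0/24": "wireless", "192.168.10.0/24": "servers"}  # hypothetical names

def build_discover(xid, mac):
    """Client DHCPDISCOVER as broadcast on the VLAN: hops 0, giaddr 0.0.0.0."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                      bytes(4), bytes(4), bytes(4), bytes(4), mac, b"", b"")
    return hdr + b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"

def walk_options(pkt):
    """Walk the TLV options after the magic cookie; return ({code: value}, END offset)."""
    opts, i = {}, 240
    while pkt[i] != 255:
        if pkt[i] == 0:                      # pad option has no length byte
            i += 1
            continue
        opts[pkt[i]] = bytes(pkt[i + 2:i + 2 + pkt[i + 1]])
        i += 2 + pkt[i + 1]
    return opts, i

def relay(pkt, ingress_ip, circuit_id=None):
    """Model of an L3 relay: stamp giaddr, bump hops, optionally add option 82."""
    pkt = bytearray(pkt)
    pkt[3] += 1                              # hops
    if pkt[24:28] == bytes(4):               # only the first relay sets giaddr
        pkt[24:28] = ipaddress.IPv4Address(ingress_ip).packed
    if circuit_id is not None:               # option 82, sub-option 1 (circuit ID)
        sub = bytes([1, len(circuit_id)]) + circuit_id
        _, end = walk_options(pkt)
        pkt[end:end] = bytes([82, len(sub)]) + sub
    return bytes(pkt), HELPER                # now unicast to the helper address

def select_scope(pkt):
    """Server side: pick the scope whose subnet contains giaddr."""
    giaddr = ipaddress.IPv4Address(bytes(pkt[24:28]))
    if giaddr.is_unspecified:
        return None                          # never relayed, so no remote subnet is known
    for net, name in SCOPES.items():
        if giaddr in ipaddress.ip_network(net):
            return name
    return None

if __name__ == "__main__":
    discover = build_discover(0x1234ABCD, bytes.fromhex("020000000001"))
    relayed, dst = relay(discover, RELAY_SVI, b"Vlan10")
    print(select_scope(discover), "->", select_scope(relayed), "via", dst)
```

An AP bridging at layer 2 forwards the client's broadcast unchanged, so giaddr stays 0.0.0.0 and a server on another VLAN never sees the request.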