Had a fun one that I recently ran into and was lucky enough to make a good learning opportunity out of it. Hopefully it can help someone else too. This is concerning DHCP proxy mode on a Cisco WLC.
Take a look at my lab diagram above. I had a Cisco ASA firewall that I wanted to be the DHCP server for a small user environment. This user environment had a dedicated WLC with access points. All of that was connected to a single network switch. Nothing special of a network setup, but the main goal here was to use the ASA as the DHCP server for the wireless (and wired) clients.
I setup my DHCP scope in Firepower Management Center and deployed it to my firewall. This went without issue. When I connected the firewall to the new network I was working on, the wired clients connected, received an IP, and could browse to the web with no issue. The wireless users were having an issue though. I checked the WLC logs and did not see any issues or messages in the logs. I checked the interface for the main WLAN and it was pointed correctly to my ASA as the DHCP server. So what was the issue?
I did some searching and found a few forum posts from other people with similar situations using a handful of different devices as their DHCP server. It turns out that the issue was that the WLC was running in DHCP proxy mode.
Cisco describes a WLC running DHCP proxy mode like so:
The controller modifies and relays all DHCP transactions to provide helper function and address certain security issues.
The controller’s virtual IP address is normally used as the source IP address of all DHCP transactions to the client. As a result, the real DHCP server IP address is not exposed in the air.
Turns out the ASA (in my case) did not like the DHCP request coming in. I needed to disable DHCP proxy mode which would essentially turn on what is referred to as DHCP bridging mode. This would allow the WLC to leave the DHCP packets unmodified and able to reach my ASA just as a normal request would, such as with my wired clients.
To disable DHCP proxy mode, you need to enter the configuration for the interface for your WLAN on your WLC you want to be affected. Once in the interface, you are looking for the following options:
Just like the photo shows, my WLC was on “Global”. I changed this to “Disabled”, hit apply, and reconnected to my WLAN from my test device. Once I checked my firewall DHCP bindings, I now showed my device in the table, with an assigned IP address. I was able to wirelessly browse the web and reach other devices.
So that’s that! If you are having an issue with a DHCP server not receiving and more accurately, understanding \ processing DHCP requests, give the DHCP proxy mode settings a shot. Disabling it and moving to DHCP bridge mode allowed my ASA to handle DHCP requests without issue. Give it a try if you run into this issue and comment below if it worked. Also please include what type of device you are using for a DHCP server. I’m curious what other devices require this setting to be disabled.