ExtremeWireless (WiNG)


DHCP only on radio interfaces

  • 1.  DHCP only on radio interfaces

    Posted 07-26-2017 12:08
    I need to deploy several AP7502 units (WiNG 5.9) with Mesh MCX, where the VC is the DHCP server. Only the VC has an ETH link.
    I need the DHCP responses only on the wireless side.
    Question:
    How can I block the DHCP from crossing the GE1?
    Thanks



  • 2.  RE: DHCP only on radio interfaces

    Posted 07-26-2017 12:25
    Hi Aviv,

    you assign DHCP policy per VLAN, not physical interface.

    So then you shall create an ACL blocking UDP/68 incoming on GE1 and that's it.
    Here is an example blocking DHCP Discover on GE1:

    VX(config-ip-acl-NO-DHCP-FROM-GE)#show context
    ip access-list NO-DHCP-FROM-GE
    deny udp any eq 68 any eq dhcps rule-precedence 5
    VX(config-profile-default-ap7562-if-ge1)#show context
    interface ge1
    switchport mode trunk
    switchport trunk native vlan 88
    no switchport trunk native tagged
    switchport trunk allowed vlan 88,99
    use ip-access-list in NO-DHCP-FROM-GE

    So in translation - incoming traffic will be examined by ACL NO-DHCP-FROM-GE and it will deny packets matching source UDP port 68.
    At the same time AP will still be able to request IP address from external DHCP server as ACL is mapped to inbound direction only.

    You can definitely do it with a different range - this is just an example.

    Regards,
    Ondrej


  • 3.  RE: DHCP only on radio interfaces

    Posted 07-26-2017 12:25
    But will the VC be able to assign IP addresses to clients on other APs through MCX? There is VLAN 1 only.


  • 4.  RE: DHCP only on radio interfaces

    Posted 07-26-2017 12:25
    Hi Aviv,

    MCX will bring DHCP Discover over wireless interface.
    This won't be passed over to GE1 (inbound direction).

    Also, as shown the ACL is assigned to GE1 port, not a particular VLAN.

    Regards,
    Ondrej


  • 5.  RE: DHCP only on radio interfaces

    Posted 07-26-2017 12:25
    Many thanks!!!!


  • 6.  RE: DHCP only on radio interfaces

    Posted 07-26-2017 12:25
    Ondrej,

    I just did not understand why we call it "inbound direction", although it seems to be filtering in the out direction in my opinion. Additionally, we don't have the option to filter the out direction of GE.
    Also, although it is filtering DHCP on the VLAN, why will it still forward DHCP Discover over the wireless interface?
    Can I find some information about internal bridging interface processes (radios, ge, bridge, svi, vlans) of the WING5 access points to understand better how it works?
    Sorry, but I just try to understand the logic.

    Thanks,
    Aviv



  • 7.  RE: DHCP only on radio interfaces

    Posted 07-26-2017 12:25
    Hi Aviv,

    let me show something then:

    VX(config-ip-acl-NO-ICMP)#show context
    ip access-list NO-ICMP
    deny icmp any any rule-precedence 5
    VX(config-profile-default-ap7562-if-ge1)#show context
    interface ge1
    switchport mode trunk
    switchport trunk native vlan 88
    no switchport trunk native tagged
    switchport trunk allowed vlan 88,99
    use ip-access-list in NO-ICMP

    Then, trying to ping this host from its adopting controller, this is what I see as deny - the I means inbound direction:

    AP#service pktcap on deny filter not mint
    Capturing up to 50 packets. Use Ctrl-C to abort.
    1 9:24:54.304425 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 1, length 108, DF, DSCP 0
    2 9:24:55.305571 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 2, length 108, DF, DSCP 0
    3 9:24:56.305600 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 3, length 108, DF, DSCP 0
    4 9:24:57.305576 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 4, length 108, DF, DSCP 0
    5 9:24:58.305581 I "NO-ICMP:ip"/0 ICMP: 192.168.7.205 > 88.88.88.88 echo request, id 26268, seq 5, length 108, DF, DSCP 0

    However, FROM the AP you are able to ping the controller, as this is an outbound request:

    AP#ping 192.168.7.205
    PING 192.168.7.205 (192.168.7.205) 100(128) bytes of data.
    108 bytes from 192.168.7.205: icmp_seq=1 ttl=63 time=0.596 ms
    108 bytes from 192.168.7.205: icmp_seq=2 ttl=63 time=0.496 ms

    I am not sure about the system architecture, but I consider the interface "bridge" as a bus between GEs, VLANs and RADIOs. However, your request was not to respond to DHCP discoveries incoming from the wired side - this is done by dropping traffic with source port UDP 68.

    Does it make sense?

    Regards,
    Ondrej



  • 8.  RE: DHCP only on radio interfaces

    Posted 07-26-2017 12:25
    Hi Ondrej,
    Firstly, your rule with the addition of "allow all traffic precedence 100" is working well.
    I understood why we are filtering incoming traffic.
    The DHCP server just doesn't receive the IP requests from the clients on the ETH side :)
    This is genius!
    Thank you
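The ACL behaviour Ondrej walks through in posts 2 and 7 (an ACL bound inbound on ge1 only, rules matched in precedence order, the catch-all permit Aviv added in post 8) as an added Python model of the forwarding decision. This is not WiNG code and not from the thread; the implicit deny when no rule matches is an assumption inferred from the precedence-100 permit being needed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

DHCP_CLIENT = 68   # "eq 68": source port of a DHCP Discover/Request
DHCP_SERVER = 67   # "dhcps": destination port of the same packet

@dataclass(frozen=True)
class Rule:
    precedence: int         # rule-precedence N, lower is evaluated first
    action: str             # "permit" or "deny"
    proto: Optional[str]    # None matches any protocol
    sport: Optional[int]    # None matches any source port
    dport: Optional[int]    # None matches any destination port

@dataclass(frozen=True)
class Packet:
    iface: str      # "ge1" or "radio"
    direction: str  # "in" = arriving on iface, "out" = leaving via iface
    proto: str
    sport: int = 0
    dport: int = 0

# Post 2: "deny udp any eq 68 any eq dhcps rule-precedence 5", plus the
# catch-all permit at precedence 100 that post 8 reports adding.
NO_DHCP_FROM_GE: List[Rule] = [Rule(5, "deny", "udp", DHCP_CLIENT, DHCP_SERVER),
                               Rule(100, "permit", None, None, None)]
# Post 7: "deny icmp any any rule-precedence 5", with the same catch-all.
NO_ICMP: List[Rule] = [Rule(5, "deny", "icmp", None, None),
                       Rule(100, "permit", None, None, None)]

def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First match in precedence order wins; no match is dropped (assumed implicit deny)."""
    for r in sorted(acl, key=lambda rule: rule.precedence):
        if all(want is None or want == have for want, have in
               ((r.proto, pkt.proto), (r.sport, pkt.sport), (r.dport, pkt.dport))):
            return r.action
    return "deny"

def verdict(pkt: Packet, inbound_acl: Dict[str, List[Rule]]) -> str:
    """'use ip-access-list in <ACL>' binds an ACL to one interface, inbound only:
    traffic arriving on any other interface, or leaving via this one, is never checked."""
    acl = inbound_acl.get(pkt.iface)
    if acl is None or pkt.direction != "in":
        return "permit"
    return evaluate(acl, pkt)

GE1_DHCP = {"ge1": NO_DHCP_FROM_GE}   # the binding from post 2
GE1_ICMP = {"ge1": NO_ICMP}           # the binding from post 7
```

A Discover from the wired side is dropped on entry, a Discover arriving over MCX on the radio never meets the ge1 ACL, and the AP's own DHCP request leaving ge1 (and the Offer coming back with source port 67) both pass.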