Jacques Laroche
Setting up Cisco APs on VLAN with pfSense as DHCP Server

Background:
I'm helping a small school with limited resources set up some Cisco APs in their network. We want to keep the wireless devices outside of our internal network via a separate VLAN. I've had difficulty setting up this environment and could use some help.

Equipment:
Some older Cisco 720i APs
A handful of old Cisco Catalyst 2960 switches
An APU2C4 appliance running pfSense acting as our router/firewall

What I tried:
I don't have much experience with the Cisco CLI, so I've been trying to set up as much as possible on the APs themselves via their web interface. APs have VLANs set up with an open SSID. I tried associating the ports these APs are connected to on the Catalyst 2960 switches with the VLAN we want to use. I also tried to use DHCP Relay (or "IP Helpers" in Cisco-speak) on the pfSense appliance and set up IP helpers on the APs, but I really have no idea what I'm doing at that point.

Any advice on how to actually get this done? Commands and step by step guidance would be greatly appreciated.
Mal Osborne

The topology here is not specified well enough to provide a solution, and there are several ways you could do this, but here are a couple of pointers that may help:

1. The Cisco 2960 switch itself can be used as a DHCP server. That is an option that may be worth considering. This switch of course needs to be configured via a CLI, and configuration is not just a matter of checking boxes; however, a LOT of help is available online, and only a couple of lines are required for a simple DHCP setup. Here is a discussion with some links that may be helpful: https://supportforums.cisco.com/t5/lan-switching-and-routing/2960-be-a-dhcp-server/td-p/677936


2. A DHCP relay agent is used to allow machines to get a lease from a DHCP server outside of the local broadcast domain. When a DHCP client needs to lease a new address, it uses broadcasts to locate a DHCP server. Thus, it can only use a server on the local VLAN. If your APU2C4 or any other device that can act as a DHCP server is configured onto the same VLAN, this can work. Otherwise, a DHCP relay agent will intercept such broadcasts and send them on as a unicast message to a specified DHCP server. Thus, you might have 4 PCs on a LAN in a small office, and have the DHCP server in a server room at the head office, on the other end of a site-to-site VPN. Here is some info from Cisco on how it works, with config examples: https://www.cisco.com/c/en/us/td/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/routing_bridging/guide/rtbrgdgd/dhcp.html



3. If you decide to use a DHCP server on a different VLAN, you just need one DHCP relay somewhere. Although the WAPs may support this, it is probably better not to use one of those. If you did, DHCP would no longer work when the device was offline.

4. There is no point configuring a DHCP relay on the APU2C4 if you want it to be a DHCP server. That would be a misconfiguration, and I don't know what would happen, to be honest. The DHCP server would try to respond to the broadcasts and give the client an IP address, while the DHCP relay would try to send the request elsewhere.

5. Probably the best place to install a DHCP relay would be on the switch, IF you want to use a DHCP server in a different VLAN. The switch will nearly always be up, and if it was dead DHCP would be the least of your problems.

6. If it is all too hard, there is always the option of manually configuring IP addresses for the WAPs. In a corporate environment, switches, servers, routers and printers are generally given a manual address, documented somewhere. Client PCs usually rely on DHCP. WAPs could be done either way; I would generally set IPs on these manually.
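As an added example (not from the thread, and not the switch's own configuration), here is a Catalyst 2960 configuration for the approach in point 2 where pfSense sits on the same VLAN as the wireless clients and serves DHCP itself, so no relay is needed anywhere. VLAN 20, the 192.168.20.0/24 range, the port numbers and the pfSense menu names are assumptions for illustration.

```cisco
! Added example for a Catalyst 2960 (not from the original thread).
! Assumptions: guest wireless VLAN is 20 (192.168.20.0/24), pfSense's LAN
! port is on Gi0/1, the AP is on Fa0/10. The AP's own management address
! stays on the native VLAN 1; only the open SSID is mapped to VLAN 20 on the AP.
!
vlan 20
 name WIRELESS-GUEST
!
! Uplink to the pfSense APU2C4: VLAN 20 is carried tagged next to VLAN 1,
! so pfSense can hold a VLAN 20 interface and answer DHCP on it directly
! (no relay on pfSense, per point 4 above).
interface GigabitEthernet0/1
 description Uplink to pfSense
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,20
!
! Port to the AP: management untagged on VLAN 1, guest SSID tagged on VLAN 20.
interface FastEthernet0/10
 description Cisco AP
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,20
!
! Wired school PCs stay on plain access ports in VLAN 1, so guest wireless
! traffic never reaches them at layer 2.
interface range FastEthernet0/2 - 9
 switchport mode access
 switchport access vlan 1
!
! Optional hardening: DHCP snooping lets only the pfSense uplink answer DHCP
! on the guest VLAN, so a client on the open SSID cannot act as a rogue server.
ip dhcp snooping
ip dhcp snooping vlan 20
interface GigabitEthernet0/1
 ip dhcp snooping trust
!
! pfSense side (web GUI, nothing on the CLI):
!  - Interfaces > Assignments > VLANs: add tag 20 on the LAN parent interface,
!    assign it as a new interface (e.g. "GUEST"), static IPv4 192.168.20.1/24
!  - Services > DHCP Server > GUEST: enable, range 192.168.20.100 - 192.168.20.200
!  - Leave DHCP Relay disabled for this interface (pfSense is the server here)
!  - Firewall > Rules > GUEST: block GUEST net -> LAN net first, then allow
!    GUEST net -> any, so guests reach the internet but not the school LAN
```

Check the result from a wireless client with `ipconfig`/`ip addr`: a lease in 192.168.20.x with gateway 192.168.20.1 confirms the tagging chain AP -> switch -> pfSense is intact.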