"Don't Use Our DHCP in Production" - Cisco rep to our Wireless guy, in regards to the WLC we're using for our guest wireless network.
:zomgwtfbbq:
Apparently, that DHCP in the WLC is not RFC compliant. :eek:
Fortunately, we have another solution to use, but there goes the easy one of just letting the WLC hand out IP addresses. It'll now relay DHCP back to our IP system, but we'll have to take an outage to make the switcheroo.
We've had a lot of issues with WLCs and DHCP. At times they just stop handing out IPs. We had a meeting a few weeks ago and the guy we were talking to was with a Cisco partner and super sharp. He also mentioned it was to be used for testing and not production.
Much better to wire your DHCP server into your guest WLAN :awesome:
At least he said "our" there and didn't say "don't use DHCP in production".
Honestly I wish more reps were that honest.
Quote from: dlots on June 05, 2015, 12:50:04 PM
At least he said "our" there and didn't say "don't use DHCP in production".
Honestly I wish more reps were that honest.
Coming from a previous engineering role, I feel your pain, as I'm sure many of us do. Hence, coming from that world and now being on the "other side" of it, I know exactly how it feels to be B.S.'d, and how untrusting I was of vendors in general. Knowing that, I try to be as honest and transparent as possible - more so than a sales guy might like, but meh, that's who I am. I myself as an engineer can understand if you don't have XYZ feature right now but intend to implement it by a certain date - and I appreciate it if you can be honest and upfront about it. What I don't like, and what will make me immediately blow you off in the future, is if I catch you lying to me to try and make a sale. I can't stand that stuff.
Anyway, I personally, and I think a lot of engineers can respect and appreciate honesty - even if it's about something they don't want to hear.
More fun... but we may have things fixed when we kill off the Cisco DHCP entirely. When we had Cisco DHCP for one SSID and our internal DHCP for another, things still went badly. Moving the anchor for the internal DHCP to another controller that didn't run a DHCP scope of its own really cleared things up.
I'm thinking that, moral of the story... don't even use that Cisco DHCP for testing, man. It's bad stuff.
It's amazing how a vendor like Cisco can eff up a garden variety, well known, well documented and relatively simple protocol like DHCP.
So they can get pfr, fabricpath, vm-fex to work but freaking DHCP is not production worthy? WTF
Even having DHCP settings, but not active, messed things up. Total wtf-fest.
The intern needs to do something besides get the coffee. I can see the conversation now.
Fade into conference room Thursday morning...
Cisco Employee 1: Hey, we need to support DHCP on this platform. Who wants to write the code?
Cisco Employee 2: DHCP is easy, have the new intern do it. We can tell him when he gets back from the Starbucks run. I hope he got my order right this time.
:Enter Cisco Intern 1 carrying several Starbucks cups, and starts handing them out.
Cisco Employee 1: Intern, for your first coding work we need you to write a DHCP server. Nothing fancy, it just needs to hand out addresses, and stuff.
Cisco Intern 1: OK sir, I can do that. When do you need it by?
Cisco Employee 1: Oh, no rush. Take your time. We just need it before Friday.
Cisco Employee 2: What is this? I clearly asked for a double shot caramel frappuccino with 2% milk. This is obviously whole milk.
:Fade to black
-Otanx
Which WLC platform are we talking about? And does this apply to their virtual WLC as well?
Our issues have been on all platforms we have used so far. We have 2100/2500/4400/5500 series controllers and all have had the same issues. We have never used the virtual but I would imagine it has the same issues.
For us, it's all hardware, 8500s and 5500s.
Probably not compliant because it uses a virtual IP to hand out the addresses of 1.1.1.1?
IP 1.1.1.1 is now owned by someone, apparently. I'm still using 1.1.1.1, though. (couldn't find a middle finger emoticon. Consider the text within these brackets as a middle finger to "the man")
;)
Quote from: Dieselboy on August 11, 2015, 01:33:29 AM
Probably not compliant because it uses a virtual IP to hand out the addresses of 1.1.1.1?
IP 1.1.1.1 is now owned by someone, apparently. I'm still using 1.1.1.1, though. (couldn't find a middle finger emoticon. Consider the text within these brackets as a middle finger to "the man")
;)
The 1.1.1.1 part is sketchy to start with, but the actual handing out of addresses is what really breaks down.
This was us as we watched it fail in a debug. VVV
:hankhill:
Cisco WLCs use 1.1.1.1 by default for the guest captive portal.
Kinda OT buuut.. HP's ex-Colubris MSM wireless controllers' guest captive portal used a hardcoded 123.123.123.123 as the response to all DNS queries. Owned by China Unicom, this tripped quite a few security bells at some companies...
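An added detection example, not code from the thread or from HP or Cisco: a Python check that runs over constructed DNS query-log lines and flags a public address that answers many unrelated names, which is the pattern a hardcoded reply like 123.123.123.123 produces in resolver logs. The log format, the `expected_portal_ips` parameter (where an operator would list the WLC's own 1.1.1.1 portal address so it is reported as expected rather than as a surprise) and the sample addresses are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample DNS query log (not from the thread): time, client, qname, type, answer.
# The first four lines mimic a captive portal answering every name with one public address.
SAMPLE_LOG = """\
2015-08-12T06:29:01 10.20.1.15 www.example.com A 123.123.123.123
2015-08-12T06:29:02 10.20.1.15 mail.example.net A 123.123.123.123
2015-08-12T06:29:02 10.20.1.22 cdn.example.org A 123.123.123.123
2015-08-12T06:29:03 10.20.1.22 update.example.org A 123.123.123.123
2015-08-12T06:29:04 10.20.1.30 intranet.corp.example A 10.0.5.8
2015-08-12T06:29:05 10.20.1.31 www.example.com A 203.0.113.10
2015-08-12T06:29:06 10.20.1.31 login.corp.example A 10.0.5.8
"""


def parse_dns_log(text):
    """Return (client, qname, answer) tuples for A-record lines; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "A":
            continue
        try:
            ipaddress.ip_address(parts[4])
        except ValueError:
            continue
        records.append((parts[1], parts[2].lower(), parts[4]))
    return records


def find_dns_sinkholes(records, expected_portal_ips=(), min_names=3):
    """Flag public answer IPs that were returned for many distinct names.

    A normal resolver rarely maps many unrelated names to one public address; a captive
    portal that intercepts DNS does exactly that. Private/reserved answers are ignored, and
    addresses the operator expects (its own portal IP) are marked rather than hidden.
    """
    names_by_answer = defaultdict(set)
    clients_by_answer = defaultdict(set)
    for client, qname, answer in records:
        names_by_answer[answer].add(qname)
        clients_by_answer[answer].add(client)

    findings = []
    for answer, names in names_by_answer.items():
        if len(names) < min_names or not ipaddress.ip_address(answer).is_global:
            continue
        findings.append({
            "answer": answer,
            "distinct_names": len(names),
            "clients": sorted(clients_by_answer[answer]),
            "expected": answer in expected_portal_ips,
        })
    return sorted(findings, key=lambda f: -f["distinct_names"])
```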
Quote from: Dieselboy on August 11, 2015, 01:33:29 AM
Consider the text within these brackets as a middle finger to "the man")
;)
usually
m!m
Quote from: ristau5741 on August 12, 2015, 07:41:52 AM
Quote from: Dieselboy on August 11, 2015, 01:33:29 AM
Consider the text within these brackets as a middle finger to "the man")
;)
usually
m!m
Deanwebb realizes that he doesn't have enough smileys:
:frustration:
Quote from: srg on August 12, 2015, 06:29:32 AM
Kinda OT buuut.. HP's ex-Colubris MSM wireless controllers' guest captive portal used a hardcoded 123.123.123.123 as the response to all DNS queries. Owned by China Unicom, this tripped quite a few security bells at some companies...
Hey, just FYI, the guy on the first Google hit has the same avatar as you!
http://h30499.www3.hp.com/t5/MSM-Series/Access-Controller-VSC-DNS-reply-123-123-123-123/td-p/5796025#.Vcyog_lRIjM
:zomgwtfbbq:
Quote from: SimonV on August 13, 2015, 09:25:15 AM
Quote from: srg on August 12, 2015, 06:29:32 AM
Kinda OT buuut.. HP's ex-Colubris MSM wireless controllers' guest captive portal used a hardcoded 123.123.123.123 as the response to all DNS queries. Owned by China Unicom, this tripped quite a few security bells at some companies...
Hey, just FYI, the guy on the first Google hit has the same avatar as you!
http://h30499.www3.hp.com/t5/MSM-Series/Access-Controller-VSC-DNS-reply-123-123-123-123/td-p/5796025#.Vcyog_lRIjM
:zomgwtfbbq:
Yeah I wonder why... ;)
So yesterday we moved our guest networks to a public DNS. Captive portal stopped working, so we had to add a record for 1.1.1.1 on our public DNS as a quick fix :wall: