DHCP servers on separate VLANs

Hi there, I'm planning to build up a LAN made up of:

5 Catalyst 2950G-EI
1 Catalyst 3508G
1 PIX 506e
1 router 1721 with ADSL module

If the following description of my plans is wrong in any part, please correct me.

The center of the network is the 3508 to which all 2950G are connected using fibre cables. The router (that accesses the internet) is connected by a crossed cable to the PIX. The PIX is connected to one of the 2950. All ports of each 2950 are assigned to separate VLANs (so I have 5 VLANs). Every VLAN accesses the internet using a subinterface on the PIX (so I have 5 sub-if on the pix [question: does the PIX support these 5 subif?]). All PCs connected to my network are Windows based and their IP addresses are assigned manually to the NIC. Each VLAN has a separate addressing space:

VLAN 1: 10.155.251.0/24
VLAN 2: 10.155.252.0/24
VLAN 3: 10.155.253.0/24
VLAN 4: 10.155.254.0/24
VLAN 5: 10.155.255.0/24

There is no intraVLAN routing.

I would like to know if it is possible to have a DHCP server for each VLAN, using only the components I listed above. Maybe there's a way to activate this service on each sub-if of the pix.... Or maybe on each 2950G (Enhanced Image)... Any hint is highly appreciated by a newbie :-) Thanks

Raffaele

blu_aqua

Hello,

You do not need to do anything, DHCP will only grant the IP addresses according to the scope it has configured and the giaddr of the relaying interface. Let's say that a DHCP discover (from one of your PCs) goes into the 2950 which is configured to do DHCP relay to the PIX or any other DHCP server or is serving as a DHCP server itself. The DHCP will look in its available scopes and will only grant an IP address compatible with the relaying or receiver interface. I hope this helps, let us know.

<Anthrax>
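
The scope selection by giaddr described in the reply above, as an added example that is not part of the original thread. It assumes the RFC 2131 BOOTP header layout (giaddr at byte offset 24) and uses the five subnets from the first post; the function names, the sample packet and the receiving-interface addresses are constructed for illustration.

```python
import ipaddress
import struct

# Scopes taken from the address plan in the first post (one /24 per VLAN).
SCOPES = {
    "VLAN 1": ipaddress.ip_network("10.155.251.0/24"),
    "VLAN 2": ipaddress.ip_network("10.155.252.0/24"),
    "VLAN 3": ipaddress.ip_network("10.155.253.0/24"),
    "VLAN 4": ipaddress.ip_network("10.155.254.0/24"),
    "VLAN 5": ipaddress.ip_network("10.155.255.0/24"),
}

BOOTP_HEADER_LEN = 236  # fixed header size before the options field


def build_discover(giaddr="0.0.0.0"):
    """Constructed sample: a minimal DHCPDISCOVER as a relay would forward it."""
    mac = bytes.fromhex("020000000001")  # constructed client MAC
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                    # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        0x12345678, 0, 0x8000,         # xid, secs, flags (broadcast bit)
        bytes(4), bytes(4), bytes(4),  # ciaddr, yiaddr, siaddr
        ipaddress.ip_address(giaddr).packed,  # giaddr, filled in by the relay
        mac, bytes(64), bytes(128),    # chaddr, sname, file
    )
    # Magic cookie, option 53 (message type) = 1 (DISCOVER), end option.
    return header + bytes([99, 130, 83, 99, 53, 1, 1, 255])


def select_scope(packet, receiving_if_ip):
    """Return the scope name a server would allocate from, or None."""
    if len(packet) < BOOTP_HEADER_LEN:
        raise ValueError("truncated BOOTP header")
    giaddr = ipaddress.ip_address(packet[24:28])
    # giaddr 0.0.0.0 means the broadcast arrived directly (no relay), so the
    # address of the interface that received it decides the scope instead.
    key = ipaddress.ip_address(receiving_if_ip) if giaddr.is_unspecified else giaddr
    for name, net in SCOPES.items():
        if key in net:
            return name
    return None  # no scope matches: the server makes no offer


if __name__ == "__main__":
    print(select_scope(build_discover("10.155.253.1"), "10.155.251.1"))
    print(select_scope(build_discover(), "10.155.252.1"))
```
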

Notice he said that no intranet routing was being done. Without the vlan routing to each other, then the DHCP requests will not make it to the DHCP server for it to offer the address across the vlans. Thus multiple DHCP servers would be needed.

Anthrax wrote:

CiscoTech

Ok thanks, I will activate DHCP server on each 2950. I found complete documentation about this here:

formatting link
The big problem is that I just realized (please correct me if I'm wrong) that I can't let all the PCs access the internet if I don't do interVLAN routing (and I can't with the hardware I have). In fact the PIX 506E (software version 6.3) has only 2 physical interfaces and the possibility to create 2 logical interfaces. So I can't let all the 5 VLANs access the internet through a sub-if on the PIX. Considering that I need one physical interface of the PIX for the "outside", I have only 3 interfaces to deal with (1 physical + 2 logical)...so I can create only 3 VLANs if I want all the VLANs to access the internet...am I correct? Thanks

Raffaele

"CiscoTech" wrote in message news:meUke.15459$ snipped-for-privacy@fe06.lga...

blu_aqua

Certainly didn't notice that, you are right. However one DHCP server with different scopes configured for all VLANs should be enough if the 2950 is the DHCP server (or different DHCP servers located in each different VLAN because there's no intervlan routing if it is a different server). Sorry, next time will be more careful reading the post :). Will try to redeem my errors..

:Every VLAN accesses the internet using a subinterface on the PIX (so I have
:5 sub-if on the pix [question: does the PIX support these 5 subif?]).

As far as I know, your HW does not provide support for VLANs...

formatting link
" Note The PIX 501 and PIX 506/506E do not provide support for VLANs. "

and subinterfaces were not introduced prior to version 7

formatting link
" In PIX Version 7.0, the interface CLI and related commands are enhanced to be hierarchical. The concepts of `main interface,' such as Ethernet0, and `subinterface,' such as Ethernet0.10, are introduced. "

plus only version 7 can route a packet back to same interface it was received.

:The big problem is that I just realized (please correct me if I'm wrong)
:that I can't let all the PC access the internet if I don't do interVLAN
:routing (and I can't with the hardware I have).

Well, seems to me you need to do intervlan routing, the PIX will not do it for you (at least not in the current version you have and not sure about the HW, sorry not security expert :( ). My suggestion will be to put the 1721 between the switches and the PIX to do intervlan routing and configure the PIX for DSL.

Anybody have other thoughts?? :)

<Anthrax>
