Noob VLAN Question

Answered Question
Jun 29th, 2009

Hello All,



I know this is a basic question, but can someone tell me how, in an environment with multiple VLANs, I restrict clients to only getting IP addresses via a Windows DHCP server that is in the VLAN that they belong to? I know we can set up multiple DHCP scopes on the server, but how do we restrict them?



Thanks in advance. All replies rated!


wil_amaya Mon, 06/29/2009 - 09:10

Hello.


When you configure a switchport that has a workstation connected to it, you tell it what vlan it belongs to. For example


switchport mode access

switchport access vlan 10


The commands above say you are an access port and you belong to vlan 10. Now, if you want to be able to assign a vlan based on group membership or some other attribute, then you can do dynamic vlanning, but that's another can of worms.

Correct Answer
Richard Burts Mon, 06/29/2009 - 10:11

Angel


If the DHCP request is from a machine in the local subnet then the DHCP server will offer an IP address in the local subnet. If the DHCP request is from a remote subnet then it will have been sent through a gateway (in IOS that is a device configured with ip helper-address pointing to the DHCP server). For a remote request the DHCP server looks at the gateway address and chooses the scope that matches the subnet of the gateway address. The restriction is built in and you do not have to do anything to get the restriction to work.


HTH


Rick

xcz504d1114 Mon, 06/29/2009 - 11:53

Rburts was absolutely correct, a DHCP request is a broadcast, and by default routers do not pass broadcasts.


A broadcast is a packet sent to all devices in a network.


A unicast is a packet sent to a single device in a network.


A VLAN is considered a broadcast domain, so all broadcasts that originate within a VLAN will not be sent to any other VLANs.


Without going into silly situations and keeping this simple, the only way to pass a DHCP broadcast from one VLAN to another VLAN is by the use of an ip helper address (as Rburts mentioned). The IP helper address turns the broadcast into a unicast destined to your DHCP server.


Aside from the simple logic, I wanted to make sure you weren't talking about using DHCP snooping. DHCP snooping allows you to specify what servers are allowed to reply to DHCP requests.


DHCP snooping is a security measure that can be combined with IP source guard and dynamic ARP inspection.


DHCP snooping prevents unwanted DHCP servers from handing your PCs IP addresses, and helps mitigate man-in-the-middle attacks.


HTH,

Craig
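The two mechanisms described in this thread, Rick's point that the server picks the scope from the relay agent address (giaddr) written in by ip helper-address, and Craig's point that DHCP snooping only accepts server replies on trusted ports, can be modelled in a few dozen lines. The Python below is an added example and is not code from the thread or from any Cisco or Windows product. The DHCP messages, scopes, addresses and port trust states are constructed sample data; the server/switch logic is a simplified model of the behaviour the replies describe, not a real implementation of either.

```python
"""Added example: how a DHCP server chooses a scope from giaddr, and the
port-trust rule a DHCP-snooping switch applies. All packets, scopes and
trust states below are constructed sample data, not captures."""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 options magic cookie
BOOTREQUEST, BOOTREPLY = 1, 2
SERVER_MESSAGES = {2: "OFFER", 5: "ACK", 6: "NAK"}   # option 53 values only a server sends


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header plus option 53 (message type)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    # ciaddr, yiaddr, siaddr, giaddr are consecutive 4-byte fields at offset 12
    ciaddr, _yiaddr, _siaddr, giaddr = (
        ipaddress.IPv4Address(payload[o:o + 4]) for o in (12, 16, 20, 24))
    chaddr = payload[28:28 + hlen]
    msg_type, i = None, 240
    while i < len(payload):                 # walk TLV options until END (255)
        code = payload[i]
        if code == 255:
            break
        if code == 0:                       # PAD option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        if code == 53 and length == 1:
            msg_type = payload[i + 2]
        i += 2 + length
    return {"op": op, "xid": xid, "hops": hops, "ciaddr": ciaddr,
            "giaddr": giaddr, "chaddr": chaddr.hex(":"), "msg_type": msg_type}


def select_scope(msg: dict, server_iface: ipaddress.IPv4Interface, scopes):
    """Pick the scope a server would lease from.

    giaddr == 0.0.0.0 means the broadcast arrived on the server's own subnet,
    so the receiving interface selects the scope. A non-zero giaddr was written
    by the relay (ip helper-address) and selects the scope containing it. This
    is the built-in restriction from the thread: the relay's address, not
    anything the client sends, decides which scope is consulted."""
    key = msg["giaddr"] if int(msg["giaddr"]) != 0 else server_iface.ip
    for scope in scopes:
        if key in scope:
            return scope
    return None


def snooping_verdict(msg: dict, port_trusted: bool) -> str:
    """Model the core DHCP-snooping rule (simplified, not the full feature).

    Server-originated messages are accepted only on trusted ports (the uplink
    toward the relay or server). Client messages pass on untrusted ports, but a
    packet with a non-zero giaddr from an untrusted port is dropped, since an
    end host should never present itself as a relay."""
    if msg["op"] == BOOTREPLY or msg["msg_type"] in SERVER_MESSAGES:
        return "forward" if port_trusted else "drop: server message on untrusted port"
    if not port_trusted and int(msg["giaddr"]) != 0:
        return "drop: non-zero giaddr on untrusted port"
    return "forward"


def build_dhcp(op: int, msg_type: int, chaddr: bytes, giaddr="0.0.0.0", xid=0x1234) -> bytes:
    """Construct a minimal DHCP message for the demo (constructed data)."""
    relayed = giaddr != "0.0.0.0"
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 1 if relayed else 0, xid, 0, 0x8000)
    addrs = b"\x00" * 12 + ipaddress.IPv4Address(giaddr).packed   # ciaddr/yiaddr/siaddr zero
    body = chaddr.ljust(16, b"\x00") + b"\x00" * (64 + 128)        # chaddr, sname, file
    return hdr + addrs + body + DHCP_MAGIC + bytes([53, 1, msg_type, 255])


def demo() -> dict:
    """Two VLAN scopes; server lives in VLAN 10, VLAN 20 reaches it via a relay."""
    scopes = [ipaddress.IPv4Network("10.10.0.0/24"), ipaddress.IPv4Network("10.20.0.0/24")]
    server_iface = ipaddress.IPv4Interface("10.10.0.5/24")
    mac = bytes.fromhex("001122334455")
    local = parse_dhcp(build_dhcp(BOOTREQUEST, 1, mac))                    # DISCOVER, same subnet
    relayed = parse_dhcp(build_dhcp(BOOTREQUEST, 1, mac, giaddr="10.20.0.1"))  # via helper
    offer = parse_dhcp(build_dhcp(BOOTREPLY, 2, mac))                      # OFFER from a server
    return {
        "local_scope": str(select_scope(local, server_iface, scopes)),
        "relayed_scope": str(select_scope(relayed, server_iface, scopes)),
        "offer_on_access_port": snooping_verdict(offer, port_trusted=False),
        "offer_on_uplink": snooping_verdict(offer, port_trusted=True),
        "discover_on_access_port": snooping_verdict(local, port_trusted=False),
        "relayed_on_access_port": snooping_verdict(relayed, port_trusted=False),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The relayed DISCOVER lands in the 10.20.0.0/24 scope purely because the relay at 10.20.0.1 stamped its own address into giaddr, which is why no per-scope client restriction is needed on the server. The snooping model shows the complementary control on the access layer: an OFFER seen on an untrusted access port is dropped, while the same OFFER on the trusted uplink is forwarded.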
