Noob VLAN Question

angel-moon
Level 3

Hello All,

I know this is a basic question, but can someone tell me how, in an environment with multiple VLANs, I restrict clients to only getting IP addresses from a Windows DHCP server in the VLAN that they belong to? I know we can set up multiple DHCP scopes on the server, but how do we restrict them?

Thanks in advance. All replies rated!

1 Accepted Solution

Accepted Solutions

Angel

If the DHCP request is from a machine in the local subnet then the DHCP server will offer an IP address in the local subnet. If the DHCP request is from a remote subnet then it will have been sent through a gateway (in IOS that is a device configured with ip helper-address pointing to the DHCP server). For a remote request the DHCP server looks at the gateway address and chooses the scope that matches the subnet of the gateway address. The restriction is built in and you do not have to do anything to get the restriction to work.

HTH

Rick

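As an added illustration of the scope selection Rick describes (this is example code, not from the thread or from the Windows DHCP server), the Python below assumes three constructed scopes and a constructed server address, and picks the scope from the relay agent address field (giaddr) of the request, which is 0.0.0.0 for a local request and the ip helper-address gateway's interface address for a relayed one:

```python
from ipaddress import ip_address, ip_network, IPv4Address

# Constructed scopes, standing in for the scopes configured on the DHCP server.
SCOPES = {
    "VLAN10": ip_network("10.1.10.0/24"),
    "VLAN20": ip_network("10.1.20.0/24"),
    "VLAN30": ip_network("10.1.30.0/24"),
}

# Assumption: the DHCP server's own interface sits in VLAN 10.
SERVER_ADDRESS = ip_address("10.1.10.5")


def select_scope(giaddr, scopes=SCOPES, server_address=SERVER_ADDRESS):
    """Return the name of the scope a request is answered from, or None.

    giaddr is the relay agent address of the DHCP request: 0.0.0.0 when
    the broadcast arrived directly on the server's own subnet, otherwise
    the address of the gateway interface that relayed it (the interface
    carrying the ip helper-address command on an IOS device).
    """
    giaddr = ip_address(giaddr)
    # Local request: use the scope that covers the server's own subnet.
    # Relayed request: use the scope that covers the gateway's subnet.
    key = server_address if giaddr == IPv4Address("0.0.0.0") else giaddr
    for name, network in scopes.items():
        if key in network:
            return name
    # No scope covers that subnet: the server has nothing to offer,
    # so a client relayed from an unconfigured VLAN gets no lease.
    return None


if __name__ == "__main__":
    # Constructed requests: one local, two relayed, one from a VLAN with no scope.
    for giaddr in ("0.0.0.0", "10.1.20.1", "10.1.30.1", "192.168.99.1"):
        print(giaddr, "->", select_scope(giaddr))
```

A client in VLAN 20 can therefore never be offered a VLAN 10 address: the gateway address stamped on its relayed request only ever matches the VLAN 20 scope.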

4 Replies

wil_amaya
Level 1

Hello.

When you configure a switchport that has a workstation connected to it, you tell it what VLAN it belongs to. For example:

switchport mode access

switchport access vlan 10

The commands above say you are an access port and you belong to VLAN 10. Now, if you want to be able to assign a VLAN based on group membership or some other attribute, then you can do dynamic VLANning, but that's another can of worms.


Hi,

You might want to take a look at "ip helper-address" also.

http://www.cisco.com/en/US/docs/ios/12_3t/ip_addr/command/reference/ip1_i1gt.html#wp1169356

Regards,

Guilherme

xcz504d1114
Level 4

Rburts was absolutely correct, a DHCP request is a broadcast, and by default routers do not pass broadcasts.

A broadcast is a packet sent to all devices in a network.

A unicast is a packet sent to a single device in a network.

A VLAN is considered a broadcast domain, so all broadcasts that originate within a VLAN will not be sent to any other VLANs.

Without going into silly situations and keeping this simple, the only way to pass a DHCP broadcast from one VLAN to another VLAN is by the use of an ip helper address (as Rburts mentioned). The IP helper address turns the broadcast into a unicast destined to your DHCP server.

Aside from the simple logic, I wanted to make sure you weren't talking about using DHCP snooping. DHCP snooping allows you to specify what servers are allowed to reply to DHCP requests.

DHCP snooping is a security measure that can be combined with IP source guard and dynamic ARP inspection.

DHCP snooping prevents unwanted DHCP servers from handing your PCs IP addresses, and helps mitigate man-in-the-middle attacks.

HTH,

Craig
