06-29-2009 09:05 AM - edited 03-06-2019 06:30 AM
Hello All,
I know this is a basic question but can someone tell me how, in an environment with multiple VLANs, I restrict clients to only getting IP addresses via a Windows DHCP server that is in the VLAN that they belong to? I know we can set up multiple DHCP scopes on the server but how do we restrict them?
Thanks in advance. All replies rated!
06-29-2009 10:11 AM
Angel
If the DHCP request is from a machine in the local subnet then the DHCP server will offer an IP address in the local subnet. If the DHCP request is from a remote subnet then it will have been sent through a gateway (in IOS that is a device configured with ip helper-address pointing to the DHCP server). For a remote request the DHCP server looks at the gateway address and chooses the scope that matches the subnet of the gateway address. The restriction is built in and you do not have to do anything to get the restriction to work.
HTH
Rick
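Added worked example (not code from any reply in this thread) that models the mechanism Rick describes: the client's DHCPDISCOVER leaves with giaddr zero, the SVI configured with ip helper-address writes its own address into giaddr and forwards the packet as a unicast to the server, and the server then picks the scope whose subnet contains giaddr (or, for a locally received request, its own interface subnet). The scope layout, the server address 10.0.10.5 and the gateway addresses are constructed for the example.

```python
import ipaddress
import struct

# Constructed scopes, one per VLAN, as they would be defined on the Windows DHCP server.
SCOPES = {
    "VLAN10": ipaddress.ip_network("10.0.10.0/24"),
    "VLAN20": ipaddress.ip_network("10.0.20.0/24"),
    "VLAN30": ipaddress.ip_network("10.0.30.0/24"),
}
SERVER_IP = "10.0.10.5"  # assumed: the server's own interface sits in VLAN 10

# Fixed BOOTP header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file = 236 bytes.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
HOPS_OFFSET = 3
GIADDR_OFFSET = 24
ZERO_IP = b"\x00" * 4


def build_discover(client_mac: bytes, xid: int = 0x1234) -> bytes:
    """DHCPDISCOVER as the client broadcasts it: giaddr is zero, hops is zero."""
    header = struct.pack(
        BOOTP_FMT,
        1, 1, 6, 0,          # BOOTREQUEST, Ethernet, 6-byte hw address, hops=0
        xid, 0, 0x8000,      # xid, secs, flags (broadcast bit set)
        ZERO_IP, ZERO_IP, ZERO_IP, ZERO_IP,   # ciaddr, yiaddr, siaddr, giaddr
        client_mac.ljust(16, b"\x00"),
        b"\x00" * 64, b"\x00" * 128,
    )
    # magic cookie, option 53 (message type) = 1 (DISCOVER), end option
    return header + b"\x63\x82\x53\x63" + bytes([53, 1, 1]) + b"\xff"


def relay(packet: bytes, gateway_ip: str, helper_address: str):
    """Model of what an interface with `ip helper-address` does with a DHCP
    broadcast: fill giaddr with its own address (only if still zero, so a
    second relay hop keeps the original), count the hop, and forward the
    packet as a unicast to the helper address. Returns (destination, packet)."""
    giaddr = packet[GIADDR_OFFSET:GIADDR_OFFSET + 4]
    if giaddr == ZERO_IP:
        giaddr = ipaddress.ip_address(gateway_ip).packed
    hops = bytes([packet[HOPS_OFFSET] + 1])
    rewritten = (packet[:HOPS_OFFSET] + hops
                 + packet[HOPS_OFFSET + 1:GIADDR_OFFSET]
                 + giaddr + packet[GIADDR_OFFSET + 4:])
    return helper_address, rewritten


def select_scope(packet: bytes, server_ip: str = SERVER_IP):
    """Server-side scope choice: a relayed request is matched on giaddr, a
    locally received one (giaddr zero) on the server's own interface subnet.
    Returns the scope name, or None when no scope covers that subnet."""
    giaddr = ipaddress.ip_address(packet[GIADDR_OFFSET:GIADDR_OFFSET + 4])
    anchor = ipaddress.ip_address(server_ip) if giaddr.packed == ZERO_IP else giaddr
    for name, network in SCOPES.items():
        if anchor in network:
            return name
    return None


if __name__ == "__main__":
    pkt = build_discover(b"\xaa\xbb\xcc\xdd\xee\x01")
    print("local request ->", select_scope(pkt))                        # VLAN10
    dst, relayed = relay(pkt, "10.0.20.1", SERVER_IP)
    print("via 10.0.20.1 ->", select_scope(relayed), "unicast to", dst)  # VLAN20
```

The last case in the script is the one that answers the original question: a request relayed by the VLAN 20 gateway can only ever be matched against the VLAN 20 scope, and a request arriving with a giaddr that no scope covers gets no offer at all, so there is nothing extra to configure on the server to keep clients in their own scope.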
06-29-2009 09:10 AM
Hello.
When you configure a switchport that has a workstation connected to it, you tell it what vlan it belongs to. For example
switchport mode access
switchport access vlan 10
This command above says you are an access port and you belong to vlan 10. Now, if you want to be able to assign a vlan based on the group membership or some other attribute then you can do dynamic vlanning but that's another can of worms.
06-29-2009 10:16 AM
Hi,
You might want to take a look at "ip helper-address" also.
http://www.cisco.com/en/US/docs/ios/12_3t/ip_addr/command/reference/ip1_i1gt.html#wp1169356
Regards,
Guilherme
06-29-2009 11:53 AM
Rburts was absolutely correct, a DHCP request is a broadcast, and by default routers do not pass broadcasts.
A broadcast is a packet sent to all devices in a network.
A unicast is a packet sent to a single device in a network.
A VLAN is considered a broadcast domain, so all broadcasts that originate within a VLAN will not be sent to any other VLANs.
Without going into silly situations and keeping this simple, the only way to pass a DHCP broadcast from one VLAN to another VLAN is by the use of an ip helper address (as Rburts mentioned). The IP helper address turns the broadcast into a unicast destined to your DHCP server.
Aside from the simple logic, I wanted to make sure you weren't talking about using DHCP snooping. DHCP snooping allows you to specify what servers are allowed to reply to DHCP requests.
DHCP snooping is a security measure that can be combined with IP source guard and dynamic ARP inspection.
DHCP snooping prevents unwanted DHCP servers from handing your PCs IP addresses, and helps mitigate man in the middle attacks.
HTH,
Craig
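Added example (not Craig's code and not a vendor implementation) of the DHCP snooping behaviour described above, as a small simulation of what the switch does with each DHCP message: server replies are only accepted on trusted ports, client messages on untrusted ports must carry an Ethernet source that matches chaddr, and a completed DISCOVER/REQUEST/ACK exchange populates the binding table that IP Source Guard and dynamic ARP inspection consult. The port names, VLAN number, MAC addresses and leases are constructed; the `ip_source_guard` method shows how the binding table is used for ordinary traffic after the lease is issued.

```python
from dataclasses import dataclass, field
from typing import Optional

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


@dataclass(frozen=True)
class DhcpFrame:
    """A DHCP message as the switch sees it (constructed fields, not a real capture)."""
    port: str                      # ingress switchport
    vlan: int
    src_mac: str                   # Ethernet source address
    chaddr: str                    # client hardware address inside the DHCP payload
    msg_type: str
    yiaddr: Optional[str] = None   # address handed out, only in OFFER/ACK


@dataclass
class SnoopingSwitch:
    trusted_ports: set
    pending: dict = field(default_factory=dict)    # (vlan, chaddr) -> client port
    bindings: dict = field(default_factory=dict)   # (vlan, chaddr) -> (ip, port)
    dropped: list = field(default_factory=list)    # (reason, frame)

    def process(self, frame: DhcpFrame) -> bool:
        """Return True if the frame is forwarded, False if snooping drops it."""
        trusted = frame.port in self.trusted_ports
        # Server replies are only accepted on trusted ports (the uplink to the real server).
        if frame.msg_type in SERVER_MESSAGES and not trusted:
            self.dropped.append(("server-message-on-untrusted-port", frame))
            return False
        # On untrusted ports the Ethernet source must match chaddr (MAC address verification).
        if frame.msg_type in CLIENT_MESSAGES and not trusted and frame.src_mac != frame.chaddr:
            self.dropped.append(("chaddr-mismatch", frame))
            return False
        key = (frame.vlan, frame.chaddr)
        if frame.msg_type == "REQUEST" and not trusted:
            self.pending[key] = frame.port          # remember which port the client is on
        elif frame.msg_type == "ACK" and frame.yiaddr and key in self.pending:
            # Completed lease: record the binding that IP Source Guard and DAI will consult.
            self.bindings[key] = (frame.yiaddr, self.pending.pop(key))
        elif frame.msg_type == "RELEASE":
            self.bindings.pop(key, None)
        return True

    def ip_source_guard(self, vlan: int, port: str, src_mac: str, src_ip: str) -> bool:
        """IP Source Guard check for ordinary traffic on an untrusted port:
        allowed only if the (ip, port) pair matches the snooping binding."""
        if port in self.trusted_ports:
            return True
        return self.bindings.get((vlan, src_mac)) == (src_ip, port)


if __name__ == "__main__":
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/1"})   # Gi1/0/1 faces the real server
    client = "aa:bb:cc:dd:ee:01"
    sw.process(DhcpFrame("Gi1/0/5", 10, client, client, "DISCOVER"))
    sw.process(DhcpFrame("Gi1/0/7", 10, "de:ad:be:ef:00:01", client, "OFFER", "10.0.10.200"))
    sw.process(DhcpFrame("Gi1/0/1", 10, "00:50:56:00:00:05", client, "OFFER", "10.0.10.50"))
    sw.process(DhcpFrame("Gi1/0/5", 10, client, client, "REQUEST"))
    sw.process(DhcpFrame("Gi1/0/1", 10, "00:50:56:00:00:05", client, "ACK", "10.0.10.50"))
    print("bindings:", sw.bindings)
    print("dropped:", [reason for reason, _ in sw.dropped])
```

Run as a script it shows one binding for the client on Gi1/0/5 and one dropped frame: the OFFER that came in on the untrusted port Gi1/0/7 never reaches the client, which is exactly the rogue-server case Craig mentions.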