DHCP & VLAN

Unanswered Question
Sep 18th, 2009

Hi Experts,

This may sound very basic, but there are some subtle things I need to know about DHCP and DHCP relay.

I am pretty sure that the DHCP RELAY (ip helper-address) command is required if the DHCP server is in a different network, in an L3 environment. My understanding is below:

The DHCP server is able to provide addresses from the appropriate scope for VLANs, based on the use of the Relay Agent field in the DHCP packets. A Relay Agent is the agent that is in charge of the conversion of the broadcast DHCP packets sent by the client into unicast packets that are sent to the DHCP server. This agent also converts the unicast DHCP packets sent from the DHCP server into broadcast packets that are sent on the telephone network.

Fine. How about a pure L2 environment? Say for example I have a Layer 2 2960 switch with VLAN 10 and 20. Please note no SVI is configured, as I do not need inter-VLAN routing.

I have a DHCP server connected to a trunk port carrying VLAN 20 and VLAN 10 of the switch. The DHCP server has 2 scopes, one for VLAN 10 (10.10.10.0) and the other for VLAN 20 (20.20.20.0).

In this case, which parameter decides to pick/select the appropriate scope for the corresponding VLANs? Do I need to configure DHCP options?

Hope I managed to explain this well enough for your kind understanding. I tried various sources and was not able to get answers. I finally resorted to your help.

Thanks

sairam

Jon Marshall Fri, 09/18/2009 - 10:17

Sairam

"I am pretty sure that DHCP RELAY (ip helper-address) command is required if the DHCP server is in different network and in L3 environment"

That's correct, because the DHCP request is a broadcast and broadcasts are not forwarded across VLANs.

And that is the answer really to your question. On a L2 network you don't need a DHCP relay because the DHCP server would see the broadcast. If the DHCP server is trunked to a L2 network then the broadcast will come in on either vlan 10 or vlan 20 and so the server running 802.1q will know which subnet to allocate an address from.

Jon

snarayanaraju Fri, 09/18/2009 - 10:54

Hi Jon,

Thanks for your reply. You are saying:

"If the DHCP server is trunked to a L2 network then the broadcast will come in on either vlan 10 or vlan 20 and so the server running 802.1q will know which subnet to allocate an address from"

Here is the catch. The scope we create in the DHCP server (to make the argument simple, I will take the IOS DHCP server) will not have any indication of the VLAN ID. It is differentiated only by IP network address, like:

ip dhcp pool TEST-1
 network 10.10.10.0 /24

ip dhcp pool TEST-2
 network 20.20.20.0 /24

How does this behave? Hope my question is a bit sensible.

Thanks for your time

Sairam

Jon Marshall Fri, 09/18/2009 - 11:13

Sairam

"How this behaves. Hope my question is bit sensible."

Your question is very sensible. I know that it can be done with certain DHCP servers but need to do a bit more reading/testing to explain it fully.

Unfortunately I'm out tonight, so I'll have to get back to you later if that's okay, or perhaps another NetPro can step in.

Jon

Joseph W. Doherty Fri, 09/18/2009 - 11:38

If I recall correctly, what happens is when the DHCP broadcast packets hits the L3 gateway with the helper, the request is repackaged with the L3 gateway address so that way the DHCP server knows what subnet to provide an IP address for ([edit] also, I believe, uses the gateway address to know where to send the DHCP offer reply).

snarayanaraju Fri, 09/18/2009 - 11:53

Hi Joseph,

Your argument is very correct. But my question is, what is the behaviour in a Layer 2 environment where there is no L3 interface or SVI interface in the switch?

sairam

Joseph W. Doherty Fri, 09/18/2009 - 15:33

Without an L3 gateway, I believe, there won't be communication between VLANs, so also no access to a DHCP server on a different VLAN from the host needing an IP address.

Jon Marshall Fri, 09/18/2009 - 15:44

Joseph

The question is what if you have 2 L2 vlans and the DHCP server has a trunk connection to the switch. There are no L3 vlan interfaces so there is no ip helper-address.

But because the DHCP server uses a trunk link it has a connection to both VLANs. Therefore it will see the DHCP broadcast requests from each VLAN at L2. How does it then know which subnet to allocate the IP address from?

The NIC on the DHCP server understands 802.1q tagging, but the actual DHCP application would somehow need to "know" which VLAN the broadcast came in on. I believe that it can be done and am sure I have come across it before, but don't know if it applies to all DHCP servers, i.e. Windows, Unix, Cisco etc.

Logically it is just like having 2 DHCP servers, one for VLAN 10 and one for VLAN 20, but it does beg the question: by the time the packet gets up to the application layer, how does the DHCP server differentiate between the broadcasts?

Jon

Joseph W. Doherty Fri, 09/18/2009 - 16:04

Jon, thanks! Overlooked the "little" fact of the trunk to the DHCP server.

I would think the answer to the question about the trunk to the DHCP server is similar to if the DHCP server was multihomed on two NICs (rather than a VLAN trunk). The logical interface which receives the broadcast DHCP request should provide the interface and subnet information.

[edit]

Sairam, if this isn't working, does the DHCP server have correct addressing for the two VLANs? (I.e. does it have a correct IP for those subnets? Also, do these IPs correspond to the DHCP pools?)

Mohamed Sobair Fri, 09/18/2009 - 11:49

Hi Sairam,

You will need to have 2 default gateways for both DHCP pools.

Both scopes will be selected based on their default gateway, which is basically on a per-VLAN basis in your example.

HTH

Mohamed

snarayanaraju Fri, 09/18/2009 - 20:55

Hi Friends,

Mohamed said: "You will need to have 2 default gateways for both DHCP pools". I do not think a default gateway is required if inter-VLAN routing is not needed.

I will again put the scenario simply:

VLAN 10 & VLAN 20 are configured in a 2960 switch. VLAN 10 need not communicate with VLAN 20. Port Fa 0/24 is configured as a TRUNK and the DHCP server, with 2 scopes, is connected to it.

I referred to various documents and found that DHCP OPTION 82 can be configured to send the switch port MAC address to the DHCP server. I think it is a direct method of achieving this.

Experts, can you comment on this please?

sairam

Jon Marshall Sat, 09/19/2009 - 03:32

Sairam

Option 82 is used by the DHCP relay, and as we don't have one in this case I don't think it's relevant.

I think Joseph has hit the nail on the head. Imagine a DHCP server with 2 NICs, one NIC in vlan 10 and one in vlan 20. These NICs would each have an IP address eg.

nic1 - 192.168.5.1

nic2 - 192.168.6.1

you then create 2 scopes on the DHCP server ie.

scope1 - 192.168.5.0/24

scope2 - 192.168.6.0/24

so if a packet arrives on nic1 the DHCP server will know that it needs to allocate an address from the 192.168.5.0/24 subnet because that subnet matches with the IP address of nic1 ie. 192.168.5.1 is from 192.168.5.0/24.

And the same logic applies to nic2.

Now rather than have 2 NICs you only have one NIC, but you run 802.1q on it. You would have 2 logical subinterfaces, each with its own IP address, so

nic_sub1 = 192.168.5.1

nic_sub2 = 192.168.6.1

and again the DHCP server can correctly allocate an IP address from the relevant scope because it can match this with IP address of the subinterface on which the request was received.

I just overlooked the actual implementation of 802.1q on a server, i.e. that you still end up with multiple logical interfaces each with an IP address. Once I'd thought about it together with Joseph's thread it made a lot more sense :-)

Jon
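The scope-selection rule Jon describes, as an added Python model that is not from this thread or from any vendor's DHCP server. It follows RFC 2131 section 4.3.1 and so also covers the relayed case Joseph described earlier: a non-zero giaddr (set by an ip helper-address) selects the scope containing the relay's address, otherwise the address of the receiving NIC or 802.1q subinterface selects it. The interface names, server addresses and the third "eth0.30" subinterface are constructed for the example; the pool names are the ones from the IOS config quoted above.

```python
"""Toy DHCP server scope selection, after RFC 2131 section 4.3.1.

Added example, not from the thread or any vendor's DHCP server. If the
request carries a non-zero giaddr (filled in by a relay / ip helper-address),
the server picks the scope containing giaddr; otherwise it picks the scope
containing the address of the interface (or 802.1q subinterface) on which
the broadcast arrived. Interface names and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Interface:
    """One NIC or one 802.1q subinterface on the server, with its own IP."""
    name: str
    address: IPv4Address


@dataclass(frozen=True)
class Pool:
    name: str
    network: IPv4Network


# Constructed topology: one NIC on trunk Fa0/24 with two tagged subinterfaces,
# plus a third subinterface whose subnet has no pool (the addressing mismatch
# Joseph asked Sairam to check).
SERVER_SUBIFS = {
    "eth0.10": Interface("eth0.10", ip_address("10.10.10.1")),
    "eth0.20": Interface("eth0.20", ip_address("20.20.20.1")),
    "eth0.30": Interface("eth0.30", ip_address("172.16.0.1")),
}

POOLS: List[Pool] = [
    Pool("TEST-1", ip_network("10.10.10.0/24")),
    Pool("TEST-2", ip_network("20.20.20.0/24")),
    Pool("REMOTE", ip_network("192.168.30.0/24")),  # reachable only via a relay
]

NO_RELAY = IPv4Address("0.0.0.0")


def select_pool(pools: List[Pool], giaddr: str, rx_iface: Interface) -> Optional[Pool]:
    """Return the pool the server would allocate from, or None if none matches."""
    relay = ip_address(giaddr)
    if relay != NO_RELAY:
        key = relay             # relayed request: subnet of the relay's interface
    else:
        key = rx_iface.address  # L2 request: subnet of the receiving (sub)interface
    for pool in pools:
        if key in pool.network:
            return pool
    return None


def reply_destination(giaddr: str, rx_iface: Interface) -> Tuple[str, str]:
    """Where the OFFER goes: unicast to the relay if relayed, otherwise back out
    the receiving interface (the BROADCAST-flag subtleties are ignored here)."""
    if ip_address(giaddr) != NO_RELAY:
        return ("unicast", giaddr)
    return ("broadcast", rx_iface.name)


def handle_discover(rx_iface_name: str, giaddr: str = "0.0.0.0") -> Optional[str]:
    """Name of the scope chosen for a DISCOVER, or None when the server stays
    silent because no scope contains the selecting address."""
    pool = select_pool(POOLS, giaddr, SERVER_SUBIFS[rx_iface_name])
    return pool.name if pool else None


if __name__ == "__main__":
    for iface in ("eth0.10", "eth0.20", "eth0.30"):
        print(iface, "->", handle_discover(iface))
    print("relayed via 192.168.30.1 ->", handle_discover("eth0.10", "192.168.30.1"))
```

The "eth0.30" case is the one worth checking when a trunked server hands out nothing for a VLAN: the request is seen, but the receiving subinterface's own address falls in no scope, so the server never answers.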

snarayanaraju Sat, 09/19/2009 - 09:28

Hi Jon,

Thanks, and I will decide based on your answer that the only solution to the scenario I described is to have 2 logical interfaces or 2 NICs.

Hope this is the best practised method in the industry and the only solution available.

Coming to DHCP Option 82 (which should be used along with DHCP snooping only), it has the following behaviour:

When you enable the DHCP snooping information option 82 on the switch, this sequence of events occurs:

1) The host (DHCP client) generates a DHCP request and broadcasts it on the network.

2) When the switch receives the DHCP request, it adds the option-82 information in the packet.

3) If the IP address of the relay agent is configured, the switch adds this IP address in the DHCP packet.

4) The switch forwards the DHCP request that includes the option-82 field to the DHCP server.

5) When the DHCP server receives the packet, if the server is option-82-capable, it can use the remote ID, the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID. Then the DHCP server echoes the option-82 field in the DHCP reply.

6) The DHCP server unicasts the reply to the switch if the request was relayed to the server by the switch. The switch verifies that it originally inserted the option-82 data by inspecting the remote ID and possibly the circuit ID fields. The switch removes the option-82 field and forwards the packet to the switch port that connects to the DHCP client that sent the DHCP request.

This I have taken from the Cisco 3560 config guide. I suspect DHCP relay is not mandatory for DHCP option 82, as per point 3 described above.

Your valuable comment is solicited.

sairam
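The six-step option-82 sequence quoted from the config guide, as an added Python model that is not from this thread or from Cisco. Option 82 (RFC 3046) is a container option whose value is a list of sub-options, 1 being the Agent Circuit ID and 2 the Agent Remote ID. The model covers the switch inserting the option on the request (steps 2 and 4), the server echoing it (step 5), and the switch checking the echoed remote ID before stripping the option and forwarding the reply to the client port (step 6). The byte layouts chosen for the circuit ID (VLAN, module, port) and remote ID (switch MAC), the sample MACs and the function names are constructed for this example and are not the vendor's encoding.

```python
"""Model of DHCP option 82 handling by a snooping switch acting as relay agent.

Added example, not from the thread or any vendor. Sub-option layouts are
constructed: circuit ID = VLAN(2) module(1) port(1), remote ID = switch MAC.
"""
import struct

OPT_MSG_TYPE = 53
OPT_RELAY_AGENT_INFO = 82
OPT_PAD = 0
OPT_END = 255
SUB_CIRCUIT_ID = 1
SUB_REMOTE_ID = 2


def parse_options(blob: bytes) -> dict:
    """Parse a TLV DHCP options field (the bytes after the magic cookie)."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def encode_options(opts: dict) -> bytes:
    """Serialise options as TLVs followed by the END marker."""
    out = bytearray()
    for code, value in opts.items():
        if len(value) > 255:
            raise ValueError("option value too long")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def parse_suboptions(value: bytes) -> dict:
    """Parse the sub-option TLVs inside an option 82 value (no pad/end codes)."""
    subs, i = {}, 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("truncated sub-option header")
        code, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated sub-option value")
        subs[code] = data
        i += 2 + length
    return subs


def build_option82(vlan: int, module: int, port: int, switch_mac: bytes) -> bytes:
    """Constructed layout: circuit ID identifies the ingress port, remote ID the switch."""
    circuit_id = struct.pack("!HBB", vlan, module, port)
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(switch_mac)]) + switch_mac)


def switch_relay_request(client_opts: bytes, vlan: int, module: int, port: int,
                         switch_mac: bytes) -> bytes:
    """Steps 2 and 4: tag the client's request. A request from an untrusted
    port that already carries option 82 is refused rather than passed on."""
    opts = parse_options(client_opts)
    if OPT_RELAY_AGENT_INFO in opts:
        raise ValueError("client request already carries option 82")
    opts[OPT_RELAY_AGENT_INFO] = build_option82(vlan, module, port, switch_mac)
    return encode_options(opts)


def server_reply(request_opts: bytes, msg_type: int = 2) -> bytes:
    """Step 5 (server side): echo option 82 back unchanged in the reply (OFFER=2)."""
    opts = parse_options(request_opts)
    reply = {OPT_MSG_TYPE: bytes([msg_type])}
    if OPT_RELAY_AGENT_INFO in opts:
        reply[OPT_RELAY_AGENT_INFO] = opts[OPT_RELAY_AGENT_INFO]
    return encode_options(reply)


def switch_forward_reply(reply_opts: bytes, switch_mac: bytes):
    """Step 6: accept only a reply whose echoed remote ID is this switch's, then
    strip option 82 and return (client options, (vlan, module, port)) so the
    reply can be sent to the port the request came from."""
    opts = parse_options(reply_opts)
    info = opts.get(OPT_RELAY_AGENT_INFO)
    if info is None:
        raise ValueError("reply has no option 82; dropping")
    subs = parse_suboptions(info)
    if subs.get(SUB_REMOTE_ID) != switch_mac:
        raise ValueError("option 82 remote ID is not ours; dropping reply")
    circuit = subs.get(SUB_CIRCUIT_ID, b"")
    if len(circuit) != 4:
        raise ValueError("unexpected circuit ID length; dropping reply")
    del opts[OPT_RELAY_AGENT_INFO]
    return encode_options(opts), struct.unpack("!HBB", circuit)


# Constructed sample: a DISCOVER (message type 1) arriving on VLAN 10, port 3.
SWITCH_MAC = bytes.fromhex("001122334455")
CLIENT_DISCOVER = bytes([OPT_MSG_TYPE, 1, 1, OPT_END])
```

Step 3 of the guide (the relay agent IP) is the giaddr field of the fixed DHCP header, not an option, which is why it does not appear in this options-only model; the check in step 6 is what stops a reply echoing someone else's remote ID from being forwarded to a client port.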
