Limiting DHCP Server on a VLAN

Unanswered Question
tprendergast Mon, 09/28/2009 - 14:04

You can prevent a DHCP server from issuing addresses to other VLANs by the following:


- Make sure no layer 3 interfaces for other VLANs have the "ip helper" address configured to point at this server. "ip helper" tells a layer 3 switch or router to send DHCP broadcasts from clients as unicast to this specific server.

- Make sure you have broadcast domains separated properly, so DHCP broadcasts from other subnets don't bleed into this one.

- Configure your DHCP server so it only takes requests from certain subnets -- not available on the built-in Cisco DHCP server.


You can learn more about the DHCP relay agent (ip helper) here:

http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iad_dhcp_rly_agt.html#wp1085170



Hope that helps. Rate if it does!


Cheers,

Tim
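
The first check in the post above (no other VLAN's layer 3 interface has an `ip helper-address` pointing at this server) can be audited offline against a saved running-config. This is an added example, not part of the original thread; the config excerpt, the addresses and the `ALLOWED` policy mapping are constructed assumptions.

```python
import re

# Constructed running-config excerpt (not from the thread); addresses are made up.
SAMPLE_CONFIG = """\
interface Vlan4
 ip address 10.0.4.1 255.255.255.0
 ip helper-address 10.0.4.10
!
interface Vlan401
 ip address 10.4.1.1 255.255.255.0
 ip helper-address 10.4.1.10
 ip helper-address 10.0.4.10
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
!
"""

# Assumed policy: the DHCP server(s) each VLAN interface is allowed to relay to.
ALLOWED = {"Vlan4": {"10.0.4.10"}, "Vlan401": {"10.4.1.10"}}


def parse_helpers(config):
    """Return {interface: [helper addresses]} for every interface block."""
    helpers, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            helpers[current] = []
            continue
        if not line.startswith(" "):
            current = None  # "!" or any top-level line ends the interface block
            continue
        m = re.match(r"^\s+ip helper-address\s+(?:(?:vrf\s+\S+|global)\s+)?(\d+(?:\.\d+){3})", line)
        if m and current:
            helpers[current].append(m.group(1))
    return helpers


def audit(config, allowed):
    """Return (interface, server) pairs relaying DHCP to a server not allowed there."""
    return [(intf, srv)
            for intf, servers in parse_helpers(config).items()
            for srv in servers if srv not in allowed.get(intf, set())]


if __name__ == "__main__":
    for intf, srv in audit(SAMPLE_CONFIG, ALLOWED):
        print(f"{intf}: unexpected ip helper-address {srv}")
```

An interface that is missing from `ALLOWED` is treated as not permitted to relay at all, so any helper found on it is reported.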

Hi Tim,


Thanks for this information.


I have a DHCP server set up in VLAN 4; and, we have another DHCP server, production, in VLAN 401.


Somehow clients from VLAN 401 started to receive IP addresses from the DHCP server in VLAN 4.


Each VLAN is configured to have an ip helper-address pointing to its respective DHCP server.


So, I don't understand how the clients from VLAN 401 cross to VLAN 4 to get an IP address.


By the way, each VLAN has a unique broadcast domain.

platinum_jem Mon, 09/28/2009 - 20:06
Is there a chance that VLAN 4 and VLAN 401 are connected back to each other in the L2 infra?


If that's the case, the 2 VLANs will 'crosstalk' in terms of DHCP request broadcasts.


If the DHCP servers are only serving their own broadcast domains, then the IP helper command is not required at all in the VLAN interface configuration.
