I have inherited this network and don't fully understand the setup. I am hoping someone can give me some clarification.
Our main nework uses 172.20.0.0/16 the untrusted is set to 10.0.0.0/8. A seperate network was created for untrusted users to connect to and get internet only access.
VLAN101 is used to put ports into the untrusted network.
On the router we have the following config (in brief)
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
ip route 0.0.0.0 0.0.0.0 172.20.254.1
ip route 10.0.0.0 255.0.0.0 172.20.2.22
ip route 10.0.1.200 255.255.255.255 172.20.2.22
no ip http server
*The 172.20.2.22 is a NAC that acts as the gateway between the untrusted and internal network, also for untrusted clients to get through to the internet.
*Unlike other vlans on the router there is no interface for vlan101. In fact vlan 101 does not exist on the router, is it in layer2 mode?
Config On the switches....
switchport access vlan 101
I setup a scope on a windows dhcp server to supply ips and it works, I don't know how it works as I cannot find any setting that links vlan101 to the 10.0.0.0 network. However, now I am trying to create a second subnet in the 10.3.0.0 range and I cannot figure how to get the clients to pull IPs from that scope. The 2nd scope is necessary so I can break up the untrusted network, which is being used for wireless clients as well, to allow more than 1 ssid on the wireless with different levels of access.
Does anyone know in this setup how VLAN101 knows to grab the 10.0.0.0 dhcp settings? And how I would add a second VLAN to grab a different range in that network.
Full configs from the router and switch would be very helpful. It's difficult to see what's going on as we cannot see how the uplink port on the switch in configured as well as the fastE port on the router among other things.
That is a long config for the 6509!
Anyway, what is the exact topology? I have a config for the 6509 and one for a 3750 but I don't see your router.
I do see that on the you have FA1/0/6 and FA1/0/8 on the 3750 set to access VLAN 101, but also that FA1/0/48 and Gig ports 1/0/1, 1/0/2 and 1/0/3 are trunked and passing VLAN 101 amongst others. Where these ports go I don't know.
So, topology and router config?
The topology is setup with the LWAPPs connecting to the the 3750 on the access ports on vlan 101. The 3750 connects to the 6509 on Gi1/0/1 (Gi1/0/2 goes to a 2nd 6509 for a redundant route) to a fibre gigabit module. The 6509 handles all the routing via the RSM module. Gi1/0/3 and Fa1/0/48 go to switches that I am using for testing other things. Modules 8 and 9 on the 6509 are used as access switches for clients, any ports set to 101 go to more access points.
On the RSM there is a network route for 10.0.0.0 to route all traffice through 172.20.2.22 which is a clean access server. The clean access server has a 2nd interface 10.0.0.1 which is used as the gateway for clients in that network, thus passing all traffic through the clean access server. Clean access is setup to relay dhcp to our main windows dhcp server which is in vlan253.
VLAN101 is not present on the RSM, but is on the access switches. I am not sure how vlan101 is associated with 10.0.0.0 network.
So your access server is in VLAN2 on the RSM. There is an ip helper address configured for VLAN2 which I believe is the proper DHCP server from VLAN253.
The RSM doesn't really need to 'know' about VLAN101 - it just needs to know how to route to the 10.0.0.0 /8 network, and your access server knows how to supply that network with DHCP.
Was that any help or do you already know this?
OK. But how does the dhcp server know now which IP to hand out to the client requesting? If the client is on vlan101 how does the server know which scope to give the ip from?
The clients are not having trouble finding the dhcp, i just want diferent addresses (scopes)handed out to diferent vlans.
You stated that your access server is set up as a DHCP relay agent. Your DHCP server has to have multiple scopes set up, and when it receives a request from a machine on the 10.0.0.0 /8 network, which has been relayed by 10.0.0.1, the DHCP server knows to respond with a 10. address from the appropriate scope.
That makes sense. So there is no way under the current setup to use multiple scopes from a relay then.
Looks like I will need to redesign this to use vlans rather than the current network route.