
PIX as DHCP Server over VLANs

j.way
Level 1

Hi Everyone,

Just had a question regarding PIX DHCP server capabilities. I didn't realize that the PIX even had it first of all.

Can someone tell me if PIX (525) can serve addresses to a specific VLAN? I have a small "corporate" VLAN set up in our 4006 that will need DHCP as well as about 10 others that won't need DHCP. Maybe the layer 3 portion of the 4006 can do this...?? I will look, but for now... I know that best practice is to just put a DHCP server on the VLAN somewhere but for the interim and for future knowledge it would be helpful to know if either of these devices can perform this function.

Thanks,

Josh

8 Replies

yusuff
Cisco Employee

No, both devices cannot do this.

What you want is achievable using VMPS (VLAN Management Policy Server). Cisco offers the URT (User Registration Tool) product for this.

http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/csurt/index.htm

HTH

R/Yusuf

So I guess I should just wait a few weeks for our server to get relocated... Thanks.

Josh

Josh,

If I understand well you are trying to use your PIX 525 as a DHCP server. I believe you can do this. You can enable the DHCP daemon on the inside interface of your PIX and it can serve clients with IP. At least that is what the documentation on CCO says. You just have to make sure that the VLAN is physically connected to the inside interface. Here is the link that might help you.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/df.htm#xtocid2

gilles

Thanks Gilles,

You are correct in your assumption. I wasn't really sure whether or not I needed to PHYSICALLY connect the VLAN since you can configure quite a bit with the individual NW's that the PIX talks to. I thought maybe you could tell the PIX to assign DHCP addresses to all the hosts on a specific NW that the PIX knows about. Well thanks anyway, it was worth a shot. :)

Josh

josh,

The Pix would be able to assign ip's to hosts that are on the same vlan as the firewall's inside interface. If all the devices that need to be serviced through DHCP are in the same vlan, you can use the PIX DHCP functionality. All those hosts would share the same ip subnet with the inside intf of the PIX. If you have other vlans that need dhcp too, you cannot use the PIX for those.

gilles

Thanks again Gilles,

That makes a lot of sense now. I have 4 additional interfaces on the PIX for the capability of multiple DMZs if needed as well as for a bit of port redundancy (just in case... heh heh). So, if I use any of those for DHCP to VLAN hosts, it sounds like it will work the way you stated. Make sense??

Josh

At this point, only the inside interface supports the DHCP server functionality. You cannot enable this service on any other interface.

gilles

Cool, thanks. That'll-do-it.....
