
How do I make Windows DHCP work with VLANs

I am studying for Cisco and Microsoft certifications and I am doing a practical bit in my own home network.
Here is the scoop: I have 3 Cisco rack-mounted routers and 3 Cisco rack-mounted switches. I also have a Windows
2012 Server running ADDS, DHCP, and DNS.
I have created 6 DHCP scopes which are as follows:

Server Pools
Pool Start-IP End-IP
ADMINISTRATION 10.227.220.1 10.227.220.100
BEDROOM 10.227.221.1 10.227.221.100
KITCHEN 10.227.222.1 10.227.222.100
BATHROOM 10.227.223.1 10.227.223.100
LIVINGROOM 10.227.224.1 10.227.224.100
WIRELESS 10.227.225.1 10.227.225.100

Basically what I want to happen is for all of the switches, routers, and servers to get an address from the
ADMINISTRATIVE pool. And for example, if I plug a computer into the living room I want it to get an IP address
between 10.227.224.1 - 100, and the bedroom devices to get an address from the bedroom pool, etc.
One of my admin friends told me to give VLANs a try. Is my buddy correct? Would VLANs be the best way to
accomplish this? If so, when I activate the scopes on the Windows server, how do I get the VLANs to pass out
addresses from the Windows DHCP server? I am having trouble understanding how the DHCP server and the
VLANs are supposed to talk to each other and how to set that up. And last, how would I wire this physically, where
would I plug in the DHCP server, etc.?
Any help would be appreciated, even a point in the right direction.
Thanks,
Donnie

Hi,
Yes, VLANs are the way to go.
Before we proceed further, could you list the model of the switches which you have?
Assuming that you have L3-capable switches, you need to create VLANs on your switches.
After the VLANs are created you need to create an SVI for each VLAN on the L3-capable switch, which will route between
your VLANs. Define ip helper-address (IP address of your DHCP server) under each SVI.
In parallel you need to create the DHCP scopes on your Windows server corresponding to each VLAN.
Please let us know if you have any further questions.
Thanks

Hi Donald,
You should use subnetting with the proper prefix /24 so we can use a VLAN for each subnet, and those VLANs will
communicate through inter-VLAN routing configured on the multilayer switch, so you should have at least one
multilayer switch and you can use only one router; there is no need for the other 2 routers.
Regarding DHCP, it assigns IPs for clients, but for routers and switches you have to configure them manually for
every router port (if you will use more than one) and for every SVI on the switches.
For every interface VLAN you have to add a DHCP relay to relay the (Discover, Offer, Request and Ack) packets
between the clients and the DHCP server to assign a proper IP address for every client from the proper scope.
Description Subnet VLAN
Administration 10.227.220.0/24 100
Bed 10.227.221.0/24 200
Kitchen 10.227.222.0/24 300
Bath 10.227.223.0/24 400
Living 10.227.224.0/24 500
Wireless 10.227.225.0/24 600
The design will be as shown below:

Multilayer Switch Configuration:

ip routing
!
interface Vlan100
 description Administration
 ip address 10.227.220.254 255.255.255.0
!
interface Vlan200
 description Bed-Room
 ip address 10.227.221.254 255.255.255.0
 ip helper-address 10.227.220.200
 ! 10.227.220.200 is the DHCP server's IP address; the server sits in VLAN 100
!
interface Vlan300
 description Kitchen
 ip address 10.227.222.254 255.255.255.0
 ip helper-address 10.227.220.200
!
interface Vlan400
 description Bathroom
 ip address 10.227.223.254 255.255.255.0
 ip helper-address 10.227.220.200
!
interface Vlan500
 description Living-Room
 ip address 10.227.224.254 255.255.255.0
 ip helper-address 10.227.220.200
!
interface Vlan600
 description Wireless
 ip address 10.227.225.254 255.255.255.0
 ip helper-address 10.227.220.200
!
interface FastEthernet 0/1
 description DHCP-Server
 switchport mode access
 switchport access vlan 100
!
! Multilayer switch port connected to Switch-1
interface GigabitEthernet 0/1
 switchport mode trunk
 switchport trunk allowed vlan all
!
! Multilayer switch port connected to Switch-2
interface GigabitEthernet 0/2
 switchport mode trunk
 switchport trunk allowed vlan all

Switch-1 Configuration:

! Switch-1 port connected to the multilayer switch
interface GigabitEthernet 0/1
 switchport mode trunk
 switchport trunk allowed vlan all
!
! Switch-1 port connected to a user in the Bed Room
interface FastEthernet 0/1
 description Bed-Room User
 switchport mode access
 switchport access vlan 200
!
! Switch-1 port connected to a user in the Kitchen
interface FastEthernet 0/2
 description Kitchen-User
 switchport mode access
 switchport access vlan 300

Switch-2 Configuration:

! Switch-2 port connected to the multilayer switch
interface GigabitEthernet 0/1
 switchport mode trunk
 switchport trunk allowed vlan all
!
! Switch-2 port connected to a user in the Bath Room
interface FastEthernet 0/1
 description Bath-Room User
 switchport mode access
 switchport access vlan 400
!
! Switch-2 port connected to a user in the Kitchen
interface FastEthernet 0/2
 description Kitchen-User
 switchport mode access
 switchport access vlan 500
!
! Switch-2 port connected to a Wireless user
interface FastEthernet 0/3
 description Wireless-User
 switchport mode access
 switchport access vlan 600
For the Microsoft Server side:
Be sure that you have installed the DHCP Server role, that the DHCP server is authorized to assign TCP/IP configuration
to the clients, and that the scopes are activated. Configure a static IP address for the DHCP server with the IP
10.227.220.200/24 and default gateway 10.227.220.254.

Scope Start-IP End-IP Default-Gateway
Scope-1 10.227.220.1 10.227.220.100 10.227.220.254
Scope-2 10.227.221.1 10.227.221.100 10.227.221.254
Scope-3 10.227.222.1 10.227.222.100 10.227.222.254
Scope-4 10.227.223.1 10.227.223.100 10.227.223.254
Scope-5 10.227.224.1 10.227.224.100 10.227.224.254
Scope-6 10.227.225.1 10.227.225.100 10.227.225.254

Segment ID Support for DHCP Relay

Feature Information for Segment ID

Table 1 Feature Information for Segment ID

Feature | Releases | Feature Information
DHCP | 7.2(0)D1(1) | Included a new chapter on Segment ID Support for DHCP Relay: DHCP relay configuration.
DHCP Server | 7.2(0)N1(1) | Included a new section on Configuring Windows 2012 as DHCP Server: support for common DHCP servers for IP address assignments within DFA.

Segment ID Support for DHCP Relay


This feature explains how a Cisco Nexus 7000 Series Switch performs the role of a DHCP relay in the DFA environment.

Note
A detailed explanation of the DHCP feature documentation for Cisco Nexus 7000 Series Switches
is available in the Configuring DHCP chapter of the Cisco Nexus 7000 Series NX-OS Security
Configuration Guide.

Guidelines and Limitations
You should know about the DHCPv4 relay, DHCPv6 relay, BDI, and segment ID functions.

Information About Segment ID Support for DHCP Relay


DHCP Relay Configuration Overview
Figure 1. DHCP relay configuration through a BDI

The illustration depicts a Cisco Nexus 7000 Series Switch in a DFA environment (Nexus 7000). The DHCP client (Host)
seeking an IP address via DHCP is on the left side and the DHCP server that provides the IP address is on the right side (DHCP
Server). Here, we configure the DHCP server address on a BDI of the Cisco Nexus 7000 Series Switch.

The following sections explain DHCP relay configuration:

1. Enabling a Cisco Nexus 7000 Series Switch as a DHCP relay agent.

2. Configuring a DHCP server address on the relay agent.

3. Configuring the VPN option for the DHCP relay agent.

Enabling a Cisco Nexus 7000 Series Switch as a DHCP Relay Agent

Enabling a Device as a DHCPv4 Relay Agent

switch# configure terminal
switch(config)# feature dhcp
switch(config)# ip dhcp relay

Enabling a Device as a DHCPv6 Relay Agent

switch# configure terminal
switch(config)# feature dhcp
switch(config)# ipv6 dhcp relay

Configuring a DHCP Server Address on the Relay Agent

Configuring a DHCPv4 Server Address on the Relay Agent

switch(config)# interface bdi 15
switch(config-if)# ip dhcp relay address 192.0.2.120 use-vrf management

The interface-level configuration command (ip dhcp relay address) is used to configure or disable a server address on
a BDI.

The use-vrf option is used to specify the VRF name of the server if the client and server are in different VRFs.

Configuring a DHCPv6 Server Address on the Relay Agent

switch(config)# interface bdi 15
switch(config-if)# ipv6 dhcp relay address 2001:DB8:1::1 use-vrf management2

The interface-level configuration command (ipv6 dhcp relay address) is used to configure or disable a server address
on a BDI.

The use-vrf option is used to specify the VRF name of the server if the client and server are in different VRFs.

The server address can either be a link-scoped unicast or multicast address, or it can be a global or site-local unicast or
multicast address.

An interface is required when the DHCP server address is a link-local address or multicast address. It is not allowed for a
unicast address.

Important: You should be able to ping the server (for the specified server address) from the specified VRF.

Configuring the VPN Option for the Relay Agent

Attention: In a DFA environment, configuring the VPN option is mandatory, since the DHCP server is always in a different VRF,
typically in a management or default VRF.

Configuring the VPN Option for the DHCPv4 Relay Agent

switch# configure terminal
switch(config)# ip dhcp relay information option
switch(config)# ip dhcp relay information option vpn

The global-level VPN configuration command is used to enable or disable the DHCPv4 relay function across VRFs.

Configuring the VPN Option for the DHCPv6 Relay Agent

switch# configure terminal
switch(config)# ipv6 dhcp relay option vpn

The global-level configuration command is used to enable or disable the DHCPv6 relay function across VRFs. When this
is enabled and the DHCPv6 server is in a different VRF, the relay agent inserts a virtual subnet selection sub-option in
the relay-forward message. By default, this is disabled.

After DHCP relay configuration on a device and assignment of a DHCP server address through a BDI, the network topology looks
like this:
Figure 2. DHCP relay configuration and DHCP server address assignment through a BDI

Configuring Windows 2012 as DHCP Server

You can have common DHCP servers (for example, Microsoft Windows) for IP address assignments within DFA. These DHCP
servers can assign IP addresses to a simple DHCP request. Common DHCP server support does not rely on a specific DHCP
scope option (for example, simple-mode), at the cost of some limitations or additional configuration.

We support the Windows 2012 DHCP server by utilizing a 'Super Scope' together with a policy on option 82 for address range
selection. The DHCP policy on a scope reserves the address space exclusively for requests matching the policy.

Note
We support both Windows DHCPv4 and DHCPv6 servers and the configurations are
similar to regular networks.

Let us assume the switch is using an address from subnet B (it can be the backbone subnet, management subnet, or any
customer-designated subnet for this purpose) to communicate with the Windows DHCP server. In DFA we have subnets S1, S2,
S3, ..., Sn for segments s1, s2, s3, ..., sn.

To configure DHCP on the Windows server:

1. Create a super scope. Within the super scope, create scopes B, S1, S2, S3, ..., Sn for the subnet B and the subnets for
each segment.

2. In scope B, specify the 'Exclusion Range' to be the entire address range (so that the offered address range must not be
from this scope).

3. For every segment scope Si, specify a policy that matches on Agent Circuit ID with the value '0108000600XXXXXX',
where '0108000600' is a fixed value for all segments and the 6 hex digits "XXXXXX" are the segment ID value in hexadecimal.
Also ensure that you check the Append wildcard(*) check box.

4. Set the policy address range to the entire range of the scope.

Configuring Infoblox as DHCP Server

Infoblox uses the Link Selection sub-option for scope selection, as this is by default set to the client-facing SVI address. For other DHCP
servers such as DHCPd and CPNR, GIAddr-based scope selection is used. If you are already using Infoblox, then you must
upgrade the Cisco NX-OS switch to version 7.1(1)N1(1) or later.

Note
We support only DHCPv4 for Infoblox and the configurations are similar to regular
networks. You can refer to Infoblox user manual for configuration.

Let us consider a case where the DHCP clients are VM hosts connecting to Cisco switches in DFA. The switches are configured
with an SVI as the gateway for the VM hosts. The IP address of the SVI may not be unique in the DFA system: when a VM host moves
to a server connected to another switch, another SVI is brought up on that switch and configured with the same gateway
IP, so that the VM does not need to change its gateway IP.

Configuring DHCPd as DHCP Server

The system has a centralized DHCP server that serves all VM hosts. Every switch has a DHCP relay agent running to forward the
DHCP requests from VM hosts to the DHCP server. Because the SVI IP address is not unique, and hence not reachable from the
DHCP server, the relay agent on the switch cannot use it as the GIAddr in the request. Instead, it uses another routing interface which
has a unique IP address as the GIAddr. In order for the DHCP server to select the correct subnet for each host, the relay agent also puts
an identifier in the Circuit ID field of the Relay Agent Information option. The identifier uniquely identifies the subnet that a host
connects to. However, the identifier is only a portion of the Circuit ID.

Now on the DHCP server, you must configure it to fetch the identifier out of the Circuit ID and use the identifier to choose the right
subnet. We are able to do this with DHCPd in the following way: we define classes matching on a substring of the Circuit ID. All the
host subnets are in a shared-network. The shared-network also contains the subnet for the routing interfaces on the switch, so
that the shared-network will be picked when the request comes in. The subnet for the routing interfaces does not have an address pool,
so it will not assign addresses. Address allocation is from the host subnets in the shared-network. Each host subnet only
allows its own class members. Hence the server can correctly choose a subnet for address allocation based on the identifier
carried in the request.

An example of the DHCPd configuration is given below. Here '59.2.8.0/24' and '99.1.3.0/24' are the host subnets, with identifier
'01:5f:91' and '01:5f:92' respectively. Subnet '43.2.0.0/24' is the subnet of the routing interfaces. It is used to select the shared-
network, but not used for address allocation.

# Start Segment 90001
# Segment 90001 is 0x015f91: the class matches the three identifier bytes at offset 5 of the circuit ID
class "15f91" {
  match if substring (option agent.circuit-id, 5, 3) = 01:5f:91;
}
# End Segment 90001

# Start Segment 90002
class "15f92" {
  match if substring (option agent.circuit-id, 5, 3) = 01:5f:92;
}
# End Segment 90002

shared-network "dfa-network" {

  # Start Segment primarySubnet
  # Subnet of the switch routing interfaces (the GIAddr): selects this shared-network, has no pool
  subnet 43.2.0.0 netmask 255.255.255.0 {
  }
  # End Segment primarySubnet

  # Start Segment 90001
  # vlan-id is not a built-in dhcpd option; it must be declared beforehand with
  # 'option vlan-id code <N> = unsigned integer 32;' (the code is not given in this example)
  subnet 59.2.8.0 netmask 255.255.255.0 {
    option routers 59.2.8.1;
    option vlan-id 90001;
  }
  pool {
    allow members of "15f91";
    range 59.2.8.2 59.2.8.254;
  }
  # End Segment 90001

  # Start Segment 90002
  subnet 99.1.3.0 netmask 255.255.255.0 {
    option routers 99.1.3.1;
    option vlan-id 90002;
  }
  pool {
    allow members of "15f92";
    range 99.1.3.2 99.1.3.254;
  }
  # End Segment 90002

}
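The Windows policy value from step 3 of the Windows section and the dhcpd class match above both key off the same bytes of the option 82 Agent Circuit ID; the following added Python (not Cisco's, Microsoft's or ISC's code) shows the two matches side by side for the example's segments 90001 and 90002, and rebuilds the class stanza from a segment number. The circuit-ID byte string it uses is constructed to fit both descriptions (five fixed bytes, then the three-byte segment ID), which is an assumption drawn from the page rather than a verified capture.

```python
import ipaddress

# Both servers key off the same bytes of the option 82 Agent Circuit ID: the
# three-byte segment ID at offset 5, i.e. dhcpd's substring(option agent.circuit-id, 5, 3).
SEG_OFFSET, SEG_LEN = 5, 3
WINDOWS_FIXED_PREFIX = "0108000600"   # the fixed leading bytes from the Windows policy step

# Segment -> host subnet, taken from the dhcpd example (constructed lookup table).
SEGMENT_SUBNETS = {
    90001: ipaddress.ip_network("59.2.8.0/24"),
    90002: ipaddress.ip_network("99.1.3.0/24"),
}


def segment_bytes(segment_id: int) -> bytes:
    """Segment ID as the 3 big-endian bytes carried in the circuit ID (90001 -> 01 5f 91)."""
    return segment_id.to_bytes(SEG_LEN, "big")


def windows_policy_value(segment_id: int) -> str:
    """Agent Circuit ID value to enter in the Windows DHCP policy for one segment scope;
    'Append wildcard' turns it into a prefix match (see windows_policy_matches)."""
    return WINDOWS_FIXED_PREFIX + segment_bytes(segment_id).hex().upper()


def windows_policy_matches(circuit_id: bytes, segment_id: int, append_wildcard=True) -> bool:
    """Policy evaluation as Windows does it on the hex string: prefix match with the
    wildcard box ticked, exact match without (trailing bytes then break the match)."""
    value = windows_policy_value(segment_id)
    got = circuit_id.hex().upper()
    return got.startswith(value) if append_wildcard else got == value


def dhcpd_class_matches(circuit_id: bytes, segment_id: int) -> bool:
    """The test dhcpd makes for class "15f91" and friends: 3 bytes at offset 5."""
    return circuit_id[SEG_OFFSET:SEG_OFFSET + SEG_LEN] == segment_bytes(segment_id)


def segment_from_circuit_id(circuit_id: bytes):
    """Pull the segment ID back out of a circuit ID; None when it is too short to carry one."""
    seg = circuit_id[SEG_OFFSET:SEG_OFFSET + SEG_LEN]
    if len(seg) != SEG_LEN:
        return None
    return int.from_bytes(seg, "big")


def select_subnet(circuit_id: bytes):
    """Subnet the server would allocate from, or None for an unknown or malformed segment."""
    return SEGMENT_SUBNETS.get(segment_from_circuit_id(circuit_id))


def dhcpd_class_stanza(segment_id: int) -> str:
    """Render the class declaration the dhcpd example uses for a segment
    (class name is the segment number in hex, the match value its 3 bytes)."""
    name = f"{segment_id:x}"
    octets = ":".join(f"{b:02x}" for b in segment_bytes(segment_id))
    return (f'class "{name}" {{\n'
            f"  match if substring (option agent.circuit-id, {SEG_OFFSET}, {SEG_LEN}) = {octets};\n"
            "}")
```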
How to Multiple VLANs Single DHCP Server, Multiple DHCP Scopes
Very useful URL: http://www.michaelriccioni.com/how-to-multiple-vlans-single-dhcp-server-multiple-dhcp-scopes-2/

Posted on August 25, 2012 by Michael in Latest News, Tutorials

As you can see by the network diagram above, in this next tutorial I'm going to cover off one of the most common
sorts of setups with SMBs, especially with the recent popularity of VOIP phone systems. I think it's fair to say
most network switches used come straight out of the box and straight into the production environment, with the
switch's default settings. That is, until you wish to install a VOIP system or guest wireless. Now you need to make
changes, and section off the network using VLANs.

What we have is:

1x DHCP Server (Windows Server 2008 R2)
2x Cisco 2950 Switches
1x Cisco 1841 Router

The idea behind it is: currently we have one single VLAN. We need to add another VLAN for a VOIP system going in,
and this requires its own DHCP scope.

Scope1 192.168.10.0/24 (Default VLAN 1 Range)
Scope2 10.10.10.0/24 (VLAN 10 Range)

So let's get into this.

I'm going to assume you've done the basic housework (setting hostname/passwords etc.) on the switches, and
jump straight into configuring them.

On your first switch we want to end up with the following:

Switch ports 1-10 (VLAN1) Default
Switch ports 11-20 (VLAN10)
Switch port 23 Link to Router (R1)
Switch port 24 Trunk port to SW2

Technically we don't need to do anything to ports 1-10 (as they are already members of the default VLAN); the
only change I'm going to make here is to configure the ports to use portfast (a feature of STP, Spanning Tree
Protocol). Without going into this in too much detail, as STP is a totally different topic, it basically makes the port
active (Forwarding state) instead of having to wait the 30 seconds for STP to work its magic.

You will also see I'm setting the ports to access ports (again this is a totally different topic and one you will cover
in the CCNA).

Now for configuring ports 11-20 I'm going to do exactly the same, but this time make them members of VLAN 10.
There are a few ways to create VLANs; the way I'm going to do it is to assign the ports as members of VLAN 10
and let the VLAN create itself. You could also create the VLAN before, and then move the ports into the VLAN. If
you do it that way you don't get the information message (like in the below picture) showing you that VLAN 10
doesn't exist.

I'm now going to create the trunk port (switchport 24) which will be our uplink to SW2.

I'm now going to decide which VLANs this trunk port will allow. In this instance I'm going to allow ALL VLAN
traffic to pass over this trunk.
I'm now going to move over to switch 2 and configure this. As you'll see I've done it slightly differently, but it still
provides the same end result.

Finally I'll configure up the trunk port on SW2.

If we do a quick show vlan brief you can see which ports are assigned to which VLAN.
Now we've done this, let's connect SW1 and SW2 up with a crossover cable. Hopefully, if the config is correct, we
should get two green lights appear on both switches.

If we do a show vlan brief again, you should notice something is now missing.
That's right, Fa0/24 is now missing. Why? Well, now it's active it's functioning as a trunk port, so if we do a show
interfaces trunk, you will see Fa0/24 is now listed here. We can also see which VLANs are allowed to pass
through this trunk port.

That's the switches done for now, so let's move our attention to the router. We've no need for outside access, so
this router is purely going to be used as the Layer 3 device in this setup. If you are going to have multiple VLANs
with inter-VLAN routing, or a single DHCP server with multiple scopes, you need a Layer 3 device (be it a router or
switch) which knows what to do with Layer 3 traffic. (The OSI layer model is another topic altogether, so I am
assuming you know the basics/differences between Layer 2 and Layer 3 devices.) This tutorial is purely for
getting you up and running.

On the router, I'm going to be using FastEthernet 0/1 as the inside LAN; this is going to be the default gateway for
clients.

As you will see in the below, because we don't physically have multiple ports for the different VLANs, what we
are going to configure is sub-interfaces on the router. We are then going to use the ip helper feature so VLAN
10 knows where to forward DHCP packets.

To fully understand this you do need to have a little bit of background on why we do this and how DHCP packets
work. Basically, when a DHCP client sends a DHCP request packet, it doesn't have an IP address (obviously), so it
uses the all-zeroes address, 0.0.0.0, as the IP source address. It also doesn't know how to reach the DHCP server,
so it uses the general broadcast address, 255.255.255.255, for the destination.

This is where the router (or Layer 3 switch) comes into play. The router must replace the source address with its
own IP address for the interface that received the request. It replaces the destination address with the address
specified in the ip helper-address command. (So the packet now has a from address of 10.10.10.254. This
then gets sent to the IP helper address, where the server looks at its DHCP scopes and matches up
10.10.10.254 with the 10.10.10.0/24 scope, which in turn hands out an IP from this range.)
The client device's MAC address is included in the payload of the original DHCP request packet, so the router
doesn't need to do anything to ensure that the server receives this information.

The DHCP server now has enough information to assign an address from the correct address pool, since it now
knows what the originating subnet was for the DHCP request. Simple, right!?
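The relay step just described, and the ip helper-address lines in the multilayer-switch answer earlier on this page, boil down to the same two operations: the router writes the address of the interface that received the DISCOVER into the packet's giaddr field (the "from address" above) and unicasts it to the helper, and the server picks the scope whose subnet contains that address. The following is an added Python model of both sides, not code from the tutorial or the forum answers; it uses the standard BOOTP/DHCP header layout and the tutorial's two scopes, and the scope lookup works unchanged for the six-scope design in the earlier answer.

```python
import ipaddress
import struct

# Fixed part of the BOOTP/DHCP header (RFC 2131): op, htype, hlen, hops, xid,
# secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr. Options are not modelled.
HDR = "!BBBBIHH4s4s4s4s16s"
HDR_LEN = struct.calcsize(HDR)   # 44 bytes
BOOTREQUEST = 1
MAX_HOPS = 16                    # a relay discards a request whose hops field exceeds this

# The tutorial's two scopes (constructed table); the lookup works for any number of scopes.
SCOPES = {
    "Scope1": ipaddress.ip_network("192.168.10.0/24"),   # default VLAN 1
    "Scope2": ipaddress.ip_network("10.10.10.0/24"),     # VLAN 10
}


def build_discover(mac: bytes, xid: int) -> bytes:
    """Client DISCOVER as it leaves the NIC: no address yet, so ciaddr and giaddr
    are all zeros; the broadcast flag (0x8000) asks for a broadcast reply."""
    zero = bytes(4)
    return struct.pack(HDR, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                       zero, zero, zero, zero, mac.ljust(16, b"\0"))


def giaddr_of(pkt: bytes) -> str:
    """Gateway address field as dotted text ('0.0.0.0' when no relay has touched it)."""
    return str(ipaddress.IPv4Address(struct.unpack(HDR, pkt[:HDR_LEN])[10]))


def relay(pkt: bytes, iface_ip: str, helper_ip: str):
    """What 'ip helper-address' makes the router do with the broadcast DISCOVER:
    record the receiving interface's address in giaddr (only if it is still zero,
    so a second relay on the path does not overwrite the first), bump hops, and
    unicast the copy from that interface to the helper. Returns None on hop overflow."""
    fields = list(struct.unpack(HDR, pkt[:HDR_LEN]))
    if fields[3] >= MAX_HOPS:
        return None
    fields[3] += 1
    if fields[10] == bytes(4):
        fields[10] = ipaddress.IPv4Address(iface_ip).packed
    return {"src": iface_ip, "dst": helper_ip,
            "payload": struct.pack(HDR, *fields) + pkt[HDR_LEN:]}


def select_scope(pkt: bytes, server_iface_ip: str, scopes=SCOPES):
    """Server-side scope choice: a non-zero giaddr names the client's subnet; a
    zero giaddr means the client is on the server's own link. Returns None when
    no scope contains the deciding address, in which case the server stays
    silent and the client never gets an offer (the symptom of a scope/gateway mismatch)."""
    gateway = ipaddress.IPv4Address(giaddr_of(pkt))
    key = gateway if int(gateway) else ipaddress.IPv4Address(server_iface_ip)
    for name, net in scopes.items():
        if key in net:
            return name
    return None
```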

Anyway, let's continue with the configuration of the router. Once again I'm going to assume you've done the basic
housekeeping commands, and proceed to configure the FastEthernet 0/1 interface and sub-interface.

You will notice when configuring the sub-interface, you specifically tell the sub-interface what number VLAN it's
meant to be tagging. (Ignore the message regarding baby giant frames.)

So in the above we have configured FE0/1 with an IP address of 192.168.10.254, and the sub-interface with an IP
address of 10.10.10.254, with VLAN 10 tagging.

Finally, let's put the IP helper address in on the sub-interface.

Right then, now this configuration is done let's get on to testing it. First I need to make sure I can ping both IP
addresses on the router from the server:

Now we can get on to testing this setup.

I've already configured the server with the two DHCP scopes I will be using:

First I'm going to make sure we can get an IP address on the default VLAN (so I'll be connecting into switchport 1 on
SW1 first).

I'm using a standard Windows 7 laptop for this called Michael2510p. Now it's connected, run a quick ipconfig to see
if it's picked up an IP address.
Everything looks OK from the client side; let's log on to the server and check the DHCP leases on the server.

Everything looks good for the default VLAN. Just to be sure, I'm now going to connect into switchport 1 on SW2.
I'm also going to adjust the DHCP scope so the laptop should now pick up the address 192.168.10.20 (this is just to
verify both switches can get an IP lease from the default VLAN).

Let's connect the laptop back up and see what is issued to the laptop this time.
As you can see the laptop has been assigned the IP we expected, so as far as VLAN 1 is concerned everything looks
good.

Right, now I'm going to plug into port 14 on SW1 (which is a member of VLAN 10), so we should now get an IP
address in the 10.10.10.0/24 range.

Oh dear, something isn't right.

So let's troubleshoot what it could be. Maybe it's the IP helper address? Instead of pointing to 192.168.10.1, let's
move it to 10.10.10.254 (the default gateway for VLAN 10), and let's see what happens.
Right, let's run an ipconfig /renew and test again.

Oh dear, still not working. So maybe it wasn't the IP helper address. Well, that's correct; if you think about it,
there isn't actually a DHCP server located at 10.10.10.254, is there? It's located on 192.168.10.1. So this was never
going to fix the problem. So let's put it back to how it was.

So what on earth could it be? We know the uplink between the switches is fine (because we can get an IP
address in VLAN1 when plugged into either switch). This also means the link back to the router is fine for VLAN1.

But hang on a minute, what about VLAN10? Let's just rewind a bit: we haven't actually configured the port on SW1
which connects to the router (switchport 23). So at the moment it's acting as a normal link (which is why VLAN1
is working, as this is its default behaviour). What we need to do is specify that this port is actually a TRUNK port,
and then allow whichever VLANs are required to pass.

So let's give that a go.


Now let's run ipconfig /renew on the laptop and see what happens.

Success! Let's just verify this on the server.

So we now know we can get access to the DHCP server from BOTH VLANs on SW1. But what about SW2? Well, let's
change the scope to start from 10.10.10.20 and plug into port 20 (a member of VLAN 10).
Let's run an ipconfig /renew on the laptop again and see what happens.
This is now looking a lot better! Let's just check on the server.

Success!

Well, there we are; we now have two separate VLANs, each running their own subnet, easily managed from the
one DHCP server.