Sharing DHCP server between nonroutable VLANs

[serj]

I've added an ip helper address(the DHCP server) into the non routable vlans SVI but have not given the interface an IP address. I am unable to grab an IP while on that VLAN. I put the DHCP server on a trunk port that allows that vlan to access it as well. But I still can not get an IP address. Is there something else I need to do to get it to work?

This device is a cisco 4500 series

 

[ISPKing]

Does your Dhcp Have a route to those vlans?

CCNP

 

[serj]

The dhcp server has a default route of the IP of the switch that the vlans are on. The nonrouteable vlan doesn't have an IP address so how would I setup routing?

 

[vipergg]

Won't work unless the vlans are routable.

 

[serj]

Ok so maybe I'm confused about the ability of vlans to segregate networks.

I want to have networks in which the client machines in one vlan can not access client machines in another vlan, but yet I want them to share the same DHCP server. This is not possible?

 

[ISPKing]

Yes it is, Only though if the DHCP server can communicate to both Vlans.

CCNP

 

[serj]

so what needs to be done so that the dhcp server can communicate to both vlans? right now I have it on a trunk port with both vlans allowed

 

[burtsbees]

Until you create the L2 vlans (older switches, esp. CatOS), VLAN 1 will receive DHCP...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[serj]

Ok, so here is the relevant config that I have. What is incorrect?

vlan 10
name first_vlan
!
vlan 17
name second_vlan
!

interface GigabitEthernet2/1
description DHCP_Server
switchport trunk native vlan 10
switchport mode trunk
!

interface GigabitEthernet2/6
description test Vlan on laptop
switchport access vlan 17
switchport mode access
!


interface Vlan10
description first vlan
ip address 10.0.1.44 255.255.0.0
no ip redirects
!

interface Vlan17
description second Vlan
no ip address
ip helper-address 10.0.10.110
!



I've tried removing the svi for vlan 17, same results. The problem is that the machine on port 2/6 can not grab an IP.

 

[ISPKing]

Vlan17 needs to have an ip address on the 10.0.10.x subnet, and that switch or a router on a stick has to be able to route those two vlans. Right now your switch has no clue where 10.0.10.x is.

CCNP

 

[serj]

If I give vlan17 a 10.0.10.x IP won't the machines in vlan17 then be able to communicate with the ones in vlan 10? This is what I'm trying to avoid.

sh ip route shows that it knows how to get to 10.0.x.x
10.0.0.0/16 is subnetted, 10 subnets
C 10.0.0.0 is directly connected, Vlan10


or maybe I'm confused?

 

[vipergg]

You would have to use ACL's to keep them from talking to each other once you put an address on vlan 17.

 

[Cluebird]

This sounds like a situation for private VLANs. You can have the same subnet IPs on all the hosts, but define two community VLANs to separate them from each other and have the DHCP on a primiscuous VLAN.

 

[brianinms]

Why not just run dhcp on the switch for the "nonroutable" vlan? Then use an acl to block access between them

 

[meneerB]

@vipergg, I agree, ACLs is a good way.
I don't have experience with ACLs, but what about this:

Could this work?
In the example below, I'll route all traphic over the core switch
On the other switches, you only need 1 ip address for the native vlan (ipaddress of the switch)

vlan 10
 name first_vlan
!
vlan 17
 name second_vlan
!

interface GigabitEthernet2/1
 description DHCP_Server
 switchport trunk native vlan 10
 switchport mode trunk
 ip access-group accesslist_vlan10
!

interface GigabitEthernet2/6
 description test Vlan on laptop
 switchport access vlan 17
 switchport mode access
 ip helper-address 10.0.10.110
 ip access-group accesslist_vlan17
!
!
interface Vlan10
 description first vlan
 ip address 10.0.1.44 255.255.0.0
 no ip redirects
 ip helper-address 10.0.10.110
!

interface Vlan17
 description second Vlan
 ip address 10.17.0.1 255.255.255.0  {don't use .0 as an ipaddress}
 ip helper-address 10.0.10.110
!
!
ip access-list extended accesslist_vlan10
 permit udp any host 10.0.10.100 eq bootpc               {allow requests from any to dhcp server}
 permit udp host 10.0.10.100 any eq bootps               {allow reply back to any)
 permit ip  10.0.0.0  0.0.255.255 10.0.0.0  0.0.255.255  {allow traphic in vlan10}
 deny   ip  10.0.0.0  0.0.255.255 10.17.0.0   0.0.0.255  {deny  traphic from vlan10 to vlan17}

ip access-list extended accesslist_vlan17
 permit udp any host 10.0.10.100 eq bootpc               {allow requests from any to dhcp server}
 permit udp host 10.0.10.100 any eq bootps               {allow reply back to any)
 permit ip  10.17.0.0   0.0.0.255 10.17.0.0   0.0.0.255  {allow traphic in vlan17}
 deny   ip  10.17.0.0   0.0.0.255 10.0.0.0  0.0.255.255  {deny  traphic from vlan17 to vlan10}

I'm not sure about the in and out command 'ip access-group accesslist_vlan17 in / out'