03-10-2011 11:10 AM - edited 03-11-2019 01:04 PM
I have a requirement to use an ASA as the DHCP server.
My questions are... If I have multiple VLANs behind the ASA:
1 - Can I use the ASA with subinterfaces as the default gateway for each of these VLANs?
2 - Can I use the DHCP server feature on the ASA to assign IP addresses to each of the clients on each of the VLANs?
So VLAN 10 subnet would be 192.168.10.0/24, DHCP scope would be 192.168.10.10 - 254
and
VLAN 20 subnet would be 192.168.20.0/24, DHCP scope would be 192.168.20.10 - 254
I know I can use the ASA as a DHCP server, just not sure if it can assign different scopes to different VLAN clients.
Any help would be appreciated.
Cheers
Dave
03-10-2011 11:16 AM
Hi,
You can configure a DHCP server on each interface of the ASA (I assume this also applies to subinterfaces; however, I haven't tried it).
Keep in mind the license restrictions also (ASA 5505):
For a 10-user license, the max. DHCP clients is 32. For 50 users, the max. is 128. For unlimited users, the max. is 250, which is the max. for other models.
Also, the ASA only assigns IPs to directly connected subnets... meaning it won't assign IPs to hosts that are 1 or more layer 3 hops away (on a different subnet).
Hope it helps.
Federico.
03-10-2011 12:02 PM
Thanks, it does help. I'll have to set it up in the lab and verify that I can indeed set up a DHCP server per subinterface.
Thanks
Dave
03-10-2011 02:26 PM
Dave, as Federico has indicated, you can use DHCP when using subinterfaces. DHCP services are bound to the nameif rather than the interface/subinterface, so regardless of whether you use an actual physical interface or a logical subinterface, you use the interface nameif to activate DHCP services when working with the dhcpd command syntax.
Example, using your IP scheme.
Let's assume you will use physical e0/2 for your trunk and configure your subinterfaces and DHCP:
interface Ethernet0/2.10
 vlan 10
 nameif DMZ10
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface Ethernet0/2.20
 vlan 20
 nameif DMZ20
 security-level 100
 ip address 192.168.20.1 255.255.255.0
dhcpd address 192.168.10.10-192.168.10.254 DMZ10
dhcpd dns x.x.x.x y.y.y.y interface DMZ10
dhcpd enable DMZ10
dhcpd address 192.168.20.10-192.168.20.254 DMZ20
dhcpd dns h.h.h.h z.z.z.z interface DMZ20
dhcpd enable DMZ20
Some references:
http://www.cisco.com/en/US/partner/docs/security/asa/asa82/command/reference/d2.html#wp1948446
Regards
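A consistency check for a per-VLAN DHCP configuration like the one above, added here as an example and not part of the thread: it reads the subinterface blocks, maps each nameif to its subnet, and flags any dhcpd line that refers to a nameif that does not exist (the typo that silently leaves one VLAN without DNS options), a pool that lies outside the interface subnet, or a pool that includes the gateway address. The sample config and the DNS server addresses are constructed, and the checker is an assumed offline script, not an ASA feature.

```python
import ipaddress
import re

# Constructed sample based on the post above, with a "DM20" typo on the second dhcpd dns line.
SAMPLE_CONFIG = """\
interface Ethernet0/2.10
 vlan 10
 nameif DMZ10
 ip address 192.168.10.1 255.255.255.0
interface Ethernet0/2.20
 vlan 20
 nameif DMZ20
 ip address 192.168.20.1 255.255.255.0
dhcpd address 192.168.10.10-192.168.10.254 DMZ10
dhcpd dns 10.0.0.53 10.0.0.54 interface DMZ10
dhcpd enable DMZ10
dhcpd address 192.168.20.10-192.168.20.254 DMZ20
dhcpd dns 10.0.0.53 10.0.0.54 interface DM20
dhcpd enable DMZ20
"""

# An interface block is the "interface ..." line plus the indented lines under it.
IFACE_RE = re.compile(r"^interface \S+\n(?:^ .*\n)*", re.M)
# The three per-interface dhcpd forms used in the post; each ends with the nameif.
DHCPD_RE = re.compile(r"^dhcpd (?:address (\S+)-(\S+)|dns .+ interface|enable) (\S+)$")

def parse_interfaces(config):
    """Map each nameif to its ip_interface (only blocks that carry both lines)."""
    ifaces = {}
    for block in IFACE_RE.findall(config):
        name = re.search(r"^ nameif (\S+)", block, re.M)
        addr = re.search(r"^ ip address (\S+) (\S+)", block, re.M)
        if name and addr:
            ifaces[name[1]] = ipaddress.ip_interface(f"{addr[1]}/{addr[2]}")
    return ifaces

def check_dhcpd(config):
    """Return findings for per-interface dhcpd lines; an empty list means they are consistent."""
    ifaces, findings = parse_interfaces(config), []
    for m in filter(None, map(DHCPD_RE.match, map(str.strip, config.splitlines()))):
        nameif = m[3]
        if nameif not in ifaces:
            findings.append(f"{nameif}: '{m[0]}' names an interface with no nameif")
        elif m[1]:  # dhcpd address: pool must sit inside the subnet and exclude the gateway
            lo, hi = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])
            net, gw = ifaces[nameif].network, ifaces[nameif].ip
            if lo not in net or hi not in net or lo > hi:
                findings.append(f"{nameif}: pool {lo}-{hi} is not inside {net}")
            elif lo <= gw <= hi:
                findings.append(f"{nameif}: pool {lo}-{hi} includes the interface address {gw}")
    return findings
```

Run it against a `show running-config` capture to catch the DM20-style slip before the config reaches the box.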
03-11-2011 01:32 PM
Thanks for the info, got it up and running in the lab.
Cheers
Dave
01-13-2012 01:44 PM
I got into the same situation as Dave and tried to apply your nameif on another interface, but found out that I could not do it with the ASA Base 10-user license; I got the error message:
ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.
I just want to share that.
01-13-2012 02:51 PM
Hello,
The issue you are getting is related to a license restriction on your ASA 5505: with a Base license you only have 2 unrestricted interfaces. In this case I think you already have VLAN 1 as inside and VLAN 2 as outside, and you want to use a DHCP server on a different VLAN. The problem is again that you have a restricted license, so the third VLAN can be configured, but only passing traffic to one interface.
You will need the following to make it work:
interface ethernet 0/2
 switchport access vlan 3
interface vlan 3
 no forward interface vlan 1
 nameif dmz
 security-level #
 ip address x.x.x.x
Then you can give it a try.
Regards,
Julio