Using ASA as DHCP server for multiple vlans

dclee
Level 1

I have a requirement to use an ASA as the DHCP server.

My questions are... If I have multiple VLANs behind the ASA:

1 - Can I use the ASA with subinterfaces as the default gateway for each of these VLANs?

2 - Can I use the DHCP server feature on the ASA to assign IP addresses to the clients on each of the VLANs?

So the VLAN 10 subnet would be 192.168.10.0/24 and the DHCP scope would be 192.168.10.10 - 254,

and

the VLAN 20 subnet would be 192.168.20.0/24 and the DHCP scope would be 192.168.20.10 - 254.

I know I can use the ASA as a DHCP server; I'm just not sure if it can assign different scopes to different VLAN clients.

Any help would be appreciated.

Cheers

Dave

6 Replies

Hi,

You can configure a DHCP server on each interface of the ASA (I assume this also applies to subinterfaces; however, I haven't tried it).

Keep in mind the license restrictions also (ASA 5505):
For a 10-user license, the max. DHCP clients is 32. For 50 users, the max. is 128. For unlimited users, the max. is 250, which is the max. for other models.

Also, the ASA only assigns IPs to directly connected subnets, meaning it won't assign IPs to hosts that are one or more Layer 3 hops away (on a different subnet).

Hope it helps.

Federico.

Thanks, it does help. I'll have to set it up in the lab and verify that I can indeed set up a DHCP server per subinterface.

Thanks


Dave

Dave, as Federico has indicated, you can use DHCP with subinterfaces. DHCP services are bound to the nameif rather than to the interface/subinterface, so regardless of whether you use a physical interface or a logical subinterface, you use the interface nameif to activate DHCP services in the dhcpd command syntax.

Example, using your IP scheme.

Let's assume you will use physical e0/2 for your trunk and hang your subinterfaces and DHCP off it.

interface Ethernet0/2.10
vlan 10
nameif DMZ10
security-level 100
ip address 192.168.10.1 255.255.255.0


interface Ethernet0/2.20
vlan 20      
nameif DMZ20
security-level 100
ip address 192.168.20.1 255.255.255.0


dhcpd address 192.168.10.10-192.168.10.254 DMZ10
dhcpd dns x.x.x.x  y.y.y.y interface DMZ10
dhcpd enable DMZ10


dhcpd address 192.168.20.10-192.168.20.254 DMZ20
dhcpd dns h.h.h.h  z.z.z.z interface DMZ20
dhcpd enable DMZ20

Some references
http://www.cisco.com/en/US/partner/docs/security/asa/asa82/command/reference/d2.html#wp1948446


Regards

Jorge Rodriguez
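As an added example (mine, not Jorge's configuration or Cisco's documentation), here is the same two-VLAN layout written out more fully for an ASA with a routed trunk port (a 5510-class appliance rather than a 5505), including the parent interface, per-interface DNS, domain and lease options, and the show commands used to confirm the scopes are active and handing out leases. The DNS server addresses, domain name and lease time are placeholders.

```cisco
! Physical trunk port carries the tagged VLANs; it has no nameif of its own
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/2.10
 vlan 10
 nameif DMZ10
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2.20
 vlan 20
 nameif DMZ20
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
! One scope per nameif. The pool must lie inside the interface subnet and
! must not include the ASA's own address (.1). DNS, domain and lease are
! set per interface; 192.0.2.x and example.net are placeholder values.
dhcpd address 192.168.10.10-192.168.10.254 DMZ10
dhcpd dns 192.0.2.53 192.0.2.54 interface DMZ10
dhcpd domain example.net interface DMZ10
dhcpd lease 3600 interface DMZ10
dhcpd enable DMZ10
!
dhcpd address 192.168.20.10-192.168.20.254 DMZ20
dhcpd dns 192.0.2.53 192.0.2.54 interface DMZ20
dhcpd domain example.net interface DMZ20
dhcpd lease 3600 interface DMZ20
dhcpd enable DMZ20
!
! Both DMZ interfaces sit at security-level 100, so VLAN 10 and VLAN 20 hosts
! cannot reach each other through the ASA unless the next line is enabled.
! Leave it commented out to keep the VLANs isolated from one another.
! same-security-traffic permit inter-interface
!
! Verification: scope definitions, which interfaces act as DHCP server,
! current leases, and offer/ack counters
show running-config dhcpd
show dhcpd state
show dhcpd binding
show dhcpd statistics
```

`show dhcpd binding` is the quickest check that a client on a given VLAN was served from the scope bound to that nameif, and `show dhcpd statistics` should show the discover/offer counters increasing on the right interface when a lab client boots.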

Thanks for the info, got it up and running in the lab

Cheers

Dave

I got into the same situation as Dave and tried to apply your nameif on another interface, but found out that I could not do it with the ASA Base 10 license; I got the error message

ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.

I just want to share that.

Hello,

The issue you are getting is related to a license restriction on your ASA 5505: with a Base license you only have 2 unrestricted interfaces. In this case I think you already have VLAN 1 as inside and VLAN 2 as outside, and you want to use a DHCP server on a different VLAN. The problem is, again, that you have a restricted license, so the third VLAN can be configured but only passing traffic to one interface.

You will need the following to make it work:

interface ethernet 0/2
no forward interface vlan 1
nameif dmz
ip address x.x.x.x
security-level #

Then you can give it a try.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
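As an added example (mine, not Julio's configuration), the restricted third VLAN written out for an ASA 5505, where nameif, no forward interface and the IP address belong on the VLAN interface and a physical port is assigned to that VLAN as a switchport. The no forward interface line has to be entered before nameif or the license error above is returned. The 192.168.30.0/24 subnet, security level and DNS address are assumed values.

```cisco
! Third VLAN on a 5505 Base license: it may forward traffic to only one of
! the two other named interfaces, so traffic toward Vlan1 (inside) is blocked.
! The restriction must be declared before nameif is applied.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.30.1 255.255.255.0
!
! Place a physical switch port in VLAN 3
interface Ethernet0/2
 switchport access vlan 3
 no shutdown
!
! DHCP scope for the restricted VLAN, bound to the nameif as before;
! the pool excludes the ASA's own .1 address. DNS address is a placeholder.
dhcpd address 192.168.30.10-192.168.30.254 dmz
dhcpd dns 192.0.2.53 interface dmz
dhcpd enable dmz
```

Because the dmz VLAN cannot initiate traffic to inside, hosts served from this scope reach only the outside interface, which is the intended containment for a DMZ on the Base license; moving to a Security Plus license removes the forwarding restriction.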