Ip helper in combination with local dhcp pool

akketuut · ‎08-23-2019

Hello,

I am configuring a cisco 800 series router and would like to achieve the following:

For vlan 1 i want clients to receive an address from the local dhcp pool configured on the router.

For vlan 2 i want them to go to an offsite dhcp server.

This is part of my config:

ip dhcp pool dpool1
import all
network 192.168.20.0 255.255.255.0
dns-server 8.8.8.8
domain-name xxxxx
default-router 192.168.20.1

interface Vlan1
ip address 192.168.20.1 255.255.255.0
ip virtual-reassembly in

interface Vlan2

ip address 192.168.120.1 255.255.255.0

ip helper-address 192.168.0.3

For some reason clients in vlan 2 are getting an ip adress from the local pool (192.168.20.0).

It doesnt make sense to me that the router would hand out an ip address for vlan 1 to a client located on vlan 2...

My layer 2 setup seems correct because the client's mac address is associated with an fastethernet interface that is an accessport in vlan 2.

Is the ip dhcp pool dpool1 cmd overiden the ip helper cmd?

My router has connectivity to the ip helper address.

Is it possible what i would like to achieve?

Thanks in advance.

luis_cordova · ‎08-23-2019

Hi @akketuut ,

The only detail I find is the import all command.
Try to disable it and do a test.

Could you share your switch settings too?

Regards

akketuut · ‎08-26-2019

Hello,

Thanks for you input.

It seems that the config worked after all. The local DHCP scope was used by the clients as an backup solution.

There was an firewall on the other end of the tunnel blocking the traffic.

I should have done an debug first to see what happened to the DORA packets...

Again, Thank you all for your input.

marce1000 · ‎08-23-2019

- You are better off with a separate dhcp server solutions for all vlans : 1) You over-complicate things were this is not needed 2) For good intranet-design separating L2 and L3 services from DHCP services is better.

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

akketuut · ‎08-26-2019

Hello,

I understand your suggestion. The reason why i am working with 2 dhcp scopes is that the offsite dhcp server serves VOIP telephones (vlan 2) with several options.
The tunnel is built over an 4G connection. I don't want to rely completely on the 4G connection for the pc's to get their ip address. But i also don't want to mirror the dhcp scope for telephones...

Thanks for your input.

Richard Burts · ‎08-26-2019

Thanks for the update. Glad to know that it is working and that the issue was really a remote firewall.

Thank you for the explanation of why you use a remote DHCP scope and a local DHCP scope. This is exactly the kind of situation I had in mind when I said that sometimes a remote scope and a local scope if very justifiable. You need the remote scope for the phones but do not want your local PCs to be dependent on a remote server in case of network problems. I hope that @marce1000 would accept that logic.

HTH

Rick

HTH

Rick

Georg Pauwen · ‎08-23-2019

Hello,

I wonder what happens when you block anything bootpc/bootps on Vlan 1 coming from Vlan 2, vice versa ?

access-list 101 deny udp 192.168.120.0 0.0.0.255 eq bootpc
access-list 101 deny udp 192.168.120.0 0.0.0.255 eq bootps
access-list 101 permit ip any any

!

access-list 102 deny udp 192.168.20.0 0.0.0.255 eq bootpc
access-list 102 deny udp 192.168.20.0 0.0.0.255 eq bootps
access-list 102 permit ip any any
!
interface Vlan1
ip access-group 101 in

!

interface Vlan2
ip access-group 102 in

Richard Burts · ‎08-24-2019

I find the requirements identified in the original post to be fairly straightforward, vlan 1 PCs should get IP assignment from a local dhcp pool and vlan 2 PCs should get IP assignment from a remote DHCP server. The very limited config information supplied would seem appropriate for this. If it is not working I wonder if there is something in the config that we have not seen that would impact IP assignment. Would the original poster give us the complete config of the router?

We also need some information about the switch. What kind of switch is this? Which switch port connects to the router and which switch port connects to the PC? Would the original poster give us the output of show interface status from the switch?

There is perhaps some basis for a discussion of Best Practices and whether it is better for all IP assignment to be done by a remote dhcp server. (and I can think of some situations in which I would argue for the benefit of some local assignment) But the current question is about something that should work and is not working. I want to solve that before we get into a discussion about whether there is a better design.

HTH

Rick

HTH

Rick

marce1000 · ‎08-24-2019

>I find the requirements identified in the original post to be fairly straightforward, vlan 1 PCs should get IP assignment from a local dhcp pool and vlan 2 PCs should get IP assignment from a remote DHCP server...

- I beg to differ strongly ; I still think it's far better to have single DHCP server , separated from L2 and L3 services.

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !