02-09-2012 03:58 AM - edited 03-07-2019 04:49 AM
Hi all,
I have a case like this:
In the LAN, there is already a DHCP server running.
Now, there is a rack of servers coming. In the rack it has Cisco Catalyst 4948E.
I don't want the servers in that particular rack to be affected by the current DHCP in the LAN, because I'm going to set up another DHCP in that rack to serve the servers in the rack.
So here's what I did.
Using Cisco Network Assistant, I blocked DHCP traffic on port 48.
Port 48 is the port where I connect the LAN to that rack.
It works. DHCP in the LAN doesn't affect servers in the rack.
However, I soon realized that it does more than that, or so I thought.
It seems that the 4948E is blocking DHCP traffic on ALL ports, instead of just port 48.
I can tell this because all the VMs on server 1 (where the DHCP server resides) can get IP addresses, while VMs on other hosts cannot.
This is the configuration of the switch:
!
vlan access-map SecWiz_Vlan1 10
action forward
match ip address SecWiz_Gi1_48_in_ip
!
vlan filter SecWiz_Vlan1 vlan-list 1
vlan internal allocation policy ascending
!
ip access-list extended SecWiz_Gi1_48_in_ip
deny udp any any eq bootpc
deny udp any any eq bootps
deny udp any any eq tftp
permit ip any any
!
Thank you,
Fajar
02-09-2012 04:27 AM
If port 48 is not trunking, maybe you should create a VLAN, put only port 48 in it and apply the settings above to that VLAN.
Hope this helps
Eugen
02-09-2012 04:33 AM
Why don't you just create a server vlan and statically assign ip addresses to that VLAN?
02-09-2012 04:37 AM
Hi guys,
Thanks for the suggestions so far.
I'm a total newbie. That command I got was from Cisco Network Assistant.
So, if there is something I can do using CNA, that's great.
Or if I should use the CLI, no problem too, as long as it's quite step-by-step.
I appreciate your help
02-09-2012 04:33 AM
Hi Eugen,
What do you mean by trunking?
By the way, I found this on Google about
ip helper-address
Seems like I can use that parameter to tell the ports to forward dhcp request to a certain DHCP server.
But if I want to go that way, does it mean I have to setup IP address on each port first?
02-09-2012 05:03 AM
Hi,
using a VACL like you did will have effect for all ports in the corresponding VLAN (in your case VLAN 1),
if you want to block traffic you must either use a PACL (only works inbound) on a switchport or a RACL on a L3 port (SVI or routed port).
As far as ip helper is concerned, this is a feature also called DHCP relay agent which is used when the DHCP server is residing on a different subnet than the DHCP clients (it will translate the DHCP Discover from broadcast to unicast), so it won't help you block DHCP traffic.
I think the best solution is to place these servers in another VLAN and so they won't be able to receive DHCP leases from the server in the other VLAN unless you configured a DHCP relay and had the corresponding scope on the DHCP server.
Regards.
Alain.
02-09-2012 05:09 AM
Hi Alain,
I've been reading around and I agree, I think putting this one rack into its own VLAN is the best.
Can you please tell me if my understanding is correct:
1. Create another VLAN, like VLAN 50
2. Assign port 1-47 into VLAN 50
3. Leave port 48 as it is (which is connected to the LAN).
Should I do something on port 48? Will it automatically become a trunk port?
What should I do to make that rack be able to talk to the rest of the LAN?
Thank you.
02-09-2012 06:01 AM
Hi,
I've never used a 4900 so I can't tell if the default is switchport mode desirable but anyway it's better to create an unconditional trunk with the command switchport mode trunk and only allow the VLANS you want to with the switchport trunk allowed vlan command.
Can you provide a quick diagram of your infrastructure and rephrase exactly what you want to do.
Regards.
Alain.
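As an added example (not from this thread or from Cisco's documentation), the IOS configuration that implements Alain's two suggestions above on a 4948E-style switch: the rack's ports in their own VLAN, port 48 as an explicit trunk that carries only the VLAN you choose, and, for contrast with the VACL from the first post, the same DHCP filter applied as a PACL on one switchport only. VLAN 50, the interface ranges, the SVI addresses and the assumption that the switch image supports SVIs and ip routing are mine, not the thread's.

```ios
! Rack VLAN (assumption: VLAN 50 is unused on this switch and on the LAN)
vlan 50
 name RACK-SERVERS
!
! Ports 1-47: servers in the rack, access ports in VLAN 50
interface range GigabitEthernet1/1 - 47
 switchport mode access
 switchport access vlan 50
!
! Port 48: uplink to the existing LAN. Unconditional trunk, carrying only
! VLAN 1. Do NOT add VLAN 50 here: extending it to the LAN side would let
! the LAN DHCP server see the rack's DHCP Discovers again.
interface GigabitEthernet1/48
 switchport mode trunk
 switchport trunk allowed vlan 1
 switchport nonegotiate
!
! Routing between the two VLANs so the rack can still reach the LAN
! (addresses are placeholders from the documentation ranges).
! No 'ip helper-address' on Vlan50: DHCP broadcasts stay inside the rack,
! so only the rack's own DHCP server answers them.
ip routing
interface Vlan1
 ip address 192.0.2.2 255.255.255.0
interface Vlan50
 ip address 198.51.100.1 255.255.255.0
!
! Alternative if the rack must stay in VLAN 1: the ACL from the first post
! applied as a PACL on port 48 only. Inbound on the uplink it drops the LAN
! DHCP server's offers (destination port bootpc) before they reach the rack
! and leaves the other 47 ports untouched. Remove the VLAN-wide VACL first.
no vlan filter SecWiz_Vlan1 vlan-list 1
interface GigabitEthernet1/48
 ip access-group SecWiz_Gi1_48_in_ip in
```

With the VLAN 50 design the LAN side still needs a route to 198.51.100.0/24 via the switch's Vlan1 address, otherwise replies from the LAN never reach the rack. The PACL variant blocks offers from the LAN but does not stop the rack's own Discovers from leaving on port 48, so it is the weaker of the two.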
02-09-2012 06:20 AM
Hi Alain, thanks for bearing with me.
My original issue comes from this:
http://communities.vmware.com/message/1904665#1904665
I already have a running DHCP server in "LAN".
I have a new rack with some servers in it and along with it, a Cisco 4948E.
I connect port #48 on that switch to the "LAN".
As a result, DHCP in the LAN picks up DHCP requests from VMs running on the servers in the rack.
I DON'T WANT THIS. Because I want to set another DHCP server in the rack with different subnet.
So, using Cisco Network Assistant, I FILTER DHCP traffic on port #48 on that switch in the rack. But as you said, in reality it's not filtering based on port (#48), but the whole VLAN (#1). As a result:
1. DHCP server in the "LAN" cannot serve the VM in the rack (GOOD, this is what I want).
2. DHCP server in the rack can only serve VM in the same host as itself (BAD!! because other VM in other server in the rack cannot get IP address).
Do you get what I mean?
So, I think your suggestion to create a different VLAN in the rack would achieve what I want.
1. Prevent DHCP in the LAN from interfering servers in the rack.
2. Allow VM in the servers in the rack to get IP address from DHCP server in the rack.
However I have these 2 major concerns:
1. When I set up the different VLAN in the rack, I think it will disrupt the current connection between the servers in that rack.
I think I have to shutdown all servers first, which I'm not sure I can ask that to the users right now.
2. I need to use PPTP to connect from another LAN to that rack. I'm worried setting up different VLAN would complicate/fail the PPTP.
Thanks for listening
02-09-2012 06:43 AM
Hi,
I've never used PPTP but as far as disrupting the machines when creating new VLAN then plan a timeout while you do this config.
Regards.
Alain.
02-09-2012 02:44 PM
Do you have a host server that is a DHCP for VM machines? Or are the VM machines configured manually? If your VMs are set up with static addresses, or are bridged to the host system and the host system is configured with a static IP, then the easy solution is to disable the VMs' DHCP capabilities.
If the host is a Windows machine go to services and stop VMware DHCP and VMware NAT.
If this is not the solution for you, I suggest you follow Alain's recommendations.
Eugen
02-09-2012 03:09 PM
Hi guys,
I think that a possible option is to apply a MAC ACL over the servers' VLANs, blocking the bootp (DHCP) requests, i.e. traffic from the MAC of the DHCP server to the MACs of the servers present in this VLAN. In this link you can find better information.
Regards
PPACHECO