Newbie Cisco ^^

fajar, Level 1

Hi all,

I have a case like this:

In the LAN, there is already a DHCP server running.

Now, there is a rack of servers coming. In the rack it has Cisco Catalyst 4948E.

I don't want the servers in that particular rack to be affected by the current DHCP in the LAN, because I'm going to set up another DHCP in that rack to serve the servers in the rack.

So here's what I did.

Using Cisco Network Assistant, I blocked DHCP traffic on port 48.

Port 48 is the port where I connect the LAN to that rack.

It works. DHCP in the LAN doesn't affect servers in the rack.

However, I soon realized that it does more than that, or so I thought.

It seems that the 4948E is blocking DHCP traffic on ALL ports, instead of just port 48.

I can tell this because all the VMs on server 1 (where the DHCP server resides) can get an IP address, while the VMs on other hosts cannot.

This is the configuration of the switch:

!
vlan access-map SecWiz_Vlan1 10
 action forward
 match ip address SecWiz_Gi1_48_in_ip
!
vlan filter SecWiz_Vlan1 vlan-list 1
vlan internal allocation policy ascending
!
ip access-list extended SecWiz_Gi1_48_in_ip
 deny udp any any eq bootpc
 deny udp any any eq bootps
 deny udp any any eq tftp
 permit ip any any
!

Thank you,

Fajar


ebarticel, Level 4

If port 48 is not trunking, maybe you should create a VLAN, put only port 48 in it, and apply the settings above to that VLAN.

Hope this helps

Eugen

Why don't you just create a server vlan and statically assign ip addresses to that VLAN?

Hi guys,

Thanks for the suggestions so far.

I'm a total newbie. That command I got was from Cisco Network Assistant.

So, if there is something I can do using CNA, that's great.

Or if I should use the CLI, no problem either, as long as it's fairly step-by-step.

I appreciate your help

Hi Eugen,

What do you mean by trunking?

Btw, I found this on Google about

ip helper-address

Seems like I can use that parameter to tell the ports to forward DHCP requests to a certain DHCP server.

But if I want to go that way, does it mean I have to set up an IP address on each port first?

Hi,

Using a VACL like you did will have an effect on all ports in the corresponding VLAN (in your case VLAN 1).

If you want to block traffic you must either use a PACL (only works inbound) on a switchport or a RACL on a L3 port (SVI or routed port).

As far as ip helper is concerned, this is a feature also called DHCP relay agent, which is used when the DHCP server resides on a different subnet than the DHCP clients (it will translate the DHCP Discover from broadcast to unicast), so it won't help you block DHCP traffic.

I think the best solution is to place these servers in another VLAN and so they won't be able to receive DHCP leases from the server in the other VLAN unless you configured a DHCP relay and had the corresponding scope on the DHCP server.

Regards.

Alain.

Don't forget to rate helpful posts.
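As an added example (not posted in the thread) of the PACL alternative Alain describes: the same extended ACL from Fajar's configuration, but applied inbound on the single uplink instead of as a VACL on all of VLAN 1, so only DHCP/TFTP entering from the LAN is dropped and DHCP between the rack's own ports is untouched. It assumes the uplink is GigabitEthernet1/48 (inferred from the ACL name) and that the running IOS supports port ACLs on switchports.

```cisco
! Added example: replace the VLAN-wide VACL with a port ACL on the uplink only.
! Assumes the LAN uplink is GigabitEthernet1/48 (inferred from the ACL name).
!
! 1. Remove the VACL so VLAN 1 is no longer filtered on every port.
no vlan filter SecWiz_Vlan1 vlan-list 1
no vlan access-map SecWiz_Vlan1
!
! 2. Keep the extended ACL: drop DHCP (bootps/bootpc) and TFTP, permit the rest.
ip access-list extended SecWiz_Gi1_48_in_ip
 deny   udp any any eq bootpc
 deny   udp any any eq bootps
 deny   udp any any eq tftp
 permit ip any any
!
! 3. Apply it as a PACL. PACLs filter inbound only, so Offers/ACKs from the LAN
!    DHCP server arriving on Gi1/48 are dropped, while frames between Gi1/1-47
!    never touch this ACL and the rack DHCP server keeps serving every host.
!    Caveat: rack clients' Discover broadcasts still leave via Gi1/48 (outbound
!    is not filtered); only the LAN server's replies are stopped on the way in.
interface GigabitEthernet1/48
 ip access-group SecWiz_Gi1_48_in_ip in
!
! Verification (exec mode):
!   show vlan filter                            -> no VACL mapped to VLAN 1
!   show ip access-lists SecWiz_Gi1_48_in_ip    -> hit counts on the deny lines
!   show running-config interface GigabitEthernet1/48
```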

Hi Alain,

I've been reading around and I agree; I think putting this one rack into its own VLAN is best.

Can you please tell me if my understanding is correct:

1. Create another VLAN, like VLAN 50

2. Assign ports 1-47 to VLAN 50

3. Leave port 48 as it is (which is connected to the LAN).

Should I do something on port 48? Will it automatically become a trunk port?

What should I do to make that rack be able to talk to the rest of the LAN?

Thank you.

Hi,

I've never used a 4900, so I can't tell if the default is switchport mode desirable, but anyway it's better to create an unconditional trunk with the command switchport mode trunk and only allow the VLANs you want with the switchport trunk allowed vlan command.

Can you provide a quick diagram of your infrastructure and rephrase exactly what you want to do?

Regards.

Alain.

Don't forget to rate helpful posts.
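As an added example (not from the thread) of the separate-VLAN design Alain recommends and the three steps Fajar lists above: VLAN 50 for the rack's ports, an explicit trunk on the uplink with a pruned allowed-VLAN list, and no DHCP relay on VLAN 50 so the LAN DHCP server never sees the rack's Discovers. Interface names assume the 4948E's GigabitEthernet1/1-1/48 with 1/48 as the uplink; whether VLAN 50 is routed by an SVI on this switch is not settled in the thread, so that part is shown commented as an option.

```cisco
! Added example: isolate the rack in its own VLAN instead of filtering DHCP.
! Assumes GigabitEthernet1/1-47 face the servers and 1/48 is the LAN uplink.
!
vlan 50
 name RACK-SERVERS
!
! Servers become access ports in VLAN 50. The rack DHCP server sits here too,
! so its Offers reach every server in the rack, not just VMs on its own host.
interface range GigabitEthernet1/1 - 47
 switchport mode access
 switchport access vlan 50
 spanning-tree portfast
!
! The uplink is an unconditional trunk (not left to DTP negotiation) carrying
! only the VLANs that must cross to the LAN. With only VLAN 1 allowed, VLAN 50
! stays inside the rack: the LAN DHCP server cannot see VLAN 50 broadcasts,
! so no DHCP-blocking ACL is needed at all. Add 50 here only if the LAN side
! is meant to carry the rack VLAN as well.
interface GigabitEthernet1/48
 switchport mode trunk
 switchport trunk allowed vlan 1
 switchport nonegotiate
!
! Option (assumption, not from the thread): if the 4948E routes between the
! rack and the LAN, give VLAN 50 an SVI but deliberately omit "ip helper-address".
! Without a relay, Discovers in VLAN 50 are never forwarded to the LAN server.
! ip routing
! interface Vlan50
!  ip address 10.50.0.1 255.255.255.0   ! constructed sample address
!
! Verification (exec mode):
!   show vlan brief          -> Gi1/1-47 listed under VLAN 50
!   show interfaces trunk    -> Gi1/48 trunking, allowed VLANs 1
```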

Hi Alain, thanks for bearing with me.

My original issue comes from this:

http://communities.vmware.com/message/1904665#1904665

http://communities.vmware.com/servlet/JiveServlet/showImage/2-1903774-18293/network-isolated-span-host.png

I already have a running DHCP server in "LAN".

I have a new rack with some servers in it and along with it, a Cisco 4948E.

I connect port #48 on that switch to the "LAN".

As a result, the DHCP in the LAN picks up DHCP requests from VMs running on the servers in the rack.

I DON'T WANT THIS, because I want to set up another DHCP server in the rack with a different subnet.

So, using Cisco Network Assistant, I FILTER DHCP traffic on port #48 on that switch in the rack. But as you said, in reality it's not filtering based on the port (#48), but on the whole VLAN (#1). As a result:

1. DHCP server in the "LAN" cannot serve the VMs in the rack (GOOD, this is what I want).

2. DHCP server in the rack can only serve VMs on the same host as itself (BAD!! because VMs on other servers in the rack cannot get IP addresses).

Do you get what I mean?

So, I think your suggestion to create a different VLAN in the rack would achieve what I want:

1. Prevent DHCP in the LAN from interfering with servers in the rack.

2. Allow VMs on the servers in the rack to get IP addresses from the DHCP server in the rack.

However I have these 2 major concerns:

1. When I set up the different VLAN in the rack, I think it will disrupt the current connection between servers in that rack.

I think I have to shut down all servers first, which I'm not sure I can ask of the users right now.

2. I need to use PPTP to connect from another LAN to that rack. I'm worried that setting up a different VLAN would complicate or break the PPTP.

Thanks for listening

Hi,

I've never used PPTP, but as far as disrupting the machines when creating the new VLAN goes, plan a timeout while you do this config.

Regards.

Alain.

Don't forget to rate helpful posts.

Do you have a host server that is a DHCP server for the VMs, or are the VMs configured manually? If your VMs are set up with static addresses, or are bridged to the host system and the host system is configured with a static IP, then the easy solution is to disable the VMs' DHCP capabilities.

If the host is a Windows machine, go to Services and stop VMware DHCP and VMware NAT.

If this is not the solution for you, I suggest you follow Alain's recommendations.

Eugen

Hi guys,

I think that a possible option is to apply a MAC ACL over the servers' VLANs, blocking the bootp (DHCP) requests, i.e. traffic from the MAC of the DHCP server to the MACs of the servers present in this VLAN. In this link you can find better information:

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

Regards

PPACHECO