Using ip helper-address on a vlan with three subnets

zappo0305 · ‎03-26-2011

I have one vlan with 3 subnets/departments

!

vlan 2

name Finance

!

vlan 3

name Accounting

!

vlan 1

name Sales

!

interface Vlan1

ip address 192.168.3.1 255.255.255.0 secondary   << Accounting
ip address 192.168.2.1 255.255.255.0 secondary   << Finance
ip address 192.168.1.1 255.255.255.0   << Sales
ip helper-address 192.168.1.254     <<<< my dhcp server address

!

I am trying to get each PC in each dapartment to pull the DHCP addresses from the subnets above. Right now all PCs will only pull IP addresses from the Sales subnet. Does anyone know of a way around this?

I want the PCs in Sales will get the ip leases from 192.168.1.x DHCP pool; The PCs in Finance will only get the IP leases from 192.168.2.x, and the PCs in accouinting will only get the ip leases from 192.168.3.x

Do I need to create a separate DHCP scope for each subnet?

All reponse is greatly appreciated.

Jon Marshall · ‎03-26-2011

You do need a separate scope for each subnet but that is not your main problem.

The issue is that the DHCP request that is forwarded by the router will always contain the primary IP of the interface and so only IPs will be handed out from that subnet.

So you can either -

1) statically assign IPs to the secondary subnets

or a better solution

2) do not use secondary addressing at all. Create 2 new vlans, one for Accounting and one for Finance, create L3 vlan interfaces for each new vlan, create the DHCP scope on your DHCP server and then add the ip helper-address to each L3 vlan interface.

Jon

milan.kulik · ‎03-26-2011

Hi,

I'm afraid you can't use ip helper-address to assign IP addresses to PCs from a secondary address scope.

How could your DHCP server recognize to which subnet should a particular PC fall?

The only info available is the router interface forwarding the DHCP request - and that's the same for the primary and all secondary subnets.

You would need to configure a (sub)interface on your router/L3 switch assigned to proper VLAN/subnet to make it working.

You seem to be using some L3 switch, so the configuration would look like:

interface vlan 2

description name Finance

ip address 192.168.2.1 255.255.255.0

ip helper-address 192.168.1.254

!

int vlan 3

description Accounting

ip address 192.168.3.1 255.255.255.0

ip helper-address 192.168.1.254

!

interface vlan 1

description Sales

ip address 192.168.1.1 255.255.255.0

ip helper-address 192.168.1.254

!

And you need to create a separate DHCP scope for each subnet on your DHCP server.

HTH,

Milan

zappo0305 · ‎03-26-2011

Are you sure its not possible?

What if the network growth?

What about "ip dhcp smart-relay" and "ip dhcp relay information option subscriber-id" commands ?

milan.kulik · ‎03-26-2011

Hi,

I never used those options, but according to http://www.cisco.com/en/US/customer/docs/ios/12_2/ip/configuration/guide/1cfdhcp.html#wp1010291

ip dhcp smart-relay "Allows the DHCP relay agent to switch the gateway address (giaddr field of a DHCP packet) to secondary addresses when there is no DHCPOFFER message from a DHCP Server.", i.e., when the DHCP server does not provide any IP address to the primary interface address subnet.

Which means - it would not work for the primary and secondary address subnet at the same time.

According to http://www.cisco.com/en/US/customer/docs/ios/ipaddr/configuration/guide/iad_dhcp_rly_agt.html#wp1100106

"Configuring the Subscriber Identifier Suboption of the Relay Agent Information Option

Perform this task to enable an Internet service provider (ISP) to add a unique identifier to the subscriber-identifier suboption of the relay agent information option.

The unique identifier enables an ISP to identify a subscriber, to assign specific actions to that subscriber (for example, assignment of host IP address, subnet mask, and domain name system DNS), and to trigger accounting."

IMHO, none of DHCP relay options answers a principal question:

How could the DHCP server know which primary/secondary IP pool to use to reply to an DHCP request received from the router?

BR,

Milan

skarthic · ‎03-26-2011

Hi,

Infact the "smart-relay" feature kicks in only when the server doesnot respond to requests that are forwarded with the primary subnet ip as GIADDR.

After three such failures, the relaying device will automatically change the GIADDR val to the ip of the secondary interface and forwards DHCP requests.

The DHCP server will not send back offers only when the pool is exhausted, which means that we cant assign hosts with IP from primary and

secondary subnets simulataneouly.

Regards.

Jon Marshall · ‎03-27-2011

zappo0305 wrote:

Are you sure its not possible?

What if the network growth?

What about "ip dhcp smart-relay" and "ip dhcp relay information option subscriber-id" commands ?

Just one final point on this. Secondary addressing, as Peter noted, should only really be used as a transition tool.

With secondary addressing a broadcast from one of the clients in a secondary subnet is seen by all clients in all subnets attached to that vlan. So when you ask about network growth you absolutely do not want to be growing your network in this way because pretty soon the amount of broadcast traffic within that vlan will affect performance for all members of that vlan on all subnets attached to that vlan.

As pointed out already, a much more scalable network design is to use one vlan per subnet. This not only solves your problem but allows you to grow the network in far more efficient way.

Jon

Peter Paluch · ‎03-27-2011

Hello,

I agree with all the gentlemen here - Jon, Milan and Subramaniya. What you are trying to do principially cannot be done using DHCP Relay - there is nothing to help the DHCP Relay discern into which IP subnet in the same VLAN a particular client belongs. In addition, the secondary addresses should only be used for transitory situations, such as migrating networks, but they do not constitute a good design for stable network.

I also strongly suggest you create additional VLANs for your secondary ranges.

Best regards,

Peter

zappo0305 · ‎03-27-2011

Thank you all gentlemen for your input. I truthly appreciated it.

FYI, it is possible. I found out that you can combine both DHCP scopes into a masterscope on the DHCP server.

Learn something new everyday.

All the best gentlemen

Peter Paluch · ‎03-27-2011

Hello,

Can you be more specific about that masterscope? Do you something like creating a single pool 192.168.0.0/23 for networks 192.168.0.0/24 and 192.168.1.0/24?

Best regards,

Peter

milan.kulik · ‎03-27-2011

Hi,

but that would change the subnet mask used for particular clients, wouldn't it?

As also as Jon pointed out - a particular PC woulod get any address from the scope.

BR,

Milan

Jon Marshall · ‎03-27-2011

zappo0305 wrote:

Thank you all gentlemen for your input. I truthly appreciated it.

FYI, it is possible. I found out that you can combine both DHCP scopes into a masterscope on the DHCP server.

Learn something new everyday.

All the best gentlemen

Just for my info.

If you use a masterscope on the DHCP server i still can't see how you would be able to ensure a certain client was in a certain subnet. Yes you could use 3 subnets per vlan but an individual client could not be guaranteed to get a certain IP from a specific subnet unless of course you map the mac-address on the DHCP server but i'm assuming you aren't doing this ?

Jon