
Author Question: DHCP and VLANS?
Maritain

2002-06-24, 6:34 pm

Guys,

Scenario: Windows 2000 DHCP Server on VLAN1 and multiple Windows 2000/NT/98
clients on VLAN2. Each VLAN is configured on a different 1924 Catalyst
switch. VLAN1's switch uplinks to e0 on the router and VLAN2's switch
uplinks to e1 on the router (Cisco 2600 series).

One of the clients on VLAN2 initializes with a broadcast (DHCPDISCOVER)
message in order to gain an IP address and subnet mask from the DHCP server
on VLAN1. The client transmits a DHCPDISCOVER message on its local physical
subnet (VLAN - Broadcast Domain) over UDP port 67 (BootP server).

I realize that if a router was providing the segmentation at layer 2, that
the IP Helper Address/UDP forwarding configured in the router would take
care of the BOOTP/DHCP broadcast and send it to the DHCP server.

However, since the broadcast domain on which the clients reside is a closed,
Layer 2 VLAN broadcast domain, how does the DHCPDISCOVER broadcast get
through the Catalysts' ports and on to the router?
In other words, how would clients on different VLANS (1,2,3 etc.),
configured on multiple switches share a central DHCP server on VLAN1?

Is the only option to use a DHCP relay agent on each VLAN/subnet or is there
another method?

Thanks in advance for the help,

Maritain




Hansang Bae

2002-06-24, 6:34 pm

In article <ydNO8.68747$Am4.17321118@twister.columbus.rr.com>,
maritain@twmi.rr.com says...
> Guys,
>
> Scenario: Windows 2000 DHCP Server on VLAN1 and multiple Windows 2000/NT/98
> clients on VLAN2 Each VLAN is configured on a different 1924 Catalyst
> switch. VLAN1's switch uplinks to e0 on the router and VLAN2's switch
> uplinks to e1 on the router (Cisco 2600 series).

[snip]
> However, since the broadcast domain on which the clients reside is a closed,
> Layer 2 VLAN broadcast domain, how does the DHCPDISCOVER broadcast get
> through the Catalysts ports and on to the router?
> In other words, how would clients on different VLANS (1,2,3 etc.),
> configured on multiple switches share a central DHCP server on VLAN1?
>
> Is the only option to use a DHCP relay agent on each VLAN/subnet or is there
> another method?




**************************************************************************

From: Question 83
Date: 02 February 2002
Subject: How do I forward DHCP broadcasts to my DHCP server?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

> We are a Canadian company with an American office. We have a Cisco router
> at each office connected via a T1 line. We have a DHCP server at our
> Canadian office, and we would like it to also delegate IPs to our American
> office. Is this possible? If so, what must be done?



You have some choices.

1) Run DHCP on the remote router. This will prevent the dhcp requests
from coming across the WAN. The downside is that only certain IOSes
support running dhcp and is a bit more work for the router.

2) You can enable bootp forwarding or dhcp relaying. This can be
accomplished by using "ip helper-address DHCP_SERVER_IP_HERE" interface
command. But using helper-address turns on a lot of unnecessary UDP
forwarding so you need to lock it down first.

So:

conf t
! stop the helper from relaying the other default UDP services
no ip forward-protocol udp tftp
! "domain" is the IOS keyword for DNS (UDP 53)
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip forward-protocol udp bootpc
!
interface ethernet0/0
 ip helper-address YOUR_REMOTE_DHCP_SERVER_IP_HERE


--

hsb

"Somehow I imagined this experience would be more rewarding" Calvin
********************************************************************
Due to the volume of email that I receive, I may not be able to
reply to emails sent to my account. Please post a followup instead.
********************************************************************
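
A way to check a router configuration for the exposure described in option 2 above, as an added example that is not part of the original post: it reports which UDP services a helper-enabled router would still relay besides BOOTP/DHCP. The default-service table is an assumption (the six services the post disables plus bootps/bootpc; verify it against your IOS release), and the sample configurations and the function name `audit_helper_config` are constructed.

```python
import re

# Assumed default set relayed once "ip helper-address" is present: the six
# services the post turns off plus BOOTP server/client. Check your IOS release.
DEFAULT_FORWARDED = {
    "tftp": 69, "domain": 53, "time": 37, "netbios-ns": 137,
    "netbios-dgm": 138, "tacacs": 49, "bootps": 67, "bootpc": 68,
}
DHCP_PORTS = {67, 68}
PORT_NAMES = {port: name for name, port in DEFAULT_FORWARDED.items()}

FORWARD_RE = re.compile(r"^(no\s+)?ip forward-protocol udp\s+(\S+)$")
INTERFACE_RE = re.compile(r"^interface\s+(\S+)$")
HELPER_RE = re.compile(r"^ip helper-address\s+(\S+)$")


def audit_helper_config(config_text):
    """Return helper interfaces and the non-DHCP UDP ports still relayed."""
    forwarded = set(DEFAULT_FORWARDED.values())
    unrecognized = []   # service keywords this script cannot map to a port
    helpers = {}        # interface name -> list of helper addresses
    current_if = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = FORWARD_RE.match(line)
        if m:
            negated, service = bool(m.group(1)), m.group(2)
            if service.isdigit():
                port = int(service)
            else:
                port = DEFAULT_FORWARDED.get(service)
            if port is None:
                unrecognized.append(service)
            elif negated:
                forwarded.discard(port)
            else:
                forwarded.add(port)
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current_if = m.group(1)
            continue
        m = HELPER_RE.match(line)
        if m and current_if:
            helpers.setdefault(current_if, []).append(m.group(1))
    # Nothing is relayed at all unless at least one helper address exists.
    extra = sorted(forwarded - DHCP_PORTS) if helpers else []
    return {
        "helpers": helpers,
        "extra_ports": extra,
        "extra_names": [PORT_NAMES.get(p, str(p)) for p in extra],
        "unrecognized": unrecognized,
    }


# Constructed sample: helper address with no lockdown.
HELPER_ONLY = """\
interface Ethernet0/1
 ip address 10.10.11.1 255.255.255.0
 ip helper-address 10.10.10.10
"""

# Constructed sample: the lockdown from the post applied first.
LOCKED_DOWN = """\
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
!
interface Ethernet0/1
 ip address 10.10.11.1 255.255.255.0
 ip helper-address 10.10.10.10
"""

# Constructed draft template with a mistyped keyword ("netbios"), so both
# NetBIOS services stay relayed; one port is given numerically instead.
DRAFT = """\
no ip forward-protocol udp tftp
no ip forward-protocol udp 53
no ip forward-protocol udp time
no ip forward-protocol udp netbios
no ip forward-protocol udp tacacs
!
interface Ethernet0/1
 ip helper-address 10.10.10.10
"""

if __name__ == "__main__":
    for name, cfg in (("helper only", HELPER_ONLY),
                      ("locked down", LOCKED_DOWN),
                      ("draft", DRAFT)):
        print(name, audit_helper_config(cfg))
```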
noone

2002-06-24, 6:34 pm

Isn't this what ip helper does? The router is what divides the broadcast
domains. So if you configure an ip helper on e1 to point to the DHCP server,
it should work.

At least that is what it sounds like to me, unless I am reading it wrong.



Bernie

2002-06-24, 6:34 pm

On Sun, 16 Jun 2002 02:06:07 GMT, "noone" <someone@somewhere.her>
wrote:

>Isn't this what ip helper does? The router is what divides the broadcast
>domains. So if you configure an ip helper on e1 to point to the DHCP server,
>it should work.


Not exactly. DHCP relay supports some additional vital functions.
Let me pose the problem first.

Your DHCP server has several scopes set up because it serves several
subnets. If it simply receives a request, from a host on a remote
VLAN, then it has no way of knowing which scope to pick an address
from. What if the DHCP server started mixing and matching addresses from
different subnets on a VLAN?

I don't recall the names of all the fields in a DHCP request, so I
won't make my description of DHCP relay too technical. Basically when
a router that is configured as a DHCP relay receives a DHCP request,
it puts the IP address of the interface it received the request on
into the DHCP request packet. That way when the DHCP server finally
gets the request, it knows which network the request was issued from
and it can assign an address from the correct scope.

If all you do is configure your router to manually forward certain
types of packets, then the DHCP server will get confused and think the
request was issued on its local network and assign a local address.
That is why technically speaking you want to enable some sort of DHCP
relay agent on a remote router.

--Bernie
Bernie M

2002-06-24, 6:34 pm

"Bernie" <Bernie@weekend.com> wrote in message
news:662031ABE14E8BED.A92E7F01DFDBDD17.4D4AFC891337FE2A@lp.airnews.net...
> On Sun, 16 Jun 2002 02:06:07 GMT, "noone" <someone@somewhere.her>
> wrote:
>
> >Isn't this what ip helper does? The router is what divides the broadcast
> >domains. So if you configure an ip helper on e1 to point to the DHCP server,
> >it should work.
>
> Not exactly. DHCP relay supports some additional vital functions.
> Let me pose the problem first.
>
> Your DHCP server has several scopes set up because it serves several
> subnets. If it simply receives a request, from a host on a remote
> VLAN, then it has no way of knowing which scope to pick an address
> from. What if the DHCP server started mixing and matching addresses from
> different subnets on a VLAN?
>
> I don't recall the names of all the fields in a DHCP request, so I
> won't make my description of DHCP relay too technical. Basically when
> a router that is configured as a DHCP relay receives a DHCP request,
> it puts the IP address of the interface it received the request on
> into the DHCP request packet. That way when the DHCP server finally
> gets the request, it knows which network the request was issued from
> and it can assign an address from the correct scope.
>
> If all you do is configure your router to manually forward certain
> types of packets, then the DHCP server will get confused and think the
> request was issued on its local network and assign a local address.
> That is why technically speaking you want to enable some sort of DHCP
> relay agent on a remote router.
>
>
> --Bernie


AFAIK when "ip helper-address" is configured on an interface the router is
configured as a DHCP relay agent and correctly adds its interface into the
"gateway address" field of the DHCP header. We have been using this basic
configuration for years to provide DHCP across WAN links for many subnets.

BernieM
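
The relay behaviour discussed in the two posts above, as an added example that is not part of the original thread: a relay agent writes the address of the receiving interface into the BOOTP `giaddr` ("gateway address") field, and the server uses that field to pick the scope. The addresses, scope list, hop limit and function names are constructed for illustration.

```python
import ipaddress
import socket
import struct

# Fixed BOOTP header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file (236 bytes).
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HOPS_OFF = 3
GIADDR_OFF = 24

# Constructed sample values.
SERVER_IP = "10.10.10.10"
SCOPES = [ipaddress.ip_network("10.10.10.0/24"),
          ipaddress.ip_network("10.10.11.0/24")]


def build_discover(mac, xid):
    """Client DHCPDISCOVER payload: no addresses known, broadcast flag set."""
    zero = bytes(4)
    header = struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0x8000,
                         zero, zero, zero, zero,
                         mac.ljust(16, b"\x00"), b"", b"")
    options = MAGIC_COOKIE + bytes([53, 1, 1, 255])  # msg type 1 = DISCOVER, end
    return header + options


def relay(packet, ingress_ip, max_hops=4):
    """What a relay agent does before unicasting the request to the server.

    Returns the rewritten payload, or None when the hop limit is reached.
    """
    if packet[0] != 1:
        raise ValueError("not a BOOTREQUEST")
    hops = packet[HOPS_OFF]
    if hops >= max_hops:
        return None
    out = bytearray(packet)
    out[HOPS_OFF] = hops + 1
    # Only the first relay stamps giaddr; later relays leave it untouched.
    if out[GIADDR_OFF:GIADDR_OFF + 4] == bytes(4):
        out[GIADDR_OFF:GIADDR_OFF + 4] = socket.inet_aton(ingress_ip)
    return bytes(out)


def select_scope(packet, scopes, server_ip):
    """Server side: giaddr == 0 means 'arrived on my own subnet'."""
    giaddr = ipaddress.ip_address(packet[GIADDR_OFF:GIADDR_OFF + 4])
    key = ipaddress.ip_address(server_ip) if int(giaddr) == 0 else giaddr
    for net in scopes:
        if key in net:
            return str(net)
    return None


if __name__ == "__main__":
    discover = build_discover(bytes.fromhex("00105a112233"), 0x1234ABCD)
    # Forwarded without relay processing: server assumes its local subnet.
    print("giaddr empty ->", select_scope(discover, SCOPES, SERVER_IP))
    # Relayed by the router interface on the client subnet (10.10.11.1).
    relayed = relay(discover, "10.10.11.1")
    print("giaddr set   ->", select_scope(relayed, SCOPES, SERVER_IP))
```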


Maritain

2002-06-24, 6:34 pm

Guys,

I understand your answers. I am clear on the fact of the proper config of
the router as a relay agent, but my real issue is with the broadcast domain
created by the VLAN subnet.

The switch is creating a closed, layer 2 broadcast domain or VLAN - the
clients are on their own VLAN and the DHCP is on another VLAN for security
purposes. Therefore, each is on its own broadcast domain and its own
subnet. They are, in turn, separated by a 2600 router, which would normally
handle all Layer 3, inter-VLAN traffic between them. The DHCP server will
have a scope configured for both subnets involved here.

Question posed again: How does a broadcast intended for another VLAN get
through the ports of the switch and on to the router so it can be relayed to
the DHCP server's VLAN/subnet? Does the switch automatically forward the
broadcasts to the router to be switched via relay to the proper VLAN where
the DHCP server is or will the switch block the broadcasted packets and
thereby prevent them from ever getting to the router in the first place?
This is the real problem I see, unless my understanding of clients
broadcasting on VLANs is incorrect.

My understanding is that when a switch creates a VLAN, it has created a
broadcast domain. Therefore, if a client broadcasts a message on its home
VLAN, that broadcast won't ever leave that VLAN (i.e. group of switched ports
acting as a segmented LAN); it won't ever get to the router to be relayed in
the first place. Right?

The DHCP broadcast is a special one because there's no IP in place. The
"DHCPDISCOVER" is an all subnets broadcast (destination IP address of
255.255.255.255), with a source IP address of 0.0.0.0.

So, how does this "DHCPDISCOVER" broadcast get out of its home VLAN and into
the router's interface to be relayed if the switch's main purpose in
providing the VLAN is to create a closed, broadcast domain for its
particular clients? You guys catch my drift here?

Thanks once again for the answers,

Maritain



Brian V

2002-06-24, 6:34 pm

Heya Maritain,

The broadcasts are forwarded thru your router by the use of the "ip
helper-address x.x.x.x" command. You would use this command on the vlan(s)
interface(s), in your case the ethernet interface (or sub-interface) of your
2600, that does not contain the DHCP server. The switch simply forwards
broadcasts within its vlans, it doesn't care what the packet is. It will
not forward them across vlans (would kinda defeat the purpose of Vlan's!).
The router then takes over and says; "Hey, I know where this packet wants to
go, let me forward it thru the appropriate interface."
Let's use an example:
Vlan 1 contains your servers as well as the dhcp server, the dhcp server's IP
is 10.10.10.10. All machines in vlan 1 would be able to broadcast to that
server for a DHCP address.
Vlan 2 contains your users, Vlan 2's subnet is 10.10.11.X, normally without
the helper command broadcasts would never reach the DHCP server. On Vlan 2's
interface you add the "ip helper-address 10.10.10.10", all broadcasts from
Vlan 2 are now forwarded to the DHCP server. The DHCP server is smart enough
to see the TCP/IP header and realize that it is a request from the
10.10.11.x subnet and will issue the appropriate IP for that subnet.

Hope this explains it for you.
-Brian



Maritain

2002-06-24, 6:34 pm

Brian,

"Vlan 2 contains your users, Vlan 2's subnet is 10.10.11.X, normally without
the helper command broadcasts would never reach the DHCP server."

"On Vlan 2's interface you add the "ip helper-address 10.10.10.10", all
broadcasts from Vlan 2 are now forwarded to the DHCP server. The DHCP server
is smart enough to see the TCP/IP header and realize that it is a request
from the 10.10.11.x subnet and will issue the appropriate IP for that
subnet."

I'm totally clear on the router's part and how it's supposed to be
configured.

However, once again, how do the DHCP broadcasts get from the VLAN to the
router's e0 port in the first place? How do they leave the VLAN in the first
place?

As you said, "The switch simply forwards broadcasts within its vlans, it
doesn't care what the packet is. It will not forward them across vlans
(would kinda defeat the purpose of Vlan's!)".

Exactly! So, how does the broadcast leave the switch's ports and enter the
router's ports in the first place? Do you see the problem here?

The VLAN is a closed broadcast domain. Why would the switch, by default,
send DHCP broadcasts out of its native VLAN to a router's interface? This
relaying of broadcasts by default to a router's interface would defeat the
purpose of the VLAN.

Wouldn't there have to be some configuration on the switch's ports to have
them forward this TYPE of DHCP broadcast to the router's interface in the
first place? The router would THEN do its job of relaying. But, before
that, the switch must KNOW to switch these types of frames to the router's
interface in the first place. HOW does it KNOW to do this??

This is what I'm confused about.

Yours,

Maritain


Brian V

2002-06-24, 6:34 pm

Maritain,

One of the router's interfaces is IN Vlan 2, it hears the broadcast and
forwards it appropriately. EVERY port in a specific Vlan hears the
broadcast. EVERY Vlan must have a router interface in it if you wish to
route it. You cannot simply have a router interface in ONLY Vlan1, there
MUST be either: 1 router interface per vlan or one sub-interface per vlan
and use a trunk from the switch that carries all vlans to get to that
router.

Switch Vlan1--->e0 <router> e1<----Switch Vlan 2


Vlan 1: 10.10.10.0/24
DHCP Server: 10.10.10.10
Interface E0: 10.10.10.1/24
Vlan 2: 10.10.11.0/24
Interface E1: 10.10.11.1/24
 ip helper-address 10.10.10.10

or

Switch Vlan1,2,3----trunk---->f0.1, f0.2, f0.3<router>

Vlan1: 10.10.10.0/24
DHCP server: 10.10.10.10
Vlan2: 10.10.11.0/24
Interface f0.1 10.10.10.1/24
Interface f0.2 10.10.11.1/24
 ip helper-address 10.10.10.10
Interface f0.3 10.10.12.1/24
 ip helper-address 10.10.10.10
etc, etc

Hope this cleared it up.
-Brian



"Maritain" <maritain@tmwi.rr.com> wrote in message
news:9E1P8.71260$Am4.17918755@twister.columbus.rr.com...
> Brian,
>
> "Vlan 2 contains your users, Vlan 2's subnet is 10.10.11.X, normally

without
> the helper command broadcasts would never reach the DHCP server."
>
> "On Vlan 2's interface you add the "ip helper-address 10.10.10.10, all
> broadcasts from Vlan 2 are now forwarded to the DHCP server. The DHCP

server
> is smart enough to see the TCP/IP header and realize that it is a request
> from the 0.10.11.x subnet and will issue the appropriate IP for that
> subnet."
>
> I'm totally clear on the routers part and how it's supposed to be
> configured.
>
> However, once again, how do the DHCP broadcasts get from the VLAN to the
> routers e0 port in the first place? How do they leave the VLAN in the

first
> place?
>
> As you said, "The switch simply forwards broadcasts within it's vlans, it
> doesn't care what the packet is. It will not forward them across vlans
> (would kinda defeat the purpose of Vlan's!)".
>
> Exactly! So, how does the broadcast leave the switch's ports and enter the
> router's ports in the first place? Do you see the problem here?
>
> The VLAN is a closed broadcast domain. Why would the switch, by default,
> send DHCP broadcasts out of it's native VLAN to a router's interface? This
> relaying of broadcasts by default to a router's interface would defeat the
> purpose of the VLAN.
>
> Wouldn't there have to be some configuration on the switches ports to have
> them to forward this TYPE of DHCP broadcast to the router's interface in

the
> first place? The router would THEN do it's job of relaying. But, before
> that, the switch must KNOW to switch these types of frames to the router's
> interface in the first place. HOW does it KNOW to do this??
>
> This is what I'm confused about.
>
> Yours,
>
> Maritain
>
>
>
>
>
>
> "Brian V" <chopper_man@attbi.com> wrote in message
> news:xc1P8.51316$nZ3.15257@rwcrnsc53...
> > Heya Maritain,
> >
> > The broadcasts are forwarded thru your router by the use of the "ip
> > helper-address x.x.x.x" command. You would use this command on the

vlan(s)
> > interface(s), in your case the ethernet interface (or sub-interface) of

> your
> > 2600, that does not contain the DHCP server. The switch simply forwards
> > broadcasts within it's vlans, it doesn't care what the packet is. It

will
> > not forward them accross vlans (would kinda defeat the purpose of

Vlan's!)
> > The router then takes over and says; "Hey, I know where this packet

wants
> to
> > go, let me forward it thru the appropriate interface."
> > Lets use an example:
> > Vlan 1 contains your servers as well as the dhcp server, the dhcp

servers
> IP
> > is 10.10.10.10. All machines in vlan 1 would be able to broadcast to that
> > server for a DHCP address.
> > Vlan 2 contains your users, Vlan 2's subnet is 10.10.11.X, normally without
> > the helper command broadcasts would never reach the DHCP server. On Vlan 2's
> > interface you add the "ip helper-address 10.10.10.10", all broadcasts from
> > Vlan 2 are now forwarded to the DHCP server. The DHCP server is smart enough
> > to see the TCP/IP header and realize that it is a request from the
> > 10.10.11.x subnet and will issue the appropriate IP for that subnet.
> >
> > Hope this explains it for you.
> > -Brian
> >
> > "Maritain" <maritain@twmi.rr.com> wrote in message
> > news:rn0P8.71241$Am4.17864132@twister.columbus.rr.com...
> > > Guys,
> > >
> > > I understand your answers. I am clear on the fact of the proper config of
> > > the router as a relay agent, but my real issue is with the broadcast domain
> > > created by the VLAN subnet.
> > >
> > > The switch is creating a closed, layer 2 broadcast domain or VLAN - the
> > > clients are on their own VLAN and the DHCP is on another VLAN for security
> > > purposes. Therefore, each is on it's own broadcast domain and it's own
> > > subnet. They are, in turn, separated by a 2600 router, which would normally
> > > handle all Layer 3, inter-VLAN traffic between them. The DHCP server will
> > > have a scope configured for both subnets involved here.
> > >
> > > Question posed again: How does a broadcast intended for another VLAN get
> > > through the ports of the switch and on to the router so it can be relayed to
> > > the DHCP servers VLAN/subnet? Does the switch automatically forward the
> > > broadcasts to the router to be switched via relay to the proper VLAN where
> > > the DHCP server is or will the switch block the broadcasted packets and
> > > thereby prevent them from ever getting to the router in the first place?
> > > This is the real problem I see, unless my understanding of clients
> > > broadcasting on VLAN's is incorrect.
> > >
> > > My understanding is that when a switch creates a VLAN, it has created a
> > > broadcast domain. Therefore, if a client broadcasts a message on it's home
> > > VLAN, that broadcast wont ever leave that VLAN (i.e. group of switched ports
> > > acting as a segmented LAN); it wont ever get to the router to be relayed in
> > > the first place. Right?
> > >
> > > The DHCP broadcast is a special one because there's no IP in place. The
> > > "DHCPDISCOVER" is an all subnets broadcast (destination IP address of
> > > 255.255.255.255), with a source IP address of 0.0.0.0.
> > >
> > > So, how does this "DHCPDISCOVER" broadcast get out of its home VLAN and into
> > > the routers interface to be relayed if the switches main purpose in
> > > providing the VLAN is to create a closed, broadcast domain for it's
> > > particular clients? You guys catch my drift here?
> > >
> > > Thanks once again for the answers,
> > >
> > > Maritain
> > >


Hansang Bae

2002-06-24, 6:34 pm

In article <9E1P8.71260$Am4.17918755@twister.columbus.rr.com>,
maritain@tmwi.rr.com says...
> "Vlan 2 contains your users, Vlan 2's subnet is 10.10.11.X, normally without
> the helper command broadcasts would never reach the DHCP server."
>
> "On Vlan 2's interface you add the "ip helper-address 10.10.10.10, all
> broadcasts from Vlan 2 are now forwarded to the DHCP server. The DHCP server
> is smart enough to see the TCP/IP header and realize that it is a request
> from the 0.10.11.x subnet and will issue the appropriate IP for that
> subnet."
>
> I'm totally clear on the routers part and how it's supposed to be
> configured.
>
> However, once again, how do the DHCP broadcasts get from the VLAN to the
> routers e0 port in the first place? How do they leave the VLAN in the first
> place?



The above description isn't 100% correct. The IP Helper statement forwards
CERTAIN broadcasts by default. That's why in the example that I provided, I
lock down all the ones that do not require forwarding.

When you use the helper-address statement, the router - upon seeing the
bootp request - forwards the frame to the appropriate dhcp/bootp server. The
router will inject the subnet that the request came from into the GIADDR
field.

When the DHCP/BOOTP server gets the request, it sees that the request came
from XYZ (specified in the GIADDR field) and will reply with the correct
information from the relevant scope.



> As you said, "The switch simply forwards broadcasts within it's vlans, it
> doesn't care what the packet is. It will not forward them across vlans
> (would kinda defeat the purpose of Vlan's!)".
>
> Exactly! So, how does the broadcast leave the switch's ports and enter the
> router's ports in the first place? Do you see the problem here?



Only certain broadcast frames are forwarded.


> The VLAN is a closed broadcast domain. Why would the switch, by default,
> send DHCP broadcasts out of it's native VLAN to a router's interface? This
> relaying of broadcasts by default to a router's interface would defeat the
> purpose of the VLAN.



Native VLAN has nothing whatever to do with dhcp operation. Native VLAN
concept only comes into play when you trunk and in encapsulation (for
dot1q).


> Wouldn't there have to be some configuration on the switches ports to have
> them to forward this TYPE of DHCP broadcast to the router's interface in the
> first place? The router would THEN do it's job of relaying. But, before
> that, the switch must KNOW to switch these types of frames to the router's
> interface in the first place. HOW does it KNOW to do this??
> This is what I'm confused about.



Switch simply has NO concept of IP addresses. It will forward the broadcast
frame to ALL ports (except the one it came from). If you don't have a
router with a helper-address, or a dhcp relay, you're simply out of luck.

--

hsb

"Somehow I imagined this experience would be more rewarding" Calvin
********************************************************************
Due to the volume of email that I receive, I may not be able to
reply to emails sent to my account. Please post a followup instead.
********************************************************************
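
The relay step described in the post above (helper address, GIADDR, scope selection), as an added example that is not part of the original thread. The function names, the MAC address, the transaction id and the hop limit are assumptions made for illustration; the IP addresses are the ones used in the thread.

```python
import ipaddress
import struct

# RFC 2131 fixed BOOTP header (236 bytes): op, htype, hlen, hops, xid, secs,
# flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
MAGIC_COOKIE = bytes([99, 130, 83, 99])
HOPS_OFFSET, GIADDR_OFFSET = 3, 24
BOOTREQUEST = 1
MAX_HOPS = 16  # hop limit chosen for this example (assumption)

# Addressing from the thread: the server sits in VLAN 1 and holds two scopes.
HELPER_ADDRESS = "10.10.10.10"
SCOPES = [ipaddress.ip_network("10.10.10.0/24"),
          ipaddress.ip_network("10.10.11.0/24")]


def build_discover(mac: bytes, xid: int) -> bytes:
    """DHCPDISCOVER as the client emits it: every address field is 0.0.0.0."""
    zero = bytes(4)
    header = struct.pack(BOOTP_FMT, BOOTREQUEST, 1, 6, 0, xid, 0, 0,
                         zero, zero, zero, zero, mac, b"", b"")
    # Option 53 (message type) = 1 (DHCPDISCOVER), then option 255 (end).
    return header + MAGIC_COOKIE + bytes([53, 1, 1, 255])


def relay(packet: bytes, ingress_ip: str, helper: str = HELPER_ADDRESS):
    """Model a router interface with a helper address that hears a broadcast.

    Returns (unicast_destination, rewritten_packet), or None when the packet
    is not a relayable BOOTREQUEST.
    """
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        return None                      # truncated or not DHCP
    if packet[0] != BOOTREQUEST:
        return None                      # replies are not relayed to the server
    hops = packet[HOPS_OFFSET]
    if hops >= MAX_HOPS:
        return None                      # looping or over-relayed request
    out = bytearray(packet)
    out[HOPS_OFFSET] = hops + 1
    giaddr = slice(GIADDR_OFFSET, GIADDR_OFFSET + 4)
    if out[giaddr] == bytes(4):
        # First relay on the path: stamp the address of the interface that
        # sits in the client's VLAN. Later relays leave the field alone.
        out[giaddr] = ipaddress.ip_address(ingress_ip).packed
    return helper, bytes(out)


def select_scope(packet: bytes, server_ip: str = HELPER_ADDRESS):
    """Server side: pick the scope from giaddr, or from the server's own
    subnet when giaddr is zero (the client is on the server's segment)."""
    giaddr = ipaddress.ip_address(packet[GIADDR_OFFSET:GIADDR_OFFSET + 4])
    key = giaddr if int(giaddr) else ipaddress.ip_address(server_ip)
    for scope in SCOPES:
        if key in scope:
            return scope
    return None                          # no scope configured: no offer


if __name__ == "__main__":
    # Constructed client: MAC and transaction id are sample values.
    discover = build_discover(bytes.fromhex("00105a000001"), 0x3903F326)
    for ingress in ("10.10.11.1", "10.10.12.1"):
        dst, relayed = relay(discover, ingress)
        print(f"heard on {ingress}: unicast to {dst}, "
              f"giaddr={ipaddress.ip_address(relayed[24:28])}, "
              f"scope={select_scope(relayed)}")
```

The switch plays no part in any of this: it only floods the DISCOVER to every port in the client's VLAN, one of which is the router interface that runs `relay`.
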

Gaz

2002-06-24, 6:34 pm

Unless I've missed something, you're not quite understanding how the router
fits in.
One of your router interfaces must be in VLAN 2 and one in VLAN 1 (Or a
trunk which has the same effect anyway)

Your router is within the broadcast domain. The interface connected to VLAN
2 receives the broadcast, and because of the IP helper address it knows it
has to forward this broadcast (as a unicast) to the DHCP server on VLAN 1
(with a few changes to the packet).

Gaz

"Maritain" <maritain@tmwi.rr.com> wrote in message
news:9E1P8.71260$Am4.17918755@twister.columbus.rr.com...
> Brian,
>
> "Vlan 2 contains your users, Vlan 2's subnet is 10.10.11.X, normally without
> the helper command broadcasts would never reach the DHCP server."
>
> "On Vlan 2's interface you add the "ip helper-address 10.10.10.10, all
> broadcasts from Vlan 2 are now forwarded to the DHCP server. The DHCP server
> is smart enough to see the TCP/IP header and realize that it is a request
> from the 0.10.11.x subnet and will issue the appropriate IP for that
> subnet."
>
> I'm totally clear on the routers part and how it's supposed to be
> configured.
>
> However, once again, how do the DHCP broadcasts get from the VLAN to the
> routers e0 port in the first place? How do they leave the VLAN in the first
> place?
>
> As you said, "The switch simply forwards broadcasts within it's vlans, it
> doesn't care what the packet is. It will not forward them across vlans
> (would kinda defeat the purpose of Vlan's!)".
>
> Exactly! So, how does the broadcast leave the switch's ports and enter the
> router's ports in the first place? Do you see the problem here?
>
> The VLAN is a closed broadcast domain. Why would the switch, by default,
> send DHCP broadcasts out of it's native VLAN to a router's interface? This
> relaying of broadcasts by default to a router's interface would defeat the
> purpose of the VLAN.
>
> Wouldn't there have to be some configuration on the switches ports to have
> them to forward this TYPE of DHCP broadcast to the router's interface in the
> first place? The router would THEN do it's job of relaying. But, before
> that, the switch must KNOW to switch these types of frames to the router's
> interface in the first place. HOW does it KNOW to do this??
>
> This is what I'm confused about.
>
> Yours,
>
> Maritain
>
> "Brian V" <chopper_man@attbi.com> wrote in message
> news:xc1P8.51316$nZ3.15257@rwcrnsc53...
> > Heya Maritain,
> >
> > The broadcasts are forwarded thru your router by the use of the "ip
> > helper-address x.x.x.x" command. You would use this command on the vlan(s)
> > interface(s), in your case the ethernet interface (or sub-interface) of your
> > 2600, that does not contain the DHCP server. The switch simply forwards
> > broadcasts within it's vlans, it doesn't care what the packet is. It will
> > not forward them across vlans (would kinda defeat the purpose of Vlan's!)
> > The router then takes over and says; "Hey, I know where this packet wants to
> > go, let me forward it thru the appropriate interface."
> > Lets use an example:
> > Vlan 1 contains your servers as well as the dhcp server, the dhcp servers IP
> > is 10.10.10.10. All machines in vlan 1 would be able to broadcast to that
> > server for a DHCP address.
> > Vlan 2 contains your users, Vlan 2's subnet is 10.10.11.X, normally without
> > the helper command broadcasts would never reach the DHCP server. On Vlan 2's
> > interface you add the "ip helper-address 10.10.10.10", all broadcasts from
> > Vlan 2 are now forwarded to the DHCP server. The DHCP server is smart enough
> > to see the TCP/IP header and realize that it is a request from the
> > 10.10.11.x subnet and will issue the appropriate IP for that subnet.
> >
> > Hope this explains it for you.
> > -Brian


Bernie

2002-06-24, 6:34 pm

On Sun, 16 Jun 2002 15:18:25 +1000, "Bernie M"
<berniem_nospam@routergod.com> wrote:

Ok, I wasn't aware of that. I had skimmed the posts saw Hansang make
reference to turning on DHCP relaying, and then another post (which I
mistakenly thought was a reply to Hansang) saying to simply turn on
the helper address to forward the broadcast. In hindsight, I should
have read a little closer because Hansang had actually described that
you turn on DHCP relay by setting the helper address.

Oh well, thanks for the clarification.

>AFAIK when "ip helper-address" is configured on an interface the router is
>configured as a DHCP relay agent and correctly adds its interface into the
>"gateway address" field of the DHCP header. We have been using this basic
>configuration for years to provide DHCP across WAN links for many subnets.
>
>BernieM
>



--Bernie


Maritain

2002-06-24, 6:35 pm

Brian,

I understand now. The key piece of info I wasn't getting was this: "One
of the routers interfaces is IN Vlan 2". None of the books I've read on
routing and switching mentioned this fact (or they did and I missed it, or
they assumed you're supposed to know that! LOL!)

"EVERY Vlan must have a router interface in it if you wish to route it. You
cannot simply have a router interface in ONLY Vlan1, there MUST be either: 1
router interface per vlan or one sub-interface per vlan and use a trunk from
the switch that carries all vlans to get to that router."

This is enlightening! I was under the impression that the switch ITSELF was
the only thing that needed a port on the router. I was thinking that if you
had, say, 3 VLANS on one 1924 switch, that that switch would then uplink to
e0 on the router. I didn't know that a router interface needed to be PART OF
each VLAN. This is new info to me (for one into CCNP study - Switching!
LOL!).

Instead of this: "Switch Vlan1--->e0 <router> e1<----Switch Vlan 2"

I thought it looked more like this: Switch_A = Vlan1, Vlan2, Vlan3--->e0
<router>
e1<----Switch_B = Vlan 4, Vlan 5, Vlan 6.

When in fact, it should look like this:
Switch_A = Vlan1, Vlan2, Vlan3--->e0/1, e0/2, e0/3 <router> e1/1, e1/2,
e1/3<----Switch_B = Vlan 4, Vlan 5, Vlan 6.

Correct? Making a sub-interface PART OF each VLANs broadcast domain.

If you want to have 3 VLANs on a single switch, then you need to have either
3 router interfaces or 3 sub-interfaces configured on one physical interface
configured on the router for each VLAN to support routing between the VLANs.
This is what I've learned from you Brian.

Therefore, in this scenario the router's interface (or sub-interface) is
WITHIN the VLANs broadcast domain. Ah ha! As Gaz stated, "Your router is
within the broadcast domain. The interface connected to VLAN 2 receives the
broadcast, and because of the IP helper address it knows it has to forward
this broadcast (as a unicast) to the DHCP server on VLAN 1 (with a few
changes to the packet)." Thanks Gaz!!

So, since broadcasts are only sent out of the ports that belong to the VLAN
the broadcast originated from, they will be sent, by default, to the routers
interface in light of its membership to that particular VLAN. Therefore, it
will hear the DHCP request and forward via the helper address.

However, Brian, could you elaborate on this statement: "...and use a trunk
from the switch that carries all vlans to get to that router." This is a
little confusing. It's my understanding that if your VLANs don't span
multiple switches, you don't need ISL or .q trunking, correct?


Yours,

Maritain

"Brian V" <chopper_man@attbi.com> wrote in message
news:SW2P8.220318$cQ3.8175@sccrnsc01...
> Maritain,
>
> One of the routers interfaces is IN Vlan 2, it hears the broadcast and
> forwards it appropriately. EVERY port in a specific Vlan hears the
> broadcast. EVERY Vlan must have a router interface in it if you wish to
> route it. You cannot simply have a router interface in ONLY Vlan1, there
> MUST be either: 1 router interface per vlan or one sub-interface per vlan
> and use a trunk from the switch that carries all vlans to get to that
> router.
>
> Switch Vlan1--->e0 <router> e1<----Switch Vlan 2
>
>
> Vlan 1: 10.10.10.0/24
> DHCP Server: 10.10.10.10
> Interface E0: 10.10.10.1/24
> Vlan 2: 10.10.10.11.0/24
> Interface E1: 10.10.11.1/24
> ip helper-address 10.10.10.10
>
> or
>
> Switch Vlan1,2,3----trunk---->f0.1, f0.1, f0.3<router>
>
> Vlan1: 10.10.10.0/24
> DHCP server: 10.10.10.10
> Vlan2: 10.10.11.0/24
> Interface f0.1 10.10.10.1/24
> Interface f0.2 10.10.11.1/24
> ip helper-address 10.10.10.10
> Interface f0.3 10.10.12.1/24
> ip helper-address 10.10.10.10
> etc, etc
>
> Hope this cleared it up.
> -Brian



fmerrill@triad.rr.com

2002-06-24, 6:35 pm


It looks like you are grasping this fine now!
Keep at it!

Good Luck!


On Mon, 17 Jun 2002 13:16:04 GMT, "Maritain" <maritain@twmi.rr.com>
wrote:

>Brian,
>
>I understand now. The key piece of info I wasn't getting was the this: "One
>of the routers interfaces is IN Vlan 2". None of the books I've read on
>routing and switching mentioned this fact (or they did and I missed it, or
>they assumed you're supposed to know that! LOL!)
>
>"EVERY Vlan must have a router interface in it if you wish to route it. You
>cannot simply have a router interface in ONLY Vlan1, there MUST be either: 1
>router interface per vlan or one sub-interface per vlan and use a trunk from
>the switch that carries all vlans to get to that router."
>
>This is enlightening! I was under the impression that the switch ITSELF was
>the only thing that needed a port on the router. I was thinking that if you
>had, say, 3 VLANS on one 1924 switch, that that switch would then uplink to
>e0 on the router. I didn't know that a router interface needed to be PART OF
>each VLAN. This is new info to me (for one into CCNP study - Switching!
>LOL!).
>
>Instead of this: "Switch Vlan1--->e0 <router> e1<----Switch Vlan 2"
>
>I thought it looked more like this: Switch_A = Vlan1, Vlan2, Vlan3--->e0
><router>
>e1<----Switch_B = Vlan 4, Vlan 5, Vlan 6.
>
>When if fact, it should look like this:
>Switch_A = Vlan1, Vlan2, Vlan3--->e0/1, e0/2, e0/3 <router> e1/1, e1/2,
>e1/3<----Switch_B = Vlan 4, Vlan 5, Vlan 6.
>
>Correct? Making a sub-interface PART OF each VLANs broadcast domain.
>
>If you want to have 3 VLANs on a single switch, then you need to have either
>3 router interfaces or 3 sub-interfaces configured on one physical interface
>configured on the router for each VLAN to support routing between the VLANs.
>This is what I've learned from you Brian.
>
>Therefore, in this scenario the router's interface (or sub-interface) is
>WITHIN the VLANs broadcast domain. Ah ha! As Gaz stated, "Your router is
>within the broadcast domain. The interface connected to VLAN 2 receives the
>broadcast, and because of the IP helper address it knows it has to forward
>this broadcast (as a unicast) to the DHCP server on VLAN 1 (with a few
>changes to the packet)." Thanks Gaz!!
>
>So, since broadcasts are only sent out of the ports that belong to the VLAN
>the broadcast originated from, they will be sent, by default, to the routers
>interface in light of it's membership to that particular VLAN. Therefore, it
>will hear the DHCP request and forward via the helper address.
>
>However, Brian, could you elaborate on this statement: "...and use a trunk
>from the switch that carries all vlans to get to that router." This is a
>little confusing. It's my understanding that if you're VLANs don't span
>multiple switches, you don't need ISL or .q trunking, correct?
>
>
>Yours,
>
>Maritain
>
>"Brian V" <chopper_man@attbi.com> wrote in message
>news:SW2P8.220318$cQ3.8175@sccrnsc01...
>> Maritain,
>>
>> One of the routers interfaces is IN Vlan 2, it hears the broadcast and
>> forwards it appropriately. EVERY port in a specific Vlan hears the
>> broadcast. EVERY Vlan must have a router interface in it if you wish to
>> route it. You cannot simply have a router interface in ONLY Vlan1, there
>> MUST be either: 1 router interface per vlan or one sub-interface per vlan
>> and use a trunk from the switch that carries all vlans to get to that
>> router.
>>
>> Switch Vlan1--->e0 <router> e1<----Switch Vlan 2
>>
>>
>> Vlan 1: 10.10.10.0/24
>> DHCP Server: 10.10.10.10
>> Interface E0: 10.10.10.1/24
>> Vlan 2: 10.10.10.11.0/24
>> Interface E1: 10.10.11.1/24
>> ip helper-address 10.10.10.10
>>
>> or
>>
>> Switch Vlan1,2,3----trunk---->f0.1, f0.1, f0.3<router>
>>
>> Vlan1: 10.10.10.0/24
>> DHCP server: 10.10.10.10
>> Vlan2: 10.10.11.0/24
>> Interface f0.1 10.10.10.1/24
>> Interface f0.2 10.10.11.1/24
>> ip helper-address 10.10.10.10
>> Interface f0.3 10.10.12.1/24
>> ip helper-address 10.10.10.10
>> etc, etc
>>
>> Hope this cleared it up.
>> -Brian
>>
>>
>>
>> "Maritain" <maritain@tmwi.rr.com> wrote in message
>> news:9E1P8.71260$Am4.17918755@twister.columbus.rr.com...
>> > Brian,
>> >
>> > "Vlan 2 contains your users, Vlan 2's subnet is 10.10.11.X, normally
>> > without the helper command broadcasts would never reach the DHCP server."
>> >
>> > "On Vlan 2's interface you add the "ip helper-address 10.10.10.10", all
>> > broadcasts from Vlan 2 are now forwarded to the DHCP server. The DHCP
>> > server is smart enough to see the TCP/IP header and realize that it is a
>> > request from the 10.10.11.x subnet and will issue the appropriate IP for
>> > that subnet."
>> >
>> > I'm totally clear on the router's part and how it's supposed to be
>> > configured.
>> >
>> > However, once again, how do the DHCP broadcasts get from the VLAN to the
>> > router's e0 port in the first place? How do they leave the VLAN in the
>> > first place?
>> >
>> > As you said, "The switch simply forwards broadcasts within its vlans, it
>> > doesn't care what the packet is. It will not forward them across vlans
>> > (would kinda defeat the purpose of Vlan's!)".
>> >
>> > Exactly! So, how does the broadcast leave the switch's ports and enter the
>> > router's ports in the first place? Do you see the problem here?
>> >
>> > The VLAN is a closed broadcast domain. Why would the switch, by default,
>> > send DHCP broadcasts out of its native VLAN to a router's interface? This
>> > relaying of broadcasts by default to a router's interface would defeat the
>> > purpose of the VLAN.
>> >
>> > Wouldn't there have to be some configuration on the switch's ports to have
>> > them forward this TYPE of DHCP broadcast to the router's interface in the
>> > first place? The router would THEN do its job of relaying. But, before
>> > that, the switch must KNOW to switch these types of frames to the router's
>> > interface in the first place. HOW does it KNOW to do this??
>> >
>> > This is what I'm confused about.
>> >
>> > Yours,
>> >
>> > Maritain
>> >
>> >
>> >
>> >
>> >
>> >
>> > "Brian V" <chopper_man@attbi.com> wrote in message
>> > news:xc1P8.51316$nZ3.15257@rwcrnsc53...
>> > > Heya Maritain,
>> > >
>> > > The broadcasts are forwarded thru your router by the use of the "ip
>> > > helper-address x.x.x.x" command. You would use this command on the

>> vlan(s)
>> > > interface(s), in your case the ethernet interface (or sub-interface)

> of

>> > your
>> > > 2600, that does not contain the DHCP server. The switch simply

> forwards
>> > > broadcasts within it's vlans, it doesn't care what the packet is. It

>> will
>> > > not forward them accross vlans (would kinda defeat the purpose of

>> Vlan's!)
>> > > The router then takes over and says; "Hey, I know where this packet

>> wants
>> > to
>> > > go, let me forward it thru the appropriate interface."
>> > > Lets use an example:
>> > > Vlan 1 contains your servers as well as the dhcp server, the dhcp

>> servers
>> > IP
>> > > is 10.10.10.10. All machines in vlan 1 would be able to broadcast to

>> that
>> > > server for a DHCP address.
>> > > Vlan 2 contains your users, Vlan 2's subnet is 10.10.11.X, normally
>> > without
>> > > the helper command broadcasts would never reach the DHCP server. On

> Vlan
>> > 2's
>> > > interface you add the "ip helper-address 10.10.10.10", all broadcasts

>> from
>> > > Vlan 2 are now forwarded to the DHCP server. The DHCP server is smart
>> > enough
>> > > to see the TCP/IP header and realize that it is a request from the
>> > > 10.10.11.x subnet and will issue the appropriate IP for that subnet.
>> > >
>> > > Hope this explains it for you.
>> > > -Brian
>> > >
>> > > "Maritain" <maritain@twmi.rr.com> wrote in message
>> > > news:rn0P8.71241$Am4.17864132@twister.columbus.rr.com...
>> > > > Guys,
>> > > >
>> > > > I understand your answers. I am clear on the fact of the proper

> config
>> > of
>> > > > the router as a relay agent, but my real issue is with the broadcast
>> > > domain
>> > > > created by the VLAN subnet.
>> > > >
>> > > > The switch is creating a closed, layer 2 broadcast domain or VLAN -

>> the
>> > > > clients are on their own VLAN and the DHCP is on another VLAN for
>> > security
>> > > > purposes. Therefore, each is on it's own broadcast domain and it's

> own
>> > > > subnet. They are, in turn, separated by a 2600 router, which would
>> > > normally
>> > > > handle all Layer 3, inter-VLAN traffic between them. The DHCP server
>> > will
>> > > > have a scope configured for both subnets involved here.
>> > > >
>> > > > Question posed again: How does a broadcast intended for another VLAN

>> get
>> > > > through the ports of the switch and on to the router so it can be
>> > relayed
>> > > to
>> > > > the DHCP servers VLAN/subnet? Does the switch automatically forward

>> the
>> > > > broadcasts to the router to be switched via relay to the proper VLAN
>> > where
>> > > > the DHCP server is or will the switch block the broadcasted packets

>> and
>> > > > thereby prevent them from ever getting to the router in the first

>> place?
>> > > > This is the real problem I see, unless my understanding of clients
>> > > > broadcasting on VLAN's in incorrect.
>> > > >
>> > > > My understanding is that when a switch creates a VLAN, it has

>created
>> a
>> > > > broadcast domain. Therefore, if a client broadcasts a message on

> it's
>> > home
>> > > > VLAN, that broadcast wont ever leave that VLAN (i.e. group of

> switched
>> > > ports
>> > > > acting as a segmented LAN); it wont ever get to the router to be

>> relayed
>> > > in
>> > > > the first place. Right?
>> > > >
>> > > > The DHCP broadcast is a special one because there's no IP in place.

>> The
>> > > > "DHCPDISCOVER" is an all subnets broadcast (destination IP address

> of

>> > > > 255.255.255.255), with a source IP address of 0.0.0.0.
>> > > >
>> > > > So, how does this "DHCPDISCOVER" broadcast get out of its home VLAN

>> and
>> > > into
>> > > > the routers interface to be relayed if the switches main purpose in
>> > > > providing the VLAN is to create a closed, broadcast domain for it's
>> > > > particular clients? You guys catch my drift here?
>> > > >
>> > > > Thanks once again for the answers,
>> > > >
>> > > > Maritain
>> > > >
>> > > >
>> > > >
>> > > > "Maritain" <maritain@twmi.rr.com> wrote in message
>> > > > news:ydNO8.68747$Am4.17321118@twister.columbus.rr.com...
>> > > > > Guys,
>> > > > >
>> > > > > Scenario: Windows 2000 DHCP Server on VLAN1 and multiple Windows
>> > > > 2000/NT/98
>> > > > > clients on VLAN2 Each VLAN is configured on a different 1924

>> Catalyst
>> > > > > switch. VLAN1's switch uplinks to e0 on the router and VLAN2's

>> switch
>> > > > > uplinks to e1 on the router (Cisco 2600 series).
>> > > > >
>> > > > > One of the clients on VLAN2 initializes with a broadcast
>> > (DHCPDISCOVER)
>> > > > > message in order to gain an IP address and subnet mask from the

> DHCP
>> > > > server
>> > > > > on VLAN1. The client transmits a DHCPDISCOVER message on its local
>> > > > physical
>> > > > > subnet (VLAN - Broadcast Domain) over UDP port 67 (BootP server).
>> > > > >
>> > > > > I realize that if a router was providing the segmentation at layer

>> 2,
>> > > that
>> > > > > the IP Helper Address/UDP forwarding configured in the router

> would
>> > take
>> > > > > care of the BOOTP/DHCP broadcast and send it to the DHCP server.
>> > > > >
>> > > > > However, since the broadcast domain on which the clients reside is

>a
>> > > > closed,
>> > > > > Layer 2 VLAN broadcast domain, how does the DHCPDISCOVER broadcast

>> get
>> > > > > through the Catalysts ports and on to the router?
>> > > > > In other words, how would clients on different VLANS (1,2,3 etc.),
>> > > > > configured on multiple switches share a central DHCP server on

>> VLAN1?
>> > > > >
>> > > > > Is the only option to use a DHCP relay agent on each VLAN/subnet

>or
>> is
>> > > > there
>> > > > > another method?
>> > > > >
>> > > > > Thanks in advance for the help,
>> > > > >
>> > > > > Maritain
>> > > > >
>> > > > >
>> > > > >
>> > > > >
>> > > >
>> > > >
>> > >
>> > >
>> >
>> >

>>
>>

>
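The relay step this thread keeps returning to, as an added example that is not part of any poster's message: the router interface inside the client VLAN hears the DHCPDISCOVER broadcast, writes its own address into the BOOTP `giaddr` field, and unicasts the request to the helper address, and the server picks the scope containing `giaddr`. The addresses are the ones used in the thread; the MAC, transaction ID, hop limit and function names are constructed for illustration.

```python
import ipaddress
import struct

# Fixed BOOTP header (236 bytes): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
MAGIC = bytes([99, 130, 83, 99])   # DHCP magic cookie
MAX_HOPS = 16                      # assumed limit; real relays make this configurable
ZERO = bytes(4)

def build_discover(mac: bytes, xid: int) -> bytes:
    """Constructed DHCPDISCOVER as sent by a client that has no address yet."""
    hdr = struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0x8000,
                      ZERO, ZERO, ZERO, ZERO, mac.ljust(16, b"\0"),
                      bytes(64), bytes(128))
    return hdr + MAGIC + bytes([53, 1, 1, 255])   # option 53 = DISCOVER, end

def relay(packet: bytes, rx_if_ip: str, helper: str):
    """Router interface that is a member of the client VLAN.

    Returns (dst_ip, dst_port, packet) for the unicast, or None if dropped.
    """
    f = list(struct.unpack(BOOTP_FMT, packet[:236]))
    if f[0] != 1 or f[3] >= MAX_HOPS:   # relay only BOOTREQUEST, bounded hops
        return None
    f[3] += 1                           # hops
    if f[10] == ZERO:                   # giaddr is set by the first relay only
        f[10] = ipaddress.IPv4Address(rx_if_ip).packed
    return helper, 67, struct.pack(BOOTP_FMT, *f) + packet[236:]

def pick_scope(packet: bytes, scopes, server_subnet: str):
    """Server side: choose the scope whose subnet contains giaddr."""
    giaddr = ipaddress.IPv4Address(struct.unpack(BOOTP_FMT, packet[:236])[10])
    if giaddr.packed == ZERO:
        return server_subnet            # heard directly on the server's own VLAN
    for scope in scopes:
        if giaddr in ipaddress.ip_network(scope):
            return scope
    return None                         # no matching scope, no offer

if __name__ == "__main__":
    scopes = ["10.10.10.0/24", "10.10.11.0/24"]
    discover = build_discover(bytes.fromhex("0050da112233"), 0x1234)
    dst, port, relayed = relay(discover, "10.10.11.1", "10.10.10.10")
    print(dst, port, pick_scope(relayed, scopes, "10.10.10.0/24"))
```

A router interface with no helper address configured simply never calls the relay step, so the broadcast stays inside its VLAN.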


Brian V

2002-06-24, 6:35 pm

Heya Maritain,
You got it! However:
1, You CAN have a vlan span multiple switches.
2, Your router must have a FastEthernet capable of supporting trunking or a
crapload of ethernet interfaces to route the vlans.

Let's say you have switch "A" that you want vlans 1,2 and 3 on, that switch
can also have vlans 4,5 and 6 on it, you simply don't configure any ports on
it:

<router>f0.1, 0.2, 0.3, 0.4, 0.5 and 0.6----Trunk-->Switch "A"----Trunk---->Switch "B"

Switch "A" has all 6 vlans configured, but is only using 1-3
Switch "B" only has 1, 4, 5 and 6 on it, or it could use all 6.

As long as the trunking is set up your configurations are pretty much
unlimited. All trunks must know about all vlans to be carried.

Take care,
Brian

"Maritain" <maritain@twmi.rr.com> wrote in message
newsilP8.72701$Am4.18677972@twister.columbus.rr.com...
> Brian,
>
> I understand now. The key piece of info I wasn't getting was this: "One
> of the routers interfaces is IN Vlan 2". None of the books I've read on
> routing and switching mentioned this fact (or they did and I missed it, or
> they assumed you're supposed to know that! LOL!)
>
> "EVERY Vlan must have a router interface in it if you wish to route it. You
> cannot simply have a router interface in ONLY Vlan1, there MUST be either: 1
> router interface per vlan or one sub-interface per vlan and use a trunk from
> the switch that carries all vlans to get to that router."
>
> This is enlightening! I was under the impression that the switch ITSELF was
> the only thing that needed a port on the router. I was thinking that if you
> had, say, 3 VLANS on one 1924 switch, that that switch would then uplink to
> e0 on the router. I didn't know that a router interface needed to be PART OF
> each VLAN. This is new info to me (for one into CCNP study - Switching!
> LOL!).
>
> Instead of this: "Switch Vlan1--->e0 <router> e1<----Switch Vlan 2"
>
> I thought it looked more like this: Switch_A = Vlan1, Vlan2, Vlan3--->e0
> <router>
> e1<----Switch_B = Vlan 4, Vlan 5, Vlan 6.
>
> When in fact, it should look like this:
> Switch_A = Vlan1, Vlan2, Vlan3--->e0/1, e0/2, e0/3 <router> e1/1, e1/2,
> e1/3<----Switch_B = Vlan 4, Vlan 5, Vlan 6.
>
> Correct? Making a sub-interface PART OF each VLAN's broadcast domain.
>
> If you want to have 3 VLANs on a single switch, then you need to have either
> 3 router interfaces or 3 sub-interfaces configured on one physical interface
> configured on the router for each VLAN to support routing between the VLANs.
> This is what I've learned from you Brian.
>
> Therefore, in this scenario the router's interface (or sub-interface) is
> WITHIN the VLAN's broadcast domain. Ah ha! As Gaz stated, "Your router is
> within the broadcast domain. The interface connected to VLAN 2 receives the
> broadcast, and because of the IP helper address it knows it has to forward
> this broadcast (as a unicast) to the DHCP server on VLAN 1 (with a few
> changes to the packet)." Thanks Gaz!!
>
> So, since broadcasts are only sent out of the ports that belong to the VLAN
> the broadcast originated from, they will be sent, by default, to the router's
> interface in light of its membership to that particular VLAN. Therefore, it
> will hear the DHCP request and forward via the helper address.
>
> However, Brian, could you elaborate on this statement: "...and use a trunk
> from the switch that carries all vlans to get to that router." This is a
> little confusing. It's my understanding that if your VLANs don't span
> multiple switches, you don't need ISL or .q trunking, correct?
>
>
> Yours,
>
> Maritain
>
>
>
>
>
>
>
>
>
>
>
>
> "Brian V" <chopper_man@attbi.com> wrote in message
> news:SW2P8.220318$cQ3.8175@sccrnsc01...
> > Maritain,
> >
> > One of the routers interfaces is IN Vlan 2, it hears the broadcast and
> > forwards it appropriately. EVERY port in a specific Vlan hears the
> > broadcast. EVERY Vlan must have a router interface in it if you wish to
> > route it. You cannot simply have a router interface in ONLY Vlan1, there
> > MUST be either: 1 router interface per vlan or one sub-interface per

vlan
> > and use a trunk from the switch that carries all vlans to get to that
> > router.
> >
> > Switch Vlan1--->e0 <router> e1<----Switch Vlan 2
> >
> >
> > Vlan 1: 10.10.10.0/24
> > DHCP Server: 10.10.10.10
> > Interface E0: 10.10.10.1/24
> > Vlan 2: 10.10.11.0/24
> > Interface E1: 10.10.11.1/24
> > ip helper-address 10.10.10.10
> >
> > or
> >
> > Switch Vlan1,2,3----trunk---->f0.1, f0.2, f0.3<router>
> >
> > Vlan1: 10.10.10.0/24
> > DHCP server: 10.10.10.10
> > Vlan2: 10.10.11.0/24
> > Interface f0.1 10.10.10.1/24
> > Interface f0.2 10.10.11.1/24
> > ip helper-address 10.10.10.10
> > Interface f0.3 10.10.12.1/24
> > ip helper-address 10.10.10.10
> > etc, etc
> >
> > Hope this cleared it up.
> > -Brian
> >
> >
> >
> > "Maritain" <maritain@tmwi.rr.com> wrote in message
> > news:9E1P8.71260$Am4.17918755@twister.columbus.rr.com...
> > > Brian,
> > >
> > > "Vlan 2 contains your users, Vlan 2's subnet is 10.10.11.X, normally

> > without
> > > the helper command broadcasts would never reach the DHCP server."
> > >
> > > "On Vlan 2's interface you add the "ip helper-address 10.10.10.10, all
> > > broadcasts from Vlan 2 are now forwarded to the DHCP server. The DHCP

> > server
> > > is smart enough to see the TCP/IP header and realize that it is a

> request
> > > from the 0.10.11.x subnet and will issue the appropriate IP for that
> > > subnet."
> > >
> > > I'm totally clear on the routers part and how it's supposed to be
> > > configured.
> > >
> > > However, once again, how do the DHCP broadcasts get from the VLAN to the
> > > routers e0 port in the first place? How do they leave the VLAN in the
> > > first place?
> > >
> > > As you said, "The switch simply forwards broadcasts within it's vlans,

> it

> > > doesn't care what the packet is. It will not forward them across vlans
> > > (would kinda defeat the purpose of Vlan's!)".
> > >
> > > Exactly! So, how does the broadcast leave the switch's ports and enter

> the
> > > router's ports in the first place? Do you see the problem here?
> > >
> > > The VLAN is a closed broadcast domain. Why would the switch, by default,
> > > send DHCP broadcasts out of it's native VLAN to a router's interface?

> This
> > > relaying of broadcasts by default to a router's interface would defeat

> the
> > > purpose of the VLAN.
> > >
> > > Wouldn't there have to be some configuration on the switches ports to

> have
> > > them to forward this TYPE of DHCP broadcast to the router's interface

in
> > the
> > > first place? The router would THEN do it's job of relaying. But,

before
> > > that, the switch must KNOW to switch these types of frames to the

> router's
> > > interface in the first place. HOW does it KNOW to do this??
> > >
> > > This is what I'm confused about.
> > >
> > > Yours,
> > >
> > > Maritain
> > >
> > >
> > >
> > >
> > >
> > >
> > > "Brian V" <chopper_man@attbi.com> wrote in message
> > > news:xc1P8.51316$nZ3.15257@rwcrnsc53...
> > > > Heya Maritain,
> > > >
> > > > The broadcasts are forwarded thru your router by the use of the "ip
> > > > helper-address x.x.x.x" command. You would use this command on the

> > vlan(s)
> > > > interface(s), in your case the ethernet interface (or sub-interface)

> of

> > > your
> > > > 2600, that does not contain the DHCP server. The switch simply

> forwards
> > > > broadcasts within it's vlans, it doesn't care what the packet is. It

> > will
> > > > not forward them accross vlans (would kinda defeat the purpose of

> > Vlan's!)
> > > > The router then takes over and says; "Hey, I know where this packet

> > wants
> > > to
> > > > go, let me forward it thru the appropriate interface."
> > > > Lets use an example:
> > > > Vlan 1 contains your servers as well as the dhcp server, the dhcp

> > servers
> > > IP
> > > > is 10.10.10.10. All machines in vlan 1 would be able to broadcast to

> > that
> > > > server for a DHCP address.
> > > > Vlan 2 contains your users, Vlan 2's subnet is 10.10.11.X, normally
> > > without
> > > > the helper command broadcasts would never reach the DHCP server. On

> Vlan
> > > 2's
> > > > interface you add the "ip helper-address 10.10.10.10", all

broadcasts
> > from
> > > > Vlan 2 are now forwarded to the DHCP server. The DHCP server is

smart

> > > enough
> > > > to see the TCP/IP header and realize that it is a request from the
> > > > 10.10.11.x subnet and will issue the appropriate IP for that subnet.
> > > >
> > > > Hope this explains it for you.
> > > > -Brian
> > > >
> > > > "Maritain" <maritain@twmi.rr.com> wrote in message
> > > > news:rn0P8.71241$Am4.17864132@twister.columbus.rr.com...
> > > > > Guys,
> > > > >
> > > > > I understand your answers. I am clear on the fact of the proper

> config
> > > of
> > > > > the router as a relay agent, but my real issue is with the

broadcast
> > > > domain
> > > > > created by the VLAN subnet.
> > > > >
> > > > > The switch is creating a closed, layer 2 broadcast domain or

VLAN -
> > the
> > > > > clients are on their own VLAN and the DHCP is on another VLAN for
> > > security
> > > > > purposes. Therefore, each is on it's own broadcast domain and it's

> own
> > > > > subnet. They are, in turn, separated by a 2600 router, which

would

> > > > normally
> > > > > handle all Layer 3, inter-VLAN traffic between them. The DHCP

server
> > > will
> > > > > have a scope configured for both subnets involved here.
> > > > >
> > > > > Question posed again: How does a broadcast intended for another

VLAN
> > get
> > > > > through the ports of the switch and on to the router so it can be
> > > relayed
> > > > to
> > > > > the DHCP servers VLAN/subnet? Does the switch automatically

forward
> > the
> > > > > broadcasts to the router to be switched via relay to the proper VLAN
> > > > > where the DHCP server is or will the switch block the broadcasted
> > > > > packets and
> > > > > thereby p