Vlan – Configuring DHCP relay agent with VLAN’s

dhcpvlan

I'm kinda confused. I'm learning VLAN's now. So I decided to make a small lab – I need to make 4 dhcp pools on Router0 (which you can see on the pictures) for VLAN 100, 200, 300, 400 (pool 100 for VLAN 100 and so on). Also, I need to configure a DHCP-relay agent on Router1 so Router0 could give addresses from pools for VLAN 300 and 400.

I don't really understand, how I should configure DHCP-relay agent. I made 4 subinterfaces on Router0 and switched Fa0/1 of Switch1 to trunk mode. I tried making subinterfaces on Fa0/1, which are leading to VLAN 300 and 400 (Fa0/1.300 encapsulation dot1q 300; Fa0/1.400 encapsulation dot1q 400)

But I don't know, what I should do with Fa0/0 of Router1, which addresses I should add to ip helper-address on subinterfaces and how I should configure routes to VLAN's. I would really appreciate your help!

Best Answer

Your network diagram does not clearly show interface/port numbers between devices. Therefore, I am trying to guess as much as I can.

On the right side of your Router1, I see its Int F0/1 is connecting to Int F0/1 of right-side Switch (on which you have two VLANs 300 and 400 configured):

Int F0/1 of right-side Switch should be configured as trunk port (allowed VLANs 300 and 400) and Int F0/1 of Router1 should be configured with two subinterface F0/1.300 and F0/1.400.

You need to assign IP addresses in subnets of VLAN 300 and 400 for subinterface F0/1.300 and F0/1.400 on Router1, for example 10.10.239.253/28 and 10.10.255.253/28, respectively. These are Relay Agent IP addresses in DHCP request packets.

Next, you need to configure the IP address of DHCP server (here is Router0) under Router1's two subinterfaces F0/1.300 and F0/1.400 using ip helper-address IP_Address command.

The IP address of Router0 DHCP server you use here depends on L3 segment/network between your Router1 (Int F0/0 on the left side) and Router0.

Your network has 4 VLANs/subnets. On Router1, you already use F0/1.300 and F0/1.400 subinterfaces (in VLAN 300 and 400), therefore you have to assign an IP address in other VLANs (either VLAN 100 or 200) for Int F0/0 of Router1. Let us say we choose the VLAN 100 and create an subinterface F0/0.100 with IP: 10.10.207.253/28, then we have to configure Int F0/2 of left-side switch (connecting to F0/0 of Router1) to trunk VLAN 100 as well.

Now, the IP address of Router0 DHCP server we use for ip helper-address IP_Address command must be the IP address of subinterface F0/0.100 - 10.10.207.254. Because the relayed DHCP requests from Router1 is routed through VLAN 100 on left-side switch, then hit Router1 on its subinterface F0/0.100.

Lastly, we need to ensure that Router0 knows how to send the traffic back to Router1 DHCP Relay Agent IP addresses (10.10.239.253 and 10.10.255.253) by adding static routes for them with next-hop IP is the IP address of Router 1 F0/0.100 subinterface (10.10.207.253).

I do not put the configuration for Switches here, I assume they are good with all VLANs, trunk and access ports are configured properly.

The updated full configuration on Routers and Switches:

*********************
*****  Router0  *****
*********************
!
ip dhcp excluded-address 10.10.207.253
ip dhcp excluded-address 10.10.239.253
ip dhcp excluded-address 10.10.255.253
!
ip dhcp pool 100
 network 10.10.192.0 255.255.240.0
 default-router 10.10.207.254
ip dhcp pool 200
 network 10.10.208.0 255.255.240.0
 default-router 10.10.223.254
ip dhcp pool 400
 network 10.10.240.0 255.255.240.0
 default-router 10.10.255.254
ip dhcp pool 300
 network 10.10.224.0 255.255.240.0
 default-router 10.10.239.254
!
interface FastEthernet0/0
 description Left-side Switch
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.100
 encapsulation dot1Q 100
 ip address 10.10.207.254 255.255.240.0
!
interface FastEthernet0/0.200
 encapsulation dot1Q 200
 ip address 10.10.223.254 255.255.240.0
!
interface FastEthernet0/0.300
 encapsulation dot1Q 300
 ip address 10.10.239.254 255.255.240.0
!
interface FastEthernet0/0.400
 encapsulation dot1Q 400
 ip address 10.10.255.254 255.255.240.0
!
ip route 10.10.239.253 255.255.255.255 10.10.207.253 
ip route 10.10.255.253 255.255.255.255 10.10.207.253 
!

*********************
**Left-side  Switch**
*********************
!
vlan 100
!
vlan 200
!
vlan 300
!
vlan 400
!
interface FastEthernet0/1
 description Router0
 switchport trunk allowed vlan 100,200,300,400
 switchport mode trunk
!
interface FastEthernet0/2
 description Router1
 switchport trunk allowed vlan 100
 switchport mode trunk
!
interface FastEthernet0/3
 description PC_VLAN100
 switchport access vlan 100
 switchport mode access
!
interface FastEthernet0/4
 description PC_VLAN200
 switchport access vlan 200
 switchport mode access
!

*********************
*****  Router1  *****
*********************

!
interface FastEthernet0/0
 description Left-side Switch
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.100
 encapsulation dot1Q 100
 ip address 10.10.207.253 255.255.240.0
!
interface FastEthernet0/1
 description Right-side Switch
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.300
 encapsulation dot1Q 300
 ip address 10.10.239.253 255.255.240.0
 ip helper-address 10.10.207.254
!
interface FastEthernet0/1.400
 encapsulation dot1Q 400
 ip address 10.10.255.253 255.255.240.0
 ip helper-address 10.10.207.254
!

*********************
**Right-side Switch**
*********************
!
vlan 300
!
vlan 400
!
interface FastEthernet0/1
 description Router1
 switchport trunk allowed vlan 300,400
 switchport mode trunk
!
interface FastEthernet0/2
 description PC_VLAN300
 switchport access vlan 300
 switchport mode access
!
interface FastEthernet0/3
 description PC_VLAN400
 switchport access vlan 400
 switchport mode access
!

Testing on Router0

Router0#ping 10.10.239.253

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.239.253, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/5 ms

Router0#ping 10.10.255.253

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.255.253, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms

PC in VLAN 300 (on the right side) can get IP address:

======

In this case, VLANs 300 and 400 are on the right side of the network, You should configure the IP addresses of 10.10.239.253 and 10.10.255.253 are default gateway IPs (Router1 subinterfaces) in DHCP IP Pool 300 and 400 on Router0.

======

I hope it is helpful.

Related Solutions

Routing – VLAN tagging, routing, and general pain

Basics

When you tag a VLAN on a port, it will send out the traffic on that port with the VLAN tag, when the port receives traffic it looks for the tag and places the traffic into that VLAN. You can have multiple tagged VLANs on one port (sometimes called trunk).

When you send out a VLAN untagged on a port it will not add the VLAN tag to the packet and when receiving packets without a VLAN tag it will be placed into that VLAN (on Netgear and others you have to set PVID (Primary VLAN ID))

To your problem

I think you are not far away... - Router port connected to Switch1 should have IP within VLAN 2220. - DHCP Server should have different IP from different Subnet! - Router port Connected to Switch2 should have IP in Subnet of DHCP Server - You should define a DHCP Helper on Router port connected to Switch1 so DHCP Request get forwarded to DHCP Server. Hot to do that is described here: http://kb.netgear.com/app/answers/detail/a_id/21990/~/how-do-i-configure-a-dhcp-l3-relay-using-the-web-interface-on-my-managed-switch%3F

Hope this helps you a little bit further. If not, please post a more detailed network diagram with VLAN IDs and IPs.

Switch – Help with VLANs, ACLs, DHCP on SG-300 Layer 3 switch

You do not need the ip helper-address statement.

As I understand your requirement, you only want to allow printers on vl 2 to be accessed from vl 3. Nothing else on vl 2 can be accessed from vl 3.

ip access-list extended vlan3-in
 remark allow printers.  Repeat this line for each printer
 permit ip any host <printer address>
 remark alternatively, you can only allow the printer port on the VLAN, for ex.
 permit tcp any 192.168.2.0 0.0.0.255 eq 9100
 remark block the rest of vlan 2
 deny ip any 192.168.2.0 0.0.0.255
 remark permit Internet
 permit ip any any

interface vlan 3
service-acl input vlan3-in

If your AP can offer multiple SSIDs, then you can have one SSID for each VLAN. You tag the VLANs and set the switchport to trunk.

If your AP can't offer multiple SSIDs, then make the switch port an access port and don't tag the vlan.

Best Answer

Related Solutions

Routing – VLAN tagging, routing, and general pain

Switch – Help with VLANs, ACLs, DHCP on SG-300 Layer 3 switch

Related Topic