DHCP Relay vs Multi-Homed DHCP Server

dhcpnetwork-designnetworkingvlan

I'm sketching out a new network topology and I'm unsure of how to solve the issue of DHCP between two VLANs.

10.50.2.0/23 will hold the majority of our users, corporate wifi, printers etc.
10.250.3.0/24 will hold a subset of users who need access to our AWS VPN tunnel

I'm planning to use a L3 switch to route between subnets, with ACLs to control which VLAN can access which and in which direction (i.e. 3/24 will be able to access 2/23 but not vice versa).

The issue is DHCP in the 10.50.3.0/24 network. I can either configure a DHCP relay via the switch, or I can give our Windows 2008 R2 DHCP server a NIC in that network.

Which (if either) is the "right" way?

Best Answer

You could also just let your switch be the DHCP server as well.

Multi-homing Windows is frequently a bad idea. Unless you do it perfectly right you can have weird DNS and routing issues.

You are better off using a relay agent.

Related Solutions

Firewall – VLAN ACLs and when to go Layer 3

Keep in mind that, fundamentally, if two hosts are configured with IP addresses in different subnets those hosts will need to communicate through one or more routers with interfaces in their respective subnets in order to communicate. A "layer 3 switch" isn't anything more than a router with the ability to create virtual interfaces that are exposed to the broadcast medium of a VLAN.

re: #1 - To conceptualize VLANs, just imagine that the ports in each VLAN are a physically disperate switch. In a flaw-free VLAN implementation (where traffic can't "leak" between VLANs) that's the effective behavior-- each VLAN acts as a separate switch. ACLs applied at layer 2 will name only MACs (and, if the switch supports quasi-layer 1 ACLs, ports). Any ACLs naming IP addresses, TCP ports, etc, aren't layer 2 ACLs. (There may be switches that have "layer 2.5" functionality whereby they examine the payloads of IP packets without actually being able to route packets, but I'd be wary of such things.)

re: #2 - VLAN tags allow the traffic of multiple VLANs to be carried on a single port, typically called a "trunk". You can conceptualize them as virtually subdividing a connection between two devices into smaller "ports" that each carry the traffic for a single VLAN. There's nothing you can do with "trunking" that you couldn't do by using multiple non-trunked ports, but using trunk ports and tagging packets allows you to carry the traffic of multiple VLANs between physically disperate switches w/o using a large number of physical ports for inter-switch links.

re: #3 - Routing IP between different subnets (irrespective of VLANs-- it's typically convenient to have a 1:1 relationship between VLANs and subnets, but it's not required) requires a routing capability. If you need to route IP between different subnets then you need a router. It could be an embedded layer 3 entity in a switch, or it could be a "router on a stick". Anything that can route IP between different subnets is a router. re: ACLs - Like I said in #1-- I'd be wary of a device that did "quasi layer 3" functions. Either it's a router or it isn't.

A couple decent background questions:

How to block traffic between two specific VLANs

I hate answering my own questions, but as I've now resolved this, this might help someone else.

Firstly, the netmask above is incorrect, I should have used a Wild Card Mask

After some research I found that the correct commands to create the ACL were:

access-list testacl deny ip 10.58.5.0 0.0.0.255 10.58.8.0 0.0.0.255
access-list testacl permit every

...and to apply the ACL, I used the following:

interface vlan 5
ip access-group testacl

After the research I did, I felt confident to apply the ACL to the production switches, and the change worked flawlessly.

Best Answer

Related Solutions

Firewall – VLAN ACLs and when to go Layer 3

How to block traffic between two specific VLANs

Related Topic