DHCP, VLANs and routing



Hey. I have a question about DHCP servers on a network (<100 clients total) with multiple subnets. I would like to have a single DHCP server for all the subnets, and I'm wondering how best to do this. I'm trying to set up the firewall as a DHCP server. I would like the L3 switch to do inter-VLAN routing to save the firewall from the internal traffic. With that in mind, how do I get this working?

A cutout of my network-topology idea:

Internet-----Firewall ----trunk(vlan20+vlan30)--------L3 Switch ------2 subnets: vlan20(clients) and vlan30(servers)

I thought about setting up 2 SVIs on the L3 switch (one for VLAN 20 and one for VLAN 30) so that those SVIs could be the default gateway for the VLANs, and I could do the inter-VLAN routing there between the clients and the servers.

If I then set up VLAN 20 and VLAN 30 SVIs on the firewall with DHCP servers, the VLANs would get IPs, but what about routing towards the internet or DMZ? (I have a DMZ zone with web and mail attached to the firewall.)

Internet traffic has to be routed in the L3 switch so the packets go to the firewall. Do I have to add another cable from the L3 to the firewall where I set static IPs in a 10.0.0.0/30 subnet (10.0.0.1 firewall and 10.0.0.2 L3), so that the L3 could route from e.g. VLAN 20 over to 10.0.0.1, which routes it out? Or is it possible to do everything over the one trunk I already have (which works with link aggregation over 2 cables)?

By the way, for a <100 user business, is it necessary to have 2x "389 Directory Server+DNS" for redundancy, or is it overkill (is it even possible with 389?)

I hope someone can help me.

If I was very unclear, just ask and I shall answer as fast as I can :)


I'm not an expert, but I'll describe how our network is.

We have multiple VLANs, with the servers being on VLAN 1. One of these servers is a DHCP server, and we have no issues with ~1000 clients across 10+ VLANs being assigned addresses from the server. As long as the switches all carry the server VLAN (VLAN 1 in my case), you shouldn't have any problems.


Thanks for the quick answers. Yes, that part I understand. But how do I set up the routing to make sure that VLAN 20 and VLAN 30 are routed using the L3 switch, while internet+DMZ traffic is forwarded from the L3 to the firewall? To get inter-VLAN routing working, the L3 needs to be the default gateway for VLAN 20 and 30. So how do I set up the rest (to and from the internet and DMZ)?


Layer 3 supports routing. Everything would get connected to the switch and the default route would be to the firewall. You would use helper addresses in each VLAN, and the layer 3 switch would have an IP in each VLAN as the gateway for that VLAN.

Does that draw a clear enough picture?


Kinda. So you'd recommend just a static /30 subnet between the L3 and the firewall, and just 2 VLANs: VLAN 20 and VLAN 30? If so, what if the firewall's DHCP server doesn't support relay agents (option 82)?

That's why I was looking at trunking between the L3 and the firewall (so it doesn't rely on relay agents/IP helpers). But is it possible to have the L3 route traffic out then?

Example for VLAN 20: default gateway = 10.0.20.1 (switch), DHCP server = 10.0.20.2 (firewall). A VLAN 20 IP wants to contact neowin.net. What would the route be on the L3? 10.0.20.0 (whole subnet) -> 0.0.0.0 through 10.0.20.2 (firewall, which will now forward to WAN)? Does this work? Can a default gateway route through another IP in the same VLAN as the client? Or do I have to create a separate VLAN or subnet (like a static /30) for traffic that's being routed out?


The DHCP server has to be able to support multiple scopes. A basic SOHO router cannot do this. Use a Unix distro or a Windows server for this.


A firewall like a ZyWALL can do that. You set a DHCP server per interface or SVI, so with a trunk between the L3 and the firewall, it would work as a DHCP server. But again, will routing work when the next hop (after the default GW) is on the same subnet as both the client and the default gateway?


Yes, set the default route in the switch to the firewall and have at it.

You need helpers and a default route.

I would make the router in its own vlan, but that is me.


Oh, and one more thing: don't trunk to the firewall. You don't need to. You won't have the bandwidth you want to be able to trunk. You would trunk between switches, and you would have multiple trunk ports to support more throughput between switches. There's no point trunking from a switch to a router; you can't possibly have the bandwidth needed to utilize trunking.

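Putting the last few replies together (SVIs on the L3 switch as the VLAN gateways, helper addresses pointing at the firewall's DHCP server, a default route to the firewall, and the firewall on its own small VLAN rather than a trunk) into one concrete configuration. This is an added example written for this page, not a config posted in the thread. It assumes Cisco IOS syntax for the switch; the 10.0.20.0/24, 10.0.30.0/24 and 10.0.0.0/30 addresses are the ones the thread uses, while VLAN 99 and the port GigabitEthernet1/0/1 are hypothetical names chosen for the example. The firewall side is described in comments because its syntax is vendor-specific.

```text
! ===== L3 switch (Cisco IOS syntax assumed) =====
ip routing
!
vlan 20
 name clients
vlan 30
 name servers
vlan 99
 name fw-transit
!
! SVI = default gateway for each client/server VLAN.
! ip helper-address turns the clients' DHCP broadcasts into unicast
! packets to the firewall, with giaddr set to this SVI's address.
interface Vlan20
 description clients 10.0.20.0/24
 ip address 10.0.20.1 255.255.255.0
 ip helper-address 10.0.0.1
!
interface Vlan30
 description servers 10.0.30.0/24
 ip address 10.0.30.1 255.255.255.0
 ip helper-address 10.0.0.1
!
! Point-to-point transit VLAN to the firewall (the /30 from the thread).
! Keeping the firewall off the client VLAN avoids the hairpin where the
! switch forwards a client's internet traffic back out the same VLAN it
! came in on (that works, but the switch answers with ICMP redirects and
! every internet packet crosses the client VLAN twice).
interface Vlan99
 description transit to firewall 10.0.0.0/30
 ip address 10.0.0.2 255.255.255.252
!
! Single access port to the firewall instead of a trunk: only the
! transit VLAN needs to reach it. (hypothetical port name)
interface GigabitEthernet1/0/1
 description uplink to firewall
 switchport mode access
 switchport access vlan 99
!
! Everything the switch has no connected route for (internet, DMZ)
! goes to the firewall.
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! ===== Firewall side (vendor-specific, expressed as requirements) =====
! - interface towards the switch: 10.0.0.1/30
! - static routes back to the inside subnets, otherwise return traffic
!   and DHCP offers cannot reach them:
!     10.0.20.0/24 via 10.0.0.2
!     10.0.30.0/24 via 10.0.0.2
! - DHCP scopes for 10.0.20.0/24 and 10.0.30.0/24 whose "router" option
!   is the switch SVI (10.0.20.1 / 10.0.30.1), not the firewall; the
!   server chooses the scope from giaddr (the relaying SVI address).
! - policy allowing UDP/67 from 10.0.20.1 and 10.0.30.1 to the firewall
!   itself, and allowing inside-to-internet / inside-to-DMZ as desired.
```

Two checks before trusting this design. First, the firewall's DHCP server has to accept relayed requests: it selects the scope from the giaddr field of the relayed packet, which is separate from option 82 (the relay agent information option); a server that is only able to hand out addresses on its own directly connected interfaces will answer with nothing. Second, with this layout VLAN 20 to VLAN 30 traffic never touches the firewall, so any client-to-server filtering has to live on the switch (ACLs on the SVIs); only traffic matching the default route is inspected.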

The layer 3 switch doesn't do DHCP?

sc302 is pretty much correct in what he's stated.

Personally I would have VLAN 20 and 30 on the switch, then a default route to the firewall, but I would have DHCP on the L3 router just in case something goes wrong with the firewall or the cable between the firewall and switch. At least then users will still be able to get an IP address and connectivity internally; it just means there is one less vulnerability.

This I don't get:

but what about routing against internet or dmz? (i have a dmz-zone with web and mail attached to firewall).