VLANS and DHCP scopes

[badass]

Lets say I have a Windows 2003 DHCP server on VLAN 2
there are VLANS 2,3 4 and 5
The subnets are as follows:
192.168.0.0/24 VLAN 2
192.168.1.0/24 VLAN 3
192.168.2.0/24 VLAN 4
192.168.3.0/24 VLAN 5

On a Cisco stack I set up the IP helper* on VLANs 3,4 and 5 to point to the IP address of my Win2003 DHCP server. There is no IP helper on VLAN 2 since that's where the DHCP server is.
There are 4 scopes set up on said server
192.168.0.0/24
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24

Now I know that when the IP helper forwards DHCP packets to the DHCP server, it puts its gateway in there. Win2003 DHCP then knows which scope to assign IPA's from because it knows the network addresses from which the request came.
How does it know which scope to use for new clients on the local VLAN (VLAN 2)?
i.e. If I plug a new PC into a port that is assigned to VLAN 2, how will the Windows 2003 server know to aggidn an address from the 192.168.0.0/24 scope rather than any of the other ones?



*Microsoft calls the same thing the DHCP relay agent.

[Jay]

This is a fantastic question...

I have no idea and world also love to know.

I am sure that ports have VLAN tag attached, there will also be a scope statements to seperate each scope to each vlan.... This is a tough one.

Microsoft Corporation

[badass]

Just had a thought - is it related to the IPA/network address of the DHCP server itself?
i.e. since there is no IP address from which the request came, the DHCP server assumes that it should assign an IPA from a scope thats in the same network as the NIC on the DHCP server that the request was recieved by?

[aidanjt]

Each VLAN tunnel has it's own subnet like any other network. It's pretty trivial to deduce which scope to pick when requests are coming in from a particular VLAN. It's the same as having a DHCP box with 4NICs with 4 different scopes for each network, the DHCP server listens on all the addresses say 192.168.n.1/24 (where 'n' is 1-4), any incoming DHCP request is automatically assumed that NICn = Subnet-scope n also. Essentially, VPN is just another network carrier as far as TCP/IP is concerned.

[badass]

Each VLAN tunnel has it's own subnet like any other network. It's pretty trivial to deduce which scope to pick when requests are coming in from a particular VLAN. It's the same as having a DHCP box with 4NICs with 4 different scopes for each network, the DHCP server listens on all the addresses say 192.168.n.1/24 (where 'n' is 1-4), any incoming DHCP request is automatically assumed that NICn = Subnet-scope n also. Essentially, VPN is just another network carrier as far as TCP/IP is concerned.

That makes no sense.
VPN's and VLANs are not connected. At all.
A VLAN has nothing to do with tunnels. That's usually used to refer to a VPN - as in a VPN tunnel.

Anyway, I think I've answered my own question in my previous post.

[badass]

This is a fantastic question...

I have no idea and world also love to know.

I am sure that ports have VLAN tag attached, there will also be a scope statements to seperate each scope to each vlan.... This is a tough one.

Microsoft Corporation

VLAN tags are just for trunk ports - i.e. ports on which data from multiple VLANs can pass. Some server NIC's support connecting to trunk ports so you only need 1 NIC to connect to every VLAN you have on your network. This is useful for example if you are using a server as a router, or it performs some other service that requires it to have direct access to more than 1 subnet.
However, experience tells me to avoid that config if at all possible. For DHCP for example, you are better off fixing the VLAN of the port(s) the server connects to and using an IP helper to forward DHCP requests. The problem with a server connected to a trunk port is a slight misconfiguration or probelms with the server NIC can cause havok with all of your network when otherwise it wouldn;t have cause a problem.

[badass]

I will prove my theory tomorrow. I will set up a test DHCP server and the setup mentioned in my first post in a virtual environment. To prove it just uses either the network address or the IP address of the server NIC that recieved the request, I will set up the 4 scopes, change the IPA of the server NIC and get a device to request a new address and see which scope it comes from.
That will definatively answer the question. Just to make sure its got nothing to do with the server NIC's default gateway, I will put the DG in a different subnet to the IP address. Of course, thats a mental config, but its nice to know the answer for sure, even if it has no relevance in real life

[Jay]

I am confused. Do you have a diferent NIC for each VLan in the server?

[digit]

I'd be using cisco switches to create the VLANS, then use a trunk link to the cisco router. The cisco router would then run DHCP and you'd configure a dhcp pool for each sub interface configured..

AKA switch contains VLAN 1, 2, 3, 4, 5

Sub interfaces on router xxx.xxx.xx.xx.1
Sub interfaces on router xxx.xxx.xx.xx.2
Sub interfaces on router xxx.xxx.xx.xx.3
Sub interfaces on router xxx.xxx.xx.xx.4
Sub interfaces on router xxx.xxx.xx.xx.5

Although i'm guessing I've completly missed the point and your running dhcp on a Windows box for a good reason.

I am confused. Do you have a diferent NIC for each VLan in the server?

If the NIC supports trunking it will be able to determine due to VLAN tagging what data is associated with which VLAN. 802.1q will be the protocol responsible for this, or it could be ISL but I doubt it in this case.

[badass]

I am confused. Do you have a diferent NIC for each VLan in the server?

Firstly, these are all theoretical. The network I manage is considerably more complex than that.
The first case - post 1 I was talking about a server with 1 NIC, but dishing out IPA's for 4 subnets, one of which was its own subnet.

The second case, post 6 was about VLAN trunk ports and tagging. A single NIC in this case would behave like the server has 4 NIC's, each in a different VLAN/subnet.

The third case, for my experiment will be done on VMware server. It will have 2 Virtual servers. The first - the DHCP server will have 1 virtual NIC.
The second will have 2 or more NIC's and be running the DHCP relay agent. The third will be a workstation. I will move it through various virtual switches renewing its IP address and seeing what happens.

[Jay]

If the NIC supports trunking it will be able to determine due to VLAN tagging what data is associated with which VLAN. 802.1q will be the protocol responsible for this, or it could be ISL but I doubt it in this case.

Thats what I said above but it was said that this wasn't used.

[badass]

Although i'm guessing I've completly missed the point and your running dhcp on a Windows box for a good reason.

Its all about the options. The switches/firewalls are not capable of supporting the DHCP options we need for the phones and I doubt they support the options needed for our image deployment as well.