antwerp2007
routing vlans and multiple scope on server 2008 R2
Hi, can someone explain how to properly configure routing so that I can use multiple DHCP scopes from a DHCP Server 2008 on multiple VLANs in a Cisco Catalyst infrastructure? The default gateway for the LAN environment is an ASA 5505.
I have a CAT3750 stack with VLAN1 (native), VLAN2 and VLAN3.
ip routing is enabled on the CAT3750 and a gateway of last resort is also defined, which points to the LAN IP of the ASA firewall.
There is no default gateway command on the VLAN interfaces because I use ip routing.
I defined 2 static routes on the ASA firewall for VLAN2 and VLAN3.
A DHCP client only receives a DHCP address from the DHCP scope if I add a manual route on the DHCP server (route add subnet vlan2 mask gateway vlan (= IP address defined on the vlan2 interface on the Catalyst)).
Thank you
1/ Inter-VLAN routing must be enabled on the Catalyst.
2/ The DHCP server must be able to route packets to all the VLANs. If the router for the DHCP server is the Catalyst, no problem. If not, you can create a static route to each VLAN on the router used by the DHCP server.
3/ When you have set the ip helper-address accordingly (refer to Soulja's comment), create the corresponding scopes on the DHCP server.
When the server receives a forwarded DHCP DISCOVER packet from one of the VLANs (that the emitting host has sent to the broadcast address), said packet is forwarded to the DHCP server with the VLAN interface IP address in the GIADDR field (Gateway IP ADDRess). The DHCP server then matches the subnet of GIADDR with one of its scopes, assigns an IP address from that scope, and sends the DHCP OFFER packet to the VLAN interface, which forwards it to the emitting host.
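The scope selection described in the answer above, as an added example that is not part of the original thread. The subnets, the server address and the function names are constructed for illustration (the thread gives no VLAN addressing); the packet layout is the standard BOOTP header with GIADDR at bytes 24 to 27.

```python
import ipaddress
import struct

# Constructed scopes and server address (assumptions, not from the thread).
SCOPES = {
    "vlan1": ipaddress.ip_network("192.0.2.0/26"),
    "vlan2": ipaddress.ip_network("192.0.2.64/26"),
    "vlan3": ipaddress.ip_network("192.0.2.128/26"),
}
SERVER_IF = ipaddress.ip_address("192.0.2.10")  # server NIC, member of vlan1
COOKIE = bytes([99, 130, 83, 99])               # DHCP magic cookie


def build_discover(mac: bytes, giaddr: str = "0.0.0.0", hops: int = 0) -> bytes:
    """Constructed DHCP DISCOVER as it arrives at the server."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, hops,                                # op, htype, hlen, hops
        0x1234ABCD, 0, 0x8000,                        # xid, secs, broadcast flag
        bytes(4), bytes(4), bytes(4),                 # ciaddr, yiaddr, siaddr
        ipaddress.ip_address(giaddr).packed,          # giaddr, set by the relay
        mac.ljust(16, b"\0"), bytes(64), bytes(128),  # chaddr, sname, file
    )
    return fixed + COOKIE + bytes([53, 1, 1, 255])    # option 53 = DISCOVER, end


def parse_giaddr(packet: bytes) -> ipaddress.IPv4Address:
    """Extract GIADDR after checking the packet is long enough to be DHCP."""
    if len(packet) < 240 or packet[236:240] != COOKIE:
        raise ValueError("not a DHCP packet")
    return ipaddress.ip_address(packet[24:28])


def select_scope(packet: bytes):
    """Return (scope name, OFFER destination), or (None, None) if no scope fits."""
    giaddr = parse_giaddr(packet)
    # GIADDR 0.0.0.0 means no relay: the client shares the server's segment,
    # so the scope is chosen from the server's own interface address.
    local = giaddr.is_unspecified
    key = SERVER_IF if local else giaddr
    for name, net in SCOPES.items():
        if key in net:
            return name, ("local broadcast" if local else str(giaddr))
    return None, None  # relayed from a subnet without a scope: no offer
```

For a relayed request the OFFER is unicast to the GIADDR, so the server needs a working route back to each VLAN interface address, which is the routing condition in point 2/ above.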
ASKER
Hello, thank you both for the comments.
ip helper-address is defined on the VLAN interfaces (+ IP address of the DHCP Server 2008 / member of native VLAN1).
The ASA is the default gateway for the DHCP Server 2008.
Inter-VLAN routing is enabled on the Catalyst 3750X stack (ip routing).
2/ The dhcp server must be able to route packets to all the vlans. If the router for the DHCP server is the catalyst, no problem. If not, you can create a static route to each vlan on the router used by the dhcp server. -> I created the extra internal static routes on the ASA firewall (10.70.10.1 / member VLAN1).
Please find the config of the equipment attached.
I notice that I did not specify an ip helper-address on the native VLAN, but this is not required because the DHCP server is a member of this VLAN1?
CiscoAsaconfigExperts.txt
cat3750configVexperts.txt
Your routes on the Asa should next hop to the vlan 1 interface on the catalyst.
ASKER
Hello, thank you all for the comments. I'll try ASAP to change the default gateway of the DHCP server and let you know.
I don't get the point that soulja made in comment https://www.experts-exchange.com/questions/28298083/routing-vlans-and-multiple-scope-on-server-2008-R2.html?anchorAnswerId=39665568#a39665568 but I may have misunderstood it.
AFAICT, ASA is your access to the outside world, it should not default route to anything inside your LAN. Yet, the routes to the private subnets on the ASA should actually be set so that the packets for these subnets are sent to Catalyst VLAN1 interface
There are 2 (mutually exclusive) options for me, see my comment https://www.experts-exchange.com/questions/28298083/routing-vlans-and-multiple-scope-on-server-2008-R2.html?anchorAnswerId=39665560#a39665560
I don't mean for the default route on the Asa to be pointed inside. I am referring to the static routes for return traffic to his internal vlans.
Of course the default route for the ASA would be pointed to the ISP.
OK, Then we are in agreement.
Default route on Asa pointed to internet.
Default route on catalyst pointed to asa.
Static routes to internal VLANs on ASA pointed to VLAN 1 interface of Catalyst.
Server gateway set to catalyst vlan 1.
ASKER
Hello both of you, I changed the DHCP server default gateway to the VLAN 1 interface of the Catalyst switch and removed the persistent routes I made. This works, but it takes about 45 seconds or more to receive an IP address from the DHCP server. It is on all VLANs. The switches are not rebooted, so the STP topology is already built.
What can cause this delay? Thanks for your guidance.
Can you post configs. I have this same setup at home and my dhcp requests take seconds.
Ha! Exactly. PortFast isn't configured.
conf t
spanning-tree portfast default (if you want all ports configured)
or
int gix/x
spanning-tree portfast
(individual interfaces)
ASKER
Thank you. Is that the same as RSTP that is often used inside the VLANs?
I added an Aeropoint 2600 to VLAN2, configured with the IP address of VLAN2 as default gateway. The switches (meanwhile I also added 2 CAT2960 switches) can ping the Cisco AP, and the AP can ping the server and the VLAN IP addresses of all switches. However, a WiFi client doesn't receive a DHCP address, and when I give the client a static IP it cannot even ping the IP address of the AP or anything else?
This is another problem now... You have a problem with a WiFi AP. It is not related to DHCP since even with a static address it does not work.
It deserves its own question I think.
Is the previous problem (DHCP with multiple VLANs) solved ?
ASKER
You're right, I will post it in another question for you. The DHCP process takes about 30 seconds now instead of a minute.
cat3750X-29112013expertsexch-con.rtf
config-cat2960-1expertsexchange.rtf
config-cat2960-2expertsexch.rtf
Correction vlan 1 interface is shut.
ASKER
Hi, I enabled VLAN1 on the second 2960. I use multiple trunks to each switch indeed and did not enable EtherChannel because I don't need much bandwidth. NoPortnegotiation is also not enabled for the moment. Portfast default is set on all switches but it still takes a lot of time. I will make a connection again to the backbone (3750) and proceed on the other switches to determine if there is a difference in time.
Thank you
CAT3750XCORE#
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3
                                                Gi1/0/4, Gi1/0/5, Gi1/0/6
                                                Gi1/0/7, Gi1/0/8, Gi1/0/9
                                                Gi1/0/10, Gi1/0/11, Gi1/0/12
                                                Gi1/0/13, Gi1/0/14, Gi1/0/15
                                                Gi1/0/16, Gi1/0/17, Gi1/0/18
                                                Gi1/0/19, Gi1/0/20, Gi1/0/23
                                                Gi1/1/1, Gi1/1/2, Gi1/1/3
                                                Gi1/1/4, Gi2/0/1, Gi2/0/2
                                                Gi2/0/3, Gi2/0/4, Gi2/0/5
                                                Gi2/0/6, Gi2/0/7, Gi2/0/8
                                                Gi2/0/9, Gi2/0/10, Gi2/0/11
                                                Gi2/0/12, Gi2/0/13, Gi2/0/14
                                                Gi2/0/15, Gi2/0/16, Gi2/0/17
                                                Gi2/0/18, Gi2/0/19, Gi2/0/20
                                                Gi2/0/23, Gi2/1/1, Gi2/1/2
                                                Gi2/1/3, Gi2/1/4
2    TSLNG-WIFI                       active    Gi1/0/21, Gi1/0/22, Gi2/0/21
                                                Gi2/0/22
3    TSLNG-VOICE                      active
1002 fddi-default                     act/unsup

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
CAT3750XCORE#
CAT3750XCORE#sh int trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/24    on               802.1q         trunking      1
Gi2/0/24    on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/24    1-4094
Gi2/0/24    1-4094

Port        Vlans allowed and active in management domain
Gi1/0/24    1-3
Gi2/0/24    1-3

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/24    none
Gi2/0/24    1-3
CAT3750XCORE#
CAT2960_1#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gi0/1, Gi0/2
2    TSLNG-WIFI                       active    Fa0/48
3    TSLNG-VOICE                      active    Fa0/25, Fa0/26, Fa0/27, Fa0/28
                                                Fa0/29, Fa0/30, Fa0/31, Fa0/32
                                                Fa0/33, Fa0/34, Fa0/35, Fa0/36
                                                Fa0/37, Fa0/38, Fa0/39, Fa0/40
                                                Fa0/41, Fa0/42, Fa0/43, Fa0/44
                                                Fa0/45, Fa0/46, Fa0/47
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
CAT2960_1#

Port        Mode             Encapsulation  Status        Native vlan
Gi0/3       on               802.1q         trunking      1
Gi0/4       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/3       1-4094
Gi0/4       1-4094

Port        Vlans allowed and active in management domain
Gi0/3       1-3
Gi0/4       1-3

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/3       1-3
Gi0/4       1-3
CAT2960_1#
CAT2960_2#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gi0/1, Gi0/2
2    TSLNG-WIFI                       active
3    TSLNG-VOICE                      active    Fa0/25, Fa0/26, Fa0/27, Fa0/28
                                                Fa0/29, Fa0/30, Fa0/31, Fa0/32
                                                Fa0/33, Fa0/34, Fa0/35, Fa0/36
                                                Fa0/37, Fa0/38, Fa0/39, Fa0/40
                                                Fa0/41, Fa0/42, Fa0/43, Fa0/44
                                                Fa0/45, Fa0/46, Fa0/47, Fa0/48
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
CAT2960_2#
CAT2960_2#sh int trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/3       on               802.1q         trunking      1
Gi0/4       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/3       1-4094
Gi0/4       1-4094
I see only two trunks on the 3750, so I assume one goes to each 2960 correct? On the 2960, I see two trunks, so I assume the 2960 are connected to one another?
ASKER
Yes, exactly.
ASKER
Vivigatt and soulja, thank you for your assistance on this.
I would like to verify the config further as a function of a branch office that will be made and create questions about this. Would be great if you read them. Regards
interface vlan x
ip helper-address x.x.x.x
x.x.x.x being the ip address of the dhcp server. You will then not need local routes on the server as it will see unicast coming from the sourced vlan of the dhcp request.