• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1863

I need help blocking DHCP on a trunk port

I have 2 Procurve switches connected via gbic fiber. Both switches have DHCP servers in the network segments they handle (10.10.20.x/16 and 10.10.30.x/16). Unfortunately sometimes clients attached to one switch grab an IP address from the dhcp server on the other switches network segment. In essence I need to block DHCP from going across that GBIC wire. How can I configure this?

Any help would really be appreciated.
Asked by: vielmetter
1 Solution
 
Brooklyn_Shogun commented:
Hello:

From what I am seeing in your question:

"Both switches have DHCP servers in the network segments they handle (10.10.20.x/16 and 10.10.30.x/16)"

If this is the exact setup then your issue is that the network mask is wrong because the network ID would be 10.10.0.0.

1) Check that you have the DHCPs set to a subnet mask of 255.255.255.0

vielmetter (Author) commented:
My DHCPs need to talk to each other; they are DCs and they need to be able to communicate with each other across a trust relationship.

Is there a way to make adjustments on the switch that will prevent these packets going back and forth between switches and networks?

kyleb84 commented:
What type of switches are they? 2600? 2800? Higher?

If they are, they'll do routing, and since you can't do ACLs, if you make each subnet a routable network you'll retain your interconnectivity and stop DHCP being broadcast across each switch.

On your first switch, configure it similarly to this
- Assuming 24-port switches, that your GBIC is port 24, and that your default gateway isn't .254

(10.10.20.0/24)

vlan 1
 name "Network20"
 ip address 10.10.20.254/24
 untagged 1-23
 tagged 24

vlan 3
 name "Network30"
 ip address 10.10.30.253/24
 tagged 24

ip default-gateway x.x.x.x
---------------------

Second switch (10.10.30.0/24):

vlan 1
 name "Network20"
 ip address 10.10.20.253/24
 tagged 24

vlan 3
 name "Network30"
 ip address 10.10.30.254/24
 untagged 1-23
 tagged 24

ip default-gateway 10.10.20.254
------------------------

Set your DHCP servers, and your DCs etc., to /24
Set your 10.10.20.0/24 DHCP range to have a default gateway of the Network20 switch 10.10.20.254
Set your 10.10.30.0/24 DHCP range to have a default gateway of the Network30 switch 10.10.30.254
Set your internet gateway to 10.10.20.x/24, and give it a route to the 10.10.30.0/24 network via the Network20 switch (10.10.20.254)
Set the x.x.x.x in your Network20 switch's config to your internet gateway (10.10.20.1?)

- Now DHCP will be blocked from going to either switch
- Your DCs (10.10.20.2 and 10.10.30.2 for example) are connected to their respective switch and they remain connected because their default route is their switch
- Everyone still has internet because the Network20 switch will forward all packets to the default gateway (your internet router).

-------------------------------

Either do all that, buy a Cisco 877 router to do ACLs, or just disable your DHCP on one DC.
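To see why the VLAN layout above keeps each DHCP server's broadcasts on its own side of the GBIC link, here is an added Python example (not code from the thread, and not HP's) that parses the relevant subset of ProCurve VLAN syntax and floods a client's DHCP discover through the two-switch topology. The topology is an assumption: switches named sw1 and sw2, port 24 on each being the GBIC cabled to the other, and hosts on port 5. The "flat" config (one untagged VLAN on every port, the situation the question describes) is constructed for comparison with kyleb84's layout.

```python
"""Flood a client's untagged broadcast (a DHCP discover) through two ProCurve
switches joined by a trunk and report which edge ports would see it.
Added illustration, not code from the thread or from HP. Handles only the
'vlan N' / 'untagged LIST' / 'tagged LIST' lines; name and IP lines are ignored.
Assumed topology (not in the original post): switches sw1 and sw2, GBIC port 24
on each cabled together, hosts on the remaining ports.
"""
import re
from collections import deque


def _ports(spec):
    """'1-23,25' -> {1, ..., 23, 25}"""
    out = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            out.update(range(int(lo), int(hi) + 1))
        elif part:
            out.add(int(part))
    return out


def parse_procurve(text):
    """Return {vlan_id: {'untagged': ports, 'tagged': ports}} from a config fragment."""
    vlans, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"vlan (\d+)", line)
        if m:
            cur = int(m.group(1))
            vlans[cur] = {"untagged": set(), "tagged": set()}
            continue
        m = re.fullmatch(r"(untagged|tagged) (.+)", line)
        if m and cur is not None:
            vlans[cur][m.group(1)] |= _ports(m.group(2))
    return vlans


def pvid(vlans, port):
    """VLAN an untagged frame entering `port` joins (None if the port is untagged nowhere)."""
    return next((v for v, m in vlans.items() if port in m["untagged"]), None)


def flood(switches, links, src):
    """Return the set of edge (switch, port) pairs that receive a broadcast sent
    untagged into `src`. `links` maps a trunk (switch, port) to its far end."""
    src_sw, src_port = src
    vid = pvid(switches[src_sw], src_port)
    if vid is None:
        return set()
    seen, out, q = {src_sw}, set(), deque([(src_sw, vid)])
    while q:
        sw, v = q.popleft()
        members = switches[sw].get(v, {"untagged": set(), "tagged": set()})
        for p in members["untagged"] | members["tagged"]:
            if (sw, p) == src:
                continue
            far = links.get((sw, p))
            if far is None:
                out.add((sw, p))  # edge port: an attached host sees the frame
                continue
            far_sw, far_port = far
            if far_sw in seen:
                continue
            if p in members["tagged"]:  # leaves tagged: far port must be tagged in v
                far_tagged = switches[far_sw].get(v, {"tagged": set()})["tagged"]
                far_v = v if far_port in far_tagged else None
            else:  # leaves untagged: lands in the far port's PVID
                far_v = pvid(switches[far_sw], far_port)
            if far_v is not None:
                seen.add(far_sw)
                q.append((far_sw, far_v))
    return out


# Constructed configs: FLAT is one VLAN on all ports (both switches); the
# *_AFTER fragments are the VLAN parts of kyleb84's layout.
FLAT = 'vlan 1\n name "DEFAULT_VLAN"\n untagged 1-24\n'
SW1_AFTER = 'vlan 1\n name "Network20"\n untagged 1-23\n tagged 24\nvlan 3\n name "Network30"\n tagged 24\n'
SW2_AFTER = 'vlan 1\n name "Network20"\n tagged 24\nvlan 3\n name "Network30"\n untagged 1-23\n tagged 24\n'
LINKS = {("sw1", 24): ("sw2", 24), ("sw2", 24): ("sw1", 24)}


def dhcp_server_reached(sw1_cfg, sw2_cfg, client=("sw1", 5), server=("sw2", 5)):
    """Does a DHCP discover sent by `client` reach the port `server` hangs off?"""
    switches = {"sw1": parse_procurve(sw1_cfg), "sw2": parse_procurve(sw2_cfg)}
    return server in flood(switches, LINKS, client)


if __name__ == "__main__":
    print("flat VLAN: sw2 DHCP server hears sw1 client ->", dhcp_server_reached(FLAT, FLAT))
    print("after fix: sw2 DHCP server hears sw1 client ->", dhcp_server_reached(SW1_AFTER, SW2_AFTER))
```

The trunk still carries both VLANs tagged, so the DCs keep talking through the switches' routed interfaces; what changes is that a client's discover is flooded only within its own VLAN, and on the far switch that VLAN contains nothing but the trunk port.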
vielmetter (Author) commented:
kyleb84, I like your solution and will credit you the points because I think this solution will work. I do have a Cisco router with 2 Ethernet interfaces. If I use it to do ACLs (as you suggest above), how would I go about it? What would a basic ACL look like to block DHCP? And if I do this, aren't I limiting my connection between the two switches from 1000 (GBIC speed) to 100 (router Ethernet port speed)? In any case, I'd be curious as to how to create an ACL that blocks DHCP on a Cisco router, especially if both networks are in the same subnet.

vielmetter (Author) commented:
Great answer! Not just an idea, but a clear concrete set of steps that will resolve the problem.
Thanks

kyleb84 commented:
To give a better example, what model is the Cisco router?

The access list would look like this:

access-list 111 deny udp any any eq bootps
access-list 111 deny udp any any eq bootpc
access-list 111 permit ip any any

Assign it to an interface:

int Vlan1
 ip access-group 111 in

You would then have to put this router in-line between the switches, and yes, you would lose your Gigabit speeds, unless your DCs are on 100 Mbit and you throw it in between them and the switches (2 x Ciscos required).

Depending on the model, you'd have to make both ports a member of a bridge to keep the same subnet across them.

But in any case, that'd be the general solution.



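As an added example (not code from the thread, and not Cisco's), the following Python evaluates a small subset of IOS numbered extended-ACL syntax with first-match and implicit-deny semantics against constructed sample packets, so you can check that the list above drops both the client's DISCOVER/REQUEST (destination port 67, bootps) and the server's OFFER/ACK (destination port 68, bootpc) while the DC-to-DC DNS and SMB traffic still passes. It also rejects an entry that has a source but no destination, the easiest slip to make when writing these lines by hand. The packets and the 10.10.20.x/10.10.30.x addresses are constructed for the demonstration.

```python
"""Evaluate a subset of Cisco IOS numbered extended ACLs. Added example, not
Cisco's code. Grammar handled per entry:
  access-list N permit|deny ip|udp|tcp SRC [eq PORT] DST [eq PORT]
where SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
"""
import ipaddress

NAMED_PORTS = {"bootps": 67, "bootpc": 68, "domain": 53}
PROTO_NUM = {"ip": None, "udp": 17, "tcp": 6}  # None = any IP protocol

# Constructed ACL text, the corrected form of the list in the thread.
DHCP_BLOCK_ACL = """
access-list 111 deny udp any any eq bootps
access-list 111 deny udp any any eq bootpc
access-list 111 permit ip any any
"""


def _port(tok):
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)


def _addr(toks, i):
    """Consume an address spec at toks[i]; return (matcher, next index)."""
    if i >= len(toks):
        raise ValueError("missing address in: " + " ".join(toks))
    if toks[i] == "any":
        return (lambda a: True), i + 1
    if toks[i] == "host":
        ip = int(ipaddress.IPv4Address(toks[i + 1]))
        return (lambda a, ip=ip: int(a) == ip), i + 2
    ip = int(ipaddress.IPv4Address(toks[i]))
    mask = int(ipaddress.IPv4Address(toks[i + 1])) ^ 0xFFFFFFFF  # wildcard -> netmask
    return (lambda a, ip=ip, m=mask: int(a) & m == ip & m), i + 2


def _portspec(toks, i):
    """Optional 'eq PORT' at toks[i]; return (matcher, next index)."""
    if i < len(toks) and toks[i] == "eq":
        p = _port(toks[i + 1])
        return (lambda x, p=p: x == p), i + 2
    return (lambda x: True), i


def parse_acl(text):
    """Parse access-list entries into (action, proto, src, sport, dst, dport) tuples."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] != "access-list":
            continue
        action, proto = toks[2], PROTO_NUM[toks[3]]
        src, i = _addr(toks, 4)
        sport, i = _portspec(toks, i)
        dst, i = _addr(toks, i)  # raises ValueError if the entry has no destination
        dport, i = _portspec(toks, i)
        rules.append((action, proto, src, sport, dst, dport))
    return rules


def evaluate(rules, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(pkt["src"]), ipaddress.IPv4Address(pkt["dst"])
    for action, proto, src, sport, dst, dport in rules:
        if proto is not None and proto != pkt["proto"]:
            continue
        if src(s) and sport(pkt["sport"]) and dst(d) and dport(pkt["dport"]):
            return action
    return "deny"


# Constructed sample packets (UDP = 17, TCP = 6); DC addresses follow kyleb84's example.
SAMPLES = {
    "dhcp_discover": dict(proto=17, src="0.0.0.0", sport=68, dst="255.255.255.255", dport=67),
    "dhcp_offer": dict(proto=17, src="10.10.30.2", sport=67, dst="255.255.255.255", dport=68),
    "dhcp_renew": dict(proto=17, src="10.10.20.50", sport=68, dst="10.10.30.2", dport=67),
    "dns_query": dict(proto=17, src="10.10.20.2", sport=51000, dst="10.10.30.2", dport=53),
    "smb_session": dict(proto=6, src="10.10.20.2", sport=49152, dst="10.10.30.2", dport=445),
}


def classify(acl_text=DHCP_BLOCK_ACL, samples=SAMPLES):
    """Map each sample packet name to the verdict the ACL gives it."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt) for name, pkt in samples.items()}


def entry_is_complete(line):
    """True if an entry parses with both a source and a destination."""
    try:
        parse_acl(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{name:14s} {verdict}")
    print("'any eq bootps' without a destination parses:",
          entry_is_complete("access-list 111 deny udp any eq bootps"))
```

Note that the two deny lines match on destination port only: a renewal sent unicast to the wrong server (port 68 to port 67) is caught by the same bootps entry as the broadcast discover, so no source-port matching is needed.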
 
kyleb84 commented:
Sorry, should add this command to the bottom of either Switch config to actually turn on routing.

ip routing

vielmetter (Author) commented:
My procurve doesn't have the ip default-gateway 10.10.20.254 command. Do I just use 0.0.0.0 0.0.0.0 10.10.20.254 instead? or is that wrong?