Solved

Single Windows DNS Server with multiple V-Lans

Posted on 2010-11-17
Last Modified: 2012-05-10
We are getting some outside CCNA/CCNP guys to help us segment our single V-Lan network. They want to set up our old Cisco 2600 Router to give us several v-lans.  We want to future proof the network as much as possible for growth of each department.  We aren't too knowledgeable about this process but are working hard to learn as much as we can so that we can manage it well when the help is gone.  They are enabling inter-V-Lan Routing so each segment can talk to each other.  They want to let the Cisco router handle DHCP and they aren't sure about internal DNS.

Our first question is: How does internal DNS work with V-Lans and Inter-V-Lan Routing?  The CCNA guys said they would have the Cisco router manage DHCP, but us Microsoft guys cringed at that.  We are not looking forward to learning how to run the Cisco router well enough to troubleshoot IP Address problems if they arise in the future after the help leaves.  Our thought is to set it up so windows servers handle both DNS and DHCP.  Can a single Windows server handle this?  Will there need to be a DNS and DHCP server for each V-Lan?  We are considering approximately 8-9 V-Lans so that may be too many windows servers.  
If we use one Server for DNS and/or DHCP would there have to be a different NIC for each V-Lan?

We are open to any ideas that would allow us to manage our network easily as time goes on.  We aren't opposed to learning the Cisco stuff, but it isn't a quick process and time is of the essence in this situation.

Thanks for any thoughts you can add!
Question by:Nick Daniels
13 Comments
 
LVL 2

Expert Comment

by:cranakis
Just my thoughts and experience.  I would definitely let the router manage the VLans.  Troubleshooting CISCO equipment is not really very hard and for basic issues you will have no problems.  I am sure it can be done in Windows as well but it will put a fair amount of unnecessary load on the machine.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
Do NOT allow Cisco to run your DHCP. If you are running a domain, you should always allow Windows to run DHCP in a domain environment. Now with DNS you can run one DNS server for all VLANs. You can do the same for DHCP, but you need to make sure that you set up DHCP Relay on the Cisco devices to allow for broadcast of DHCP requests to the DHCP server. You can go with the multiple NIC solution as well, but overall you need to configure DHCP to run multiple Subnets with superscopes.

http://technet.microsoft.com/en-us/library/cc757614(WS.10).aspx

http://technet.microsoft.com/en-us/library/cc958938.aspx
0
 

Author Comment

by:Nick Daniels
Well we fully intend to let the Cisco Router handle the V-Lans, but the question is how does the Cisco deal with Internal DNS?   Is it going to send all our internal NAT Name requests to the ISP Primary DNS Servers?  Or does it have a DNS server built in basically?  Also if it does have some DNS feature is it limited only to NetBIOS?

Thanks for jumping right in on this one!
0
 
LVL 70

Accepted Solution

by: Chris Dent (earned 500 total points)

> How does internal DNS work with V-Lans and Inter-V-Lan Routing?  

Same way as it does without really. It's a database of names / IPs, the fact that those IPs might be on different subnets has no impact.

> Can a single Windows server handle this?  

Probably. Unless you have thousands upon thousands of users it will not suffer under the load.

> Will there need to be a DNS and DHCP server for each V-Lan?  

Absolutely not.

DHCP is harder, but they should be able to configure IP helpers for DHCP for you, allowing you to run a single DHCP server with a number of scopes.

> If we use one Server for DNS and/or DHCP would there have to be a different NIC for each V-Lan?

No, the IP helper gets you from the original subnet (as Broadcast) to a single IP address / interface for the DHCP server. The actual address they get is handed out based on the GIADDR field of the DHCP request (not based on the fact that it ended up at the DHCP server).

If you aren't comfortable handling DHCP on Cisco kit you should absolutely push for a solution that you are comfortable with, MS DHCP is perfectly capable of operating in this environment without you needing to manage 8 - 9 servers.

Please do yell if you have any follow-on questions.

HTH

Chris
0
 
LVL 59

Expert Comment

by:Darius Ghassem
Again, if you are running a domain then your clients must point to your internal DNS servers no matter what. If you run Windows DNS, this allows for Dynamic Updates.
0
 
LVL 70

Expert Comment

by:Chris Dent

It honestly doesn't matter which you use for DHCP, but I would push for the comfort factor which seems to swing it in favour of MS?

> but the question is how does the Cisco deal with Internal DNS

Addressing this specifically. It does not, at all. The DHCP server (whether that's Cisco or MS) will hand out a DNS server for clients to use. That DNS server must meet the requirements of your AD Domain, and if it's still MS DNS then it will.

The DNS server given to clients will also deal with external name resolution. You want no mention of anything but internal DNS servers inside your network. They should only be present as Forwarders on your DNS server (if you want to use forwarders).

You only really need to be troubled about DNS if you're NATing addresses between these subnets, something I would have a great deal of trouble endorsing. Is that something they wish to do?

Chris
0

 

Author Comment

by:Nick Daniels
Chris-Dent:
They haven't used the term "Nat'ing addresses between subnets", but they have discussed the benefits of Inter-V-Lan Routing so that one V-Lan could potentially share a file directly with another, or a printer from another department etc...  Are they different?  

What do you guys think the benefits of Inter-V-Lan Routing are?  Is it worth it?  I know of no drawback as of yet...
0
 
LVL 70

Expert Comment

by:Chris Dent
> Are they different?  

Yes. What they suggest is a good thing in my opinion, we want inter-vlan routing. It means you'll be able to talk to a client on VLAN-Y from VLAN-X.

At the very least everyone will need to be able to talk to the server VLAN (assuming there is such a thing), that will require inter-vlan routing. Whether or not you extend that across all clients is up to you.

Chris
0
 
LVL 70

Expert Comment

by:Chris Dent

Just on NATing again, with the intent of clarifying.

I would expect them only to use NATing on the borders of your network, chances are you do already. That is, when you make an outbound connection from any machine inside your network I would expect it to come from a single public IP address.

e.g.

   Client1 (192.168.0.1)
   Client2 (192.168.0.2)     ---->     (192.168.0.254) Your Firewall (1.2.3.4)     ---->     The Internet
   Client3 (192.168.0.3)

In this example, the internal IP addresses are NATed to 1.2.3.4 by the Firewall, allowing many clients to talk to stuff outside of your network using a single IP address.

With Inter-VLAN routing in place as well we extend that a bit (with my bad ASCII art):

   Client1 (192.168.0.1 VLAN 1)     ____
   Client2 (192.168.0.2 VLAN 1)         |
                                        |
   Client3 (192.168.1.1 VLAN 2)         |
   Client4 (192.168.1.2 VLAN 2)     ----|---->    (192.168.255.254) Your Firewall (1.2.3.4)     ---->     The Internet
   Client5 (192.168.1.3 VLAN 2)         |
                                        |
   Client6 (192.168.2.1 VLAN 3)     ____|
   Client7 (192.168.2.2 VLAN 3)

In this case Inter-VLAN routing lets each of the clients talk to each other without NATing addresses. Everyone appears as their own IP. Yet, when they chat to the outside world they'd still be NATed by the firewall.

HTH

Chris
0
 

Author Comment

by:Nick Daniels
I thought that DNS queries would be blocked with broadcast traffic by the segmented V-Lans.  But what I hear you folks saying is that it isn't blocked by the V-Lans at all.  Is that Correct?


So it sounds like for all intents and purposes Inter-VLAN routing makes the various different sub-nets act as one subnet/VLAN as far as DNS and client-to-client connectivity is concerned, but separates broadcast traffic to allow a smoother less congested network.

You have already given so much info, I wonder if you or someone could explain this quote from you earlier a bit more:

"> If we use one Server for DNS and/or DHCP would there have to be a different NIC for each V-Lan?

No, the IP helper gets you from the original subnet (as Broadcast) to a single IP address / interface for the DHCP server. The actual address they get is handed out based on the GIADDR field of the DHCP request (not based on the fact that it ended up at the DHCP server)."

Is it the "Switch" in between the router and the DHCP Server and the Clients that handles this "GIADDR field"?  Where is this done and how does the switch, which is VLAN'd know to give a certain subnet scope to a certain VLAN from the Windows DHCP Server, when it's all coming from one Interface?

For example:
Windows DHCP server NIC ---> Switch port 1(VLAN3)
(Switch ports 1-5 are set to VLAN10 - 192.168.10.0 - which is the management VLAN)
(ports 6-10 are set to VLAN4 - 192.168.4.0 - Accounting Depot)

How does an accounting client that is plugged into port 7 know to get an address from the 192.168.4.0 sub-net?

Great artwork BTW Chris, it was very helpful!
0
 
LVL 70

Expert Comment

by:Chris Dent

DNS traffic isn't broadcast, it's Unicast (point-to-point), so it won't be blocked on the subnet boundary. NetBIOS is Broadcast based, but we don't need to care about that unless you want network browsing. Personally I disable NetBIOS entirely on all the networks I build, no WINS, no broadcast, no browsing, no mess.

> Is it the "Switch" in between the router and the DHCP Server and the Clients that handles this "GIADDR field"?

Yes, it's the IP Helper they'd need to establish on the thing handling inter-vlan routing that must fill in the GIADDR field. It's used by the DHCP server to figure out which of the scopes it should draw a request from (when more than one scope is configured).

Super-scopes were mentioned before and I feel I should touch on that briefly. It's an administrative feature, allows you to stick a bunch of scopes into a folder with a pretty name, it has no practical impact on the operation of your DHCP service.

> How does an accounting client that is plugged into port 7 know to get an address from the 192.168.4.0 sub-net?

When a client sends a request for an address to DHCP it pops a broadcast request off to 255.255.255.255, the big broadcast address in the sky.

The IP Helper picks up this request, pops an IP address into the GIADDR field, then sends it on to the specified DHCP server as Unicast (point-to-point).

The DHCP server creates an offer from the scope that matches the address in the GIADDR field, then it returns the offer to the IP Helper, which, in turn, pops it back down to the client.

Bad diagrams again :)

                    Client7 (Port 7)                           <-- No IP at all yet
                               |
   Broadcast DHCP Discover (255.255.255.255)  <-- This is the first step in the DHCP conversation
                               |
                      192.168.4.254                            <-- This goes into the GIADDR field
                           Switch
                    192.168.255.254                          <-- For the sake of argument this is the server LAN
                               |
                      DHCP Server                             <-- This generates a DHCP Offer to return
                               |
               192.168.4.0 255.255.255.0                <-- This is the matching scope

There are more steps before they finalise the lease, but that's perhaps the most important part here.

Chris
0
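The DISCOVER / IP helper / GIADDR / scope-match sequence Chris walks through above (and the DHCP Relay and superscope points Darius raised earlier) can be followed end to end in code. The model below is an added example written for this page; it is not code from the thread, from Cisco IOS or from Windows DHCP. The scope table, the .254 gateway per VLAN, the 192.168.255.0/24 server LAN and the internal DNS server 192.168.255.10 are all assumed values chosen to match the thread's diagrams. It builds an RFC 2131 DISCOVER exactly as a client with no address would, lets the relay stamp GIADDR, has the server choose the scope from GIADDR (never from the interface the packet arrived on, and never from the superscope label), and returns the OFFER to the relay. The summary also checks that the DNS server handed out is an internal address, which is the point Chris made about clients seeing nothing but internal DNS servers.

```python
"""Model of a DHCP DISCOVER relayed by an IP helper and answered by a
multi-scope DHCP server that selects the scope from GIADDR.
Constructed example for this thread; not Cisco or Microsoft code.
Scopes, gateways and the DNS server address below are assumed values."""
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSGTYPE, OPT_MASK, OPT_ROUTER, OPT_DNS, OPT_END = 53, 1, 3, 6, 255

# Assumed scopes. The superscope label is administrative grouping only;
# the server never consults it when matching GIADDR to a scope.
SCOPES = {
    ipaddress.ip_network("192.168.4.0/24"):   "Accounting VLAN4 (superscope HQ)",
    ipaddress.ip_network("192.168.10.0/24"):  "Management VLAN10 (superscope HQ)",
    ipaddress.ip_network("192.168.255.0/24"): "Server LAN (superscope HQ)",
}
SERVER_NET = ipaddress.ip_network("192.168.255.0/24")  # assumed: server's own segment
INTERNAL_DNS = ipaddress.ip_address("192.168.255.10")  # assumed: internal AD DNS
_next_host = {}  # scope -> next host number to hand out (toy allocator)


def build_discover(mac: bytes, xid: int) -> bytes:
    """RFC 2131 fixed header (236 bytes) + options for a DISCOVER.
    ciaddr, yiaddr, siaddr and giaddr are all zero: the client has no IP yet."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                         bytes(4), bytes(4), bytes(4), bytes(4),
                         mac.ljust(16, b"\0"), bytes(64), bytes(128))
    return header + MAGIC_COOKIE + bytes([OPT_MSGTYPE, 1, DHCPDISCOVER, OPT_END])


def relay(packet: bytes, helper_iface_ip: str) -> bytes:
    """The IP helper on the VLAN's routed interface: if GIADDR is still zero,
    fill in the address of the interface the broadcast arrived on, bump the
    hop count, and forward the packet to the server as unicast."""
    if packet[24:28] == bytes(4):
        packet = packet[:24] + ipaddress.ip_address(helper_iface_ip).packed + packet[28:]
    return packet[:3] + bytes([packet[3] + 1]) + packet[4:]


def select_scope(packet: bytes):
    """Scope selection as the server does it: by GIADDR when the request was
    relayed, otherwise by the segment the server itself sits on."""
    giaddr = ipaddress.ip_address(packet[24:28])
    if giaddr == ipaddress.ip_address("0.0.0.0"):
        return SERVER_NET if SERVER_NET in SCOPES else None
    return next((net for net in SCOPES if giaddr in net), None)


def serve(packet: bytes):
    """Return a DHCPOFFER, or None when no scope matches GIADDR.
    Real servers likewise ignore the request rather than guess a scope."""
    scope = select_scope(packet)
    if scope is None:
        return None
    host = _next_host.get(scope, 10)        # toy allocator: leases start at .10
    _next_host[scope] = host + 1
    yiaddr = scope.network_address + host
    gateway = scope.network_address + 254   # assumed: each VLAN's gateway is .254
    offer = bytearray(packet)
    offer[0] = BOOTREPLY
    offer[16:20] = yiaddr.packed            # yiaddr: the address being offered
    opts = (bytes([OPT_MSGTYPE, 1, DHCPOFFER, OPT_MASK, 4]) + scope.netmask.packed
            + bytes([OPT_ROUTER, 4]) + gateway.packed
            + bytes([OPT_DNS, 4]) + INTERNAL_DNS.packed + bytes([OPT_END]))
    return bytes(offer[:236]) + MAGIC_COOKIE + opts


def parse_options(packet: bytes) -> dict:
    """Walk the TLV option area that follows the magic cookie (offset 240)."""
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def dhcp_exchange(mac: bytes, vlan_gateway: str):
    """DISCOVER -> relay -> server -> OFFER, summarised from the client's view.
    The server unicasts the OFFER to GIADDR; the relay hands it to the client."""
    discover = relay(build_discover(mac, 0x1234), vlan_gateway)
    offer = serve(discover)
    if offer is None:
        return None
    opts = parse_options(offer)
    dns = [str(ipaddress.ip_address(opts[OPT_DNS][i:i + 4]))
           for i in range(0, len(opts[OPT_DNS]), 4)]
    return {
        "scope": SCOPES[select_scope(discover)],
        "address": str(ipaddress.ip_address(offer[16:20])),
        "mask": str(ipaddress.ip_address(opts[OPT_MASK])),
        "router": str(ipaddress.ip_address(opts[OPT_ROUTER])),
        "dns": dns,
        "offer_sent_to": str(ipaddress.ip_address(offer[24:28])),
        # Coarse check: "internal" here means RFC 1918; adapt to your address plan.
        "dns_is_internal": all(ipaddress.ip_address(d).is_private for d in dns),
    }


if __name__ == "__main__":
    print(dhcp_exchange(b"\x00\x11\x22\x33\x44\x55", "192.168.4.254"))  # accounting client on port 7
    print(dhcp_exchange(b"\x00\x11\x22\x33\x44\x66", "192.168.9.254"))  # VLAN with no scope: None
```

Two details worth noticing when you test the real thing: a request from a VLAN whose gateway has no matching scope simply gets no answer (so a client stuck at 169.254.x.x after a new VLAN is added usually means a missing scope or a helper pointing at the wrong server), and the OFFER goes back to the helper address rather than to the client, so a firewall between the router and the DHCP server has to allow UDP 67 in both directions between those two addresses.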
 

Author Comment

by:Nick Daniels
Everyone is always so helpful here, thanks all for the awesome assistance!  It's a huge help.
0
 
LVL 70

Expert Comment

by:Chris Dent

Glad it helped :)

Chris
0
