Solved

routing vlans and multiple scope on server 2008 R2

Posted on 2013-11-19
26
988 Views
Last Modified: 2013-12-04
Hi, can someone explain how to properly configure routing so that I can use multiple DHCP scopes from a DHCP server 2008 on multiple VLANs from a Cisco Catalyst infrastructure? The default gateway for the LAN environment is an ASA 5505.
I have a CAT3750 stack with VLAN1 (native), VLAN2, VLAN3.
IP routing is enabled on the CAT3750 and a gateway of last resort is also defined, which points to the LAN IP of the ASA firewall.
No default gateway command on the VLAN interfaces because I use IP routing.
I defined 2 static routes on the ASA firewall for VLAN2 & 3.
A DHCP client only receives a DHCP address from the DHCP scope if I add a manual route on the DHCP server (route add <subnet vlan2> mask <gateway vlan> (= IP address defined on the VLAN2 interface on the Catalyst)).

Thank you
0
Question by:antwerp2007
26 Comments
 
LVL 26

Expert Comment

by:Soulja
ID: 39660350
Do you have the ip helper statements on your VLAN interfaces? There needs to be one for each VLAN interface where the DHCP server DOES NOT reside:

interface vlan x
ip helper-address x.x.x.x


x.x.x.x being the IP address of the DHCP server. You will then not need local routes on the server, as it will see unicast coming from the source VLAN of the DHCP request.
0
 
LVL 16

Expert Comment

by:vivigatt
ID: 39662531
1/ Inter-VLAN routing must be enabled on the Catalyst.
2/ The DHCP server must be able to route packets to all the VLANs. If the router for the DHCP server is the Catalyst, no problem. If not, you can create a static route to each VLAN on the router used by the DHCP server.
3/ When you have set the ip helper-address accordingly (refer to Soulja's comment), create the corresponding scopes on the DHCP server.
When the server receives a forwarded DHCP DISCOVER packet from one of the VLANs (which the emitting host sent to the broadcast address), said packet is forwarded to the DHCP server with the VLAN interface IP address in the GIADDR field (Gateway IP ADDRess). The DHCP server then matches the subnet of GIADDR with one of its scopes, assigns an IP address from that scope, and sends the DHCP OFFER packet to the VLAN interface, which forwards it to the emitting host.
0
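Vivigatt's GIADDR walkthrough in working code, as an added example that is not part of the thread: it builds the header of a relayed DISCOVER, picks a scope from giaddr, and shows where the OFFER is sent back, which is why the server needs a route to the VLAN interface addresses. The scope layout, client MAC and transaction id are assumptions; the subnets are the ones visible in the thread.

```python
# Added example, not code from the thread: the GIADDR-based scope selection
# vivigatt describes. Subnets are those seen in the thread; the client MAC and
# transaction id are constructed sample values.
import ipaddress
import struct

# One scope per VLAN subnet (assumed layout of the Windows DHCP server in VLAN1).
SCOPES = {
    "vlan1": ipaddress.ip_network("10.70.10.0/24"),
    "vlan2": ipaddress.ip_network("10.70.11.0/24"),
    "vlan3": ipaddress.ip_network("10.70.12.0/24"),
}
SERVER_SUBNET = SCOPES["vlan1"]

# Fixed BOOTP header: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr,
# siaddr, giaddr, chaddr (44 bytes; sname, file and options are not needed here).
BOOTP_HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s")

def build_discover(giaddr, hops, xid=0x3903F326):
    """Constructed DHCPDISCOVER header as it reaches the server. A relay
    (ip helper-address) puts its SVI address in giaddr and increments hops;
    a client on the server's own VLAN arrives with giaddr 0.0.0.0, hops 0."""
    zero4 = b"\x00" * 4
    chaddr = bytes.fromhex("001122334455") + b"\x00" * 10  # sample MAC, padded to 16
    return BOOTP_HEADER.pack(1, 1, 6, hops, xid, 0, 0x8000,  # BOOTREQUEST, Ethernet, broadcast flag
                             zero4, zero4, zero4,
                             ipaddress.ip_address(giaddr).packed, chaddr)

def parse_giaddr(packet):
    """Return (hops, giaddr) from the BOOTP header."""
    fields = BOOTP_HEADER.unpack_from(packet)
    return fields[3], ipaddress.ip_address(fields[10])

def select_scope(packet, server_subnet=SERVER_SUBNET):
    """Choose the scope from the subnet giaddr falls in, or from the receiving
    interface's subnet when giaddr is 0.0.0.0 (request was not relayed)."""
    _, giaddr = parse_giaddr(packet)
    key = server_subnet.network_address if int(giaddr) == 0 else giaddr
    for name, net in SCOPES.items():
        if key in net:
            return name
    return None  # no scope covers giaddr: nothing to offer, the server stays silent

def offer_destination(packet):
    """DHCPOFFER target: unicast to giaddr when relayed, else local broadcast.
    The unicast case is why the server needs a route to the SVI addresses,
    here reached via the Catalyst as the server's default gateway."""
    _, giaddr = parse_giaddr(packet)
    return "255.255.255.255" if int(giaddr) == 0 else str(giaddr)
```

A DISCOVER relayed from VLAN2 carries giaddr 10.70.11.10 and therefore lands in the 10.70.11.0/24 scope; with no ip helper-address the packet never leaves the VLAN and the server sees nothing at all.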
 
LVL 1

Author Comment

by:antwerp2007
ID: 39665464
Hello, thank you both for the comments.
The ip helper address is defined on the VLAN interfaces (+ the IP address of the DHCP server 2008, member of native VLAN1).
The ASA is the default gateway for the DHCP server 2008.
Inter-VLAN routing is enabled on the Catalyst 3750X stack (ip routing).

2/ The DHCP server must be able to route packets to all the VLANs. If the router for the DHCP server is the Catalyst, no problem. If not, you can create a static route to each VLAN on the router used by the DHCP server. -> I created the extra internal static routes on the ASA firewall (10.70.10.1, member of VLAN1).

Please find the config of the equipment attached.
I notice that I did not specify an ip helper address on the native VLAN, but this is not required because the DHCP server is a member of this VLAN1?
CiscoAsaconfigExperts.txt
cat3750configVexperts.txt
0
 
LVL 16

Assisted Solution

by:vivigatt
vivigatt earned 250 total points
ID: 39665560
I have helped with similar situations in the past, and adding a static route to the ASA may be troublesome (it may require a license upgrade!).
You can try it this way:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_static.html#wp1121521
However, in your ASA config, I can read that:
route inside 10.70.11.0 255.255.255.0 10.70.11.10 1
route inside 10.70.12.0 255.255.255.0 10.70.12.10 1
If these are the routes to the vlans you want, you should be all set.

If this does not work, you may do it another way: set the default route for the Catalyst to be the ASA, and set the default route for the DHCP server to use the Catalyst.

No ip helper address is needed for the subnet (vlan) in which the DHCP server resides.
0
 
LVL 26

Assisted Solution

by:Soulja
Soulja earned 250 total points
ID: 39665562
The DHCP server default gateway should be the VLAN 1 interface of the Catalyst switch.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39665568
Your routes on the ASA should next-hop to the VLAN 1 interface on the Catalyst.
0
 
LVL 1

Author Comment

by:antwerp2007
ID: 39668263
Hello, thank you all for the comments. I'll try ASAP to change the default gateway of the DHCP server and let you know.
0
 
LVL 16

Expert Comment

by:vivigatt
ID: 39669116
I don't get the point that Soulja made in comment http://www.experts-exchange.com/Networking/Misc/Q_28298083.html#a39665568 but I may have misunderstood it.
AFAICT, the ASA is your access to the outside world; it should not default route to anything inside your LAN. Yet the routes to the private subnets on the ASA should actually be set so that the packets for these subnets are sent to the Catalyst VLAN1 interface.

There are 2 (mutually exclusive) options for me, see my comment http://www.experts-exchange.com/Networking/Misc/Q_28298083.html#a39665560
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39669168
I don't mean for the default route on the ASA to be pointed inside. I am referring to the static routes for return traffic to his internal VLANs.
Of course the default route for the ASA would be pointed to the ISP.
0
 
LVL 16

Expert Comment

by:vivigatt
ID: 39669174
OK, then we are in agreement.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39669179
Default route on the ASA pointed to the internet.
Default route on the Catalyst pointed to the ASA.
Static routes to the internal VLANs on the ASA pointed to the VLAN 1 interface of the Catalyst.
Server gateway set to the Catalyst VLAN 1.
0
 
LVL 1

Author Comment

by:antwerp2007
ID: 39684268
Hello both of you, I changed the DHCP server default gateway to the VLAN 1 interface of the Catalyst switch and removed the persistent routes I made. This works, but it takes about 45 seconds or more to receive an IP address from the DHCP server. It is on all VLANs. The switches were not rebooted, so the STP topology is already built.
What can cause this delay? Thanks for your guidance.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39684355
Can you post configs? I have this same setup at home and my DHCP requests take seconds.
0
 
LVL 16

Accepted Solution

by:vivigatt
vivigatt earned 250 total points
ID: 39684367
Try to set STP to "PortFast".
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39685290
Ha! Exactly. PortFast isn't configured.
conf t
spanning-tree portfast default (if you want all ports configured)

or
interface gix/x
spanning-tree portfast
(individual interfaces)
0
 
LVL 1

Author Comment

by:antwerp2007
ID: 39685362
Thank you. Is that the same as RSTP that is often used inside the VLANs?
I added an Aironet 2600 to VLAN2, configured with the IP address of VLAN2 as default gateway. The switches (meanwhile I added 2 CAT2960 switches too) can ping the Cisco AP, and the AP can ping the server and the VLAN IP addresses of all switches. However, a WiFi client doesn't receive a DHCP address, and when I give the client a static IP it cannot even ping the IP address of the AP or anything else?
0
 
LVL 16

Expert Comment

by:vivigatt
ID: 39685436
This is another problem now... You have a problem with a WiFi AP. It is not related to DHCP, since even with a static address it does not work.
It deserves its own question, I think.

Is the previous problem (DHCP with multiple VLANs) solved?
0
 
LVL 1

Author Comment

by:antwerp2007
ID: 39685484
You're right, I will post it in another question for you. The DHCP process takes about 30 seconds now instead of a minute.
cat3750X-29112013expertsexch-con.rtf
config-cat2960-1expertsexchange.rtf
config-cat2960-2expertsexch.rtf
0
 
LVL 26

Assisted Solution

by:Soulja
Soulja earned 250 total points
ID: 39685646
I see the VLAN 2 interface on the second 2960 is shut down.

I see multiple trunks on each switch. Does each trunk go to a separate switch, or are you running multiple trunks to each switch? I would port-channel them if so. I would also change my spanning tree mode to rapid-pvst on each switch.
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39685649
Correction: the VLAN 1 interface is shut.
0
 
LVL 1

Author Comment

by:antwerp2007
ID: 39689428
Hi, I enabled VLAN1 on the second 2960. I use multiple trunks to each switch indeed and did not enable EtherChannel because I don't need much bandwidth. No port negotiation is also not enabled for the moment. PortFast default is set on all switches, but it still takes a lot of time. I will make a connection again to the backbone (3750) and proceed on the other switches to determine if there is a difference in time.
Thank you




CAT3750XCORE#
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3
                                                Gi1/0/4, Gi1/0/5, Gi1/0/6
                                                Gi1/0/7, Gi1/0/8, Gi1/0/9
                                                Gi1/0/10, Gi1/0/11, Gi1/0/12
                                                Gi1/0/13, Gi1/0/14, Gi1/0/15
                                                Gi1/0/16, Gi1/0/17, Gi1/0/18
                                                Gi1/0/19, Gi1/0/20, Gi1/0/23
                                                Gi1/1/1, Gi1/1/2, Gi1/1/3
                                                Gi1/1/4, Gi2/0/1, Gi2/0/2
                                                Gi2/0/3, Gi2/0/4, Gi2/0/5
                                                Gi2/0/6, Gi2/0/7, Gi2/0/8
                                                Gi2/0/9, Gi2/0/10, Gi2/0/11
                                                Gi2/0/12, Gi2/0/13, Gi2/0/14
                                                Gi2/0/15, Gi2/0/16, Gi2/0/17
                                                Gi2/0/18, Gi2/0/19, Gi2/0/20
                                                Gi2/0/23, Gi2/1/1, Gi2/1/2
                                                Gi2/1/3, Gi2/1/4
2    TSLNG-WIFI                       active    Gi1/0/21, Gi1/0/22, Gi2/0/21
                                                Gi2/0/22
3    TSLNG-VOICE                      active
1002 fddi-default                     act/unsup

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
CAT3750XCORE#

CAT3750XCORE#sh int trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/24    on               802.1q         trunking      1
Gi2/0/24    on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/24    1-4094
Gi2/0/24    1-4094

Port        Vlans allowed and active in management domain
Gi1/0/24    1-3
Gi2/0/24    1-3

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/24    none
Gi2/0/24    1-3
CAT3750XCORE#

CAT2960_1#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gi0/1, Gi0/2
2    TSLNG-WIFI                       active    Fa0/48
3    TSLNG-VOICE                      active    Fa0/25, Fa0/26, Fa0/27, Fa0/28
                                                Fa0/29, Fa0/30, Fa0/31, Fa0/32
                                                Fa0/33, Fa0/34, Fa0/35, Fa0/36
                                                Fa0/37, Fa0/38, Fa0/39, Fa0/40
                                                Fa0/41, Fa0/42, Fa0/43, Fa0/44
                                                Fa0/45, Fa0/46, Fa0/47
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
CAT2960_1#
Port        Mode             Encapsulation  Status        Native vlan
Gi0/3       on               802.1q         trunking      1
Gi0/4       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/3       1-4094
Gi0/4       1-4094

Port        Vlans allowed and active in management domain
Gi0/3       1-3
Gi0/4       1-3

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/3       1-3
Gi0/4       1-3
CAT2960_1#

CAT2960_2#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gi0/1, Gi0/2
2    TSLNG-WIFI                       active
3    TSLNG-VOICE                      active    Fa0/25, Fa0/26, Fa0/27, Fa0/28
                                                Fa0/29, Fa0/30, Fa0/31, Fa0/32
                                                Fa0/33, Fa0/34, Fa0/35, Fa0/36
                                                Fa0/37, Fa0/38, Fa0/39, Fa0/40
                                                Fa0/41, Fa0/42, Fa0/43, Fa0/44
                                                Fa0/45, Fa0/46, Fa0/47, Fa0/48
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
CAT2960_2#

CAT2960_2#sh int trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/3       on               802.1q         trunking      1
Gi0/4       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/3       1-4094
Gi0/4       1-4094
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39689924
I see only two trunks on the 3750, so I assume one goes to each 2960, correct? On the 2960s I see two trunks, so I assume the 2960s are connected to one another?
0
 
LVL 1

Author Comment

by:antwerp2007
ID: 39691947
Yes, exactly.
0
 
LVL 16

Assisted Solution

by:vivigatt
vivigatt earned 250 total points
ID: 39692235
You may want to make sure there are no loops (or possibility of loops).
0
 
LVL 26

Assisted Solution

by:Soulja
Soulja earned 250 total points
ID: 39692464
A better design would be for you to have a port channel from each 2960 to the 3750, and no connection between the two 2960s. You will have additional bandwidth, and most of all you will have redundancy for the uplinks to the 3750. You will also eliminate some unnecessary paths that could cause a loop, such as the connection between the 2960s.
0
 
LVL 1

Author Closing Comment

by:antwerp2007
ID: 39695070
Vivigatt and Soulja, thank you for your assistance on this.
I would like to verify the config further in light of a branch office that will be set up, and will create questions about this. It would be great if you read them. Regards
0
