tmaususer (United States of America) asked:
Way to forward DHCP requests without using 'ip helper-address'?

Hello,

About 18 months ago, we stopped using VTP and switched to assigning 'allowed VLAN' to individual interfaces.  Everything has been working well.  At that time, the contractor had me turn off VTP on the core switch (default gateway) and leave VTP in transparent mode on the access and distribution switches.  He said going forward, we could stop creating VLAN interfaces and simply just create named VLANs.  More recently, perhaps when a client lease expires, a DHCP client will not obtain an ip address in a timely manner, if at all.  I suspect this might be due to the lack of an 'ip helper-address' on a VLAN interface.  Is that likely?  Is the configuration okay as described?  And how can I help clients reach the DHCP server?

P.S.  The DHCP server is connected to the core stack of switches.

ASKER CERTIFIED SOLUTION
Craig Beck (United Kingdom)
This solution is only available to members of Experts Exchange.
skullnobrains:

vtp is probably unrelated

such dhcp issues can be due to a number of things. one common one would be security features that block the dhcp packets targeted to the provided address either on one of the switches or the host (if promiscuous mode is forbidden), forcing dhcp to switch to broadcast mode, which occurs after a while and possibly after the client decides to give up. wireshark or your favorite packet sniffer can help debugging such issues.


side note, it is usually simpler and cleaner to configure dhcp instances in each vlan than bother with helpers though you may have a good reason to do so.
tmaususer (asker):

Craig Beck,
The DHCP server is connected to the core stack of switches.  Unfortunately, I am unable to share the configurations at this time.
However, I believe you have shed some light on my mis-thinking.  Here are my questions:
1. Will creating an SVI create an entry in the VLAN database, and is the VLAN database part of VTP?
2. VTP in transparent mode will not necessarily negate the isolation created by using 'allowed vlan' on individual port interfaces? 

Craig Beck:

1. Will creating an SVI create an entry in the VLAN database, and is the VLAN database part of VTP?
Creating the SVI won't create the VLAN. You need to create the VLAN, then create the SVI. Only creating the VLAN on the individual switch will add it to the database where VTP transparent is used.

2. VTP in transparent mode will not necessarily negate the isolation created by using 'allowed vlan' on individual port interfaces? 
The allowed VLAN on the port only dictates which tagged traffic can ingress and egress through that port. It's kind of a way of being selective for things like STP. VTP transparent mode only tells the switch to not listen to VTP updates from a VTP server, but still allows VTP to pass through to other switches.
skullnobrains,
We are not using promiscuous mode, but I am very much interested in learning if there is a security feature blocking DHCP packets.  On the same switch and VLAN, could this occur for one client and not another?
Craig Beck:

We are not using promiscuous mode, but I am very much interested in learning if there is a security feature blocking DHCP packets.  On the same switch and VLAN, could this occur for one client and not another?
There are things like DHCP snooping which can block DHCP, although it's usually on a per-VLAN basis. I doubt that's the issue here. As I say, it sounds like a routing issue to me. Let's say the DHCP server is on VLAN 10 with IP 10.10.10.10 and the core switch has 10.10.10.1. A client in VLAN 20 with IP 10.20.20.20 would need to route via the core switch to reach the DHCP server. The core switch has IP 10.20.20.1 on VLAN 20, with ip helper-address 10.10.10.10 configured. In order for the DHCP server to send the DHCP Offer and Ack back to the client, it needs to use the core as its default gateway (10.10.10.1).

So, going back to your original question...
 I suspect this might be due to the lack of an 'ip helper-address' on a VLAN interface.  Is that likely? 
Yes, if the clients are on a different VLAN to the DHCP server it is almost definitely the cause. An ip helper is required in this scenario. This is why I say it's likely a routing issue.
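As an added example (not part of the thread), the routing point above modelled in Python: the core relays the VLAN 20 DISCOVER only when a helper address is configured on the SVI, and the server's OFFER only makes it back when the server has a route to giaddr (10.20.20.1), normally via its default gateway 10.10.10.1. The addresses are the ones Craig used; the functions, tables and the "direct" next-hop label are assumptions made for the model.

```python
import ipaddress

# Constructed topology from the thread's example (not a real network):
# DHCP server 10.10.10.10 on VLAN 10, core SVIs 10.10.10.1 (Vlan10) and
# 10.20.20.1 (Vlan20), client on VLAN 20. A helpers dict models the
# "ip helper-address" line on each SVI.
SERVER_IP = "10.10.10.10"
CORE_SVI = {10: "10.10.10.1", 20: "10.20.20.1"}
SCOPES = {"10.20.20.0/24": "10.20.20.20"}   # lease the server hands out (assumed)


def core_relay(vlan, helpers):
    """Core switch receives a client DHCPDISCOVER broadcast on an SVI.

    Without a helper the broadcast stays inside its VLAN and never reaches
    the server. With one, the switch forwards it as unicast to the helper
    address and sets giaddr to the SVI address (RFC 2131 relay behaviour).
    """
    if vlan not in helpers:
        return None                      # broadcast dies at the VLAN boundary
    return {"dst": helpers[vlan], "giaddr": CORE_SVI[vlan]}


def server_offer(relayed, server_routes):
    """Server picks a scope from giaddr and unicasts the OFFER back to giaddr.

    server_routes is the server's routing table {prefix: next_hop}; the
    0.0.0.0/0 entry is its default gateway. Returns the OFFER dict, or None
    when the request never arrived or the reply has no route (the lost
    offer/ack symptom described in the thread).
    """
    if relayed is None or relayed["dst"] != SERVER_IP:
        return None
    giaddr = ipaddress.ip_address(relayed["giaddr"])
    scope = next((s for s in SCOPES if giaddr in ipaddress.ip_network(s)), None)
    if scope is None:
        return None                      # no scope matches giaddr: server stays silent
    # giaddr is off-subnet, so the OFFER needs a route: longest-prefix match.
    candidates = [ipaddress.ip_network(p) for p in server_routes
                  if giaddr in ipaddress.ip_network(p)]
    if not candidates:
        return None                      # OFFER never leaves the server
    best = max(candidates, key=lambda n: n.prefixlen)
    return {"yiaddr": SCOPES[scope], "to": str(giaddr),
            "next_hop": server_routes[str(best)]}


def dhcp_exchange(vlan, helpers, server_routes):
    """Full DISCOVER -> OFFER path; returns the leased address or None."""
    offer = server_offer(core_relay(vlan, helpers), server_routes)
    return offer["yiaddr"] if offer else None
```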
tmaususer (asker):

Craig Beck,
I think your comments answer my question and an overall concern.  
I can create a VLAN interface and still isolate traffic using 'allowed vlan'?  I know that sounds odd.  
We were trying to reduce traffic in an OT environment but appear to lose DHCP acknowledgements periodically. 
I was thinking 'ip helper-address' is associated with VTP because it is applied to VLAN interfaces.  This may have been incorrect thinking.  
I want to use an 'ip helper-address' to pass DHCP traffic, yet at the same time, I do not want traffic from unnecessary VLANs to be visible to every device on a given switch.  I was given the impression from a consultant that using VTP in server mode would make all traffic visible on a switch in VTP client mode.  We had some OT devices that were not communicating because of excess IT (office) traffic.
Craig Beck:

VTP is a layer-2 function. It centrally manages VLANs across switches. An IP helper is a layer-3 function which sits on top of a layer-2 VLAN. The two are completely separate things. Your consultant is correct in that a switch in VTP server mode will control VLANs configured on a switch in VTP client mode. When a switch is in transparent mode it will ignore any VTP updates from a VTP server, but will still pass them to any downstream switch in VTP client mode.

When you use VTP transparent mode on a switch, you have to manually configure any VLANs you want to be present on that switch. To restrict VLANs across your infrastructure, you use the "switchport trunk allowed vlan x,y,z" command on the port between two switches.
tmaususer (asker):

Starting a new post for a related issue.  When I create a VLAN interface on an access switch and add an ip helper-address, the network slows down noticeably.