dhcp and vlans

Simon Hobson dhcp1 at thehobsons.co.uk
Tue Oct 6 14:20:02 UTC 2009


Stefan Pandele wrote:

>I want to do the following task and I do not know how:
>
>I have a Cisco L3 switch on which I have many VLANs.
>On every interface vlan I have a public IP class.
>I want to add a secondary private IP class (192.168.100.0/24 on 
>vlan 100, 192.168.200.0/24 on vlan 200, and so on) on each interface 
>vlan.

First step - you need to define a shared network (the dhcpd keyword is 
shared-network) for each vlan, like this :

shared-network "vlan100" {
   subnet a.b.c.0 netmask ... {
     ...
   }
   subnet 192.168.100.0 netmask 255.255.255.0 {
     ...
   }
}

>After that, when a client from vlan 100 has its MAC address bound to 
>an IP address from the public subnet in dhcpd.conf, dhcp should give 
>him that public IP address.
>If the user changes his network adapter then the new MAC address 
>won't be bound to the same IP address.
>At that point I want dhcp to give him a random IP address from 
>the private IP address class range (e.g. 192.168.100.75).



>If the client moves to a vlan 200 port, dhcp must give him an IP 
>address from the 192.168.200.0/24 class (e.g. 192.168.200.14).


You need to clarify exactly what you need here - I can see two 
variations when a device with public IP in vlan100 moves to vlan 200 :

a) it gets a public address.

b) it gets a private address.


a) is probably simplest. You define your subnets thus :
shared-network "vlan100" {
   subnet a.b.c.0 netmask ... {
     pool {
       range a.b.c.x a.b.c.y ;
       allow known-clients ;
     }
   }
   subnet 192.168.100.0 netmask 255.255.255.0 {
     pool {
       range 192.168.100.x 192.168.100.y ;
       deny known-clients ;
     }
   }
}

And define known clients with host statements IN THE GLOBAL SCOPE :
host somename {
   hardware ethernet aa:bb:cc:dd:ee:ff ;
}

Clients with a matching host declaration are "known" and entitled to 
an address from the public range from the vlan they are connected to. 
Others will get a private address.


b) is a little harder, but not much.

You define a class for 'known' hosts for each vlan :

class "vlan100" {
   match ... ;
}

shared-network "vlan100" {
   subnet a.b.c.0 netmask ... {
     pool {
       range a.b.c.x a.b.c.y ;
       allow members of "vlan100" ;
     }
   }
   subnet 192.168.100.0 netmask 255.255.255.0 {
     pool {
       range 192.168.100.x 192.168.100.y ;
       deny members of "vlan100" ;
     }
   }
}

A client that matches a class will be allowed a public IP when 
connected to the relevant vlan. When connected anywhere else it will 
get a private address.

Class matching is more flexible - you can match on arbitrary 
expressions, not just MAC address. You could use a single global 
class in option a) to get this level of flexibility.


Your friends are the man pages - dhcpd.conf to start with, and 
dhcp-eval for info about expressions available.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
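The following is an added example, not code from the thread above or from ISC. It generates the option b) layout for any number of VLANs from a short table, so the "and so on" in the question does not have to be typed out by hand: one global class per VLAN populated with subclass entries (dhcpd's `match hardware` yields the hardware type byte followed by the MAC, so ethernet entries are written `1:aa:bb:cc:dd:ee:ff`), and one shared-network per VLAN whose public pool is `allow members of` that class and whose private pool is `deny members of` it. The VLAN numbers, subnets, ranges and MAC addresses are constructed placeholders (public side uses the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges); the `Vlan`, `render` and check helpers are this example's own names, not part of dhcpd.

```python
"""Generate the per-VLAN shared-network dhcpd.conf fragment from a short VLAN table.

Added example, not code from the original thread or from ISC. It assumes ISC
dhcpd syntax: shared-network, class/subclass with `match hardware`, and pool
`allow/deny members of`. All addresses and MACs below are constructed placeholders.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
import re

# Lower-case colon-separated MAC, e.g. aa:bb:cc:dd:ee:ff
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


@dataclass
class Vlan:
    tag: int                        # VLAN number; also the class / shared-network name
    public: IPv4Network             # public subnet configured on the SVI
    public_range: tuple[str, str]   # first and last address handed to known clients
    private: IPv4Network            # secondary private subnet on the same SVI
    private_range: tuple[str, str]  # first and last address for everyone else
    known_macs: list[str] = field(default_factory=list)  # clients entitled to a public address


def check_mac(mac: str) -> str:
    """Normalise a MAC and reject anything that is not six hex octets."""
    mac = mac.strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    return mac


def check_range(net: IPv4Network, rng: tuple[str, str]) -> tuple[str, str]:
    """A pool range must lie inside its subnet, low address first."""
    lo, hi = IPv4Address(rng[0]), IPv4Address(rng[1])
    if lo not in net or hi not in net:
        raise ValueError(f"range {rng} is outside {net}")
    if lo > hi:
        raise ValueError(f"range {rng} is reversed")
    return str(lo), str(hi)


def render_vlan(v: Vlan) -> str:
    """Class + subclasses + shared-network for one VLAN."""
    name = f"vlan{v.tag}"
    lines = []
    # Global-scope class; membership is the list of subclass entries below it.
    lines += [f'class "{name}" {{', "  match hardware;", "}"]
    for mac in v.known_macs:
        lines.append(f'subclass "{name}" 1:{check_mac(mac)};')
    pub_lo, pub_hi = check_range(v.public, v.public_range)
    prv_lo, prv_hi = check_range(v.private, v.private_range)
    lines += [
        f'shared-network "{name}" {{',
        f"  subnet {v.public.network_address} netmask {v.public.netmask} {{",
        "    pool {",
        f"      range {pub_lo} {pub_hi};",
        f'      allow members of "{name}";',  # only this VLAN's known clients
        "    }",
        "  }",
        f"  subnet {v.private.network_address} netmask {v.private.netmask} {{",
        "    pool {",
        f"      range {prv_lo} {prv_hi};",
        f'      deny members of "{name}";',   # everyone else, incl. clients known on another VLAN
        "    }",
        "  }",
        "}",
    ]
    return "\n".join(lines)


def render(vlans: list[Vlan]) -> str:
    """Whole fragment; each class is emitted before the pools that reference it."""
    tags = [v.tag for v in vlans]
    if len(tags) != len(set(tags)):
        raise ValueError("duplicate VLAN tag")
    return "\n\n".join(render_vlan(v) for v in vlans) + "\n"


# Constructed sample: two VLANs as in the question, one known client each.
SAMPLE = [
    Vlan(100, IPv4Network("198.51.100.0/24"), ("198.51.100.10", "198.51.100.100"),
         IPv4Network("192.168.100.0/24"), ("192.168.100.10", "192.168.100.250"),
         ["aa:bb:cc:dd:ee:ff"]),
    Vlan(200, IPv4Network("203.0.113.0/24"), ("203.0.113.10", "203.0.113.100"),
         IPv4Network("192.168.200.0/24"), ("192.168.200.10", "192.168.200.250"),
         ["00:11:22:33:44:55"]),
]

if __name__ == "__main__":
    print(render(SAMPLE))
```

Write the output to a file and syntax-check it with `dhcpd -t -cf <file>` before including it in the live configuration. Two caveats a practitioner should keep in mind: a MAC address is trivially spoofed, so gating the public pool on `hardware ethernet` keeps honest clients sorted but is not an access control, and because the public pool only checks class membership, a client that is "known" on vlan 100 gets a private address when it turns up on vlan 200, which is exactly the behaviour described under b).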


