HPE Community
Switches, Hubs, and Modems
1752777 Members
6136 Online
108789 Solutions
New Discussion юеВ

Re: DHCP Snooping per VLAN

 
EvRooyen
Occasional Advisor

тАО01-09-2007 07:21 AM

тАО01-09-2007 07:21 AM

DHCP Snooping per VLAN

Hi all, need some help pls?

1) Background:
VLAN 1 = 192.168.x.y/16, switches IP=192.168.20.y/16 (5412) and 192.168.20.z/16 (5406). Firmware = 11.63
VLAN 2 = 10.100.x.y/22, VLAN if = 10.100.1.10/22

DHCP server on VLAN1 that serves PC's, all OK
Mitel VOIP switch on VLAN2 (that hosts all the VOIP phones), and that has DHCP enabled. IP=10.100.1.1, DHP range =10.100.1.150-250

IProuting is enabled on switches.
2) Problem:
Sometimes PC's are getting VOIP addresses assigned.... I have tested this by switching off DHCP on the windows DHCP server and renewing DHCP address from workstation.
I was under the impression DHCP broadcast would stay in the VLAN and not cross??

3) What I have done so far:

* Enabled DHCP snooping global and for VLAN 1-2
* I know snooping is working because:
-> Did not work until I specified the relevant trusted if
-> Did not work until I added the authorized DHCP servers.
* I *have* to add the Mitel as an authorized server otherwise the phones do not get their IP range. In this regard, it seems you cannot specify a DHCP host *per VLAN*, only globally? The same goes for the trusted interface?
* I double checked, the ports on VLAN1 has "NO" for VLAN2.

Am I missing something obvious? I can see 2 options here:

1) Solve this riddle...so DHCP broadcasts will not travel across VLANS
2) Chuck DHCP on the Mitel, and assign that scope to the windows DHCP server. If this is the case I need:
a. The correct Options for the scope (This also assumes that I can do all through the Windows box and no need for DHCP on Mitel...)
b. That DHCP on Windows will in fact assign addresses in the correct scope to the VOIP phones.

Any help or suggestions will be *greatly* appreciated!

Eugene
0 Kudos
4 REPLIES 4
Matt Hobbs
Honored Contributor

тАО01-09-2007 12:12 PM

тАО01-09-2007 12:12 PM

Re: DHCP Snooping per VLAN

You're right, DHCP packets should not be crossing VLANs unless you've got an 'ip helper-address' configured.

It seems like there is some path on the network where VLAN1 and 2 have joined.

What I would look for in VLAN1 is the mac-address of the Mitel DHCP server.

'show mac-address vlan 1'

If you can find the mac-address of the Mitel DHCP server, then you know that it's definitely in the wrong VLAN. From there, keep tracking down the port from switch to switch until you find where it's being leaked from.
0 Kudos
EvRooyen
Occasional Advisor

тАО01-09-2007 03:01 PM

тАО01-09-2007 03:01 PM

Re: DHCP Snooping per VLAN

Thanks Matt!

Blond moment here...I actually *do* have IP-helper set up, forgot to mention it. So on each switch I have set up:

VLAN1 IP-Helper = Windows DHCP server
VLAN2 IP-Helper = Mitel Switch

1) I thought I was doing the right thing, since an interface connected to a port assigned *only* (Untagged) to VLAN1 would then instead of broadcasting, just send the unicast ticket directly on to the DHCP server, and the same for VLAN2's IP Helper. Should I not be doing this?

2) I will go check on where the "leak" is, will sniff as well. If the issue then is because of the helper address, I suppose I can remove the helper address for VLAN2 altogether?
0 Kudos
Matt Hobbs
Honored Contributor

тАО01-09-2007 03:22 PM

тАО01-09-2007 03:22 PM

Re: DHCP Snooping per VLAN

Since you've got a DHCP server on each VLAN, the helper-address isn't really required. What is probably happening is a client is broadcasting out, the ip helper-address is also seeing it and then forwarding a unicast request to the same DHCP server. Effectively doubling the load on the DHCP server - and probably taking a little longer than it should to get an address as the client will have to NAK the second offer.

Try without the helper-addresses first, if the problem still occurs, try and find that Mitel mac-address and if all else fails get the sniffer out.
0 Kudos
EvRooyen
Occasional Advisor

тАО01-09-2007 08:13 PM

тАО01-09-2007 08:13 PM

Re: DHCP Snooping per VLAN

I'm baffled now. This is what I did:

* Took away the IP helper addresses altogether.
* Tested that DHCP for phones & PC's are working, all seems OK.
* Now: when I shut down DHCP on VLAN1 (Windows), and then from a PC request an address, I get a VOIP IP from the DHCP server on VLAN 2.
* I then did a sh mac VLAN1 and it showed the MAC address of the Mitel switch...

I cannot set the VLAN1 Mitel port to "No", as I need to set VLAN2 to "Tagged".

I'm lost here, any ideas??? Please see config of the swith attached. (Note, for this test I am not even using another switch).
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.