HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
Web and Unmanaged
cancel
Showing results for 
Search instead for 
Did you mean: 

do you need an interface configured on the switch in the vlan for dhcp relay

 
pnobels
Occasional Contributor

do you need an interface configured on the switch in the vlan for dhcp relay

Hi,

i'm using a HP1920 (or ,5120, 5500 or 5800 if you like).

I assume you need to configure an interface and ip on the switch in the vlan where you want to relay dhcp?

Example :

interface Vlan-interface24
ip address 192.168.24.254 255.255.255.0
dhcp select relay
dhcp relay server-select 1

interface Vlan-interface204
ip address 192.168.204.174 255.255.255.0

The interface in vlan 204 is used for layer 3 routing.  Vlan 24 thus stops at this switch.  Without ip address this dhcp relay does not work?

Reason behind this is i want to route all trafic in vlan 24 to a Checkpoint firewall and prefer to keep dhcp relay on the switch (we use a Windows dhcp server).  Now if i want to achieve this, my firewall will have for example address 192.168.24.253.  This is the gateway for the dhcp server offer.  But a smart person could replace that gateway on his pc by 192.168.24.254, and thus bypass the firewall.

 

Or is it possible to write an acl to only allow dhcp trafic on that ip 192.168.24.254?  

1 REPLY
Ian Vaughan
Honored Contributor

Re: do you need an interface configured on the switch in the vlan for dhcp relay

Hello,

Yes you need a Layer3 interface with an IP on it to do DHCP relay / IP helper as what you are doing really is turning the DHCP broadcast on the vlan into a directed unicast to travel over the routed interfaces to a specific server somewhere else on the network.

Does the firewall not offer any IP helper / DHCP relay? That way you wouldn't need any L3 on VLAN 24 and you could have it purely as L2.

Yes you could write an ACL that would only allow the L3 from vlan24 on the switch to access solely the dhcp server as a destination and deny all others so that it couldn't be used as a backdoor into the rest of the network.

On 5510 and 5800 you could do something creative with vpn-instances if you were so inclined but, thinking about it, you would have to relocate your DHCP-server so maybe not.

Let us know how you get on.

Thanks

Ian

Thanks

Ian

Hope that helps - please click "Thumbs up" for Kudos if it does
## ---------------------------------------------------------------------------##
Which is the only cheese that is made backwards?
Edam!
Tweets: @2techie4me