How to prevent DHCP traffic from passing between VLANs

  • 1.  How to prevent DHCP traffic from passing between VLANs

    Posted Jul 02, 2018 02:29 PM

    We have 2930f switches in several buildings and we are routing between the buildings through the 2930s.

    Each building has its own subnet and DHCP server. Each 2930 has 2 VLANs set up: VLAN 20 for the LAN inside the building and VLAN 1 for the connection between the buildings. We have the routing set up and working great; however, DHCP is being passed from VLAN 20 through VLAN 1 to the LAN VLAN of the other buildings. Thus it's a crapshoot as to which DHCP server answers the client first. I thought that adding "no DHCP-relay" to the config would stop DHCP from being passed; however, it is still happening. Any help would be appreciated. Thanks



  • 2.  RE: How to prevent DHCP traffic from passing between VLANs

    Posted Jul 03, 2018 07:11 AM

    Hi,

     

    In the 2930 switches that are doing the routing in each building, try giving "ip helper-address x.x.x.x" in each VLAN.

    The IP address you mention should be that of the desired DHCP server from which you would like the end users of the building to receive the IP.

     

    I hope this helps; if not, please feel free to write to us.

    Thanks

    KASHIF ALI KHAN

    ACSA

    NETWORKING TECHNICAL CONSULTANT (Aruba GSC)



  • 3.  RE: How to prevent DHCP traffic from passing between VLANs

    Posted Jul 09, 2018 01:01 PM

    Kashif

    We added the IP helper address to all of the switches on VLAN 20 pointing to the DHCP server with no success. We are still getting addresses from other buildings.



  • 4.  RE: How to prevent DHCP traffic from passing between VLANs

    Posted Jul 09, 2018 02:56 PM

    Do you have a network diagram of the environment you can share?

     

    If the client device is getting an address via DHCP that is incorrect for the VLAN it's connected to, then it sounds like DHCP is not being relayed as expected. Either there's another device performing the relay, who thinks the VLAN is on a different subnet, or the DHCP server that's assigning the client an address is directly connected somehow and thinks that VLAN is the wrong subnet.

     

    Starting with the client device, determine where the DHCP assignment is coming from, then work back towards that server to understand how the client is reaching the DHCP server.



  • 5.  RE: How to prevent DHCP traffic from passing between VLANs

    Posted Jul 03, 2018 11:17 AM

    Hi,

     

    Difficult to tell without seeing the configs.

    - udp broadcast forwarding for port 67/68 could cause this

    - assigning all VLANs to the uplinks would cause this

    - maybe more...

     

    Can you provide config?

     

    Regards, Jö

     



  • 6.  RE: How to prevent DHCP traffic from passing between VLANs

    Posted Jul 09, 2018 12:55 PM

    Here is the config from one of the 2930s.

    They are all configured the same aside from the IPs and 1 of the routing statements. 

    Would entering a udp broadcast statement on VLAN 20 for ports 67 & 68 pointing to the DHCP server work, or would a no udp broadcast for DHCP pointing back to the VLAN 20 DHCP server do the trick?

     

    Running Configuration

    ; JL258A Configuration Editor; Created on release #WC.16.05.0007
    ; Ver #12:08.1d.9b.3f.bf.bb.ef.7c.59.fc.6b.fb.9f.fc.ff.ff.37.ef:ba
    hostname "Aruba-2930F-8G-LINC"
    module 1 type jl258a
    no dhcp-relay
    time daylight-time-rule continental-us-and-canada
    time timezone -6
    ip route 0.0.0.0 0.0.0.0 10.20.0.2
    ip route 10.2.0.0 255.255.0.0 10.20.0.2
    ip route 10.2.15.10 255.255.255.255 blackhole
    ip route 10.3.0.0 255.255.0.0 10.20.0.3
    ip route 10.3.1.91 255.255.255.255 blackhole
    ip route 10.4.0.0 255.255.0.0 10.20.0.4
    ip route 10.5.0.0 255.255.0.0 10.20.0.5
    ip route 10.6.0.0 255.255.0.0 10.20.0.6
    ip route 10.9.0.0 255.255.0.0 10.20.0.9
    ip route 10.10.0.0 255.255.0.0 10.20.0.1
    ip routing
    interface 1
       no power-over-ethernet
       exit
    interface 2
       no power-over-ethernet
       exit
    interface 3
       no power-over-ethernet
       exit
    interface 4
       no power-over-ethernet
       exit
    interface 5
       no power-over-ethernet
       exit
    interface 6
       no power-over-ethernet
       exit
    interface 7
       no power-over-ethernet
       exit
    interface 8
       no power-over-ethernet
       exit
    snmp-server community "public" unrestricted
    snmp-server location "Lincoln"
    vlan 1
       name "DEFAULT_ELAN"
       no untagged 2-10
       untagged 1
       ip address 10.20.0.7 255.255.255.0
       exit
    vlan 20
       name "Linc-LAN"
       untagged 2-10
       tagged 1
       ip address 10.7.1.1 255.255.0.0
       ip helper-address 10.7.1.2
       exit

     



  • 7.  RE: How to prevent DHCP traffic from passing between VLANs
    Best Answer

    Posted Jul 09, 2018 04:26 PM

    Thanks everyone.

    We realized that all of the LAN VLANs had the same ID. We changed the ID to be unique in each building and problem solved.
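
Added example (not part of the original thread, and not Aruba tooling): a config audit for the condition the best answer describes, where the same VLAN ID is carried on the inter-building uplink by several switches that each give it a different subnet, so the building LANs share one broadcast domain and DHCP broadcasts reach every server. It assumes port 1 is the uplink, as in the posted config; the second switch's addresses and the names `BLDG_B`, `expand`, `parse_vlans` and `shared_broadcast_domains` are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a trimmed copy of the posted config. The second switch
# (its addresses) is an assumption modelled on the thread's description.
LINC = """hostname "Aruba-2930F-8G-LINC"
vlan 1
   no untagged 2-10
   untagged 1
   ip address 10.20.0.7 255.255.255.0
   exit
vlan 20
   untagged 2-10
   tagged 1
   ip address 10.7.1.1 255.255.0.0
   exit
"""
BLDG_B = LINC.replace("10.20.0.7", "10.20.0.6").replace("10.7.1.1", "10.6.1.1")

def expand(spec):
    """Expand a numeric port list such as '1,3-5' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_vlans(config):
    """Return {vlan_id: {'ports': set, 'subnet': IPv4Network or None}}."""
    vlans, cur = {}, None
    for words in (line.split() for line in config.splitlines()):
        if len(words) == 2 and words[0] == "vlan" and words[1].isdigit():
            cur = vlans.setdefault(int(words[1]), {"ports": set(), "subnet": None})
        elif words == ["exit"]:
            cur = None
        elif cur is not None and len(words) == 2 and words[0] in ("tagged", "untagged"):
            cur["ports"] |= expand(words[1])  # "no untagged ..." lines are skipped
        elif cur is not None and len(words) == 4 and words[:2] == ["ip", "address"]:
            cur["subnet"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
    return vlans

def shared_broadcast_domains(configs, uplink_port=1):
    """Flag VLAN IDs on the uplink whose subnet differs between switches."""
    seen = defaultdict(dict)  # vlan_id -> {switch name: subnet}
    for name, config in configs.items():
        for vid, vlan in parse_vlans(config).items():
            if uplink_port in vlan["ports"] and vlan["subnet"] is not None:
                seen[vid][name] = vlan["subnet"]
    return {vid: s for vid, s in seen.items() if len(set(s.values())) > 1}
```

VLAN 1 is not flagged because every switch uses the same transit subnet on it; VLAN 20 is flagged until each building's LAN VLAN has its own ID.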