DHCP Relay doesn't work in Aruba Switch 2540

  • 1.  DHCP Relay doesn't work in Aruba Switch 2540

    Posted 22 days ago
    Hello everyone,
    
    We have the following network infrastructure:
    
    DHCP server mounted on a Windows server.
    Perimeter firewall
    Aruba 2540 Switch
    
    Currently the DHCP Relay is on the Firewall and we want to change this DHCP Relay to Aruba switch.
    There are multiple VLANs mounted on the Aruba switch. On the DHCP server we have several ranges configured that correspond to those VLANs.
    
    DHCP Relay was activated on the Aruba switch.
    Then, to test with a VLAN, put this configuration:
    setting
    vlan 102
    ip helper-address "dhcp server ip"
    wr mem
    
    But it does not give an IP when connecting a device; however, it gives me these statistics:


    Any idea what the problem could be? In which cases is it necessary to activate DHCP option 82?
    With what tool, or how, can I see where the packages are?
    From the console, I ping the DHCP server and it arrives; however, if I do a traceroute it doesn't make the jumps (it appears with *).
    
    I would appreciate any help, because I am not a network administrator and these issues are a bit complicated for me.
    
    Thanks.
     


  • 2.  RE: DHCP Relay doesn't work in Aruba Switch 2540

    Posted 22 days ago
    Hi
    Which IP does VLAN 102 have? (sh run vlan 102)
    Is this IP range also created as a range/scope in the DHCP?
    Is the IP helper switched off in the FW for the VLAN? Both should not be on (per VLAN).

    Thomas



  • 3.  RE: DHCP Relay doesn't work in Aruba Switch 2540

    Posted 9 days ago
    Hello,

    This is part of the Aruba Switch configuration:

    ip default-gateway 192.168.102.1
    snmp-server community "public" unrestricted
    vlan 1
       name "DEFAULT_VLAN"
       no untagged 1-28,31,33-34,39,41-46
       untagged 29-30,32,35-38,40,47-52
       ip address dhcp-bootp
       ipv6 enable
       ipv6 address autoconfig
       ipv6 address dhcp full
       exit
    vlan 101
       name "101 - Servers"
       untagged 1-2,6-8,12,15-18
       tagged 13-14,19-24,33-34
       no ip address
       ipv6 enable
       ipv6 address autoconfig
       exit
    vlan 102
       name "102 - PCs General"
       untagged 3,9,25-28
       tagged 13-14,19-24,33-34
       ip address 192.168.102.82 255.255.255.0
       ipv6 enable
       ipv6 address autoconfig
       exit
    ______________

    The Windows DHCP servers are in the range 192.168.101.x
    The firewall is in the range 192.168.101.x
    Now, the FW is the actual DHCP relay.

    If I configure, for example, VLAN 102 with this configuration:
    config
    vlan 102
    ip helper-address 192.168.101.41
    wr mem

    I received an IP from the DHCP, but the information passes through the FW. I know that because if I put an IP helper address that doesn't exist, for example 192.168.99.1, I keep getting an IP from DHCP, so I deduce that "it is not paying attention to the IP helper that I am configuring", and it continues using the FW to reach the DHCP. So I think what I need is to use inter-VLAN routing to reach the DHCP without using the FW, but I don't know how I can do this, or whether this option is the correct one.

    I'm sorry if it's not very well understood, but English is not my mother tongue.

    Best regards.
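
One way to check which device is actually relaying, shown as an added example that is not part of the original thread: capture DHCP traffic on the DHCP server and read the giaddr field, which a relay sets to its own address on the client's VLAN. The addresses 192.168.102.82 and 192.168.102.1 come from the posts; the relay labels, the client MAC and the option 82 bytes used with `sample_discover` are constructed for illustration.

```python
import ipaddress
import struct

COOKIE = bytes([99, 130, 83, 99])        # RFC 2131 magic cookie before the options
# Addresses from the thread; the labels are this example's assumption.
RELAYS = {"192.168.102.82": "switch", "192.168.102.1": "firewall"}

def tlvs(buf, top_level=True):
    """Yield (code, value) pairs from a DHCP option area or an option 82 body."""
    i = 0
    while i < len(buf):
        if top_level and buf[i] == 255:  # End option
            break
        if top_level and buf[i] == 0:    # Pad option has no length byte
            i += 1
            continue
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated option")
        yield buf[i], buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]

def parse_dhcp(payload):
    """Extract the relay-related fields from a DHCP message (the UDP payload)."""
    if len(payload) < 240 or payload[236:240] != COOKIE:
        raise ValueError("not a DHCP message")
    opts = dict(tlvs(payload[240:]))
    giaddr = str(ipaddress.IPv4Address(payload[24:28]))
    return {
        "hops": payload[3],
        "giaddr": giaddr,
        "client_mac": payload[28:34].hex(":"),
        "msg_type": (opts.get(53) or b"\x00")[0],
        # Option 82 sub-options: 1 = circuit ID, 2 = remote ID (RFC 3046)
        "option82": dict(tlvs(opts[82], top_level=False)) if 82 in opts else {},
        "relayed_by": "not relayed" if giaddr == "0.0.0.0"
                      else RELAYS.get(giaddr, "unknown relay"),
    }

def sample_discover(giaddr, option82=b""):
    """Constructed DHCPDISCOVER as a capture on the DHCP server would show it."""
    hops = 0 if giaddr == "0.0.0.0" else 1
    head = struct.pack("!BBBBIHH", 1, 1, 6, hops, 0x1234ABCD, 0, 0x8000)
    addrs = bytes(12) + ipaddress.IPv4Address(giaddr).packed  # ciaddr, yiaddr, siaddr, giaddr
    chaddr = bytes.fromhex("020000000102") + bytes(10)        # made-up client MAC
    opts = bytes([53, 1, 1]) + option82 + bytes([255])
    return head + addrs + chaddr + bytes(64 + 128) + COOKIE + opts
```

`parse_dhcp` expects the UDP payload of a packet sent to port 67 on the DHCP server; a `relayed_by` of "firewall" means the request still arrived through the firewall's relay rather than the switch's.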


  • 4.  RE: DHCP Relay doesn't work in Aruba Switch 2540

    Posted 2 days ago
    Hi everybody,

    Could anybody please help me? I think I need to do "inter-vlan-routing" between VLANs in order to reach the DHCP servers "without needing to go through the FW", but I don't know how I can do inter-vlan-routing.

    Best regards.


  • 5.  RE: DHCP Relay doesn't work in Aruba Switch 2540

    Posted 2 days ago

    Hello,

    Please give the switch an IPv4 address 192.168.101.XXX in the VLAN 101-server (that's where the DHCP server is after all).

     

    Thomas








  • 6.  RE: DHCP Relay doesn't work in Aruba Switch 2540

    Posted 2 days ago
    Hi javcity,

    Based on your configuration, it seems that your gateway for VLAN 101 - Servers is on the firewall, as there is no IP address configured on your switch.

    To do inter-VLAN routing, you need to assign an IP address to the VLAN and enable IP routing on the 2540. Also, configure a default route using this: " ip route 0.0.0.0 0.0.0.0 <firewall interface ip> "

    Just wondering if there is any reason that you would want to put the DHCP relay on the Aruba switch?


  • 7.  RE: DHCP Relay doesn't work in Aruba Switch 2540

    Posted 2 days ago

    Hi,

    Now the configuration is this:




    And the default gateway is 192.168.102.1. This gateway corresponds to the VLAN 102 IP configured on the FW. Perhaps this is the reason why the requests pass through the firewall, so what IP do I have to set as the gateway so that the requests don't pass through the firewall? Is it possible to set a different gateway per VLAN, or must all VLANs have the same gateway?


    The idea is that if the switch has a request for a known network, the request stays in the switch, and if the request isn't known, the request goes to the FW.

    The reason we want to put the DHCP relay on the Aruba switch instead of the FW (as it is configured now) is that our CIO thinks it is "more secure" to separate this traffic, and also the FW has less load.


    Best regards.




  • 8.  RE: DHCP Relay doesn't work in Aruba Switch 2540

    Posted 2 days ago
    Hi,

    I would suggest putting the VLAN 102 gateway IP on your switch and assigning another IP subnet as a transit IP on your firewall interface, with the default route pointing to that IP. In the end your firewall will have only one interface rather than sub-interfaces for VLAN 101 and 102.

    Just want to point out that traffic travelling between VLAN 101 and 102 will not be forwarded to the firewall for inspection and control, if there is any.

    By the way, your IP routing is disabled, so you would need to enable it by entering " ip routing "



  • 9.  RE: DHCP Relay doesn't work in Aruba Switch 2540

    Posted 2 days ago
    Hello,

    With "Just want to point out that traffic travelling between VLAN 101 and 102 will not be forwarded to firewall for inspection and control if there is any. "

    do you mean that, with the current configuration, and after enabling "ip routing", the traffic will not be forwarded to the firewall even though the current IP gateway is the FW VLAN 102 IP?

    If I use the IP 192.168.102.82 to access and manage VLAN 102 on the switch, is it correct to use the same IP for the gateway? Sorry if it is a noob question, but I'm not a network administrator.

    Best regards.


  • 10.  RE: DHCP Relay doesn't work in Aruba Switch 2540

    Posted 2 days ago
    Hi,

    *If you decide to implement the suggestion that I was giving*
      
    What I am trying to say is that after inter-VLAN routing is enabled on the switch, all the traffic that wants to travel to the server VLAN will be able to bypass your firewall and go directly to your server VLAN. Only those that do not have a route in your switch will go to your firewall (default route).

    I am not sure if you have any firewall rules to control access from PC VLAN to other servers within the server VLAN.

    Usually when we implement inter-VLAN routing, we point the gateway of the user devices to the IP address of the VLAN on the switch so that the switch will then perform routing, because in order to get to a different subnet, packets have to go to the gateway first.


    ** Just my opinion: Based on my assumption (Aruba 2540 is a simple Layer 2 switch), the direction of setup that you are going for doesn't really provide any actual benefit (security-wise); rather, it just complicates things and is time-consuming (to change the setup), since the end result would mean anyone in VLAN 102 would be able to access VLAN 101 - Server, as there is no access control implemented on your switch.**
     



  • 11.  RE: DHCP Relay doesn't work in Aruba Switch 2540

    Posted 2 days ago
    Thank you for your help. I am going to try to test what you said.

    Only one more question that I don't understand. Why is it that if I ping an IP it responds, but if I do a traceroute to the same IP, it can't find the route - hops? I don't understand the reason, and it would be very useful to test whether a packet travels to the FW or not.



    Best regards.


  • 12.  RE: DHCP Relay doesn't work in Aruba Switch 2540

    Posted 2 days ago
    Hi,


    Just want to clarify more on the transit IP: you would need to create a VLAN (VLAN XX) in your switch, assign an IP address (same subnet as your firewall interface subnet) and assign the port connected to the firewall to the VLAN (VLAN XX). This is to facilitate communication to and from your firewall.