DHCP and VLAN configuration help needed.
November 30, 2007 9:56 AM

I have a DHCP server connected to one port of a managed Netgear switch. I'd like to configure VLANs on this switch for separate office areas, each with their own subnet. I know how to do this with static addresses, since I would just manually configure each computer with the appropriate subnet. How can I hand these addresses out automatically with DHCP?

I'm also not sure how to make one port of the switch (connected to the DHCP server/router) part of each VLAN. I understand how to place a port into an untagged or tagged state, and have it be a member of a VLAN with another set of ports.

Much appreciated!
posted by odinsdream to Computers & Internet (9 answers total)
The "tagged" vs. "untagged" description is a little misleading. When a port is "tagged", packets sent out of it will have a VLAN tag attached to them, allowing the connected device to know which VLAN the packet came from. When a port is "untagged", packets are sent out of it unmolested.

Given that, what you want to do is set up all your separate VLANs the way you want, with all ports untagged. The ports are untagged since your normal office devices don't want to see VLAN tags on their packets. You would connect your VLAN-savvy DHCP server to another port, which is "tagged" and a member of all VLANs. Now your DHCP server will get DHCP broadcasts from all of your VLANs, each packet being tagged with the VLAN ID it came from.

That's how it works at the protocol level, anyway; if you give more info on the DHCP server that you're using, I (and other answerers) could probably be more help with the implementation itself.
posted by pocams at 10:13 AM on November 30, 2007

If you truly want to hard-set every IP while still using DHCP, you'll have to set up reservations. This will tie a particular IP to a specific MAC address, so there's going to be a little data entry, but it's not hard.
posted by rhizome at 10:50 AM on November 30, 2007

rhizome, I don't want anything to be static. What I want is for the DHCP server to lease out addresses to all of the subnets, each of which is on a separate VLAN.

pocams; the DHCP server is built into a MikroTik router. I can create multiple DHCP server instances, defining the subnet for each. I can also create new virtual interfaces and associate a DHCP server with that interface.

One interface option is VLAN, which allows me to specify a VLAN ID. If I create VLANs on the Netgear switch, then create a VLAN interface on the router with an identical ID, would that get the two talking?
posted by odinsdream at 11:05 AM on November 30, 2007

If you're hoping to assign DHCP addresses based on which VLAN a request comes in on, it's going to get a bit tricky.

One way to do this would be to assign all of your VLANs to your server's NIC, with a separate IP address in the desired subnet on each. You'll then need to configure your DHCP server with scopes for each subnet. You may have to put all your scopes in a shared-network statement.

Another way would be with a layer 3 router/switch. With a Cisco router, you'd put each subnet on its own interface. Each interface has an IP address in that subnet, and is configured as the gateway for that network (in DHCP). You set up the ip helper-address on each interface and point it to your DHCP server. You'll need all the scopes set up and you'll definitely need a shared-network statement.

If you're interested in the second solution let me know via MeFi mail and I can share some example configs.

On preview: looks like neither of these solutions is what you're after (the above depends on ISC's DHCP server, not sure how you'd do it on others).

Basically if more than one VLAN is going to be sent across a physical port packets will need to be tagged. The port on the router that goes to the switch should be a member of all VLANs. Same for the port on the switch. The ports that clients connect to will be a member of a single VLAN and untagged. There may be some trunking option or a default VLAN option you need to use in order for the switch to tag incoming packets.
posted by kableh at 11:12 AM on November 30, 2007

Yeah, either your Netgear switch needs to be a bit more of a router and support ip-helper type commands, or your DHCP server needs to support tagged VLANs. After that it's simple: you set each VLAN on the DHCP server port to egress tagged (a trunk port, as it were), your DHCP server has a sub-interface with an IP in each VLAN, and you then configure the DHCP server as normal.

What OS and what flavor is your DHCP server? I've done this many times with Linux, but have no clue about Windows and 802.1q support.
posted by zengargoyle at 11:16 AM on November 30, 2007

The OS is RouterOS running on a MikroTik. This conversation is helping a lot so far. I believe I'll probably be able to put something together by creating VLAN interfaces on the router, assigning a DHCP server to each VLAN, giving the master interface multiple IP addresses for each subnet, and then creating the VLANs with matching IDs on the Netgear.

I'm a little unsure about "egress tagging" the router port in the switch configuration. If anyone's feeling masochistic this weekend, I'd love some help poking around this thing.
posted by odinsdream at 12:11 PM on November 30, 2007

On the Linksys managed switch I have on my desk it's called Private VLAN ID. Basically, a setting which applies per port and specifies the VLAN ID that should be added to any untagged packets that enter that port. Those packets are then mirrored to any other ports that are members of that VLAN.
posted by kableh at 12:39 PM on November 30, 2007

Thanks so far everyone. I'll try this out over the weekend.
posted by odinsdream at 12:41 PM on November 30, 2007

Worked like a charm, and without this advice it would have probably taken me hours. I set up the VLANs on the Netgear switch and made each port an untagged member. Then, I made the uplink port of the switch a tagged member of each VLAN.

On the router I created new VLAN interfaces attached to the ethernet interface going to the switch, one for each VLAN on the switch. I added an IP address to each VLAN interface. I added a DHCP server instance for each VLAN, giving out DNS and default gateway settings inside each subnet's respective scope.
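The router side of the setup described above, written out as a RouterOS configuration. This is an added example, not odinsdream's actual config; it assumes ether2 is the port cabled to the switch uplink, VLAN IDs 10 and 20, and the subnets 192.168.10.0/24 and 192.168.20.0/24.

```routeros
# Added example (not the poster's own config). Assumptions: ether2 goes to the
# Netgear uplink port, VLAN IDs 10 and 20, subnets 192.168.10.0/24 and
# 192.168.20.0/24. On the switch: each client port is an untagged member of
# exactly one VLAN (its PVID), and the uplink port is a tagged member of both.

# One 802.1Q sub-interface per VLAN, all riding on the physical uplink.
/interface vlan
add name=vlan10 vlan-id=10 interface=ether2
add name=vlan20 vlan-id=20 interface=ether2

# The router's own address in each subnet; this is the gateway for that VLAN.
/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20

# Lease ranges, one pool per subnet.
/ip pool
add name=pool-vlan10 ranges=192.168.10.100-192.168.10.200
add name=pool-vlan20 ranges=192.168.20.100-192.168.20.200

# One DHCP server instance per VLAN interface. A DISCOVER that arrives tagged
# with ID 20 is delivered to vlan20 only, so only dhcp-vlan20 can answer it;
# a client on one VLAN cannot obtain a lease from another VLAN's scope.
/ip dhcp-server
add name=dhcp-vlan10 interface=vlan10 address-pool=pool-vlan10 disabled=no
add name=dhcp-vlan20 interface=vlan20 address-pool=pool-vlan20 disabled=no

# Options handed out with each lease: gateway and DNS inside that subnet.
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
```

After a client on each VLAN has booted, `/ip dhcp-server lease print` should show leases whose addresses match the VLAN of the switch port the client is plugged into; a lease from the wrong subnet means that port's PVID or the uplink's tagged membership is wrong on the switch.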

Thanks very much!
posted by odinsdream at 6:00 PM on December 2, 2007
