ExtremeSwitching (EXOS)

DHCP Forwarding

  • 1.  DHCP Forwarding

    Posted 11-13-2018 20:31
    We have a VLAN that we want isolated from the rest of the network (hosts on this VLAN can only talk to hosts on the same VLAN). The problem is, we also want DHCP on this VLAN (traffic should get out of that VLAN just to get DHCP addresses from our server). I have enabled bootprelay on the core router. The problem is: if I enable IPForwarding on this VLAN, it won't be isolated anymore.

    Is there a way to keep IPForwarding disabled while routing DHCP traffic only?

    Thanks in advance.


  • 2.  RE: DHCP Forwarding

    Posted 11-13-2018 20:35
    Hi Alex,

    You would have to have a separate DHCP server for that vlan. One option is to enable it on the router or firewall--just for that vlan.

    Thanks
    Brad


  • 3.  RE: DHCP Forwarding

    Posted 11-13-2018 22:13
    Perhaps a policy to deny all but DHCP originating in that VLAN?


  • 4.  RE: DHCP Forwarding

    Posted 11-13-2018 22:15
    Another thought. Can you stretch the VLAN to a subinterface on your DHCP and disable other services on that interface?


  • 5.  RE: DHCP Forwarding

    Posted 11-13-2018 20:35
    Thanks for the input Brad. However, having a separate DHCP for that VLAN is not an option, as we want to manage IPs on that scope with our campus DHCP server.


  • 6.  RE: DHCP Forwarding

    Posted 11-13-2018 20:35
    Brad, we were actually able to convince management to set up DHCP services in the core routers just for this VLAN. We've configured and tested this; all looking good.

    TY


  • 7.  RE: DHCP Forwarding

    Posted 11-13-2018 22:13
    Yep, it's looking like I may have to go this route (I was trying to avoid deploying an ACL in our Core router). It'd be nice if Extreme switches could have IPForwarding disabled but bootpr enabled for a particular VLAN 🙂.
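
The policy idea from replies 3 and 7, sketched as an EXOS ACL policy file. This is an added example, not a configuration posted in the thread: the policy name `vlan_isolate`, the VLAN name `ISOLATED` and the subnet 192.0.2.0/24 are placeholders, and it assumes IP forwarding stays enabled on the VLAN so that bootprelay keeps working.

```text
# vlan_isolate.pol  (policy name, VLAN name and subnet are placeholders)
# Entries are evaluated in file order.

# DHCP client traffic (broadcast discovery and unicast renewals) is allowed
# so the relay on the core router can pass it to the campus DHCP server.
entry permit_dhcp_client {
    if match all {
        protocol udp;
        source-port 68;
        destination-port 67;
    } then {
        permit;
    }
}

# Hosts on the VLAN may still reach each other and the local gateway address.
entry permit_same_subnet {
    if match all {
        source-address 192.0.2.0/24;
        destination-address 192.0.2.0/24;
    } then {
        permit;
    }
}

# Any other IPv4 packet entering on this VLAN is dropped, so nothing
# from the isolated hosts is routed to other VLANs.
entry deny_other_ipv4 {
    if match all {
        source-address 0.0.0.0/0;
    } then {
        deny;
    }
}

# Validate and bind from the CLI:
#   check policy vlan_isolate
#   configure access-list vlan_isolate vlan "ISOLATED" ingress
```

Try it on a lab switch first and confirm that clients still obtain leases through bootprelay and can still ARP for each other before binding it on the core.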



  • 8.  RE: DHCP Forwarding

    Posted 11-13-2018 22:15
    Interesting idea... however, the DHCP server is managed by a different group and they will not allow this setup.