DHCP, DNS, log on traffic across VLAN's

 
 
smokejo@googlemail.com

 
      12-06-2006, 08:25 AM
Hi there

Currently, our network is flat and unmanaged. We have a bunch of
Netgear switches across 4 floors.

We're planning to upgrade to Cisco 2960's and a 3550 for L3 switching.
3 VLAN's will be created; VLAN1 (192.168.1.0/24) for desktops/laptops,
VLAN2 for guests (192.168.2.0/24) which will be isolated from the rest
of the network, and VLAN3 for the servers (192.168.3.0/24).

The 3550 will provide routing between VLAN1 and VLAN3. My question is,
how will DNS and DHCP work here? Will the DHCP server in VLAN3 be able
to provide addresses that aren't local to its own subnet (i.e. will it
be able to lease addresses in the 192.168.1.0/24 range, when it itself
is in the 192.168.3.0/24 subnet), providing that the 'ip helper' and
'service DHCP' commands are entered? Same with DNS... will it be able to
register addresses in another subnet even though there is a route to
it?

Has anyone implemented this sort of system before? I'm worried that if
we do segment the network to this, then even domain logon traffic can
be affected.

Thanks

 
 
 
 
 
Ace Fekay [MVP]

 
      12-06-2006, 06:11 PM
In news:(E-Mail Removed) ups.com,
(E-Mail Removed) <(E-Mail Removed)> stated, which I commented on
below:
> Hi there
>
> Currently, our network is flat and unmanaged. We have a bunch of
> Netgear switches across 4 floors.
>
> We're planning to upgrade to Cisco 2960's and a 3550 for L3 switching.
> 3 VLAN's will be created; VLAN1 (192.168.1.0/24) for desktops/laptops,
> VLAN2 for guests (192.168.2.0/24) which will be isolated from the rest
> of the network, and VLAN3 for the servers (192.168.3.0/24).
>
> The 3550 will provide routing between VLAN1 and VLAN3. My question is,
> how will DNS and DHCP work here? Will the DHCP server in VLAN3 be able
> to provide addresses that aren't local to its own subnet (i.e will it
> be able to lease addresses in the 192.168.1.0/24 range, when it itself
> is in the 192.168.3.0/24 subnet) providing that the 'ip helper' and
> 'service DHCP' commands are entered. Same with DNS...will it be able
> to register addresses in another subnet even though there is a route
> to it?
>
> Has anyone implemented this sort of system before? I'm worried that if
> we do segment the network to this, then even domain logon traffic can
> be affected.
>
> Thanks


Sure, this is done by many. For DHCP, either provide a DHCP server on each
VLAN, or configure a DHCP relay agent, or allow DHCP broadcasts from the
switch across the VLANs (I believe called 'IP Helpers') and specify the
DHCP address, but then you will need to specify the router's IP in the DHCP
relay agent property.


--
Ace
Innovative IT Concepts, Inc (IITCI)
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer


 
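The mechanism behind Ace's answer, as an added example that is not part of the thread: a relay (the 3550's 'ip helper-address') stamps the client's broadcast DISCOVER with the giaddr of the VLAN interface it arrived on, and the server picks the scope from giaddr rather than from its own address. The SVI address 192.168.1.1, the server address 192.168.3.10 and the scope contents are assumptions.

```python
import ipaddress
import struct

BOOTREQUEST = 1
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed BOOTP header, 236 bytes
COOKIE = b"\x63\x82\x53\x63"        # DHCP magic cookie
ZERO4 = b"\0" * 4

def build_discover(mac: bytes, xid: int) -> bytes:
    """Client DISCOVER, sent as a broadcast: ciaddr/yiaddr/siaddr/giaddr are 0.0.0.0."""
    hdr = struct.pack(HDR, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000, ZERO4, ZERO4,
                      ZERO4, ZERO4, mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + COOKIE + b"\x35\x01\x01\xff"   # option 53 = DHCPDISCOVER, then end

def relay(pkt: bytes, svi_ip: str) -> bytes:
    """'ip helper-address' on a VLAN SVI: the switch stamps giaddr with that SVI's
    address, bumps the hop count and unicasts the packet to the DHCP server."""
    f = list(struct.unpack(HDR, pkt[:236]))
    if f[10] == ZERO4:                      # only the first relay hop sets giaddr
        f[10] = ipaddress.IPv4Address(svi_ip).packed
    f[3] += 1
    return struct.pack(HDR, *f) + pkt[236:]

def choose_scope(pkt: bytes, scopes: dict, server_ip: str):
    """Server side: giaddr, not the server's own address, selects the scope, so a
    server in 192.168.3.0/24 can lease 192.168.1.x. Returns (lease, reply_to)."""
    f = struct.unpack(HDR, pkt[:236])
    relayed = f[10] != ZERO4
    selector = ipaddress.IPv4Address(f[10] if relayed else server_ip)
    for net, pool in scopes.items():
        if selector in net and pool:
            lease = str(pool.pop(0))
            return lease, (str(selector) if relayed else "255.255.255.255")
    return None, None                       # no scope for that subnet: no OFFER

# Constructed scopes on the VLAN3 server (assumed at 192.168.3.10). There is
# deliberately no 192.168.2.0/24 scope: guests must not get internal leases.
SCOPES = {
    ipaddress.IPv4Network("192.168.1.0/24"): [ipaddress.IPv4Address("192.168.1.50")],
    ipaddress.IPv4Network("192.168.3.0/24"): [ipaddress.IPv4Address("192.168.3.50")],
}

def simulate(client_vlan_svi: str, server_ip: str = "192.168.3.10"):
    """One DISCOVER from a client behind the given SVI, relayed to the server."""
    pkt = relay(build_discover(b"\x00\x11\x22\x33\x44\x55", 0x1234), client_vlan_svi)
    return choose_scope(pkt, {k: list(v) for k, v in SCOPES.items()}, server_ip)

if __name__ == "__main__":
    print(simulate("192.168.1.1"))   # VLAN1 SVI: lease from the 192.168.1.0/24 scope
    print(simulate("192.168.2.1"))   # VLAN2 SVI: no scope, nothing offered
```

The second call shows why the guest VLAN should simply have no helper address pointing at the internal server: even if one were configured, a server with no matching scope stays silent, but the cleaner control is to not relay guest broadcasts at all.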
 
smokejo@googlemail.com

 
      12-06-2006, 09:03 PM

Ace Fekay [MVP] wrote:

> In news:(E-Mail Removed) ups.com,
> (E-Mail Removed) <(E-Mail Removed)> stated, which I commented on
> below:
> > Hi there
> >
> > Currently, our network is flat and unmanaged. We have a bunch of
> > Netgear switches across 4 floors.
> >
> > We're planning to upgrade to Cisco 2960's and a 3550 for L3 switching.
> > 3 VLAN's will be created; VLAN1 (192.168.1.0/24) for desktops/laptops,
> > VLAN2 for guests (192.168.2.0/24) which will be isolated from the rest
> > of the network, and VLAN3 for the servers (192.168.3.0/24).
> >
> > The 3550 will provide routing between VLAN1 and VLAN3. My question is,
> > how will DNS and DHCP work here? Will the DHCP server in VLAN3 be able
> > to provide addresses that aren't local to its own subnet (i.e will it
> > be able to lease addresses in the 192.168.1.0/24 range, when it itself
> > is in the 192.168.3.0/24 subnet) providing that the 'ip helper' and
> > 'service DHCP' commands are entered. Same with DNS...will it be able
> > to register addresses in another subnet even though there is a route
> > to it?
> >
> > Has anyone implemented this sort of system before? I'm worried that if
> > we do segment the network to this, then even domain logon traffic can
> > be affected.
> >
> > Thanks

>
> Sure, this is done by many. For DHCP, either provide a DHCP server on each
> VLAN, or configure a DHCP relay agent, or allow DHCP broadcasts from the
> switch across the VLANs (I believe called 'IP Helpers') and specify the
> DHCP address, but then you will need to specify the router's IP in the DHCP
> relay agent property.
>
>
> --
> Ace
> Innovative IT Concepts, Inc (IITCI)
> Willow Grove, PA
>


Thanks Ace. For VLAN2, we've decided that the Cisco PIX would carry out
DHCP assignments, and all addresses in VLAN3 (the server VLAN) would be
static, therefore it's only VLAN1 we'd need DHCP services to. We could
configure a DHCP server within VLAN1 or use IP Helper...is any method
preferred, would you say?

How about other server traffic such as DNS, log on traffic, etc...am I
correct in thinking these won't be affected as long as there is a route
between VLAN1 and 3?

 
 
Ace Fekay [MVP]

 
      12-07-2006, 04:33 AM
In news:(E-Mail Removed) s.com,
(E-Mail Removed) <(E-Mail Removed)> stated, which I commented on
below:
> Thanks Ace. For VLAN2, we've decided that the Cisco PIX would carry
> out DHCP assignments, and all addresses in VLAN3 (the server VLAN)
> would be static, therefore it's only VLAN1 we'd need DHCP services
> to. We could configure a DHCP server within VLAN1 or use IP
> Helper...is any method preferred, would you say?
>
> How about other server traffic such as DNS, log on traffic, etc...am I
> correct in thinking these won't be affected as long as there is a
> route between VLAN1 and 3?


I have done it a couple ways. But for the most part, I would rather have a
DHCP server on that LAN. In scenarios such as WAN connectivity with a
reliance on a central controlled DHCP, if the WAN were to be down for any
length of time, it will cause problems. But with VLANs, that's not the case
and could probably go with an IP helper (DHCP agent) to a Windows DHCP. This
way you know that DNS registration (more important for AD, or actually
rather use the term "desired") will work. Using the PIX doesn't work with
DNS registration.

Logon traffic will be affected. You will now need to configure Sites for
each subnet, that is if you want workstation authentication to be controlled
by a specific VLAN's DC. If no DC on VLAN3, then I would add an IP Subnet
object representing that subnet and add it to the VLAN1's Site Name.

Ace


 
 
smokejo@googlemail.com

 
      12-07-2006, 01:42 PM

>
> I have done it a couple ways. But for the most part, I would rather have a
> DHCP server on that LAN. In scenarios such as WAN connectivity with a
> reliance on a central controlled DHCP, if the WAN were to be down for any
> length of time, it will cause problems. But with VLANs, that's not the case
> and could probably go with an IP helper (DHCP agent) to a Windows DHCP. This
> way you know that DNS registration (more important for AD, or actually
> rather use the term "desired") will work. Using the PIX doesn't work with
> DNS registration.


VLAN2 will be our high-security VLAN for guest laptops where we can't be
sure of the anti-virus protection. Our PIX has a logical interface for
this VLAN, so there will only be a connection to the internet - no
talking with our servers. The PIX will assign DHCP addresses, and the
clients will use the ISP's DNS servers for name resolution (coded into
the PIX).

As for VLAN's 1 and 2, there will be routing between them, but we're
separating them to create smaller broadcast domains. You're saying that
if the DHCP server was on VLAN1 (client VLAN) and the DNS servers on
VLAN3 (server VLAN), even if there was intervlan routing and IP
helpers, that DNS registration won't take place? The DNS and DHCP
servers have to be in the same subnet? To be honest, I wasn't even
aware that DNS and DHCP servers were tied in like that, but I'm not a
Microsoft expert!

> Logon traffic will be affected. You will now need to configure Sites for
> each subnet, that is if you want workstation authentication to be controlled
> by a specific VLAN's DC. If no DC on VLAN3, then I would add an IP Subnet
> object representing that subnet and add it to the VLAN1's Site Name.
>
> Ace


Both DC's will be in VLAN3, we don't want any DC's on VLAN1. At the
moment, we have one VLAN (192.168.1.0/24) and that is the subnet
specified for the site in AD. If we were to move the DC's to
192.168.3.0/24, would we have to change the subnet in AD to the
192.168.3.0 address, or add 192.168.3.0 so that there are two subnets
configured? In Sites and Services, does the IP subnet refer to the
subnet of the DC's or of the clients or both?

Many thanks for your continued help.

 
 
smokejo@googlemail.com

 
      12-07-2006, 01:57 PM

> I have done it a couple ways. But for the most part, I would rather have a
> DHCP server on that LAN. In scenarios such as WAN connectivity with a
> reliance on a central controlled DHCP, if the WAN were to be down for any
> length of time, it will cause problems. But with VLANs, that's not the case
> and could probably go with an IP helper (DHCP agent) to a Windows DHCP. This
> way you know that DNS registration (more important for AD, or actually
> rather use the term "desired") will work. Using the PIX doesn't work with
> DNS registration.


VLAN2 will be our high-security VLAN for guest laptops where we can't be
sure of the anti-virus protection. Our PIX has a logical interface for
this VLAN, so there will only be a connection to the internet - no
talking with our servers. The PIX will assign DHCP addresses, and the
clients will use the ISP's DNS servers for name resolution (coded into
the PIX).

As for VLAN's 1 and 3, there will be routing between them, but we're
separating them to create smaller broadcast domains. You're saying that
if the DHCP server and the DNS servers are on different VLAN's, and
even if there was intervlan routing and IP helpers, that DNS
registration won't take place? The DNS and DHCP servers have to be in
the same subnet? To be honest, I wasn't even aware that DNS and DHCP
servers were tied in like that, but I'm not a Microsoft expert!

> Logon traffic will be affected. You will now need to configure Sites for
> each subnet, that is if you want workstation authentication to be controlled
> by a specific VLAN's DC. If no DC on VLAN3, then I would add an IP Subnet
> object representing that subnet and add it to the VLAN1's Site Name.


> Ace


Hmmm... it may be easier to use our existing VLAN1 for the servers and
leave the AD site configured as it is. VLAN3 will be used for the
clients, but the DC will not be moved, hence we have a situation where
a client is on 192.168.3.0/24 and the DC's are on 192.168.1.0/24. Can
clients still log on? As regards AD Sites and Services, does the subnet
specified relate to the one the DC is on or the one where the clients
are on, or do both have to be specified somewhere?

Peripherals such as printers will also be on the Server VLAN. Am I
correct in thinking that as long as there is a route between the Print
Server and the PC, the PC won't have an issue printing?

 
 
Ace Fekay [MVP]

 
      12-08-2006, 02:10 AM
In news:(E-Mail Removed) oups.com,
(E-Mail Removed) <(E-Mail Removed)> stated, which I commented on
below:
>> I have done it a couple ways. But for the most part, I would rather
>> have a DHCP server on that LAN. In scenarios such as WAN
>> connectivity with a reliance on a central controlled DHCP, if the
>> WAN were to be down for any length of time, it will cause problems.
>> But with VLANs, that's not the case and could probably go with an IP
>> helper (DHCP agent) to a Windows DHCP. This way you know that DNS
>> registration (more important for AD, or actually rather use the term
>> "desired") will work. Using the PIX doesn't work with DNS
>> registration.

>
> VLAN2 will be our high-security VLAN for guest laptops where we can't be
> sure of the anti-virus protection. Our PIX has a logical interface for
> this VLAN, so there will only be a connection to the internet - no
> talking with our servers. The PIX will assign DHCP addresses, and the
> clients will use the ISP's DNS servers for name resolution (coded into
> the PIX).
>
> As for VLAN's 1 and 3, there will be routing between them, but we're
> separating them to create smaller broadcast domains. You're saying
> that if the DHCP server and the DNS servers are on different VLAN's,
> and even if there was intervlan routing and IP helpers, that DNS
> registration won't take place? The DNS and DHCP servers have to be in
> the same subnet? To be honest, I wasn't even aware that DNS and DHCP
> servers were tied in like that, but I'm not a Microsoft expert!


For AD, yes, DNS and DHCP work together. :-) If the PIX DHCP is for guests,
then don't worry about it. For internal hosts, yes, I would rather see you
use a Microsoft DHCP server.


>
>> Logon traffic will be affected. You will now need to configure Sites
>> for each subnet, that is if you want workstation authentication to
>> be controlled by a specific VLAN's DC. If no DC on VLAN3, then I
>> would add an IP Subnet object representing that subnet and add it to
>> the VLAN1's Site Name.

>
>> Ace

>
> Hmmm... it may be easier to use our existing VLAN1 for the servers and
> leave the AD site configured as it is. VLAN3 will be used for the
> clients, but the DC will not be moved, hence we have a situation where
> a client is on 192.168.3.0/24 and the DC's are on 192.168.1.0/24. Can
> clients still log on? As regards AD Sites and Services, does the
> subnet specified relate to the one the DC is on or the one where the
> clients are on, or do both have to be specified somewhere?


Both. Create a subnet object for the clients' subnet. If there are no DCs on
that subnet, then add that subnet object to the current Site name that the
DCs are sitting on that you want them to authenticate to.

>
> Peripherals such as printers will also be on the Server VLAN. Am I
> correct in thinking that as long as there is a route between the Print
> Server and the PC, the PC won't have an issue printing?


Yep! You got it.

Ace



 
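Ace's "Both" answer, modelled as an added example that is not part of the thread: a client is mapped to a site by longest-prefix match of its own address against the IP subnet objects, and the DCs it is steered to are those of that site, regardless of which VLAN the DCs live on. The site name "HQ", the DC names and the layout (subnet object still describing only the old flat network) are assumptions.

```python
import ipaddress

def site_for(client_ip: str, sites: dict):
    """Longest-prefix match of the client's address against the subnet objects.
    Only the client's subnet matters; the DCs are a property of the site."""
    addr = ipaddress.IPv4Address(client_ip)
    best = None
    for name, site in sites.items():
        for net in site["subnets"]:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (name, net)
    return best[0] if best else None

def dcs_for(client_ip: str, sites: dict) -> list:
    """DCs a client is steered to; [] means no site affinity (no subnet object)."""
    site = site_for(client_ip, sites)
    return list(sites[site]["dcs"]) if site else []

def add_subnet(sites: dict, site: str, cidr: str) -> None:
    """Ace's fix: attach an IP subnet object for the client VLAN to the DCs' site."""
    sites[site]["subnets"].append(ipaddress.IPv4Network(cidr))

def build_sites() -> dict:
    """Constructed starting point: one site, both DCs in it, and the subnet
    object still describing only the old flat 192.168.1.0/24 network."""
    return {"HQ": {"dcs": ["DC1", "DC2"],
                   "subnets": [ipaddress.IPv4Network("192.168.1.0/24")]}}

def fixed_sites() -> dict:
    """Same layout after the client VLAN's subnet object has been added."""
    sites = build_sites()
    add_subnet(sites, "HQ", "192.168.3.0/24")
    return sites

if __name__ == "__main__":
    print(dcs_for("192.168.1.25", build_sites()))   # VLAN1 client: ['DC1', 'DC2']
    print(dcs_for("192.168.3.25", build_sites()))   # VLAN3 client, no object: []
    print(dcs_for("192.168.3.25", fixed_sites()))   # after add_subnet: ['DC1', 'DC2']
    print(dcs_for("192.168.2.25", fixed_sites()))   # guest VLAN stays unmapped: []
```

Whichever VLAN ends up hosting the DCs, the check is the same: every internal client subnet needs a subnet object tied to the site those DCs belong to, and the guest subnet deliberately gets none.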
 
smokejo@googlemail.com

 
      12-08-2006, 04:45 PM

Thanks Ace, you've been very helpful.

 
 
Ace Fekay [MVP]

 
      12-11-2006, 03:29 PM
In news:(E-Mail Removed) ups.com,
(E-Mail Removed) <(E-Mail Removed)> stated, which I commented on
below:
> Thanks Ace, you've been very helpful.


My pleasure!


