
  • DHCP & VLANs

    Hi Guys,

    I have the scenario below that I need to figure a way out of:
    - staff network with 70 nodes, VLAN100
    - 8 x external clients using our serviced-office (2 nodes each), total 16 nodes, VLAN201-208, no inter-VLANs traffic allowed
    - 2 x 48port L2 switches stacked into 1 virtual 96-port switch (for all the VLANs)
    - 1 x Fortigate 60C firewall

    Thought of the following ways to assign IPs to these VLANs :
    1. Via Windows Server DHCP with differing scopes for each VLAN
    2. Let Windows assign IPs for VLAN100 and Firewall's DHCP assign IPs for VLANs 201-208
    3. Use 48+24Ports stacked switch for VLAN100 & a L3-Lite switch (eg. HP Procurve 1910) for VLANs 201-208. Let the L3-switch do the DHCP role.

    Much as Method 1 is the simplest to implement, I'm not comfortable with external computers accessing an in-house DC/DHCP/File&Print Server for IPs. I'm deciding between Methods 2 or 3.

    If Method 2, I understand that one higher-end firewall is able to assign a DHCP scope to different ethernet ports on it, i.e. Scope 1 for Port 1 to VLAN201, etc. What is this feature usually known as in firewall speak? Also, can anyone confirm whether the Fortigate 100C is able to perform this job?

    If Method 3, the HP1910 will be VLANed into 8 and I'd need to assign the gateway as the Firewall, correct? Also, I assumed the DHCP on 1910 will be able to assign differing scope to the various VLANs? How will the Firewall be able to route the incoming traffic (diff VLANs, diff scope) from the 1910 to the internet?

    Pardon me for asking so much. I'm not very versed in networking.

    Thank you.
    Last edited by galantico; 29th June 2013, 13:07.

  • #2
    Re: DHCP & VLANs

    Unless the switch is doing the DHCP role, the default gateway is irrelevant to DHCP as you need to relay the requests to your server.

    Which is why I would personally go with option 1. I understand where you are coming from, but if the VLAN is non-routable, or your ACLs are protecting your traffic, then you don't have to worry.

    Set up an IP Helper on your VLAN pointing to your internal DHCP server, set up the scope and job done.

    The switch actually relays the DHCP broadcast (broadcast > unicast) so your clients don't actually touch the internal DHCP as such anyway.

    Just my 2c

    * Shamelessly mentioning "Don't forget to add reputation!"
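    The relay behaviour described in this reply, as an added illustration (not code from the thread or from any switch vendor): the VLAN interface stamps its own address into the DHCP giaddr field before forwarding the client's broadcast as unicast to the helper address, and the server picks the scope from giaddr alone. Scope addresses, VLAN interface addresses and the client MAC are constructed assumptions.

```python
import struct
import ipaddress

# Constructed scopes, one per VLAN (addresses are assumptions, not from the post).
SCOPES = {
    "VLAN100": ipaddress.ip_network("10.100.0.0/24"),
    "VLAN201": ipaddress.ip_network("10.201.0.0/24"),
    "VLAN202": ipaddress.ip_network("10.202.0.0/24"),
}
# Address of each VLAN interface on the switch; this is where the IP helper is configured.
VLAN_INTERFACES = {"VLAN100": "10.100.0.1", "VLAN201": "10.201.0.1", "VLAN202": "10.202.0.1"}

# Fixed BOOTP/DHCP header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr (16 bytes); options omitted for brevity.
HDR = "!BBBBIHH4s4s4s4s16s"
ZERO4 = b"\x00" * 4

def build_discover(xid: int, mac: bytes) -> bytes:
    """Client DHCPDISCOVER as broadcast: giaddr is 0.0.0.0, the client knows nothing yet."""
    chaddr = mac.ljust(16, b"\x00")
    return struct.pack(HDR, 1, 1, 6, 0, xid, 0, 0x8000, ZERO4, ZERO4, ZERO4, ZERO4, chaddr)

def relay(packet: bytes, vlan: str) -> bytes:
    """What the switch's DHCP relay does: bump hops, set giaddr to the receiving VLAN
    interface (only if no earlier relay set it), then forward as unicast to the helper."""
    fields = list(struct.unpack(HDR, packet))
    fields[3] += 1  # hops
    if fields[10] == ZERO4:
        fields[10] = ipaddress.ip_address(VLAN_INTERFACES[vlan]).packed
    return struct.pack(HDR, *fields)

def relay_info(packet: bytes) -> tuple:
    """(hops, giaddr) of a packet, for inspection."""
    fields = struct.unpack(HDR, packet)
    return fields[3], str(ipaddress.ip_address(fields[10]))

def choose_scope(packet: bytes, server_subnet: str = "10.100.0.0/24") -> str:
    """Server side: giaddr selects the scope. A zero giaddr means the DISCOVER arrived
    directly on the server's own subnet (here VLAN100), not through a relay."""
    giaddr = ipaddress.ip_address(struct.unpack(HDR, packet)[10])
    if giaddr == ipaddress.ip_address("0.0.0.0"):
        local = ipaddress.ip_network(server_subnet)
        return next(name for name, net in SCOPES.items() if net == local)
    for name, net in SCOPES.items():
        if giaddr in net:
            return name
    raise LookupError(f"no scope covers relay address {giaddr}")

if __name__ == "__main__":
    pkt = build_discover(0x1234, bytes.fromhex("001122334455"))  # constructed MAC
    print(choose_scope(pkt), "->", choose_scope(relay(pkt, "VLAN201")))
```

The server never sees the client's broadcast, only the relay's unicast carrying giaddr, which is what lets one Windows DHCP server serve VLAN100 directly and VLANs 201-208 through the helper.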