
First, a little bit about what we're trying to do.

  1. We are migrating from being multiple LANs (multiple subnets) connected over slow VPN links to a single MAN (single subnet) connected with gigabit fiber
  2. We are going to VLAN each site to control cross-site "chatter"
  3. We have a single "datacenter" that will host the servers for all sites
  4. The networks will NOT be routed and, again, will be a single subnet
  5. Our switches support DHCP helper
  6. Our DHCP server is a Windows box running Server 2003, but may be upgraded to 2008

So, my question is this:

With DHCP helper on the switches forwarding DHCP requests, is the address that the DHCP server returns based off of subnet or scope?

So, for instance, if I configured multiple scopes like this:

  • scope 1: 10.1.0.1 through 10.1.20.254
  • scope 2: 10.2.0.1 through 10.2.20.254

and both of these scopes were in the same subnet (mask of 255.0.0.0), would the DHCP server hand out an IP to a machine from either scope at random because the subnet is the same, or would it hand out an IP from, say, scope 1 because the DHCP request was forwarded from a switch with an IP that falls within scope 1?

I've read conflicting information on this topic; some say scope while others say subnet (sometimes using them interchangeably in the same reply).

Any help would be appreciated.

EightQuarterBit

4 Answers

3

Woah, there. What you're saying contradicts itself. You say "single subnet" in one point, but then "VLAN each site" in the second point. Then you say "the networks will NOT be routed". Are you sure you know what you're saying here?

Typically 802.1q VLANs are deployed in a one-to-one relationship with IP subnets. Each 802.1q VLAN acts as an independent Ethernet broadcast domain and, as such, broadcasts from one VLAN (like, say, a machine ARP'ing for another machine in the local subnet) won't be forwarded between the VLANs. Splitting a single IP subnet across multiple VLANs requires a "smart" bridge that can do proxy ARP.

How are you planning to get ARP to work between these various VLANs?

If you really want to eliminate "cross-site 'chatter'" then what you really want is a subnet for each physical location, a router at each location connected to the "MAN" to route traffic to the other locations, and "ip-helper" functionality in each router to forward DHCP requests from the various locations to the central DHCP server.

What it sounds like you don't want is a single big subnet with a bunch of bridges running proxy ARP, in my opinion. Your DHCP inquiry really, really speaks to an underlying desire (though you don't know it) to have per-location subnets with DHCP scopes for each.

To speak to your question specifically re: DHCP: A DHCP "scope" is a range of IP addresses and options that a DHCP server will "hand out". The DHCP server chooses the scope to choose an address based on either the network interface the request is received from (if it's a broadcast request) or the address of the DHCP relay agent (if it's a relayed request).

Some background: Best way to segment traffic, VLAN or subnet?

Evan Anderson
  • Clearly you're more eloquent than me! – SpacemanSpiff May 13 '11 at 14:09
  • @Evan ... I have a client in VLAN 1 (10.200.0.0 /24) pulling an IP from our DHCP server (10.200.0.132) via broadcast. The problem I am having is that DHCP handed out an IP address of (10.16.0.124). Why did DHCP decide to hand out an address from the 10.16 scope and not from the 10.200 scope? – Ruisu Sep 21 '11 at 17:46
2

Please provide a diagram and I will revise my answer to truly answer your question. Your explanation is a bit all over the place. You say you're going to have multiple vlans but in the same breath say that you're only going to have one subnet. Each VLAN by nature must be its own subnetwork or inter-vlan routing will not happen. DHCP helper is used to forward DHCP requests from hosts on one subnet to a DHCP server on another, the IP and subnet mask of the interface that forwards the request is what is used to determine which scope to select for address distribution. So you see, you either need to make up your mind that you're truly going to have only one subnet, or you will continue to maintain multiple. It is not typical for the WAN and the LAN to become one big broadcast domain. You probably don't even need VLANs, a simple routed uplink with a default VLAN behind each site may be sufficient.

SpacemanSpiff
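As an added illustration (my own code, not from any answer in this thread) of the rule Evan and SpacemanSpiff both state: a modelled DHCP server picks a scope by matching the relay agent's giaddr (or, for a local broadcast, the address of the receiving interface) against each scope's subnet mask. The packet layout follows RFC 2131, the scope ranges are the ones from the question, and the MAC and relay addresses are constructed; with the question's /8 mask both scopes match, which is exactly the ambiguity being asked about.

```python
import ipaddress
import struct
from dataclasses import dataclass

@dataclass
class Scope:
    name: str
    network: ipaddress.IPv4Network     # subnet the scope serves; its mask decides matching
    pool_start: ipaddress.IPv4Address  # address range actually handed out
    pool_end: ipaddress.IPv4Address

def build_discover(giaddr: str, xid: int = 0x3903F326) -> bytes:
    """Constructed DHCPDISCOVER (BOOTP header only, RFC 2131 layout); giaddr is the relay's address."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 1, xid, 0, 0x8000)  # op, htype, hlen, hops, xid, secs, flags
    hdr += b"\0" * 12                                    # ciaddr, yiaddr, siaddr
    hdr += ipaddress.IPv4Address(giaddr).packed          # giaddr lives at byte offset 24
    hdr += bytes.fromhex("001122334455") + b"\0" * 10    # chaddr (16 bytes, constructed MAC)
    return hdr + b"\0" * 192 + b"\x63\x82\x53\x63"       # sname + file, then the DHCP magic cookie

def giaddr_of(packet: bytes) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(packet[24:28])

def select_scopes(scopes, packet, receiving_iface):
    """Scopes whose subnet contains the key: giaddr if relayed, else the receiving interface.
    More than one match means the scope layout cannot steer the choice."""
    relay = giaddr_of(packet)
    key = ipaddress.IPv4Address(receiving_iface) if relay == ipaddress.IPv4Address("0.0.0.0") else relay
    return [s for s in scopes if key in s.network]

def offer_address(scope, leased):
    """First pool address not already leased, or None when the pool is exhausted."""
    addr = scope.pool_start
    while addr <= scope.pool_end:
        if addr not in leased:
            return addr
        addr += 1
    return None

def question_scopes(prefix_len):
    """The two scopes from the question, under one /8 (as asked) or split into /16s."""
    def mk(name, net, lo, hi):
        return Scope(name, ipaddress.ip_network(f"{net}/{prefix_len}", strict=False),
                     ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
    return [mk("scope 1", "10.1.0.0", "10.1.0.1", "10.1.20.254"),
            mk("scope 2", "10.2.0.0", "10.2.0.1", "10.2.20.254")]
```

Run `select_scopes(question_scopes(8), build_discover("10.1.5.1"), "10.0.0.10")` and both scopes come back; with `question_scopes(16)` only scope 1 does, because the relay address now falls in exactly one subnet.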
1

From my understanding of how DHCP works, the server normally hands out IP addresses based on the IP of the interface that received the request. Before I go any further, I think I need to clarify some keywords. A "scope" (in Windows speak) is effectively a subnet definition, and it can contain one or more address pools from which the server can assign addresses. The main difference is that a scope can contain specific settings (such as NTP servers, routers, DNS servers, etc.) which differ from scope to scope.

Since in your case there would only be one interface (since everybody is on the same subnet), this means it would use the scopes quite randomly. That would then probably cause havoc with your VLANs.

The way to avoid this is by using specific conditions to tell the DHCP server which scope to use for particular requests. I am not aware of any filters you could use for your scenario (in Windows DHCP, the ISC DHCP server is a lot more flexible in that regard, but even there you would probably struggle to define suitable conditions).

Therefore I would rather suggest you use one DHCP server per site, and disable the DHCP helper.

wolfgangsz
0

If you put the sites on separate VLANs then they will not be able to communicate without routing, so there would be no difference in having them on different subnets anyway.

Why do you want them all on one subnet? It seems to me that you are trying to use networking in a way that was not intended and causing yourself problems in the process.

JamesRyan