Separating DHCP possible in WRV200?

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by ShrewLWD, Apr 16, 2007.

  1. ShrewLWD

    ShrewLWD LI Guru Member

    Hi everyone!

    Is it possible to have this router sit in a small business environment that runs its own DHCP, but run its own DHCP for a VLAN?

    For instance, say our business has a Server and 2 LAN member clients. We also want to offer guests one LAN and wireless ability, but don't want them getting DHCP from the server. Can I set up VLANs like this?

    VLAN 1
    Port 1 - Server
    Port 2 - Member client
    Port 3 - Member Client
    All DHCP from Server

    VLAN 2
    Port 4 - Open plug in lobby
    All DHCP from Router

    Any assistance would be appreciated!
  2. ShrewLWD

    ShrewLWD LI Guru Member

    No bytes?
  3. sirsquishy

    sirsquishy LI Guru Member

    Why not just relay DHCP off the server from your Linksys router (or whatever you are running) and let the server know that any requests that come in from the Router's IP get a Range of X.X.X.X.
  4. ShrewLWD

    ShrewLWD LI Guru Member

    Wouldn't that mean the server would have to be in the same VLAN as the guest VLAN?
  5. Toxic

    Toxic Administrator Staff Member

    Perhaps you could assign Static IP addresses to the hardware you require from the router using MAC address. All other hardware would be ignored, or just give each hardware its own Static IP address. (full stop)
  6. ShrewLWD

    ShrewLWD LI Guru Member

    I guess I don't understand what I am missing here then with this device. How can it sell itself as offering VLANs (including isolation) but still need it to come back to the same device for DHCP info?

    Is there another device out there that would offer true VLAN separation?
  7. Sfor

    Sfor Network Guru Member

    All VLAN communication goes through the router. So, the router is a common node (point) of all VLANs, and excluding the router itself from a VLAN does not seem to be a logical option. That's why I doubt a device able to exclude itself from a VLAN formed by it exists. In any case, a VLAN without access to the router functions will lose Internet access. So, there is not much sense in designing such an ability.

    The simplest solution would be to set up another wireless router with its own DHCP server just for the guests. The "guest" LAN will be separated from the business LAN that way.

    But, I see yet another solution:
    - switch off the WRV200 DHCP server.
    - connect a LAN switch or hub to the LAN port 4
    - connect another DHCP server to the switch
    - connect the lobby open plug to the switch

    The result will be two separate networks with two different DHCP servers. The problem is, both DHCP servers will have to use different IP ranges. Otherwise the router will not be able to work correctly.
  8. ifican

    ifican Network Guru Member

    Let me see if I can remember this right without having to break out my device to look. The device does offer VLAN support, but not VLAN tagging as you are probably used to dealing with. All IPs will come out of the same scope, but the router keeps an internal table of what IPs belong to what VLANs. So if you make ports 1, 2 and 4, say, VLAN 10, and make port 3 VLAN 20, all machines on ports 1, 2 and 4 can communicate; however, port 3 is isolated. Now, as previously stated, you can use switches to make more ports available to a particular VLAN. As for the wireless, I know there is a setting that will keep the wireless clients segregated (AP isolation, I believe it is), but what I don't know is if that is something that you can also make as granular as allowing SSID 1 to connect to VLAN 20 but not 10. That is something that I would have to test; perhaps someone out there might know the answer to that one.
  9. Sfor

    Sfor Network Guru Member

    The VLAN config page allows you to define 5 VLANs.

    Each VLAN can be assigned to particular ports and an SSID. So, it should be possible to make VLANs from LAN and WLAN ports as well.

    TCP/IP is not the only protocol stack available. So, just keeping track of what IP belongs to what VLAN is not a way to make VLANs. A much better way is to keep track of MACs, as the MAC is the real address the packets are sent to in Ethernet-based networks.
  10. ShrewLWD

    ShrewLWD LI Guru Member

    Here is my concern...

    If I leave DHCP turned on in the router, I don't care if all the SSIDs get DHCP from it. What I want to know is if I can block other machines on the local network from getting DHCP from it, rather than the main server.

    Assume a win2003 DC server is plugged into a switch, providing service to 15 clients. I want to plug this router in as the gateway for the network, so it also gets plugged into that switch. What's to stop client machines from inadvertently getting a DHCP number from this box, rather than the server? I would be using a different IP range to separate the Wireless devices from the LAN, so if they get the wrong IP, all kinds of programs will break.

  11. Sfor

    Sfor Network Guru Member

    I think you should add another router between the small business environment and the internet gateway. Both networks will be separated that way.

    It is not possible to separate the built-in DHCP server from the Internet gateway. The only way to block access to the DHCP server while leaving Internet access is to add another router, as far as I know. The DHCP protocol is not able to go through a router, while Internet access will go through it.
  12. ifican

    ifican Network Guru Member

    As far as this device is concerned, this is indeed the best way to think about VLANs. Now something else came to mind in regards to your last question concerning DHCP. If someone plugged into the wrong port, then yes, they will get an IP from the router. However, I don't see why you cannot simply make a bunch of access restrictions for all machines that you want to allow access to and then make a global restriction denying everyone else. That should take care of your concern about machines getting the wrong IP. But in my opinion it's still going to be just as much work, as you are still going to get a call because now nothing works. Over time, with a little education, most users would be OK with understanding what happened and know to look for it or not do it again.
  13. TomSweet

    TomSweet LI Guru Member

    I don't know if it will be possible to isolate the two separate DHCP servers to one VLAN or the other. I can suggest you try a test using the DHCPLOC utility from the Windows Support Tools.

    I have a similar setup at home:
    Wireless | Advanced Wireless Settings | AP Isolation Enabled
    VLAN1 (internal)
    Ports 1-3, SSID1
    Wireless Security is set to allow wireless PCs on same SSID to see each other.
    VLAN2 (houseguests)
    Wireless Security is set to disallow wireless PCs on same SSID to see each other.

    All IP addresses are from the same subnet. I have other parameters not relevant here. Tests indicate guest hosts have no access to internal hosts, but I have not tested to the extent you would need to be comfortable.

    Looking at the routing choices in the WRV200, there are only two interfaces, the WAN, and the "LAN/Wireless". You probably aren't going to be able to handle DHCP requests the way you want because there would be two DHCP servers in the "LAN/Wireless" broadcast domain, and you can't control which DHCP server will receive or respond to any given request first. It would be interesting to know if enabling the "port-based VLAN" further segregates the "LAN/Wireless" broadcast domain into more broadcast domains.

    Having each VLAN be its own broadcast domain would likely solve the problem of visitors getting their DHCP info from only the router. However, you'd still have multiple DHCP servers on your internal LAN, your server and the WRV200. You might be able to find a way to configure your internal workstations to only accept DHCP offers from specifically authorized servers. I didn't find anything on a quick search, but I'd suspect it might be possible through netsh.

    I did come across a potentially very useful MS blog, A.J. Anto, a developer in DHCP in the Windows team.

    Best of luck,
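As an added example (not code from the thread, from Linksys, or from the DHCPLOC tool TomSweet mentions), the check he suggests can be reproduced offline: parse DHCPOFFER replies, group them by the server identifier option (54), and flag any answering server that is not on an authorized list, which is exactly the "two DHCP servers in one broadcast domain" situation the thread is worried about. The packets and the addresses (server 192.168.1.10, WRV200 at 192.168.1.1) are constructed assumptions, not a real capture.

```python
import socket, struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 marker that follows the BOOTP header

def build_offer(server_ip, offered_ip, xid=0x1234abcd):
    """Build a minimal DHCPOFFER (constructed sample data, not a real capture)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         2, 1, 6, 0, xid, 0, 0x8000,  # BOOTREPLY, Ethernet, broadcast flag
                         b"\0" * 4, socket.inet_aton(offered_ip),
                         socket.inet_aton(server_ip), b"\0" * 4,
                         b"\0" * 16, b"\0" * 64, b"\0" * 128)
    options = (bytes([53, 1, 2])                               # 53: message type 2 = OFFER
               + bytes([54, 4]) + socket.inet_aton(server_ip)  # 54: server identifier
               + b"\xff")                                      # end of options
    return header + MAGIC_COOKIE + options

def parse_reply(pkt):
    """Return (message_type, server_identifier), or None if pkt is not a DHCP reply."""
    if len(pkt) < 240 or pkt[0] != 2 or pkt[236:240] != MAGIC_COOKIE:
        return None
    msg_type = server_id = None
    i = 240
    while i < len(pkt) and pkt[i] != 255:  # 255 ends the option list
        if pkt[i] == 0:                    # pad option carries no length byte
            i += 1
            continue
        tag, length = pkt[i], pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if tag == 53 and length == 1:
            msg_type = value[0]
        elif tag == 54 and length == 4:
            server_id = socket.inet_ntoa(value)
        i += 2 + length
    return msg_type, server_id

def audit_offers(packets, authorized):
    """Count OFFERs per server identifier; any server outside `authorized` is flagged."""
    seen = {}
    for pkt in packets:
        parsed = parse_reply(pkt)
        if parsed is None or parsed[0] != 2:
            continue
        seen[parsed[1]] = seen.get(parsed[1], 0) + 1
    rogue = sorted(s for s in seen if s not in authorized)
    return seen, rogue

# Constructed scenario (assumed addresses): server 192.168.1.10 is authorized, the WRV200 at 192.168.1.1 is not.
SAMPLE = [build_offer("192.168.1.10", "192.168.1.50"),
          build_offer("192.168.1.1", "192.168.1.120"),
          build_offer("192.168.1.10", "192.168.1.51")]
```

On a live segment the same `parse_reply` and `audit_offers` would be fed replies read from a UDP socket bound to port 68 after sending a DHCPDISCOVER; a non-empty `rogue` list means the VLAN/port separation is not keeping the router's DHCP server out of that broadcast domain.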