
The situation

I have a Windows SBS 2008 box running as DC/DNS/DHCP/Exchange/File Server to a network on 192.168.1.0/24. Suffice it to say that the IP of the SBS box is immutable. At some point in the past my predecessor here attempted to get 2 NICs running with 2 IPs on it (which is so very unsupported) and since then, attempting to change any of the network properties causes it to bluescreen on the prompted-for restart - we have had to restore from snapshots when this happens; there doesn't seem to be a way around it.

We have recently started a project to get rid of SBS and build a real 2008/2012 (tbd) domain with 2 DCs, a separate VM for Exchange, one for fileshares etc etc (yay!) but the prerequisite is that we transition to a new IP scope (we will be getting onto a VPN with Head Office, allowing us to offload many of these services onto their network).

This leaves me in kind of a sticky situation - I need to get the routers, workstations, terminals... pretty much everything on the network EXCEPT DC/DNS/DHCP/Exchange/File server onto a different scope, while maintaining connection to those services running on SBS which has to stay on 192.168.1.0/24 .

One further complication on the issue is - we have 2 gateways here. One is used by SBS, the other... pretty much everything else - This is to allow SMTP and HTTPS traffic from outside to hit it.

The Plan

OK so here is what I plan to do - I have set up a VM with a minimal install of Ubuntu 12.04 and a NIC on each network scope. It has static routes set up to reach each network on its respective interface, and I plan to push out another route via DHCP allowing clients on the different scopes to contact each other by routing through the Linux box.

So for example I have routes:

Client at 10.0.0.20

```
destination 192.168.1.0 mask 255.255.255.0 gateway 10.0.0.10 interface 10.0.0.20
```

Linux router at 10.0.0.10 & 192.168.1.10

```
destination 192.168.1.0 mask 255.255.255.0 gateway 0.0.0.0 interface 192.168.1.10
destination 10.0.0.0    mask 255.255.255.0 gateway 0.0.0.0 interface 10.0.0.10
```

DC at 192.168.1.200

```
destination 10.0.0.0 mask 255.255.255.0 gateway 192.168.1.10 interface 192.168.1.200
```

At the same time I will move the internet gateway currently being used by everyone (not the one set up for the DC) to the 10.0.0.0/24 network, so the 10.0.0.0/24 clients have a default gateway in their scope and the 192.168.1.0/24 clients (just the DC really) have a default gateway in its scope (at this point the only remaining things in the 192.168.1.0/24 network are the DC and its gateway).

The Question

Yes I am getting around to asking something! I want to confirm whether the DC can serve DHCP to these clients while being in a different scope. Research has led me here, which seems to suggest it is not possible without a DHCP Relay server in one case (Assuming I am correctly parsing a "network segment" as fairly analogous to a subnet), but also mentions Super Scope, which sounds like it MIGHT answer the issue (as it assigns address to any devices outside the other scopes... I think).

It seems to me that when a client is requesting an address it doesn't yet have an address anyway, so how can it determine whether it is in the same "network segment" as the DC anyway?

To clarify in a TL;DR kind of format - Can I serve 10.0.0.0/24 addresses as well as other network properties like static routes, DNS and default gateways to clients from a DHCP server sitting at 192.168.1.200/24 ? Do I need to use a Superscope to do so?

Also if you see any other problems with my plan, please don't keep quiet!

The Addendum

Using the DHCP-helper tool suggested by @HopelessN00b I was able to get this actioned fairly smoothly! A few things were problematic -

  • The clients are all in the same network segment; there is no need to go through a layer 3 switch to reach the DHCP server. This resulted in all my clients grabbing 192 addresses because they were communicating directly with the server. I wanted to keep the 192 scope listed because a) if I had gotten in this morning to discover I had screwed up, it would be easy to roll back; and b) as a handy listing of those services still on the 192 subnet; but I was able to get around this dodgily by creating an exclusion range for the scope that matched the full range of scoped addresses (i.e., the scope went from 192.168.1.20 to 192.168.1.200, so I created an exclusion range from 192.168.1.20 - 192.168.1.200). It makes me feel a little dirty, but it works, and the 192 subnet only needs to survive a few weeks for us to migrate services.
  • There were a few devices which I discovered this morning do not support receiving a static route through the DHCP option 121 (namely: WYSE terminals). They were happily taking 10.61.73.x addresses but had no way to route to terminal server on 192.168.1.x. As the terminal server itself happily took the routes, I set them up statically in the 192 subnet for now, which has resolved their issues.

@us10610 wanted to know the config I used on Linux for DHCP-Helper - it was scarily simple - `/etc/default/dhcp-helper` contains a single line I modified from the default: `DHCPHELPER_OPTS="-b eth1"`

eth1 being the NIC that shares a subnet with the DHCP server. It then happily accepted DHCP UDP from its other NIC and broadcast it on eth1.

Chris O'Kelly
    TL;DR comment - you will probably need IP Helper on the 10.0.0.0/24 core switch for example telling it to relay DHCP requests to your DC. Then some L3 routing device to get it there. – PnP Mar 13 '14 at 23:51
  • @PnP So I don't know for sure that I follow perfectly - I don't have a core switch, as such, for 10.0.0.0/24, but I have several SRW2024's and 2 SG300-28P's which are the switches for the network - they have IP addresses, but if I understand correctly those are just for management, so none of them would be specifically the "core" switch for either network... I think (please correct me if I am wrong). The SG-300's have a DHCP relay feature, which I can give a VLAN (they all have only one VLAN) and DHCP IP address? So I would need another router (an L3?) to make this work? – Chris O'Kelly Mar 14 '14 at 00:17
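The addendum pushes the 192.168.1.0/24 route to clients with DHCP option 121 and finds that some terminals ignore it. As an added illustration that is not part of the original post, here is an encoder and a strict decoder for the option 121 payload format (RFC 3442): prefix length, only the significant octets of the destination, then the router address. RFC 3442 also says a client that honours option 121 ignores option 3, so the default route is included in the constructed route list below; the 10.0.0.1 gateway is an assumed value.

```python
import ipaddress

def encode_option_121(routes):
    """Encode [(destination_cidr, router_ip), ...] as the payload of DHCP option
    121 (RFC 3442): one byte prefix length, then only the significant octets of
    the destination, then the four router octets."""
    payload = bytearray()
    for dest, router in routes:
        net = ipaddress.ip_network(dest)
        sig = (net.prefixlen + 7) // 8  # significant destination octets
        payload.append(net.prefixlen)
        payload += net.network_address.packed[:sig]
        payload += ipaddress.ip_address(router).packed
    return bytes(payload)

def decode_option_121(payload):
    """Inverse of encode_option_121; rejects malformed or truncated payloads
    instead of silently installing a partial route."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"bad prefix length {plen}")
        sig = (plen + 7) // 8
        if i + 1 + sig + 4 > len(payload):
            raise ValueError("truncated option 121 payload")
        dest = bytes(payload[i + 1:i + 1 + sig]) + b"\x00" * (4 - sig)
        router = bytes(payload[i + 1 + sig:i + 5 + sig])
        net = ipaddress.ip_network(f"{ipaddress.ip_address(dest)}/{plen}", strict=False)
        routes.append((str(net), str(ipaddress.ip_address(router))))
        i += 1 + sig + 4
    return routes

if __name__ == "__main__":
    # Constructed route list matching the question's plan plus a default route.
    wire = encode_option_121([("192.168.1.0/24", "10.0.0.10"), ("0.0.0.0/0", "10.0.0.1")])
    print(wire.hex(), decode_option_121(wire))
```

Devices that do not implement option 121 (the WYSE terminals in the addendum) never see the first route, which is why they could reach their 10.x default gateway but not the 192.168.1.x terminal server.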

2 Answers


You can absolutely use a DHCP server to serve a scope it's not a part of, so long as the traffic can flow between the two subnets.

The trick is that DHCP requests are generally only served out to the broadcast domain the client is on, so to get around that, you place an IP-helper address on the piece of network gear the client is connecting through so that it will forward UDP traffic (such as your clients' DHCP requests) on to the specified IP address (the IP address of your DHCP server).

And I did check before I answered; this is possible on Linux (and Ubuntu) boxes being used as switches or routers, though I'm not sure on the precise syntax and/or what additional packages you might need to do so. I did, however, find this page, which suggests a program to use and how to use it, so that might be a good place for you to start.

HopelessN00b
  • Hey, thanks very much for the help! just checking here, I have quite a few switches in place here, we have several switches, as well as WiFi Access Points and the linux box with which I plan to do the subnet<->subnet routing, so the route from client to DC might go Client->WAP->Switch 1->Switch 2->Linux router->Switch 3->DC Server. Would I need to set up the IP Helper on all the switches, WAP's and the Linux router? Instinct tells me the switches and WAP should be invisible at this level of routing and it should just be the Linux box, right? – Chris O'Kelly Mar 14 '14 at 00:27
  • Actually the diagram on that second link very strongly suggests that only the Linux router will need it, not all the intermediary switches. I'll be actually actioning this tomorrow when the office is empty, so I'll give it a go and mark an answer then - thank you again very much for the help! – Chris O'Kelly Mar 14 '14 at 00:47
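The question asks how a client with no address yet can be matched to a scope, and the addendum found that clients sharing the server's segment kept getting 192 addresses until that scope was fully excluded. As an added model, not code from either answer or from dhcp-helper itself, this shows the two pieces: the relay stamps giaddr with its own address on the client subnet, and the server (per RFC 2131) picks the scope from giaddr, or from its own interface when giaddr is zero. Scope ranges, the 10.0.0.1 router and the relay address 10.0.0.10 are constructed from the question.

```python
import ipaddress

SERVER_IP = ipaddress.ip_address("192.168.1.200")  # the SBS box in the question
# Constructed scopes; the 192 exclusion spans its whole pool, as in the addendum.
SCOPES = {
    ipaddress.ip_network("192.168.1.0/24"): {
        "pool": ("192.168.1.20", "192.168.1.200"),
        "excluded": ("192.168.1.20", "192.168.1.200"),
        "router": "192.168.1.1",
    },
    ipaddress.ip_network("10.0.0.0/24"): {
        "pool": ("10.0.0.20", "10.0.0.200"),
        "excluded": None,
        "router": "10.0.0.1",
    },
}
LEASED = set()

def relay(discover, relay_iface_ip):
    """What dhcp-helper does on its client-facing NIC: if giaddr is still zero,
    stamp it with the relay's own address there, then unicast to the server."""
    if discover["giaddr"] == "0.0.0.0":
        return {**discover, "giaddr": relay_iface_ip, "hops": discover["hops"] + 1}
    return discover

def select_scope(discover):
    """RFC 2131: choose the scope containing giaddr when it is set, otherwise
    the one containing the server interface the broadcast arrived on."""
    anchor = ipaddress.ip_address(discover["giaddr"])
    if anchor == ipaddress.ip_address("0.0.0.0"):
        anchor = SERVER_IP
    return next((net for net in SCOPES if anchor in net), None)

def offer(discover):
    """Return (offered_ip, router) from the selected scope, or None when every
    address in it is excluded or already leased (no DHCPOFFER goes out)."""
    net = select_scope(discover)
    if net is None:
        return None
    cfg = SCOPES[net]
    lo, hi = (ipaddress.ip_address(a) for a in cfg["pool"])
    xlo, xhi = (ipaddress.ip_address(a) for a in cfg["excluded"]) if cfg["excluded"] else (None, None)
    ip = lo
    while ip <= hi:
        if ip not in LEASED and not (xlo is not None and xlo <= ip <= xhi):
            LEASED.add(ip)
            return (str(ip), cfg["router"])
        ip += 1
    return None
```

A DISCOVER that reaches the server directly on the shared segment selects the 192 scope and, with the full exclusion in place, gets no offer; the copy forwarded by the relay carries giaddr 10.0.0.10 and is answered from the 10 scope.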

In a network with multiple segments you use the 'IP helper' to implement a directed broadcast to the DHCP server. The 'helper' is implemented at the layer 3 boundary (router, SVI, ...) and is required for each individual segment.

I'm not sure of the syntax on a Linux router, but on a Cisco multilayer switch or router it would be:

```
interface Vlan1099
 ip address 10.10.99.1 255.255.255.0
 ! 10.10.1.254 is the DHCP server address
 ip helper-address 10.10.1.254
```

Good luck and please post the Linux syntax as I would like to know how it works :)

MichelZ
us10610
  • Just wanted to say thank you for taking the time to answer - I've marked @HopelessN00b's as he provided the tool I used and some more information about how it works, but your pointing out that the ip-helper is required at level 3 gave me confidence in my assumption of where it was needed, and helped me determine the problem when clients were still getting 192 addresses. Thank you! – Chris O'Kelly Mar 17 '14 at 02:13