DHCP For Voice And Data VLANs With Router-on-a-Stick

Question

Background:

I have 2 Powerconnect 62xx switches stacked with a Watchguard XTM-26 between them and the outside world. Currently all devices connected to the switch are in the same vlan and the default gateway is the watchguard.

We've recently installed Polycomp SoundPoint 335 Voip handsets. Because of port limitations, computers are plugged into the phones, and the phones are plugged into the wall.

For various reasons, I'd like to segment the voice traffic on it's own vlan. The Powerconnect switches have a nice "Voice Vlan" feature that seems to do exactly that: it automatically detects packets coming from the phones and tags them with the vlan id of my choice at the switch.

Where I've run into problems is with my DHCP server. Currently the DHCP server is on a Windows Server 2008 R2 machine attached to the Data VLAN. Initially I figured I'd just use IP Helper / DHCP Relaying. With DHCP relaying enabled, DHCP Discover broadcasts are intercepted from the voice vlan and converted to unicast UDP packets from my switch to the DHCP server on data vlan. The DHCP server processes the request and then tries to respond with a Unicast DHCP Offer packet directed to the ip of the virtual router on the voice vlan .

The packet from the DHCP server on the data vlan to the voice vlan virtual router never makes it to the voice vlan, for a fairly obvious reason: IP is outside the local subnet, so it gets forwarded to the default gateway (on the watchguard) which then bounces it back.

Questions:

• I was told by a dell rep that configuring limiting routing between the vlans as well as to the watchguard would be problematic and that my best option is to go with a full router-on-a-stick configuration. (Routing between vlans and to external net all handled on Watchguard.) Is this accurate? The only traffic that needs to be routed between vlans is DHCP packets, so there's not really a bottleneck issue.

• Is there any reasonable way to configure routing on the managed switch such that udp traffic to and from the dhcp server gets routed across vlans and everything else out-of-subnet gets forwarded on to the watchguard? I've setup routes that seem like they would accomplish this, but it never seems to work quite right.

Answer 1

You have a layer-3 switch...

• This can be accomplished by enabling routing on the switch.
• Create a VLAN interface and IP address on the voice VLAN.
• Your default gw for anything that needs to communicate across VLANs should be that interface ip.
• Same for the data network. Your default gateway should be the switch.
• Add helper-addresses in the voice VLAN for your DHCP server IP.
• Add a route to the switch for 0.0.0.0/0 to go to the Watchguard firewall (e.g. anything not directly connected or with a specific route has a next-hop of the firewall).

I don't have a Dell L3 switch handy, but an HP ProCurve data/voice routing table looks like the following, where:

Firewall/internet gateway is: 192.1.2.250
Voice VLAN 210 - Device default gw is: 172.16.120.1
Data VLAN 201 - Devices default gw is: 192.1.2.1

---

continental-core# sh ip route
                                                  IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  0.0.0.0/0          192.1.2.250     201  static               1          1    
  127.0.0.0/8        reject               static               0          0    
  127.0.0.1/32       lo0                  connected            1          0    
  172.16.120.0/24    Continental ... 210  connected            1          0    
  192.1.2.0/24       Continental ... 201  connected            1          0