[c-nsp] Cisco noob -- design guidance request

David L. West nntp at deskoptional.com
Sun Sep 2 00:12:07 EDT 2007 

I'm setting up a new LAN in an office building with multiple tenants who 
will be sharing internet access, DNS/DHCP but have individual VLANS to keep 
them seperate from the other tenants.  I think that the key here is having 
each VLAN have a "helper address" that serves as a DHCP Relay Agent , which 
in turn is how the DHCP server "knows" which range to hand the client.

After a lot of googling, I came up with a configuration that I think will 
allow all the VLANs to share a DNS/DHCP server, and am detailing it here in 
the hopes of getting some indication of whether I'm on the right track.

David L. West
Albuquerque NM USA

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

The basic scheme is:

 VLAN 002 switches, router, and OpenVMPS
 VLAN 010 ISP #1
 VLAN 020 ISP #2
 VLAN 030 Internet access, NAT, firewall, DNS/DHCP
 VLAN 102-227 Tenant networks

The server has a NIC configured with multiple IPs, like so:

 172.16.0.1 / 255.255.255.254 ; Subnet 0 -- Reserved for switches & routers
 172.16.2.0 / 255.255.255.254 ; Subnet 1 -- Reserved for network servers
 172.16.4.0 / 255.255.255.254 ; Subnet 2 -- First tenant subnet (VLAN 102)
 172.16.6.0 / 255.255.255.254 ; Subnet 3 -- First tenant subnet (VLAN 103)
 ...
 172.16.0.255 / 255.255.255.254 Subnet 127 (VLAN 227)

This NIC is connected to a switch port configured like so:

 interface GigabitEthernet0/12
 switchport trunk allowed vlan 30,102-227
 switchport mode trunk
 spanning-tree portfast

The Vlans 102-227 are derived by adding 100 to the subnets above, so VLAN102 
is:

 interface Vlan102
 ip address 172.16.5.254 255.255.254.0
 ip helper-address 172.16.4.1
 no ip route-cache

DHCP is running on the server with a dhcpd.conf like so:

 ddns-update-style interim;
 max-lease-time 86400;
 default-lease-time 21600;
 option ip-forwarding off;

 shared-network Inside {

   subnet 172.16.4.0 netmask 255.255.254.0 {
      range 172.16.4.32 172.16.5.253;
      option subnet-mask 255.255.254.0;
      option broadcast-address 172.16.5.255;
      option routers 172.16.4.1, 172.16.4.2;
      option domain-name-servers 172.16.4.1, 172.16.4.2;
      option nntp-server 172.16.4.1, 172.16.4.2;
      option domain-name "tenant1.mybuilding.com.";
   }

   ... above repeats for each subnet

  }

More information about the cisco-nsp mailing list