IP Addressing via DHCP using both Public and Private IPs (very advanced question)

MJT2k

Senior member
May 28, 2001
My college is soon to run out of public IPs and they need to start to run NAT. The IT department is trying to figure out how to implement a system that will allow them to hand out both public and private IPs via a DHCP server. I know that this can be done, and so does the IT department. "THE CATCH": they want to go a step farther and set certain MAC addresses to get public IPs while the rest get private IPs. Also, as soon as the addition and remodeling of the campus is 100% complete and all departments stop moving across the building, they are going to start to use VLANs. They currently can't use VLANs because they don't have enough IPs to divide up among all the VLANs they would have. The hardest part of this is that they don't want to use static IPs because of the number of systems on campus (400+ at any given time, laptops come and go), and they currently don't have NAT running. The IT department would also like to have a web front end for this setup, so that the IT manager and their work-study students can make changes to the system on an as-needed basis. The web front end would be used to add MAC addresses to the config file on whatever DHCP server they end up using.

First question can all this be done or not?

Second question what is the best way of setting this up if it can be done?

From rest of world ---> | Cisco 3640 | ---> Linux Router/NAT Box/DHCP server ---> vLAN1
                                                                           |---> vLAN2
                                                                           |---> vLAN3 & so on
 

Nothinman

Elite Member
Sep 14, 2001
Well, the "standard" DHCP server on Linux (and most Unixes AFAIK) is dhcpd from ISC. There's a hardback book called "The DHCP Handbook" (ISBN: 1-57870-137-6) that is about general DHCP but describes setting it up with dhcpd (with some references to the NT DHCP server).

I'm 99% sure it's workable. The only thing I'm not sure about is whether the DHCP server would need one IP for each network it's serving on or not (easily solved with IP aliases on Linux); I don't think so, but...


For the web front end, WebMin is really cool and has a module for the ISC dhcpd.
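As an added example (not code from this thread, from ISC or from WebMin), the Python below generates the ISC dhcpd.conf fragment behind what MJT2k asked for: a web front end maintains a MAC list, and dhcpd's class/subclass plus shared-network features give those MACs public leases while everyone else on the segment gets a private one. The MAC list, the subnets and the "router is the first host" convention are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample input: the MAC allow-list a web front end would maintain,
# one address per line; '#' starts a comment. (Hypothetical values.)
PUBLIC_MAC_LIST = """
# imaging server in the CST lab
00:11:22:33:44:55
08-00-2b-4c-59-23   # dash-separated entry pasted from a Windows box
"""

def parse_macs(text):
    """Normalise MACs to lower-case colon form and reject anything malformed,
    so a typo in the web form cannot corrupt dhcpd.conf."""
    macs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        octets = re.split(r"[:-]", line)
        if len(octets) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", o) for o in octets):
            raise ValueError(f"malformed MAC address: {raw.strip()!r}")
        macs.append(":".join(octets))
    return macs

def render_dhcpd_conf(public_macs, public_net, private_net):
    """Render a dhcpd.conf fragment: listed MACs draw from the public pool,
    all other clients on the same shared network get a private lease.
    Assumption: the first usable host of each subnet is the router."""
    out = ['class "public-clients" {', '  match hardware;', '}']
    # "1:" is the Ethernet hardware-type prefix dhcpd expects before the MAC.
    out += [f'subclass "public-clients" 1:{mac};' for mac in public_macs]
    out.append('shared-network campus {')
    for cidr, rule in ((public_net, "allow"), (private_net, "deny")):
        n = ipaddress.ip_network(cidr)
        hosts = list(n.hosts())
        out += [
            f'  subnet {n.network_address} netmask {n.netmask} {{',
            f'    option routers {hosts[0]};',
            '    pool {',
            f'      {rule} members of "public-clients";',
            f'      range {hosts[1]} {hosts[-1]};',
            '    }',
            '  }',
        ]
    out.append('}')
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_dhcpd_conf(parse_macs(PUBLIC_MAC_LIST), "203.0.113.0/25", "10.10.0.0/24"))
```

A MAC address is supplied by the client, so the public pool is a convenience for known machines, not an access control; the firewall in front of the campus should not grant anything based on which pool a host landed in.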
 

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
All they have to do is assign "Scopes."

Pretty much any DHCP server can do Scopes, and provide persistent leases based on a MAC.

FWIW

Scott
 

Garion

Platinum Member
Apr 23, 2001
Two comments:

Yes, you can do this. There are, however, a few things to know.

When you set up DHCP, you create "scopes", which are address lists assigned for a network. Scopes can either be totally dynamic, or you can reserve certain IPs to be handed out to machines with specific MAC addresses and leave the others dynamic. You can assign some networks private IPs and some networks public IPs - it doesn't differentiate, it just doles out the IPs that you give it.

When you have a DHCP server on one network that's handing out IPs to machines on another network, it can ONLY give out IPs from one IP network. This is because the request is forwarded by a router or some kind of DHCP helper agent which "tags" the request as being from a specific network. This means that you won't be able to integrate private IPs and public IPs on the same segment. Different router segments, no problem; just not on the same segment with secondary IPs on the router interface. This isn't used that often, but some people try to run different IP subnets on the same router interface to save $$. It works OK, but doesn't work well with DHCP.

If you're going to use NAT within your campus network, it would be best done using a router, not a full firewall, in this case. Most firewalls won't pass through DHCP requests, and if you want to keep a single DHCP server you'd be stuck. Do you really need to do NAT inside your network? Your routers should simply treat the public and private IPs in a similar manner - the only place you should have to NAT is at your firewall.

NT does make a good DHCP server that's very easy to use. It's not web-based, but you could run it on a Windows 2000 server and use the Terminal Server mode. That would let you remote control the server (much like pcAnywhere) from anywhere on the campus network.

- G
 

crazydave

Senior member
Apr 18, 2000
My school has the network divided up into VLANs and they use Nortel NetID to administer it. Individual department network admins have the option of using the campus DHCP and NetID to administer their own VLAN or setting up their own DHCP server. With the IPs that are allocated to a VLAN, the admin can filter stuff based on different MACs, etc. So that sounds like what you want to do, and possibly another solution.
 

MJT2k

Senior member
May 28, 2001
Thanks for the input.

Currently the school has 2 main campuses (Willmar & Hutchinson). The one campus (Willmar Campus) will need to implement NAT at the end of this school year (June 2002). I am unsure how many public IPs they have on that campus (something like 4 full blocks).

My campus (Hutchinson) has 2 sub-campuses. The smaller of the 2 (East Campus) has a 128 block of IPs and doesn't need more than that. The larger campus (Main Campus) has the other half of the smaller campus's subnet going to the CST program (Computer Systems Technology). The rest of the campus has 3 full blocks of IPs, of which 2 are currently in use. They want to play with this setup on my campus because it is smaller and is only 2 buildings instead of 5+ buildings.

My campus has plans for breaking the campus up into VLANs, 5 total. Each wiring closet will be one VLAN and the CST program will be a VLAN. With the current number of IPs the campus has, they are planning to give each VLAN a half block and have one full block to play with. They also want to start using NAT so that they don't have to light up the last block of IPs they have this year (my campus has a laptop lease program in 2.5 programs - 2 programs require laptops and a 3rd has laptops as an option).

They currently are getting low on public IPs, and the CST program currently can't use their block of IPs because they are spread out across about 1/4 of the school waiting on the remodeling of their new section to be completed (December at the soonest). Students and staff roam all over campus with laptops, and the CST program needs more than 128 IPs at any given time, so having 128 IPs per VLAN doesn't really help. They want to give all the laptops private IPs unless they "need" a public IP for what they are doing. With laptops, and the fact that some people have DSL or cable Internet at home, they can't use static IPs.
 

spidey07

No Lifer
Aug 4, 2000
If you want to handle the roaming, set the DHCP lease time to something ridiculous like one hour. I generally use 30 days, but if there is going to be a lot of lease/renewals then I'll go less.

Or if you're doing an IP address change, then you'll lower it to a few hours.