topic Re: Multiple DHCP scopes on single interface in General Topics

Multiple DHCP scopes on single interface

dmwalsh568 — Fri, 17 Feb 2023 16:24:00 GMT

School network here with an old Windows server running DHCP for our 10 VLANs.

Would like to use our PA-3220 firewalls to run DHCP so I can get rid of the old server.

Layer 3 routing happens inside the building network on the top of rack switch (Aruba 6405) DHCP Relay is also enabled on the top of rack switch since the DHCP server is on a separate VLAN to isolate it from other network traffic.

Firewalls are connected via a single interface to the internal network. VLANs are configured on the firewall so it knows about all of them and I have policies enabled to give each VLAN appropriate access to the Internet.

The one document I saw that talked about this issue mentioned creating a virtual router for each scope, but I currently have two virtual routers to enable failover from one ISP feed to another. Wasn't sure how to set up the DHCP scopes without making a mess of the failover VRs.

All suggestions appreciated, even if it's just I should create a case or need to hire a VAR to help me with the config.

Re: Multiple DHCP scopes on single interface

reaper — Mon, 20 Feb 2023 13:16:48 GMT

the dchp scopes will 'live' inside the same VR the interface it's associated to is bound to, so if you have one primary VR thats attached to all your L3 interfaces (in your case vlan interface) all the subnets will be inside that VR's routing table, you'll just need to account for those routes in the other VR by setting a 'next vr' nexthop

but... i'm wondering what the use case is for having your routing set up on your switches while your firewall only has 1 interface connected and is set to layer2. wouldn't it be more logical to set the fw to L3 and perform routing+DHCP there?

Re: Multiple DHCP scopes on single interface

Adrian_Jensen — Tue, 21 Feb 2023 17:01:07 GMT

@reaper The use case would be a superscope setup where, for various reasons, you have your routing in a remote location but you want to consolidate DHCP for management. The most obvious examples would be remote branches and instances where you have a large volume inter-network routing traffic but do not need to filter that traffic on the PA (or filter it with a different devices). I have 20 remote branches and dozens of internal networks with PAs standing between the overall network and the internet/VPN tunnels. Branches are connected by a private WAN across multiple routers, internal corporate inter-LAN traffic can exceed 10Gbs (running on a L3 "switch"), neither is terminated on the PA. Instead, I use a common Windows superscope DHCP server with DHCP relaying enabled on the router which terminates the local network, so I can manage all the DHCP in one central location.

Unfortunately, it doesn't look like it is possible to setup a superscope on the PA, each DHCP instance must be bound to a local interface. See this earlier thread reply from PavelK:

https://live.paloaltonetworks.com/t5/general-topics/configuring-multiple-dhcp-scopes-via-single-layer-3-interface/td-p/443015

Re: Multiple DHCP scopes on single interface

dmwalsh568 — Tue, 21 Feb 2023 21:06:47 GMT

My 3220s are connected via 1Gbps copper lines to the core switch. The Aruba
6405 core switch has dual 10Gbps fiber connections to each IDF and a lot of
our traffic is internal - going between VLANs for printing, connecting to
projectors, etc. I figured there was no sense in forcing most of the
traffic down a shared 1Gbps pipe.

But your reply got me to thinking, and it seems my core switch can do DHCP
service much more easily than futzing around with virtual interfaces and
virtual routes to use a single interface. The core switch already has all
the VLANs and does the layer 3 routing, so adding a DHCP scope to each VLAN
is much easier than doing voodoo on the 3220s.