11-23-2017 09:54 AM
I have a router with 2 VLANs. The router is connected to a PaloAlto and behind this PaloAlto I have a server which serves DHCP. The VLAN interfaces on the router are configured with a helper address to the DHCP server.
We would like to remove all servers (and go fully cloud based). I decided I want the PaloAlto to serve the DHCP function. So: I should define the 2 DHCP scopes of the routed VLANs to the interface connected to this router. However: It seems I’m restricted to only 1 IP scope per interface. Can I work around this issue?
Side note: I’m not able to attach the routed VLANs directly to the PaloAlto because of its maximum MAC entries.
11-24-2017 03:13 AM
Just a stab in the dark...
Could you not add an unused interface, keep your current VLAN structure but point one of the helper addresses to the new interface with a scope for that VLAN?
Or just find some old hardware and use Linux DHCP.
11-27-2017 12:29 AM
I thought about that.
Not able to test at this moment, but does this interface need an IP address to serve DHCP? At that moment the egress traffic for that VLAN will go directly to that interface since it’s directly connected.
And what about the MAC restrictions? Does the firewall keep those MAC entries in its table?
11-27-2017 12:40 AM
I can't really advise as I've never had to do this myself.
Yes, I would assume it needs an IP address so that you can add this as an "ip helper" for VLAN2.
So.... VLAN1 ip helper would point to your existing interface and VLAN2 helper to your new (not directly connected but routed) interface.
Life would have been easier if the DHCP server could be added per subnet or sub-interface on the PA.
You may be able to do something clever with VLAN tagging, but not sure if your VLAN switch is capable... good luck anyhows...
Mick.
11-27-2017 01:53 PM
You could create a new virtual router and add the interface to the new VR. That way, traffic in the default VR destined for that subnet won't egress through the DHCP enabled port.
11-29-2017 03:49 AM
Thanks for your reply
I just tested this with a dedicated virtual router, and this seems to work.
However: the leases show up in my ARP table. Is there a way to avoid that? The main reason for the router is the limitation in the ARP table of the Palo Alto.
11-29-2017 07:54 AM - edited 11-29-2017 07:54 AM
As far as I know, there's no way to keep those entries from the ARP table. They should time out on that interface after 30 minutes and probably not be present again until the hosts try to renew their leases.
What model are you using that can't handle the necessary ARP entries?