Assign an IP to a computer from a specific and single DHCP scope

Asaf Lavi 10 Reputation points
2023-05-29T08:57:15.7233333+00:00

Hi,
Our users are using both laptops and desktops for their work.
The laptops are connected to the "Users" VLAN and the desktops are connected to the "Dev" VLAN.
How can I configure a MAC address to be assigned and get an IP from the DHCP server from a specific and single scope? This means that if I connect a desktop to a port which is configured with the "Users" VLAN, the desktop will not get an IP from that scope but only from the "Dev" scope.
Is it possible to configure this on the DHCP side, or does it need to be configured on the switch side (Juniper)?
Thanks.

Windows for business Windows Client for IT Pros Networking Network connectivity and file sharing

4 answers

  1. Khaled Elsayed Mohamed 1,335 Reputation points
    2023-05-30T09:07:03.69+00:00

    Hi Asaf

    To configure a specific MAC address to receive an IP address from a particular DHCP scope, you would need to implement DHCP reservations. DHCP reservations allow you to assign a specific IP address to a device based on its MAC address. In your case, you can create a reservation for the MAC address of the desktops that should receive an IP address from the "Dev" scope.

    The configuration of DHCP reservations is typically done on the DHCP server side rather than the switch side. Since you mentioned using Juniper switches, it is recommended to configure the reservations on the DHCP server.

    Here are the general steps to configure a DHCP reservation on a Windows Server DHCP server:

    1. Identify the MAC address of the desktop that should receive an IP address from the "Dev" scope.
    2. Access your Windows Server DHCP server.
    3. Open the DHCP management console. You can do this by opening the "Server Manager" > "Tools" > "DHCP".
    4. Expand the server name, and then expand "IPv4".
    5. Right-click on "Reservations" and select "New Reservation".
    6. Enter a "Reservation Name" (optional) and specify the MAC address of the desktop.
    7. Choose the "IP address" range from the "Dev" scope that you want to assign to the MAC address.
    8. Optionally, you can set additional DHCP options specific to the reservation, such as DNS servers, gateway, etc.
    9. Click "Add" and then "Close" to complete the reservation configuration.

    By configuring the reservation, the DHCP server will always assign the specified IP address from the "Dev" scope to the desktop with the corresponding MAC address, regardless of the VLAN the desktop is connected to.

    It's important to note that DHCP reservations are typically used for devices with static MAC addresses, such as desktop computers. If a device has a dynamic MAC address, such as a laptop that can connect to different networks, you may need to consider other methods such as using VLAN-based configurations on the switch or other network management techniques to ensure the appropriate IP address assignment.

    Consulting the documentation or seeking guidance from the vendor of your networking equipment, such as Juniper, can provide specific instructions on configuring VLAN-based IP address assignment on the switch side, which can work in conjunction with the DHCP reservation to achieve the desired result.

    1 person found this answer helpful.
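
The reservation steps in the answer above, scripted with the DhcpServer PowerShell module and followed by a lease audit of the "Users" scope (an added example, not part of the original answer; the scope IDs, addresses, MAC addresses and host names are constructed placeholders). The audit is included because a reservation only fixes the address handed out within its own scope, so it shows whether a listed desktop still obtained a lease from the other scope.

```powershell
# Added example: scope IDs, IP addresses, MAC addresses and names below are
# constructed placeholders. Run on the Windows DHCP server.
Import-Module DhcpServer

$DevScope   = '10.0.10.0'   # assumed "Dev" scope ID
$UsersScope = '10.0.20.0'   # assumed "Users" scope ID

# Desktop MAC -> reserved address in the Dev scope (constructed sample data)
$Desktops = @(
    [pscustomobject]@{ Name = 'DEV-PC-01'; Mac = '00-11-22-33-44-55'; IP = '10.0.10.51' }
    [pscustomobject]@{ Name = 'DEV-PC-02'; Mac = '00-11-22-33-44-56'; IP = '10.0.10.52' }
)

# Normalise MAC notation so 00:11:22..., 00-11-22... and 001122... compare equal.
function ConvertTo-NormalizedMac([string]$Mac) {
    ($Mac -replace '[^0-9A-Fa-f]', '').ToLowerInvariant()
}

# 1. Create the reservations in the Dev scope, skipping MACs already reserved.
$existing = Get-DhcpServerv4Reservation -ScopeId $DevScope |
    ForEach-Object { ConvertTo-NormalizedMac $_.ClientId }

foreach ($d in $Desktops) {
    if ($existing -contains (ConvertTo-NormalizedMac $d.Mac)) { continue }
    Add-DhcpServerv4Reservation -ScopeId $DevScope -IPAddress $d.IP `
        -ClientId $d.Mac -Name $d.Name -Description 'Desktop, Dev VLAN only'
}

# 2. Audit: list any desktop MAC that currently holds a lease in the Users scope.
$desktopMacs = $Desktops | ForEach-Object { ConvertTo-NormalizedMac $_.Mac }

Get-DhcpServerv4Lease -ScopeId $UsersScope |
    Where-Object { $desktopMacs -contains (ConvertTo-NormalizedMac $_.ClientId) } |
    Select-Object IPAddress, ClientId, HostName, AddressState, LeaseExpiryTime
```

An empty result from the audit means none of the listed desktops has a lease in the "Users" scope at the time of the check.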

  2. Khaled Elsayed Mohamed 1,335 Reputation points
    2023-05-31T10:49:26.72+00:00

    Hi Pavel

    Can you check the below scenario:

    It is possible to configure a switch to automatically assign VLANs and DHCP addresses to specific MAC addresses. You can also assign specific switch ports to different VLANs and restrict certain MAC addresses from connecting to the wrong ports.

    To implement this configuration, you can follow these steps:

    Create two VLANs: one for the "DEV" network and another for the "Users" network. Let's assume VLAN 10 for "DEV" and VLAN 20 for "Users."

    Configure the switch ports that connect to the desktops (which should be in the "DEV" network) to access VLAN 10. This can be done by setting the switch port mode to access and assigning VLAN 10 to those ports.

    Configure the remaining switch ports that connect to the user devices (laptops) to access VLAN 20. Set the switch port mode to access and assign VLAN 20 to those ports.

    Enable VLAN tagging on the switch ports that connect to the desktops. This means that packets sent from the desktops will have the VLAN 10 tag attached.

    Configure the switch to route packets with the "DEV" VLAN tag (VLAN 10) directly to the "DEV" network, which should have its own DHCP server. This can be achieved by configuring VLAN interfaces on the switch for both VLANs and assigning the appropriate IP addresses and DHCP server settings to each VLAN interface.

    For packets without VLAN tags, route them to the "Users" network, which should also have its own DHCP server and default gateway. Ensure that the VLAN interface for the "Users" network is configured with the correct IP address and DHCP server settings.

    Configure the switch to apply access control lists (ACLs) to block specific MAC addresses from connecting to the wrong ports. For example, you can create an ACL that denies traffic from certain MAC addresses on the ports designated for the "Users" network. This will effectively disable the connection for those MAC addresses if they are connected to the wrong port.

    By implementing these configurations, the switch will automatically assign VLANs and DHCP addresses to the specific MAC addresses. It will also ensure that the desktops in the "DEV" network communicate within that network, and user devices in the "Users" network communicate within their designated network.

    1 person found this answer helpful.

  3. Pavel A 431 Reputation points
    2023-05-31T10:05:15.4233333+00:00

    Asaf,

    What do you actually want: that the switch automatically assigns a VLAN (and then a DHCP address) to specific MAC addresses? Assign some switch ports to DEV and some to "Users" and prohibit machines with specific MAC addresses from connecting to the wrong ports (if a laptop is plugged into a "DEV" port, disable this)?

    I assume that at least the laptops are configured to send and receive packets without VLAN tags.

    If so, you could configure the "DEV" VLAN tag only on the desktops. Then configure the switch so that packets with the "DEV" VLAN tag are routed directly to the DEV network (which has its own DHCP server), and packets without VLAN are routed to the other network, with its own DHCP server and default gateway.

    The MAC address can be checked as well, either by the switch or the DHCP server.

    A deny policy on a DHCP server will only prevent it from dispensing addresses, but cannot stop machines (that try a bit harder) from using the wrong net.


  4. Khaled Elsayed Mohamed 1,335 Reputation points
    2023-06-07T11:04:37.38+00:00

    Hi Asaf

    If you want to achieve the desired network configuration and automatically assign VLANs and DHCP addresses to specific MAC addresses, you can follow these steps:

    Configure the "DEV" VLAN on the switch: Set up a separate VLAN for the DEV network. This can usually be done through the switch's management interface or command line interface (CLI).

    Assign switch ports to the appropriate VLAN: Designate certain switch ports as "DEV" ports and others as "Users" ports. This configuration will ensure that devices connected to the "DEV" ports will be associated with the "DEV" VLAN.

    Configure VLAN routing: Set up VLAN routing on the switch so that packets with the "DEV" VLAN tag are directed to the DEV network, and packets without a VLAN tag are routed to the other network.

    Set up DHCP servers: Configure a DHCP server for each VLAN. The DEV network should have its own DHCP server, which will provide IP addresses to devices in that VLAN. Similarly, set up a DHCP server for the "Users" network.

    Enable MAC address filtering: Enable MAC address filtering on the switch or the DHCP server to ensure that only specific devices are allowed to connect to the designated ports. You can specify the MAC addresses that are permitted on each port and deny access to any unauthorized MAC addresses. This will help prevent devices from connecting to the wrong ports.
