DHCP server with multiple scopes: Which scope is used? Can I force a scope? [on hold]

Forgive me if the DHCP nomenclature is common, but Windows DHCP Server allows creation of multiple "scopes", where a "scope" is effectively a subnet, within which a range of assignable addresses can be defined. It also has "superscopes", which are effectively a collection of "scopes".

Consider a single DHCP server with two defined scopes, named "LAN" and "VPN", configured with the intent that my remote-access VPN clients obtain an address from one, and my LAN users obtain an address from the other; how do I stop the LAN connections getting an address from the "VPN" scope?

I know I can coerce the VPN clients to get an address from the "VPN" scope, because the VPN device acts as a relay which is configured to request from the specific scope (Cisco ASA: tunnel-group/dhcp-server and group-policy/dhcp-network-scope). I haven't Wiresharked, but I presume the ASA sets GIADDR in its requests, or something.

But how do I stop any old LAN client (Windows, Linux, etc.), on the same L2 as the DHCP server, from getting an address in either scope? Do I have to VLAN away my DHCP server and have the ASA do dhcprelay? Because I can't use both dhcprelay and tunnel-group/dhcp-server; it's a known limitation of the ASA.

(I'd prefer solutions that are known to work in both Windows Server 2003 and Windows Server 2008 R2 DHCP, but will accept Windows Server 2016, as we are mid-migration.)

NB: I'm specifically looking to avoid having address allocation be done in more than one place, so defining an ip local pool on the ASA is out.
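The mechanism the question turns on (why a relayed request lands in one scope and a local broadcast in another) can be modelled in a few lines. The following is an added example, not code from the original post: it parses the fixed BOOTP header of a constructed DHCPDISCOVER to pull out GIADDR, then applies the selection rule of RFC 2131 section 4.3.1, which picks the scope whose subnet contains GIADDR when the packet came through a relay and the subnet of the receiving interface otherwise. A superscope is modelled as a set of scopes that all become candidates once any member matches; the scope names, subnets, interface address and the "ASA stamps its VPN-side address into GIADDR" behaviour are assumptions for illustration, not verified Windows or ASA behaviour.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# Fixed BOOTP/DHCP header, first 28 bytes:
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
BOOTP_FIXED = "!BBBBIHH4s4s4s4s"


def build_discover(giaddr="0.0.0.0", xid=0x3903F326):
    """Constructed DHCPDISCOVER header (sample packet, not a capture).

    giaddr stays 0.0.0.0 for a client broadcasting on its own LAN; a relay
    agent (assumed here: the ASA) overwrites it with its own interface address
    and bumps the hops counter.
    """
    zero = IPv4Address("0.0.0.0").packed
    hops = 0 if giaddr == "0.0.0.0" else 1
    return struct.pack(BOOTP_FIXED, 1, 1, 6, hops, xid, 0, 0x8000,
                       zero, zero, zero, IPv4Address(giaddr).packed)


def giaddr_of(packet):
    """Return the relay agent address (GIADDR) from a raw DHCP packet as text."""
    fields = struct.unpack(BOOTP_FIXED, packet[:28])
    return str(IPv4Address(fields[-1]))


class Scope:
    """A scope is a subnet; the assignable range inside it is not modelled."""
    def __init__(self, name, subnet):
        self.name = name
        self.subnet = IPv4Network(subnet)


class DhcpServer:
    def __init__(self, scopes, superscopes=None):
        self.scopes = list(scopes)
        # superscope name -> set of member scope names (assumed semantics:
        # once one member matches, every member is a candidate)
        self.superscopes = {k: set(v) for k, v in (superscopes or {}).items()}

    def candidate_scopes(self, packet, rx_iface_addr):
        """Scopes the server may allocate from for this DISCOVER.

        RFC 2131 4.3.1: select on GIADDR if the packet was relayed, otherwise
        on the address of the interface the broadcast arrived on.
        """
        giaddr = giaddr_of(packet)
        key = IPv4Address(rx_iface_addr if giaddr == "0.0.0.0" else giaddr)
        for scope in self.scopes:
            if key in scope.subnet:
                for members in self.superscopes.values():
                    if scope.name in members:
                        return [s.name for s in self.scopes if s.name in members]
                return [scope.name]
        return []  # no scope covers this subnet: the server stays silent


# Constructed topology (assumed addresses, RFC 5737 documentation ranges).
LAN_IFACE = "192.0.2.10"          # the DHCP server's LAN interface
SCOPES = [Scope("LAN", "192.0.2.0/24"), Scope("VPN", "198.51.100.0/24")]
SEPARATE = DhcpServer(SCOPES)                                   # two plain scopes
JOINED = DhcpServer(SCOPES, {"Everything": ["LAN", "VPN"]})    # both in a superscope


def demo():
    local = build_discover()                   # LAN client broadcast, no relay
    relayed = build_discover("198.51.100.1")   # relay stamps its VPN-side address
    return {
        "lan_client_separate": SEPARATE.candidate_scopes(local, LAN_IFACE),
        "vpn_client_separate": SEPARATE.candidate_scopes(relayed, LAN_IFACE),
        "lan_client_superscope": JOINED.candidate_scopes(local, LAN_IFACE),
    }


if __name__ == "__main__":
    for case, scopes in demo().items():
        print(f"{case}: {scopes}")
```

Under this model a LAN broadcast only ever matches the scope that contains the server's own interface address, so the "VPN" scope is out of reach for local clients as long as its subnet differs from the LAN subnet and the two scopes are not grouped into one superscope; grouping them is exactly what makes "VPN" a candidate for the LAN broadcast in the third case.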
