Plan for Scaling when Your Firewall Serves DHCP

When your firewall serves DHCP, use these VLAN, addressing, and routing strategies so you can scale the solution.
This section discusses how to scale the solution in which the firewall provides DHCP services, as described in Configure a Pre-PAN-OS 10.0 Firewall with a DHCP Server.

Align Numbers of VLAN Subinterfaces with Physical Interfaces

For consistency, align the VLAN subinterface numbers with the physical interface numbers they serve. For example, interface vlan.1 serves DHCP for the network attached to ethernet1/1. This lets you associate the two with each other more quickly and troubleshoot issues more easily later.

Conserve IP Addresses for VLAN Subinterfaces

When production IP address space is used for the VLAN interfaces, giving them IP addresses with 32-bit netmasks will conserve address space. You can use addresses from a single network (for example, 1.1.1.0/24) for all the VLAN interfaces. Because these interfaces exist solely to serve DHCP to a local network, the addresses assigned to the VLAN interfaces don’t need to be routable in the rest of the enterprise. Operationally, this means that the same network space and addresses can be used for VLAN interfaces on all firewalls in the enterprise.

Configure a Network Route to all VLAN Interfaces

When configuring this solution for multiple interfaces, the routing configuration changes slightly. On the default (production) virtual router, you can configure a single network route to the VLAN interfaces instead of a collection of host routes. In the figure below, all of the VLAN interfaces have addresses that can be summarized by a 1.1.1.0/24 route.
On the DHCP virtual router, add network routes for each network for which a VLAN interface serves DHCP and set the default (production) virtual router as the next hop. Adding network rather than host routes for the DHCP relay agents allows the probe feature on the DHCP servers to function.
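The following script is an added example (not Palo Alto Networks' own tooling) that ties the three strategies above together: it aligns vlan.N with ethernet1/N, carves a /32 per VLAN subinterface out of 1.1.1.0/24, and emits the summary route on the production virtual router plus one network route per served subnet on the DHCP virtual router. It assumes the VLAN subinterfaces live in a separate virtual router named `dhcp` (the production one is `default`) and that the PAN-OS CLI forms `static-route <name> destination <prefix> nexthop next-vr <vr>` and `virtual-router <vr> interface <ifname>` apply; verify them against your PAN-OS version before committing.

```python
import ipaddress
import re

# Non-routable space shared by every VLAN subinterface (from the page); /32s are carved from it.
VLAN_SUMMARY = ipaddress.ip_network("1.1.1.0/24")
PROD_VR, DHCP_VR = "default", "dhcp"  # assumed virtual-router names


def vlan_plan(served):
    """served: list of (physical interface, network it carries) pairs such as
    ("ethernet1/3", "10.0.3.0/24"). Returns one entry per VLAN subinterface:
    vlan.N aligned to ethernet1/N, with 1.1.1.N/32 as its address."""
    plan = []
    for phys, net in served:
        m = re.fullmatch(r"ethernet\d+/(\d+)", phys)
        if not m:
            raise ValueError(f"unexpected interface name: {phys}")
        n = int(m.group(1))
        if not 1 <= n <= 254:
            raise ValueError(f"index {n} of {phys} does not fit in {VLAN_SUMMARY}")
        network = ipaddress.ip_network(net, strict=True)  # rejects host bits in a route
        plan.append({
            "phys": phys,
            "vlan_if": f"vlan.{n}",
            "vlan_ip": f"{VLAN_SUMMARY.network_address + n}/32",
            "served_net": str(network),
        })
    return plan


def panos_commands(served):
    """Emit the routing side of the design: one summary route on the production
    VR toward the DHCP VR, and one network route per served subnet on the DHCP VR
    back to the production VR (network routes keep DHCP server probing working)."""
    cmds = [
        f"set network virtual-router {PROD_VR} routing-table ip static-route vlan-summary "
        f"destination {VLAN_SUMMARY} nexthop next-vr {DHCP_VR}"
    ]
    for e in vlan_plan(served):
        tag = e["vlan_if"].replace(".", "-")
        cmds.append(f"set network interface vlan units {e['vlan_if']} ip {e['vlan_ip']}")
        cmds.append(f"set network virtual-router {DHCP_VR} interface {e['vlan_if']}")
        cmds.append(
            f"set network virtual-router {DHCP_VR} routing-table ip static-route {tag}-net "
            f"destination {e['served_net']} nexthop next-vr {PROD_VR}"
        )
    return cmds


if __name__ == "__main__":  # constructed sample: two served networks on two physical ports
    print("\n".join(panos_commands([("ethernet1/1", "10.0.1.0/24"),
                                    ("ethernet1/3", "10.0.3.0/24")])))
```

Because every firewall reuses the same 1.1.1.0/24 block, the same generated VLAN addressing can be applied across the enterprise; only the served subnets change per firewall.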
