Monday, June 1, 2020

What made VRFs "click" for you?

I'm just about to start a small task to break up a single /16 network (my old boss didn't understand subnets properly when an acquisition happened before my time) into /24s for proper segmentation/access control.

I think I understand VRFs enough that the fact my firewall supports them seems like a solution - "old" VRF with the original /16 on it, then as I create the necessary VLANs I can add those interfaces to a "new" VRF with their existing/conflicting IP ranges (as the /16 is assigned to our business unit I can't just pick new addresses), then remove the old VRF once everything's on the correct VLAN and had its vSwitch port group/mask/gateway changed.

What I'm struggling with is how services like DHCP or VPNs work - for example, if I have a DHCP pool configured for 192.168.0.0/16, and I also have 192.168.0.0/24 on the new VRF, how would dhcpd know which interface it should be listening on for that subnet, since you don't configure dhcpd by interfaces (I believe it just works those out for itself at startup based on the subnets you've defined)? Is the idea that you need to run two instances of the DHCP server (one per VRF) which don't conflict with each other?
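An added illustration (not part of the post, and not any firewall's or dhcpd's real code) of why overlapping prefixes force per-VRF DHCP state: a pool is identified by the interface, and therefore by the VRF it belongs to, while a lookup by prefix alone is ambiguous once the old /16 and the new /24 coexist. The interface names, VRF names and MAC strings below are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Pool:
    """One DHCP range; lease state lives here, so it is per (VRF, subnet)."""
    subnet: ipaddress.IPv4Network
    first: int                      # offset of the first leasable address
    leases: dict = field(default_factory=dict)   # mac -> IPv4Address

    def lease(self, mac):
        if mac in self.leases:
            return self.leases[mac]
        used = set(self.leases.values())
        base = int(self.subnet.network_address)
        for off in range(self.first, self.subnet.num_addresses - 1):  # skip broadcast
            ip = ipaddress.IPv4Address(base + off)
            if ip not in used:
                self.leases[mac] = ip
                return ip
        raise RuntimeError("pool exhausted")


class VrfDhcp:
    """Pools are keyed by (vrf, subnet); an interface maps to exactly one such key."""

    def __init__(self):
        self.iface = {}    # ifname -> (vrf, subnet)
        self.pools = {}    # (vrf, subnet) -> Pool

    def add_interface(self, ifname, vrf, cidr, first=10):
        net = ipaddress.ip_network(cidr)
        self.iface[ifname] = (vrf, net)
        self.pools[(vrf, net)] = Pool(net, first)

    def offer(self, ifname, mac):
        """Resolve the pool from the interface (hence the VRF), never from the prefix."""
        key = self.iface[ifname]
        return key[0], self.pools[key].lease(mac)

    def vrfs_overlapping(self, cidr):
        """Which VRFs hold a pool that overlaps this prefix; >1 means prefix-only
        lookup (one shared server) cannot tell the pools apart."""
        net = ipaddress.ip_network(cidr)
        return sorted({v for (v, n) in self.pools if n.overlaps(net)})


# Constructed sample layout: the untouched /16 on the old VRF, new /24s on the new one.
d = VrfDhcp()
d.add_interface("eth1", "old", "192.168.0.0/16")
d.add_interface("vlan10", "new", "192.168.0.0/24")
d.add_interface("vlan11", "new", "192.168.1.0/24")
```

Offers on `eth1` and `vlan10` can both hand out 192.168.0.10 without colliding because their lease tables are separate, while `vrfs_overlapping("192.168.0.0/24")` returns both VRFs, which is exactly why a single prefix-keyed server (or lease file) cannot serve both sides.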
