ACI dhcp relay for MS Server 2019

ivanindic (Level 1)

Hi all,

 

We are currently trying to set up DHCP relay inside ACI and also Option 82 on the MS AD SRV 2019. I went through the description in the Cisco technote, which is quite easy for the ACI configuration itself.

What I haven't understood correctly is how to configure the Microsoft DHCP Option 82. Sub-options like Agent Circuit ID (1), Agent Remote ID (2) and Link Selection (5) are needed.

Inside MS DHCP, per scope (IP subnet) only one value can be assigned for the mentioned sub-options (see attachment). When trying to find out those values from the leafs I recognized that every leaf has different sub-option values.

Could you help me understand where I make the mistake? Assigning the DHCP relay per BD means that all leafs have the relay agent configured, which means I would need to configure all leaf values (sub-option) in my Option 82 on MS DHCP. But I can't, as I can only configure one per scope. :-(

 

Thx a lot for helping me out here.

 

Br,

Ivan

18 Replies

Hi all,

 

We finally discovered the proper solution for our use case. Let me share it with you:

If you segment your ACI tenants with a firewall in between and you need to enable DHCP relay in ACI, you need to configure a DHCP relay per tenant.

Inside the relay policy you need to use the application EPG of the "source network", not that of the destination (DHCP server network).

By selecting the source EPG the DHCP relay will translate the DHCP request broadcast to a unicast with the source IP of the source network (anycast gateway). With this setting the traffic which passes the firewall to reach the DHCP server will not be blocked by the spoofing protection of the firewall.

As already mentioned in the previous replies, you don't need to configure Option 82 on the MS 2019 DHCP server. You just need to have a scope for the DHCP server network without available IPs, so that the DHCP server will read the Option 82 link-selection value to choose the proper scope to assign an IP to the client.

Attention: Option 82 with link-selection is generated by the DHCP relay, which means that when the client already got an IP and does an IP lease renewal it will send a direct packet to the DHCP server without Option 82. For this case you need to check the proper configuration on the DHCP server. We are working on it.

Thanks all for your support and wish you a merry Xmas and a HNY 2020.

 

Cheers,

Ivan
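The two posts above (the original question about sub-options 1, 2 and 5, and the solution that relies on the link-selection sub-option plus the caveat about renewals arriving without Option 82) can be made concrete with a small decoder. The following is an added example, not code from the thread or from Cisco/Microsoft: it encodes and parses the TLV sub-options inside DHCP option 82 (RFC 3046, link-selection per RFC 3527) and models a scope selection that prefers link-selection, then giaddr, then ciaddr for a unicast renewal. The scope names, addresses and the circuit/remote ID bytes are constructed for the example; the selection order is a simplified model, not a statement of how Windows Server 2019 DHCP actually decides.

```python
"""Added example: decode DHCP option 82 and pick a scope by link-selection."""
import ipaddress
from typing import Dict, Optional

# Sub-option codes of DHCP option 82 (Relay Agent Information), RFC 3046 / RFC 3527.
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2
SUBOPT_LINK_SELECTION = 5
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255
ZERO = ipaddress.IPv4Address("0.0.0.0")


def build_tlv(subs: Dict[int, bytes]) -> bytes:
    """Encode {code: value} as 1-byte code, 1-byte length, value (DHCP TLV form)."""
    out = b""
    for code, value in subs.items():
        if len(value) > 255:
            raise ValueError(f"value of code {code} too long for a 1-byte length")
        out += bytes([code, len(value)]) + value
    return out


def parse_tlv(payload: bytes) -> Dict[int, bytes]:
    """Decode a TLV list, rejecting truncated entries; used for option 82 sub-options."""
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated sub-option {code}")
        subs[code] = value
        i += 2 + length
    return subs


def parse_dhcp_options(options: bytes) -> Dict[int, bytes]:
    """Decode the DHCP options field (after the magic cookie); 0 is pad, 255 is end."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:
            i += 1
            continue
        if code == OPT_END:
            break
        length = options[i + 1]
        opts[code] = options[i + 2 : i + 2 + length]
        i += 2 + length
    return opts


def select_scope(giaddr: str, ciaddr: str, options: bytes,
                 scopes: Dict[str, ipaddress.IPv4Network]) -> Optional[str]:
    """Simplified model of relay-aware scope choice (assumption, not vendor behaviour):
    link-selection (82/5) wins, then a non-zero giaddr, then ciaddr for renewals."""
    opts = parse_dhcp_options(options)
    candidate: Optional[ipaddress.IPv4Address] = None
    if OPT_RELAY_AGENT in opts:
        subs = parse_tlv(opts[OPT_RELAY_AGENT])
        link = subs.get(SUBOPT_LINK_SELECTION)
        if link is not None and len(link) == 4:
            candidate = ipaddress.IPv4Address(link)
    if candidate is None and ipaddress.IPv4Address(giaddr) != ZERO:
        candidate = ipaddress.IPv4Address(giaddr)  # relayed, but no link-selection
    if candidate is None and ipaddress.IPv4Address(ciaddr) != ZERO:
        candidate = ipaddress.IPv4Address(ciaddr)  # unicast renewal straight from client
    if candidate is None:
        return None
    for name, net in scopes.items():
        if candidate in net:
            return name
    return None


# Constructed sample data: a client BD and the DHCP server's own (empty) scope.
SCOPES = {
    "clients-bd": ipaddress.ip_network("10.20.30.0/24"),
    "dhcp-server-net": ipaddress.ip_network("192.0.2.0/24"),
}
# Constructed option 82 as a leaf relay might insert it; IDs are placeholders.
RELAY_INFO = build_tlv({
    SUBOPT_CIRCUIT_ID: bytes([0x00, 0x01, 0x00, 0x65]),
    SUBOPT_REMOTE_ID: b"leaf-placeholder",
    SUBOPT_LINK_SELECTION: ipaddress.IPv4Address("10.20.30.0").packed,
})
DISCOVER_WITH_82 = build_tlv({OPT_MSG_TYPE: b"\x01", OPT_RELAY_AGENT: RELAY_INFO}) + b"\xff"
DISCOVER_NO_82 = build_tlv({OPT_MSG_TYPE: b"\x01"}) + b"\xff"
RENEW_UNICAST = build_tlv({OPT_MSG_TYPE: b"\x03"}) + b"\xff"  # DHCPREQUEST, no option 82


def demo() -> Dict[str, Optional[str]]:
    """Three cases from the thread: relayed with 82/5, relayed without it, unicast renewal."""
    return {
        "relayed_link_selection": select_scope("192.0.2.1", "0.0.0.0", DISCOVER_WITH_82, SCOPES),
        "relayed_no_option82": select_scope("192.0.2.1", "0.0.0.0", DISCOVER_NO_82, SCOPES),
        "renewal_unicast": select_scope("0.0.0.0", "10.20.30.55", RENEW_UNICAST, SCOPES),
    }


if __name__ == "__main__":
    for case, scope in demo().items():
        print(f"{case}: {scope}")
```

Running it shows why the reply's advice works: with link-selection present the client scope is chosen even though giaddr sits in the DHCP server's network, while the same packet without option 82 lands in the empty server-network scope. The renewal case only resolves because the model falls back to ciaddr; the thread leaves the real server-side handling of that case open.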

 

Whatever you configured is just a twisted way to create DHCP relay with the DHCP server OUTSIDE of the fabric. Normally you just use L3Out in "EPG type". That way the DHCP relay will include the BD IP source in the frame and the server does not need to use option 82.

However, your DHCP server is in the fabric and this config works because the L3Out and the DHCP server are on the same VRF.

DHCP relay configs are:

1. DHCP in the same VRF. No option 82 needed to assign an IP from the correct scope.

2. DHCP server outside of the fabric. No option 82 needed to assign an IP from the correct scope.

3. DHCP in the fabric, in another VRF (or tenant/VRF). VXLAN to the DHCP server, no BD IP in the frame, option 82 used to select the right scope.

Your config is a combination of 2 & 1 and, sure, it works, but it is not what is intended and also it is not really scalable: you will need to create a dedicated DHCP policy for each source BD.

Thanks ivanindic for the solution. Are you still using this configuration where you provide the client EPG in the DHCP provider? This kind of configuration results in a fault on the client EPG. Do you see that fault as well?

Hi viksing3,

 

We still use it. We have no faults in the console.

 

Inside a tenant we configured the application EPG based DHCP relay (Policies - Protocol - DHCP). Then we have assigned the DHCP relay label to the corresponding bridge domain, which has tenant scope. It works fine.

Where do you check your client EPG fault? What is the exact fault message? Thx.

 

Br,

Ivan
