DHCP relay via Shared L3Out in Common not working

Hi All,

I have a DHCP server reachable via a shared L3Out in the common tenant, default VRF. I configured the DHCP provider in the Fabric access policy.

I have a user tenant called tenant-dev and vrf vrf-dev and bridge domain bd-100.

In the bridge domain bd-100, I have configured the DHCP relay label as infra and used the provider configured in fabric access.

From the BD gateway in tenant-dev, I can ping the DHCP server, but clients in the EPG attached to bd-100 are not getting a DHCP IP.

A Wireshark capture on the client shows the DHCP offer broadcast packet is sent out, but in the server Wireshark capture there is no DHCP discover.

I know the server needs to have DHCP option 82 configured, but even if there is any misconfiguration on the server, the DHCP discover should reach the server in the first place. TAC has been on this issue for over a week but no joy.

Any ideas?

Cisco Employee

Hi Majba,

There is a typical ACI behaviour with DHCP relay that I am aware of, which occurs when you try to reach the DHCP server via another VRF within ACI (inter-VRF).

1. The discover request is sourced from the IP address of the outgoing interface, which in your case would be the IP address of the interface from the default VRF and not your BD SVI. So please check if you are applying the right filter in Wireshark. I would suggest filtering by the MAC address of your host.

2. In such cases DHCP option 82 sub-option 5 comes into the picture, which contains the subnet information from which you actually need the IP address from the DHCP server.

3. In case you are running DHCP server on MS then Microsoft Server 2016 is the minimum version which supports DHCP option 82 sub-option 5 (I assume TAC might have already verified).

4. Now if you have MS2016 server running DHCP services then there is typical requirement to have an IP scope defined on the server for the subnet in ACI (L3 out interface subnet) which is the exit point of the VRF otherwise you may see a NACK.


In parallel, you can also verify at your end by following the instructions shared in the Technote below:


Let me know if you need more clarity on any of the points above.




***Rate all posts that are helpful. Mark it as a solution if that solves your problem, it may help other users who have the same query.***


What would be the source IP address of the discover request if the default VRF is not being used or do you mean the VRF that the L3out is in?


Let's take a look at a generic case that may help to point you in the right direction.

Assume you have a VRF with a BD (DHCP client) and a VRF with a BD (DHCP server). Both have L3outs and are connected via some sort of router.

Assume routing, Net_EPG and BD L3 are done right and you can ping from an IP in the client BD (static IP) to the DHCP server. So, unicast is OK.

Now you have created a DHCP policy and applied it to the client BD. ACI will not use the route above, but will create VxLAN from the client BD to the server BD.

So the server will see the request coming from the VTAP IP, the one from the scope created initially for ACI (usually something in the 10.x.x.x range).

That is what you should see as the source IP in the DHCP request on the server side. How does the server know from which scope to assign an IP? Option 82.


Better to use bootp as filter in Wireshark in this case to rule out an incorrect filter with regards to the Source IP of the DHCP packets when these should hit the DHCP Server.
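The replies above come down to two checks on a server-side capture: match the relayed discover by client MAC rather than by source IP, and confirm that option 82 sub-option 5 carries the client subnet. The sketch below is an added example, not code from any poster or from Cisco; it parses a raw DHCP UDP payload for those fields, and the sample packet, its addresses and its MAC are constructed.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"

def parse_tlvs(data, pad_end=False):
    """Walk code/length/value triplets and return {code: value}."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if pad_end and code == 255:      # End option terminates the list
            break
        if pad_end and code == 0:        # Pad option has no length byte
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option")
        out[code] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return out

def inspect_relayed_dhcp(payload):
    """Summarise the fields that identify a relayed DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts = parse_tlvs(payload[240:], pad_end=True)
    sub = parse_tlvs(opts.get(82, b""))          # option 82 sub-options
    link = sub.get(5)                            # sub-option 5
    return {
        "msg_type": (opts.get(53) or b"\x00")[0],   # 1 = DHCPDISCOVER
        "chaddr": payload[28:28 + min(payload[2], 16)].hex(":"),
        "giaddr": str(ipaddress.IPv4Address(payload[24:28])),
        "has_option_82": 82 in opts,
        "link_selection": str(ipaddress.IPv4Address(link))
        if link and len(link) == 4 else None,
    }

def build_sample():
    """Constructed relayed DHCPDISCOVER; every address and MAC is made up."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 1, 0x1234ABCD, 0, 0x8000,
        bytes(4), bytes(4), bytes(4),
        ipaddress.IPv4Address("10.0.64.95").packed,      # giaddr
        bytes.fromhex("005056aabbcc"), bytes(64), bytes(128))
    opt82 = (bytes([1, 4]) + b"cid0" + bytes([5, 4])
             + ipaddress.IPv4Address("192.168.100.1").packed)
    return (header + MAGIC_COOKIE + bytes([53, 1, 1, 82, len(opt82)])
            + opt82 + b"\xff")

if __name__ == "__main__":
    print(inspect_relayed_dhcp(build_sample()))
```

Feed it the UDP payload of packets captured on ports 67/68; a discover that arrives with `has_option_82` true but `link_selection` empty gives the server no client subnet to choose a scope from.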
