
VRF Aware DHCP on IOS-XR - VRF crossing to Default VRF - no response

ehaparna
Level 1

Hi All, 

[Edited and updated]

Trying to build a VRF-aware relay agent.

That means that a centralized DHCP server (global VRF) is allocating IPv4 addresses to devices in different customer VRFs.

I am following what was described by 
IP Addresses and Services Configuration Guide for Cisco ASR 9000 Series Routers, IOS XR Release 7.3.x- Configuring Multiple Classes with a Pool  

The following topology was created - now updated with two VRFs (VRF 1 and VRF 2 )  with DHCP clients  (PC1 and PC2)

The server is in the default VRF (S1)

figure 1: Topology


DHCP requests flow to the server but the server does not respond!

In the debug I see this message:

             TP3148: wildcard list is not initialized, mode 3

but it seems that the received DHCP request is parsed correctly, at least per my understanding.

 

DHCP requests from VRF 1 (and VRF2) are sent to the global VRF and towards the server.

The server (IOS-XR) receives the DHCP request and is stuck in `INIT_DAPS_WAIT` state.

A capture of the binding details is shown at the end, as well as an option-82 capture of the received packet (as seen by the server).

It's not clear to me why it is stuck.

So looking at the user-guide  I found the following, which seems to be in the right direction. I did implement that but it seems to fall short.

Configuring and Enabling the DHCP Relay Agent

Router(config)# dhcp ipv4
/* Configures DHCP for IPv4 and enters the DHCPv4 configuration submode. */

Router(config-dhcpv4)# profile r1 relay
/* Enables DHCP relay profile */

Router(config-dhcpv4-relay-profile)# helper-address vrf A 10.10.10.1 giaddr 40.1.1.2
Router(config-dhcpv4-relay-profile)# broadcast-flag policy check
/* Configures VRF addresses for forwarding UDP broadcasts, including DHCP. */

Router(config-dhcpv4-relay-profile)# relay information option vpn
Router(config-dhcpv4-relay-profile)# relay information option vpn-mode rfc
/* Inserts the DHCP relay agent information option (option-82 field) in forwarded BOOTREQUEST messages to a DHCP server. */


Router(config-dhcpv4-relay-profile)# relay information option allow-untrusted
/* (Optional) Configures the DHCP IPv4 Relay not to discard BOOTREQUEST packets 
that have an existing relay information option and the giaddr set to zero. */

Router(config-dhcpv4-relay-profile)# exit
Router(config-dhcpv4)# interface BVI 1 relay profile r1
Router(config-dhcpv4)# commit
/* Configures DHCP relay on a BVI interface and commits the configuration */

From that definition, I understand that 

helper-address vrf A 10.10.10.1 giaddr 40.1.1.2

VRF A is the target VRF (where the server resides)

10.10.10.1 is the server address

40.1.1.2 is an address in the target VRF (VRF A) that the relay should use when initiating the transaction. 

The lack of the original GIADDR is offset by implying the introduction of sub-option 5 and sub-option 11 (or the Cisco proprietary alternatives; I did see that on IOS-XE).

I did implement this and it didn't work.

Assuming that IOS-XR does support that use-case and assuming that my CLI understanding is correct, this still falls short.

a. Can the VRF be defined as default (replacing A in the user guide example, VRF A)?

b. How can this profile be bound to a VRF instance? 

 

Switch config

  ip dhcp snooping vlan 1
  ip dhcp snooping

  interface GigabitEthernet0/1
  negotiation auto
  ip dhcp snooping trust
  !

Relay 1

  interface GigabitEthernet8
  ip dhcp relay information option vpn-id
  ip address 176.11.11.1 255.255.255.0
  !next-hop server
  ip helper-address 10.1.2.2
...

!

  ip dhcp relay information policy keep
  ! to avoid drop of option 82 introduced by snooping
  ip dhcp relay information trust-all

 

R2 - VRF AWARE Relay

  dhcp ipv4
  profile CORP_DHCP relay

  ! server in default VRF with address 100.4.11.11 and use giaddr 2.2.2.2  (implies option 82 link-selection and server-id-override)
  helper-address vrf default 100.4.11.11 giaddr 2.2.2.2

  ! add vpn-id to help maybe the return path from server to VRF 1 and to client.
  relay information option vpn
  relay information option vpn-mode rfc
  !
interface GigabitEthernet0/0/0/1 relay profile CORP_DHCP
!

  interface GigabitEthernet0/0/0/1
  vrf 1
  ipv4 address 10.1.2.2 255.255.255.0
  !

 

Server Configuration

pool vrf default ipv4 TEST-POOL
network 176.11.11.0/24
exclude 176.11.11.1 0.0.0.0
!
dhcp ipv4
profile TEST-PROFILE server
lease 0 0 30
pool TEST-POOL
class CLASS_SIMP
match vrf 1
!
requested-ip-address-check disable
!
interface GigabitEthernet0/0/0/0 server profile TEST-PROFILE
!

 

Now that configuration was updated to support VRF 2 too, but I don't want to clutter the configuration

 

---------------------------------------------------------

The server is not responding. 

RP/0/RP0/CPU0:S1#show dhcp ipv4 server binding detail
Thu May 9 16:31:52.536 UTC
MAC Address: 5254.0004.33e7
VRF: default
IP Address: 0.0.0.0
Server IP Address: 10.1.2.2
ReceivedCircuit ID: 0x00-04-00-01-00-00
InsertedCircuit ID: 0x00-04-00-01-00-00
ReceivedRemote ID: 0x00-06-52-54-00-02-0e-e3
InsertedRemote ID: 0x00-06-52-54-00-02-0e-e3
ReceivedVSISO: -
Auth. on received relay info:TRUE
ParamRequestOption: -
SavedOptions: -
Profile: TEST-PROFILE
Selected Profile: TEST-PROFILE
State: INIT_DAPS_WAIT
Lease: 60 secs (00:01:00)
Lease remaining: 59 secs (00:00:59)
Client ID: 0x01-0x52-0x54-0x00-0x04-0x33-0xE7
Access Interface: GigabitEthernet0/0/0/0
Access VRF: default
Subscriber Label: 0x0
Srg State: NONE
Srg Group Id: 0
Event History:
Session Start: May 9 16:26:00.444
PACKET_DISCOVER : 0.001s
DPM_SUCCESS : 0.001s

 

--------------------------------------------------

 

Updated debug capture

dhcpd[184]: DHCPD: TP563: L3 packet event received
dhcpd[184]: DHCPD: TP2514: L3 RX: vrfid 0x60000000 (1610612736), ifh 0x1000018 (16777240), ifhsec 0x0 (0)
dhcpd[184]: DHCPD: TP564: L3 Packet RX from addr = 22.22.22.22, port = 67, application len 329, vrf 0x60000000 (1610612736), tbl 0xe0000000 (3758096384)
dhcpd[184]: DHCPD: dhcpd_os_get_profile_mac_mismatch_action_pkt: profile TEST-PROFILE mac mismatch action dont drop
dhcpd[184]: DHCPD: pktRx id 770: ---------- IPv4 DHCPD --- dhcpd_iox_l3_conn_hlr -------
dhcpd[184]: DHCPD: pktRx id 770: VRF name (id): default (0x60000000)
dhcpd[184]: DHCPD: pktRx id 770: L3 src: 22.22.22.22:67
dhcpd[184]: DHCPD: pktRx id 770: L3 dst: 100.4.11.11:67
dhcpd[184]: DHCPD: pktRx id 770: metadata: L3 input Intf: GigabitEthernet0_0_0_0
dhcpd[184]: DHCPD: pktRx id 770: metadata: Output Intf: Null
dhcpd[184]: DHCPD: pktRx id 770: metadata: FROM: L3
dhcpd[184]: DHCPD: pktRx id 770: metadata: NETWORK_ORDER
dhcpd[184]: DHCPD: pktRx id 770: op: BOOTREQUEST
dhcpd[184]: DHCPD: pktRx id 770: chaddr: 5254.0000.8a34
dhcpd[184]: DHCPD: pktRx id 770: xid: 0x1b5e6f5b
dhcpd[184]: DHCPD: pktRx id 770: flags: 0x0000 (unicast)
dhcpd[184]: DHCPD: pktRx id 770: ciaddr: 0.0.0.0
dhcpd[184]: DHCPD: pktRx id 770: yiaddr: 0.0.0.0
dhcpd[184]: DHCPD: pktRx id 770: siaddr: 0.0.0.0
dhcpd[184]: DHCPD: pktRx id 770: giaddr: 22.22.22.22
dhcpd[184]: DHCPD: pktRx id 770: cookie: 0x63538263
dhcpd[184]: DHCPD: pktRx id 770: option: MESSAGE_TYPE: DISCOVER
dhcpd[184]: DHCPD: pktRx id 770: option: MAX_MESSAGE_SIZE data: "0x02-40"
dhcpd[184]: DHCPD: pktRx id 770: option: PARAMETER_REQUEST data: "0x01-03-06-0c-0f-1c-2a"
dhcpd[184]: DHCPD: pktRx id 770: option: HOST_NAME data: "localhost"
dhcpd[184]: DHCPD: pktRx id 770: option: VENDOR_CLASS_IDENT data: "udhcp 1.35.0"
dhcpd[184]: DHCPD: pktRx id 770: option: CLIENT_IDENTIFIER data: "0x01-52-54-00-00-8a-34"
dhcpd[184]: DHCPD: pktRx id 770: option: RELAY_INFORMATION
dhcpd[184]: DHCPD: pktRx id 770: option: RELAY_INFORMATION: CIRCUIT_ID: 0x00-04-00-01-00-00
dhcpd[184]: DHCPD: pktRx id 770: option: RELAY_INFORMATION: REMOTE_ID: 0x00-06-52-54-00-09-66-e2
dhcpd[184]: DHCPD: pktRx id 770: option: RELAY_INFORMATION: SUBNET_SELECTION_RFC: 0x0a-01-02-00
dhcpd[184]: DHCPD: pktRx id 770: option: RELAY_INFORMATION: VPN_ID: 0x00-32
dhcpd[184]: DHCPD: pktRx id 770: option: RELAY_INFORMATION: VPN_ID_CONTROL
dhcpd[184]: DHCPD: pktRx id 770: option: RELAY_INFORMATION: SERVER_ID_OVERRIDE_RFC: 0x0a-01-02-02
dhcpd[184]: DHCPD: dhcpd_is_match_option_filter_drop: profile name: TEST-PROFILE mode: 3
dhcpd[184]: DHCPD: TP3148: wildcard list is not initialized, mode 3
dhcpd[184]: DHCPD: DHCP_INFO: Len:7 Client-ids = Incoming: 0x01-52-54-00-00-8a-34 Existing: 0x01-52-54-00-00-8a-34
dhcpd[184]: DHCPD: dhcpd_iox_l3_conn_hlr: dhcpd_iox_eventQ_enqueue failed
dhcpd[184]: DHCPD: dhcpd_iox_l3_conn_hlr: l3sock read returned error -1
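
Decoding the option-82 sub-options from the debug capture above, as an added example (not part of the original post and not Cisco code). It assumes the RFC 3527 rule that a server picks the subnet from the link-selection sub-option instead of giaddr, and the RFC 6607 layout in which the first VPN-ID byte is a type; the page does not confirm how the IOS-XR server treats either.

```python
import ipaddress
import re

# Sample input: lines copied from the debug capture in the post.
DEBUG_LINES = """\
dhcpd[184]: DHCPD: pktRx id 770: giaddr: 22.22.22.22
dhcpd[184]: DHCPD: pktRx id 770: option: RELAY_INFORMATION: CIRCUIT_ID: 0x00-04-00-01-00-00
dhcpd[184]: DHCPD: pktRx id 770: option: RELAY_INFORMATION: REMOTE_ID: 0x00-06-52-54-00-09-66-e2
dhcpd[184]: DHCPD: pktRx id 770: option: RELAY_INFORMATION: SUBNET_SELECTION_RFC: 0x0a-01-02-00
dhcpd[184]: DHCPD: pktRx id 770: option: RELAY_INFORMATION: VPN_ID: 0x00-32
dhcpd[184]: DHCPD: pktRx id 770: option: RELAY_INFORMATION: SERVER_ID_OVERRIDE_RFC: 0x0a-01-02-02
"""

SUBOPT = re.compile(r"RELAY_INFORMATION: (\w+): 0x([0-9a-fA-F-]+)\s*$")
GIADDR = re.compile(r"giaddr: (\d+\.\d+\.\d+\.\d+)\s*$")

def parse_relay_info(text):
    """Decode giaddr and option-82 sub-options from dhcpd pktRx debug lines."""
    out = {}
    for line in text.splitlines():
        m = GIADDR.search(line)
        if m:
            out["giaddr"] = ipaddress.ip_address(m.group(1))
            continue
        m = SUBOPT.search(line)
        if not m:
            continue  # lines without a hex value (e.g. VPN_ID_CONTROL) are skipped
        name, raw = m.group(1), bytes.fromhex(m.group(2).replace("-", ""))
        if name in ("SUBNET_SELECTION_RFC", "SERVER_ID_OVERRIDE_RFC") and len(raw) == 4:
            out[name] = ipaddress.ip_address(raw)  # packed IPv4 address
        elif name == "VPN_ID" and raw:
            # Assumed RFC 6607 layout: type byte, 0 = ASCII VPN name, 1 = RFC 2685 VPN-ID
            out[name] = raw[1:].decode("ascii") if raw[0] == 0 else raw[1:].hex()
        else:
            out[name] = raw  # circuit-id / remote-id stay opaque bytes
    return out

def selection_address(fields):
    """Link selection if present (assumed RFC 3527 behaviour), else giaddr."""
    return fields.get("SUBNET_SELECTION_RFC", fields.get("giaddr"))

def pool_covers(fields, pool_network):
    """True if the selection address falls inside the given pool network."""
    addr = selection_address(fields)
    return addr is not None and addr in ipaddress.ip_network(pool_network)

if __name__ == "__main__":
    fields = parse_relay_info(DEBUG_LINES)
    print(fields)
    print("TEST-POOL 176.11.11.0/24 covers it:", pool_covers(fields, "176.11.11.0/24"))
```
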

 
