Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1712
Views
0
Helpful
6
Replies

FWSM DHCP-Relay

Mhon Baul
Level 1
Level 1

‎02-23-2011 12:16 AM - edited ‎03-11-2019 12:55 PM

Hi All,

  I'm in th process of configuring FWSM to relay DHCP request from the client pc/ip phone going to our DHCP server. But the thing is, my client pc/ipphone are not connected directly to FWSM instead i have a L3 switch for the data/voice vlan and configure ip-helper address 10.1.1.200 on svi.

The FWSM and L3 switch are connected via P2P. Is there any way that this will work, I know that it says on cisco documentation that clients should be connected to FWSM but I hope there will be workaround or else I will configure DHCP server on the L3 switch which is not a good practice.

I attached my diagram for reference. I will appreciate all your comments/suggestions. Thanks in advance!

Cheers,

Reymon

Labels:
Preview file
25 KB
0 Helpful
6 Replies 6

martin_knorre
Level 1
Level 1

‎02-23-2011 04:40 AM

hi Reamon,

you issued the IP Helper command on every VLAN, so the BC is turned into a Unicast and is directed to the DHCP Server. So you have to allow the Unicast from the Subnet / VRF Instance on the Security Context of the FWSM. And I think that should work, in this case the FWSM is nothing other than a normal firewall --> permit (bootps port:67).

Regards Martin

0 Helpful

Mhon Baul
Level 1
Level 1
In response to martin_knorre

‎02-23-2011 10:51 PM

Hi Martin,

Thanks for your reponse.

I already did what you have said to allow  udp 67/68 from client subnet to dhcp server vice-versa but still no success.

You are correct that the fwsm should be a normal firewall in this way but it's not. Have you tried doing this before, if yes can you please tell me how did you do it?

Thanks and Best Regards

Reymon

0 Helpful

martin_knorre
Level 1
Level 1
In response to Mhon Baul

‎02-23-2011 11:51 PM

Hi Reymon,

sorry we have another structure in our DC, with a security context for every vlan, so we usually assign the relay agent to this context without a Layer 3 instance before the FWSM.

Do you notice the reject of the communication on the Firewall logging?

rgds Martin

0 Helpful

Mhon Baul
Level 1
Level 1
In response to martin_knorre

‎02-24-2011 12:00 AM

Hi Martin,

   So each context has relay agent configured and client pc is connected directly to context vlan, right? The logs that I see is only the bootpc udp 67 coming from client pc subnet but nothing from dhcp server interface.

regards

reymon

0 Helpful

martin_knorre
Level 1
Level 1
In response to Mhon Baul

‎02-24-2011 12:54 AM

Hi Reymon,

so when the answer from the server didn't come back, maybe this is the problem, have you checked the routing? Can you trace a route ?

Regards

Martin         

0 Helpful

Mhon Baul
Level 1
Level 1
In response to martin_knorre

‎02-27-2011 09:21 PM

Hi Martin,

  Traceroute is working on both side. What i did is setup another server and create another vlan for the server and put the server in there. After activating thd dhcp scope, it works fine. The one I notice is that dhcp ps doesn't work when the dhcp server is connected to another router and router to fwsm.

Anyway, this issue is resolve.

Many thanks!

Reymon

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card