ftd dhcp relay with fdm

mmacdonald70
Level 1

I am running an ASA5506x in FTD mode.  Managing it with FDM.  I can't seem to find an option to create a DHCP relay.  I have found documentation on how to do it with FMC so I assume that it is possible with FTD.  Any idea if there is a way?

Accepted Solution

syeda3
Level 1

You can create DHCP relay services in Firepower Threat Defense (FTD) through FMC.

http://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200475-Configure-DHCP-Server-Relay-on-FTD-Using.html


12 Replies


Thanks.  I assume by that answer that we can't add them through FDM or CLI?  I don't have FMC at the moment and I wasn't planning on getting it.

Hello, did you ever find a way to add dhcp relay/helper to FTD? I need the same thing. Thanks

I always assume the requester isn't using FMC, because there are a number of complex challenges with FMC use. I've abandoned FMC in favor of CDO myself, because of the connectivity requirements with FMC.

RFC 1925

I am sure the requirement is to configure it through FDM, not FMC. In order to configure DHCP relay, I need to buy a physical server, install FMC, buy an FMC license (if any), purchase hardware protection for the physical server, pay someone who knows how to manage VMs, and reconfigure the whole firewall, because you cannot seamlessly convert FDM to FMC, just in order to get the DHCP relay function? Maybe another good choice is to purchase a firewall from another vendor.

There's no need to run FMC for this feature.

The dhcprelay feature for FDM-managed FTD devices was available via Flexconfig through version 6.7.

7.0 deprecated that in favor of API-based configuration.

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/relnotes/firepower-release-notes-700/features.html#Cisco_Generic_Topic.dita_d931d244-1fa3-4144-b861-bc9a810332ce

It will be incorporated into the FDM GUI natively in version 7.1, due out next month.

Filip Po
Level 1

I used FlexConfig with Flex Object:

dhcprelay server <dhcp_server_IP> <server_interface_name>
dhcprelay setroute <relay_interface_name>
dhcprelay enable <relay_interface_name>


FDM will not let you have any dhcp server (DHCPD) running on vFTD image.

Erase all DHCP server (DHCPD) configuration before applying dhcprelay via FlexConfig.


Filip


Question for clarity's sake: When you say "Erase all DHCP server (DHCPD) configuration before applying dhcprelay to FlexConfig", is this for all DHCP pools, or just the one you plan to replace with DHCP relay?
RFC 1925

zascherl86
Cisco Employee

To help clarify, here is the process that you need to follow:

*note <server_interface_name> and  <relay_interface_name> reference the Logical Name - ex. inside

*note you need to put the relay interface information for all interfaces you would like relayed

*note you can only use either relay or internal DHCP server.  You cannot use them at the same time.


1. Create the FlexConfig Objects listed above

dhcprelay server <dhcp_server_IP> <server_interface_name>  
dhcprelay setroute <relay_interface_name>
dhcprelay enable <relay_interface_name>

2. Add the new DHCP-Relay FlexConfig Object to the FlexConfig Policy

   - the FlexConfig Policy makes the object active

3. Disable all DHCP server scopes

4. Deploy

5. Test

dhcprelay setroute <relay_interface_name>  - this is unnecessary
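The steps above boil down to three things that must hold before the deploy succeeds: the interface names in the FlexConfig object are real logical names (nameifs), the server-facing interface is not also a relayed interface, and no DHCPD scope remains on the box. As an added example that is not code from this thread or from Cisco, the script below runs those checks offline against a running-config text and renders the FlexConfig lines. The sample config, interface names and addresses are constructed; the parsing covers only the `nameif`, `dhcpd address` and `dhcpd enable` lines it needs.

```python
"""Pre-deployment check for the dhcprelay FlexConfig procedure.

Added example, not Cisco's code and not a tool from the thread. It parses an
ASA-style running config, lists DHCPD scopes that would conflict with
'dhcprelay', validates the interface names, and renders the FlexConfig lines.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample running config (not a capture from a real device):
# three named interfaces and two DHCPD scopes, one of them enabled.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
interface GigabitEthernet1/2
 nameif inside
 security-level 100
interface GigabitEthernet1/3
 nameif dmz
 security-level 50
dhcpd address 192.168.1.10-192.168.1.100 inside
dhcpd dns 192.168.1.2 interface inside
dhcpd enable inside
dhcpd address 10.10.10.10-10.10.10.50 dmz
"""


@dataclass
class ConfigFacts:
    nameifs: set = field(default_factory=set)         # logical interface names
    dhcpd_scopes: dict = field(default_factory=dict)  # nameif -> scope enabled?


def parse_config(text: str) -> ConfigFacts:
    """Collect nameifs and DHCPD scopes from running-config text."""
    facts = ConfigFacts()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"nameif (\S+)", line):
            facts.nameifs.add(m.group(1))
        elif m := re.fullmatch(r"dhcpd address \S+ (\S+)", line):
            facts.dhcpd_scopes.setdefault(m.group(1), False)
        elif m := re.fullmatch(r"dhcpd enable (\S+)", line):
            facts.dhcpd_scopes[m.group(1)] = True
    return facts


def relay_conflicts(facts: ConfigFacts) -> list:
    """Every DHCPD scope conflicts, enabled or not: per the thread, the relay
    and the internal DHCP server cannot be configured at the same time."""
    return sorted(facts.dhcpd_scopes)


def precheck(server_ip: str, server_ifname: str, relay_ifnames: list,
             facts: ConfigFacts) -> list:
    """Return a list of problems that must be fixed before deploying (empty if none)."""
    problems = []
    try:
        ipaddress.ip_address(server_ip)
    except ValueError:
        problems.append(f"malformed DHCP server address: {server_ip!r}")
    unknown = [n for n in [server_ifname, *relay_ifnames] if n not in facts.nameifs]
    if unknown:
        problems.append(f"not a configured nameif: {unknown}")
    if server_ifname in relay_ifnames:
        problems.append("the server-facing interface cannot also be a relay interface")
    if conflicts := relay_conflicts(facts):
        problems.append(f"disable DHCPD scopes on {conflicts} before applying the relay")
    return problems


def render_flexconfig(server_ip: str, server_ifname: str, relay_ifnames: list,
                      facts: ConfigFacts, with_setroute: bool = False) -> list:
    """Return the dhcprelay lines for the FlexConfig object, or raise ValueError."""
    if problems := precheck(server_ip, server_ifname, relay_ifnames, facts):
        raise ValueError("; ".join(problems))
    lines = [f"dhcprelay server {server_ip} {server_ifname}"]
    for name in relay_ifnames:  # one enable (optionally setroute) per relayed interface
        if with_setroute:
            lines.append(f"dhcprelay setroute {name}")
        lines.append(f"dhcprelay enable {name}")
    return lines


if __name__ == "__main__":
    facts = parse_config(SAMPLE_CONFIG)
    print("DHCPD scopes to disable first:", relay_conflicts(facts))
    clean = ConfigFacts(nameifs=set(facts.nameifs))  # same interfaces, scopes removed
    for line in render_flexconfig("203.0.113.10", "outside", ["inside", "dmz"], clean):
        print(line)
```

Run it against `show running-config` output saved to a file instead of the constructed sample, and fix every reported problem before step 4 (deploy); the rendered lines are what goes into the FlexConfig object in step 1.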

Mark Richmond
Level 1

Hi, I know it's slightly old, but as it's one of the first hits flagged in Google, I thought I'd mention that FlexConfig is not available in v7. It's going API crazy, and it's a bit more of a mission to implement dhcprelay and a few other commands (snmp) in FDM, for what used to be a very simple few lines.

Reverted the test kit to 6.6 instead and completed in seconds.
