Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
48400
Views
46
Helpful
1
Comments

Differences between DHCP relay on the Nexus7000/NXOS and IP Helper on the 6500/IoS

Adam Casella
Level 1
Level 1

‎01-18-2011 01:33 PM - edited ‎03-01-2019 04:36 PM

 

 

Introduction:

 

DHCP Relay Agent: Routers, by default, will not forward broadcast packets. Since DHCP client messages use the destination IP address of 255.255.255.255 (all Nets Broadcast), DHCP clients will not be able to send requests to a DHCP server on a different subnet unless the DHCP/BootP Relay Agent is configured on the router. The DHCP/BootP Relay Agent will forward DHCP requests on behalf of a DHCP client to the DHCP server. The DHCP/BootP Relay Agent will append its own IP address to the source IP address of the DHCP frames going to the DHCP server. This allows the DHCP server to respond via unicast to the DHCP/BootP Relay Agent. The DHCP/BootP Relay Agent will also populate the Gateway IP address field with the IP address of the interface on which the DHCP message is received from the client. The DHCP server uses the Gateway ip address field to determine the subnet from which the DHCPDISCOVER, DHCPREQUEST, or DHCPINFORM message originates.

 

NX-OS's implementation of a DHCP relay on a Nexus 7000 differs from that of how we implement the DHCP helper address on the 6500 and other IoS based platforms.

 

On the Nexus 7000 we use an VACL to redirect all DHCP broadcast traffic to the CPU when the DHCP relay function is implemented.  When this redirect occurs the Nexus 7000 does NOT broadcast these DHCP broadcast packets to all ports within the VLAN as one would expect.  This is done based on the fact that it is believed that if a DHCP relay agent is configured, than the DHCP server does not exist on the local vlan and there is no need to broadcast this traffic locally.

 

This is different than what occurs on the 6500.  On the 6500 all DHCP broadcast are leaked to the CPU and flooded to all ports within the vlan.

 

On the N7k you can view the redirect VACL in hardware via the following command, 'show system internal access-list vlan X input statistics'.  Below shows what the ACL redirect  would look like for a relay agent configrued on SVI 10.  This only shows the redirect VACL for module 2.  If you have mulitple modules in the device, this VACL redirect would be configured for every module (this is because there is a forwarding engine on every module on a N7k):

 

7000-1# sh system internal access-list vlan 10 input statistics

 

slot  2
=======

 

Tcam 1 resource usage:
----------------------
Label_b = 0x801
Bank 0
------
    IPv4 Class
      Policies: DHCP Snooping()  [Merged]
      Entries:
        [Index] Entry [Stats]
        ---------------------
[0003] redirect(0x800) udp 0.0.0.0/0 255.255.255.255/32 eq 68  [0]
[0004] redirect(0x800) udp 0.0.0.0/0 255.255.255.255/32 eq 67  [0]
[0005] redirect(0x800) udp 0.0.0.0/0 eq 68 255.255.255.255/32  [0]
[0006] redirect(0x800) udp 0.0.0.0/0 eq 67 255.255.255.255/32  [0]
[0007] permit ip 0.0.0.0/0 0.0.0.0/0  [0]

 

The issue with not broadcasting the DHCP discover when a relay agent is configured is that in certain scenarios this can break functionality, when a local servers need to hear the DHCP broadcast packet.  This can also occur if the server is not directly attached to the N7k, but to get to the server the traffic must pass through a N7k with the DHCP relay agent configured for that vlan.


In order to get around scenarios where the local DHCP discover needs to be heard by a specific device on the local subnet as well as the DHCP server an additional DHCP relay-agent address would need to be configured on the SVI of that vlan.  This relay-agent address would need to point to the local device that needs to hear this traffic.  Since DHCP traffic is redirected to all relay-agents configured the DHCP discover would be sent to the DHCP server(12.3.4.6) as well as the local server(10.0.0.2).  An example of this can be been below:

 

Interface vlan 12
ip address 10.0.0.1 255.255.255.0
ip dhcp relay 12.3.4.6  <---DHCP server
ip dhcp relay 10.0.0.2 <---IP address of local server.

 

If multiple devices on that subnet need to hear this traffic, you can specify a local a relay-agent as the directed broadcast address of the local subnet.  This will cause the DHCP traffic to be flooded throughout the local subnet (as destination 10.0.0.255) as well as being sent to the DHCP server(12.3.4.6):

 

Interface vlan 12
ip address 10.0.0.1 255.255.255.0
ip dhcp relay 12.3.4.6  <---DHCP server
ip dhcp relay 10.0.0.255 <---Local subnet broadcast

 

Since the relay-agent is simply forwarding this traffic to the configured address, this will allow this traffic to get to the correct location.

 

Below is a step-by-step walk through of the DHCP Process on the N7k and 6500 discussing the difference above.

 

DHCP relay-agent process on the N7k:

 

  1. DHCP discover is sent by the client
  2. When this packet ingresses the N7k it is redirected to the CPU/relay agent by the ingress forwarding engine and is not broadcast on the vlan.
  3. The relay agent redirects the DHCP discover to the DHCP server.
  4. DHCP server responds to the IP address of the relay-agent in the  giaddr field of the discover/request packet with a DHCP offer, which is relayed to the client.
  5. DHCP client responds with DHCP request (whether it be an unicast or broadcast response), this is redirected to the relay-agent and forwarded on to the DHCP server.
  6. DHCP server ACK's the request, which is sent to the relay-agent.  This is then relayed to the client, finishing the DHCP process.

 

DHCP helper address process on the 6500:

 

  1. DHCP discover is sent by the client
  2. When this packet ingresses the 6500 it is leaked to the CPU/relay agent based on a destination index, which includes the vlan broadcast.
  3. The relay agent redirects the DHCP discover to the DHCP server.
  4. DHCP server responds to the IP address of the relay-agent in the giaddr field of the discover/request packet with a DHCP offer, which is relayed to the client.
  5. DHCP client responds with DHCP request (whether it be an unicast or broadcast response), this is redirected to the relay-agent and forwarded on to the DHCP server.
  6. DHCP server ACK's the request, which is sent to the relay-agent.  This is then relayed to the client, finishing the DHCP process.
Labels:
Comments
fujitsuservices
Level 1
Level 1
‎10-11-2013 07:32 AM

A good explanation of how the Nexus 7k handles DHCP broadcasts. It should be added that you can broadcast to the local LAN by turning on 'ip directed-broadcast' under the SVI interface and then configure a DHCP relay address for the boadcast address for the local subnet.

If you have more than one DHCP server locally then you need to only enter the one command.

Example configuration

Interface vlan 12
ip address 10.0.0.1 255.255.255.0

ip directed-broadcast
ip dhcp relay 10.0.0.255 <--- Local subnet broadcast

ip dhcp relay 1.2.3.4  <---DHCP server of remote VLAN

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card