06-14-2019 05:25 AM
Hello
We have a requirement to configure a centralized DHCP server at HQ and we have an issue at one of our remote sites.
The design (VPN over MPLS) is as follows: RemoteSite-SWL3 >> WAN-ISP-R1 >> WAN-ISP-R2 >> HQ-CORESW
The current configuration is as follows:
RemoteSite
interface Vlan2
description ** Users Subnet **
ip address 10.10.60.250 255.255.255.0
ip helper-address 10.10.1.1 ! 1st HQ DHCP Server
ip helper-address 10.10.1.2 ! 2nd HQ DHCP Server
!
Routing between the remote site and HQ is working fine and we can ping the DHCP server from the remote site.
Currently it is not working. Do we need to configure ip helper-address on the WAN-ISP-R1 side as well?
Waiting for your feedback.
06-14-2019 07:08 AM
Hello Cse_osama,
Your configuration is correct, and it is needed only on the device facing the DHCP clients and receiving the broadcast DHCP request. The ip helper-address configuration allows the network device to perform the DHCP relay function:
The destination address is changed from 255.255.255.255 to the unicast DHCP server address, which is routable over an IP network.
The source address is changed to the IP address of the outgoing interface toward the DHCP server.
The internal giaddr field is set to the IP address of the interface that received the original client DHCP request. This gives the DHCP server the key to know from which scope to pick a free IP address and to answer back with a DHCP offer.
However, the client has a timeout while waiting to receive a DHCP offer.
You need to verify that DHCP relay is working on remote site switch.
You can use debug or an IP ACL with lines like
access-list 101 permit ip any host <DHCP server1>
access-list 101 permit ip any host <DHCP server 2>
access-list 101 permit ip any any
and you can apply the ACL outbound on the interface toward the local WAN router:
interface type
ip access-group 101 out
Look for the debug ip dhcp ? options.
Be aware that if you have DHCP snooping enabled on the remote site switch, the interface(s) to the WAN router need to be trusted; otherwise the DHCP offers will be dropped.
Hope to help
Giuseppe
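An added illustration (my own, not code from this thread or from Cisco) of the relay steps Giuseppe lists, using the thread's addresses: a constructed client DISCOVER is turned into one unicast copy per helper with giaddr set, and the server side picks the scope from giaddr. The packet bytes, the scope table and the chaddr (taken from the client id in the debug output) are constructed sample data.

```python
# Added example (not from the thread): a minimal model of the DHCP relay function
# that `ip helper-address` performs, with the thread's addresses. Constructed sample only.
import struct
from ipaddress import IPv4Address, IPv4Network

BROADCAST = IPv4Address("255.255.255.255")
ZERO = IPv4Address("0.0.0.0")
HELPERS = [IPv4Address("10.10.1.1"), IPv4Address("10.10.1.2")]   # the two ip helper-address lines
VLAN2_IP = IPv4Address("10.10.60.250")                            # interface Vlan2 on the remote SW
SCOPES = {IPv4Network("10.10.60.0/24"): "RemoteSite-Users",       # constructed server scope table
          IPv4Network("10.10.1.0/24"): "HQ-Servers"}

def build_discover(chaddr: bytes, xid: int = 0x1234) -> bytes:
    """Constructed BOOTREQUEST (op=1) as the client broadcasts it: hops=0, giaddr=0.0.0.0."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, xid, 0, 0x8000,
                      ZERO.packed, ZERO.packed, ZERO.packed, ZERO.packed)
    # chaddr (16 bytes) + sname/file (192 bytes) + magic cookie; no options needed for this model
    return hdr + chaddr.ljust(16, b"\0") + b"\0" * 192 + b"\x63\x82\x53\x63"

def giaddr_of(pkt: bytes) -> IPv4Address:
    return IPv4Address(pkt[24:28])

def hops_of(pkt: bytes) -> int:
    return pkt[3]

def relay(pkt: bytes, dst_ip: IPv4Address, ingress_ip: IPv4Address):
    """The relay step: only a client broadcast (op=1 to 255.255.255.255) is relayed.
    Returns (src, dst, packet) tuples, one unicast UDP/67 copy per helper address."""
    if pkt[0] != 1 or dst_ip != BROADCAST:
        return []
    giaddr = giaddr_of(pkt)
    if giaddr == ZERO:                      # first relay hop: giaddr = receiving interface IP
        giaddr = ingress_ip
    out = pkt[:3] + bytes([hops_of(pkt) + 1]) + pkt[4:24] + giaddr.packed + pkt[28:]
    # source modelled as the relay's own (ingress) address; destination is the unicast helper
    return [(ingress_ip, helper, out) for helper in HELPERS]

def pick_scope(relayed: bytes):
    """Server side: giaddr is the key that selects the scope, as the reply above describes."""
    giaddr = giaddr_of(relayed)
    for net, name in SCOPES.items():
        if giaddr in net:
            return name
    return None                             # giaddr 0.0.0.0 or unknown subnet: no scope match

if __name__ == "__main__":
    pkt = build_discover(bytes.fromhex("14205e239204"))   # MAC from client id 0114.205e.2392.04
    for src, dst, p in relay(pkt, BROADCAST, VLAN2_IP):
        print(f"{src} -> {dst}:67 giaddr={giaddr_of(p)} hops={hops_of(p)} scope={pick_scope(p)}")
```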
06-14-2019 10:14 AM
Hello Giuseppe Larosa ,
Thank you for your kind reply, and please keep in mind that DHCP snooping is already disabled and no ACLs are configured whatsoever. I already used all kinds of debug (debug ip dhcp ser packet, debug ip packet, debug ip udp, etc.) but with no luck in finding the root cause. The output of the debug on the remote site SW:
004587: Jun 14 18:43:54: Option 82 not present
004588: Jun 14 18:43:54: DHCPD: tableid for 10.10.60.250 on Vlan2 is 0
004589: Jun 14 18:43:54: DHCPD: client's VPN is .
004590: Jun 14 18:43:54: DHCPD: No option 125
004591: Jun 14 18:43:54: DHCPD: Finding a relay for client 0114.205e.2392.04 on interface Vlan2.
004592: Jun 14 18:43:54: DHCPD: Looking up binding using address 10.10.60.250
004593: Jun 14 18:43:54: DHCPD: setting giaddr to 10.10.60.250.
004594: Jun 14 18:43:54: DHCPD: BOOTREQUEST from 0114.205e.2392.04 forwarded to 10.10.1.1.
004595: Jun 14 18:43:54: DHCPD: BOOTREQUEST from 0114.205e.2392.04 forwarded to 10.10.1.2.
I suspected a case of blocked traffic at the ISP, but I investigated with them: I accessed their WAN-ISP-R1 & R2 and there is no blocking whatsoever, no ACL, and the DHCP service is enabled on both routers, so I am back to square one. Any suggestions?
06-14-2019 12:35 PM - edited 06-14-2019 12:37 PM
Hello cse_obama,
The switch is behaving correctly; DHCP relay is working:
>>004594: Jun 14 18:43:54: DHCPD: BOOTREQUEST from 0114.205e.2392.04 forwarded to 10.10.1.1.
004595: Jun 14 18:43:54: DHCPD: BOOTREQUEST from 0114.205e.2392.04 forwarded to 10.10.1.2.
Are these DHCP relay messages arriving on HQ DHCP servers 10.10.1.1 and 10.10.1.2 ?
Can you check this on routers in HQ providing default gateway to network 10.10.1.0/24 ?
Again you can use an ACL with entries like
access-list 101 permit udp any host 10.10.1.1 eq 67
access-list 101 permit udp any host 10.10.1.2 eq 67
access-list 101 permit ip any any
Applied outbound on interface(s) towards the two DHCP servers.
Or you can use the following
access-list 102 permit udp any host 10.10.1.1 eq 67
access-list 102 permit udp any host 10.10.1.2 eq 67
debug ip pack detail 102
Again on HQ router(s)
Note: instead of source any you can use host <IP-address-to-remote-WAN-router> in ACL 102.
Hope to help
Giuseppe