Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1217
Views
5
Helpful
14
Replies

DHCP Server Placement / DHCP Relay Placement.

TheGoob
VIP
VIP

‎03-06-2024 08:48 AM - edited ‎03-06-2024 08:57 AM

Hello.

I just wanted some input on suggestions. My current way works but, and this may not be related, weird things happen. Such as loss of Internet but all is green. All was fine until I implemented my new way so I’m hoping I just missed something.

My main question regarding description below is, would my 6 DHCP Servers be on the ISR w/ static routes where to reach those networks, or would those 6 DHCP Servers be on the [end] device SG350XG with default route back?

My 2nd question is, if I were to leave my setup as is [ISR with DHCP Servers and routes towards the Networks] then I am questioning my implementation with the DHCP Relay config. Below will be what I currently have.

I also want to mention so that it is implied; no where but the SG350XG is dhcp relay mentioned/configured, so if FPR or ISR is needed relay info as well, I don’t have it. nor do I have in any segment a dhcp helper-address. 

 

 

 

ISR
DHCP Servers for 192.168.1.0 - 192.168.6.0. 
No vlans. 
Static routes to find these networks through next router through 172.16.1.2 [FPR IP]
Each DHCP Server is configured with their relative DHCP default router ip [SVI IP’s on SG350XG].
|  172.16.1.1
|
|
|  172.16.1.2
FPR
0.0.0.0 0.0.0.0 172.16.1.1 default Route [Towards Internet]
Static Routes to each Network to Switch 172.16.2.2 [SG350XG]
|  172.16.2.1
|
|
|  172.16.2.2
SG350XG
DHCP Relay (enable) [Global]
DHCP Relay Address 172.16.1.1 [Global]
vlan 2 192.168.1.1
  DHCP relay enabled
vlan 3 192.168.2.1
  DHCP relay enabled 
vlan 4 192.168.3.1
  DHCP relay enabled
vlan 5 192.168.4.1
  DHCP relay enabled 
vlan 6 192.168.6.1
  DHCP relay enabled 
vlan 7 192.168.5.1

 

 

 

0 Helpful
14 Replies 14

balaji.bandi
Hall of Fame
Hall of Fame

‎03-06-2024 09:40 AM 

no where but the SG350XG is dhcp relay mentioned/configured, so if FPR or ISR is needed relay info as well, I don’t have it.

You need only DHCP relay where the Layer 3 interface and you directing that VLAN to get IP address from DHCP Server.

as long there is no ACL and ACP in the path not blocking DHCP related to packets.

 weird things happen. Such as loss of Internet

this is not related to DHCP at all

when you lost internet, couple of things to check - do you have IP address, are you able to ping gateway ? are you able to ping 8.8.8.8 ?

what kind of issue in your words ?

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

TheGoob
VIP
VIP
In response to balaji.bandi

‎03-06-2024 09:52 AM

Hello

I won’t lie and say I completely understand what you’re saying but instead of saying I don’t understand what you’re saying I’ll give this a shot and say what I think you might be saying.

being that of the DHCP servers are on the ISR which is 172.16.1.1, I’m going to make the relay address on the SG 172.16.1.1 because that is the L3 interface IP where the DHCP servers reside. I’m going to assume routing logic that the SG with that relay address knows to go through the FPR to the ISR automatically. This was why I was wondering if I needed any additional relay information on the FPR either on the incoming or outgoing interfaces as well as which specific relay address on the SG that I needed. I wasn’t sure if I needed an IP from each DHCP server or just the IP on the ISR .

as far as issues that I am having I can continue to do as you said pinging gateway ping 8888. But what’s happening is normally when my Internet goes out the red light on my Wi-Fi main station turns red. What’s happening is it stays green but websites will load the first bit and then just spin and spin and spin. Gaming latency goes from 70 milliseconds to 2000 ms. In legitimate troubleshooting I can truly say I did not have this issue until I implemented the FPR between the ISR and the end switch. But then when it works everything works perfect so I really don’t know at this stage 

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to TheGoob

‎03-06-2024 11:28 AM

Then you need to audit the config on FTD :

 In legitimate troubleshooting I can truly say I did not have this issue until I implemented the FPR between the ISR and the end switch

you also need to understand FTD traffic flow :

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212321-clarify-the-firepower-threat-defense-acc.html

if that work everything good - when you have  problem ? what is the resolution - you reboot FTD ? or switch  to resolve.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

TheGoob
VIP
VIP

‎03-06-2024 11:55 AM

Yeah it seems if I reboot the devices, it works. I’ll look further into that. Any more details on the dhcp portion of it? I can live with intermittent internet, I just wanna have what I program to be correct. 

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to TheGoob

‎03-07-2024 12:24 AM

the issue you reported nothing to do with DHCP as i have addressed above in my views.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

TheGoob
VIP
VIP

‎03-07-2024 06:24 AM

I was more referring to the placement of the DHCP Servers being on ISR or [end device] on SG350. Like I mentioned the disconnect issue was an afterthought and my main question was which IP was the relay from your advice, which I now see as the IP of the router which has the servers and then the placement of where the servers should be. 
No biggie, you’ve given great insight so thank you. 

0 Helpful

KJK99
Level 3
Level 3

‎03-07-2024 07:59 AM

@TheGoob 

I do not like the idea of having a DHCP server on my Internet gateway (ISR in your case). Internet gateways, by their nature, usually require more restarts when other networking devices which makes them less stable. I would also not place my DHCP server in front of a firewall (FPR in your case) and more than one hop away. I find such an idea really strange. You can move your DHCP server to the switch (SG350). Since you have inter-VLAN routing enabled on it, you would not even have a need for a DHCP relay. The problem is that there seems to be a bug in the CISCO small business switches that corrupts the DHCP tables when you make SVI changes, although that probably happens only when the DHCP server is active. I have experienced that myself on my CBS350 switches. Best, set up a DHCP server on some server/NAS connected to your routing switch. That is actually not that difficult if you have, for example, a Synology NAS. Of course, in this case, you would need to set up a DHCP relay on your routing switch.

Kris K

TheGoob
VIP
VIP

‎03-07-2024 08:26 AM

I can see your concern with having DHCP Server on SG vs in front of FPR or on ISR. Though I do have several NAS style servers [omv, proxmox] etc I will go the path of keeping onboard SG..Just do not want to rely on my NAS software, also having 6 vlans and dhcp servers.

0 Helpful

KJK99
Level 3
Level 3

‎03-07-2024 08:39 AM

@TheGoob 

Be careful. It may appear to you like many DHCP servers, but there is actually one. It just needs to be enabled and configured in each VLAN separately. All those “multiple” DHCP servers use one set of tables.

Kris K

liviu.gheorghe
VIP
VIP

‎03-07-2024 09:45 AM

@KJK99 makes a good point about the placement of your DHCP server. The idea of moving your DHCP server behind the firewall is also an added bonus to the overall security of the network.

As I see it, you have two options:

1. Configure the DHCP server on the SG350 and remember not to change any SVI in the switch configuration or reload the switch after each change made to the SVI's. If you can upgrade the switch firmware to the latest version, that is even better - maybe the bug mentioned earlier is already fixed. Like everything in this world, this option has advantages and disadvantages. One of the advantages is that it's simple to implement and doesn't require additional hardware. The disadvantage is related to the DHCP bug and the fact that you will have to remember to reload the switch every time you change something to your SVI's. 

2. Second option as suggested by other posters is to move the DHCP on another device - a NAS that supports it, a linux server or even a Raspberry Pi can function as a DHCP server without any issues.

I'm in favour of the second option for obvious reasons.

Hope this helps.

Regards, LG
*** Please Rate All Helpful Responses ***

TheGoob
VIP
VIP

‎03-07-2024 10:04 AM

Makes sense. I think for the sake of one less thing to do is to verify/try on the SG and see how it comes together. If I do indeed find these bugs, I have zero issues serving on a NAS Server. 

0 Helpful

liviu.gheorghe
VIP
VIP
In response to TheGoob

‎03-07-2024 12:14 PM

In the meanwhile, can you confirm the model of the switch - I'm guessing it's a SG350XG from one of your config outputs, and the firmware version it's running now.

The latest version for the SG350XG is Release 2.5.9.54. Just want to check if DHCP bug is still unresolved or not and that upgrading the firmware is a viable option.

Regards, LG
*** Please Rate All Helpful Responses ***
0 Helpful

TheGoob
VIP
VIP

‎03-07-2024 12:35 PM

Howdy, though I can not tell you what it is by me looking, I did verify last week I had the latest downloadable version. 

0 Helpful

TheGoob
VIP
VIP

‎03-07-2024 04:46 PM

Got home and removed DHCP Server[s] from ISR and created 6 new ones on SG350XG.. Everything seems to be working as it should.

0 Helpful
Customers Also Viewed These Support Documents