
IP DHCP Relay

mdieken011
Level 1

I have a Nexus 9300 switch that has my guest network on it.  I do not want to route this network on the Nexus because of security reasons so I won't put an address on it. I will route the L3 traffic with my Cisco ASA.

1. Will the switch forward the DHCP request to the server?

2. Will it be the correct address if it doesn't know what DHCP scope to pull it from?

Below is my interface example.

interface Vlan2
  description Madonna Guest
  no shutdown
  ip dhcp relay address 10.200.0.4
  ip dhcp relay address 10.200.0.6

6 Replies

Hi

You don't need to route the network address you used as the pool on the DHCP. What needs to be routed is the DHCP server IP address.

When guest clients request an IP address, they will be calling the DHCP server IP address, and if this server is directly connected to the Nexus switch, you are fine. Then the DHCP server will reply with a free IP in the scope. If that IP will be routed or not is up to you.

If the DHCP server is not connected to the Nexus but is remote, what you can use is ip helper-address on the guest VLAN.

M02@rt37
VIP

Hello @mdieken011 

-- Will the switch forward the DHCP request to the server?

Yes, by configuring the "ip dhcp relay address" command on the VLAN interface, the switch will forward DHCP requests received on that VLAN to the specified DHCP server addresses. This feature is also known as DHCP relay or IP helper address.

-- Will it be the correct address if it doesn't know what DHCP scope to pull it from?

The DHCP server will allocate an IP address from the configured DHCP scope that matches the VLAN subnet of the DHCP request. The switch does not need to know the specific DHCP scope, as long as the DHCP server is reachable and configured correctly with the appropriate scopes for each VLAN subnet.

However, if the DHCP server is not configured to allocate IP addresses for the guest network VLAN, the DHCP requests will not be successful, and the clients will not receive an IP address. Therefore, you need to ensure that the DHCP server is configured with the appropriate DHCP scopes for each VLAN subnet.

Furthermore, it's also essential to ensure that the DHCP traffic between the switch and the DHCP server is allowed through any firewalls or ACLs that may be in place. Additionally, you should consider implementing DHCP snooping on the switch to prevent rogue DHCP servers from providing incorrect IP addresses to the clients.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

The DHCP relay needs reachability.

Here you don't want to advertise the VLAN subnet; that's OK.

Use ip dhcp relay source

Select the source of the DHCP relay.

As for how DHCP will select the DHCP pool for the DHCP request: even if you change the source address of the DHCP relay packet, inside the DHCP request there is still a mention of the VLAN interface IP.

This will give you both:

using DHCP relay and securing your network.


Thanks MHM

Hi,

Since the gateway will be on the FW (ASA), configure relay on that device. Why are you trying to configure relay on the switch? Relay in any case needs an IP from that subnet, so the DHCP server can understand from which pool to give an IP address to the client (thanks to the giaddr field).

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

mlund
Level 7

I agree with @Kanan that you have to configure the ASA with helper-address; since the Nexus doesn't have an IP address, the helper address on the Nexus is useless. I suggest you remove your "interface vlan 2" on the Nexus and let the ASA do the work. Let the Nexus be just a layer 2 for VLAN 2.
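
The giaddr-based pool selection discussed in the replies above, as an added example that is not part of the original thread: a minimal Python model of how a DHCP server maps a relayed request to a scope, using giaddr or, when present, the option 82 link-selection sub-option (RFC 3527). The scope names, the 172.16.2.0/24 guest subnet, the relay addresses and the sample packets are constructed assumptions, not values from the thread.

```python
import ipaddress
import struct

MAGIC = bytes([99, 130, 83, 99])  # DHCP magic cookie (RFC 2131)
# Constructed scopes: the thread never states the guest subnet.
SCOPES = {"guest": ipaddress.ip_network("172.16.2.0/24"),
          "servers": ipaddress.ip_network("10.200.0.0/24")}

def build_discover(giaddr, link_selection=None):
    """Build a minimal relayed DHCPDISCOVER (constructed sample input)."""
    pkt = struct.pack("!BBBBIHH4s4s4s4s16s192s", 1, 1, 6, 1, 0x1234ABCD, 0, 0,
                      bytes(4), bytes(4), bytes(4),
                      ipaddress.ip_address(giaddr).packed,
                      bytes.fromhex("020000000001"), b"")
    opts = bytes([53, 1, 1])  # option 53: message type DISCOVER
    if link_selection:
        sub = bytes([5, 4]) + ipaddress.ip_address(link_selection).packed
        opts += bytes([82, len(sub)]) + sub  # option 82, sub-option 5
    return pkt + MAGIC + opts + bytes([255])

def parse_relay_fields(pkt):
    """Return (giaddr, link_selection or None) from a DHCP packet."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    giaddr = ipaddress.ip_address(pkt[24:28])  # giaddr sits at offset 24
    link, i = None, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:  # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated option")
        code, body = pkt[i], pkt[i + 2:i + 2 + pkt[i + 1]]
        if code == 82:  # relay agent information (RFC 3046)
            j = 0
            while j + 2 <= len(body):
                if body[j] == 5 and body[j + 1] == 4:  # link selection
                    link = ipaddress.ip_address(body[j + 2:j + 6])
                j += 2 + body[j + 1]
        i += 2 + pkt[i + 1]
    return giaddr, link

def select_scope(pkt):
    """Scope choice: link-selection sub-option if present, else giaddr."""
    giaddr, link = parse_relay_fields(pkt)
    key = link if link is not None else giaddr
    if int(key) == 0:
        return None  # no relay address: request cannot be mapped to a remote scope
    return next((n for n, net in SCOPES.items() if key in net), None)
```

A relay that has an address in the guest subnet yields the guest scope; a relay sourcing from another subnet without link selection yields that other subnet's scope, and a zero giaddr yields none.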
