03-28-2023 09:19 AM
I have a Nexus 9300 switch that has my guest network on it. I do not want to route this network on the Nexus because of security reasons so I won't put an address on it. I will route the L3 traffic with my Cisco ASA.
1. Will the switch forward the DHCP request to the server?
2. Will it be the correct address if it doesn't know what DHCP scope to pull it from?
Below is my interface example.
interface Vlan2
description Madonna Guest
no shutdown
ip dhcp relay address 10.200.0.4
ip dhcp relay address 10.200.0.6
03-28-2023 09:34 AM
Hi
You don't need to route the network address you used as the pool on the DHCP server. What needs to be routed is the DHCP server IP address.
When guest clients request an IP address they will be calling the DHCP server IP address, and if this server is directly connected to the Nexus switch, you are fine. Then the DHCP server will reply with a free IP from the scope. Whether that IP will be routed or not is up to you.
If the DHCP server is not connected to the Nexus but is remote, what you can use is an ip helper-address on the guest VLAN.
03-28-2023 09:42 AM
Hello @mdieken011
-- Will the switch forward the DHCP request to the server?
Yes, by configuring the "ip dhcp relay address" command on the VLAN interface, the switch will forward DHCP requests received on that VLAN to the specified DHCP server addresses. This feature is also known as DHCP relay or IP helper address.
-- Will it be the correct address if it doesn't know what DHCP scope to pull it from?
The DHCP server will allocate an IP address from the configured DHCP scope that matches the VLAN subnet of the DHCP request. The switch does not need to know the specific DHCP scope, as long as the DHCP server is reachable and configured correctly with the appropriate scopes for each VLAN subnet.
However, if the DHCP server is not configured to allocate IP addresses for the guest network VLAN, the DHCP requests will not be successful, and the clients will not receive an IP address. Therefore, you need to ensure that the DHCP server is configured with the appropriate DHCP scopes for each VLAN subnet.
Furthermore, it's also essential to ensure that the DHCP traffic between the switch and the DHCP server is allowed through any firewalls or ACLs that may be in place. Additionally, you should consider implementing DHCP snooping on the switch to prevent rogue DHCP servers from providing incorrect IP addresses to the clients.
03-28-2023 09:57 AM
The DHCP relay needs reachability.
Here you don't want to advertise the VLAN subnet; that's OK.
Use "ip dhcp relay source"
to select the source of the DHCP relay.
And for how DHCP will select the DHCP pool for the DHCP request: even if you change the source address of the DHCP relay packet, inside the DHCP request there is still a mention of the VLAN interface IP.
This will give you both:
using DHCP relay and securing your network.
03-28-2023 10:09 AM - edited 03-29-2023 05:21 PM
Thanks MHM
03-28-2023 12:52 PM
Hi,
Since the gateway will be on the FW (ASA), configure the relay on that device. Why do you try to configure the relay on the switch? The relay in any case needs an IP from that subnet, so the DHCP server can understand from which pool to give an IP address to the client (thanks to the giaddr field).
03-29-2023 01:21 AM
I agree with @Kanan that you have to configure the ASA with the helper-address. Since the Nexus doesn't have an IP address, the helper address on the Nexus is useless. I suggest you remove your "interface vlan 2" on the Nexus and let the ASA do the work. Let the Nexus be just layer 2 for VLAN 2.
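The replies above all come down to one mechanism: the DHCP server picks a scope from the giaddr field that the relay agent writes into the BOOTP header, and giaddr is the IP of the interface the request arrived on, so a relay on an SVI with no address has nothing to put there. The following is an added example, not code from the thread or from Cisco. It builds a DHCPDISCOVER as a client sends it, applies the relay-agent step, and shows which scope a server would select. The guest subnet 10.200.2.0/24, the SVI address 10.200.2.1 and the scope table are constructed values for illustration; only the server addresses 10.200.0.4/.6 appear in the thread.

```python
import ipaddress
import struct

# Constructed scope table for the example: a DHCP server knows these pools.
# (Hypothetical: the thread does not give the guest subnet.)
SCOPES = {
    ipaddress.ip_network("10.200.0.0/24"): "servers",
    ipaddress.ip_network("10.200.2.0/24"): "guest",
}

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 option-field marker
GIADDR_OFFSET = 24                  # giaddr sits at bytes 24..27 of the BOOTP header


def build_discover(xid: int, chaddr: str) -> bytes:
    """Minimal BOOTREQUEST carrying a DHCPDISCOVER, as a client sends it.
    Every address field, including giaddr, is zero at this point."""
    mac = bytes.fromhex(chaddr.replace(":", ""))
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1,        # op: BOOTREQUEST
        1, 6,     # htype Ethernet, hlen 6
        0,        # hops: zero until a relay touches it
        xid, 0,   # transaction id, secs
        0x8000,   # flags: broadcast bit set
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    options = bytes([53, 1, 1, 255])   # option 53 = DHCP message type: DISCOVER; end
    return header + MAGIC_COOKIE + options


def relay(packet: bytes, relay_interface_ip: str) -> bytes:
    """What a relay agent ("ip dhcp relay address" / ip helper-address) does
    to the payload: fill giaddr with the IP of the interface the request
    arrived on, if it is still zero, and increment hops. It then unicasts the
    packet to the configured server(s); the IP source address it uses for
    that (e.g. "ip dhcp relay source") is not part of the DHCP payload."""
    hops = packet[3] + 1
    giaddr = packet[GIADDR_OFFSET:GIADDR_OFFSET + 4]
    if giaddr == b"\0\0\0\0":
        giaddr = ipaddress.ip_address(relay_interface_ip).packed
    return (packet[:3] + bytes([hops]) + packet[4:GIADDR_OFFSET]
            + giaddr + packet[GIADDR_OFFSET + 4:])


def parse_giaddr(packet: bytes) -> ipaddress.IPv4Address:
    """Read the relay agent address from a BOOTP/DHCP payload."""
    return ipaddress.ip_address(packet[GIADDR_OFFSET:GIADDR_OFFSET + 4])


def select_scope(packet: bytes, receiving_net: str):
    """Server-side scope selection as RFC 2131 describes it: if giaddr is
    non-zero, use the scope containing giaddr (and send the OFFER back to
    giaddr, which is why the relay must be reachable); otherwise the client
    is on-link and the scope of the receiving interface applies."""
    giaddr = parse_giaddr(packet)
    if int(giaddr) == 0:
        return SCOPES.get(ipaddress.ip_network(receiving_net))
    for net, name in SCOPES.items():
        if giaddr in net:
            return name
    return None


if __name__ == "__main__":
    discover = build_discover(0x1234, "00:11:22:33:44:55")
    # Request that reaches the server without a giaddr: the server can only
    # assume the client is on its own segment.
    print("no relay info ->", select_scope(discover, "10.200.0.0/24"))
    # Relayed from an interface that owns 10.200.2.1 (e.g. the ASA gateway):
    relayed = relay(discover, "10.200.2.1")
    print("giaddr", parse_giaddr(relayed), "->", select_scope(relayed, "10.200.0.0/24"))
```

Run stand-alone it prints `servers` for the un-relayed request and `guest` once giaddr carries 10.200.2.1. The relay's own IP source address never enters `select_scope`, which is the point made above about "ip dhcp relay source": changing the source does not change pool selection, but a relay interface with no address cannot populate giaddr at all, so the device holding the gateway address (the ASA here) is the one that should relay.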