08-06-2020 11:21 PM - edited 08-06-2020 11:21 PM
Hi,
I configured DHCP Server on Service-VPN-Interface.
Both routers (4451-X, newest 17-version) do VRRP on this Interface and have the same dhcp-config:
08-10-2020 01:35 AM - edited 08-10-2020 01:36 AM
I've experienced something similar. For me the solution was in the routing policy. The routing policy was sending the DHCP packets out the WAN interface because I had a local break-out set up.
You can verify this with a capture on the device to be sure.
For me, the solution was something like this:
vpn-list VPN_2-GUEST
 sequence 1
  match
   source-ip 0.0.0.0/32
   destination-ip 255.255.255.255/32
  !
  action accept
  !
 !
 sequence 11
  match
   source-data-prefix-list Internet-Breakout-Data-Prefix
   destination-data-prefix-list Internet-Breakout-Data-Prefix
  !
  action accept
  !
 !
 sequence 21
  match
   source-data-prefix-list Internet-Breakout-Data-Prefix
   destination-data-prefix-list RFC1918-specialRanges-Multicast
  !
  action drop
  !
 !
 sequence 31
  match
   source-data-prefix-list Internet-Breakout-Data-Prefix
  !
  action accept
   nat use-vpn 0
   no nat fallback
  !
 !
 default-action drop
!
Hope this helps.
08-11-2020 07:56 AM
Hi Axel,
I solved it with TAC but didn't test if your solution also works.
There is a Technote on this:
Solution:
sequence 11
 match
  destination-port 67-68
  protocol 17
 !
 action accept
 !
!
I now understand (also because I had service-chaining problems) that a Traffic Data Policy takes precedence even over the routing table of an ISR. That means if a data policy has a matching entry to e.g. NAT the traffic via VPN0, even though the destination is locally connected, the router seems not to check the CEF table but does the service/NAT etc. on it.
For DHCP this is the same, and you need the exception as shown, as this traffic has to reach the control plane of the router.
BR
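As an added example (not code from either poster or from Cisco), the following is a small first-match model of the data-policy behaviour described in this thread: it walks the sequences in order and shows how a match-all breakout/NAT sequence swallows DHCP, how Axel's sequences 1 and 11 catch it, and how TAC's port/protocol exception does the same. The prefix-list contents, the match-all NAT sequence standing in for the original poster's unposted rule, and the sample packets are constructed.

```python
import ipaddress
from collections import namedtuple
BREAKOUT, RFC1918 = "Internet-Breakout-Data-Prefix", "RFC1918-specialRanges-Multicast"
# Constructed prefix-list contents; the thread names these lists but not their entries.
PREFIX_LISTS = {
    BREAKOUT: ["10.20.0.0/16"],
    RFC1918: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4"],
}
Packet = namedtuple("Packet", "src dst proto dport")  # proto is the IP protocol number (17 = UDP)
def in_list(ip, name):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(p) for p in PREFIX_LISTS[name])

def matches(match, pkt):
    # Every criterion in a sequence's match block must apply; an empty block matches everything.
    checks = {
        "source-ip": lambda v: ipaddress.ip_address(pkt.src) in ipaddress.ip_network(v),
        "destination-ip": lambda v: ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(v),
        "source-data-prefix-list": lambda v: in_list(pkt.src, v),
        "destination-data-prefix-list": lambda v: in_list(pkt.dst, v),
        "protocol": lambda v: pkt.proto == v,
        "destination-port": lambda v: v[0] <= pkt.dport <= v[1],
    }
    return all(checks[k](v) for k, v in match.items())
def evaluate(policy, pkt):
    # First-match semantics: the first sequence whose match applies decides the action.
    for match, action in policy["sequences"]:
        if matches(match, pkt):
            return action
    return policy["default-action"]
# Constructed match-all breakout sequence standing in for the OP's (unposted) NAT rule.
NAT_SEQ = ({}, "accept nat use-vpn 0")
NO_EXCEPTION = {"sequences": [NAT_SEQ], "default-action": "drop"}
AXEL_POLICY = {"sequences": [  # Axel's sequences 1, 11, 21 and 31 as posted above
    ({"source-ip": "0.0.0.0/32", "destination-ip": "255.255.255.255/32"}, "accept"),
    ({"source-data-prefix-list": BREAKOUT, "destination-data-prefix-list": BREAKOUT}, "accept"),
    ({"source-data-prefix-list": BREAKOUT, "destination-data-prefix-list": RFC1918}, "drop"),
    ({"source-data-prefix-list": BREAKOUT}, "accept nat use-vpn 0"),
], "default-action": "drop"}
TAC_POLICY = {"sequences": [  # TAC's DHCP exception placed ahead of the breakout sequence
    ({"destination-port": (67, 68), "protocol": 17}, "accept"),
    NAT_SEQ,
], "default-action": "drop"}

# Constructed sample traffic: broadcast DHCP DISCOVER, unicast DHCP renewal to the router, HTTPS.
DISCOVER = Packet("0.0.0.0", "255.255.255.255", 17, 67)
RENEWAL = Packet("10.20.1.50", "10.20.1.1", 17, 67)
WEB = Packet("10.20.1.50", "203.0.113.10", 6, 443)

def verdicts(policy):
    return [evaluate(policy, p) for p in (DISCOVER, RENEWAL, WEB)]
```

Without an exception every packet, DHCP included, lands on the NAT sequence; with either fix the two DHCP packets are accepted locally while the HTTPS flow still takes the breakout.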