DHCP Server on ISR not working

alex.fritzsche
Level 4

Hi,

 

I configured DHCP Server on Service-VPN-Interface.

Both routers (4451-X, newest 17-version) do VRRP on this Interface and have the same dhcp-config:

 
Edges4451#sh run | s dhcp
no ip dhcp use class
ip dhcp use vrf remote
ip dhcp use hardware-address client-id
ip dhcp excluded-address vrf 10 172.19.1.1 172.19.1.10
ip dhcp pool vrf-10-GigabitEthernet0/0/2.951
vrf 10
network 172.19.1.0 255.255.255.0
default-router 172.19.1.1
dns-server 172.19.1.1
domain-name test.test
Edges4451#
 
Routers see no Discovers:
 
Edges4451h#show ip dhcp server stat
Memory usage 18712
Address pools 1
Database agents 0
Automatic bindings 0
Manual bindings 0
Expired bindings 0
Malformed messages 0
Secure arp entries 0
Renew messages 0
Workspace timeouts 0
Static routes 0
Relay bindings 0
Relay bindings active 0
Relay bindings terminated 0
Relay bindings selecting 0
 
Message Received
BOOTREQUEST 0
DHCPDISCOVER 0
DHCPREQUEST 0
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0
DHCPVENDOR 0
BOOTREPLY 0
DHCPOFFER 0
DHCPACK 0
DHCPNAK 0
 
Message Sent
BOOTREPLY 0
DHCPOFFER 0
DHCPACK 0
DHCPNAK 0
 
Message Forwarded
BOOTREQUEST 0
DHCPDISCOVER 0
DHCPREQUEST 0
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0
DHCPVENDOR 0
BOOTREPLY 0
DHCPOFFER 0
DHCPACK 0
DHCPNAK 0
 
DHCP-DPM Statistics
Offer notifications sent 0
Offer callbacks received 0
Classname requests sent 0
Classname callbacks received 0
 
I also tested it with only one interface and without VRRP.
Is there something more needed to activate DHCP??
BR
Alex

Axel Robbe
Level 1

I've experienced something similar. For me the solution was in the routing policy. The routing policy was sending the DHCP packets out the WAN interface because I had a local break-out set up.

 

You can verify this with a capture on the device to be sure.

 

For me, the solution was something like this:

 

 

 vpn-list VPN_2-GUEST
  sequence 1
   match
    source-ip      0.0.0.0/32
    destination-ip 255.255.255.255/32
   action accept
  sequence 11
   match
    source-data-prefix-list      Internet-Breakout-Data-Prefix
    destination-data-prefix-list Internet-Breakout-Data-Prefix
   action accept
  sequence 21
   match
    source-data-prefix-list      Internet-Breakout-Data-Prefix
    destination-data-prefix-list RFC1918-specialRanges-Multicast
   action drop
  sequence 31
   match
    source-data-prefix-list Internet-Breakout-Data-Prefix
   action accept
    nat use-vpn 0
    no nat fallback
  default-action drop

Hope this helps.

Hi Axel,

 

I solved it with TAC but didn't test if your solution also works.

 

There is a Technote on this:

https://www.cisco.com/c/en/us/support/docs/routers/sd-wan/214145-dhcp-server-does-not-work-on-a-router-ru.html

 

Solution:

sequence 11
   match
    destination-port 67-68
    protocol         17
   action accept

I now understand (also because I had Service-Chaining-Problems) that a Traffic Data Policy takes precedence even over the routing table of an ISR. That means if a data policy has a matching entry to e.g. NAT the traffic via VPN0, even though the destination is locally connected, the router seems to not check the CEF table, but does the service/NAT etc. on this.

For DHCP this is the same and you need the exception as shown, as this traffic has to reach the control plane of the router.

 

BR
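
An added example, not part of either post and not Cisco code: a simplified first-match model of the data policy from the first reply, run against constructed DHCP packets to compare the address-based exception with the port-based one. The prefix-list contents, the sample packets, the position of the port rule and the `nat-vpn0` label are assumptions made for this sketch.

```python
import ipaddress

# Constructed prefix-list contents: the thread does not show them (assumption).
LISTS = {
    "Internet-Breakout-Data-Prefix": ["172.19.1.0/24"],
    "RFC1918-specialRanges-Multicast": ["10.0.0.0/8", "172.16.0.0/12",
                                        "192.168.0.0/16", "224.0.0.0/4"],
}
IB, RFC = "Internet-Breakout-Data-Prefix", "RFC1918-specialRanges-Multicast"

def matches(match, pkt):
    """A sequence matches only if every criterion it lists matches the packet."""
    for key, want in match.items():
        if key in ("src", "dst"):  # named prefix list or literal prefix
            addr = ipaddress.ip_address(pkt[key])
            nets = LISTS.get(want, [want])
            if not any(addr in ipaddress.ip_network(n) for n in nets):
                return False
        elif key == "dport" and not want[0] <= pkt["dport"] <= want[1]:
            return False
        elif key == "proto" and pkt["proto"] != want:
            return False
    return True

def evaluate(policy, pkt, default="drop"):
    """First matching sequence wins; otherwise the default action applies."""
    for seq, match, action in policy:
        if matches(match, pkt):
            return seq, action
    return None, default

# Sequences 11-31 as posted in the first reply; "nat-vpn0" stands for
# "action accept / nat use-vpn 0" in this model.
BREAKOUT = [(11, {"src": IB, "dst": IB}, "accept"),
            (21, {"src": IB, "dst": RFC}, "drop"),
            (31, {"src": IB}, "nat-vpn0")]
# The two exceptions from the thread, each placed ahead of the breakout rules.
BY_ADDRESS = [(1, {"src": "0.0.0.0/32", "dst": "255.255.255.255/32"}, "accept")] + BREAKOUT
BY_PORT = [(1, {"dport": (67, 68), "proto": 17}, "accept")] + BREAKOUT

# Constructed sample packets (addresses in 172.19.1.0/24 come from the posted pool).
DISCOVER = {"src": "0.0.0.0", "dst": "255.255.255.255", "proto": 17, "dport": 67}
RENEW = {"src": "172.19.1.50", "dst": "172.19.1.1", "proto": 17, "dport": 67}
WEB = {"src": "172.19.1.50", "dst": "203.0.113.10", "proto": 6, "dport": 443}
STRAY = {"src": "172.19.1.50", "dst": "203.0.113.10", "proto": 17, "dport": 67}

if __name__ == "__main__":
    for name, policy in [("breakout only", BREAKOUT), ("by address", BY_ADDRESS), ("by port", BY_PORT)]:
        for label, pkt in [("discover", DISCOVER), ("renew", RENEW), ("web", WEB), ("stray", STRAY)]:
            print(f"{name:14} {label:9} -> {evaluate(policy, pkt)}")
```

In this model the DISCOVER from 0.0.0.0 falls through to `default-action drop` until one of the exceptions is placed first. The port-based exception also accepts any UDP packet to ports 67-68 in that VPN regardless of its addresses, while the address-based one covers only the initial broadcast.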
