Re: Clients cannot access DHCP servers outside the SDA fabric

Soushi Takata · ‎09-09-2025

Thank you for your reply.

I am having trouble with my user VN client being unable to communicate with the DHCP server.
I'm using Catalyst Center 2.3.7.9 to build SDA fabric.
The DHCP server is located outside the SDA fabric and connected via FusionSW.
One machine serves as both a border node and a control plane node.
VRF leak is configured in FusionSW.
The user VN (VRF) of the border node learns route information to the DHCP server.
However, the user VN (VRF) of the Edge node has not learned the DHCP server's route information, and no default route has been set.
On the Edge node, the ip helper-address is set on the VLAN interface to which the client belongs.
On the border node, in the Layer 3 Handoff settings, "Default to all virtual networks" is checked, and "Do not import external routes" is not checked.

How can I register the DHCP server's route information in the Edge node's VRF?

Andrii Oliinyk · ‎09-10-2025

on the ENs u dont need default or any specific route to DHCP-server. Traffic for external dsts will be delivered to BN. on the BN u must have LoXYZ configured with the same IP as AnyCast GW on the EN for the target VLAN. there are basically many variables potentially impacting traffic. i'm not sure f.e. why do u have "Default to all virtual networks" checked? do u really use single L3-handoff transfer for all VNs?
as a 1st action plan check LoXYZ on the BN & try to catch affected DHCP-traffic with EPC.

jedolphi · ‎09-10-2025

Like Andy said, you won't find a default route in VRF RIB on the Edge Node. If it is a LISP Pub/Sub fabric (as all new sites should be!) then you can refer to Cisco Live BRKENS-3826 presentation for LISP CLIs required to check network state. There is also a few SD-Access DHCP-specific troubleshooting docs on Cisco.com you can find with an Internet search.

Andrii Oliinyk · ‎09-10-2025

nice preso, Jerom. thanks

Andrii Oliinyk · ‎09-10-2025

"Note: INFRA_VN uses RIB for endpoint (AP, Extended Node) to external network routing and LISP for the return traffic."
to be more clear on above please: is UC'ed DHCPDISCOVER still being sent by EN to BN VXLAN-encapsulated with INFRA_VN IID in header?

jedolphi · ‎09-11-2025

What does "UC'ed" mean?
INFRA_VN packets sourced from Edge Node (EN) are not sent in VXLAN towards Border Node (BN). INFRA_VN packets from BN to EN are sent in VXLAN. You can confirm by checking CEF on EN and BN, the CEF show commands are in the BRKENS-3826 presentation.

Andrii Oliinyk · ‎09-11-2025

UC'ed means UniCast'ed.
So UC'ed DHCPDISCOVER from INFRA_VN simply gets fwd'ed with SRC IP of ACGateway or IGP egress IP?
Is it the same for DHCPACK?

jedolphi · ‎09-15-2025

Hi Andy, DHCP discover is broadcast by endpoint. It's picked up by DHCP helper on fabric Edge Node and then tunnelled in overlay with an overlay source IP address of the fabric Edge Node Anycast Gateway IP address. DHCP ACK goes in the other direction, so it will have source IP address of DHCP server.

Soushi Takata · ‎09-11-2025

Thank you, Andrii
Thank you, Jedolphi

I understand that the DHCP server prefix information or Default GW information is not required on the EN RIB.
And I also understand that communication with the DHCP server is done using LISP information.
I will check the BRKENS-3826 document.
I looked into it a bit, but I didn't really understand how to check LISP.
I didn't know which IID to look at.
I'll study it.

Andrii Oliinyk · ‎09-11-2025

this one concentrates on SDA DHCP Cisco SD-Access Fabric Edge DHCP Process/Packet Flow and Decoding - Cisco
& i love this one Cisco SDA Part VIII - DHCP challenges in SDA - The ASCII Construct