Hi
I'm looking at using EVN to isoalte some networks that must go behind a stateful firewall for compliance reasons.

These networks will still require access to shared services like DHCP. I've been testing this in GNS3 with csr1000v (16.05.01b).

As a basic test I had the following setup:

DHCP server on subnet 10.10.10.0/24 in global routing table
Data vrf subnet 10.10.20.0/24 replicated so that it is present in global routing table

The routing tables were as follows:

GLOBAL
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.10.10.0/24 is directly connected, GigabitEthernet1
L 10.10.10.1/32 is directly connected, GigabitEthernet1
C + 10.10.20.0/24 is directly connected, GigabitEthernet4
L 10.10.20.1/32 is directly connected, GigabitEthernet4

DATA
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.20.0/24 is directly connected, GigabitEthernet4
L 10.10.20.1/32 is directly connected, GigabitEthernet4

With this setup, dhcp relay works fine for the data vrf (for the test I'm using a csr1000v as the dhcp server - this will be a non-ios server when in production.

I started looking at a setup where the data vrf subnet 10.10.20.0/24 wouldn't be replicated into the global routing table. Instead, I looked at creating a second vrf (called shared) and tried using the shared vrf to proxy dhcp realy traffic from the data vrf to the dhcp server in the global vrf - I ran into a few issues with this. Is this second option viable for shared services or can shared services be configured only between 2 vrfs

Thanks
Andy