
ip helper-address global statement

diondohmen
Level 1

hi peeps,

I am curious how the following concept really works...

I have an SVI which looks like this:

interface Vlan200
 ip vrf forwarding GUEST
 ip address 10.200.0.254 255.255.255.0
 ip helper-address global 10.10.10.10


As you can see, this SVI is a member of VRF GUEST. We have a DHCP server living in VLAN10, which is not a member of any VRF, but instead lives in the global routing table.

I would like to hand out IP addresses to the clients within VRF GUEST, so Cisco recommends using the "ip helper-address global" command. If I've understood this command right, this means that you're able to relay DHCPREQs from VRF GUEST to the DHCP server living in the global routing table. This looks like some kind of leaking. When the DHCPREQs are received by the DHCP server, how is it going to respond, and how will the switch know that these DHCPOFFERs need to be routed (leaked) from VLAN10 to VLAN200?

any help is appreciated...

8 Replies

Richard Burts
Hall of Fame

I do not have experience with the global feature of the helper-address command and so it is possible that there is something about it that I do not understand correctly. But from a general knowledge of how the helper-address command works I would believe that the answer to your question is that when IOS is preparing to forward the DHCP request it puts its own IP address into the gateway addr field of the request. The DHCP server looks at the gateway addr field to determine which scope to use and to determine how to forward the DHCP offer. So IOS will look for the interface address which will be the destination of the DHCP offer and will send it to the guest VRF.

HTH

Rick

Thanks for your quick response Rick. I agree with your point of view. Let's say I wouldn't leak any routes in between global and VRF Guest, would the DHCP server still be able to hand out addresses to users within Vlan200?

That is a good question and I am not sure what the correct answer is. We need someone who knows more about this feature than I do to provide the authoritative answer to this.

 

HTH

Rick

It is a handy feature and it works in this way:

1. The client sends a DHCP DISCOVER in the vrf VLAN and the SVI 200 gets it. As the ip helper address is configured here, the switch knows it is going to relay this DISCOVER packet to the server.

2. The switch now checks the "global" routing table to find the closest interface IP towards the DHCP server. It sends a unicast DHCP request to the DHCP server with the closest interface IP, and with the DHCP relay IP address as the VLAN 200 SVI IP. There are some features with which you may change this relay IP address but I haven't tested it.

3. from step because it is unicast happening in global routing space, no vrf/vpn/tag is required, purely unicast, the DHCP server should be able to get it as a normal DHCP request. It then OFFERs the request as unicast, with DESTINATION IP set as the relay IP address (SVI 200 IP).

4. From step 3 we understand the DHCP server needs to reach the SVI 200 IP with regard to routing. You can redistribute a static host route into your IGP to achieve that.

5. In my test once the DHCP offer packets arrived on the switch that relays the request, it is all good then. It does not require real communication between the VPN and the DHCP server. (You may not be able to ping each other, but it is fine if the packet can hit the switch.)

PS: My test was on Cisco ASR920 with inter-AS BGP option B type VPN. It additionally requires the ASR920 to do BGP export map kinda route leaking. On our VRF lite kinda 4500X the route leaking is not required. Regarding the "ip helper-address global" itself, the behavior is the same as the above explanation, though how the relay forwards the DHCP OFFER back to its LAN may vary on devices.

-- Best Regards

Erik
Level 1

I have the same question!  I have the same setup.  A VRF for guest that I'm trying to get a DHCP server on another subnet that isn't part of a VRF to hand out addresses to the guest one.

I thought the same thing.  If I used ip helper-address global $DHCP_Server_IP that'd do it.

Sadly my clients don't pull addresses with this configuration.  I was also wondering what IP address the router is appending to the DHCPREQ from VRF guest and if there wasn't a way for it to route back?

Debugging DHCP, DHCP server packet, and DHCP event I'm able to see the router get the offer from my client's mac address, and forward it on to the appropriate helper.  I don't ever see the ACK.

If you got this working, can you let me know what you did?  

I have the exact same issue. 3750G 12.2.55se10

Me 3.  3750G. Version 15.0(2)SE4.

The BOOTREPLY from the DHCP server appears to get sent back to the interface address (where ip-helper is configured) but this is unroutable within the global table.

I got this working on GNS3 by leaking the interface address into the Global table with a static and then I advertised the /32 address using BGP.  You could also use BGP export to leak the route as well.

ip route 192.168.1.1 255.255.255.255 Gi0/1.100    ! Leak LAN address of Guest into Global routing table
!
interface Gi0/1.100
 ip helper-address global 1.1.1.1   ! send the DHCP requests via Global table
!
router bgp 64512
 address-family ipv4
  network 192.168.1.1 mask 255.255.255.255
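
Added example, not part of any post in this thread: a small Python model of the relay path the replies describe. It writes the SVI address from the first post into giaddr, lets a server pick a scope from it, and does a longest-prefix lookup for the reply in a global table with and without a /32 host route for the SVI. The scopes and both routing tables are constructed for illustration and are not taken from any device.

```python
import ipaddress
import struct

# BOOTP fixed header (RFC 951 / RFC 2131): op, htype, hlen, hops, xid, secs,
# flags, ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")

def client_discover(xid, mac):
    """Constructed broadcast BOOTREQUEST as a guest client sends it (giaddr = 0)."""
    zero = bytes(4)
    return BOOTP.pack(1, 1, 6, 0, xid, 0, 0x8000, zero, zero, zero, zero,
                      mac.ljust(16, b"\0"), b"", b"")

def relay(pkt, svi_ip):
    """Relay step: bump hops and write the receiving interface IP into giaddr."""
    f = list(BOOTP.unpack(pkt))
    f[3] += 1
    if f[10] == bytes(4):          # only the first relay fills giaddr
        f[10] = ipaddress.IPv4Address(svi_ip).packed
    return BOOTP.pack(*f)

def giaddr(pkt):
    return str(ipaddress.IPv4Address(BOOTP.unpack(pkt)[10]))

def pick_scope(pkt, scopes):
    """Server side: choose the scope whose subnet contains giaddr."""
    g = ipaddress.IPv4Address(giaddr(pkt))
    return next((s for s in scopes if g in ipaddress.ip_network(s)), None)

def lookup(dst, table):
    """Longest-prefix match in a routing table given as {prefix: exit interface}."""
    d = ipaddress.IPv4Address(dst)
    hits = [ipaddress.ip_network(p) for p in table if d in ipaddress.ip_network(p)]
    return table[str(max(hits, key=lambda n: n.prefixlen))] if hits else None

# Constructed sample data using the addresses from the first post.
SVI = "10.200.0.254"
GLOBAL_RIB = {"10.10.10.0/24": "Vlan10"}             # no route to the guest subnet
LEAKED_RIB = {**GLOBAL_RIB, SVI + "/32": "Vlan200"}  # host route for the SVI only

def demo():
    req = relay(client_discover(0x1234, bytes.fromhex("020000000001")), SVI)
    scope = pick_scope(req, ["10.10.10.0/24", "10.200.0.0/24"])
    return (giaddr(req), scope,
            lookup(giaddr(req), GLOBAL_RIB), lookup(giaddr(req), LEAKED_RIB))

if __name__ == "__main__":
    print(demo())
```

The /32 covers only the relay address: a lookup for any other guest host in the leaked table still returns no route, so the guest subnet itself stays out of the global table.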
