01-22-2019 04:33 PM - edited 03-08-2019 05:06 PM
Summary:
My L3 - Nexus 9k.
I'm trying to configure the subnet my SCCM server is on (to send magic packets to my remote subnets). Example - SCCM is on 10.0.0.1/24 (VLAN10) - SCCM server being 10.0.0.2
My remote Subnet is 192.168.0.1/24 (VLAN 192)
On the VLAN10 interface (where my SCCM server lives) I added the DHCP relay of the broadcast address for VLAN 192:
int vlan10
ip address 10.0.0.1 255.255.255.0
ip dhcp relay address 192.168.0.255
*Issue - I have other devices on the VLAN10 subnet that stopped obtaining IP addresses from the local DHCP server on that subnet (I would assume this is because the relay is trumping the local server....and the SCCM relay is not providing IP addresses....just magic :) :).
*What I'm looking for - a simple way (ACL?) to only allow the SCCM server to use the DHCP relay that I have added to its VLAN.
*Additional info - no other DHCP relays exist on VLAN10
01-22-2019 07:14 PM
Under svi for vlan 10, can you add these commands and test again?
int vlan 10
ip directed-broadcast
ip dhcp relay 10.0.0.255
HTH
01-24-2019 12:07 AM
Just for the record the network ID should be 10.0.0.0/24
and 10.0.0.1 is the first IP address in this network.
Your SCCM server resides in VLAN 10, but where is your DHCP server ?
if this is the router at 10.0.0.1, then you do not need a ip dhcp relay entry in this vlan
if your DHCP server is in vlan 20, then you need to point the ip helper to the ip-address of the dhcp server in vlan20 not the broadcast address of the network!
if you want your SCCM server in vlan10 to receive dhcp packets from clients in vlan 20, then you need the ip-helper command in vlan20
In this case vlan 20 may have 2 ip-helper entries one to the DHCP server (in vlan10) and one to the SCCM server.
the switch will forward (relay) a single dhcp request to both ip-helpers (the return packets will find their way .....)
01-24-2019 12:17 AM
read this Catalyst Layer 3 Switch for Wake-On-LAN Support Across VLANs Configuration Example
and a solution from another thread
Remember to configure ip forward-protocol udp 7 and ip directed-broadcast on the last hop router (nexus in this case).
WOL does not require directed-broadcasts unless you've got a host on a different subnet attempting to do it. if that is the case then you need to allow directed-broadcasts.
I have seen issues on access ports if ports were not set to auto auto.
Nothing special about the Nexus I am aware of.
In regards to possible conflict with the DHCP, make sure WOL is not using UDP/67 or you might run into some issues with DHCP snoop. I see the hosts using WOL and DHCP are on the same subnet but are the WOL and DHCP servers on the same subnet?
01-24-2019 05:54 AM
pieterh,
Thanks for the response.
To answer your questions - VLAN10 has a DHCP server on the 10.0.0.0 network - so it does not require a helper.
The issue is that my SCCM server is also inside VLAN10 and for it to broadcast magic packets to a separate VLAN it requires a helper/relay address for the broadcast address of the remote VLAN. *So literally the only device on VLAN10 that needs to use the helper/relay is the SCCM server.......but when I add the helper/relay - other hosts stop using the local DHCP server on VLAN10 - and favor the helper/relay address instead. The good news - SCCM works, the bad news - DHCP does not work.
01-24-2019 06:45 AM
did you add the access-list as described in the link??? this filters specific packet/port
I changed it to what i think will work for you
L3(config)# access-list 101 permit udp host 10.0.0.2 any eq 7 -> this "7" needs to be changed to what SCCM uses
!--- This accepts directed broadcasts only from SCCM.
L3(config)# ip forward-protocol udp 7 -> this "7" needs to be changed to what SCCM uses
!--- Specifies the protocol and port to be forwarded.
!--- Capture the WOL packet with any network sniffer to determine the UDP port what SCCM uses
!--- to use in this command. The port number varies with the WOL utility used.
L3(config)# interface vlan 10
L3(config-if)# ip address 10.0.0.1 255.255.255.0
L3(config-if)# ip helper-address 192.168.0.255
!--- Enables BOOTP broadcast forwarding to the DHCP server.
L3(config-if)# ip directed-broadcast 101
!--- Enables the translation of a directed broadcast to physical broadcasts. (using ACL 101)
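The reply above says to capture the WOL traffic with a sniffer to learn which UDP port SCCM actually uses before putting that port into the ACL. As an added example that is not part of this thread (none of the posts contain anything beyond switch configuration), the Python below builds a magic packet in the standard format (six 0xFF bytes followed by the target MAC sixteen times, optionally a 4- or 6-byte SecureOn password) and recognises one inside a captured UDP payload regardless of the port it arrived on, which is exactly the check needed to tell a WoL datagram on UDP/7 or UDP/9 apart from DHCP on UDP/67-68 (the conflict one reply warns about). The MAC addresses, the broadcast address and the sample datagrams are constructed for illustration and are assumptions, not data from the thread.

```python
"""Build and recognise Wake-on-LAN magic packets (added example, not from the thread).

All MAC addresses, ports and captured payloads below are constructed for
illustration; nothing here is taken from the original posts.
"""
import re
import socket

MAGIC_SYNC = b"\xff" * 6          # synchronisation stream that opens a magic packet
MAC_REPEATS = 16                  # the target MAC follows the sync stream 16 times


def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or Cisco-style 'aabb.ccdd.eeff'."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Return the 102-byte magic packet (plus SecureOn password if given)."""
    if password and len(password) not in (4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return MAGIC_SYNC + parse_mac(mac) * MAC_REPEATS + password


def extract_wol_target(payload: bytes):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload is a magic packet, else None.

    The sync stream may be preceded by other bytes, so it is searched for rather
    than required at offset 0; the MAC block must follow it immediately.
    """
    idx = payload.find(MAGIC_SYNC)
    if idx < 0:
        return None
    body = payload[idx + 6: idx + 6 + 6 * MAC_REPEATS]
    if len(body) < 6 * MAC_REPEATS:
        return None
    mac = body[:6]
    if body != mac * MAC_REPEATS:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def classify_udp(dst_port: int, payload: bytes) -> str:
    """Label one captured UDP datagram as WoL (with its port), DHCP, or other."""
    if extract_wol_target(payload) is not None:
        return f"wol/udp{dst_port}"
    if dst_port in (67, 68):
        return "dhcp"
    return "other"


# Constructed sample capture: (dst_port, payload). The DHCP payload is just a
# BOOTREQUEST header (op=1, htype=1, hlen=6, hops=0) padded to minimum length.
SAMPLE_CAPTURE = [
    (9, build_magic_packet("0050.56ab.cdef")),                 # WoL, SCCM-style port 9
    (7, build_magic_packet("00:11:22:33:44:55", b"\x01\x02\x03\x04")),  # WoL on echo port with SecureOn
    (67, b"\x01\x01\x06\x00" + bytes(236)),                    # DHCP discover skeleton
    (9, b"not a magic packet"),                                # something else on port 9
]


def classify_capture(capture=SAMPLE_CAPTURE):
    """Return a list of (dst_port, label, target_mac_or_None) for a capture."""
    return [(port, classify_udp(port, pl), extract_wol_target(pl)) for port, pl in capture]


def send_magic_packet(mac: str, broadcast_addr: str, port: int = 9) -> int:
    """Send a magic packet as a subnet-directed broadcast; returns bytes sent.

    broadcast_addr is the remote subnet's broadcast address (assumption: the
    intervening router permits directed broadcasts to that subnet on this port).
    """
    pkt = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (broadcast_addr, port))


if __name__ == "__main__":
    for port, label, mac in classify_capture():
        print(f"udp/{port:<3} {label:<10} target={mac}")
    # Example only; not executed here: send_magic_packet("0050.56ab.cdef", "192.168.0.255", 9)
```

Feed the function the UDP destination port and payload of each datagram from a capture on the SCCM server's VLAN; the port reported for the `wol/...` rows is the one to put in the ACL and, on platforms that have it, in `ip forward-protocol udp`. A payload that carries the six 0xFF bytes but not a clean sixteen-fold MAC block is deliberately reported as `other` rather than guessed at.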
01-26-2019 06:10 AM - edited 01-26-2019 06:16 AM
This command doesn't exist on Nexus - ip forward-protocol udp 7
This is what I plan to try (with question at the end):
ip access-list SCCM_OUT
10 permit udp 10.0.0.2/32 any eq 9 (sccm default Magic packet)
20 deny udp any any
!ACL for VLAN10 that will only allow my SCCM server to send Magic packet
int vlan 10 (VLAN where my SCCM server lives)
ip address 10.0.0.1 255.255.255.0
ip dhcp relay address 192.168.0.255 (broadcast of VLAN 192)
ip directed-broadcast SCCM_OUT
!Config on Magic packet source VLAN - where my SCCM server lives.
!Uses ACL to limit what can use direct-broadcast
int vlan 192 (remote VLAN)
ip address 192.168.0.1 255.255.255.0
ip directed-broadcast
!My question - I have a local DHCP server on VLAN10. My primary issue is that the IP Helper address is trumping the local DHCP server. Will this config actually keep those host from using the IP helper?
02-12-2019 11:28 AM
I have not found a solution for this. I have decided to move my SCCM server to another subnet (without a local DHCP server).
01-24-2019 05:45 AM
Reza - thanks for the response. The ip directed-broadcast command is intended to be on the remote VLAN interface - so in my case on vlan 192.
*I did go ahead and try your suggestion, but no luck :)