ASA dhcprelay per interface

Answered Question
Mar 13th, 2008

I have an ASA-5505 with 3 vlans: outside, inside1, and inside2. I'd like DHCP requests from inside1 and inside2 to go to different DHCP servers, depending on which interface the requests are received on. It would be the equivalent of issuing ip helper-address commands on two different router interfaces. It doesn't appear to be possible on the ASA-5505. Is that really correct? If so, then do any of the other ASA models provide this capability?

Thanks

Mike


amritpatek Wed, 03/19/2008 - 14:05

For your network, it would be better to use a router or a switch so that DHCP requests are directed to DHCP servers depending on the interface. You can put the ASA after the router in your network.

ippolito Thu, 03/20/2008 - 06:16

Thanks, I know about dhcp relay -- this is exactly what I'm trying to use. But I want to relay to two different dhcp servers - one for dhcp requests on vlan1, one for dhcp requests on vlan2. If I understand how the ASA works, it will forward all packets from all vlans on which dhcp relay is enabled to ALL of the dhcp relay servers that are configured.


francisco_1 Thu, 03/20/2008 - 06:45

All the ASA is doing is relaying the DHCP request between client and server. When the DHCP relay agent on the ASA appliance receives a DHCP request from a host on one of its interfaces, it will forward the request to one of the specified DHCP servers on an interface the servers are behind. When the DHCP server replies to the client, the security appliance forwards that reply back.


To answer your question: just make sure that both DHCP servers are set up on the ASA, for example if the servers are behind the inside interface "dhcprelay server **** inside", and make sure the servers are set up with the correct DHCP scope for vlan1 and vlan2. When the request is sent from the ASA to the DHCP server, as long as the server has a DHCP scope for the correct vlan, it will respond back with an IP address to the ASA and the ASA will relay it to the client.


Am I making sense?


Franco

ippolito Thu, 03/20/2008 - 07:42

That makes sense, thank you very much. If I understand correctly: as long as the ASA 5505 is compliant with RFC 1542, it will substitute its own gateway address into the dhcp request packet before it forwards it to the dhcp servers.


Then when the dhcp servers receive the request, they will know whether they need to reply with an address based on whether they have a dhcp scope configured that corresponds to the relay address provided in the request (assuming the dhcp servers are also RFC compliant and don't just blindly reply to all dhcp requests).


Do I have that correct?

thanks

mike

Correct Answer
francisco_1 Thu, 03/20/2008 - 07:50

That's correct. Give it a go and let me know the outcome.



Franco
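
Added example (not part of the original thread, and not Cisco code): a Python sketch of the behaviour agreed on above, where the relay stamps the ingress interface address into giaddr (RFC 1542), forwards to every configured server, and each server answers only if it has a scope containing that giaddr. The interface addresses, server names and scopes are constructed values.

```python
import ipaddress
import struct

# Constructed values for illustration only (assumptions, not from the thread).
RELAY_IFACES = {"inside1": "192.168.10.1", "inside2": "192.168.20.1"}
SERVERS = {
    "dhcp-a": ["192.168.10.0/24"],  # scope for the inside1 subnet only
    "dhcp-b": ["192.168.20.0/24"],  # scope for the inside2 subnet only
}
HOPS_OFFSET = 3               # 'hops' byte in the BOOTP header
GIADDR = slice(24, 28)        # 'giaddr' field in the BOOTP header


def build_discover(xid, mac):
    """Fixed BOOTP header as a client broadcasts it: giaddr is all zeros."""
    zero = b"\x00" * 4
    # op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr
    return struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, xid, 0, 0x8000,
                       zero, zero, zero, zero, mac)


def relay(packet, ingress):
    """RFC 1542 relay step: fill a zero giaddr with the ingress interface
    address and increment hops. The same packet goes to every server."""
    pkt = bytearray(packet)
    if pkt[GIADDR] == b"\x00" * 4:
        pkt[GIADDR] = ipaddress.IPv4Address(RELAY_IFACES[ingress]).packed
    pkt[HOPS_OFFSET] += 1
    return bytes(pkt)


def server_answers(server, packet):
    """Return the scope the server would allocate from, or None when no
    configured scope contains giaddr (the server stays silent)."""
    giaddr = ipaddress.IPv4Address(packet[GIADDR])
    for scope in SERVERS[server]:
        if giaddr in ipaddress.ip_network(scope):
            return scope
    return None


def fan_out(ingress, xid=0x1234, mac=b"\x02\x00\x00\x00\x00\x01"):
    """Relay one request from `ingress` to all servers; map server -> scope."""
    relayed = relay(build_discover(xid, mac), ingress)
    return {name: server_answers(name, relayed) for name in SERVERS}


if __name__ == "__main__":
    for iface in RELAY_IFACES:
        print(iface, fan_out(iface))
```
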

ippolito Mon, 03/24/2008 - 06:33

That worked, thank you very much for your help. How do I tag this message as having been resolved?

Thanks,

Mike

