FWSM dhcp relay feature - does it process bootp as well?

jbrauer · ‎10-06-2009

Dear all,

in our environment we need to relay both dhcp and bootp over an FWSM (code version 3.2.13).

Though the docs do not mention bootp (they only mention dhcp) one *could* guess from the "dhcprelay statistics" command that bootp is supported as well:

myFWSM/pri/act# sh dhcprelay statistics

DHCP UDP Unreachable Errors: 0

DHCP Other UDP Errors: 0

Packets Relayed

BOOTREQUEST 0

DHCPDISCOVER 18

(...)

BOOTREPLY 0

However our tests show that bootp is not relayed though DHCP is relayed as expected. Is this WAD (working as designed)?

Thanks in advance for any reply. Cheers.

Herbert Baerten · ‎10-12-2009

Hello Joachim,

dhcprelay does support bootp, i.e. it should relay bootp requests to the configured DHCP-server.

If it does not work, enable "debug dhcprelay *" and see if you can work out what is happening.

hth

Herbert

jbrauer · ‎10-14-2009

Hi Herbert,

first off thanks for your reply.

I already did start debug dhcprelay and for DHCP requests evrything is working as expected, however for BOOTP I did not see any FWSM debug messages - that s why I started this thread.

I have a wirekshark trace as well which shows that the bootp requests are addressed to the broadcast MAC and the UDP header shows source port 68 dest pot 67. However the bootp flag is set to 0x0000 Unicast. Maybe that s the reason why it s not working?

For the DHCP DISCOVERs which are working I see that the bootp flag is se to 0x8000 Unicast.

Both the bootp client and the FWSM are in the same LAN segment.

Regards, Joachim

tprendergast · ‎10-14-2009

First, let's make sure you arent running into a known issue.

There are a few restrictions around dhcp relay --

â€¢The relay agent cannot be enabled if the DHCP server feature is also enabled.

â€¢DHCP Relay services are not available in transparent firewall mode. You can, however, allow DHCP traffic through using an access list. To allow DHCP requests and replies through the FWSM in transparent mode, you need to configure two access lists, one that allows DCHP requests from the inside interface to the outside, and one that allows the replies from the server in the other direction.

â€¢Clients must be directly-connected to the FWSM and cannot send requests through another relay agent or a router.

â€¢For multiple context mode, you cannot enable DHCP relay on an interface that is used by more than one context.

Please post some configuration (show run dhcpd) for us.

Also check to make sure the pxeboot/dhcpd server isn't redirecting the default route of your servers trying to boot... use the "dhcprelay setroute" function to change the defaultrouter portion of the packet to the fwsm interface during the process. That may help packet flow continue to function.

I know bootp is not supported by the built in dhcpd server on the FWSM, but it sounds like you are using dhcpd servers that are not on the fwsm, so validate those relay conditions first.

Cheers,

Tim

jbrauer · ‎10-14-2009

Hi Tim,

thanks for your advice...

dhcp server isn't enabled on the FWSM. FWSM is running in routed mode. Client is running on the same LAN segment as the FWSM. In the very same LAN segment I can successfully issue DHCP client requests which are then processed by the DHCP relay on the FWSM. I see that with "debug dhcprelay" active.

As well with "debug dhcprelay"I see no response on the BOOTP requests so I assume the pxeboot issue you mention does not apply since no processing takes place.

As posted before I see with wireshark that the BOOTP issuer (an IBM AIX Box) flags the bootp request as 0x0000 Unicast in the bootp flag though the MAC dest addr is the broadcast MAC, however the UDP dest addr is 0.0.0.0 - maybe that s the cause why the FWSM is not picking it?

Regards, Joachim