DHCP on Router, Relay from Switch through firewall to router...fails

cybrsage
Level 1

I have a bunch of PCs on the inside of a 3COM layer 3 switch.  The switch has UDP forwarding turned on.  It then goes to a firewall, which is allowing the DHCP UDP packets through, then on to the router, which is also the DHCP server.  It does not work.

I am getting the following debug:

Jan  8 16:46:29.079 est: DHCPD: checking for expired leases.
Jan  8 16:46:40.267 est: DHCPD: Sending notification of DISCOVER:
Jan  8 16:46:40.267 est:   DHCPD: htype 1 chaddr 0013.7209.356f
Jan  8 16:46:40.267 est:   DHCPD: remote id 020a0000ac161e49010000000000
Jan  8 16:46:40.267 est:   DHCPD: circuit id 00000000
Jan  8 16:46:40.271 est: DHCPD: DHCPDISCOVER received from client 0100.1372.0935.6f through relay 10.10.255.50.
Jan  8 16:46:40.271 est: DHCPD: Seeing if there is an internally specified pool class:
Jan  8 16:46:40.271 est:   DHCPD: htype 1 chaddr 0013.7209.356f
Jan  8 16:46:40.271 est:   DHCPD: remote id 020a0000ac161e49010000000000
Jan  8 16:46:40.271 est:   DHCPD: circuit id 00000000
Jan  8 16:46:40.271 est: DHCPD: there is no address pool for 10.10.255.50.
Jan  8 16:46:44.267 est: DHCPD: Sending notification of DISCOVER:
Jan  8 16:46:44.267 est:   DHCPD: htype 1 chaddr 0013.7209.356f
Jan  8 16:46:44.267 est:   DHCPD: remote id 020a0000ac161e49010000000000
Jan  8 16:46:44.267 est:   DHCPD: circuit id 00000000
Jan  8 16:46:44.267 est: DHCPD: DHCPDISCOVER received from client 0100.1372.0935.6f through relay 10.10.255.50.
Jan  8 16:46:44.267 est: DHCPD: Seeing if there is an internally specified pool class:
Jan  8 16:46:44.267 est:   DHCPD: htype 1 chaddr 0013.7209.356f
Jan  8 16:46:44.267 est:   DHCPD: remote id 020a0000ac161e49010000000000
Jan  8 16:46:44.267 est:   DHCPD: circuit id 00000000
Jan  8 16:46:44.267 est: DHCPD: there is no address pool for 10.10.255.50.

Here is my router config:

no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 10.10.98.1 10.10.98.19
ip dhcp excluded-address 10.10.98.251 10.10.98.255
!
ip dhcp pool LAN
   network 10.10.98.0 255.255.255.0
   default-router 10.10.98.1
   dns-server 1.1.1.1 2.2.2.2
   netbios-name-server 1.1.1.1 2.2.2.2
   lease 8

The 10.10.255.50 address is one of the firewall interfaces.

Help!

2 Replies

Peter Paluch
Cisco Employee

Hello,

It seems that the firewall either overwrites the IP address of the relay agent in client DHCP messages with its own address, or it finds that the relayed DHCP message does not contain a proper IP address of the relay agent and so fills it with its own address.

I assume that the 3Com switch is working as a default gateway for the VLANs for which you want to run the centralized DHCP service (i.e. that the routing function is provided by the 3Com and not just the firewall).

I suggest first verifying the configuration of the 3Com switch. I am not familiar with them, so I can give you only general suggestions. It is necessary that the 3Com switch not only forwards the UDP broadcast towards the DHCP server but also enters its own IP address from the respective VLAN into the DHCP message as the relay agent IP address. Only relaying a UDP broadcast is not sufficient, because such a relayed message lacks the information about where a reply should be sent. The 3Com must include its IP address in the so-called GIADDR field of the DHCP message being relayed. Please make sure that this is the case.

Second, you should make sure that the firewall does not tamper with the contents of the DHCP message or with its headers. The relayed DHCP message must be allowed to pass through the firewall transparently, without any alterations. It is also not appropriate to run any sort of NAT between the DHCP client and server.

Best regards,

Peter

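The following is an added example, not code from either poster or from Cisco, illustrating the mechanism behind both the original debug output and Peter's answer: a DHCP server chooses the pool for a relayed DISCOVER by matching the GIADDR field against its configured pool networks, so a GIADDR that belongs to no pool (here the firewall interface 10.10.255.50 from the log) produces exactly "there is no address pool for <giaddr>". The pool definition mirrors the router config in the question; the client MAC and option 82 remote-id bytes are copied from the debug lines; the "correct" GIADDR of 10.10.98.1 is an assumption that the 3Com VLAN interface holds the address given as default-router. Packet layout is the standard BOOTP/DHCP header (RFC 2131) with option 53 and option 82 sub-option 2.

```python
"""Added example: DHCP pool selection by GIADDR for a relayed DISCOVER."""
import ipaddress
import struct

# Pools modelled on the router config posted in the thread.
POOLS = {
    "LAN": ipaddress.ip_network("10.10.98.0/24"),
}

MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_discover(chaddr: bytes, giaddr: str, remote_id: bytes = b"") -> bytes:
    """Build a minimal DHCPDISCOVER as it looks after one relay agent forwarded it."""
    # op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=6, hops=1 (one relay hop)
    hdr = struct.pack("!BBBB", 1, 1, 6, 1)
    # xid (constructed value), secs=0, flags=0x8000 (client asked for broadcast reply)
    hdr += struct.pack("!IHH", 0x3903F326, 0, 0x8000)
    hdr += bytes(4) * 3                                  # ciaddr, yiaddr, siaddr = 0.0.0.0
    hdr += ipaddress.ip_address(giaddr).packed           # giaddr: relay agent's address
    hdr += chaddr.ljust(16, b"\x00")                     # chaddr padded to 16 bytes
    hdr += bytes(64) + bytes(128)                        # sname, file (unused)
    opts = MAGIC_COOKIE
    opts += bytes([53, 1, 1])                            # option 53: DHCPDISCOVER
    if remote_id:
        sub = bytes([2, len(remote_id)]) + remote_id     # option 82 sub-option 2: remote-id
        opts += bytes([82, len(sub)]) + sub
    opts += b"\xff"                                      # end option
    return hdr + opts


def parse_discover(pkt: bytes) -> dict:
    """Parse the fields a server needs to pick a pool: hops, giaddr, chaddr, options."""
    _op, _htype, hlen, hops = struct.unpack_from("!BBBB", pkt, 0)
    giaddr = ipaddress.ip_address(pkt[24:28])
    chaddr = pkt[28:28 + hlen]
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    options = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:                                  # end
            break
        if code == 0:                                    # pad
            i += 1
            continue
        length = pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"hops": hops, "giaddr": giaddr, "chaddr": chaddr, "options": options}


def select_pool(msg: dict):
    """Server side: a relayed request (giaddr != 0) is served from the pool whose
    network contains giaddr. Returns the pool name, or None (no address pool)."""
    giaddr = msg["giaddr"]
    if int(giaddr) == 0:
        # Not relayed: a real server would use the receiving interface's subnet instead.
        return None
    for name, net in POOLS.items():
        if giaddr in net:
            return name
    return None


def server_decision(pkt: bytes) -> str:
    """Mimic the debug line the router printed for a relayed DISCOVER."""
    msg = parse_discover(pkt)
    pool = select_pool(msg)
    if pool is None:
        return f"there is no address pool for {msg['giaddr']}."
    return f"DISCOVER from relay {msg['giaddr']} served from pool {pool}"


if __name__ == "__main__":
    mac = bytes.fromhex("00137209356f")                  # chaddr from the debug output
    rid = bytes.fromhex("020a0000ac161e49010000000000")  # remote id from the debug output
    # Case seen in the thread: firewall address ends up in GIADDR -> no pool matches.
    print(server_decision(build_discover(mac, "10.10.255.50", rid)))
    # Assumed correct case: 3Com VLAN interface address in GIADDR -> pool LAN matches.
    print(server_decision(build_discover(mac, "10.10.98.1", rid)))
```

Run it as a script and the first line reproduces the router's complaint while the second shows the pool being found; the only difference between the two packets is the GIADDR value, which is why Peter's two checks (does the 3Com fill GIADDR, and does the firewall leave it alone) are the ones that matter.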
Thanks, that is what it appears to me as well.  I will have the firewall guys check into that bit.
