Question about HSRP and DHCP?

Answered Question
Jul 31st, 2013

2 units of 4507 for HSRP router configuration; each router is configured with the same DHCP pool and address range.

According to the principle of HSRP, a standby router is in an inactive state and the active router should assign IP addresses; only when the active router goes down does the standby router take over and begin to assign IP addresses. But now the question is: the active router is not down, yet it assigns only a few IP addresses, and most of the IP addresses are assigned by the standby router. No ip-help-address on active router.

What's the matter? How to resolve it?


Overall Rating: 5 (2 ratings)
Alexey Stytsenko Wed, 07/31/2013 - 20:35

Good day.


> According to the principle of HSRP, a standby router is in inactive state, the active router would like to assign IP addresses, only when the active router down off, standby router take over and begin to assigns IP addresses

Incorrect. DHCP is not tied to HSRP by any means. If you have configured 2 DHCP servers in the network, both of them will be active. A host requesting an IP address uses the following steps:

The client, Host A, sends a DHCPDISCOVER broadcast message to locate a Cisco IOS DHCP Server. A DHCP Server offers configuration parameters (such as an IP address, a MAC address, a domain name, and a lease for the IP address) to the client in a DHCPOFFER unicast message.

http://www.cisco.com/en/US/i/000001-100000/30001-35000/32001-32500/32369.jpg

So if the DHCPDISCOVER message from a host first reaches the current HSRP standby router, it can still offer DHCP configuration parameters to the host regardless of its HSRP state.

luo_40201 Wed, 07/31/2013 - 21:00

The 2 routers are enabled for DHCP snooping, and the client interface is set as untrusted.

Route1 is active and route2 is in standby. Now most IPs are allocated by route2, but the snooping binding table is in route1. According to what you say, the table should be in route2.

What's the matter?

Alexey Stytsenko Wed, 07/31/2013 - 22:28

> According to what you say the table should be in route2.
>
> What's matter?

Indeed, I quote the official Cisco doc.

> but snooping binding table is in the route1

Snooping works based on intercepting DHCP messages, so I can suppose that DHCP messages from Route2 pass through Route1 so it can intercept them.


DHCP Snooping Binding Database

The DHCP snooping feature dynamically builds and maintains the database using information extracted from intercepted DHCP messages. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces.


The DHCP snooping feature updates the database when the switch receives specific DHCP messages. For example, the feature adds an entry to the database when the switch receives a DHCPACK message from the server. The feature removes the entry in the database when the IP address lease expires or the switch receives a DHCPRELEASE message from the host.
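
The binding-database rules quoted in the post above, modelled as an added example (not code from the thread or from Cisco). The `SnoopingSwitch` class, port names, VLAN number and MAC addresses are hypothetical, and the model covers only the add/remove rules quoted, so it shows why a switch that intercepts the DHCPACK holds the binding no matter which server issued the lease.

```python
from dataclasses import dataclass, field


@dataclass
class SnoopingSwitch:
    """Toy model of the quoted DHCP snooping binding rules (hypothetical class)."""
    snooping_vlans: set
    trusted_ports: set
    bindings: dict = field(default_factory=dict)  # client MAC -> entry

    def expire(self, now):
        """Remove entries whose lease has run out."""
        for mac in [m for m, b in self.bindings.items() if b["expires"] <= now]:
            del self.bindings[mac]

    def see(self, msg, port, vlan, now):
        """Process one intercepted DHCP message for the host attached to `port`."""
        self.expire(now)
        if vlan not in self.snooping_vlans or port in self.trusted_ports:
            return  # no entries for non-snooped VLANs or hosts on trusted ports
        if msg["type"] == "DHCPACK":
            # Entry is created from the ACK itself; the issuing server is irrelevant.
            self.bindings[msg["mac"]] = {"ip": msg["ip"], "vlan": vlan,
                                         "port": port,
                                         "expires": now + msg["lease"]}
        elif msg["type"] == "DHCPRELEASE":
            self.bindings.pop(msg["mac"], None)


def demo():
    """Constructed scenario: the client sits on route1's untrusted port Gi2/1,
    the lease is issued by route2, and the DHCPACK crosses route1."""
    route1 = SnoopingSwitch(snooping_vlans={10}, trusted_ports={"Po1"})
    ack = {"type": "DHCPACK", "mac": "00:11:22:33:44:55",
           "ip": "192.168.0.130", "lease": 3600, "server": "route2"}
    route1.see(ack, port="Gi2/1", vlan=10, now=0)
    after_ack = dict(route1.bindings)
    # A host reached through the trusted port-channel gets no entry.
    route1.see({**ack, "mac": "00:11:22:33:44:66"}, port="Po1", vlan=10, now=1)
    after_trusted = dict(route1.bindings)
    # DHCPRELEASE from the first host removes its entry.
    route1.see({"type": "DHCPRELEASE", "mac": "00:11:22:33:44:55"},
               port="Gi2/1", vlan=10, now=2)
    return after_ack, after_trusted, dict(route1.bindings)


if __name__ == "__main__":
    for snapshot in demo():
        print(snapshot)
```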

luo_40201 Wed, 07/31/2013 - 23:38

> Snooping works based on intercepting DHCP messages, so i can suppose that DHCP messages from Route2 pass through Route1 so it can intercept them.

How to avoid the pass-through?

I need IPs to be assigned by router1, and also the snooping binding table there.

IPs can be assigned only when router1 goes down.

luo_40201 Thu, 08/01/2013 - 01:57

Clients and DHCP servers are in the same VLAN, so I think it's not necessary to configure help-address.

But still thank you.

Are there any other solutions?

Correct Answer
Richard Burts Thu, 08/01/2013 - 04:29

There really are few other solutions. When both 4507 are configured with DHCP then both will be active. And when the client PC sends the DHCP request it is sent as a broadcast. So both 4507 will receive the request and both will respond. That is the nature of DHCP.


The only alternative solution that occurs to me is that perhaps you could create an applet using EEM. It would run on the standby 4507. It would check for the status of the primary 4507. If the primary is up then the applet removes the DHCP configuration on the standby. If the primary is not accessible then the applet creates the DHCP configuration on the standby. The big problem with the solution, besides the fact that it would be complicated to create it, is that when the standby started to process DHCP it would have no knowledge of the bindings issued by the primary. It would probably result in issuing IP addresses to clients that duplicate addresses in use that had been issued by the primary.


HTH


Rick

Correct Answer
Alexey Stytsenko Thu, 08/01/2013 - 05:33

> The big problem with the solution, besides the fact that it would be complicated to create it, is that when the standby started to process DHCP it would have no knowledge of the bindings issued by the primary. It would probably result in issuing IP addresses to clients that duplicate addresses in use that had been issued by the primary.


That can be fixed by dividing DHCP pools between switches. E.g. we have the 192.168.0.0/24 network, so we can divide this range in such a way that 4507-1 (normally active) will distribute addresses from 192.168.0.2 to 192.168.0.127 and 4507-2 will distribute addresses from 192.168.0.128 to 192.168.0.254.


BTW I suppose external DHCP + UDP Forwarding Support for IP Redundancy Virtual Router Groups is the most sufficient solution for this case.


Regards,
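
The failover argument in the two answers above, worked through as an added example (not code from the thread): a primary issues leases and fails, then a standby with no knowledge of those bindings serves new clients. The `DhcpServer` model, the client names and the lowest-free-address policy are assumptions, and the model ignores any conflict detection a real server may perform before offering an address.

```python
import ipaddress


class DhcpServer:
    """Minimal server model (hypothetical): leases the lowest free address in
    its own range and knows only the bindings it issued itself."""

    def __init__(self, first, last):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        self.pool = [ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)]
        self.bindings = {}  # client id -> leased address

    def lease(self, client):
        if client in self.bindings:
            return self.bindings[client]  # renew the existing lease
        used = set(self.bindings.values())
        addr = next((a for a in self.pool if a not in used), None)
        if addr is None:
            raise RuntimeError("pool exhausted")
        self.bindings[client] = addr
        return addr


def duplicates_after_failover(primary, standby, before=5, after=3):
    """Primary serves `before` clients, then fails while they keep their leases;
    standby serves `after` new clients. Returns addresses held by two clients."""
    in_use = {primary.lease(f"pc{i}") for i in range(before)}
    new = {standby.lease(f"new{i}") for i in range(after)}
    return sorted(str(a) for a in in_use & new)


def same_pool():
    # Original topology: identical range on both 4507s.
    return duplicates_after_failover(
        DhcpServer("192.168.0.2", "192.168.0.254"),
        DhcpServer("192.168.0.2", "192.168.0.254"))


def split_pool():
    # Ranges divided as proposed in the answer above.
    return duplicates_after_failover(
        DhcpServer("192.168.0.2", "192.168.0.127"),
        DhcpServer("192.168.0.128", "192.168.0.254"))


if __name__ == "__main__":
    print("same pool :", same_pool())
    print("split pool:", split_pool())
```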

Richard Burts Thu, 08/01/2013 - 19:04

While I agree with you that separate pools for DHCP on each 4507 is the realistic and workable solution, the original poster has been pretty insistent that he is looking for solutions based on his original topology of same pool on both 4507. I gave answers in the context of his question. If he is willing to consider other topologies then I certainly endorse the solution that you suggest.


HTH


Rick
