Solved: DHCP on local subnet does not work in NX-OS switches environment

Andreas Reimann · ‎12-20-2023

In a NX-OS VPC environment with SVI on the Distribution Switches it's not possible to get a DHCP Client DISCOVER (L2 Broadcast / L3 Broadcast) through the SVI nodes. According to Differences between DHCP relay on the Nexus7000/NXOS and IP Helper on the 6500/IoS - Cisco Community the SVI intercept the IP Broadcast and packet is not L2 forwarded to the access switch where the DHCP server resides. All variants without relay at all or relay to DHCP server address, directed broadcast address, ip broadcast fails. DHCP server is masked to act only to Destination IP's 255.255.255.255 and SVI will send DISCOVER as unicast to 10.99.99.225.

Any ideas how to get it work, ie. die Client broadcast is forwarded in the broadcastdomain even SVI is present?

Andreas Reimann · ‎12-26-2023

Hi MHM

Yes, of course both VPC peers SVI is configured in symmetrical fashion. But i think we can stop in investigating here. Having a closer look at the sniffer ttrace it seems a misbehavior of the DHCP Server. Two packets in green 3ms after the ICMP unreachable shows a proper DHCPOFFER relay to the local IP Broadcast Address

View solution in original post

Andreas Reimann · ‎03-14-2024

As we are within a subnet, each edge switch uses it's own Hash to select an uplink. That means, as long we do not have orphan ports L2 packets are switches on left or right VPC peer, never using VPC Peer link. So your drawing should also show green lines passing through left VPC Peer.
Anyway, my conclusion is as stated above, not the network infrastructure is a problem even dGW with helper is intercepting the broadcast traffic by default.
The problem is on this go-via appliance which is not accepting unicast traffic but broadcast only.

View solution in original post

MHM Cisco World · ‎12-20-2023

Can you try put server in different subnet and use ip helper.

MHM

Andreas Reimann · ‎12-20-2023

Nice try. The DHCP server is something special. GitHub - maxiepax/go-via: go-via is a deployment tool for imaging and customising VMware ESXi Hypervisors.

And a trace we made on the server shows that if Source is an unicast IP it's replyed with ICMP Port unreachable. If DISCOVER arrives as 255.255.255.255 it is answered with OFFER.

MHM Cisco World · ‎12-20-2023

Are the PO of SW that client and Server connect to UP pending?

Did you add

Feature dhcp

Ip dhcp relay

ip dhcp relay sub-option type cisco

No ip dhcp relay information option vpn

Do above and check again

MHM

Andreas Reimann · ‎12-20-2023

These are the options i have running NX-OS 8.2(4)
ip dhcp relay ?
address Configure DHCP server to refer to
information Relay agent information option
source-address Configure source address for DHCPv4 relay
source-interface Configure source interface for DHCP relay
subnet-broadcast Configure DHCP relay subnet-broadcast on interface

MHM Cisco World · ‎12-25-2023

Sorry to continue or not' did you solve this issue?

Thanks

MHM

Andreas Reimann · ‎12-26-2023

No solution found yet

MHM Cisco World · ‎12-26-2023

Ok' let start

Did you config SVI for client and for DHCP server in both NSK?

Can you share the config

Thanks

MHM

Andreas Reimann · ‎12-26-2023

Hi MHM

Yes, of course both VPC peers SVI is configured in symmetrical fashion. But i think we can stop in investigating here. Having a closer look at the sniffer ttrace it seems a misbehavior of the DHCP Server. Two packets in green 3ms after the ICMP unreachable shows a proper DHCPOFFER relay to the local IP Broadcast Address

MHM Cisco World · ‎12-27-2023

for me it not clear to me the solution, if you want to
I need to know the GW of DHCP server point to HSRP or VLAN IP ?
MHM

Andreas Reimann · ‎12-27-2023

All statically configured endpoints are using HSRP as their dGW

interface Vlan99
no shutdown
vrf member TEST
no ip redirects
ip address 10.99.99.253/24
no ipv6 redirects
no ip arp gratuitous hsrp duplicate
hsrp version 2
hsrp 1
ip 10.99.99.254

MHM Cisco World · ‎12-27-2023

Andreas Reimann · ‎03-14-2024

As we are within a subnet, each edge switch uses it's own Hash to select an uplink. That means, as long we do not have orphan ports L2 packets are switches on left or right VPC peer, never using VPC Peer link. So your drawing should also show green lines passing through left VPC Peer.
Anyway, my conclusion is as stated above, not the network infrastructure is a problem even dGW with helper is intercepting the broadcast traffic by default.
The problem is on this go-via appliance which is not accepting unicast traffic but broadcast only.

MHM Cisco World · ‎03-14-2024

I have now 9K in lab I will do more test and update you

MHM

MHM Cisco World · ‎03-18-2024

the lab is work the relay is work as I config, test many times

MHM