DHCP Helper or Relay Agent Configuration in Cisco IOS

While working, I come across many networks where the DHCP server is configured in a machine which is located in a remote location, and from there clients in different locations (geographically) and different IP network, are getting their DHCP assigned addresses. This is done by using something called DHCP helper or relay agent.

How DHCP relay agent works - DHCP messages are broadcast messages. They can not cross the boundary of a single IP network (broadcast domain). What the DHCP helper does - it converts the broadcast messages into unicast messages and forwards them to the remote DHCP server. When DHCP packets are going through different IP networks as unicast packets, we need only IP reachablity through routing only. For further reading - Understanding DHCP Relay Agents

Now let's introduce our network first -

DHCP relay agent network
Here the PC will get it's IP address from the DHCP server. But DHCP client and server are located in different networks. The PC is located at 192.168.10.0/24 and DHCP server is located at 192.168.30.0/24 network. The relay agent responsibilities lies on the router named R01 which is located at the same IP network as the PC. A complete IP reachablity is configured by the means of static routing. A complete configuration of the setup is available for download at the end of the article.

DHCP pool configuration

Let's define our DHCP server pool and it's related parameters in the DHCP router. The configuration commands are -

DHCP#
service dhcp --Enables DHCP server service
ip dhcp excluded-address 192.168.10.1 192.168.10.100
!
ip dhcp pool pool-192.168.10.0/24
 network 192.168.10.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4
 default-router 192.168.10.1
 domain-name family.local 
 lease 0 8 0 --DHCP release time is 8 hours
!

Our dhcp-pool is named pool-192.168.10.0/24. It is assigning addresses for 192.168.10.0/24 network. It is also giving default gateway and dns server information to the clients. Also the first 100 addresses is excluded from the pool.

DHCP helper configuration

Our DHCP helper is the R01 router. It has only one configuration command to work as a DHCP helper and it is applied on the client facing interface gi0/0.

R01#
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.30.3

 Verification and troubleshooting

We will debug from both R01 and DHCP server. We will enable DHCP debugging by using the following command -

debug ip dhcp server packet

The PC is requesting an IP address using DHCP. If we go to R01, we will see the following debug output (output truncated) -

R01#
*May  8 12:23:54.216: DHCPD: Finding a relay for client 0100.5079.6668.06 on interface GigabitEthernet0/0.
*May  8 12:23:54.217: DHCPD: setting giaddr to 192.168.10.1.
*May  8 12:23:54.218: DHCPD: BOOTREQUEST from 0100.5079.6668.06 forwarded to 192.168.30.3.
*May  8 12:23:54.291: DHCPD: forwarding BOOTREPLY to client 0050.7966.6806.
*May  8 12:23:54.291: DHCPD: unicasting BOOTREPLY to client 0050.7966.6806 (192.168.10.101).

We can see from above output that DHCP requests are going towards DHCP server (192.168.30.3) from R01 (192.168.10.1) and packets are sent as unicast.

Now we look at the debug output from DHCP server (output truncated) -

DHCP#
*May  8 12:28:42.729: DHCPD: DHCPDISCOVER received from client 0100.5079.6668.06 through relay 192.168.10.1.
*May  8 12:28:44.732: DHCPD: Sending DHCPOFFER to client 0100.5079.6668.06 (192.168.10.101).
*May  8 12:28:44.733: DHCPD: unicasting BOOTREPLY for client 0050.7966.6806 to relay 192.168.10.1.
*May  8 12:28:46.717: DHCPD: DHCPREQUEST received from client 0100.5079.6668.06.
*May  8 12:28:46.717: DHCPD: Sending DHCPACK to client 0100.5079.6668.06 (192.168.10.101).DHCPD: Setting only requested parameters
*May  8 12:28:46.718: DHCPD: unicasting BOOTREPLY for client 0050.7966.6806 to relay 192.168.10.1.

Again we can see that DHCP server (192.168.30.3) is replaying back to R01 (192.168.10.1) and packets are sent as unicast.

At the end the client with mac address 0050.7966.6806 is assigned IP address 192.168.10.101.

We can also use the following commands to verify the DHCP server operation.

To display the current DHCP bindings -

DHCP#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
192.168.10.101      0100.5079.6668.06       May 09 2018 12:28 PM    Automatic

To view information about the configured DHCP pools -

DHCP#sh ip dhcp pool

 Pool pool-192.168.10.0/24 :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 254
 Leased addresses               : 1
 Pending event                  : none
 1 subnet is currently in the pool :
 Current index        IP address range                    Leased addresses
 192.168.10.102       192.168.10.1     - 192.168.10.254    1

To view the packet statistics of DHCP server -

DHCP#sh ip dhcp server statistics
Memory usage         81488
Address pools        1
Database agents      0
Automatic bindings   1
Manual bindings      0
Expired bindings     0
Malformed messages   0
Secure arp entries   0

 Message              Received
BOOTREQUEST          0
DHCPDISCOVER         17
DHCPREQUEST          10
DHCPDECLINE          0
DHCPRELEASE          7
DHCPINFORM           0

 Message              Sent
BOOTREPLY            0
DHCPOFFER            10
DHCPACK              10
DHCPNAK              0


So, this is in simple terms how DHCP helper or relay agent works.

The final configuration files can be downloaded from link - Configuration Download

For further reading, please look at -


Location: Sundsvall, Sweden

Comments

Post a Comment

Popular posts from this blog

Fortigate firewall AAA Configuration for management with TACACS+ protocol and Cisco ISE

Image
In this blog I will write about how to implement AAA services in Fortigate firewalls using Cisco ISE as an authentication server with TACACS+ protocol. First good to know our limitations. AAA means - Authentication (supported by ISE TACACS+), Authorization (partially supported by ISE TACACS+; Fortigate implements Admin-Profiles; so what a user can/cannot do is defined locally in the firewall with "Admin Profiles"; ISE just instructs the firewall to allocate one of those profiles), Accounting (not supported; instead configure syslog to get accounting data, Fortigate firewalls generate syslog messages for configuration changes made by a user). Let's jump to our configuration. Our topology is very simple; one Fortigate firewall and Cisco ISE server connected with the same management network which looks like below -  01 - Network Topology We have a management network 192.168.199.0/24. The firewall is at  .230  and Cisco ISE is at  .49  IP address. We are running the lates
Read more

Stacking switches Part - VI (Dell OS10 VLT - Virtual Link Trunking)

Image
In this blog I will configure MLAG (multi chassis link aggregation) for Dell OS10 switches. As every other vendor choses a fancy name of their implementation of MLAG; Dell is no exception to this. Dell calls their implementation VLT - Virtual Link Trunking . Let's look at our network topology - Two Dell OS10 switches will run peering between them and will run VLT/MLAG between them. Two Debian 10 linux machine will be connected with LACP bonding with both switches. They will simulate the client connection. Our topology looks like below - 01 - Dell OS10 VLT Topology Let's look at some terminology before configuration - VLT peer – The two switches participating in VLT are peer to each other. In a VLT domain a maximum of two switches are allowed. VLT interconnect (VLTi) – VLTi synchronizes state information between VLT peers. It synchronizes layer 2 and layer 3 control-plane information. These state/control-plane information includes MAC table, ARP table, IPv6 neighbors etc. VLT
Read more

Arista EOS AAA configuration for management with TACACS+ protocol and Cisco ISE (Part I)

Image
Today I will write about AAA configuration (SSH authentication, authorization and accounting) for Arista EOS switches with Cisco ISE as authentication server and AAA protocol will be TACACS . Our topology is very simple. One Arista switch and One Cisco ISE server is running on the same network. Our topology looks like below - 01 - Network Topology We have a management network 192.168.199.0/24. The switch is at .134 and Cisco ISE is at .49 IP address. We are running the latest version of ISE - version 3.0. Let's define our AAA requirements - Arista switches comes with two pre defined user roles - "network-admin" and "network-operator" . We will use those two roles. Every user after successful authentication from tacacs server (ISE), will be authorized as either "network-admin" or "network-operator" role. In turn these two roles will determine read-write or read-only access to the switch. N ote: With TACACS, we can also do individual cl
Read more