DHCP Relay

DHCP Relay Policy

Typically, when your DHCP server is located under an EPG, all the endpoints in that EPG have access to it and can obtain the IP addresses via DHCP. However, in many deployment scenarios, the DHCP server may not exist in the same EPG, BD, or VRF as all the clients that require it. In these cases a DHCP relay can be configured to allow endpoints in one EPG to obtain IP addresses via DHCP from a server that is located in another EPG/BD deployed in a different site or even connected externally to the fabric and reachable via an L3Out connection.

You can create the DHCP Relay policy in the Orchestrator GUI to configure the relay. Additionally, you can choose to create a DHCP Option policy to configure additional options you can use with the relay policy to provide specific configuration details. For all available DHCP options refer to RFC 2132.

When creating a DHCP relay policy, you specify an EPG (for example, epg1) or external EPG (for example, ext-epg1) where the DHCP server resides. After you create the DHCP policy, you associate it with a bridge domain, which in turn is associated with another EPG (for example, epg2) allowing the endpoints in that EPG to reach the DHCP server. Finally, you create a contract between the relay EPG (epg1 or ext-epg1) and application EPG (epg2) to allow communication. The DHCP policies you create are pushed to the APIC when the bridge domain to which the policy is associated is deployed to a site.

Guidelines and Limitations

The DHCP relay policies are supported with the following caveats:
  • Multi-Site Orchestrator, Release 3.1(1h) supports assigning multiple DHCP policies to a Bridge Domain (BD).

    Release 3.1(1g) and earlier support only a single DHCP policy per BD.


    Note


    If you assign multiple DHCP policies in Release 3.1(1h) and then downgrade to a release that supports only a single policy, the first policy in the list will be used and any additional policies will be removed from the BD.


  • DHCP relay policies are supported for fabrics running Cisco APIC Release 4.2(1) or later.

  • The DHCP servers must support DHCP Relay Agent Information Option (Option 82).

    When an ACI fabric acts as a DHCP relay, it inserts the DHCP Relay Agent Information Option in DHCP requests that it proxies on behalf of clients. If a response (DHCP offer) comes back from a DHCP server without Option 82, it is silently dropped by the fabric.

  • DHCP relay policies are supported in user tenants or the common tenant only. DHCP policies are not supported for the infra or mgmt tenants.

    When configuring shared resources and services in the ACI fabric, we recommend creating those resources in the common tenant so that they can be used by any user tenant.

  • DHCP relay server must be in the same user tenant as the DHCP clients or in the common tenant.

    The server and the clients cannot be in different user tenants.

  • DHCP relay policies can be configured for the primary SVI interface only.

    If the bridge domain to which you assign a relay policy contains multiple subnets, the first subnet you add becomes the primary IP address on the SVI interface, while additional subnets are configured as secondary IP addresses. In certain scenarios, such as importing a configuration with a bridge domain with multiple subnets, the primary address on the SVI may change to one of the secondary addresses, which would break the DHCP relay for that bridge domain.

    You can use the show ip interface vrf all command to verify IP address assignments for the SVI interfaces.

  • If you make changes to the DHCP policy after you have assigned it to a bridge domain and deployed the bridge domain to one or more sites, you will need to re-deploy the bridge domain for the DHCP policy changes to be updated on each site's APIC.

  • For inter-VRF DHCP relay with the DHCP server reachable via an L3Out, DHCP relay packets must use a site-local L3Out to reach the DHCP server. Using an L3Out in a different site (Intersite L3Out) to reach the DHCP server is not supported.

  • The following DHCP relay configurations are not supported:

    • DHCP relay label on L3Out interfaces.

    • Importing existing DHCP policies from APIC.

    • DHCP relay policy configuration in Global Fabric Access Policies.

    • Multiple DHCP servers within the same DHCP relay policy and EPG.

      If you configure multiple providers under the same DHCP relay policy, they must be in different EPGs or external EPGs.
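
To check a DHCP server against the Option 82 guideline above, inspect a captured server reply. The following Python sketch is an added example, not part of the original documentation: it walks the options field of a DHCP payload (RFC 2131/2132 layout) and reports whether the Relay Agent Information Option is present, which is the condition under which the page says the fabric keeps or drops the reply. The function names and the sample packets are constructed for illustration.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131 marker that precedes the options
BOOTP_FIXED_LEN = 236               # fixed BOOTP header that precedes the cookie
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END = 0, 53, 82, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_options(payload: bytes) -> dict:
    """Walk code/length/data options into {code: data}; repeated codes are joined."""
    i = BOOTP_FIXED_LEN + 4
    if payload[BOOTP_FIXED_LEN:i] != MAGIC_COOKIE:
        raise ValueError("truncated message or missing DHCP magic cookie")
    options = {}
    while i < len(payload) and payload[i] != OPT_END:
        code = payload[i]
        if code == OPT_PAD:          # pad is a single byte with no length field
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError(f"option {code} overruns the packet")
        length = payload[i + 1]
        options[code] = options.get(code, b"") + payload[i + 2:i + 2 + length]
        i += 2 + length
    return options


def check_server_reply(payload: bytes) -> str:
    """Report whether a server reply carries Option 82 back to the relay."""
    opts = parse_options(payload)
    kind = MSG_TYPES.get((opts.get(OPT_MSG_TYPE) or b"\x00")[0], "UNKNOWN")
    if payload[0] != 2:              # op 2 = BOOTREPLY (server to client)
        return f"{kind}: not a server reply"
    if OPT_RELAY_INFO not in opts:
        return f"{kind}: Option 82 missing"
    return f"{kind}: Option 82 echoed ({len(opts[OPT_RELAY_INFO])} bytes)"


def build_reply(options: bytes) -> bytes:
    """Constructed sample: a BOOTREPLY carrying the given raw options."""
    header = bytes([2, 1, 6, 1]) + bytes(BOOTP_FIXED_LEN - 4)
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


# Constructed samples: an OFFER with Option 82 (sub-option 1, circuit ID) and without.
OFFER_WITH_82 = build_reply(b"\x35\x01\x02" + b"\x52\x06\x01\x04test")
OFFER_WITHOUT_82 = build_reply(b"\x35\x01\x02")

if __name__ == "__main__":
    for sample in (OFFER_WITH_82, OFFER_WITHOUT_82):
        print(check_server_reply(sample))
```

Feed `check_server_reply` the UDP payload of a reply captured on the server side of the relay; a result of "Option 82 missing" points at the server configuration rather than the fabric.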

Creating DHCP Relay Policies

This section describes how to create a DHCP relay policy.


Note


If you make changes to the DHCP policy after you have assigned it to a bridge domain and deployed the bridge domain to one or more sites, you will need to re-deploy the bridge domain for the DHCP policy changes to update on each site's APIC.


Before you begin

You must have the following:
  • A DHCP server set up and configured in your environment.

  • If the DHCP server is part of an application EPG, that EPG must be already created in the Multi-Site Orchestrator.

  • If the DHCP server is external to the fabric, the external EPG associated to the L3Out that is used to access the DHCP server must be already created.

Procedure


Step 1

Log in to your Multi-Site Orchestrator GUI.

Step 2

From the left navigation menu, select Application Management > Policies.

Step 3

In the top right of the main pane, select Add Policy > Creating DHCP Policy.

This opens an Add DHCP configuration screen.

Step 4

In the Name field, specify the name for the policy.

Step 5

From the Select Tenant dropdown, select the tenant that contains the DHCP server.

Step 6

(Optional) In the Description field, provide a description for the policy.

Step 7

Select Relay for the Type.

Step 8

Click +Provider.

Step 9

Select the provider type.

When adding a relay policy, you can choose one of the following two types:

  • Application EPG—specifies a specific application EPG that includes the DHCP server you are adding as an endpoint.

  • L3 External Network—specifies the External EPG associated to the L3Out that is used to access the DHCP server.

Note

 

You can select any EPG or external EPG that has been created in the Orchestrator and assigned to the tenant you specified, even if you have not yet deployed it to sites. If you select an EPG that hasn't been deployed, you can still complete the DHCP relay configuration, but you will need to deploy the EPG before the relay is available for use.

Step 10

From the dropdown menu, pick the EPG or external EPG.

Step 11

In the DHCP Server Address field, provide the IP address of the DHCP server.

Step 12

Click Save to add the provider.

Step 13

(Optional) Add any additional providers.

Repeat steps 9 through 12 for each additional DHCP server.

Step 14

Click Save to save the DHCP relay policy.


Creating DHCP Option Policies

This section describes how to create a DHCP option policy. DHCP options are appended to the end of the messages that DHCP servers and clients exchange and can be used to provide additional configuration information to your DHCP server. Each DHCP option has a specific code that you must provide when adding the option policy. For a complete list of DHCP options and codes, see RFC 2132.

Before you begin

You must have the following already configured:
  • A DHCP server set up and configured in your environment.

  • An EPG that contains the DHCP server already created in the Multi-Site Orchestrator.

  • A DHCP Relay policy created, as described in Creating DHCP Relay Policies.

Procedure


Step 1

Log in to your Multi-Site Orchestrator GUI.

Step 2

From the left navigation menu, select Application Management > Policies.

Step 3

In the top right of the main pane, select Add Policy > Creating DHCP Policy.

This opens an Add DHCP configuration screen.

Step 4

In the Name field, specify the name for the policy.

This is a name for the policy you're creating, not a specific DHCP option name. Each policy can contain multiple DHCP options.

Step 5

From the Select Tenant dropdown, select the tenant that contains the DHCP server.

Step 6

(Optional) In the Description field, provide a description for the policy.

Step 7

Select Option for the Type.

Step 8

Click +Option.

Step 9

Specify a name for the option.

While not technically required, we recommend using the same name for the option as listed in RFC 2132.

For example, Name Server.

Step 10

Specify an ID for the option.

You must provide the option code as listed in RFC 2132.

For example, 5 for Name Server option.

Step 11

Specify the option's data.

Provide the value if the option requires one.

For example, a list of name servers available to the client for the Name Server option.

Step 12

Click the check mark next to the Data field to save the option.

Step 13

(Optional) Repeat the steps to add any additional options.

Step 14

Click Save to save the DHCP option policy.


Assigning DHCP Policies

This section describes how to assign a DHCP policy to a bridge domain.


Note


If you make changes to the DHCP policy after you have assigned it to a bridge domain and deployed the bridge domain to one or more sites, you will need to re-deploy the bridge domain for the DHCP policy changes to be updated on each site's APIC.


Before you begin

You must have the following already configured:

Procedure


Step 1

Log in to your Multi-Site Orchestrator GUI.

Step 2

From the left navigation menu, select Application Management > Schemas.

Step 3

Select the schema where the bridge domain is defined.

Step 4

Select the template where the bridge domain is defined.

Step 5

Scroll down to the Bridge Domain area and select the bridge domain.

Step 6

Add a DHCP policy.

If you are using Release 3.1(1h) or later, you can assign multiple DHCP policies:

Note

 

If you assign multiple DHCP labels to a bridge domain and then downgrade your MSO to an earlier release which does not support this feature, the bridge domain will retain only the first label from the list of DHCP labels for that BD.

Then when you first re-deploy the template after the downgrade, only the first label will remain deployed and MSO will delete all additional DHCP labels from the BD. In this case, the Deploy Template screen will indicate only a single change to the dhcpLabel field without explicitly listing every previously-existing label that would be removed.

  1. In the right sidebar, scroll down and click + Add DHCP Policy.

  2. In the Add DHCP Policy window, select the DHCP policy you want to assign to this BD.

  3. (Optional) From the DHCP Option Policy dropdown, select the option policy.

    A DHCP option policy provides additional options to be passed to the DHCP relay. For additional details see Creating DHCP Option Policies.

  4. Repeat these substeps if you want to add multiple DHCP policies.

If you are using an earlier release, you can assign only a single DHCP policy:

  1. In the right sidebar, scroll down and check the DHCP Policy option checkbox.

  2. From the DHCP Relay Policy dropdown, select the DHCP policy you want to assign to this BD.

  3. (Optional) From the DHCP Option Policy dropdown, select the option policy.

    A DHCP option policy provides additional options to be passed to the DHCP relay. For additional details see Creating DHCP Option Policies.

Step 7

Assign the bridge domain to any EPG that needs access to the DHCP server via the relay.


Creating DHCP Relay Contract

DHCP packets are not filtered by contracts, but contracts are required in many cases to propagate routing information within the VRF and across VRFs. Even though the DHCP packets are not filtered, it is recommended to configure contracts between the client EPG and the EPG configured as the provider in the DHCP relay policy.

This section describes how to create a contract between the EPG that contains the DHCP server and the EPG that contains endpoints that need to use the relay. Even though you have already created and assigned the DHCP policy to the bridge domain and the bridge domain to the clients' EPG, you must create and assign the contract to enable programming of routes to allow client-to-server communication.

Before you begin

You must have the following already configured:

Procedure


Step 1

Log in to your Multi-Site Orchestrator GUI.

Step 2

From the left navigation menu, select Schemas.

Step 3

Select the schema where you want to create the contract.

Step 4

Create a contract.

DHCP packets are not filtered by the contract so no specific filter is required, but a valid contract should be created and assigned to ensure proper BD and routes deployment.

  1. Scroll down to the Contracts area and click + to create a contract.

  2. In the right sidebar, provide the Display Name for the contract.

  3. From the Scope dropdown, select the appropriate scope.

    Because the DHCP server EPG and application EPG must be in the same tenant, you can select one of the following:

    • vrf, if both EPGs are in the same VRF

    • tenant, if the EPGs are in different VRFs

  4. You can leave the Apply Both Directions knob on.

Step 5

Assign the contract to the DHCP relay EPG.

  1. Browse to the template where the EPG is located.

  2. Select the EPG or external EPG where the DHCP server resides.

    This is the same EPG you selected when creating the DHCP relay policy.

  3. In the right sidebar, click +Contract.

  4. Select the contract you created and provider for its type.

Step 6

Assign the contract to the application EPG whose endpoints require DHCP relay access.

  1. Browse to the template where the application EPG is located.

  2. Select the application EPG.

  3. In the right sidebar, click +Contract.

  4. Select the contract you created and consumer for its type.


Verifying DHCP Relay Policies in APIC

This section describes how to verify that the DHCP relay policies you have created and deployed using the Multi-Site Orchestrator are correctly pushed to each site's APIC. The DHCP policies you create are pushed to the APIC when the bridge domain to which the policy is associated is deployed to a site.

Procedure


Step 1

Log in to the site's APIC GUI.

Step 2

From the top navigation bar, select Tenants > <tenant-name>.

Select the tenant where you deployed the DHCP policy.

Step 3

Verify that the DHCP relay policy is configured in APIC.

In the left tree view, navigate to <tenant-name> > Policies > Protocol > DHCP > Relay Policies. Then confirm that the DHCP relay policy you configured has been created.

Step 4

Verify that the DHCP option policy is configured in APIC.

If you have not configured any DHCP option policies, you can skip this step.

In the left tree view, navigate to <tenant-name> > Policies > Protocol > DHCP > Option Policies. Then confirm that the DHCP option policy you configured has been created.

Step 5

Verify that the DHCP policy is correctly associated with the bridge domain.

In the left tree view, navigate to <tenant-name> > Networking > Bridge Domains > <bridge-domain-name> > DHCP Relay Labels. Verify that the DHCP policy is also associated with the deployed bridge domain.


Editing or Deleting Existing DHCP Policies

This section describes how to edit or delete a DHCP relay or option policy.


Note


  • If you make changes to the DHCP policy after you have assigned it to a bridge domain and deployed the bridge domain to one or more sites, you will need to re-deploy it for the DHCP policy changes to update on each site's APIC.

  • You cannot delete policies that are associated with one or more bridge domains; you must first unassign the policy from every bridge domain.


Procedure


Step 1

Log in to your Multi-Site Orchestrator GUI.

Step 2

From the left navigation menu, select Policies.

Step 3

Click the actions menu next to the DHCP policy and select Edit or Delete.