Implementing DHCP Relay Agent
Understanding DHCP
This topic provides an overview of DHCP-related components.
DHCP Relay Agent
A DHCP relay agent is a host that forwards DHCP packets between clients and servers that do not reside on a shared physical subnet. Relay agent forwarding is distinct from the normal forwarding of an IP router where IP datagrams are switched between networks transparently.
DHCP clients use User Datagram Protocol (UDP) broadcasts to send DHCPDISCOVER messages when they lack information about the network to which they belong.
If a client is on a network segment that does not include a server, a relay agent is needed on that network segment to ensure that DHCP packets reach the servers on another network segment. UDP broadcast packets are not forwarded, because most routers are not configured to forward broadcast traffic. You can configure a DHCP relay agent to forward DHCP packets to a remote server by configuring a DHCP relay profile with one or more helper addresses in it. You can assign the profile to an interface or a VRF.
The figure below demonstrates the process. The DHCP client broadcasts a request for an IP address and additional configuration parameters on its local LAN. Acting as a DHCP relay agent, Router B picks up the broadcast, changes the destination address to the DHCP server's address, and sends the message out on another interface. The relay agent inserts the IP address of the interface on which the DHCP client’s packets are received into the gateway address (giaddr) field of the DHCP packet, which enables the DHCP server to determine which subnet should receive the offer and identify the appropriate IP address range. The relay agent unicasts the messages to the server address, in this case 172.16.1.2 (which is specified by the helper address in the relay profile).
DHCPv4 Server
The DHCP server accepts address assignment requests and renewals and assigns the IP addresses from predefined groups of addresses contained within Distributed Address Pools (DAPS). The DHCP server can also be configured to supply additional information to the requesting client, such as the subnet mask, the domain name, the IP address of the DNS server, the default router, and other configuration parameters. The DHCP server can accept broadcasts from locally attached LAN segments or DHCP requests that have been forwarded by other DHCP relay agents within the network.
DHCPv4 Client
The DHCP client functionality enables the router interfaces to dynamically acquire the IPv4 address using DHCP.
DHCP consists of two components:
- a protocol to deliver host-specific configuration parameters from a DHCP server to a host.
- a mechanism to allocate network addresses to hosts.
DHCP is built on a client-server model, where designated DHCP server hosts allocate network addresses, and deliver configuration parameters to dynamically configured hosts.
A relay agent is required if the client and server are not on the same Layer 2 network. The relay agent usually runs on the router, and is required because the client device does not know its own IP address initially. The agent sends out a Layer 2 broadcast to find a server that has this information. The router relays these broadcasts to the DHCP server, and forwards the responses back to the correct Layer 2 address so that the correct device gets the correct configuration information.
DHCP can allocate IP addresses for only a configurable period of time, called the lease period. If the client is required to retain this IP address beyond the lease period, the lease must be renewed before the IP address expires. The client renews the lease based on configuration that was sent from the server. The client unicasts a REQUEST message using the IP address of the server. When a server receives the REQUEST message, it responds with an ACK message. The lease period of the client is extended by the lease time configured in the ACK message.
Restrictions
- DHCP client can be enabled only on management interfaces.
- Either DHCP or static IP can be configured on an interface.
DHCP IPv4 Service-based Mode Selection
As part of the DHCP IPv4 service-based mode selection feature, a new mode called DHCP base is introduced. If an interface is configured in the DHCP base mode, DHCP selects the DHCP server mode to process the client request by matching the option 60 (class-identifier) value of the client request against the value configured under the DHCP base profile.
For example:
dhcp ipv4
profile DHCP_BASE base
match option 60 41424355 profile DHCP_SERVER server
default profile DEFAULT_PROFILE server
relay information authenticate inserted
!
profile DHCP_relay relay
helper-address vrf default 10.10.10.1 giaddr 0.0.0.0
!
profile DHCP_SERVER server
lease 1 0 0
pool IP_POOL
!
profile DEFAULT_PROFILE server
lease 1 0 0
pool IP_POOL
!
!
interface gigabitEthernet 0/0/0/0 base profile DHCP_BASE
The pool is configured under server-profile-mode and server-profile-class-sub-mode. The class-based pool selection is always given priority over profile pool selection. The DHCPv4 server profile class sub-mode supports configuring DHCP options, except for a few (0, 12, 50, 52, 53, 54, 58, 59, 61, 82, and 255).
Configuring and Enabling DHCP Relay Agent with DHCP MAC Address Verification
This section discusses how to configure and enable DHCP Relay Agent with DHCP MAC address verification.
Configuration Example
Router# configure
Router(config)# dhcp ipv4
/* Configures DHCP for IPv4 and enters the DHCPv4 configuration submode. */
Router(config-dhcpv4)# profile client relay
/* Enables DHCP relay profile */
Router(config-dhcpv4-relay-profile)# client-mac-mismatch action drop
/* Enables MAC address verification. If MAC address in the DHCPv4 protocol header does not match the L2 header source MAC address in the DHCPv4 relay profile,
the frame is dropped */
Router(config-dhcpv4-relay-profile)# relay information option
/* Inserts the DHCP relay agent information option (option-82 field) in forwarded
BOOTREQUEST messages to a DHCP server. */
Router(config-dhcpv4-relay-profile)# relay information check
/* (Optional) Configures DHCP to check the validity of the relay agent information
option in forwarded BOOTREPLY messages. */
Router(config-dhcpv4-relay-profile)# relay information policy drop
/* (Optional) Configures the reforwarding policy for a DHCP relay agent;
that is, whether the relay agent will drop or keep (using the 'keep' keyword)
the relay information. */
Router(config-dhcpv4-relay-profile)# relay information option allow-untrusted
/* (Optional) Configures the DHCP IPv4 Relay not to discard BOOTREQUEST packets that have an existing
relay information option and the giaddr set to zero. */
Router(config-dhcpv4-relay-profile)# giaddr policy drop
/* Drops the packet that has an existing nonzero giaddr value. Use the 'replace' keyword
to replace the existing giaddr value with a value that it generates (the default behavior). */
Router(config-dhcpv4-relay-profile)# helper-address vrf vrf1 10.1.1.1
/* Forwards UDP broadcasts, including DHCP. */
Router(config-dhcpv4-relay-profile)# commit
Router(config-dhcpv4-relay-profile)# exit
Router(config-dhcpv4)# vrf vrf1 relay profile client
Router(config-dhcpv4)# commit
/* Configures DHCP Relay on a VRF and commits the entire configuration. */
Running Configuration
Confirm your configuration.
Router# show run
Thu May 11 09:00:57.839 IST
Building configuration...
!! IOS XR Configuration 0.0.0
!! Last configuration change at Thu May 11 09:00:54 2017 by annseque
!
dhcp ipv4
vrf vrf1 relay profile client
profile client relay
client-mac-mismatch action drop
helper-address vrf vrf1 10.1.1.1
giaddr policy drop
relay information check
relay information option
relay information policy drop
relay information option allow-untrusted
!
!
DHCP MAC Address Verification
Use the following show command to check if DHCP MAC address is being verified on the router.
Router# show dhcp ipv4 relay statistics raw all
packet_drop_mac_mismatch : 0
The output validates that the DHCP MAC address of the packets is verified.
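The checks that this relay profile enables can be modelled on raw packets. The following Python model is an added example, not Cisco code: it applies MAC address verification, giaddr policy drop, and the default handling of an existing option 82 to constructed BOOTREQUEST packets, then sets giaddr as described earlier. The function names, verdict labels, order of checks, and sample addresses are assumptions made for illustration.

```python
import ipaddress
import struct

MAGIC = bytes([99, 130, 83, 99])   # DHCP magic cookie after the 236-byte BOOTP header
ZERO = bytes(4)

def has_option(options: bytes, code: int) -> bool:
    """Walk the DHCP options field (tag, length, value) looking for one tag."""
    i = 0
    while i < len(options) and options[i] != 255:    # 255 = end option
        if options[i] == 0:                          # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(options):
            break                                    # truncated option
        if options[i] == code:
            return True
        i += 2 + options[i + 1]
    return False

def relay_bootrequest(l2_src_mac: bytes, pkt: bytes, ingress_ip: str,
                      allow_untrusted: bool = False):
    """Return (verdict, packet to unicast to the helper address, or None)."""
    if len(pkt) < 240 or pkt[0] != 1 or pkt[2] > 16 or pkt[236:240] != MAGIC:
        return "drop_malformed", None
    # client-mac-mismatch action drop: chaddr must equal the L2 source MAC.
    if pkt[28:28 + pkt[2]] != l2_src_mac:
        return "drop_mac_mismatch", None
    # giaddr policy drop: an existing nonzero giaddr is not accepted.
    if pkt[24:28] != ZERO:
        return "drop_giaddr", None
    # Existing option 82 with giaddr zero is discarded unless allow-untrusted.
    if has_option(pkt[240:], 82) and not allow_untrusted:
        return "drop_untrusted_option82", None
    out = bytearray(pkt)
    out[3] = min(pkt[3] + 1, 255)                           # hops
    out[24:28] = ipaddress.IPv4Address(ingress_ip).packed   # giaddr = ingress interface
    return "forward", bytes(out)

def make_discover(chaddr: bytes, giaddr: str = "0.0.0.0",
                  extra_options: bytes = b"") -> bytes:
    """Constructed DHCPDISCOVER for the demo (not a capture)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, len(chaddr), 0,
                      0x1234, 0, 0x8000, ZERO, ZERO, ZERO,
                      ipaddress.IPv4Address(giaddr).packed, chaddr, b"", b"")
    return hdr + MAGIC + bytes([53, 1, 1]) + extra_options + b"\xff"

if __name__ == "__main__":
    mac = bytes.fromhex("02005e000001")      # constructed client MAC
    spoof = bytes.fromhex("02005e0000ff")    # constructed, differs from chaddr
    opt82 = bytes([82, 3, 1, 1, 0x41])
    print(relay_bootrequest(mac, make_discover(mac), "192.0.2.1")[0])
    print(relay_bootrequest(spoof, make_discover(mac), "192.0.2.1")[0])
    print(relay_bootrequest(mac, make_discover(mac, "198.51.100.7"), "192.0.2.1")[0])
    print(relay_bootrequest(mac, make_discover(mac, extra_options=opt82), "192.0.2.1")[0])
```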
Enabling DHCP Relay Agent on an Interface
This section describes how to enable the Cisco IOS XR DHCP relay agent on an interface.
Configuration Example
The DHCP relay agent is disabled by default.
router#configure
router(config)#dhcp ipv4
/* Configures DHCP for IPv4 and enters the DHCPv4 configuration submode. */
router(config-dhcpv4)#interface HundredGigE 0/2/0/2 relay profile client
/* Attaches a relay profile to an interface.
To disable the DHCP relay on the interface, use the 'no interface HundredGigE 0/2/0/2 none' command. */
router(config-dhcpv4-if)#commit
Running Configuration
Router#show running-config dhcp ipv4
dhcp ipv4
interface HundredGigE 0/2/0/2 relay profile client
!
Support for DHCP Option 82 on Bridge-Group Virtual Interface (BVI) Interface
DHCP option 82 provides additional security when DHCP is used to allocate network addresses. It enables the DHCP relay agent to prevent DHCP client requests from untrusted sources. You can configure the relay agent to insert the Option 82 circuit ID in the DHCP packet before the relay agent sends the packet to the DHCP server. When the DHCP relay profile is attached to a bridge virtual interface (BVI), you can assign the name of the ingress Layer 2 interface as the value of the Option 82 circuit ID. The DHCP packet that is sent from the relay agent to the server then carries the packet’s ingress Layer 2 interface name as the Option 82 circuit ID.
Configuration Example
router#configure
router(config)#dhcp ipv4
/* The 'dhcp ipv6' command configures DHCP for IPv6 and enters the DHCPv6 configuration submode. */
router(config-dhcpv4)#profile bvi1_profile relay
/* Enters the relay profile configuration mode. */
router(config-dhcpv4-relay-profile)#helper-address vrf default 10.1.1.2
/* Forwards UDP broadcasts, including DHCP. */
router(config-dhcpv4-relay-profile)#relay information option
/* Enables adding both circuit-id and remote-id to the DHCP packet */
router(config-dhcpv4-relay-profile)#interface BVI1 relay information option format-type circuit-id format-string "%s" l2-interface
/* Enables the DHCP relay agent to add the value of Option 82 Circuit ID field to the DHCP packet and assigns the ingress Layer 2 interface
as the value of Option 82 Circuit ID field. */
router(config-dhcpv4-relay-profile)# interface BVI1 relay profile bvi1_profile
/* Enables DHCP for IPv4 on a BVI interface and attaches the profile as the relay profile for the BVI interface. */
Running Configuration
Router#show running-config dhcp ipv4
dhcp ipv4
profile irb relay
helper-address vrf default 10.1.1.2
relay information option
!
interface BVI1 relay information option format-type circuit-id format-string "%s" l2-interface
interface BVI1 relay profile irb
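An added example (not Cisco code) of what the DHCP server or a log pipeline receives from this configuration: option 82 as defined in RFC 3046, with sub-option 1 (circuit ID) carrying the ingress Layer 2 interface name, decoded and checked against an allow-list of access ports. That the "%s" format yields the interface name as ASCII text is an assumption, as are the function names, the remote ID value, and the port list.

```python
CIRCUIT_ID, REMOTE_ID = 1, 2   # RFC 3046 sub-option codes

def build_option82(circuit_id: str, remote_id: bytes = b"") -> bytes:
    """Encode option 82 the way a relay would append it to a BOOTREQUEST."""
    cid = circuit_id.encode("ascii")
    subs = bytes([CIRCUIT_ID, len(cid)]) + cid
    if remote_id:
        subs += bytes([REMOTE_ID, len(remote_id)]) + remote_id
    if len(subs) > 255:
        raise ValueError("option 82 payload exceeds one length byte")
    return bytes([82, len(subs)]) + subs

def parse_option82(opt: bytes) -> dict:
    """Decode one option 82 TLV into {sub-option code: value bytes}."""
    if len(opt) < 2 or opt[0] != 82 or opt[1] != len(opt) - 2:
        raise ValueError("bad option 82 framing")
    body, subs, i = opt[2:], {}, 0
    while i < len(body):
        if i + 2 > len(body) or i + 2 + body[i + 1] > len(body):
            raise ValueError("truncated sub-option")
        subs[body[i]] = body[i + 2:i + 2 + body[i + 1]]
        i += 2 + body[i + 1]
    return subs

def circuit_allowed(opt: bytes, allowed_ports) -> bool:
    """True only if the circuit ID decodes cleanly and names an expected port."""
    try:
        cid = parse_option82(opt).get(CIRCUIT_ID)
    except ValueError:
        return False
    return cid is not None and cid.decode("ascii", "replace") in allowed_ports

# Constructed sample: interface name taken from this page, remote ID made up.
ALLOWED = {"TenGigE0/0/0/0"}
SAMPLE = build_option82("TenGigE0/0/0/0", remote_id=bytes.fromhex("02005e000001"))

if __name__ == "__main__":
    print(SAMPLE.hex())
    print(parse_option82(SAMPLE))
    print(circuit_allowed(SAMPLE, ALLOWED))
    print(circuit_allowed(build_option82("TenGigE0/0/0/9"), ALLOWED))
```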
Configuring DHCPv4 Server Profile on Bridge-Group Virtual Interface (BVI) Interface
The DHCP server accepts address assignment requests and renewals and assigns the IP addresses from predefined groups of addresses contained within Distributed Address Pools (DAPS). The DHCP server can also be configured to supply additional information to the requesting client. The DHCP server can accept broadcasts from locally attached LAN segments or DHCP requests that have been forwarded by other DHCP relay agents within the network.
DHCP IPv4 service-based mode selection
As part of the DHCP IPv4 service-based mode selection feature, a new mode called DHCP base is introduced. If an interface is configured in the DHCP base mode, DHCP selects the DHCP server mode to process the client request by matching the option 60 (class-identifier) value of the client request against the value configured under the DHCP base profile.
The pool is configured under server-profile-mode and server-profile-class-sub-mode. The class-based pool selection is always given priority over profile pool selection. The DHCPv4 server profile class sub-mode supports configuring DHCP options, except for a few (0, 12, 50, 52, 53, 54, 58, 59, 61, 82, and 255).
Configuration Example
Router#configure
Router(config)#dhcp ipv4
Router(config-dhcpv4)#profile bvi1_server server
/* Enters the server profile configuration mode. */
Router(config-dhcpv4-server-profile)#lease 0 0 0
/* Also use 'days minutes seconds' to specify lease for an IP address assigned from the pool. */
Router(config-dhcpv4-server-profile)#bootfile http://10.1.1.1/auto/images/server_bvi.iso
/* Configures the boot file b1. */
Router(config-dhcpv4-server-profile)#pool bvi_pool
/* Configures the DAPS pool name. */
Router(config-dhcpv4-server-profile)#broadcast-flag policy unicast-always
/* Broadcasts only BOOTREPLY packets if the DHCP IPv4 broadcast flag is set in the DHCP IPv4 header. */
Router(config-dhcpv4-server-profile)#class Class_A
/* Creates and enters server profile class configuration submode. */
Router(config-dhcpv4-server-profile-class)#match vrf default
/* Matches the class based on the VRF. */
Router(config-dhcpv4-server-profile-class)#match l2-interface TenGigE0/0/0/0
/* Matches the class based on the interface. */
Router(config-dhcpv4-server-profile-class)#bootfile http://10.1.1.1/auto/images/TENGClassA.iso
/* Configures the boot file b1. */
Router(config-dhcpv4-server-profile-class)#pool bvi_pool
/* Configures the DAPS pool name. */
Router(config-dhcpv4-server-profile-class)#option 66 ascii tftp://10.1.1.1/image.iso
/* Configures the DHCP option code. */
Router(config-dhcpv4-server-profile-class)#option 160 ascii http://10.1.1.1/image.iso
/* Configures the DHCP option code. */
Running Configuration
Router# show dhcp ipv4 server profile name BVI_Server
dhcp ipv4
profile BVI_Server server
lease 0 0 1
bootfile http://10.1.1.1/auto/images/server_bvi.iso
pool bvi_pool
broadcast-flag policy UnicastAlways
class ClassA
match vrf default
match l2-interface TenGigE0/0/0/0
bootfile http://10.1.1.1/auto/images/server_TENGClassA.iso
pool bvi_pool
option 66 ascii tftp://10.1.1.1/image.iso
option 160 ascii http://10.1.1.1/image.iso
!
Configuring Multiple Classes with a Pool
This section discusses configuring multiple classes with a pool.
Configuration Example
router#configure
router(config)#dhcp ipv4
/* Enables DHCP for IPv4 and enters DHCP IPv4 configuration mode. */
router(config-dhcpv4)#profile TEST server
/* Enters the server profile configuration mode. */
router(config-dhcpv4-server-profile)#pool POOL_TEST
/* Configures the DAPS pool name. */
router(config-dhcpv4-server-profile)#class Class_A
/* Creates and enters server profile class configuration submode. */
router(config-dhcpv4-server-profile-class)#pool pool_A
/* Configures the pool name. */
router(config-dhcpv4-server-profile-class)#match option 60 hex abcd
/* DHCP server selects a pool from a class by matching options in the received DISCOVER packet with the match option. */
router(config-dhcpv4-server-profile-class)#exit
/* Exits the server profile class submode. */
router(config-dhcpv4-server-profile)#class Class_B
/* Creates and enters the server profile class. */
router(config-dhcpv4-server-profile-class)#pool pool_B
/* Configures the pool name. */
router(config-dhcpv4-server-profile-class)#match vrf VRF1
/* The DHCP server selects a pool from a class by matching the options in the received DISCOVER packet with the match command.
If none of the classes match, then pools configured under the profile mode are selected. The DHCP server requests DAPS to allocate
an address from that pool. */
router(config-dhcpv4-server-profile-class)#commit
Running Configuration
Router#show running-config dhcp ipv4
dhcp ipv4
profile TEST server
pool POOL_TEST
class Class_A
pool pool_A
match option 60 hex abcd
exit
class Class_B
pool pool_B
match vrf VRF1
!
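The selection rules described for the DHCP base profile (match on option 60, otherwise the default profile) and for the classes above (class pool first, profile pool when no class matches) can be traced with the values from this page. This Python model is an added example, not Cisco code; exact byte comparison, first-match ordering, and all function and type names are assumptions.

```python
from typing import NamedTuple, Optional, Sequence, Tuple

class ServerClass(NamedTuple):
    name: str
    pool: str
    match_option60_hex: Optional[str] = None   # digits as typed after 'match option 60 hex'
    match_vrf: Optional[str] = None

def option60_equals(cfg_hex: str, option60: Optional[bytes]) -> bool:
    """The configured hex digits are compared as raw bytes, not as ASCII text."""
    return option60 is not None and bytes.fromhex(cfg_hex) == option60

def select_profile(base_matches: Sequence[Tuple[str, str]], default_profile: str,
                   option60: Optional[bytes]) -> str:
    """DHCP base mode: pick the profile whose option 60 value matches, else the default."""
    for cfg_hex, profile in base_matches:
        if option60_equals(cfg_hex, option60):
            return profile
    return default_profile

def select_pool(profile_pool: str, classes: Sequence[ServerClass], vrf: str,
                option60: Optional[bytes]) -> str:
    """Class pools take priority; the profile pool is used when no class matches."""
    for c in classes:
        checks = []
        if c.match_option60_hex is not None:
            checks.append(option60_equals(c.match_option60_hex, option60))
        if c.match_vrf is not None:
            checks.append(c.match_vrf == vrf)
        if checks and all(checks):
            return c.pool
    return profile_pool

# Values copied from the configurations on this page.
BASE_MATCHES = [("41424355", "DHCP_SERVER")]
CLASSES = [ServerClass("Class_A", "pool_A", match_option60_hex="abcd"),
           ServerClass("Class_B", "pool_B", match_vrf="VRF1")]

if __name__ == "__main__":
    # 41424355 is the byte string "ABCU"; the literal text "41424355" does not match.
    print(select_profile(BASE_MATCHES, "DEFAULT_PROFILE", b"ABCU"))
    print(select_profile(BASE_MATCHES, "DEFAULT_PROFILE", b"41424355"))
    # 'hex abcd' is the two bytes 0xab 0xcd, not the four characters "abcd".
    print(select_pool("POOL_TEST", CLASSES, "default", b"\xab\xcd"))
    print(select_pool("POOL_TEST", CLASSES, "VRF1", None))
    print(select_pool("POOL_TEST", CLASSES, "default", b"abcd"))
```

Option 60 is supplied by the client, so a match on it classifies requests but does not authenticate them.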
Configuring a Server Profile DAPS with Class Match Option
This section discusses configuring a server profile DAPS with class match option.
Configuration Example
router#configure
router(config)#dhcp ipv4
/* The 'dhcp ipv6' command configures DHCP for IPv6 and enters the DHCPv6 configuration submode. */
router(config-dhcpv4)#profile ISP1 server
/* Enters the server profile configuration mode. */
router(config-dhcpv4-server-profile)#pool ISP1_POOL
/* Configures the DAPS pool name. */
router(config-dhcpv4-server-profile)#class ISP1_CLASS
/* Creates and enters server profile class configuration submode. */
router(config-dhcpv4-server-profile-class)#pool ISP1_CLASS_POOL
/* Configures the pool name. */
router(config-dhcpv4-server-profile-class)#match option 60 hex PXEClient_1
/* DHCP server selects a pool from a class by matching options in the received DISCOVER packet with the match option. */
router(config-dhcpv4-server-profile-class)#exit
router(config-dhcpv4-server-profile)#exit
router(config-dhcpv4)#profile ISP2 server
/* Enters the server profile configuration mode. */
router(config-dhcpv4-server-profile)#dns-server 10.20.3.4
/* Configures the name of the DNS server or the IP address. */
router(config-dhcpv4-server-profile)#pool ISP2_POOL
/* Configures the pool name. */
router(config-dhcpv4-server-profile)#class ISP2_CLASS
/* Creates and enters the server profile class. */
router(config-dhcpv4-server-profile-class)#pool ISP2_CLASS_POOL
/* Configures the pool name. */
router(config-dhcpv4-server-profile-class)#match option 60 hex PXEClient_2
/* DHCP server selects a pool from a class by matching options in the received DISCOVER packet with the match option. */
router(config-dhcpv4-server-profile-class)#exit
router(config-dhcpv4-server-profile)#exit
router(config-dhcpv4)#commit
Running Configuration
Router#show running-config dhcp ipv4
dhcp ipv4
profile ISP1 server
pool ISP1_POOL
class ISP1_CLASS
pool ISP1_CLASS_POOL
match option 60 hex PXEClient_1
exit
exit
profile ISP2 server
dns-server 10.20.3.4
pool ISP2_POOL
class ISP2_CLASS
pool ISP2_CLASS_POOL
match option 60 hex PXEClient_2
exit
exit
!
Configuring Server Profile without DAPS Pool Match Option
This section discusses configuring a server profile without DAPS pool match option.
Configuration Example
router#configure
router(config)#dhcp ipv4
/* The 'dhcp ipv6' command configures DHCP for IPv6 and enters the DHCPv6 configuration submode. */
router(config-dhcpv4)#profile ISP1 server
/* Enters the server profile configuration mode. */
router(config-dhcpv4-server-profile)#dns-server ISP1.com
/* Configures the name of the DNS server or IP address. */
router(config-dhcpv4-server-profile)#exit
router(config-dhcpv4)#profile ISP2 server
/* Enters the server profile configuration mode. */
router(config-dhcpv4-server-profile)#dns-server ISP2.com
/* Configures the name of the DNS server or IP address. */
router(config-dhcpv4-server-profile)#exit
router(config-dhcpv4)#commit
Running Configuration
Router#show running-config dhcp ipv4
dhcp ipv4
profile ISP1 server
dns-server ISP1.com
exit
profile ISP2 server
dns-server ISP2.com
exit
!
Configuring an Address Pool for Each ISP on DAPS
This section discusses configuring an address pool for each ISP on DAPS.
Configuration Example
router#configure
router(config)#pool vrf ISP_1 ipv4 ISP1_POOL
/* Configures an IPv4 pool for the specified VRF or all VRFs. Use the 'ipv6' keyword for IPv6 pool. */
router(config-pool-ipv4)#network 10.10.10.0
/* Specifies network for allocation. */
router(config-pool-ipv4)#exit
router(config)#pool vrf ISP_2 ipv4 ISP2_POOL
/* Configures an IPv4 pool for the specified VRF or all VRFs. */
router(config-pool-ipv4)#network 10.20.20.0
/* Specifies network for allocation. */
router(config-pool-ipv4)#exit
router(config)#commit
Running Configuration
Router#show running-config pool
pool vrf ISP_1 ipv4 ISP1_POOL
network 10.10.10.0
exit
pool vrf ISP_2 ipv4 ISP2_POOL
network 10.20.20.0
!