Tuesday, January 28, 2014

What are the differences between DHCP relay on the Nexus 7000/NX-OS and IP helper on the 6500/IOS?

DHCP Relay Agent: Routers, by default, will not forward broadcast packets. Since DHCP client messages use the destination IP address 255.255.255.255 (the all-nets broadcast), DHCP clients cannot send requests to a DHCP server on a different subnet unless the DHCP/BootP Relay Agent is configured on the router. The DHCP/BootP Relay Agent forwards DHCP requests to the DHCP server on behalf of the DHCP client. The relay agent uses its own IP address as the source IP address of the DHCP packets it sends to the DHCP server, which allows the DHCP server to respond via unicast to the relay agent. The relay agent also populates the gateway IP address (giaddr) field with the IP address of the interface on which the DHCP message was received from the client. The DHCP server uses the giaddr field to determine the subnet from which the DHCPDISCOVER, DHCPREQUEST, or DHCPINFORM message originates.

The NX-OS implementation of DHCP relay on the Nexus 7000 differs from the way the DHCP helper address is implemented on the 6500 and other IOS-based platforms.

On the Nexus 7000 a VACL redirects all DHCP broadcast traffic to the CPU when the DHCP relay function is configured. When this redirect occurs, the Nexus 7000 does NOT broadcast these DHCP broadcast packets to all ports within the VLAN as one would expect. The reasoning is that if a DHCP relay agent is configured, then the DHCP server does not exist on the local VLAN and there is no need to broadcast this traffic locally.

This is different from what occurs on the 6500. On the 6500 all DHCP broadcasts are leaked to the CPU and also flooded to all ports within the VLAN.

On the N7k you can view the redirect VACL in hardware with the command 'show system internal access-list vlan X input statistics'. The output below shows what the ACL redirect looks like for a relay agent configured on SVI 10. It only shows the redirect VACL for module 2. If you have multiple modules in the device, this VACL redirect is programmed on every module (because there is a forwarding engine on every module of an N7k):

7000-1# sh system internal access-list vlan 10 input statistics

slot  2
=======

Tcam 1 resource usage:
----------------------
Label_b = 0x801
Bank 0
------
    IPv4 Class
      Policies: DHCP Snooping()  [Merged]
      Entries: 
        [Index] Entry [Stats]
        ---------------------
[0003] redirect(0x800) udp 0.0.0.0/0 255.255.255.255/32 eq 68  [0]
[0004] redirect(0x800) udp 0.0.0.0/0 255.255.255.255/32 eq 67  [0]
[0005] redirect(0x800) udp 0.0.0.0/0 eq 68 255.255.255.255/32  [0]
[0006] redirect(0x800) udp 0.0.0.0/0 eq 67 255.255.255.255/32  [0]
[0007] permit ip 0.0.0.0/0 0.0.0.0/0  [0]
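
Because the redirect has to be programmed on every module, a quick check is to parse this output and confirm that each slot carries all four UDP 67/68 redirect entries. The following is an added example, not part of the original post or any Cisco tooling; the function names, the slot 3 section and the non-zero hit counts in the sample are constructed for illustration.

```python
import re

# Constructed sample in the format of the output above: slot 2 mirrors the
# page's entries (hit counts made up), slot 3 is invented and lacks one entry.
SAMPLE = """\
slot  2
=======
[0003] redirect(0x800) udp 0.0.0.0/0 255.255.255.255/32 eq 68  [0]
[0004] redirect(0x800) udp 0.0.0.0/0 255.255.255.255/32 eq 67  [41]
[0005] redirect(0x800) udp 0.0.0.0/0 eq 68 255.255.255.255/32  [17]
[0006] redirect(0x800) udp 0.0.0.0/0 eq 67 255.255.255.255/32  [0]
[0007] permit ip 0.0.0.0/0 0.0.0.0/0  [0]
slot  3
=======
[0003] redirect(0x800) udp 0.0.0.0/0 255.255.255.255/32 eq 68  [0]
[0004] redirect(0x800) udp 0.0.0.0/0 255.255.255.255/32 eq 67  [0]
[0005] redirect(0x800) udp 0.0.0.0/0 eq 68 255.255.255.255/32  [0]
[0007] permit ip 0.0.0.0/0 0.0.0.0/0  [0]
"""

SLOT = re.compile(r"^slot\s+(\d+)\s*$")
# "udp <src> [eq <sport>] 255.255.255.255/32 [eq <dport>]  [<hits>]"
REDIRECT = re.compile(
    r"^\s*\[\d+\]\s+redirect\(\w+\)\s+udp\s+\S+(?:\s+eq\s+(\d+))?"
    r"\s+255\.255\.255\.255/32(?:\s+eq\s+(\d+))?\s+\[(\d+)\]\s*$")
EXPECTED = {("src", 67), ("src", 68), ("dst", 67), ("dst", 68)}

def dhcp_redirects(text):
    """Return {slot: {(side, port): hits}} for UDP redirects to 255.255.255.255."""
    slots, current = {}, None
    for line in text.splitlines():
        if m := SLOT.match(line):
            current = slots.setdefault(int(m.group(1)), {})
        elif current is not None and (m := REDIRECT.match(line)):
            src_port, dst_port, hits = m.groups()
            if src_port or dst_port:  # ignore entries without a port match
                side, port = ("src", src_port) if src_port else ("dst", dst_port)
                current[(side, int(port))] = int(hits)
    return slots

def missing_redirects(text):
    """Return {slot: sorted missing (side, port) entries} for incomplete slots."""
    found = dhcp_redirects(text)
    return {slot: sorted(EXPECTED - set(entries))
            for slot, entries in found.items() if EXPECTED - set(entries)}
```

An empty result from `missing_redirects` means every slot in the captured output has the full set of redirect entries; the per-entry hit counts show which of them are matching traffic.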

The issue with not broadcasting the DHCP discover when a relay agent is configured is that in certain scenarios this can break functionality, namely when a local server needs to hear the DHCP broadcast packet. This can also occur if the server is not directly attached to the N7k, but traffic must pass through an N7k with the DHCP relay agent configured for that VLAN to reach the server.

To get around scenarios where the local DHCP discover needs to be heard by a specific device on the local subnet as well as by the DHCP server, an additional DHCP relay-agent address needs to be configured on the SVI of that VLAN. This relay-agent address needs to point to the local device that needs to hear this traffic. Since DHCP traffic is redirected to all configured relay-agent addresses, the DHCP discover is sent to the DHCP server (12.3.4.6) as well as the local server (10.0.0.2). An example of this can be seen below:

Interface vlan 12
ip address 10.0.0.1 255.255.255.0
ip dhcp relay address 12.3.4.6  <--- DHCP server
ip dhcp relay address 10.0.0.2  <--- IP address of local server

If multiple devices on that subnet need to hear this traffic, you can specify the directed broadcast address of the local subnet as a relay-agent address. This causes the DHCP traffic to be flooded throughout the local subnet (with destination 10.0.0.255) as well as being sent to the DHCP server (12.3.4.6):

Interface vlan 12
ip address 10.0.0.1 255.255.255.0
ip dhcp relay address 12.3.4.6  <--- DHCP server
ip dhcp relay address 10.0.0.255  <--- local subnet broadcast

Since the relay-agent is simply forwarding this traffic to the configured address, this will allow this traffic to get to the correct location.
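
The relay behaviour described above (giaddr set to the receiving interface, one unicast copy per configured relay address, scope chosen by the server from giaddr) can be modelled on a real BOOTP header. This is an added example, not Cisco's implementation or code from the original post; the function names, MAC address, transaction ID and scope list are constructed, and the relay's source address is assumed to be the SVI address.

```python
import ipaddress
import struct

# Fixed BOOTP header (RFC 951/2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file = 236 bytes
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC = bytes([99, 130, 83, 99])           # DHCP magic cookie
GIADDR, HOPS, OP = 10, 3, 0                # field positions in the header

def build_discover(xid, mac):
    """Constructed client DHCPDISCOVER: broadcast flag set, giaddr 0.0.0.0."""
    hdr = BOOTP.pack(1, 1, 6, 0, xid, 0, 0x8000, bytes(4), bytes(4),
                     bytes(4), bytes(4), mac, bytes(64), bytes(128))
    return hdr + MAGIC + bytes([53, 1, 1, 255])   # option 53 = DISCOVER, end

def relay(packet, svi_ip, relay_addresses):
    """Return [(src_ip, dst_ip, payload)]: one unicast copy per relay address."""
    fields = list(BOOTP.unpack_from(packet))
    if fields[OP] != 1:                    # only BOOTREQUESTs go toward servers
        return []
    if fields[GIADDR] == bytes(4):         # first relay on the path fills giaddr
        fields[GIADDR] = ipaddress.IPv4Address(svi_ip).packed
    fields[HOPS] += 1
    payload = BOOTP.pack(*fields) + packet[BOOTP.size:]
    # Assumption: the relay sources the packet from the SVI address.
    return [(svi_ip, dst, payload) for dst in relay_addresses]

def server_scope(payload, scopes):
    """Server side: pick the scope whose subnet contains giaddr, else None."""
    giaddr = ipaddress.IPv4Address(BOOTP.unpack_from(payload)[GIADDR])
    for net in map(ipaddress.ip_network, scopes):
        if giaddr in net:
            return str(net)
    return None

if __name__ == "__main__":
    discover = build_discover(0x1234ABCD, bytes.fromhex("020000000001"))
    for src, dst, payload in relay(discover, "10.0.0.1", ["12.3.4.6", "10.0.0.2"]):
        print(src, "->", dst, server_scope(payload, ["12.3.4.0/24", "10.0.0.0/24"]))
```

Every configured relay address, including a local one such as 10.0.0.2 or 10.0.0.255, receives the same payload with giaddr 10.0.0.1, so each receiver sees the client's request attributed to the 10.0.0.0/24 subnet.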

Below is a step-by-step walkthrough of the DHCP process on the N7k and the 6500, covering the differences described above.

DHCP relay-agent process on the N7k:


  1. DHCP discover is sent by the client
  2. When this packet ingresses the N7k it is redirected to the CPU/relay agent by the ingress forwarding engine and is not broadcast on the vlan.
  3. The relay agent redirects the DHCP discover to the DHCP server.
  4. DHCP server responds with a DHCP offer to the IP address of the relay-agent in the giaddr field of the discover/request packet; the offer is relayed to the client.
  5. DHCP client responds with a DHCP request (whether it is a unicast or a broadcast response); this is redirected to the relay-agent and forwarded on to the DHCP server.
  6. DHCP server ACKs the request, and the ACK is sent to the relay-agent. It is then relayed to the client, finishing the DHCP process.

DHCP helper address process on the 6500:


  1. DHCP discover is sent by the client
  2. When this packet ingresses the 6500 it is leaked to the CPU/relay agent based on a destination index, which includes the vlan broadcast.
  3. The relay agent redirects the DHCP discover to the DHCP server.
  4. DHCP server responds with a DHCP offer to the IP address of the relay-agent in the giaddr field of the discover/request packet; the offer is relayed to the client.
  5. DHCP client responds with a DHCP request (whether it is a unicast or a broadcast response); this is redirected to the relay-agent and forwarded on to the DHCP server.
  6. DHCP server ACKs the request, and the ACK is sent to the relay-agent. It is then relayed to the client, finishing the DHCP process.

Citation - This blog post does not reflect original content from the author. Rather, it summarizes content that is relevant to the topic from different sources on the web. The sources might include any online discussion boards, forums, websites and others.
