DHCP relay
Overview
The DHCP relay listens for DHCP queries and responses. When a query is received from a client, it is forwarded to the specified DHCP server(s). When a reply is received from a server, it is forwarded to the client that made the initial request.
The DHCP relay needs at least the IP address of a reachable DHCP server and an interface on which to listen for DHCP queries.
In the following example, a DHCP relay is configured with a maximum hop count of 5 (hop-count), which limits the number of network devices a DHCP message can pass through before being discarded. The maximum allowed size for DHCP packets is set to 576 bytes (maximum-size). These options apply to all interfaces but can be overridden by interface configurations (interface).
Then, the relay is configured to listen on 2 interfaces:
For eth1, the relay forwards DHCP queries to the DHCP servers at 1.0.0.1 and 2.0.0.1 (dhcp-server). Additionally, this interface has its own drop-unmatched policy, which is configured to drop any DHCP packets sent by DHCP servers in response to a different relay agent.
For eth2, the relay forwards DHCP requests to servers at IP addresses 1.0.0.1 and 3.0.0.1. This interface also has its own maximum-size setting, which limits DHCP packets on this interface to 800 bytes and overrides the global maximum size configured at the root level.
vsr> edit running
vsr running config# vrf main
vsr running vrf main# interface physical eth1
vsr running physical eth1#! port pci-b0s4
vsr running physical eth1# ipv4 address 10.100.0.1/24
vsr running physical eth1# ..
vsr running physical# ..
vsr running vrf main# interface physical eth2
vsr running physical eth2#! port pci-b0s5
vsr running physical eth2# ipv4 address 10.101.0.1/24
vsr running physical eth2# ..
vsr running physical# ..
vsr running vrf main# dhcp relay
vsr running relay# hop-count 5
vsr running relay# maximum-size 576
vsr running relay# interface eth1
vsr running interface eth1#! dhcp-server 1.0.0.1
vsr running interface eth1# dhcp-server 2.0.0.1
vsr running interface eth1# drop-unmatched true
vsr running interface eth1# ..
vsr running relay# interface eth2
vsr running interface eth2#! dhcp-server 1.0.0.1
vsr running interface eth2# dhcp-server 3.0.0.1
vsr running interface eth2# maximum-size 800
vsr running interface eth2# ..
vsr running relay# commit
The same configuration can be made using this NETCONF XML configuration:
vsr> show config xml absolute vrf main dhcp relay
<config xmlns="urn:6wind:vrouter">
<vrf>
<name>main</name>
<dhcp xmlns="urn:6wind:vrouter/dhcp">
<relay>
<enabled>true</enabled>
<drop-unmatched>false</drop-unmatched>
<hop-count>5</hop-count>
<max-size>576</max-size>
<interface>
<name>eth1</name>
<enabled>true</enabled>
<dhcp-server>1.0.0.1</dhcp-server>
<dhcp-server>2.0.0.1</dhcp-server>
<drop-unmatched>true</drop-unmatched>
</interface>
<interface>
<name>eth2</name>
<enabled>true</enabled>
<dhcp-server>1.0.0.1</dhcp-server>
<dhcp-server>3.0.0.1</dhcp-server>
<maximum-size>800</maximum-size>
</interface>
<agent-information>
<trusted-circuit>true</trusted-circuit>
</agent-information>
</relay>
</dhcp>
</vrf>
</config>
See also
The DHCP relay command reference for details.
The state of DHCP relay includes the statistics for received and forwarded packet counters and valid DHCP leases for each interface:
dut-vm running config# show state vrf main dhcp relay
relay
enabled true
drop-unmatched false
hop-count 5
max-size 576
interface eth1
enabled true
dhcp-server 1.0.0.1
dhcp-server 2.0.0.1
drop-unmatched true
hop-count 5
max-size 576
agent-information
enabled true
trusted-circuit true
..
counters
discover 1
offer 1
request 1
decline 0
ack 1
nack 0
release 0
inform 0
boot-request 0
boot-reply 0
..
dhcp-server-leases 10.100.0.3
starts 2024-08-30T15:39:03-01:00
ends 2024-08-30T16:39:03-01:00
hw-mac-address de:ed:01:15:df:0c
..
..
interface eth2
enabled true
dhcp-server 1.0.0.1
dhcp-server 3.0.0.1
drop-unmatched false
hop-count 5
max-size 800
agent-information
enabled true
trusted-circuit true
..
counters
discover 0
offer 0
request 0
decline 0
ack 0
nack 0
release 0
inform 0
boot-request 0
boot-reply 0
..
..
..
agent-information
trusted-circuit true
..
..
It is also possible to retrieve the statistics and valid leases of eth1 using the command show dhcp-relay:
vsr> show dhcp-relay interface eth1
statistics for interface ntfp1 :
discover offer request decline ack nack release inform boot-request boot-reply
======== ===== ======= ======= === ==== ======= ====== ============ ==========
1        1     1       0       1   0    0       0      0            0
vsr> show dhcp-relay leases interface eth1
leases for interface ntfp1 :
address: 10.100.0.3
starts: 2024-08-30T15:39:03-01:00
ends: 2024-08-30T16:39:03-01:00
mac-addr: de:ed:01:15:df:0c
See also
The show dhcp-relay command reference for details.
Agent information
Agent information settings concern the identification of the DHCP relay.
Options 82
By default, the initial DHCP relay that intercepts a client’s DHCP request is identified using the GIADDR field in the DHCP packet. However, DHCP Options 82, also known as Relay Agent Information options, provide an enhanced mechanism. The relay appends these options to the original client request packet, giving the DHCP server additional context that helps it assign a lease to the client accurately.
The configurable DHCP Option 82 sub-options are the following:
circuit-id: option 82.1,
remote-id: option 82.2,
and link-selection: option 82.5.
Configuring either the remote-id or the link-selection automatically enables the emission of a circuit-id, which defaults to including the name of the client interface. For example, the following results in sending eth1 as the value for option 82.1:
vsr> edit running
vsr running config# vrf main dhcp relay interface eth1 agent-information
vsr running agent-information# remote-id global 6wind-eth1
vsr running agent-information# commit
However, a custom value for the circuit-id can be configured to override the default interface name:
vsr running agent-information# circuit-id 6wind-eth1
vsr running agent-information# commit
Note
The remote-id DHCP Option 82.2 is a value that can be appended when relaying DHCP packets to the DHCP servers. This value applies globally to all remote devices behind the interface, which means it does not comply with “RFC 3046”. However, it does ensure compatibility with certain DHCP implementations.
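To make the sub-option layout concrete, the following added example (not taken from the vRouter documentation or code) encodes and decodes an Option 82 field carrying the three sub-options listed above. The function names are hypothetical, and encoding circuit-id and remote-id as ASCII strings is an assumption; the values are the ones used on this page.

```python
import ipaddress

RELAY_AGENT_INFORMATION = 82
CIRCUIT_ID, REMOTE_ID, LINK_SELECTION = 1, 2, 5   # sub-options named on this page

def build_option82(circuit_id, remote_id=None, link_selection=None):
    """Encode option 82 as: code, length, then (sub-code, sub-length, value) items."""
    subs = [(CIRCUIT_ID, circuit_id.encode("ascii"))]   # ASCII encoding is an assumption
    if remote_id is not None:
        subs.append((REMOTE_ID, remote_id.encode("ascii")))
    if link_selection is not None:
        subs.append((LINK_SELECTION, ipaddress.IPv4Address(link_selection).packed))
    body = b"".join(bytes([code, len(value)]) + value for code, value in subs)
    if len(body) > 255:
        raise ValueError("option 82 payload exceeds the one-byte length field")
    return bytes([RELAY_AGENT_INFORMATION, len(body)]) + body

def parse_option82(option):
    """Decode an option 82 TLV into a dict, rejecting truncated input."""
    if len(option) < 2 or option[0] != RELAY_AGENT_INFORMATION:
        raise ValueError("not an option 82 TLV")
    body = option[2:2 + option[1]]
    if len(body) != option[1]:
        raise ValueError("option 82 is truncated")
    fields, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or i + 2 + body[i + 1] > len(body):
            raise ValueError("sub-option is truncated")
        code, value = body[i], body[i + 2:i + 2 + body[i + 1]]
        i += 2 + len(value)
        if code == CIRCUIT_ID:
            fields["circuit-id"] = value.decode("ascii", "replace")
        elif code == REMOTE_ID:
            fields["remote-id"] = value.decode("ascii", "replace")
        elif code == LINK_SELECTION and len(value) == 4:
            fields["link-selection"] = str(ipaddress.IPv4Address(value))
        else:
            fields[code] = value          # unknown or odd-sized: keep raw bytes
    return fields

# Page values: default circuit-id eth1, remote-id 6wind-eth1, link-selection 10.100.0.1.
SAMPLE = build_option82("eth1", remote_id="6wind-eth1", link_selection="10.100.0.1")
```

The same parser can be pointed at an Option 82 field extracted from a packet capture to confirm what the relay actually emits after a configuration change.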
Relay address and link-selection
The agent-information relay-address setting specifies the IP address that the relay uses to communicate with DHCP servers.
This address is also set in the GIADDR field of the DHCP packet if the relay is the first one in the communication path. The GIADDR serves two purposes for the DHCP server:
It specifies the IP address to which the DHCP server must reply.
It is used by the DHCP server to identify the IP range for assigning a lease, unless a link-selection IP (DHCP option 82.5) is provided.
When the link-selection IP is set, the server uses it instead to determine the appropriate IP range for lease assignment and communicates with the relay using the GIADDR. This is particularly helpful when the client subnet containing the link-selection IP is not routable from the DHCP server.
In the previous example, the relay address of the eth1 DHCP relay was automatically set to 10.100.0.1, and packets sent to the dhcp-server addresses used this as the source address. To communicate with the DHCP server using a different source IP, set the GIADDR using relay-address (e.g., 10.0.0.1) and use the 10.100.0.1 address as the link-selection. This ensures the servers select the range that includes 10.100.0.1 instead of relying solely on the GIADDR.
vsr> edit running
vsr running config# vrf main
vsr running vrf main# interface physical eth1
vsr running physical eth1# ipv4 address 10.0.0.1/24
vsr running physical eth1# ..
vsr running physical# ..
vsr running vrf main# dhcp relay interface eth1 agent-information
vsr running agent-information# relay-address 10.0.0.1
vsr running agent-information# link-selection 10.100.0.1
vsr running agent-information# commit
Since eth1 has only two addresses (10.0.0.1 and 10.100.0.1), the link-selection can be deduced from the relay-address and vice-versa. The following configurations will produce the same result:
vsr> edit running
vsr running config# vrf main dhcp relay interface eth1 agent-information
vsr running agent-information# relay-address 10.0.0.1
vsr running agent-information# link-selection auto
vsr running agent-information# commit
vsr> edit running
vsr running config# vrf main dhcp relay interface eth1 agent-information
vsr running agent-information# del relay-address
vsr running agent-information# link-selection 10.100.0.1
vsr running agent-information# commit
The configured relay-address IP can reside on an interface other than the client interface, such as a loopback interface. To set the 10.0.0.1 relay address on a loopback interface:
vsr> edit running
vsr running config# vrf main
vsr running vrf main# interface physical eth1
vsr running physical eth1# del ipv4 address 10.0.0.1/24
vsr running physical eth1# ..
vsr running physical# ..
vsr running vrf main# interface loopback loopback1
vsr running loopback loopback1# ipv4 address 10.0.0.1/32
vsr running loopback loopback1# ..
vsr running loopback# ..
vsr running vrf main# dhcp relay interface eth1 agent-information
vsr running agent-information# relay-address 10.0.0.1
vsr running agent-information# commit
Warning
When setting relay-address without link-selection, ensure the specified relay address resides on the client interface. Otherwise, the DHCP servers will incorrectly attempt to select an IP range that includes the GIADDR, which is the relay address. In the example, since the GIADDR is on loopback1, deleting the link-selection would instruct the servers to select a range based on 10.0.0.1.
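The range selection described in this section and the misconfiguration named in the Warning can be modelled as follows. This is an added example, not vRouter or DHCP server code; the function names and the server pool list are assumptions, since the page does not show the servers' configuration.

```python
import ipaddress

# Constructed server pools (assumption: server configuration is not shown on the page).
POOLS = ["10.100.0.0/24", "10.0.0.0/24"]

def selector(giaddr, link_selection=None):
    """Address the server keys its range on: option 82.5 if present, else GIADDR."""
    return ipaddress.ip_address(link_selection if link_selection else giaddr)

def server_choice(pools, giaddr, link_selection=None):
    """Return (range chosen for the lease, address the server replies to)."""
    key = selector(giaddr, link_selection)
    networks = (ipaddress.ip_network(p) for p in pools)
    chosen = next((str(n) for n in networks if key in n), None)
    return chosen, str(ipaddress.ip_address(giaddr))

def relay_address_ok(client_if_addresses, relay_address, link_selection=None):
    """The Warning's check: without link-selection, the relay address must be
    one of the client interface's own addresses."""
    if link_selection:
        return True
    own = {ipaddress.ip_interface(a).ip for a in client_if_addresses}
    return ipaddress.ip_address(relay_address) in own

def review(client_if_addresses, relay_address, link_selection=None, pools=POOLS):
    """Summarise one relay interface: selected range, reply address, and verdict."""
    chosen, reply_to = server_choice(pools, relay_address, link_selection)
    ok = relay_address_ok(client_if_addresses, relay_address, link_selection)
    return {"range": chosen, "reply-to": reply_to, "ok": ok}

if __name__ == "__main__":
    # Loopback relay address with link-selection, as configured on this page.
    print(review(["10.100.0.1/24"], "10.0.0.1", "10.100.0.1"))
    # Same relay address after deleting link-selection: the case the Warning describes.
    print(review(["10.100.0.1/24"], "10.0.0.1"))
```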
Trusted circuit
When a DHCP relay receives a DHCP request from a client, it sets the GIADDR field and optionally inserts the Agent Information (Option 82) before forwarding the request to the specified dhcp-server IPs. These IPs may represent other DHCP relays. In such cases, when another DHCP relay receives the request, the presence of the GIADDR field or Option 82 indicates that the packet originated from a prior relay in the network path.
The trusted-circuit option determines the behavior of the relay upon receiving a packet containing either GIADDR or Option 82. This option specifies whether the relay should forward or discard such packets. By default, it is set to true, which means the relay will forward such packets. For enhanced security, it is recommended to set this option to false on interfaces that directly receive client requests, ensuring that such packets are discarded.
To set all client interfaces globally as untrusted:
vsr> edit running
vsr running config# vrf main dhcp relay agent-information
vsr running agent-information# trusted-circuit false
vsr running agent-information# commit
This configuration is equivalent to setting trusted-circuit on the eth1 and eth2 interfaces individually:
vsr> edit running
vsr running config# vrf main dhcp relay
vsr running relay# interface eth1 agent-information
vsr running agent-information# trusted-circuit false
vsr running agent-information# ..
vsr running interface eth1# ..
vsr running relay# interface eth2 agent-information
vsr running agent-information# trusted-circuit false
vsr running agent-information# commit
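The trusted-circuit rule described above, expressed as a packet-level check. This is an added example and not the vRouter implementation: the function names are hypothetical, the request is constructed for the test, and dropping malformed packets is an assumption, since the page does not say how they are handled.

```python
import ipaddress

MAGIC_COOKIE = bytes([99, 130, 83, 99])   # marks the start of the DHCP options
GIADDR = slice(24, 28)                    # relay agent address in the fixed header
OPTIONS_START = 240                       # 236-byte header plus the cookie

def has_option(packet, wanted):
    """Walk the options field; raise ValueError if an option is cut short."""
    i = OPTIONS_START
    while i < len(packet):
        code = packet[i]
        if code == 255:                   # End option
            return False
        if code == 0:                     # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option")
        if code == wanted:
            return True
        i += 2 + packet[i + 1]
    return False

def relay_decision(packet, trusted_circuit):
    """Return 'forward' or 'drop' for a packet received on a client interface."""
    if len(packet) < OPTIONS_START or packet[236:240] != MAGIC_COOKIE:
        return "drop"
    try:
        already_relayed = packet[GIADDR] != bytes(4) or has_option(packet, 82)
    except ValueError:
        return "drop"                     # assumption: malformed options are discarded
    if already_relayed and not trusted_circuit:
        return "drop"
    return "forward"

def sample_request(giaddr="0.0.0.0", option82=b""):
    """Constructed DHCPDISCOVER, used only to exercise relay_decision()."""
    header = bytearray(236)
    header[0:3] = bytes([1, 1, 6])        # BOOTREQUEST, Ethernet, 6-byte address
    header[GIADDR] = ipaddress.IPv4Address(giaddr).packed
    header[28:34] = bytes.fromhex("deed0115df0c")   # MAC from the page's lease output
    options = bytes([53, 1, 1]) + option82 + bytes([255])
    return bytes(header) + MAGIC_COOKIE + options
```

With trusted-circuit set to false, only requests with an empty GIADDR and no Option 82 pass; with the default of true, all three sample shapes are forwarded.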