Test VRF-Aware DHCP Relaying with netlab « ipSpace.net blog

[ad_1]

After figuring out how DHCP relaying works and testing it in a simple lab, I went a step further and tested VRF-aware DHCP relaying.

Lab Topology

I had to make just a few changes to the DHCP relaying lab topology:

  • DHCP server is running on CSR 1000v. IOSv DHCP server does not support subnet selection DHCP option and thus doesn’t work with relays that do inter-VRF DHCP relaying.
  • I put the link between the DHCP client and DHCP relay into a VRF.

Changes in lab topology

groups:
  switch:
    members: [ relay ]
    module: [ ospf,vrf ]

vrfs:
  client:

links:
- user:
    dhcp.client: True
  relay:
    dhcp.server: srv
  type: lan
  vrf: client
Lab topology diagram

Lab topology diagram

Lab IPv4 addressing

  Interface                  IPv4 address  Description
================================================================================
srv (10.0.0.1/32)
  GigabitEthernet2            10.1.0.2/30  srv -> relay

relay (10.0.0.2/32)
  GigabitEthernet0/1          10.1.0.1/30  relay -> srv
  GigabitEthernet0/2        172.16.0.2/24  relay -> user (VRF: client)

user (10.0.0.3/32)
  GigabitEthernet0/1        172.16.0.3/24  user -> relay

You can view the complete topology file on GitHub.

Device Configurations

I configured VRF-aware DHCP relay (ip dhcp relay information option vpn) and VRF-aware DHCP pools (use vrf option in ip dhcp pool). The final device configurations (with Cisco IOSv as DHCP relay) are available in netlab-examples GitHub repository.

Cisco IOS VRF-aware DHCP relay configuration

ip dhcp relay information option vpn
!
interface GigabitEthernet0/2
 ip helper-address global 10.0.0.1

Cisco IOS VRF-aware DHCP server configuration

ip dhcp excluded-address vrf client 172.16.0.2
!
ip dhcp pool p_172.16.0.0
 vrf client
 network 172.16.0.0 255.255.255.0
 default-router 172.16.0.2

Does It Work?

It does… once I figured out IOSv DHCP server doesn’t work well with inter-VRF DHCP relaying and switched to CSR 1000v. Let’s go into some of the interesting (cleaned up) debugging printouts on the DHCP server. Full client and server logs are available on GitHub.

Debugging printout of DHCP server discovery

DHCPD: tableid for 10.1.0.2 on GigabitEthernet2 is 0
DHCPD: found subnet_info_addr 172.16.0.0
DHCPD: Giaddr from server-id-override suboption 172.16.0.2
DHCPD: client's VPN is client.
DHCPD: DHCPDISCOVER received from client 0063.6973.636f.2d35.3235.342e.3030.3539.2e64.6664.352d.4769.302f.31 through relay 10.1.0.1.
DHCPD: using server-id-override 172.16.0.2
DHCPD: Option 125 not present in the msg.
DHCPD: egress Interfce GigabitEthernet2
DHCPD: unicasting BOOTREPLY for client 5254.0059.dfd5 to relay 10.1.0.1.

Here’s what’s going on behind the scenes.

DHCP relay:

  • Specified its global IPv4 address (10.1.0.1) as the relay IPv4 address (giaddr)
  • Used link selection sub-option (option 82 sub-option 5, defined in RFC 3527) to pass the information about the VRF IP subnet in which the client resides.
  • Included client VPN information (option 82 sub-option 151, defined in RFC 6607)
  • Set the desired server ID to its VRF IP address (option 82 sub-option 11, defined in RFC 5107)

DHCP server therefore assigned an IP address from 172.16.0.0 pool to the client, set the server ID to 172.16.0.2, and sent the reply to 10.1.0.1. Similar processing happens for all subsequent packets.

Let’s also check the client lease:

DHCP lease on the DHCP client

user#show dhcp lease
...
Temp IP addr: 172.16.0.4  for peer on Interface: GigabitEthernet0/1
Temp  sub net mask: 255.255.255.0
   DHCP Lease server: 172.16.0.2, state: 5 Bound
   DHCP transaction id: 2030
   Lease: 86400 secs,  Renewal: 43200 secs,  Rebind: 75600 secs
   Next timer fires after: 11:36:39
   Retry count: 0   Client-ID: cisco-5254.0059.dfd5-Gi0/1
   Client-ID hex dump: 636973636F2D353235342E303035392E
                       646664352D4769302F31
   Hostname: user

As expected, the DHCP server IP address is the VRF IP address of the DHCP relay. All subsequent DHCP packets are thus sent to the DHCP relay and not directly to the DHCP server.

Vendor Interoperability Is Fun

I tried to test a combination of Arista vEOS DHCP relay (4.28.3M) and Cisco CSR DHCP server.

Arista vEOS VRF-aware DHCP relay configuration

ip dhcp relay information option
!
interface Ethernet2
 ip helper-address 10.0.0.1 vrf default

It didn’t work until I removed the vrf definition from the DHCP pool – here’s the relevant part of Cisco IOS XE debugging printout:

DHCPD: Bad VPN information type: 99.
DHCPD: client's VPN is .

According to RFC 6607, the VPN selection sub-option (sub-option 151) starts with Virtual Subnet Selection Type (a binary zero for VRF name), and that’s what Cisco IOS XE expects.

Arista EOS 4.29.1F documentation (section 13.1.9 – DHCP Relay Across VRF) claims that the value of sub-option 151 created by EOS contains just the VPN name (without the intervening binary zero meaning “what follows is the VPN name”). Faced with client as the value of sub-option 151, Cisco IOS understands the VSS Type to be 99 (ASCII value of c), which is invalid. The DHCP server on CSR 1000v thus ignores sub-option 151.

Takeaways

  • Inter-VRF DHCP relaying is complex – it’s trying to make a simple protocol do things it was never designed to do. We’ll get back to the fun implications of this Rube Goldberg stack of kludges when we get to redundant designs.
  • Two or three sub-options of option-82 are involved in inter-VRF DHCP relaying, and DHCP relays and servers have to support them perfectly for the whole thing to work.
  • In particular, the DHCP relay and DHCP server MUST support server identifier override sub-options of option 82 and MUST support the same way of identifying the client subnet.
  • There are at least two ways of specifying the client subnet in DHCP – link selection sub-option of option 82 and subnet selection option (option 118). In the ideal world, all relay agents and servers would use link selection sub-option – after all, it was designed to be used in DHCP relaying scenarios. I wouldn’t be surprised if the networking vendors fail to reach that level of consistency.
  • Virtual Subnet Selection Suboption (option 151) it not needed for inter-VRF DHCP relaying, but is required to implement multi-tenant DHCP with overlapping address pools. At least one vendor implemented it incorrectly.

I’m positive that you’ve experienced your share of horror stories on other platforms. Please share them in the comments!

Reference: Configuration Templates

I had to make the DHCP relay and DHCP server configuration templates VRF-aware to make this lab work.

DHCP relay has to use the global parameter of the ip helper-address. It also has to be configured to insert VPN sub-option into Relay Agent DHCP option (ip dhcp relay information option vpn):

DHCP relay configuration template

% for intf in interfaces if intf.dhcp.server is defined and intf.vrf is defined %
%   if loop.first %
ip dhcp relay information option vpn
%   endif %
% endfor %
!
% for intf in interfaces if intf.dhcp.server is defined %
%   set helper = hostvars[intf.dhcp.server].loopback.ipv4
interface  intf.ifname 
%   if intf.vrf is defined %
 ip helper-address global  helper 
%   else %
 ip helper-address  helper 
%   endif %
% endfor %

All I had to do in the DHCP server template was to add the vrf option to ip dhcp excluded-address and ip dhcp pool configuration commands:

DHCP relay server template

logging buffered
no service timestamp debug
!
do debug ip dhcp server packet
do debug ip dhcp server event
!
% for h,v in hostvars.items() %
%   for intf in v.interfaces if intf.dhcp.server is defined and intf.ipv4 is defined %
ip dhcp excluded-address % if intf.vrf is defined %vrf  intf.vrf  % endif % intf.ipv4
%   endfor %
% endfor %
!
% for h,v in hostvars.items() %
%   for intf in v.interfaces if intf.dhcp.server is defined and intf.ipv4 is defined %
!
ip dhcp pool p_ intf.ipv4
%     if intf.vrf is defined %
 vrf  intf.vrf 
%     endif %
 network  intf.ipv4 ipaddr('netmask')  
 default-router ipaddr('address') 
%   endfor %
% endfor %

You can download the configuration templates from GitHub;

Try It Out!

Want to run this lab on your own, or try it out with different devices? No problem:

Coming Up Next

So far so good: simple DHCP relaying works, as does (with a few quirks) inter-VRF DHCP relaying. Will they still work in VXLAN segments? That’s the topic of the next blog post in this series.

[ad_2]

Source link