DHCP relay on VSX 65



manrag
2009-04-14, 16:35
Hi, I want to configure DHCP relay on an NGX R65 VSX cluster. I've seen some people talking about NATing, other SKs talking about modifying some files.

Can someone help me with the steps for configuring DHCP relay on a VS?

chillyjim
2009-04-14, 18:40
A few weeks ago I was successful by "vsx set"-ing to the right VS and cpconfig'ing.

I also had to add a rule to explicitly allow DHCP_REQ (or something close to that).

sisu-up
2009-04-15, 08:13
You need two (well maybe three) things.

1. You have to create the relay configuration. You can use sysconfig to do the first one if you wish. Here is what the config file looks like; it is located in /etc/sysconfig/dhcrelay.vrf

ENABLED=yes
VRF=10
DHCPSERVERS="dhcp_server_address1 dhcp_server_address2"
INTERFACES="eth1.648 wrp640"

This is for a VSID of 10. The wrp640 is the external interface.

Now you have to create NAT rules to NAT the wrp addresses of the VS to the real address of the internal gateway, in the case eth1.648.

How do I know what the wrp addresses for this VS are? In a cluster you have to do this on both members.

gateway# vsx showncs 10
<lots of stripped out data>
interface set dev eth1.648 address 10.255.0.17 netmask 255.255.255.240 mtu 1500 vr 10 cluster_ip 75.75.75.1 cluster_mask 255.255.255.0

The NAT rule will look like so.

Original SRC   Original DST   Original SRVC   Translated SRC   Translated DST
10.255.0.17    ANY            UDP 67          75.75.75.1       ORG
10.255.0.17    ANY            UDP 68          75.75.75.1       ORG

If you do not NAT such as this, the discovery will be forwarded to the external dhcp server with the wrp address not the real gw address. In this case if I did not NAT the outbound UDP67/68 then the source of the discover would come from 10.255.0.17 and the host would not get an address since there is no scope and the host really wanted an address from network 75.75.75.0/24.

I have been doing dhcp forwarding on VSX for three years, with both R60 and R65. If you fail to get this working let me know.

One other thing. If you are using the FCS /etc/init.d/dhcrelay you will have to add the following to the script or your relay will fail to work properly. Add this "export VRF_ENABLED=1" right below:

start() {
    # Start daemons.
    conffile=""

    # Define DHCP Relay Configuration File
    # When this file is undefined, we will launch a few relay daemons
    # (for every VS configuration file found)
    # Also take care of vrf parameter
    export VRF_ENABLED=1
    if [ -n "$VRF_ENABLED" ]; then

[Expert@primary:0]# diff -s dhcrelay dhcrelay.FCS
< export VRF_ENABLED=1
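As an added example (not Check Point code and not from the post's author), the script below parses the `vsx showncs` interface line quoted above, generates the two outbound NAT rows the post describes, and models why the un-NATed wrp-side address fails scope selection on the DHCP server. The showncs line is copied from the post; the server scope table and the selection model are constructed assumptions.

```python
# Added example: parse a `vsx showncs` interface line, derive the DHCP relay
# source-NAT rows, and model DHCP server scope selection. Not Check Point code;
# the scope table and selection model below are constructed assumptions.
import ipaddress
import re

# Interface line exactly as printed by `vsx showncs 10` in the post.
SHOWNCS_LINE = (
    "interface set dev eth1.648 address 10.255.0.17 netmask 255.255.255.240 "
    "mtu 1500 vr 10 cluster_ip 75.75.75.1 cluster_mask 255.255.255.0"
)

_IFACE_RE = re.compile(
    r"dev (?P<dev>\S+) address (?P<local>\S+) netmask (?P<mask>\S+)"
    r" .*?vr (?P<vsid>\d+) cluster_ip (?P<cip>\S+) cluster_mask (?P<cmask>\S+)"
)


def parse_showncs(line):
    """Extract the member-local (wrp-side) address and the cluster VIP for one VS interface."""
    m = _IFACE_RE.search(line)
    if m is None:
        raise ValueError("not a showncs interface line: %r" % line)
    return {
        "dev": m["dev"],
        "local": m["local"],
        "netmask": m["mask"],
        "vsid": int(m["vsid"]),
        "cluster_ip": m["cip"],
        "cluster_mask": m["cmask"],
    }


def nat_rules(iface):
    """Static source-NAT rows in the post's column order:
    (orig SRC, orig DST, orig SRVC, xlate SRC, xlate DST).
    Relay traffic leaving with the member-local address is rewritten to the
    cluster IP; the destination (the DHCP server) stays original."""
    return [
        (iface["local"], "ANY", "UDP %d" % port, iface["cluster_ip"], "ORG")
        for port in (67, 68)
    ]


# Constructed DHCP server scope table: only the real client VLAN has a scope.
SCOPES = [ipaddress.ip_network("75.75.75.0/24")]


def scope_for(relay_addr, scopes=SCOPES):
    """Model of server-side scope selection (assumption): the relayed DISCOVER
    is matched against configured scopes by the relay address it carries.
    Returns the matching scope, or None when no scope fits, which is the
    "host never gets an address" failure the post describes."""
    addr = ipaddress.ip_address(relay_addr)
    for scope in scopes:
        if addr in scope:
            return scope
    return None


if __name__ == "__main__":
    iface = parse_showncs(SHOWNCS_LINE)
    print("VS %d %s local=%s cluster_ip=%s"
          % (iface["vsid"], iface["dev"], iface["local"], iface["cluster_ip"]))
    for row in nat_rules(iface):
        print("NAT:", *row)
    # Without NAT the relay address is 10.255.0.17 (no scope); with NAT it is
    # 75.75.75.1 (scope 75.75.75.0/24 matches).
    for src in (iface["local"], iface["cluster_ip"]):
        print("relay source %-12s -> scope %s" % (src, scope_for(src)))
```

Run it on each cluster member's own showncs output: the local address differs per member, which is why the post says the NAT rules have to be created on both members.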

sisu-up
2009-04-15, 08:21
One more thing I forgot to mention. It won't work without the discovery broadcast object.

You need to create a host object with an address of 255.255.255.255.

Security rules needed are like so.

Rule   SRC           DST               SRV         Action
1      ANY           255.255.255.255   UDP 67/68   Accept
2      Inside_Nets   DHCP_SRVR         UDP 67/66   Accept
3      Any           Inside_Nets       UDP 67/68   Accept

There are predefined DHCP objects; you can use all three of them, but make sure any advanced inspection is turned off. Also, you may need to tune your rules a bit tighter than the ones I show here, like rule 3, to fit your needs. I have found that using the DHCP server as a SRC in rule three has caused me problems in the past; that's why I use Any now.

manrag
2009-04-15, 10:00
Sisu-up

Thanks for your answer. I have two questions.

1. Can you clarify for me what the FCS dhcrelay is?
2. The actual FW cluster that is in production (the one that's being replaced by the VSX cluster) has the DHCP relay, but we had to uninstall the dhcp packages and install the ones from R55. Did you have to do that?

Thanks for your help.

sisu-up
2009-04-15, 11:25
What it means is the script that shipped with the CD, i.e. first customer shipment. I had to add the VRF Enable statement to the script for it to work, as explained in my previous post.

No, I used what was shipped with the CD, so you should be able to build the VSX gateway, modify dhcrelay, build out your dhcrelay.vrf$VSID, create your security and NAT rules, fire up dhcrelay and it should start and forward discoveries. This applies to both VSX R60 and R65.

Anytime, once you get through the first configuration the rest will be easy. It's a bit strange, and a bit complex, but I have been pretty happy with it.


sisu-up
2009-04-30, 06:59
FYI

I did some testing on the need for NAT a few days ago. In R60 this was required; however, in R65 I have a test FW that used no NAT for the wrp internal GW addresses and the DHCP client did receive an address. I will be offering more detail on this in a few weeks.

sisu-up
2009-08-28, 13:13
OK, it's been a while. I tried *not* NATing the wrp addresses to the real internal VLAN or interface IP and did not receive an IP address from the server. So if you use R60 or R65 VSX with SecurePlatform, you will need to create two or four NAT rules for each interface that will need to forward DHCP discovers to an external DHCP server.