Trying to grasp RFC 3011, using ISC DHCP and Cisco ASA
Nick.Ellson at pgn.com
Thu Dec 11 18:44:10 UTC 2008
Thanks to your explanation I was able to get the Cisco TAC to identify this Feature Request already in their system from another client:
CSCsm60591 Bug Details
DHCP Proxy/Address Assignment: Add support for RFC 3011 and RFC 3527
ASA sends DHCP Discover message out one interface, but does not ever get a reply DHCP Offer message from the DHCP Server. However, this applies only if the dhcp-network-scope specified is an interface other than the interface the Discover was sent out, and in the network topology includes next hop routers or firewalls between the ASA and the DHCP Server.
In a customer environment where, a DHCP Offer message sent from a DHCP Server to the ASA may take a different path than the DHCP Discover message sent by the ASA may run into issues. RFC 3011 ensures that the DHCP Offer message will be sent back to the same ASA interface it came from.
I have added my company to the list of those that need this function.
PGE, Network Operations Center
7 am - 4 pm, Pacific M-F
Personal: (503) 464-2995
Network Trouble: (503) 464-8754
"Educating Layer 8, one user at a time."
From: dhcp-users-bounces at lists.isc.org [mailto:dhcp-users-bounces at lists.isc.org] On Behalf Of David W. Hankins
Sent: Thursday, December 11, 2008 9:32 AM
To: Users of ISC DHCP
Subject: Re: Trying to grasp RFC 3011, using ISC DHCP and Cisco ASA
On Thu, Dec 11, 2008 at 09:24:08AM -0800, David W. Hankins wrote:
> But that segues into the current problem; your giaddr is apparently
> an invalid value, not the address locating the DHCP relay agent.
Ok, this explanation is lame, let me try again.
A relay agent sets 'giaddr' to be it's own address, facing the client
whose packet it is passing on.
A server uses this value for two purposes;
1) To locate the right shared network, hence subnet(s), hence
2) To direct its replies to the relay agent.
RFC's 3011 and 3527 give the relay agent a way to provide a hint for
the first, while continuing to use giaddr for the second. It is
generally only used when the relay agent does not have a valid address
on the client-facing network, or where the relay agent would not be
normally reachable by the server using that address.
It appears to me that the giaddr value is -not- the relay agent's
address in your case, but is appropriate for locating leases.
Ash bugud-gul durbatuluk agh burzum-ishi krimpatul.
Why settle for the lesser evil? https://secure.isc.org/store/t-shirt/
David W. Hankins "If you don't do it right the first time,
Software Engineer you'll just have to do it again."
Internet Systems Consortium, Inc. -- Jack T. Hankins
More information about the dhcp-users