Trying to grasp RFC 3011, using ISC DHCP and Cisco ASA
Nick Ellson
Nick.Ellson at pgn.com
Thu Dec 11 16:47:05 UTC 2008
I am trying to offload the VPN Client addressing from my Cisco ASA to using DHCP. Cisco supports RFC 3011 so that I can pick a DHCP pool for each profile I have by specifying an address in the desired scope.
I have discovered that our MS DHCP server does not support RFC 3011, so I am testing a linux box with dhcp V3.1.1 and I had a question on what I am seeing in dhcpdump:
Inside interface of my VPN box (ASA 5510) is 172.22.199.248
My Linux Box running dhcpd is 172.22.1.123
<snip>
subnet 172.22.12.0 netmask 255.255.255.0 {
range 172.22.12.10 172.22.12.30;
option domain-name-servers 172.22.8.230, 172.22.8.233;
option domain-name "remote.tal.dom";
default-lease-time 600;
max-lease-time 7200;
}
<snip>
When I try to log into the VPN system, I see this on my server:
dhcpdump -i eth0
TIME: 2008-12-11 08:42:18.882
IP: 172.22.199.248 (0:11:20:e2:bb:3f) > 172.22.1.123 (0:11:85:5c:ae:21)
OP: 1 (BOOTPREQUEST)
HTYPE: 1 (Ethernet)
HLEN: 6
HOPS: 0
XID: 082c8acb
SECS: 0
FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: 0.0.0.0
SIADDR: 0.0.0.0
GIADDR: 172.22.12.0
CHADDR: 00:1e:13:12:e9:cd:00:00:00:00:00:00:00:00:00:00
SNAME: .
FNAME: .
OPTION: 53 ( 1) DHCP message type 1 (DHCPDISCOVER)
OPTION: 57 ( 2) Maximum DHCP message size 1152
OPTION: 61 ( 35) Client-identifier 00:63:69:73:63:6f:2d:30:30:31:65:2e:31:33:31:32:2e:65:39:63:64:2d:50:4c:4e:30:35:36:30:38:2d:4c:41:4e:00
OPTION: 12 ( 8) Host name PLN0560
OPTION: 55 ( 6) Parameter Request List 1 (Subnet mask)
6 (DNS server)
15 (Domainname)
44 (NetBIOS name server)
3 (Routers)
33 (Static route)
---------------------------------------------------------------------------
TIME: 2008-12-11 08:42:19.003
IP: 172.22.1.123 (0:11:85:5c:ae:21) > 172.22.12.0 (0:0:c:7:ac:1)
OP: 2 (BOOTPREPLY)
HTYPE: 1 (Ethernet)
HLEN: 6
HOPS: 0
XID: 082c8acb
SECS: 0
FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: 172.22.12.11
SIADDR: 0.0.0.0
GIADDR: 172.22.12.0
CHADDR: 00:1e:13:12:e9:cd:00:00:00:00:00:00:00:00:00:00
SNAME: .
FNAME: .
OPTION: 53 ( 1) DHCP message type 2 (DHCPOFFER)
OPTION: 54 ( 4) Server identifier 172.22.1.123
OPTION: 51 ( 4) IP address leasetime 600 (10m)
OPTION: 1 ( 4) Subnet mask 255.255.255.0
OPTION: 6 ( 8) DNS server 172.22.8.230,172.22.8.233
OPTION: 15 ( 15) Domainname remote.tal.dom
---------------------------------------------------------------------------
And it repeats 4 times and eventually my client gets no address.
It looks like I am getting farther than the MS DHCP server. But I don't understand this line in the reply:
IP: 172.22.1.123 (0:11:85:5c:ae:21) > 172.22.12.0 (0:0:c:7:ac:1)
Why would it reply TO an address that is part of its own pool? Should it not reply to the IP in the original request? Or how would my packet make it back to my ASA?
Nick
Nick Ellson
CCIE# 20018
Infrastructure Specialist
PGE, Network Operations Center
7 am - 4 pm, Pacific M-F
Personal: (503) 464-2995
Network Trouble: (503) 464-8754
"Educating Layer 8, one user at a time."
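The two rules behind the capture above are RFC 2131 section 4.1 (a server sends its reply to giaddr, port 67, whenever giaddr is non-zero) and RFC 3011 section 3 (the subnet-selection option, code 118, overrides giaddr for choosing the pool but not for choosing where the reply goes). The dhcpdump output shows giaddr = 172.22.12.0 and no option 118, so dhcpd picks the 172.22.12.0/24 pool from giaddr and, by the same field, unicasts the OFFER to 172.22.12.0. The script below is an added example, not code from the post, from ISC or from Cisco: it builds three constructed DHCPDISCOVER packets (one mirroring the capture, one carrying option 118 with a real relay address in giaddr, one from a plain LAN client), decodes them, and applies the two rules. The addresses come from the post; the 172.22.1.0/24 mask for the server's own LAN, the relay address used in the RFC 3011 packet, and the function names are assumptions made for the example.

```python
"""DHCPDISCOVER decoding plus RFC 2131 reply routing and RFC 3011 subnet selection.

Added example (not from the original post, ISC dhcpd or Cisco). Addresses are
taken from the post; SERVER_SUBNETS, SERVER_ADDR and the relay address in the
RFC 3011 packet are assumptions for the example.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE = 53
OPT_SUBNET_SELECTION = 118          # RFC 3011
OPT_END = 255
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed BOOTP header
FLAG_BROADCAST = 0x8000

# Subnets the server knows: the pool from the dhcpd.conf in the post plus the
# server's own LAN (the /24 is assumed).
SERVER_SUBNETS = [ipaddress.ip_network("172.22.12.0/24"),
                  ipaddress.ip_network("172.22.1.0/24")]
SERVER_ADDR = ipaddress.ip_address("172.22.1.123")   # dhcpd host from the post


def build_discover(xid, chaddr, giaddr="0.0.0.0", options=(), flags=0):
    """Assemble a minimal DHCPDISCOVER. options: iterable of (code, bytes)."""
    hdr = struct.pack(BOOTP_HDR, 1, 1, 6, 0, xid, 0, flags,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4,          # ciaddr, yiaddr, siaddr
                      ipaddress.ip_address(giaddr).packed,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, 1])            # type 1 = DISCOVER
    for code, val in options:
        body += bytes([code, len(val)]) + val
    return hdr + body + bytes([OPT_END])


def parse_dhcp(pkt):
    """Decode the fixed header and the TLV option area of a DHCP packet."""
    f = struct.unpack_from(BOOTP_HDR, pkt)
    msg = {"op": f[0], "xid": f[4], "flags": f[6],
           "ciaddr": ipaddress.ip_address(f[7]),
           "yiaddr": ipaddress.ip_address(f[8]),
           "giaddr": ipaddress.ip_address(f[10]),
           "chaddr": f[11][:f[2]], "options": {}}
    rest = pkt[struct.calcsize(BOOTP_HDR):]
    if not rest.startswith(MAGIC_COOKIE):
        raise ValueError("no DHCP magic cookie")
    i = len(MAGIC_COOKIE)
    while i < len(rest):
        code = rest[i]
        if code == 0:                      # pad byte
            i += 1
            continue
        if code == OPT_END:
            break
        length = rest[i + 1]
        msg["options"][code] = rest[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def select_subnet(msg):
    """RFC 3011: option 118 wins; otherwise giaddr; otherwise the receiving interface."""
    if OPT_SUBNET_SELECTION in msg["options"]:
        hint = ipaddress.ip_address(msg["options"][OPT_SUBNET_SELECTION])
    elif int(msg["giaddr"]) != 0:
        hint = msg["giaddr"]
    else:
        hint = SERVER_ADDR
    return next((net for net in SERVER_SUBNETS if hint in net), None)


def reply_destination(msg, offered):
    """RFC 2131 section 4.1: where the server sends OFFER/ACK."""
    if int(msg["giaddr"]) != 0:
        return (str(msg["giaddr"]), 67)   # relay agent, server port, regardless of option 118
    if int(msg["ciaddr"]) != 0:
        return (str(msg["ciaddr"]), 68)
    if msg["flags"] & FLAG_BROADCAST:
        return ("255.255.255.255", 68)
    return (str(offered), 68)             # unicast to yiaddr via chaddr


def demo():
    chaddr = bytes.fromhex("001e1312e9cd")          # CHADDR from the capture
    packets = {
        # Mirrors the capture: giaddr = the scope's network address, no option 118.
        "as_captured": build_discover(0x082C8ACB, chaddr, giaddr="172.22.12.0"),
        # RFC 3011 style: giaddr = an address the relay actually owns (assumed to be the
        # ASA inside address from the post), option 118 = the wanted scope.
        "rfc3011": build_discover(0x082C8ACB, chaddr, giaddr="172.22.199.248",
                                  options=[(OPT_SUBNET_SELECTION,
                                            ipaddress.ip_address("172.22.12.0").packed)]),
        # Ordinary client on the server's own LAN, broadcast bit set.
        "local": build_discover(0x1234, chaddr, flags=FLAG_BROADCAST),
    }
    result = {}
    for name, raw in packets.items():
        msg = parse_dhcp(raw)
        net = select_subnet(msg)
        offered = net[11] if net else None           # first lease in the post's range was .11
        result[name] = {
            "subnet": str(net),
            "reply_to": reply_destination(msg, offered),
            "giaddr_is_network_address": net is not None and msg["giaddr"] == net.network_address,
        }
    return result


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:12s} pool={r['subnet']} reply_to={r['reply_to']} "
              f"giaddr_is_network_address={r['giaddr_is_network_address']}")
```

Run it and the first line reproduces the situation in the capture: the pool is chosen correctly, but the OFFER is addressed to 172.22.12.0, the network address of that pool, because that is what the request put in giaddr. The second line shows the RFC 3011 form, where the same pool is chosen from option 118 while the reply goes back to the relay's real address.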