Trying to grasp RFC 3011, using ISC DHCP and Cisco ASA

Nick Ellson Nick.Ellson at pgn.com
Thu Dec 11 16:47:05 UTC 2008


I am trying to offload the VPN Client addressing from my Cisco ASA to using DHCP. Cisco supports RFC 3011 so that I can pick a DHCP pool for each profile I have by specifying an address in the desired scope.

I have discovered that our MS DHCP server does not support RFC 3011, so I am testing a Linux box with dhcp V3.1.1, and I had a question on what I am seeing in dhcpdump:

Inside interface of my VPN box (ASA 5510) is 172.22.199.248
My Linux Box running dhcpd is 172.22.1.123

<snip>
subnet 172.22.12.0 netmask 255.255.255.0 {
  range 172.22.12.10 172.22.12.30;
  option domain-name-servers 172.22.8.230, 172.22.8.233;
  option domain-name "remote.tal.dom";
  default-lease-time 600;
  max-lease-time 7200;
}
<snip>

When I try to log into the VPN system, I see this on my server:

dhcpdump  -i eth0

  TIME: 2008-12-11 08:42:18.882
    IP: 172.22.199.248 (0:11:20:e2:bb:3f) > 172.22.1.123 (0:11:85:5c:ae:21)
    OP: 1 (BOOTPREQUEST)
 HTYPE: 1 (Ethernet)
  HLEN: 6
  HOPS: 0
   XID: 082c8acb
  SECS: 0
 FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: 0.0.0.0
SIADDR: 0.0.0.0
GIADDR: 172.22.12.0
CHADDR: 00:1e:13:12:e9:cd:00:00:00:00:00:00:00:00:00:00
 SNAME: .
 FNAME: .
OPTION:  53 (  1) DHCP message type         1 (DHCPDISCOVER)
OPTION:  57 (  2) Maximum DHCP message size 1152
OPTION:  61 ( 35) Client-identifier         00:63:69:73:63:6f:2d:30:30:31:65:2e:31:33:31:32:2e:65:39:63:64:2d:50:4c:4e:30:35:36:30:38:2d:4c:41:4e:00
OPTION:  12 (  8) Host name                 PLN0560
OPTION:  55 (  6) Parameter Request List      1 (Subnet mask)
                                              6 (DNS server)
                                             15 (Domainname)
                                             44 (NetBIOS name server)
                                              3 (Routers)
                                             33 (Static route)

---------------------------------------------------------------------------

  TIME: 2008-12-11 08:42:19.003
    IP: 172.22.1.123 (0:11:85:5c:ae:21) > 172.22.12.0 (0:0:c:7:ac:1)
    OP: 2 (BOOTPREPLY)
 HTYPE: 1 (Ethernet)
  HLEN: 6
  HOPS: 0
   XID: 082c8acb
  SECS: 0
 FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: 172.22.12.11
SIADDR: 0.0.0.0
GIADDR: 172.22.12.0
CHADDR: 00:1e:13:12:e9:cd:00:00:00:00:00:00:00:00:00:00
 SNAME: .
 FNAME: .
OPTION:  53 (  1) DHCP message type         2 (DHCPOFFER)
OPTION:  54 (  4) Server identifier         172.22.1.123
OPTION:  51 (  4) IP address leasetime      600 (10m)
OPTION:   1 (  4) Subnet mask               255.255.255.0
OPTION:   6 (  8) DNS server                172.22.8.230,172.22.8.233
OPTION:  15 ( 15) Domainname                remote.tal.dom
---------------------------------------------------------------------------

And it repeats 4 times and eventually my client gets no address.

It looks like I am getting farther than the MS DHCP server. But I don't understand this line in the reply:

IP: 172.22.1.123 (0:11:85:5c:ae:21) > 172.22.12.0 (0:0:c:7:ac:1)

Why would it reply TO an address that is part of its own pool?? Should it not reply to the IP in the original request? Or how would my packet make it back to my ASA?

Nick

Nick Ellson
CCIE# 20018
Infrastructure Specialist
PGE, Network Operations Center
7 am - 4 pm, Pacific M-F
Personal: (503) 464-2995
Network Trouble: (503) 464-8754
"Educating Layer 8, one user at a time."
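The reply destination Nick is asking about is decided by the header fields of the request, not by the IP source address. As an added illustration (this is not part of Nick's post and not ISC dhcpd code), the script below implements the reply-addressing rules of RFC 2131 section 4.1 as a small function, and runs it over a DHCPDISCOVER constructed from the header values in the trace above (xid 082c8acb, giaddr 172.22.12.0, chaddr 00:1e:13:12:e9:cd). It also looks for RFC 3011's subnet selection option (code 118), which the dhcpdump output above does not list; in the trace the pool subnet appears only in giaddr. The packet builder, parser, constant names and the second, broadcast-flag variant of the packet are my own constructions for the demonstration.

```python
"""RFC 2131 section 4.1 reply addressing, worked against the DHCPDISCOVER in the trace.

Added example, not from the original post or from ISC dhcpd. Packet builder/parser
and constructed sample packets are assumptions made for the demonstration.
"""
import struct
from ipaddress import IPv4Address

BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SUBNET_SELECTION, OPT_END = 0, 53, 118, 255
BROADCAST_FLAG = 0x8000
# Fixed BOOTP header: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr,
# siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes.
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"


def build_dhcp(op, xid, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, options):
    """Build a DHCP datagram: fixed header, magic cookie, TLV options, END."""
    chaddr16 = bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, flags,
                         IPv4Address(ciaddr).packed, IPv4Address(yiaddr).packed,
                         IPv4Address(siaddr).packed, IPv4Address(giaddr).packed,
                         chaddr16, b"\x00" * 64, b"\x00" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_dhcp(data):
    """Parse the header fields and option TLVs needed to pick a reply destination."""
    (op, _htype, hlen, _hops, xid, _secs, flags, ciaddr, yiaddr, _siaddr, giaddr,
     chaddr, _sname, _file) = struct.unpack(HEADER_FMT, data[:236])
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    options, i = {}, 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == OPT_PAD:
            i += 1
            continue
        code, length = data[i], data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op, "xid": xid, "flags": flags,
        "ciaddr": str(IPv4Address(ciaddr)), "yiaddr": str(IPv4Address(yiaddr)),
        "giaddr": str(IPv4Address(giaddr)),
        "chaddr": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "options": options,
    }


def reply_destination(req, offered_yiaddr):
    """Where RFC 2131 section 4.1 tells a server to send its DHCPOFFER/DHCPACK."""
    if req["giaddr"] != "0.0.0.0":
        # Non-zero giaddr: reply goes to the relay agent on the server port.
        return (req["giaddr"], DHCP_SERVER_PORT, "relay agent (giaddr)")
    if req["ciaddr"] != "0.0.0.0":
        return (req["ciaddr"], DHCP_CLIENT_PORT, "unicast to ciaddr")
    if req["flags"] & BROADCAST_FLAG:
        return ("255.255.255.255", DHCP_CLIENT_PORT, "broadcast (flag set)")
    return (offered_yiaddr, DHCP_CLIENT_PORT, f"unicast to yiaddr at {req['chaddr']}")


def subnet_selection(req):
    """RFC 3011 option 118 value if the client sent one, otherwise None."""
    raw = req["options"].get(OPT_SUBNET_SELECTION)
    return str(IPv4Address(raw)) if raw else None


# Constructed DISCOVER carrying the header values shown in the dhcpdump trace.
DISCOVER_FROM_TRACE = build_dhcp(
    BOOTREQUEST, 0x082C8ACB, 0, "0.0.0.0", "0.0.0.0", "0.0.0.0",
    "172.22.12.0", "00:1e:13:12:e9:cd", [(OPT_MSG_TYPE, b"\x01")])

# Constructed variant: no relay (giaddr zero) and the broadcast flag set.
DISCOVER_BROADCAST = build_dhcp(
    BOOTREQUEST, 0x082C8ACB, BROADCAST_FLAG, "0.0.0.0", "0.0.0.0", "0.0.0.0",
    "0.0.0.0", "00:1e:13:12:e9:cd", [(OPT_MSG_TYPE, b"\x01")])

if __name__ == "__main__":
    for name, pkt in (("trace", DISCOVER_FROM_TRACE), ("broadcast", DISCOVER_BROADCAST)):
        req = parse_dhcp(pkt)
        print(f"{name}: xid={req['xid']:08x} giaddr={req['giaddr']} "
              f"option118={subnet_selection(req)} "
              f"reply -> {reply_destination(req, '172.22.12.11')}")
```

For the trace packet the function returns 172.22.12.0 on port 67, which is exactly the destination dhcpdump shows for the OFFER: with giaddr set, the server addresses the relay agent named in giaddr and never looks at the IP header of the request. The broadcast variant shows the branch a directly connected client would take.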

