Trying to grasp RFC 3011, using ISC DHCP and Cisco ASA

Nick Ellson Nick.Ellson at pgn.com
Thu Dec 11 17:55:52 UTC 2008


Correct, I believe. 

The Relay Agent (the Cisco ASA) has no Layer 3 presence on the 172.22.12.0/24 subnet that I desire the clients to be addressed on. It is in fact several layer 3 hops away from the DHCP Server. 

In my vpn group policy I get an option for:

 dhcp-network-scope 

group-policy mode commands/options:
  A.B.C.D  The IP sub-network that the DHCP server should assign to users in
           this group
  none     No range of IP addresses will be specified and disable inheritance

So I gave it the "dhcp-network-scope 172.22.12.0" option and got what you saw in the DHCPDUMP output.

So for a DHCP-RELAY to successfully do what I need, the DHCP REQUEST is not putting out the needed options, correct? Meaning that if I need to request an address from a scope that my relay has no presence on, then it has to be able to select the scope AND still get the reply back from the DHCP system.

I am having option confusion, and need to read 2131/3527 as well so I really understand what a relay agent must make as a request to make this happen, then I can try and make Cisco understand what is busted about their request.

Nick




Nick Ellson
CCIE# 20018
Infrastructure Specialist
PGE, Network Operations Center
7 am - 4 pm, Pacific M-F 
Personal: (503) 464-2995
Network Trouble: (503) 464-8754
"Educating Layer 8, one user at a time."
 

-----Original Message-----
From: dhcp-users-bounces at lists.isc.org [mailto:dhcp-users-bounces at lists.isc.org] On Behalf Of David W. Hankins
Sent: Thursday, December 11, 2008 9:32 AM
To: Users of ISC DHCP
Subject: Re: Trying to grasp RFC 3011, using ISC DHCP and Cisco ASA

On Thu, Dec 11, 2008 at 09:24:08AM -0800, David W. Hankins wrote:
> But that segues into the current problem; your giaddr is apparently
> an invalid value, not the address locating the DHCP relay agent.

Ok, this explanation is lame, let me try again.

A relay agent sets 'giaddr' to be its own address, facing the client
whose packet it is passing on.

A server uses this value for two purposes;

1) To locate the right shared network, hence subnet(s), hence
   appropriate leases.

2) To direct its replies to the relay agent.

RFCs 3011 and 3527 give the relay agent a way to provide a hint for
the first, while continuing to use giaddr for the second.  It is
generally only used when the relay agent does not have a valid address
on the client-facing network, or where the relay agent would not be
normally reachable by the server using that address.


It appears to me that the giaddr value is -not- the relay agent's
address in your case, but is appropriate for locating leases.

-- 
Ash bugud-gul durbatuluk agh burzum-ishi krimpatul.
Why settle for the lesser evil?	 https://secure.isc.org/store/t-shirt/
-- 
David W. Hankins	"If you don't do it right the first time,
Software Engineer		     you'll just have to do it again."
Internet Systems Consortium, Inc.		-- Jack T. Hankins
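As an added example (not from this thread, and not ISC DHCP's own code), here is a small Python model of the two giaddr purposes David describes: scope selection, where an RFC 3527 link-selection sub-option or an RFC 3011 subnet-selection option overrides giaddr, and reply delivery, which always uses giaddr itself. The scope table, the rule that the 3527 hint wins over the 3011 hint when both are present, and the "bare network address in giaddr" check are assumptions of this example.

```python
import ipaddress
OPT_SUBNET_SELECTION = 118  # RFC 3011 Subnet Selection option: one IPv4 address
OPT_RELAY_AGENT_INFO = 82   # RFC 3046 Relay Agent Information option
SUBOPT_LINK_SELECTION = 5   # RFC 3527 Link Selection sub-option, carried inside option 82
# Constructed scope table: clients belong in 172.22.12.0/24; the relay sits on 10.1.1.0/24.
SCOPES = [ipaddress.ip_network("172.22.12.0/24"), ipaddress.ip_network("10.1.1.0/24")]

def subnet_selection_option(addr):  # encode an RFC 3011 hint for the option field
    return bytes([OPT_SUBNET_SELECTION, 4]) + ipaddress.ip_address(addr).packed
def link_selection_option(addr):  # encode an RFC 3527 hint: option 82 wrapping sub-option 5
    return bytes([OPT_RELAY_AGENT_INFO, 6, SUBOPT_LINK_SELECTION, 4]) + ipaddress.ip_address(addr).packed

def parse_options(blob):
    """Parse the DHCP option field (after the magic cookie) into {code: value}."""
    opts, i = {}, 0
    while i < len(blob) and blob[i] != 255:  # 255 = END
        if blob[i] == 0:                      # 0 = PAD, carries no length byte
            i += 1
            continue
        code, length = blob[i], blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def link_selection(opts):
    """Return the RFC 3527 link-selection address from option 82, or None."""
    raw, i = opts.get(OPT_RELAY_AGENT_INFO, b""), 0
    while i + 2 <= len(raw):
        sub, length = raw[i], raw[i + 1]
        if sub == SUBOPT_LINK_SELECTION and length == 4:
            return ipaddress.ip_address(raw[i + 2:i + 6])
        i += 2 + length
    return None

def select_scope(giaddr, option_bytes):
    """giaddr purpose 1: locate the scope. A relay hint (3527, then 3011) overrides it."""
    opts = parse_options(option_bytes)
    key = link_selection(opts)
    if key is None and len(opts.get(OPT_SUBNET_SELECTION, b"")) == 4:
        key = ipaddress.ip_address(opts[OPT_SUBNET_SELECTION])
    if key is None:
        key = ipaddress.ip_address(giaddr)
    return next((str(net) for net in SCOPES if key in net), None)

def reply_destination(giaddr):
    """giaddr purpose 2: where the reply goes. A bare network address has no host behind it."""
    addr = ipaddress.ip_address(giaddr)
    if any(addr == net.network_address for net in SCOPES):
        return None  # the thread's case: 172.22.12.0 locates leases but cannot receive the reply
    return str(addr)
```

With giaddr set to 172.22.12.0 and no hint, select_scope still finds the right scope, which is exactly why the DHCPDUMP looked plausible, while reply_destination shows why no reply can reach the relay.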