Trying to grasp RFC 3011, using ISC DHCP and Cisco ASA

Nick Ellson Nick.Ellson at
Thu Dec 11 17:55:52 UTC 2008

Correct, I believe. 

The Relay Agent (the Cisco ASA) has no Layer 3 presence on the subnet that I desire the clients to be addressed on. It is in fact several layer 3 hops away from the DHCP Server.

In my vpn group policy I get an option for:


group-policy mode commands/options:
  A.B.C.D  The IP sub-network that the DHCP server should assign to users in
           this group
  none     No range of IP addresses will be specified and disable inheritance

So I gave it the "dhcp-network-scope" option and got what you saw in the DHCPDUMP output.

So for a DHCP-RELAY to successfully do what I need, the DHCP REQUEST is not putting out the needed options, correct? Meaning that if I need to request an address from a scope that my relay has no presence on, then it has to be able to select the scope AND still get the reply back from the DHCP system.

I am having option confusion, and need to read 2131/3527 as well so I really understand what a relay agent must make as a request to make this happen, then I can try and make Cisco understand what is busted about their request.


Nick Ellson
CCIE# 20018
Infrastructure Specialist
PGE, Network Operations Center
7 am - 4 pm, Pacific M-F 
Personal: (503) 464-2995
Network Trouble: (503) 464-8754
"Educating Layer 8, one user at a time."

-----Original Message-----
From: dhcp-users-bounces at [mailto:dhcp-users-bounces at] On Behalf Of David W. Hankins
Sent: Thursday, December 11, 2008 9:32 AM
To: Users of ISC DHCP
Subject: Re: Trying to grasp RFC 3011, using ISC DHCP and Cisco ASA

On Thu, Dec 11, 2008 at 09:24:08AM -0800, David W. Hankins wrote:
> But that segues into the current problem; your giaddr is apparently
> an invalid value, not the address locating the DHCP relay agent.

Ok, this explanation is lame, let me try again.

A relay agent sets 'giaddr' to be its own address, facing the client
whose packet it is passing on.

A server uses this value for two purposes:

1) To locate the right shared network, hence subnet(s), hence
   appropriate leases.

2) To direct its replies to the relay agent.

RFCs 3011 and 3527 give the relay agent a way to provide a hint for
the first, while continuing to use giaddr for the second.  It is
generally only used when the relay agent does not have a valid address
on the client-facing network, or where the relay agent would not be
normally reachable by the server using that address.

It appears to me that the giaddr value is -not- the relay agent's
address in your case, but is appropriate for locating leases.

Ash bugud-gul durbatuluk agh burzum-ishi krimpatul.
Why settle for the lesser evil?
David W. Hankins	"If you don't do it right the first time,
Software Engineer		     you'll just have to do it again."
Internet Systems Consortium, Inc.		-- Jack T. Hankins
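
Added example, not part of the original thread and not ISC DHCP or Cisco code: a diagnostic that parses a relayed request and reports which address a server would use to locate leases and which it would reply to, following the two giaddr purposes described above and the RFC 3527 rule that the link-selection sub-option takes precedence over option 118. The relay address, the client scope and the `build`/`analyse` helpers are assumptions made for illustration, using documentation address ranges.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie after the 236-byte BOOTP header
OPT_RELAY_INFO, SUB_LINK_SELECTION = 82, 5   # RFC 3046 / RFC 3527
OPT_SUBNET_SELECTION = 118                   # RFC 3011

def tlvs(data, top_level=True):
    """Yield (code, value) from code/length/value bytes; pad and end only exist at top level."""
    i = 0
    while i < len(data):
        code = data[i]
        if top_level and code == 0:
            i += 1
            continue
        if top_level and code == 255:
            return
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option")
        yield code, data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]

def analyse(packet, known_relays):
    """Return where leases are looked up, where the reply goes, and whether giaddr is a relay."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    giaddr = ipaddress.IPv4Address(packet[24:28])
    hint, source = giaddr, "giaddr"
    opts = dict(tlvs(packet[240:]))
    if len(opts.get(OPT_SUBNET_SELECTION, b"")) == 4:
        hint, source = ipaddress.IPv4Address(opts[OPT_SUBNET_SELECTION]), "option 118"
    subs = dict(tlvs(opts.get(OPT_RELAY_INFO, b""), top_level=False))
    if len(subs.get(SUB_LINK_SELECTION, b"")) == 4:   # RFC 3527: preferred over option 118
        hint, source = ipaddress.IPv4Address(subs[SUB_LINK_SELECTION]), "option 82 sub-option 5"
    relays = {ipaddress.IPv4Address(r) for r in known_relays}
    return {"lease_hint": str(hint), "hint_source": source,
            "reply_to": str(giaddr), "giaddr_is_relay": giaddr in relays}

def build(giaddr, options=b""):
    """Constructed sample request: only giaddr, the cookie and the options are filled in."""
    header = bytearray(236)
    header[0] = 1                                     # op = BOOTREQUEST
    header[24:28] = ipaddress.IPv4Address(giaddr).packed
    return bytes(header) + MAGIC + options + b"\xff"

RELAYS = ["192.0.2.1"]                                # assumed relay address (documentation range)
SCOPE = ipaddress.IPv4Address("198.51.100.0").packed  # assumed client scope
if __name__ == "__main__":
    print(analyse(build("198.51.100.0"), RELAYS))     # giaddr carries the scope, not the relay
    print(analyse(build("192.0.2.1", bytes([118, 4]) + SCOPE), RELAYS))
    print(analyse(build("192.0.2.1", bytes([82, 6, 5, 4]) + SCOPE), RELAYS))
```

In the first constructed request `reply_to` equals the scope and `giaddr_is_relay` is false, so the server's answer is addressed somewhere no relay listens; in the other two the hint selects the scope while the reply still goes to the relay.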
