Trying to grasp RFC 3011, using ISC DHCP and Cisco ASA
Nick.Ellson at pgn.com
Thu Dec 11 17:55:52 UTC 2008
Correct, I believe.
The Relay Agent (the Cisco ASA) has no Layer 3 presence on the 172.22.12.0/24 subnet that I desire the clients to be addressed on. It is in fact several layer 3 hops away from the DHCP Server in fact.
In my vpn group policy I get an option for:
group-policy mode commands/options:
A.B.C.D The IP sub-network that the DHCP server should assign to users in
none No range of IP addresses will be specified and disable inheritance
So I gave it the "dhcp-network-scope 172.22.12.0" option and got what you saw in the DHCPDUMP output.
So for a DHCP-RELAY to successfully do what I need, the DHCP REQUEST is not putting out the needed options, correct? Meaning that if I need to request and address from a scope that my relay has no presence on, then it has to be able to select the scope aAND still get the reply back from the DHCP system.
I am having option confusion, and need to read 2131/3527 as well so I really understand what a relay agent must make as a request to make this happen, then I can try and make Cisco understand what is busted about their request.
PGE, Network Operations Center
7 am - 4 pm, Pacific M-F
Personal: (503) 464-2995
Network Trouble: (503) 464-8754
"Educating Layer 8, one user at a time."
From: dhcp-users-bounces at lists.isc.org [mailto:dhcp-users-bounces at lists.isc.org] On Behalf Of David W. Hankins
Sent: Thursday, December 11, 2008 9:32 AM
To: Users of ISC DHCP
Subject: Re: Trying to grasp RFC 3011, using ISC DHCP and Cisco ASA
On Thu, Dec 11, 2008 at 09:24:08AM -0800, David W. Hankins wrote:
> But that segues into the current problem; your giaddr is apparently
> an invalid value, not the address locating the DHCP relay agent.
Ok, this explanation is lame, let me try again.
A relay agent sets 'giaddr' to be it's own address, facing the client
whose packet it is passing on.
A server uses this value for two purposes;
1) To locate the right shared network, hence subnet(s), hence
2) To direct its replies to the relay agent.
RFC's 3011 and 3527 give the relay agent a way to provide a hint for
the first, while continuing to use giaddr for the second. It is
generally only used when the relay agent does not have a valid address
on the client-facing network, or where the relay agent would not be
normally reachable by the server using that address.
It appears to me that the giaddr value is -not- the relay agent's
address in your case, but is appropriate for locating leases.
Ash bugud-gul durbatuluk agh burzum-ishi krimpatul.
Why settle for the lesser evil? https://secure.isc.org/store/t-shirt/
David W. Hankins "If you don't do it right the first time,
Software Engineer you'll just have to do it again."
Internet Systems Consortium, Inc. -- Jack T. Hankins
More information about the dhcp-users