Multiple dhcrelay setup causing multiple duplicate DHCP requests
dhcp1 at thehobsons.co.uk
Tue Aug 17 07:00:25 UTC 2010
Michael Hodgkinson wrote:
>The clients are broadcasting requests/discovers and the dhcrelays are
>unicasting to both dhcpd servers.
>I ran tcpdump on the firewalls and confirmed the dhcrelays are the cause of
>the duplicate packets. The capture was many MB and probably a security
>concern, otherwise I would attach it.
>It appears that the client sends a request, which is received by fw1's
>dhcrelay; the request is sent to both dhcp1 and dhcpd2, which is intercepted
>by fw2's dhcrelay, which also sends the request to both dhcp1 and dhcpd2,
>causing a loop between the two dhcrelays.
I see it now. Ordinarily fw2 wouldn't see unicast traffic relayed by
fw1, but because the servers are actually in the packet path, they do.
Two methods come to mind :
1) Move the relay agents. They do NOT have to be in the gateways,
they can be on any device that is physically connected to the same
network as the clients. It's just customary to put them in the
routers since the routers are by definition connected, and are always
on, i.e. it's a convenient place to put them.
2) Move the servers. This may be harder, but can you move the server
so that the relayed traffic doesn't go through the other relay agent?
3) If you have the facilities, put some filters on fw1 and fw2 to
block the traffic from the other device. I.e., on fw1 only allow DHCP
traffic from server dhcpd2 on that eth5 into the firewall.
Actually, I'm not sure this last one will work.
The other one that comes to mind is to figure out how to make the
relay agent more intelligent and add the missing features. I know one
that's cropped up from time to time is that the outgoing interface to
the server (eth5 in this case) must be a broadcast capable network,
i.e. it can't be something like a ppp link. I believe the same fix for
your problem would fix that.
I think the answer is probably that the relay agent needs to be able
to listen only on those interfaces to which clients will be connected,
and only use the normal OS network stack for unicast packets back
to/from the server(s). And of course, only deal with packets on the
'backhaul' that are to/from the server(s).
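As an added illustration of the relay loop discussed in this thread (my own example, not code from the thread or from ISC dhcrelay): a small Python checker that groups relayed requests by transaction id and flags any that a second relay re-forwarded, run over constructed, simplified packet summaries. The line format, addresses and xids are assumptions loosely modelled on tcpdump output, not a real capture.

```python
import re
from collections import defaultdict

# Constructed, simplified one-line summaries of relayed DHCP requests as they
# arrive on the server side (loosely modelled on tcpdump -v output; addresses,
# xids and the exact field layout are assumptions, not a capture from the thread).
SAMPLE_LINES = """\
07:00:01.001 IP 10.0.1.1.67 > 10.0.2.10.67: BOOTP/DHCP Request xid 0x1a2b3c hops 1 giaddr 10.0.1.1
07:00:01.002 IP 10.0.1.1.67 > 10.0.2.20.67: BOOTP/DHCP Request xid 0x1a2b3c hops 1 giaddr 10.0.1.1
07:00:01.003 IP 10.0.1.2.67 > 10.0.2.10.67: BOOTP/DHCP Request xid 0x1a2b3c hops 2 giaddr 10.0.1.1
07:00:01.004 IP 10.0.1.2.67 > 10.0.2.20.67: BOOTP/DHCP Request xid 0x1a2b3c hops 2 giaddr 10.0.1.1
07:00:01.005 IP 10.0.1.1.67 > 10.0.2.10.67: BOOTP/DHCP Request xid 0x1a2b3c hops 3 giaddr 10.0.1.1
07:00:05.000 IP 10.0.1.1.67 > 10.0.2.10.67: BOOTP/DHCP Request xid 0x99aa01 hops 1 giaddr 10.0.1.1
07:00:05.001 IP 10.0.1.1.67 > 10.0.2.20.67: BOOTP/DHCP Request xid 0x99aa01 hops 1 giaddr 10.0.1.1
"""

LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.67 > (?P<dst>[\d.]+)\.67: BOOTP/DHCP Request "
    r"xid (?P<xid>0x[0-9a-f]+) hops (?P<hops>\d+) giaddr (?P<giaddr>[\d.]+)"
)

def parse_line(line):
    """Return the relay-relevant fields of one summary line, or None if it is not a relayed request."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["hops"] = int(d["hops"])
    return d

def find_relay_loops(lines, num_servers):
    """Group relayed requests by xid; flag any that a second relay re-forwarded.
    One relay tier should give each server exactly one copy, from one source, with hops == 1."""
    per_xid = defaultdict(lambda: {"copies": 0, "relays": set(), "max_hops": 0})
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        info = per_xid[pkt["xid"]]
        info["copies"] += 1                      # every copy any relay delivered
        info["relays"].add(pkt["src"])           # which relay address sent it
        info["max_hops"] = max(info["max_hops"], pkt["hops"])
    flagged = {}
    for xid, info in per_xid.items():
        if info["copies"] > num_servers or len(info["relays"]) > 1 or info["max_hops"] > 1:
            flagged[xid] = {"copies": info["copies"], "relays": sorted(info["relays"]),
                            "max_hops": info["max_hops"]}
    return flagged

LOOPS = find_relay_loops(SAMPLE_LINES.splitlines(), num_servers=2)
```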