DHCP Relay Support for MPLS VPN
This feature enables a DHCP Server to locate the VPN (VRF) in which each client resides. The DHCP relay agent captures the VPN association of the DHCP Client and includes this information in the DHCP packet. The relay agent provides this information using three suboptions of the DHCP relay agent information option (DHCP Option 82):
1. VPN Identifier: This suboption is used by the relay agent to tell the DHCP Server the VPN for every DHCP request it passes on to the DHCP Server. It is also used to forward the DHCP replies that the DHCP Server sends back to the DHCP relay agent. The VPN ID configured on the incoming interface (or the VRF name if no VPN ID is configured) is contained in the VPN Identifier suboption.
2. Subnet Selection Suboption: This suboption allows the separation of the subnet where the Client resides from the IP address used to communicate with the relay agent. The gateway address is changed to the outgoing interface of the relay agent toward the DHCP Server. The DHCP Server uses this gateway address to send reply packets back to the relay agent.
3. Server Identifier Override Suboption: This value is copied in the reply packet from the DHCP Server instead of the normal Server ID address. This suboption contains the incoming interface IP address of the relay agent which is accessible by the Client. Using this information, the DHCP Client sends all the renew and release packets to the relay agent. The relay agent adds all the VPN suboptions and then forwards these packets to the DHCP Server.
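The three suboptions above travel as ordinary code/length/value entries inside option 82, so a DHCP server or a packet-capture reviewer can decode them and see exactly which VPN a relay has claimed for a client. The following added example (not part of the original document) does that decoding and rejects malformed entries. It assumes the IETF suboption codes 151 (RFC 6607), 5 (RFC 3527) and 11 (RFC 5107), which the page does not list and which a relay may be configured to replace with other values; the function names and the sample bytes are constructed for illustration.

```python
import ipaddress

# Sub-option codes inside option 82. IETF values assumed; the page does not list them.
ADDR_SUBOPTS = {5: "subnet_selection",      # RFC 3527 link selection
                11: "server_id_override"}   # RFC 5107
VSS = 151                                   # RFC 6607 virtual subnet selection


def decode_vss(value: bytes) -> str:
    """RFC 6607 VSS: type 0 = ASCII VPN name, 1 = RFC 2685 VPN-ID, 255 = global."""
    kind, info = value[:1], value[1:]
    if kind == b"\x00" and info:
        return info.decode("ascii")
    if kind == b"\x01" and len(info) == 7:
        return f"{info[:3].hex()}:{info[3:].hex()}"  # OUI:index
    if kind == b"\xff" and not info:
        return "<global>"
    raise ValueError(f"malformed VSS sub-option {value.hex()!r}")


def parse_option82(payload: bytes) -> dict:
    """Walk the sub-option TLVs of an option 82 payload and decode the VPN ones."""
    out, i = {}, 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} overruns option 82")
        i += 2 + length
        if code in ADDR_SUBOPTS:
            if length != 4:
                raise ValueError(f"sub-option {code} must carry one IPv4 address")
            out[ADDR_SUBOPTS[code]] = str(ipaddress.IPv4Address(value))
        elif code == VSS:
            out["vpn"] = decode_vss(value)
        else:
            out.setdefault("other", {})[code] = value.hex()
    return out


def sub(code: int, value: bytes) -> bytes:  # encode one sub-option as code, length, value
    return bytes([code, len(value)]) + value

# Constructed sample: the three sub-options PE1 would add for Customer_A.
SAMPLE = (sub(VSS, b"\x00Customer_A")
          + sub(5, ipaddress.IPv4Address("172.16.1.0").packed)
          + sub(11, ipaddress.IPv4Address("172.16.1.1").packed))
```

Calling `parse_option82(SAMPLE)` returns the VPN name, the client subnet and the override address as strings; any length mismatch raises `ValueError` instead of being decoded past the end of the option.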
Deployment Scenario
In this scenario, the Service Provider will assign IP addresses to the Customer routers for the interface connected to PE routers. The IP addresses will be assigned to the Clients based on the VRF they belong to. PE1 and PE2 service provider routers will act as DHCP relay agents. The DHCP Server is located at 10.88.1.10 in the service provider network.
Customers A and B have an Extranet VPN connection to share their resources.
DHCP Relay Configuration on PE1
ip vrf Customer_A
 rd 1:1
 route-target import 1:2
 route-target export 1:1
!
ip dhcp relay information option vpn
! Enables the router to insert VPN suboptions into DHCP requests from the Clients and changes the gateway address to the outgoing interface toward the DHCP Server
!
interface Fastethernet 0/0
 ! Interface connected to Customer A
 ip vrf forwarding Customer_A
 ip address 172.16.1.1 255.255.255.0
 ip helper-address global 10.88.1.10
 ! Forwards the DHCP requests to the DHCP Server. The "global" keyword indicates that the DHCP Server can be reached through the global routing table
!
DHCP Relay Configuration on PE2
ip vrf Customer_B
 rd 1:2
 route-target import 1:1
 route-target export 1:2
!
ip dhcp relay information option vpn
!
interface Fastethernet 0/0
 ip vrf forwarding Customer_B
 ip address 172.16.2.1 255.255.255.0
 ip helper-address global 10.88.1.10
!
The DHCP Server used here is a Cisco IOS router (C7200-ADVENTERPRISEK9_SNA-M, Version 12.2(33)SRE). The configuration for the DHCP Server is simple.
DHCP Server Configuration
ip dhcp excluded-address 172.16.1.1
ip dhcp excluded-address 172.16.2.1
!
ip dhcp pool Customer_A
 ! Indicates that this DHCP pool is for VRF Customer_A
 vrf Customer_A
 network 172.16.1.0 255.255.255.0
 default-router 172.16.1.1
!
ip dhcp pool Customer_B
 ! Indicates that this DHCP pool is for VRF Customer_B
 vrf Customer_B
 network 172.16.2.0 255.255.255.0
 default-router 172.16.2.1
When the Customer router CE1 starts sending DHCP packets to obtain an IP address, the PE1 router adds the suboptions: it inserts the VPN Identifier (Customer_A), changes the gateway address to that of its outgoing interface Fastethernet 2/0, which is the one facing toward the DHCP Server, and overrides the Server ID with its incoming interface IP address, 172.16.1.1.
"debug ip dhcp server packet" on DHCP Server
DHCP_Server# debug ip dhcp server packet
*Apr 24 00:13:19.931: DHCPD: Reload workspace interface FastEthernet1/0 tableid 0.
*Apr 24 00:13:19.935: DHCPD: tableid for 10.88.1.10 on FastEthernet1/0 is 0
*Apr 24 00:13:19.935: DHCPD: found subnet_info_addr 172.16.1.0
*Apr 24 00:13:19.935: DHCPD: Giaddr from server-id-override suboption 172.16.1.1
*Apr 24 00:13:19.935: DHCPD: client's VPN is Customer_A.
*Apr 24 00:13:19.939: DHCPD: using received relay info
!--- The DHCP Server receives a DHCPDISCOVER message from the relay agent PE1 indicating that it belongs to VRF Customer_A
*Apr 24 00:13:19.939: DHCPD: DHCPDISCOVER received from client 0063.6973.636f.2d63.3430.382e.3136.3130.2e30.3030.302d.4661.302f.30 through relay 10.13.1.1.
*Apr 24 00:13:19.939: DHCPD: using received relay info.
*Apr 24 00:13:19.947: DHCPD: Saving workspace (ID=0x43000004)
*Apr 24 00:13:19.947: DHCPD: New packet workspace 0x65D720A0 (ID=0x56000005)
*Apr 24 00:13:21.279: DHCPD: Reprocessing saved workspace (ID=0x43000004)
*Apr 24 00:13:21.279: DHCPD: using received relay info.
*Apr 24 00:13:21.279: DHCPD: DHCPDISCOVER received from client 0063.6973.636f.2d63.3430.382e.3136.3130.2e30.3030.302d.4661.302f.30 through relay 10.13.1.1.
*Apr 24 00:13:21.283: DHCPD: using received relay info.
!---- The DHCP Server sends a unicast DHCPOFFER message to the relay agent with an IP address 172.16.1.2 from the pool for VRF Customer_A
*Apr 24 00:13:21.283: DHCPD: Sending DHCPOFFER to client 0063.6973.636f.2d63.3430.382e.3136.3130.2e30.3030.302d.4661.302f.30 (172.16.1.2).
*Apr 24 00:13:21.287: DHCPD: using server-id-override 172.16.1.1
*Apr 24 00:13:21.287: DHCPD: unicasting BOOTREPLY for client c408.1610.0000 to relay 10.13.1.1.
*Apr 24 00:13:21.291: DHCPD: Freeing saved workspace (ID=0x43000004)
*Apr 24 00:13:21.647: DHCPD: Reload workspace interface FastEthernet1/0 tableid 0.
*Apr 24 00:13:21.647: DHCPD: tableid for 10.88.1.10 on FastEthernet1/0 is 0
*Apr 24 00:13:21.651: DHCPD: found subnet_info_addr 172.16.1.0
*Apr 24 00:13:21.651: DHCPD: Giaddr from server-id-override suboption 172.16.1.1
*Apr 24 00:13:21.651: DHCPD: client's VPN is Customer_A.
!--- The DHCP Server receives a DHCPREQUEST message from the client indicating the client has accepted the IP address and other parameters provided by the Server.
*Apr 24 00:13:21.651: DHCPD: DHCPREQUEST received from client 0063.6973.636f.2d63.3430.382e.3136.3130.2e30.3030.302d.4661.302f.30.
!--- The DHCP Server sends a DHCPACK message back to the client
*Apr 24 00:13:21.655: DHCPD: Sending DHCPACK to client 0063.6973.636f.2d63.3430.382e.3136.3130.2e30.3030.302d.4661.302f.30 (172.16.1.2).
*Apr 24 00:13:21.655: DHCPD: using server-id-override 172.16.1.1
*Apr 24 00:13:21.659: DHCPD: unicasting BOOTREPLY for client c408.1610.0000 to relay 10.13.1.1.
The same is true for CE2's DHCP requests. The following output shows that CE1 receives 172.16.1.2/24 from the DHCP Server with default router 172.16.1.1.
CE1 receives an IP address
CE1# show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            172.16.1.2      YES DHCP   up                    up
Serial0/0                  unassigned      YES unset  administratively down down
FastEthernet0/1            unassigned      YES unset  administratively down down
Serial0/1                  unassigned      YES unset  administratively down down
CE1# show ip route | begin Gateway
Gateway of last resort is 172.16.1.1 to network 0.0.0.0
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [254/0] via 172.16.1.1
The show ip dhcp binding command shows the IP addresses a DHCP server has handed out to its clients.
IP Address Binding
DHCP_Server# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
Bindings from VRF pool Customer_A:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
172.16.1.2          0063.6973.636f.2d63.    Apr 25 2010 12:13 AM    Automatic
                    3430.382e.3136.3130.
                    2e30.3030.302d.4661.
                    302f.30
Bindings from VRF pool Customer_B:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
172.16.2.2          0063.6973.636f.2d63.    Apr 25 2010 12:33 AM    Automatic
                    3430.392e.3063.3938.
                    2e30.3030.302d.4661.
                    302f.30
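Because the server picks the pool from the VPN name the relay supplies, the debug output shown earlier can be cross-checked against the pool definitions to confirm that every lease stays inside its own VRF. The following added example (not part of the original document) runs that check over three debug lines taken from this page and three constructed lines that violate it. It assumes the lines of one exchange are contiguous and that the server-id-override equals the pool's default router, as in this scenario; the function and variable names are hypothetical.

```python
import ipaddress
import re

# Pools as configured on the DHCP Server in this article: VRF -> (network, default-router).
POOLS = {
    "Customer_A": (ipaddress.ip_network("172.16.1.0/24"), "172.16.1.1"),
    "Customer_B": (ipaddress.ip_network("172.16.2.0/24"), "172.16.2.1"),
}
VPN_RE = re.compile(r"DHCPD: client's VPN is (\S+?)\.?$")
LEASE_RE = re.compile(r"DHCPD: Sending (DHCPOFFER|DHCPACK) to client \S+ \((\d+\.\d+\.\d+\.\d+)\)")
OVERRIDE_RE = re.compile(r"DHCPD: using server-id-override (\d+\.\d+\.\d+\.\d+)")


def audit(lines):
    """Return (line number, message) findings where a lease does not fit the client's VRF.

    Assumption: debug lines for one exchange are contiguous, so the latest
    "client's VPN is" line applies to the lease lines that follow it.
    """
    findings, vrf = [], None
    for n, line in enumerate(lines, 1):
        line = line.rstrip()
        if m := VPN_RE.search(line):
            vrf = m.group(1)
            if vrf not in POOLS:
                findings.append((n, f"unknown VRF {vrf}"))
        elif m := LEASE_RE.search(line):
            net = POOLS.get(vrf, (None, None))[0]
            if net is None or ipaddress.ip_address(m.group(2)) not in net:
                findings.append((n, f"{m.group(1)} {m.group(2)} outside pool for {vrf}"))
        elif m := OVERRIDE_RE.search(line):
            if POOLS.get(vrf, (None, None))[1] != m.group(1):
                findings.append((n, f"server-id-override {m.group(1)} not the relay for {vrf}"))
    return findings


# Lines copied from the debug output on this page.
PAGE_LINES = [
    "*Apr 24 00:13:21.651: DHCPD: client's VPN is Customer_A.",
    "*Apr 24 00:13:21.655: DHCPD: Sending DHCPACK to client 0063.6973.636f.2d63.3430.382e.3136.3130.2e30.3030.302d.4661.302f.30 (172.16.1.2).",
    "*Apr 24 00:13:21.655: DHCPD: using server-id-override 172.16.1.1",
]
# Constructed lines: a Customer_A client handed an address from Customer_B's subnet.
BAD_LINES = [
    "*Apr 24 00:20:00.000: DHCPD: client's VPN is Customer_A.",
    "*Apr 24 00:20:00.004: DHCPD: Sending DHCPACK to client 0063.6973.636f (172.16.2.7).",
    "*Apr 24 00:20:00.004: DHCPD: using server-id-override 172.16.2.1",
]
```

`audit(PAGE_LINES)` returns an empty list, while `audit(BAD_LINES)` reports the out-of-pool lease and the mismatched override with their line numbers.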
Finally, the following output shows that CE1 can reach the CE2 router.
CE1#ping 172.16.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 128/313/556 ms