DHCP Relay Support for MPLS VPN

This feature enables a DHCP Server to locate the VPN (VRF) in which each client resides. The DHCP relay agent captures the VPN association of the DHCP Client and includes this information in the DHCP packet. The relay agent provides this information using three suboptions of the DHCP relay agent information option (DHCP Option 82):

1. VPN Identifier: This suboption is used by the relay agent to tell the DHCP Server the VPN for every DHCP request it passes on to the DHCP Server. It is also used to forward the DHCP replies that the DHCP Server sends back to the DHCP relay agent. The VPN ID configured on the incoming interface (or the VRF name if no VPN ID is configured) is contained in the VPN Identifier suboption.

2. Subnet Selection Suboption: This suboption allows the separation of the subnet where the Client resides from the IP address used to communicate with the relay agent. The gateway address is changed to the outgoing interface of the relay agent toward the DHCP Server. The DHCP Server uses this gateway address to send reply packets back to the relay agent.

3. Server Identifier Override Suboption: This value is copied in the reply packet from the DHCP Server instead of the normal Server ID address. This suboption contains the incoming interface IP address of the relay agent which is accessible by the Client. Using this information, the DHCP Client sends all the renew and release packets to the relay agent. The relay agent adds all the VPN suboptions and then forwards these packets to the DHCP Server.
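
The three suboptions as they could appear inside Option 82, walked by a short Python parser (an added example, not from the original page or from Cisco). The suboption numbers and the sample bytes are assumptions: the page gives no codes, so the parser accepts the IETF codes 5, 11 and 151 as well as the pre-standard Cisco codes 150 and 152, and the sample is constructed from the PE1 values used in the deployment scenario on this page.

```python
import ipaddress

# Assumption: the page gives no suboption numbers. 5, 11 and 151 are the IETF
# codes (RFC 3527, RFC 5107, RFC 6607); 150 and 152 are the pre-standard codes
# Cisco IOS uses for subnet selection and server-id override.
SUBNET_SELECTION = {5, 150}
SERVER_ID_OVERRIDE = {11, 152}
VPN_IDENTIFIER = 151


def parse_option82(data: bytes) -> dict:
    """Walk the code/length/value suboptions inside DHCP Option 82."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated suboption header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"suboption {code} overruns the option")
        i += 2 + length
        if code == VPN_IDENTIFIER and length >= 1:
            # RFC 6607: first byte is the type, 0 = ASCII name, 1 = RFC 2685 VPN ID
            kind, body = value[0], value[1:]
            out["vpn"] = body.decode("ascii") if kind == 0 else body.hex()
        elif code in SUBNET_SELECTION and length == 4:
            out["subnet"] = str(ipaddress.IPv4Address(value))
        elif code in SERVER_ID_OVERRIDE and length == 4:
            out["server_id_override"] = str(ipaddress.IPv4Address(value))
        else:
            out.setdefault("other", []).append((code, value))
    return out


# Constructed sample: what PE1 could add for a Customer_A client
# (VRF name as ASCII, client subnet 172.16.1.0, override address 172.16.1.1).
SAMPLE = (bytes([151, 11, 0]) + b"Customer_A"
          + bytes([150, 4, 172, 16, 1, 0])
          + bytes([152, 4, 172, 16, 1, 1]))

if __name__ == "__main__":
    print(parse_option82(SAMPLE))
```

A DHCP Server selects the pool from these values, so a parser that rejects suboptions running past the end of the option avoids acting on a half-read VPN name or address.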

Deployment Scenario

In this scenario, the Service Provider will assign IP addresses to the Customer routers for the interface connected to PE routers. The IP addresses will be assigned to the Clients based on the VRF they belong to. PE1 and PE2 service provider routers will act as DHCP relay agents. The DHCP Server is located at 10.88.1.10 in the service provider network.

Customers A and B have an Extranet VPN connection to share their resources.

DHCP Relay Configuration on PE1

ip vrf Customer_A
 rd 1:1
 route-target import 1:2
 route-target export 1:1
!
ip dhcp relay information option vpn       
! Enables the router to insert VPN suboptions into DHCP Requests from the Clients and changes the gateway address to outgoing interface toward the DHCP Server
!
interface Fastethernet 0/0                           
! Interface connected to Customer A
 ip vrf forwarding Customer_A
 ip address 172.16.1.1 255.255.255.0
 ip helper-address global 10.88.1.10       
! Forwards the DHCP Requests to the DHCP Server. The "global" keyword indicates that the DHCP Server can be reached through the global routing table
!

DHCP Relay Configuration on PE2

ip vrf Customer_B
 rd 1:2
 route-target import 1:1
 route-target export 1:2
!
ip dhcp relay information option vpn
!
interface Fastethernet 0/0
 ip vrf forwarding Customer_B
 ip address 172.16.2.1 255.255.255.0
 ip helper-address global 10.88.1.10
!

The DHCP Server used here is a Cisco IOS router (C7200-ADVENTERPRISEK9_SNA-M, Version 12.2(33)SRE). The configuration for the DHCP Server is simple.

DHCP Server Configuration

ip dhcp excluded-address 172.16.1.1
ip dhcp excluded-address 172.16.2.1
!
ip dhcp pool Customer_A
   vrf Customer_A                                ! Indicates this DHCP Pool for VRF Customer_A
   network 172.16.1.0 255.255.255.0
   default-router 172.16.1.1
!
ip dhcp pool Customer_B
   vrf Customer_B                                ! Indicates this DHCP Pool for VRF Customer_B
   network 172.16.2.0 255.255.255.0
   default-router 172.16.2.1

When the Customer router CE1 starts sending DHCP packets to obtain an IP address, the PE1 router adds suboptions such as the VPN Identifier (i.e. Customer_A), changes the gateway address to its outgoing interface Fastethernet 2/0, which is the one facing toward the DHCP Server, and overrides the Server ID with its incoming interface IP address, i.e. 172.16.1.1.

"debug ip dhcp server packet" on DHCP Server

DHCP_Server# debug ip dhcp server packet
*Apr 24 00:13:19.931: DHCPD: Reload workspace interface FastEthernet1/0 tableid 0.
*Apr 24 00:13:19.935: DHCPD: tableid for 10.88.1.10 on FastEthernet1/0 is 0
*Apr 24 00:13:19.935: DHCPD: found subnet_info_addr 172.16.1.0
*Apr 24 00:13:19.935: DHCPD: Giaddr from server-id-override suboption 172.16.1.1
*Apr 24 00:13:19.935: DHCPD: client's VPN is Customer_A.
*Apr 24 00:13:19.939: DHCPD: using received relay info
!--- The DHCP Server receives a DHCPDISCOVER message from the relay agent PE1 indicating that it belongs to VRF Customer_A
*Apr 24 00:13:19.939: DHCPD: DHCPDISCOVER received from client 0063.6973.636f.2d63.3430.382e.3136.3130.2e30.3030.302d.4661.302f.30 through relay 10.13.1.1.
*Apr 24 00:13:19.939: DHCPD: using received relay info.
*Apr 24 00:13:19.947: DHCPD: Saving workspace (ID=0x43000004)
*Apr 24 00:13:19.947: DHCPD: New packet workspace 0x65D720A0 (ID=0x56000005)
*Apr 24 00:13:21.279: DHCPD: Reprocessing saved workspace (ID=0x43000004)
*Apr 24 00:13:21.279: DHCPD: using received relay info.
*Apr 24 00:13:21.279: DHCPD: DHCPDISCOVER received from client 0063.6973.636f.2d63.3430.382e.3136.3130.2e30.3030.302d.4661.302f.30 through relay 10.13.1.1.
*Apr 24 00:13:21.283: DHCPD: using received relay info.
!--- The DHCP Server sends a unicast DHCPOFFER message to the relay agent with an IP address 172.16.1.2 from the pool for VRF Customer_A
*Apr 24 00:13:21.283: DHCPD: Sending DHCPOFFER to client 0063.6973.636f.2d63.3430.382e.3136.3130.2e30.3030.302d.4661.302f.30 (172.16.1.2).
*Apr 24 00:13:21.287: DHCPD: using server-id-override 172.16.1.1
*Apr 24 00:13:21.287: DHCPD: unicasting BOOTREPLY for client c408.1610.0000 to relay 10.13.1.1.
*Apr 24 00:13:21.291: DHCPD: Freeing saved workspace (ID=0x43000004)
*Apr 24 00:13:21.647: DHCPD: Reload workspace interface FastEthernet1/0 tableid 0.
*Apr 24 00:13:21.647: DHCPD: tableid for 10.88.1.10 on FastEthernet1/0 is 0
*Apr 24 00:13:21.651: DHCPD: found subnet_info_addr 172.16.1.0
*Apr 24 00:13:21.651: DHCPD: Giaddr from server-id-override suboption 172.16.1.1
*Apr 24 00:13:21.651: DHCPD: client's VPN is Customer_A.
!--- The DHCP Server receives a DHCPREQUEST message from the client indicating the client has accepted the IP address and other parameters provided by the Server.
*Apr 24 00:13:21.651: DHCPD: DHCPREQUEST received from client 0063.6973.636f.2d63.3430.382e.3136.3130.2e30.3030.302d.4661.302f.30.
!--- The DHCP Server sends a DHCPACK message back to the client
*Apr 24 00:13:21.655: DHCPD: Sending DHCPACK to client 0063.6973.636f.2d63.3430.382e.3136.3130.2e30.3030.302d.4661.302f.30 (172.16.1.2).
*Apr 24 00:13:21.655: DHCPD: using server-id-override 172.16.1.1
*Apr 24 00:13:21.659: DHCPD: unicasting BOOTREPLY for client c408.1610.0000 to relay 10.13.1.1.

The same is true for CE2's DHCP requests. The following output shows that CE1 receives 172.16.1.2/24 from the DHCP Server with a default-router of 172.16.1.1.

CE1 receives an IP address

CE1# show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            172.16.1.2      YES DHCP   up                    up 
Serial0/0                  unassigned      YES unset  administratively down down
FastEthernet0/1            unassigned      YES unset  administratively down down
Serial0/1                  unassigned      YES unset  administratively down down
CE1# show ip route | begin Gateway
Gateway of last resort is 172.16.1.1 to network 0.0.0.0
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [254/0] via 172.16.1.1

The show ip dhcp binding command shows the IP addresses a DHCP server has handed out to its clients.

IP Address Binding

DHCP_Server# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
Bindings from VRF pool Customer_A:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
172.16.1.2          0063.6973.636f.2d63.    Apr 25 2010 12:13 AM    Automatic
                    3430.382e.3136.3130.
                    2e30.3030.302d.4661.
                    302f.30
Bindings from VRF pool Customer_B:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
172.16.2.2          0063.6973.636f.2d63.    Apr 25 2010 12:33 AM    Automatic
                    3430.392e.3063.3938.
                    2e30.3030.302d.4661.
                    302f.30
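
A check that can be run over saved "debug ip dhcp server packet" output to confirm that every address offered or acknowledged comes from the pool of the VRF the server identified for that client (an added example, not from the original page or from Cisco). The pool table is copied from the DHCP Server configuration on this page; the audit function name and the second set of log lines are constructed for illustration.

```python
import ipaddress
import re

# Pools copied from the DHCP Server configuration on this page.
POOLS = {
    "Customer_A": ipaddress.ip_network("172.16.1.0/24"),
    "Customer_B": ipaddress.ip_network("172.16.2.0/24"),
}
VPN_RE = re.compile(r"DHCPD: client's VPN is (\S+?)\.?$")
SEND_RE = re.compile(r"DHCPD: Sending (DHCPOFFER|DHCPACK) to client \S+ "
                     r"\((\d+\.\d+\.\d+\.\d+)\)")


def audit(lines):
    """Return (message, vrf, address) for each lease sent outside its VRF's pool."""
    findings, vrf = [], None
    for line in lines:
        line = line.strip()
        m = VPN_RE.search(line)
        if m:
            vrf = m.group(1)  # VRF the server derived from the VPN suboption
            continue
        m = SEND_RE.search(line)
        if m:
            addr = ipaddress.ip_address(m.group(2))
            pool = POOLS.get(vrf)  # None for an unknown VRF or no VPN line
            if pool is None or addr not in pool:
                findings.append((m.group(1), vrf, str(addr)))
    return findings


CID = "0063.6973.636f.2d63.3430.382e.3136.3130.2e30.3030.302d.4661.302f.30"
# Two lines taken from the debug output above.
PAGE_LINES = [
    "*Apr 24 00:13:21.651: DHCPD: client's VPN is Customer_A.",
    f"*Apr 24 00:13:21.655: DHCPD: Sending DHCPACK to client {CID} (172.16.1.2).",
]
# Constructed lines: a Customer_B client handed a Customer_A address.
BAD_LINES = [
    "*Apr 24 00:40:00.000: DHCPD: client's VPN is Customer_B.",
    f"*Apr 24 00:40:00.004: DHCPD: Sending DHCPACK to client {CID} (172.16.1.9).",
]

if __name__ == "__main__":
    print(audit(PAGE_LINES), audit(BAD_LINES))
```

The check pairs each reply with the most recent "client's VPN is" line, so it assumes the transactions in the capture are not interleaved.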

Finally, the following output shows that the CE2 router is reachable from CE1.

CE1#ping 172.16.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 128/313/556 ms