Cisco DHCP relay question

zrac

I can't believe I'm having a hard time with this, it's one of those wtf days today.

This is being done in a lab for some testing purposes, but the simple **** is driving me insane.

Two routers, Cisco 1700, behind them a hardware firewall at each end doing site-to-site VPN; each "site" of course has its own subnet. Everything is allowed between sites as it's wrapped in VPN packets and there are no filters on that traffic; connection is T1s out to the internet from the 1700 routers.

Main site has a DHCP server (2003 box); DHCP is configured with scopes for all subnets. Locally in the main site it works perfectly, but remote sites cannot get DHCP from this box.

Now I believe both Cisco routers require a DHCP relay agent to pass DHCP requests/replies between the different subnets, correct?

If so, how should it be configured? I can't find much useful info on the net. I do NOT want the routers to do DHCP, I only want them to pass the info between subnets as needed.

TIA!
 
Under the interface:
ip helper-address a.b.c.d

where a.b.c.d is the IP address of the DHCP server.

That will do DHCP relay.
 
In both routers?

Let's say location 1 is 192.168.10.x
Location 2 is 20.x

DHCP server is 10.100

Location 1 router should then have ip helper-address 192.168.10.100
Location 2 would have the same?
 
It only needs to be on the interface of the router where the clients are.

So, if the clients are in the 192.168.20.x subnet, ip helper-address needs to be on the router's interface, also in the 192.168.20.x subnet. Nothing is required on the other router.
 
Well it did not work, but maybe I'm not thinking right now. I'll outline the hardware setup as well as example IPs below to make more sense of it. I believe you are 100% correct, but I think I'm not putting in the right ip helper address.

Location 1
LAN (192.168.10.x) -> firewall protected interface (10.1) -> firewall external interface (200.0.0.1) -> cisco router FastEth 0 (200.0.0.2) -> cisco router Serial 0 (60.0.0.1) -> internet

Clients as well as the DHCP server are in this location, with 10.100


Location 2
clients that need to see the DHCP server in loc1 ->
LAN (192.168.20.x) -> firewall protected interface (20.1) -> firewall external interface (250.0.0.1) -> cisco router FastEth 0 (250.0.0.2) -> cisco router Serial 0 (65.0.0.1) -> internet



There are static routes set up in both locations on both routers with (0.0.0.0 0.0.0.0 public IP of other side's serial interface)


--------

So you're saying to put ip helper-address for the location 2 router, but what IP would you put in?
 
Thanks for the link, I'll read up on it right now, but if you feel like chiming in with the IP that I should throw in there, then by all means feel free :)

Thanks for all the help.
 
The IP helper address needs to point to the DHCP server. That's the only address you can put in.
 
Note, I don't think this is going to work for you. DHCP queries do not cross broadcast domains, i.e., they aren't routable by default. Your firewall interface on the 192.168.20.x network is what needs to do the DHCP relay.

If the Cisco routers are forwarding just VPN-encapsulated packets there is no way for them to tell DHCP requests from regular IP traffic; it all looks the same.
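The mechanics behind that answer, as an added Python model that is not part of this thread or of any Cisco code: a relay (what ip helper-address configures) can only act on a DISCOVER it actually receives as a broadcast, it stamps its own interface address into giaddr, and the server picks the scope from giaddr. The addresses are constructed from the thread (server 192.168.10.100, site-2 firewall inside interface 192.168.20.1, site-2 router 250.0.0.2) and the packets carry only the fixed BOOTP header, no options.

```python
import socket
import struct
from ipaddress import ip_address, ip_network

# Fixed BOOTP/DHCP header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr. DHCP options are omitted for brevity.
HDR = "!BBBBIHH4s4s4s4s16s"
ZERO4 = b"\x00" * 4

def build_discover(xid, mac):
    """Client DHCPDISCOVER as it leaves the NIC: broadcast, giaddr 0.0.0.0."""
    return struct.pack(HDR, 1, 1, 6, 0, xid, 0, 0x8000,
                       ZERO4, ZERO4, ZERO4, ZERO4, mac.ljust(16, b"\x00"))

def relay(packet, iface_ip, client_net):
    """Model of 'ip helper-address' on one interface: it only sees the DISCOVER
    if it sits in the client's broadcast domain; then it stores its own address
    in giaddr, bumps hops and unicasts the packet to the helper address."""
    if ip_address(iface_ip) not in ip_network(client_net):
        return None                     # never received, e.g. router at 250.0.0.2
    f = list(struct.unpack(HDR, packet))
    if f[10] == ZERO4:                  # first relay hop sets giaddr
        f[10] = socket.inet_aton(iface_ip)
    f[3] += 1                           # hops
    return struct.pack(HDR, *f)

def select_scope(packet, server_ip, scopes):
    """Server side: the scope comes from giaddr, not from the relay's source IP.
    giaddr 0.0.0.0 means the request arrived on the server's own subnet."""
    giaddr = struct.unpack(HDR, packet)[10]
    key = server_ip if giaddr == ZERO4 else socket.inet_ntoa(giaddr)
    return next((s for s in scopes if ip_address(key) in ip_network(s)), None)

# Constructed values mirroring the thread: one DHCP server at site 1 with
# scopes for both sites; the site-2 firewall's inside interface is 192.168.20.1.
SERVER = "192.168.10.100"
SCOPES = ["192.168.10.0/24", "192.168.20.0/24"]

def lease_scope(client_net, relay_ip=None):
    """Scope a client on client_net lands in, with an optional relay hop."""
    pkt = build_discover(0x1234, b"\x00\x11\x22\x33\x44\x55")
    if relay_ip is not None:
        pkt = relay(pkt, relay_ip, client_net)
    elif ip_address(SERVER) not in ip_network(client_net):
        pkt = None                      # broadcast never crosses to the server
    return None if pkt is None else select_scope(pkt, SERVER, SCOPES)
```

Running lease_scope for the site-2 subnet with the firewall's 192.168.20.1 as relay yields the 192.168.20.0/24 scope, while the VPN router's 250.0.0.2 yields nothing because that interface never hears the broadcast.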
 
Yeah that's what I was afraid of, but on some level I figured I had it setup wrong :(
 
I'm almost curious as to why you don't just hand out DHCP from one of the switches locally instead of trying to get broadcast traffic routed....
 
Preference, single DHCP server for all locations etc... I realize it's extra WAN traffic, but I was willing to sacrifice that.

But actually I've given up and done just that: used our firewall's built-in DHCP feature to get around it.
 
zrac said:
Preference, single DHCP server for all locations etc... I realize it's extra WAN traffic, but I was willing to sacrifice that.

It's also another point to fail. At least if the WAN link went down and there was a DHCP server at both locations, then users at the remote location would at least be able to work and access stuff that was local to them.

With only one DHCP server on the other side of the WAN link, if that link goes down, users lose all connectivity. This may or may not make a difference depending on if there are resources (files or printers) on both sides, or just the main site.

However, I do think you made the right decision running DHCP at both locations. No sense in making things more complicated than they need to be.
 
Nybbles said:
It's also another point to fail. At least if the WAN link went down and there was a DHCP server at both locations, then users at the remote location would at least be able to work and access stuff that was local to them.

With only one DHCP server on the other side of the WAN link, if that link goes down, users lose all connectivity. This may or may not make a difference depending on if there are resources (files or printers) on both sides, or just the main site.

However, I do think you made the right decision running DHCP at both locations. No sense in making things more complicated than they need to be.

Very true, but all servers are offsite to those locations and nothing is saved locally at their sites, therefore if the WAN goes down they really can't do much; heck, they lose their phone system too :D (we're mean bastards over here)

Not to mention the second there is any computer problem my users love to throw their hands in the air and claim they can't do any work thanks to me :rolleyes: :p
 