Can the users get an IP address if the DHCP server is outside out network and our controller is doing the NAT?
Environment Information : This article applies to all Aruba controllers and OS versions.
User is able to get DHCP lease from the server when there is no NAT boundary b/w the server and the controller.
However if there is a NAT device en route, he cannot get response from the DHCP server.
DHCP Offer packet goes to GIAddr and not to the Source IP of Discover packet.
Resolution : Keep the DHCP server inside the NAT boundary.
DHCP allows dynamic and automatic allocation of IP addresses on a network. One DHCP server can allocate addresses from multiple pools. Among other things, DHCP primarily provides the following to the client machine:
1. IP address
2. Subnet mask
3. Default Gateway
A DHCP Discover packet is a Broadcast packet. Since a broadcast cannot go across a router, this design would require us to put a DHCP server in each vlan. DHCP overcomes this by using multiple pools and a relay agents . A Relay Agent is configured using Ip helper address command in Aruba controller.
When IP helper address is configured on a VLan interface. It will forward the DHCP broadcast from the LAN segment to the DHCP Server as a unicast. It adds the VLan interface ip address as GIAddr (Gateway IP Address) to the DHCP Discover packet.
DHCP server compares the GIAddr to the pools configured and gives out leases from from the pools.
Problem.
If the DHCP server is configured across a NAT device, then client machines never get the IP address leases.
Interface vlan 1
IP address 20.1.1.1 255.255.255.0
Interface vlan 2
Ip address 10.1.1.1. 255.255.255.0
IP nat inside
Ip Helper Address 30.1.1.2
IP route 30.1.1.0 255.255.255.0 20.1.1.2
a. Vlan 1 is the controller IP
b. Vlan 2 is the User IP
c. DHCP server is 30.1.1.2 which is across the VLan 1.
d. A static route to 30.1.1.0 /24 points to 20.1.1.2 which is next hop in VLan 1.
e. Ip nat inside is configured which NATs all user traffic to the controller IP
Test 1: ping to the DHCP server is successful.
ICMP Echo Request Source IP =20.1.1.1 ( after NAT)
ICMP Echo Request Destination IP =30.1.1.2
ICMP Echo Reply Source IP =30.1.1.2
ICMP Echo Reply Destination IP =20.1.1.1
Test2: DHCP from client fails
DHCP Discover Source IP =20.1.1.1( after NAT)
DHCP Discover Destination IP =30.1.1.2
DHCP GIAddr IP =10.1.1.1
DHCP Offer Source IP =30.1.1.2
DHCP Offer Destination IP =10.1.1.1
DHCP GIAddr IP =10.1.1.1
We see, the DHCP Offer packet goes to GIAddr and not to the Source IP of Discover packet. Since GIAddr is a private IP address which is natted to the Controller IP, neither the DHCP server or it's default gateway knows how to get to 10.1.1.1.
Thus the DHCP Offer never reaches the client and DHCP process is never completed.