
Issues with DHCP relay

  • 1.  Issues with DHCP relay

    Posted Oct 31, 2019 04:07 AM

    Good day,

     

    We have a client with a setup where they have multiple DHCP scopes all being assigned from a single Windows server. 

     

    They have a 3810M as their core switch that has DHCP relay configured. Any switch that is directly connected to that 3810M relays fine, APs and clients get addresses correctly.

     

    However, if you are more than one switch hop from the relaying switch then devices connected to that switch will not get addresses.

     

    I am still pretty new to networking so I'm sure I've missed something simple. If anyone is able to assist it would be greatly appreciated. I can request a copy of the switches' config from the client if it's needed.



  • 2.  RE: Issues with DHCP relay

    EMPLOYEE
    Posted Oct 31, 2019 06:56 AM

    Could it be that you configured DHCP snooping on one or more of your switches? The DHCP snooping feature is enforcing that DHCP responses are coming from an authorized DHCP server and/or from an authorized (uplink) port. If you just enable snooping, it will block DHCP through a switch.

     

    Here is another post on this topic.



  • 3.  RE: Issues with DHCP relay

    Posted Oct 31, 2019 08:50 AM

    @Herman Robers wrote:

    Could it be that you configured DHCP snooping on one or more of your switches? The DHCP snooping feature is enforcing that DHCP responses are coming from an authorized DHCP server and/or from an authorized (uplink) port. If you just enable snooping, it will block DHCP through a switch.

     

    Here is another post on this topic.


    Hi Herman, thank you for the information. I think it's unlikely, but not impossible. Let me confirm with the tech onsite and see if it has been configured.

     

    Have we followed the correct procedure for configuring DHCP relay? We have a single core switch which has IPs in each VLAN that it will be relaying for. We then configured the IP helper-address for each VLAN. Is there any configuration that we need to do on the access switches? All I have done is tag the VLANs on the switch-to-switch links, with one VLAN that we want to get DHCP in being untagged on the edge port.



  • 4.  RE: Issues with DHCP relay
    Best Answer

    EMPLOYEE
    Posted Oct 31, 2019 12:41 PM

    The dhcp-relay/ip-helper has to be on the L3 interface on each VLAN. From your description that is on the core (which is quite common).

     

    If the switches are just L2 passing traffic to the core, there does not need to be any configuration for DHCP/relay there. If you configured the dhcp-snooping, which is good to prevent users on the access ports from becoming a spoofed DHCP server, only then do you need to configure dhcp-snooping with the right uplinks/VLANs/valid DHCP servers.



  • 5.  RE: Issues with DHCP relay

    Posted Oct 31, 2019 01:12 PM

    @Herman Robers wrote:

    The dhcp-relay/ip-helper has to be on the L3 interface on each VLAN. From your description that is on the core (which is quite common).

     

    If the switches are just L2 passing traffic to the core, there does not need to be any configuration for DHCP/relay there. If you configured the dhcp-snooping, which is good to prevent users on the access ports from becoming a spoofed DHCP server, only then do you need to configure dhcp-snooping with the right uplinks/VLANs/valid DHCP servers.


    Hi Herman, thanks for your response, that makes sense. I'll speak with the tech onsite tomorrow morning and verify that we haven't accidentally configured DHCP snooping anywhere.



  • 6.  RE: Issues with DHCP relay

    Posted Nov 01, 2019 04:06 AM

    @ciaran wrote:

    @Herman Robers wrote:

    The dhcp-relay/ip-helper has to be on the L3 interface on each VLAN. From your description that is on the core (which is quite common).

     

    If the switches are just L2 passing traffic to the core, there does not need to be any configuration for DHCP/relay there. If you configured the dhcp-snooping, which is good to prevent users on the access ports from becoming a spoofed DHCP server, only then do you need to configure dhcp-snooping with the right uplinks/VLANs/valid DHCP servers.


    Hi Herman, thanks for your response, that makes sense. I'll speak with the tech onsite tomorrow morning and verify that we haven't accidentally configured DHCP snooping anywhere.


    Hi Herman, We have verified that DHCP snooping is not enabled. Do you have an idea of anything else we could try?



  • 7.  RE: Issues with DHCP relay

    EMPLOYEE
    Posted Nov 01, 2019 07:42 AM

    What I would do in such a case is start capturing the traffic. Does the DHCP request reach the DHCP server? Does the DHCP server respond? Then from there narrow down where the packets are lost.

     

    Also, try with a static IP to rule out that your VLAN may not be connected on your uplinks and the issue is a generic connectivity issue. Does the same client connected directly to the core work?

     

    An L2 switch (VLAN) should in general be transparent and not blocking (except for security features like RA-guard/dhcp-snooping/private-vlan/port-acl).
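
Added example, not part of the thread and not HPE Aruba code: a simplified Python model of the DHCP snooping decision described in replies 2 and 4, which can also be used to classify DHCP payloads taken from a capture as suggested in reply 7. Port names, addresses and the helper `build_dhcp` are constructed for illustration, and the model identifies the server by option 54 (server identifier) rather than by packet source IP.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_TYPES = {"OFFER", "ACK", "NAK"}  # messages only a DHCP server or relay should send

def parse_dhcp(payload: bytes) -> dict:
    """Extract giaddr, message type (option 53) and server identifier (option 54)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    msg = {"giaddr": str(ipaddress.IPv4Address(payload[24:28])),
           "type": None, "server_id": None}
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                          # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        if code == 53 and length == 1:
            msg["type"] = MSG_TYPES.get(value[0], f"type-{value[0]}")
        elif code == 54 and length == 4:
            msg["server_id"] = str(ipaddress.IPv4Address(value))
        i += 2 + length
    return msg

def snooping_verdict(payload, ingress_port, trusted_ports, authorized_servers):
    """Simplified model: server messages need a trusted port and an allowed server."""
    msg = parse_dhcp(payload)
    if msg["type"] not in SERVER_TYPES:
        return "forward"                             # client messages pass on any port
    if ingress_port not in trusted_ports:
        return "drop: server message on untrusted port"
    if authorized_servers and msg["server_id"] not in authorized_servers:
        return "drop: unauthorized server"
    return "forward"

def build_dhcp(msg_type, giaddr="0.0.0.0", server_id=None):
    """Construct a minimal DHCP payload for the demonstration (not a capture)."""
    hdr = bytearray(236)
    hdr[0] = 1 if msg_type in (1, 3) else 2          # op: 1=BOOTREQUEST, 2=BOOTREPLY
    hdr[24:28] = ipaddress.IPv4Address(giaddr).packed
    opts = bytes([53, 1, msg_type])
    if server_id:
        opts += bytes([54, 4]) + ipaddress.IPv4Address(server_id).packed
    return bytes(hdr) + MAGIC + opts + b"\xff"
```

With an empty `trusted_ports` set, which models snooping enabled with no trusted uplink, every OFFER is dropped even when it comes from the legitimate server; that is the failure mode reply 2 describes.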