Configure a DHCP Relay in EVPN-VXLAN Fabric Architecture

 

DHCP Relay is an essential feature in most data center deployments. This example shows how to configure DHCP Relay in an EVPN-VXLAN-based data center fabric. The document also covers other common deployment models for DHCP Relay depending on how the DHCP Server is connected to the network. See Technical Overview for details.

Requirements

This example uses the following hardware and software components:

  • QFX5120 switches or QFX10002 switches

  • Junos OS Release 18.4R2-S5

We’ve tested the configuration example using Junos OS Release 18.4R2-S5.

Overview

The DHCP Relay agent operates as the interface between DHCP Clients and the Server. The DHCP Relay agent forwards incoming requests from DHCP Clients to a specified DHCP Server. In this example, we are using the Edge-routed bridging (ERB) topology as shown in Figure 1.

Figure 1: DHCP Relay Overview

In the case of ERB, the inter-VLAN routing happens at the server leaf layer. The server leaf switches are configured to perform DHCP Relay function for the VLANs that have IRB interfaces configured on those switches.

You can apply a similar DHCP Relay configuration to a centrally-routed bridging (CRB) topology as well. In the case of CRB, inter-VLAN routing happens at the spine switch level, so DHCP Relay must be configured on the spine switches.

Configuration

DHCP Relay Configuration with Virtual Gateway Address (VGA)

In this example, we’ll configure DHCP relay for the IRB interface configured with VGA. Figure 2 shows the topology used in this example.

Figure 2: DHCP Relay Configuration with VGA

In this case, each leaf device has a unique IP address for the IRB interface in a given VLAN. The IRB interfaces on all leaf devices for a VLAN are configured with a common VGA.

Step-by-Step Procedure

Do the steps that follow to configure DHCP relay for the IRB interface configured with VGA.

  1. Enable DHCP Relay with the forward-only option. The forward-only option ensures that DHCP packets are forwarded on the switch and that no DHCP Server Client bindings are created.

    Do not use any other DHCP Relay overrides.

  2. Create and activate the DHCP Relay server group.

    The DHCP Relay server group includes one or more DHCP Servers—individually identified by IP address—and a user-defined name for the servers. In this example, one DHCP server—10.101.10.31—is assigned to a DHCP server group named Server_Group1.

  3. Associate the server group with the IRB interfaces on the leaf devices.

DHCP Relay Configuration with Anycast IRB

In this example, we will configure DHCP Relay for an IRB interface configured with an Anycast IP address. Figure 3 shows the topology used in this example.

Figure 3: DHCP Relay with IRB Anycast

As shown in the topology, a common IP address is configured on the IRB interface for a VLAN on all leaf devices. Since the IRB IP address is common on all leaf devices, the DHCP Server response might not reach the correct leaf device that originated the DHCP relay request. If you are using the Anycast IRB option for the IRB interface, you must do the following:

  • Use a unique loopback address in each routing instance in each leaf device and source the DHCP Relay packets using this loopback IP address. The relay agent IP address includes the IP address of the loopback. This configuration enables the DHCP Server to send the response back to the leaf device that initiated the DHCP Relay.

  • Add the option-82 server-id-override configuration. Enabling option-82 will include the IP address of the IRB in the DHCP request message link selection attribute. The DHCP Server uses the IP address of the IRB interface in the link selection attribute to identify the pool from which an IP address must be assigned.

Step-by-Step Procedure

Do the steps below to configure DHCP Relay for an IRB interface configured with an Anycast IP address.

  1. Configure the DHCP Relay with the loopback address that will be used as relay source.
  2. Enable DHCP Relay option 82 with server-id-override option.
  3. Create the DHCP Relay server group and associate the server group with the IRB interfaces on the leaf devices. This step is the same as in the procedure DHCP Relay Configuration with Virtual Gateway Address (VGA).
  4. Check packet capture on the DHCP Server to verify the contents of the relayed DHCP packet. Figure 4 shows the sample packet capture file.
    Figure 4: Packet Capture on the DHCP Server

    In the sample, you can notice that the relay agent IP address is the loopback IP address and the link selection attribute shows the IP address of the IRB interface.
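
The check in step 4 can also be scripted against the UDP payload of a relayed DHCP packet. The following is an added example, not part of the original document or of Junos: it reads the relay agent IP address (giaddr) and the option 82 link selection sub-option (sub-option 5, RFC 3527) and compares them with the expected loopback and IRB addresses. The function names and the addresses (documentation ranges) are assumptions, and the sample packet is constructed.

```python
import ipaddress

MAGIC = bytes.fromhex("63825363")   # DHCP magic cookie after the 236-byte BOOTP header
OPT_RELAY_INFO = 82                 # Relay Agent Information (RFC 3046)
SUB_LINK_SELECTION = 5              # Link Selection sub-option (RFC 3527)


def parse_tlvs(buf, top_level=True):
    """Walk code/length/value triples; top level honours pad (0) and end (255)."""
    out, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if top_level and code == 0:
            i += 1
            continue
        if top_level and code == 255:
            break
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated option %d" % code)
        out[code] = buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]
    return out


def check_relayed_packet(payload, loopback, irb):
    """Return findings for one UDP payload; an empty list means it matches."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    findings = []
    giaddr = ipaddress.IPv4Address(payload[24:28])
    if giaddr != ipaddress.IPv4Address(loopback):
        findings.append("giaddr is %s, expected loopback %s" % (giaddr, loopback))
    opt82 = parse_tlvs(payload[240:]).get(OPT_RELAY_INFO, b"")
    link = parse_tlvs(opt82, top_level=False).get(SUB_LINK_SELECTION)
    if link is None or len(link) != 4:
        findings.append("option 82 link selection sub-option missing")
    elif ipaddress.IPv4Address(link) != ipaddress.IPv4Address(irb):
        findings.append("link selection is %s, expected IRB %s"
                        % (ipaddress.IPv4Address(link), irb))
    return findings


def build_sample(giaddr, link):
    """Constructed relayed DHCPDISCOVER (sample data, not a real capture)."""
    hdr = bytearray(236)                        # zeroed BOOTP header
    hdr[0:4] = bytes([1, 1, 6, 1])              # op, htype, hlen, hops
    hdr[24:28] = ipaddress.IPv4Address(giaddr).packed
    sub = bytes([SUB_LINK_SELECTION, 4]) + ipaddress.IPv4Address(link).packed
    return bytes(hdr) + MAGIC + bytes([53, 1, 1, OPT_RELAY_INFO, len(sub)]) + sub + b"\xff"
```

A packet whose giaddr is the shared Anycast IRB address instead of the leaf loopback produces a giaddr finding, which is the condition that lets the server response reach the wrong leaf device.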

DHCP Server Reachable only in a Service VRF

This example uses the topology shown in Figure 5.

Figure 5: DHCP Server Reachable only in a Service VRF

In multi-tenant environments or in the environments enabled for macro-segmentation, IRB interfaces are placed in different VRFs. In such environments, the DHCP Server could be connected only in a service VRF.

Use one of the following methods to ensure that the endpoints in the client VRFs are able to get DHCP IP address from the DHCP Server in the Service VRF:

  • Use an external device such as a firewall to perform inter-VRF routing. In this method, all VRFs inside the leaf device have a route to the DHCP Server through the external device. In this case, you can use the same configuration steps as covered in sections DHCP Relay Configuration with Anycast IRB and DHCP Relay Configuration with Virtual Gateway Address (VGA).

  • Use Inter-VRF routing between the DHCP Client VRF and the service VRF locally on the leaf device. Use the configuration steps provided in this section to implement Inter-VRF routing option.

The configuration includes:

  • Service VRF which hosts the DHCP Server (192.168.78.101).

  • Client VRF which has IRB interfaces from DHCP clients.

  • Each VRF has a unique loopback IP address.

We are using a single DHCP Client VRF in this example; however, the production environment includes many VRFs.

Step-by-Step Procedure

Do the steps below to configure the DHCP Server in a Service VRF.

  1. Configure the loopback interfaces.

    Apart from the lo0.0 interface used for VTEP, you must use a separate loopback interface for every routing instance. In this case, the loopback interface lo0.110 is associated with the DHCP Server VRF. The loopback interface lo0.120 is associated with the DHCP Client VRF.

  2. Configure the routing instance where the DHCP Server is located. The DHCP Server is located in VLAN 99 with IRB.99. The IRB.99 is placed in TENANT_SERVICE_VRF.

    Complete the following configurations in the Service VRF:

    • Configure the dhcp-relay forward-only-replies option to enable DHCP response packets to be forwarded to the DHCP Clients in the other VRF.

    • Configure the auto-export command along with vrf-target export and import policies that also import routes from the DHCP Client VRFs.

  3. Configure the routing instances where the DHCP Clients are located.

    In this case, the DHCP Clients are located in VLAN 10 and VLAN 20 with corresponding IRB interfaces—IRB.10 and IRB.20. The IRB.10 and IRB.20 are part of the routing instance TENANT_CLIENT_VRF1.

    Configure the following in the DHCP Client VRF:

    • Configure the dhcp-relay forward-only routing-instance <name> option. This configuration specifies the routing instance where the DHCP Server is located. In this case, it is the "TENANT_SERVICE_VRF".

    • Configure the auto-export command to enable the routes from the DHCP Client VRF to be exported into the DHCP Server VRF.

DHCP Relay with a Single Loopback IP Address for the Entire Chassis

In the previous configuration, we used a multi-tenant use case with a unique loopback IP address per VRF. When you have a large number of DHCP Client VRFs, assigning and maintaining a unique loopback IP address per VRF becomes a challenge.

Let’s use an example where we configure a single loopback IP address for the entire chassis irrespective of the number of VRFs configured on the leaf device. This method simplifies DHCP Relay operation.

Follow the same configuration steps used in the previous example Step-by-Step Procedure. The one exception is that we are using the same IP address for all DHCP Client VRF loopback interfaces.

The configuration includes:

  • Service VRF which hosts the DHCP Server (192.168.78.101).

  • DHCP Client VRFs which have IRB interfaces from DHCP Clients.

  • All DHCP Client VRF loopback interfaces have the same IP address.

Figure 6 shows the topology used in this example.

Figure 6: DHCP Relay Operation

Step-by-Step Procedure

Do the steps that follow to configure DHCP Relay with a single loopback IP address for the entire chassis.

  1. Configure the loopback interfaces.
  2. Configure the routing instance where the DHCP Server is located.
  3. Configure the routing instances where the DHCP Clients are located.

DHCPv6 Relay

If your data center deployment has endpoints with IPv6 addresses that use DHCPv6 for IP addressing, you can configure DHCPv6 Relay on the EVPN-VXLAN fabric. Similar to DHCPv4 Relay, EVPN-VXLAN fabric supports DHCPv6 Relay in the forward-only mode.

Figure 7 shows the topology used in this example.

Figure 7: DHCP6 Relay

The DHCPv6 Server assigns an IPv6 prefix based on the DHCPv6 SOLICIT message or in the RENEW message. In addition, the DHCPv6 Server sends the lease time, name server information, and so on. Unlike DHCPv4 Server, the DHCPv6 Server does not provide the prefix length and default gateway address. The DHCPv6 Client gets this information in the router advertisement messages sent by the IRB interface on the leaf device.

Step-by-Step Procedure

Do the steps below to configure the DHCPv6 Relay.

  1. Configure the DHCPv6 Relay in the routing instance.
  2. Configure the IRB interfaces to send router advertisement messages with a default gateway address and the IPv6 prefix length information.

    The configuration enables the DHCPv6 Clients to identify the prefix length and the default gateway because the DHCPv6 Server does not provide the information.

Step-by-Step Procedure

Verification for DHCPv6 Relay

  1. Verify DHCPv6 Solicit Message

    Use the packet capture details of the DHCPv6 solicit message, see Figure 8.

    Figure 8: Packet Capture of the DHCPv6 Solicit Message

    In the packet capture file, you can see information of the DHCPv6 solicit message on the DHCPv6 Server. The output indicates that the source address of the DHCPv6 relay packet is the loopback IPv6 address of the VRF on the leaf device. The link address field indicates the prefix pool that needs to be selected by the DHCPv6 Server for address assignment.

  2. Verify DHCPv6 Reply Message Details

    Use the packet capture details of the DHCPv6 reply message, see Figure 9.

    Figure 9: Packet Capture of the DHCPv6 Reply Message

    In the packet capture file, you can see information of the DHCPv6 reply message sent by the DHCPv6 Server. The DHCPv6 reply is sent to the loopback address in the VRF on the leaf device. The fields indicate that the DHCPv6 Server is sending the assigned IP prefix for the endpoint and lifetime information. The reply message does not include prefix length and the default gateway address.

  3. Verify DHCPv6 Client Details

    Verify router advertisement messages on the DHCPv6 Client.

    Use the packet capture details of the DHCPv6 solicit message, see Figure 10.

    Figure 10: Packet Capture of the DHCPv6 Solicit Message

    In the packet capture file, you can see information of the DHCPv6 Client. Here, you can see that the router advertisement message is providing the prefix length information along with the default gateway IP address as the link local IP address of the IRB interface.
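
The link address check from verification step 1 can be automated on the DHCPv6 payload seen at the server. The following is an added example, not part of the original document or of Junos: it decodes a Relay-forward message (RFC 8415), confirms that the link-address falls inside the prefix pool you expect the server to select, and confirms that the relayed message is a Solicit. The function names and the 2001:db8::/32 documentation addresses are assumptions, and the sample message is constructed.

```python
import ipaddress
import struct

RELAY_FORW = 12      # Relay-forward message type (RFC 8415)
OPT_RELAY_MSG = 9    # Relay Message option, carries the client's original message
SOLICIT = 1          # Solicit message type


def parse_relay_forward(payload):
    """Decode the fixed Relay-forward header and collect its options."""
    if len(payload) < 34 or payload[0] != RELAY_FORW:
        raise ValueError("not a DHCPv6 Relay-forward message")
    info = {
        "hop_count": payload[1],
        "link_address": ipaddress.IPv6Address(payload[2:18]),
        "peer_address": ipaddress.IPv6Address(payload[18:34]),
        "options": {},
    }
    i = 34
    while i < len(payload):
        if i + 4 > len(payload):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", payload, i)
        if i + 4 + length > len(payload):
            raise ValueError("truncated option %d" % code)
        info["options"][code] = payload[i + 4:i + 4 + length]
        i += 4 + length
    return info


def check_link_address(payload, pool_prefix):
    """Return findings for a relayed Solicit; an empty list means it matches."""
    info = parse_relay_forward(payload)
    findings = []
    if info["link_address"] not in ipaddress.IPv6Network(pool_prefix):
        findings.append("link-address %s is outside %s"
                        % (info["link_address"], pool_prefix))
    inner = info["options"].get(OPT_RELAY_MSG, b"")
    if not inner or inner[0] != SOLICIT:
        findings.append("relay message option does not carry a Solicit")
    return findings


def build_sample_v6(link, peer):
    """Constructed Relay-forward wrapping a minimal Solicit (not a real capture)."""
    solicit = bytes([SOLICIT]) + bytes.fromhex("abcdef")  # msg-type + transaction id
    return (bytes([RELAY_FORW, 0]) + ipaddress.IPv6Address(link).packed
            + ipaddress.IPv6Address(peer).packed
            + struct.pack("!HH", OPT_RELAY_MSG, len(solicit)) + solicit)
```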

Transit DHCP Relay

Figure 11 shows the topology of transit DHCP Relay.

Figure 11: Transit DHCP Relay

In the topology, there are local DHCP Clients for which the server leaf is the DHCP Relay. There is another set of DHCP Clients behind a firewall device. The firewall acts as the DHCP Relay for these DHCP clients. The DHCP packets relayed by the firewall traverse through the EVPN-VXLAN fabric to reach the DHCP Server. These packets are referred to as transit DHCP relay packets.

The transit DHCP relay packets represented with the red arrow might traverse the fabric using an IRB interface on the server leaf. If you enable DHCP relay on this IRB interface, the transit DHCP packets might be snooped and sent to the CPU on the server leaf and dropped. This might cause the following symptoms:

  • The DHCP Relay only works for endpoints connected locally to the fabric.

  • The DHCP Relay does not work for the endpoints connected behind the remote DHCP relay; that is, in this case, the firewall device.

To address the problem:

  • Place the local IRB interfaces that are performing DHCP relay for local endpoints in a separate VRF.

  • Ensure that the transit DHCP traffic can traverse the fabric in a different VRF over an IRB interface which is not enabled to perform DHCP relay for local endpoints.

This workaround prevents the transit DHCP Relay packets from being snooped instead of simply getting routed.

Validation

To confirm that the configuration is working properly, perform the following tasks:

Check DHCP Relay Statistics

Purpose

Verify that the DHCP relay is functioning.

Action

From operational mode:

user@host> show dhcp relay statistics

Enable Tracing Options for DHCP

Purpose

Enable tracing options for the DHCP Relay agent.

Action

Use the following commands from edit mode:

user@host# set system processes dhcp-service traceoptions file jdhcpd
user@host# set system processes dhcp-service traceoptions file size 1g
user@host# set system processes dhcp-service traceoptions level all

DHCP Log Files

Purpose

View DHCP log files to get DHCP services details.

Action

From operational mode:

user@host> show log jdhcpd

Meaning

The sample output shows the DHCP log messages in the messages file. The command output shown in the document is truncated for easy readability.