DHCP relay
DHCP relay refers to the router's ability to act as an intermediary between DHCP clients requesting configuration parameters, such as a network address, and DHCP servers when the DHCP clients and DHCP servers are not attached to the same broadcast domain, or do not share the same IPv6 link (in the case of DHCPv6).
SR Linux supports DHCP relay for IRB subinterfaces and Layer 3 subinterfaces. Up to 8 DHCP or DHCPv6 servers are supported. The DHCP relay maximum packet size (including option 82 and vendor-specific options) is capped at 1500 bytes to avoid fragmentation on the Ethernet segment end attached to the DHCP server.
When DHCP relay is enabled for a subinterface, and a DHCP client initiates a request for configuration parameters, the router accepts the DHCP client's request and relays it to the remote DHCP server, which sends back the configuration parameters. The router relays the configuration parameters to the client.
The DHCP server network can be in the same IP-VRF network-instance of the Layer 3 subinterfaces that require DHCP relay (see DHCP relay for IRB and Layer 3 subinterfaces), or it can be in a different IP-VRF network-instance or the default network instance (see DHCP relay using different IP-VRF or default network-instance).
SR Linux supports DHCP relay for IPv4 and IPv6. This guide refers to DHCP for IPv4 as DHCP, and DHCP for IPv6 as DHCPv6.
DHCP relay for IPv4
When DHCP relay is enabled, the router intercepts DHCP broadcast packets and unicasts them to a specified DHCP server for handling. By default, the source address for DHCP packets relayed to the server (GIADDR) is the IP address of the ingress subinterface where the DHCP relay agent is enabled, although a different GIADDR can be specified if necessary.
SR Linux supports DHCP option 82, the Relay Information Option, specified in RFC 3046, which allows the router to append information to DHCP requests relayed to the DHCP server, identifying where the original DHCP request came from. DHCP option 82 includes two sub-options: circuit-id and remote-id.
When configured to do so, SR Linux includes the following information in the circuit-id and remote-id sub-options of DHCP option 82:
For circuit-id, the system_name/VRF_instance/sub-interface_id:vlan_id of the ingress subinterface where the relay agent is enabled that receives the DHCP Discover message from the DHCP client.
For remote-id, the MAC address of the DHCP client.
DHCP message flow for IPv4 address allocation shows an example of the discovery, offer, request, and acknowledgment (DORA) message flow that occurs when DHCP relay assigns an address to a DHCP client.
The DORA message flow shown in DHCP message flow for IPv4 address allocation works as follows:
The DHCP client sends a DHCP Discover (broadcast) message with the following values:
DA = FF:FF:FF:FF:FF:FF (broadcast)
SA= client MAC
SIP = 0.0.0.0
DIP = 255.255.255.255
Source UDP port = 68
Destination UDP port = 67
The DHCP payload has the following values:
Broadcast flag = 1 (broadcast) or 0 (unicast)
Relay agent IP = 0.0.0.0
Client MAC = mac1
Parameter request list (option 55) which lists the required items from the DHCP server to be sent along with the IP address like subnet mask, router (gateway), and others
The DHCP relay agent relays the DHCP Discover message toward the DHCP server (unicast). If configured to do so, information is added for the circuit ID and remote ID sub-options in DHCP option 82. The relayed packet is unicast toward the DHCP servers with the following values:
SIP = outgoing interface IP address by default. If the source-address is configured, the relayed packet instead has SIP = configured source-address
UDP source port = 67
UDP destination port = 67
The DHCP payload has the following values:
Broadcast = 1 (broadcast) or 0 (unicast)
Relay agent IP (giaddr) = IP address of the ingress sub-interface where the relay agent is enabled
Client MAC = mac1
Relay agent information (option 82)
The DHCP server assigns an IP address to the DHCP client, based on information in the GIADDR or in option 82, if configured to do so. The DHCP server sends a DHCP Offer message to the DHCP relay agent (unicast). The DHCP Offer message includes the IP address assigned to the DHCP client based on information in the GIADDR or in option 82.
The DHCP Offer packet is unicast with the following values:
SIP = DHCP IP address
DIP = giaddr
UDP source port = 67
UDP destination port = 67
The DHCP payload has the following values:
Broadcast flag = 1 (broadcast) or 0 (unicast).
Your (client) IP = IP address assigned by DHCP server
Agent IP = giaddr
Client MAC = mac1
DHCP identifier = DHCP server IP address
Option 82 (echoed back, and based on DHCP server configuration)
IP address Lease time (option 51)
Subnet mask (option 1)
Router (gateway) (option 3)
Others (DNS, Renewal Time value, Rebinding Time value, and so on)
The DHCP relay agent relays the DHCP Offer message to the DHCP client (either broadcast or unicast, based on the broadcast flag sent by the client).
The DHCP Offer message is relayed from the DHCP server toward the client with the following values:
DA = FF:FF:FF:FF:FF:FF (broadcast) OR Client MAC(unicast)
SIP = sub-interface IP address toward the client where DHCP relay agent is enabled
DIP = 255.255.255.255 (broadcast) OR Your (client) IP address (unicast)
Source UDP port = 67
Destination UDP port = 68
The relay agent relays the DHCP Offer toward the client without option 82. It strips off option 82 if echoed back from DHCP server.
The DHCP payload has the following values:
Broadcast flag = 1 (broadcast) or 0 (unicast).
Your (client) IP = IP address assigned by DHCP server
Agent IP = giaddr
Client MAC = mac1
DHCP identifier = DHCP server IP address
Option 82 (echoed back, and based on DHCP server configuration)
IP address Lease time (option 51)
Subnet mask (option 1)
Router (gateway) (option 3)
Others (DNS, Renewal Time value, Rebinding Time value, and so on.)
The DHCP client sends a DHCP request message (broadcast) with the following values:
DA = FF:FF:FF:FF:FF:FF (broadcast)
SA = client MAC
SIP = 0.0.0.0
DIP = 255.255.255.255
Source UDP port = 68
Destination UDP port = 67
The DHCP payload has the following values:
Broadcast flag = 1 (broadcast) or 0 (unicast).
Relay agent IP = 0.0.0.0
Client MAC = mac1
DHCP server identifier = DHCP server IP address
Requested IP (option 50)
Parameter request list (option 55) that lists the required items from the DHCP server to be sent along with the IP address like subnet mask, router (gateway), and others
The DHCP relay agent relays the DHCP Request message toward the DHCP server (unicast). The relayed packet is unicast toward the DHCP servers, with the following values:
SIP = outgoing interface IP address by default. If source-address is configured, then the relayed packet has SIP = configured source-address.
UDP source port = 67
UDP destination port = 67
The DHCP payload has the following values:
Broadcast flag = 1 (broadcast) or 0 (unicast).
Relay agent IP = giaddr
Client MAC = mac1
DHCP identifier = DHCP server IP address
Requested IP (option 50)
Relay agent Information (option 82) if configured under dhcp-relay
Parameter request list (option 55) that lists the required items from the DHCP server to be sent along with the IP address like subnet mask, router (gateway), and others
Vendor specific option (if configured)
The DHCP server sends a DHCP Ack message to the DHCP relay agent (unicast). The DHCP Ack packet is unicasted with the following values:
SIP = DHCP IP address
DIP = giaddr
UDP source port = 67
UDP destination port = 67
The DHCP payload has the following values:
Broadcast flag, either 1 (broadcast), or 0 (unicast)
Your (client) IP = IP address assigned by DHCP server
Agent IP = giaddr
Client MAC = mac1
DHCP identifier = DHCP server IP address
Option 82 (echoed back and based on DHCP server configuration)
IP address Lease time (option 51)
Subnet mask (option 1)
Router (gateway) (option 3)
Others (DNS, Renewal Time value, Rebinding Time value, and so on.)
Based on the broadcast flag sent by client, the DHCP Offer is relayed from the DHCP servers toward the client with the following values:
DA = FF:FF:FF:FF:FF:FF (broadcast) OR Client MAC(unicast)
SIP = sub-interface IP address toward the client where the DHCP relay agent is enabled
DIP = 255.255.255.255 (broadcast) OR Your (client) IP address (unicast)
Source UDP port = 67
Destination UDP port = 68
The relay agent relays the DHCP Offer toward client without option 82. It strips off option 82 if echoed back from DHCP server.
The DHCP payload has the following values:
Broadcast flag can be either 1 (broadcast), or 0 (unicast)
Your (client) IP = IP address assigned by DHCP server
Agent IP = giaddr
Client MAC = mac1
DHCP Server identifier (option 54) = DHCP server IP address
IP address lease time (option 51)
Subnet mask (option 1)
Router (gateway) (option 3)
Others (DNS, Renewal Time value, Rebinding Time value, and so on.)
When renewing or releasing an address, the DHCP client unicasts the DHCP Request or Release message to the DHCP server without involvement by the DHCP relay agent.
Configuring DHCP relay for IPv4
To configure DHCP relay for a subinterface:
-
Configure the addresses / FQDNs of the DHCP servers.
-
Optionally configure the source address for DHCP messages sent to the servers.
-
Configure whether information is added to the sub-options for DHCP option 82.
Configure the DHCP relay agent on a subinterface
The following example configures the DHCP relay agent on a subinterface. The example configures the IP addresses / FQDNs of the remote DHCP servers and specifies the address to be used as the GIADDR in packets sent to the servers.
The circuit-id and remote-id options are configured, which
causes the DHCP relay agent to include the
system_name/VRF_instance/sub-interface_id:vlan_id in the circuit-id sub-option and
the DHCP client MAC address in the remote-id sub-option of DHCP option 82.
--{ * candidate shared default }--[ ]--
# info interface ethernet-1/2
interface ethernet-1/2 {
subinterface 1 {
ipv4 {
admin-state enable
address 1.1.4.4/24 {
}
dhcp-relay {
option [
circuit-id
remote-id
]
source-address 1.1.4.4
server [
172.16.32.1
172.16.64.1
192.168.1.1
remoteserver.example.com
]
}
}
Specify the network-instance of the DHCP server
If the DHCP server network is in a different IP-VRF network-instance from the Layer 3 subinterfaces that require DHCP relay (see DHCP relay using different IP-VRF or default network-instance), specify the network-instance in the configuration. For example:
--{ * candidate shared default }--[ ]--
# info interface ethernet-1/2
interface ethernet-1/2 {
subinterface 1 {
ipv4 {
admin-state enable
address 1.1.4.4/24 {
}
dhcp-relay {
network-instance ipvrf2
option [
circuit-id
remote-id
]
source-address 1.1.4.4
server [
172.16.32.1
172.16.64.1
192.168.1.1
remoteserver.example.com
]
}
}
Using the GIADDR as the source address for DHCP Discover/Request packets
By default, the SR Linux uses the IP address of the outgoing interface as the source address for Discover/Request packets sent to the DHCP server. This is not the needed behavior for some configurations, such as a firewall protecting the DHCP server that allows connections from a limited set of IP addresses. You can use the use-gi-addr-as-src-ip-addr parameter to cause the SR Linux to instead use the GIADDR as the source address for Discover/Request packets sent to the DHCP server.
You can optionally configure the GIADDR address using the gi-address parameter. The configured GIADDR address can be a local IP address under the interface where DHCP relay is enabled, any loopback address within the same IP-VRF (if the DHCP server network is in this IP-VRF network-instance), or a loopback address defined in a different IP-VRF/default network-instance (if the DHCP server network is in different IP-VRF/default network-instance).
The following table shows the GIADDR and source address combinations.
|
gi-address parameter |
use-gi-addr-as-src-ipaddr parameter |
GIADDR in relayed packet |
Source IP address in relayed packet |
|---|---|---|---|
|
Not configured (default) |
False (default) |
Primary IP address of interface |
IP address of outgoing interface |
|
Configured |
False (default) |
Configured GIADDR |
IP address of outgoing interface |
|
Configured |
True |
Configured GIADDR |
Configured GIADDR |
|
Not configured (default) |
True |
Primary IP address of interface |
Primary IP address of interface (because it is picked as the GIADDR) |
In the following example, the address specified with the gi-address parameter is used as the source address for Discover/Request packets sent to the DHCP server. If the gi-address parameter is not configured, then the default GIADDR (the primary IP address of the interface) is used.
--{ * candidate shared default }--[ ]--
# info interface ethernet-1/2
interface ethernet-1/2 {
subinterface 1 {
ipv4 {
admin-state enable
address 172.16.1.1/24 {
primary
}
address 172.16.2.1/24 {
}
dhcp-relay {
admin-state enable
gi-address 172.16.2.1
use-gi-addr-as-src-ip-addr true
option [
circuit-id
remote-id
]
server [
1.1.1.1
2.2.2.2
]
}
}
Trusted and untrusted DHCP requests
If the DHCP relay agent receives a DHCP request and the downstream node added option 82 information or set the GIADDR to any value other than 0, the DHCP request is considered to be untrusted. By default, the router drops any untrusted DHCP request and discards the DHCP packets, as described in RFC 3046. SR Linux supports untrusted mode only. The DHCP relay agent discards DHCP packets traveling from the client to server side under the following conditions:
The DHCP packet includes option 82.
The DHCP packet has a GIADDR value that is not 0.
The DHCP relay agent discards DHCP packets traveling from the server to client side under the following conditions:
The circuit-id or remote-id are not enabled on the relay interface, but are present in the packet.
the GIADDR value in the DHCP packet does not match the GIADDR value on the relay interface.
There is no matching entry in the cache.
DHCP relay for IPv6
DHCP relay for IPv6 works similarly to IPv4. However, in DHCPv6, the DHCP Discover, Offer, and Ack messages are replaced by Solicit messages sent by clients, and Advertise and Reply messages sent by servers.
The DHCPv6 relay agent relays messages between clients and remote servers using Relay-Forward (client-to-server) and Relay-Reply (server-to-client) message types. DHCP option 82 is replaced in DHCPv6 by Interface-Id (option 18) and Remote Identifier (option 37), appended by relay agents.
You can optionally configure the DHCPv6 relay agent to include the client's MAC address in Client Link-Layer Address (option 79). This can be useful for dual-stack clients, where a client is using both DHCPv4 and DHCPv6, and the client's MAC address is being used as an identifier for DHCPv4.
DHCPv6 message flow for IPv6 address allocation shows the DHCPv6 message flow. DHCPv6 renew message flow and DHCPv6 release message flow show the renew and release flows.
When assigning an address to a DHCP client, DHCP relay for IPv6 works as follows:
The DHCPv6 client uses its link-local address as the source IPv6 address and IPv6 multicast address FF02::1:2 and MAC address 33:33:00:01:00:02 as destination IPv6 address/MAC address respectively for solicit/request messages and with the following UDP values:
source UDP port = 546
destination UDP port = 547
The DHCPv6 relay agent uses a Relay-Forw message to relay the Solicit message toward the DHCPv6 server, using the outbound IPv6 address of the DHCPv6 relay agent as the source IPv6 address and with the following UDP values:
Source UDP port = 547
Destination UDP port = 547
The DHCPv6 server replies to the relay agent an IP address to the DHCP client, based on information in the GIADDR or in option 82, if configured to do so, and with the following UDP values:
Source UDP port = 547
Destination UDP port = 547
The DHCPv6 server replies to the relay agent with destination IPv6 address equal to DHCPv6 (RELAY-FW) source IPv6 address, and the following UDP values:
Source UDP port = 547
Destination UDP port = 547
The DHCP relay agent relays the DHCP Offer message to the DHCP client (either broadcast or unicast, based on the broadcast flag sent by the client).
Configuring DHCP relay for IPv6
To configure DHCP relay for a subinterface for IPv6:
-
Configure the addresses / FQDNs of the DHCPv6 servers.
-
Optionally configure the source IPv6 address for relay-forward messages sent to the servers.
-
Optionally configure whether information is included in the Interface-Id (option 18) and Remote Identifier (option 37) in relay-forward messages.
- Optionally configure whether the MAC address of the DHCP client is included in the Client Link-Layer Address (option 79) in the relay-forward messages.
Configure the DHCPv6 relay agent on a subinterface
The following example configures the DHCPv6 relay agent on a subinterface. The example configures the IP addresses / FQDNs of the remote DHCPv6 servers and specifies the address to be used as the source IPv6 address in packets sent to the servers.
The interface-id and remote-id options are configured, which causes the DHCP relay agent to include the system_name/VRF_instance/subinterface_id:vlan_id in Interface-Id (option 18) and the DHCPv6 client MAC address in the Remote Identifier (option 37).
The client-link-layer-address option is configured, which causes the DHCP relay agent to include the DHCPv6 client MAC address in the Client Link-Layer Address (option 79).
--{ * candidate shared default }--[ ]--
# info interface ethernet-1/2
interface ethernet-1/2 {
description dut1-dut4-1
subinterface 1 {
ipv6 {
admin-state enable
address 2001:db8:101::1/64 {
primary
}
address 2001:db8:202::1/64 {
}
dhcp-relay {
admin-state enable
source-address 2001:db8:101::1
option [
interface-id
remote-id
client-link-layer-address
]
server [
1::1
2::2
remoteserver.example.com
]
}
}
}
Specify the network-instance when the DHCP server network is in a different IP-VRF
If the DHCP server network is in a different IP-VRF network-instance from the Layer 3 subinterfaces that require DHCP relay (see DHCP relay using different IP-VRF or default network-instance), specify the network-instance in the configuration. For example:
--{ * candidate shared default }--[ ]--
# info interface ethernet-1/2
interface ethernet-1/2 {
description dut1-dut4-1
subinterface 1 {
ipv6 {
admin-state enable
address 2001:db8:101::1/64 {
primary
}
address 2001:db8:202::1/64 {
}
dhcp-relay {
network-instance ipvrf2
admin-state enable
source-address 2001:db8:101::1
option [
interface-id
remote-id
client-link-layer-address
]
server [
1::1
2::2
remoteserver.example.com
]
}
}
}
QoS for DHCP relay
Self-generated DHCP/DHCPv6 packets are mapped into forwarding class 4 (fc4), low drop probability level, and DSCP marking 34 (AF41).
DHCP relay operational down reasons
The DHCP relay agent can enter an operationally down state in the following scenarios:
The DHCP relay admin state is down.
The subinterface under which DHCP relay is configured is operationally down.
All DHCP servers configured within the network instance are unreachable.
The configured GIADDR for DHCP, or source-address for DHCPv6, does not match any of the configured IP addresses under the subinterface where DHCP relay is configured
The IP address is deleted under the subinterface.
Updating domain name resolution for DHCP-relay server FQDNs
If the DHCP relay configuration specifies a remote DHCP server using an FQDN instead of an IP address, SR Linux periodically refreshes the state of the domain to ensure the DHCP server name can be resolved. If the name of a DHCP server cannot be resolved, the DHCP relay agent does not send requests to that DHCP server until its name can be successfully resolved.
To manually cause an update of all domain name resolutions for DHCP servers configured for DHCP relay, use the tools system dhcp-relay update-dns-entries command.
--{ running }--[ ]--
# tools system dhcp-relay update-dns-entries
You can display the domain name resolutions with an info from state command. For example:
--{ running }--[ ]--
# info from state interface ethernet-1/1 subinterface 1 ipv4 dhcp-relay dns-resolution
interface ethernet-1/1 {
subinterface 1 {
ipv4 {
dhcp-relay {
dns-resolution {
server example.com {
resolved-ip-address 10.0.0.1
last-update "25 seconds ago"
}
}
}
}
}
}Displaying DHCP relay statistics
To display DHCP relay statistics, use the info from state command in candidate or running mode, or the info command in state mode.
IPv4
--{ * candidate shared default }--[ ]--
# info from state interface ethernet-1/16 subinterface 1 ipv4 dhcp-relay statistics
interface ethernet-1/16 {
subinterface 1 {
ipv4 {
dhcp-relay {
statistics {
client-packets-received 2
client-packets-relayed 2
client-packets-discarded 0
server-packets-received 2
server-packets-relayed 2
server-packets-discarded 0
}
}
}
}
}
IPv6
--{ * candidate shared default }--[ ]--
# info from state interface ethernet-1/16 subinterface 1 ipv6 dhcp-relay statistics
interface ethernet-1/16 {
subinterface 1 {
ipv6 {
dhcp-relay {
statistics {
client-packets-received 2
client-packets-relayed 2
client-packets-discarded 0
server-packets-received 2
server-packets-relayed 2
server-packets-discarded 0
}
}
}
}
}
Clearing DHCP relay statistics
You can clear the DHCP relay statistics counters for a specified subinterface.
--{ * candidate shared default }--[ ]--
# tools interface ethernet-1/2 subinterface 1 ipv4 dhcp-relay statistics clear
/interface[name=ethernet-1/2]/subinterface[index=1]:
subinterface ethernet-1/2.1 statistics cleared