DHCP relay

DHCP relay refers to the router's ability to act as an intermediary between DHCP clients requesting configuration parameters, such as a network address, and DHCP servers when the DHCP clients and DHCP servers are not attached to the same broadcast domain, or do not share the same IPv6 link (in the case of DHCPv6).

SR Linux supports DHCP relay for IRB subinterfaces and Layer 3 subinterfaces. Up to 8 DHCP or DHCPv6 servers are supported. The DHCP relay maximum packet size (including option 82 and vendor-specific options) is capped at 1500 bytes to avoid fragmentation on the Ethernet segment end attached to the DHCP server.

When DHCP relay is enabled for a subinterface, and a DHCP client initiates a request for configuration parameters, the router accepts the DHCP client's request and relays it to the remote DHCP server, which sends back the configuration parameters. The router relays the configuration parameters to the client.

The DHCP server network can be in the same IP-VRF network-instance of the Layer 3 subinterfaces that require DHCP relay (see DHCP relay for IRB and Layer 3 subinterfaces), or it can be in a different IP-VRF network-instance or the default network instance (see DHCP relay using different IP-VRF or default network-instance).

SR Linux supports DHCP relay for IPv4 and IPv6. This guide refers to DHCP for IPv4 as DHCP, and DHCP for IPv6 as DHCPv6.

Figure 1. DHCP relay for IRB and Layer 3 subinterfaces
Figure 2. DHCP relay using different IP-VRF or default network-instance

DHCP relay for IPv4

When DHCP relay is enabled, the router intercepts DHCP broadcast packets and unicasts them to a specified DHCP server for handling. By default, the source address for DHCP packets relayed to the server (GIADDR) is the IP address of the ingress subinterface where the DHCP relay agent is enabled, although a different GIADDR can be specified if necessary.

SR Linux supports DHCP option 82, the Relay Information Option, specified in RFC 3046, which allows the router to append information to DHCP requests relayed to the DHCP server, identifying where the original DHCP request came from. DHCP option 82 includes two sub-options: circuit-id and remote-id.

When configured to do so, SR Linux includes the following information in the circuit-id and remote-id sub-options of DHCP option 82:

  • For circuit-id, the system_name/VRF_instance/sub-interface_id:vlan_id of the ingress subinterface where the relay agent is enabled that receives the DHCP Discover message from the DHCP client.

  • For remote-id, the MAC address of the DHCP client.

DHCP message flow for IPv4 address allocation shows an example of the discovery, offer, request, and acknowledgment (DORA) message flow that occurs when DHCP relay assigns an address to a DHCP client.

Figure 3. DHCP message flow for IPv4 address allocation

The DORA message flow shown in DHCP message flow for IPv4 address allocation works as follows:

  1. The DHCP client sends a DHCP Discover (broadcast) message with the following values:

    • DA = FF:FF:FF:FF:FF:FF (broadcast)

    • SA = client MAC

    • SIP = 0.0.0.0

    • DIP = 255.255.255.255

    • Source UDP port = 68

    • Destination UDP port = 67

    The DHCP payload has the following values:

    • Broadcast flag = 1 (broadcast) or 0 (unicast)

    • Relay agent IP = 0.0.0.0

    • Client MAC = mac1

    • Parameter request list (option 55), which lists the items that the client requires from the DHCP server along with the IP address, such as subnet mask, router (gateway), and others

  2. The DHCP relay agent relays the DHCP Discover message toward the DHCP server (unicast). If configured to do so, information is added for the circuit ID and remote ID sub-options in DHCP option 82. The relayed packet is unicast toward the DHCP servers with the following values:

    • SIP = outgoing interface IP address by default. If the source-address is configured, the relayed packet instead has SIP = configured source-address

    • UDP source port = 67

    • UDP destination port = 67

    The DHCP payload has the following values:

    • Broadcast = 1 (broadcast) or 0 (unicast)

    • Relay agent IP (giaddr) = IP address of the ingress sub-interface where the relay agent is enabled

    • Client MAC = mac1

    • Relay agent information (option 82)

  3. The DHCP server assigns an IP address to the DHCP client, based on information in the GIADDR or in option 82, if configured to do so. The DHCP server sends a DHCP Offer message to the DHCP relay agent (unicast). The DHCP Offer message includes the IP address assigned to the DHCP client based on information in the GIADDR or in option 82.

    The DHCP Offer packet is unicast with the following values:

    • SIP = DHCP IP address

    • DIP = giaddr

    • UDP source port = 67

    • UDP destination port = 67

    The DHCP payload has the following values:

    • Broadcast flag = 1 (broadcast) or 0 (unicast).

    • Your (client) IP = IP address assigned by DHCP server

    • Agent IP = giaddr

    • Client MAC = mac1

    • DHCP identifier = DHCP server IP address

    • Option 82 (echoed back, and based on DHCP server configuration)

    • IP address Lease time (option 51)

    • Subnet mask (option 1)

    • Router (gateway) (option 3)

    • Others (DNS, Renewal Time value, Rebinding Time value, and so on)

  4. The DHCP relay agent relays the DHCP Offer message to the DHCP client (either broadcast or unicast, based on the broadcast flag sent by the client).

    The DHCP Offer message is relayed from the DHCP server toward the client with the following values:

    • DA = FF:FF:FF:FF:FF:FF (broadcast) OR Client MAC (unicast)

    • SIP = sub-interface IP address toward the client where DHCP relay agent is enabled

    • DIP = 255.255.255.255 (broadcast) OR Your (client) IP address (unicast)

    • Source UDP port = 67

    • Destination UDP port = 68

    The relay agent relays the DHCP Offer toward the client without option 82. It strips off option 82 if echoed back from DHCP server.

    The DHCP payload has the following values:

    • Broadcast flag = 1 (broadcast) or 0 (unicast).

    • Your (client) IP = IP address assigned by DHCP server

    • Agent IP = giaddr

    • Client MAC = mac1

    • DHCP identifier = DHCP server IP address

    • Option 82 (echoed back, and based on DHCP server configuration)

    • IP address Lease time (option 51)

    • Subnet mask (option 1)

    • Router (gateway) (option 3)

    • Others (DNS, Renewal Time value, Rebinding Time value, and so on.)

  5. The DHCP client sends a DHCP request message (broadcast) with the following values:

    • DA = FF:FF:FF:FF:FF:FF (broadcast)

    • SA = client MAC

    • SIP = 0.0.0.0

    • DIP = 255.255.255.255

    • Source UDP port = 68

    • Destination UDP port = 67

    The DHCP payload has the following values:

    • Broadcast flag = 1 (broadcast) or 0 (unicast).

    • Relay agent IP = 0.0.0.0

    • Client MAC = mac1

    • DHCP server identifier = DHCP server IP address

    • Requested IP (option 50)

    • Parameter request list (option 55), which lists the items that the client requires from the DHCP server along with the IP address, such as subnet mask, router (gateway), and others

  6. The DHCP relay agent relays the DHCP Request message toward the DHCP server (unicast). The relayed packet is unicast toward the DHCP servers, with the following values:

    • SIP = outgoing interface IP address by default. If source-address is configured, then the relayed packet has SIP = configured source-address.

    • UDP source port = 67

    • UDP destination port = 67

    The DHCP payload has the following values:

    • Broadcast flag = 1 (broadcast) or 0 (unicast).

    • Relay agent IP = giaddr

    • Client MAC = mac1

    • DHCP identifier = DHCP server IP address

    • Requested IP (option 50)

    • Relay agent Information (option 82) if configured under dhcp-relay

    • Parameter request list (option 55), which lists the items that the client requires from the DHCP server along with the IP address, such as subnet mask, router (gateway), and others

    • Vendor specific option (if configured)

  7. The DHCP server sends a DHCP Ack message to the DHCP relay agent (unicast). The DHCP Ack packet is unicast with the following values:

    • SIP = DHCP IP address

    • DIP = giaddr

    • UDP source port = 67

    • UDP destination port = 67

    The DHCP payload has the following values:

    • Broadcast flag, either 1 (broadcast), or 0 (unicast)

    • Your (client) IP = IP address assigned by DHCP server

    • Agent IP = giaddr

    • Client MAC = mac1

    • DHCP identifier = DHCP server IP address

    • Option 82 (echoed back and based on DHCP server configuration)

    • IP address Lease time (option 51)

    • Subnet mask (option 1)

    • Router (gateway) (option 3)

    • Others (DNS, Renewal Time value, Rebinding Time value, and so on.)

  8. Based on the broadcast flag sent by client, the DHCP Offer is relayed from the DHCP servers toward the client with the following values:

    • DA = FF:FF:FF:FF:FF:FF (broadcast) OR Client MAC (unicast)

    • SIP = sub-interface IP address toward the client where the DHCP relay agent is enabled

    • DIP = 255.255.255.255 (broadcast) OR Your (client) IP address (unicast)

    • Source UDP port = 67

    • Destination UDP port = 68

    The relay agent relays the DHCP Offer toward the client without option 82. It strips off option 82 if echoed back from the DHCP server.

    The DHCP payload has the following values:

    • Broadcast flag can be either 1 (broadcast), or 0 (unicast)

    • Your (client) IP = IP address assigned by DHCP server

    • Agent IP = giaddr

    • Client MAC = mac1

    • DHCP Server identifier (option 54) = DHCP server IP address

    • IP address lease time (option 51)

    • Subnet mask (option 1)

    • Router (gateway) (option 3)

    • Others (DNS, Renewal Time value, Rebinding Time value, and so on.)

When renewing or releasing an address, the DHCP client unicasts the DHCP Request or Release message to the DHCP server without involvement by the DHCP relay agent.

Configuring DHCP relay for IPv4

To configure DHCP relay for a subinterface:

  • Configure the addresses / FQDNs of the DHCP servers.

  • Optionally configure the source address for DHCP messages sent to the servers.

  • Configure whether information is added to the sub-options for DHCP option 82.

Configure the DHCP relay agent on a subinterface

The following example configures the DHCP relay agent on a subinterface. The example configures the IP addresses / FQDNs of the remote DHCP servers and specifies the address to be used as the GIADDR in packets sent to the servers.

The circuit-id and remote-id options are configured, which causes the DHCP relay agent to include the system_name/VRF_instance/sub-interface_id:vlan_id in the circuit-id sub-option and the DHCP client MAC address in the remote-id sub-option of DHCP option 82.

--{ * candidate shared default }--[  ]--
# info interface ethernet-1/2
    interface ethernet-1/2 {
        subinterface 1 {
            ipv4 {
                admin-state enable
                address 1.1.4.4/24 {
                }
                dhcp-relay {
                    option [
                        circuit-id
                        remote-id
                    ]
                    source-address 1.1.4.4
                    server [
                        172.16.32.1
                        172.16.64.1
                        192.168.1.1
                        remoteserver.example.com
                    ]
                }
            }
        }
    }

Specify the network-instance of the DHCP server

If the DHCP server network is in a different IP-VRF network-instance from the Layer 3 subinterfaces that require DHCP relay (see DHCP relay using different IP-VRF or default network-instance), specify the network-instance in the configuration. For example:

--{ * candidate shared default }--[  ]--
# info interface ethernet-1/2
    interface ethernet-1/2 {
        subinterface 1 {
            ipv4 {
                admin-state enable
                address 1.1.4.4/24 {
                }
                dhcp-relay {
                    network-instance ipvrf2
                    option [
                        circuit-id
                        remote-id
                    ]
                    source-address 1.1.4.4
                    server [
                        172.16.32.1
                        172.16.64.1
                        192.168.1.1
                        remoteserver.example.com
                    ]
                }
            }
        }
    }

Using the GIADDR as the source address for DHCP Discover/Request packets

By default, SR Linux uses the IP address of the outgoing interface as the source address for Discover/Request packets sent to the DHCP server. This behavior is not suitable for some configurations, such as when a firewall protecting the DHCP server allows connections from only a limited set of IP addresses. You can use the use-gi-addr-as-src-ip-addr parameter to cause SR Linux to use the GIADDR as the source address for Discover/Request packets sent to the DHCP server instead.

You can optionally configure the GIADDR address using the gi-address parameter. The configured GIADDR address can be a local IP address under the interface where DHCP relay is enabled, any loopback address within the same IP-VRF (if the DHCP server network is in this IP-VRF network-instance), or a loopback address defined in a different IP-VRF/default network-instance (if the DHCP server network is in different IP-VRF/default network-instance).

The following table shows the GIADDR and source address combinations.

Table 1. GIADDR and source address combinations

| gi-address parameter | use-gi-addr-as-src-ip-addr parameter | GIADDR in relayed packet | Source IP address in relayed packet |
|---|---|---|---|
| Not configured (default) | False (default) | Primary IP address of interface | IP address of outgoing interface |
| Configured | False (default) | Configured GIADDR | IP address of outgoing interface |
| Configured | True | Configured GIADDR | Configured GIADDR |
| Not configured (default) | True | Primary IP address of interface | Primary IP address of interface (because it is picked as the GIADDR) |

In the following example, the address specified with the gi-address parameter is used as the source address for Discover/Request packets sent to the DHCP server. If the gi-address parameter is not configured, then the default GIADDR (the primary IP address of the interface) is used.

--{ * candidate shared default }--[  ]--
# info interface ethernet-1/2
    interface ethernet-1/2 {
        subinterface 1 {
            ipv4 {
                admin-state enable
                address 172.16.1.1/24 {
                    primary
                }
                address 172.16.2.1/24 {
                }
                dhcp-relay {
                    admin-state enable
                    gi-address 172.16.2.1
                    use-gi-addr-as-src-ip-addr true
                    option [
                        circuit-id
                        remote-id
                    ]
                    server [
                        1.1.1.1
                        2.2.2.2
                    ]
                }
            }
        }
    }

Trusted and untrusted DHCP requests

If the DHCP relay agent receives a DHCP request and the downstream node added option 82 information or set the GIADDR to any value other than 0, the DHCP request is considered to be untrusted. By default, the router drops any untrusted DHCP request and discards the DHCP packets, as described in RFC 3046. SR Linux supports untrusted mode only. The DHCP relay agent discards DHCP packets traveling from the client to server side under the following conditions:

  • The DHCP packet includes option 82.

  • The DHCP packet has a GIADDR value that is not 0.

The DHCP relay agent discards DHCP packets traveling from the server to client side under the following conditions:

  • The circuit-id or remote-id are not enabled on the relay interface, but are present in the packet.

  • The GIADDR value in the DHCP packet does not match the GIADDR value on the relay interface.

  • There is no matching entry in the cache.
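The discard rules above can be exercised against constructed packets. The following Python is an added example, not SR Linux code: the cache key (transaction ID plus client MAC), the order in which the checks are applied, the ASCII encoding of the circuit-id, and all helper names are assumptions.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
OPT_RELAY_INFO, SUB_CIRCUIT_ID, SUB_REMOTE_ID = 82, 1, 2


def tlv(items):
    """Encode (code, value) pairs as 1-byte code, 1-byte length, value."""
    return b"".join(bytes([code, len(val)]) + val for code, val in items)


def build(op, xid, giaddr, mac, options):
    """Build a minimal BOOTP/DHCP message (used only for constructed input)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0x8000,
                      bytes(4), bytes(4), bytes(4),
                      ipaddress.IPv4Address(giaddr).packed, mac, b"", b"")
    return hdr + MAGIC + tlv(options) + b"\xff"


def walk(buf, top_level=True):
    """Yield (code, value) pairs; raise on a truncated TLV instead of guessing."""
    i = 0
    while i < len(buf):
        code = buf[i]
        if top_level and code == 255:  # End option
            return
        if top_level and code == 0:    # Pad option
            i += 1
            continue
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated option")
        yield code, buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]


def parse(pkt):
    """Return (xid, giaddr, client MAC, {option code: value})."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    xid = struct.unpack("!I", pkt[4:8])[0]
    return xid, str(ipaddress.IPv4Address(pkt[24:28])), pkt[28:34], dict(walk(pkt[240:]))


def client_to_server(pkt, cache):
    """Untrusted-mode checks on a packet arriving from the client side."""
    xid, giaddr, mac, opts = parse(pkt)
    if OPT_RELAY_INFO in opts:
        return "discard: option 82 present"
    if giaddr != "0.0.0.0":
        return "discard: GIADDR is not 0"
    cache.add((xid, mac))  # assumed cache key: (transaction ID, client MAC)
    return "relay"


def server_to_client(pkt, relay_giaddr, enabled_subopts, cache):
    """Checks on a packet arriving from the server side."""
    xid, giaddr, mac, opts = parse(pkt)
    present = {c for c, _ in walk(opts.get(OPT_RELAY_INFO, b""), False)
               if c in (SUB_CIRCUIT_ID, SUB_REMOTE_ID)}
    if present - enabled_subopts:
        return "discard: sub-option not enabled on relay interface"
    if giaddr != relay_giaddr:
        return "discard: GIADDR mismatch"
    if (xid, mac) not in cache:
        return "discard: no matching cache entry"
    return "relay"


MAC1 = bytes.fromhex("020000000001")  # constructed client MAC ("mac1")
# Constructed option 82 payload; the ASCII circuit-id encoding is an assumption.
OPT82 = tlv([(SUB_CIRCUIT_ID, b"srl1/ipvrf1/ethernet-1/2.1:0"), (SUB_REMOTE_ID, MAC1)])
GI = "1.1.4.4"  # relay GIADDR, taken from the page's configuration example


def demo():
    """Run constructed Discover and Offer packets through both directions."""
    cache, both, d, o = set(), {SUB_CIRCUIT_ID, SUB_REMOTE_ID}, (53, b"\x01"), (53, b"\x02")
    up = [client_to_server(build(1, 0x1001, "0.0.0.0", MAC1, [d]), cache),
          client_to_server(build(1, 0x1002, "0.0.0.0", MAC1, [d, (82, OPT82)]), cache),
          client_to_server(build(1, 0x1003, "10.9.9.9", MAC1, [d]), cache)]
    offer = build(2, 0x1001, GI, MAC1, [o, (82, OPT82)])
    down = [server_to_client(offer, GI, both, cache),
            server_to_client(offer, GI, set(), cache),
            server_to_client(build(2, 0x1001, "1.1.5.5", MAC1, [o]), GI, both, cache),
            server_to_client(build(2, 0x2222, GI, MAC1, [o]), GI, both, cache)]
    return up, down
```

A rising client-packets-discarded or server-packets-discarded counter in the relay statistics is the operational signal that one of these conditions is being hit.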

DHCP relay for IPv6

DHCP relay for IPv6 works similarly to IPv4. However, in DHCPv6, the DHCP Discover, Offer, and Ack messages are replaced by Solicit messages sent by clients, and Advertise and Reply messages sent by servers.

The DHCPv6 relay agent relays messages between clients and remote servers using Relay-Forward (client-to-server) and Relay-Reply (server-to-client) message types. DHCP option 82 is replaced in DHCPv6 by Interface-Id (option 18) and Remote Identifier (option 37), appended by relay agents.

You can optionally configure the DHCPv6 relay agent to include the client's MAC address in Client Link-Layer Address (option 79). This can be useful for dual-stack clients, where a client is using both DHCPv4 and DHCPv6, and the client's MAC address is being used as an identifier for DHCPv4.
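The Relay-Forward encapsulation and the dual-stack correlation described above can be shown with a small encoder and parser. This Python is an added example, not SR Linux code; it uses the standard wire formats (Relay-Forward header from RFC 8415, Remote-ID from RFC 4649, Client Link-Layer Address from RFC 6939). The enterprise number, interface-id string, addresses other than 2001:db8:101::1, and function names are constructed placeholders.

```python
import ipaddress
import struct

RELAY_FORW = 12
OPT_RELAY_MSG, OPT_INTERFACE_ID, OPT_REMOTE_ID, OPT_CLIENT_LLADDR = 9, 18, 37, 79
ETHERNET = 1                      # link-layer (hardware) type carried in option 79
ENTERPRISE_PLACEHOLDER = 0        # placeholder; the page does not give the real value


def opt(code, data):
    """Encode one DHCPv6 option: 2-byte code, 2-byte length, data."""
    return struct.pack("!HH", code, len(data)) + data


def relay_forward(client_msg, link_addr, peer_addr, mac, interface_id):
    """Wrap a client message in Relay-Forward with options 18, 37, 79 and 9."""
    hdr = bytes([RELAY_FORW, 0])  # msg-type, hop-count
    hdr += ipaddress.IPv6Address(link_addr).packed
    hdr += ipaddress.IPv6Address(peer_addr).packed
    return (hdr
            + opt(OPT_INTERFACE_ID, interface_id)
            + opt(OPT_REMOTE_ID, struct.pack("!I", ENTERPRISE_PLACEHOLDER) + mac)
            + opt(OPT_CLIENT_LLADDR, struct.pack("!H", ETHERNET) + mac)
            + opt(OPT_RELAY_MSG, client_msg))


def parse_relay_forward(pkt):
    """Extract the relay-added identifiers; reject truncated input."""
    if len(pkt) < 34 or pkt[0] != RELAY_FORW:
        raise ValueError("not a Relay-Forward message")
    info = {"hop_count": pkt[1],
            "link_address": str(ipaddress.IPv6Address(pkt[2:18])),
            "peer_address": str(ipaddress.IPv6Address(pkt[18:34]))}
    i = 34
    while i < len(pkt):
        if i + 4 > len(pkt):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", pkt[i:i + 4])
        data = pkt[i + 4:i + 4 + length]
        if len(data) != length:
            raise ValueError("truncated option")
        if code == OPT_INTERFACE_ID:
            info["interface_id"] = data
        elif code == OPT_REMOTE_ID and length >= 4:
            info["remote_id"] = data[4:]          # skip the enterprise number
        elif code == OPT_CLIENT_LLADDR and length >= 2:
            info["client_mac"] = data[2:]         # skip the link-layer type
        elif code == OPT_RELAY_MSG and data:
            info["client_msg_type"] = data[0]
        i += 4 + length
    return info


def same_client(v4_remote_id, relay_forw):
    """Dual-stack correlation: option 79 MAC equals the DHCPv4 remote-id MAC."""
    return parse_relay_forward(relay_forw).get("client_mac") == v4_remote_id


# Constructed sample input.
MAC1 = bytes.fromhex("020000000001")
SOLICIT = b"\x01\xab\xcd\xef"     # msg-type 1 (Solicit) + 3-byte transaction ID


def demo():
    """Encode a constructed Solicit in Relay-Forward and parse it back."""
    pkt = relay_forward(SOLICIT, "2001:db8:101::1", "fe80::ff:fe00:1",
                        MAC1, b"srl1/ipvrf1/ethernet-1/2.1:0")
    return pkt, parse_relay_forward(pkt)
```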

DHCPv6 message flow for IPv6 address allocation shows the DHCPv6 message flow. DHCPv6 renew message flow and DHCPv6 release message flow show the renew and release flows.

Figure 4. DHCPv6 message flow for IPv6 address allocation

When assigning an address to a DHCP client, DHCP relay for IPv6 works as follows:

  1. The DHCPv6 client sends Solicit/Request messages using its link-local address as the source IPv6 address, the IPv6 multicast address FF02::1:2 as the destination IPv6 address, and 33:33:00:01:00:02 as the destination MAC address, with the following UDP values:

    • source UDP port = 546

    • destination UDP port = 547

  2. The DHCPv6 relay agent uses a Relay-Forw message to relay the Solicit message toward the DHCPv6 server, using the outbound IPv6 address of the DHCPv6 relay agent as the source IPv6 address and with the following UDP values:

    • Source UDP port = 547

    • Destination UDP port = 547

  3. The DHCPv6 server replies to the relay agent with an IP address for the DHCP client, based on information in the GIADDR or in option 82, if configured to do so, and with the following UDP values:

    • Source UDP port = 547

    • Destination UDP port = 547

  4. The DHCPv6 server replies to the relay agent with the destination IPv6 address equal to the source IPv6 address of the DHCPv6 Relay-Forw message, and with the following UDP values:

    • Source UDP port = 547

    • Destination UDP port = 547

  5. The DHCP relay agent relays the DHCP Offer message to the DHCP client (either broadcast or unicast, based on the broadcast flag sent by the client).

Figure 5. DHCPv6 renew message flow
Figure 6. DHCPv6 release message flow

Configuring DHCP relay for IPv6

To configure DHCP relay for a subinterface for IPv6:

  • Configure the addresses / FQDNs of the DHCPv6 servers.

  • Optionally configure the source IPv6 address for relay-forward messages sent to the servers.

  • Optionally configure whether information is included in the Interface-Id (option 18) and Remote Identifier (option 37) in relay-forward messages.

  • Optionally configure whether the MAC address of the DHCP client is included in the Client Link-Layer Address (option 79) in the relay-forward messages.

Configure the DHCPv6 relay agent on a subinterface

The following example configures the DHCPv6 relay agent on a subinterface. The example configures the IP addresses / FQDNs of the remote DHCPv6 servers and specifies the address to be used as the source IPv6 address in packets sent to the servers.

The interface-id and remote-id options are configured, which causes the DHCP relay agent to include the system_name/VRF_instance/subinterface_id:vlan_id in Interface-Id (option 18) and the DHCPv6 client MAC address in the Remote Identifier (option 37).

The client-link-layer-address option is configured, which causes the DHCP relay agent to include the DHCPv6 client MAC address in the Client Link-Layer Address (option 79).

--{ * candidate shared default }--[  ]--
# info interface ethernet-1/2
    interface ethernet-1/2 {
        description dut1-dut4-1
        subinterface 1 {
            ipv6 {
                admin-state enable
                address 2001:db8:101::1/64 {
                    primary
                }
                address 2001:db8:202::1/64 {
                }
                dhcp-relay {
                    admin-state enable
                    source-address 2001:db8:101::1
                    option [
                        interface-id
                        remote-id
                        client-link-layer-address
                    ]
                    server [
                        1::1
                        2::2
                        remoteserver.example.com
                    ]
                }
            }
        }
    }

Specify the network-instance when the DHCP server network is in a different IP-VRF

If the DHCP server network is in a different IP-VRF network-instance from the Layer 3 subinterfaces that require DHCP relay (see DHCP relay using different IP-VRF or default network-instance), specify the network-instance in the configuration. For example:

--{ * candidate shared default }--[  ]--
# info interface ethernet-1/2
    interface ethernet-1/2 {
        description dut1-dut4-1
        subinterface 1 {
            ipv6 {
                admin-state enable
                address 2001:db8:101::1/64 {
                    primary
                }
                address 2001:db8:202::1/64 {
                }
                dhcp-relay {
                    network-instance ipvrf2
                    admin-state enable
                    source-address 2001:db8:101::1
                    option [
                        interface-id
                        remote-id
                        client-link-layer-address
                    ]
                    server [
                        1::1
                        2::2
                        remoteserver.example.com
                    ]
                }
            }
        }
    }

QoS for DHCP relay

Self-generated DHCP/DHCPv6 packets are mapped into forwarding class 4 (fc4), low drop probability level, and DSCP marking 34 (AF41).

DHCP relay operational down reasons

The DHCP relay agent can enter an operationally down state in the following scenarios:

  • The DHCP relay admin state is down.

  • The subinterface under which DHCP relay is configured is operationally down.

  • All DHCP servers configured within the network instance are unreachable.

  • The configured GIADDR for DHCP, or source-address for DHCPv6, does not match any of the configured IP addresses under the subinterface where DHCP relay is configured.

  • The IP address is deleted under the subinterface.

Updating domain name resolution for DHCP-relay server FQDNs

If the DHCP relay configuration specifies a remote DHCP server using an FQDN instead of an IP address, SR Linux periodically refreshes the state of the domain to ensure the DHCP server name can be resolved. If the name of a DHCP server cannot be resolved, the DHCP relay agent does not send requests to that DHCP server until its name can be successfully resolved.

To manually cause an update of all domain name resolutions for DHCP servers configured for DHCP relay, use the tools system dhcp-relay update-dns-entries command.

--{ running }--[  ]--
# tools system dhcp-relay update-dns-entries

You can display the domain name resolutions with an info from state command. For example:

--{ running }--[  ]--
# info from state interface ethernet-1/1 subinterface 1 ipv4 dhcp-relay dns-resolution
    interface ethernet-1/1 {
        subinterface 1 {
            ipv4 {
                dhcp-relay {
                    dns-resolution {
                        server example.com {
                            resolved-ip-address 10.0.0.1
                            last-update "25 seconds ago"
                        }
                    }
                }
            }
        }
    }

Displaying DHCP relay statistics

To display DHCP relay statistics, use the info from state command in candidate or running mode, or the info command in state mode.

IPv4

--{ * candidate shared default }--[  ]--
# info from state interface ethernet-1/16 subinterface 1 ipv4 dhcp-relay statistics
    interface ethernet-1/16 {
        subinterface 1 {
            ipv4 {
                dhcp-relay {
                    statistics {
                        client-packets-received 2
                        client-packets-relayed 2
                        client-packets-discarded 0
                        server-packets-received 2
                        server-packets-relayed 2
                        server-packets-discarded 0
                    }
                }
            }
        }
    }

IPv6

--{ * candidate shared default }--[  ]--
# info from state interface ethernet-1/16 subinterface 1 ipv6 dhcp-relay statistics
    interface ethernet-1/16 {
        subinterface 1 {
            ipv6 {
                dhcp-relay {
                    statistics {
                        client-packets-received 2
                        client-packets-relayed 2
                        client-packets-discarded 0
                        server-packets-received 2
                        server-packets-relayed 2
                        server-packets-discarded 0
                    }
                }
            }
        }
    }

Clearing DHCP relay statistics

You can clear the DHCP relay statistics counters for a specified subinterface.

--{ * candidate shared default }--[  ]--
# tools interface ethernet-1/2 subinterface 1 ipv4 dhcp-relay statistics clear
/interface[name=ethernet-1/2]/subinterface[index=1]:
subinterface ethernet-1/2.1 statistics cleared