
DHCP Relay

In This Section:

DHCP Services

DHCP Services Initial Setup - Management Servers

Configuring DHCP Relay on the Security Gateway - Gaia Portal

Configuring DHCP Relay on the Security Gateway - Gaia Clish (bootp)

BOOTP/DHCP Parameters

Monitoring BOOTP - Gaia Clish (show bootp)

Configuring DHCP Security Policy

BOOTP/DHCP Relay extends Bootstrap Protocol (BOOTP) and Dynamic Host Configuration Protocol (DHCP) operations across multiple hops in a routed network. In standard BOOTP, all interfaces on a LAN are loaded from a single configuration server on the LAN. BOOTP Relay allows configuration requests to be forwarded to, and serviced from, configuration servers outside the LAN.

BOOTP/DHCP Relay offers these advantages over standard BOOTP/DHCP:

The Gaia implementation of BOOTP Relay complies with RFC 951, RFC 1542, and RFC 2131. BOOTP Relay supports Ethernet and IEEE 802 LANs (802.3 and FDDI) with canonical MAC byte ordering, for clients that set the BOOTP hardware type field to htype=1.

When an interface configured for BOOTP Relay receives a boot request, it first waits the configured time for a local server to answer, then forwards the request to all the servers in its server list. Before forwarding, it stamps the request's gateway address field (giaddr) with the primary IP address, if one is specified, or otherwise with the lowest numeric IP address configured on the interface. The server uses that stamped address both to select the scope it allocates from and as the destination of its reply, so the address must be one the server can route to.

DHCP Services

To allow the DHCP relay traffic, it is necessary to configure explicit Security Policy rules with the DHCP relay services.

Such explicit Rule Base configuration is required for these reasons:

  • For Gateways that are R77.20 or higher, the applicable DHCP services are the new DHCP services: dhcp-request and dhcp-reply. The procedures in this chapter are written for these new services. For Gateways that are older than R77.20, refer to sk98839.

  • For DHCPv6, the services are dhcpv6-request, dhcpv6-reply and dhcpv6-relay.

DHCP Services Initial Setup - Management Servers

This procedure shows how to configure the DHCP services on the Security Management Server or the Multi-Domain Server.

To configure the new DHCP services on the server:

  1. Connect to the command line on the Security Management Server or the Multi-Domain Server (over SSH, or console). 
  2. Log in to Expert mode. 
  3. Examine the contents of all the related table.def files. These files are in $FWDIR/lib, and possibly in other locations, such as the backward-compatibility sub-directories. For the file locations, refer to sk98339.

    [Expert@HostName:0]# grep -E "no_hide_services_ports|no_fold_services_ports" /path_to_relevant/table.def

  4. If UDP port 67 and UDP port 68 are configured in the no_hide_services_ports or the no_fold_services_ports tables, edit the related table.def file and remove these ports.

    [Expert@HostName:0]# vi /path_to_relevant/table.def

    Change from:

    no_hide_services_ports = { <4500,17>, <500,17>, <259,17>, <1701,17>, ..., <68,17>, <67,17> }

    no_fold_services_ports = { <4500,17>, <500,17>, <259,17>, <1701,17>, ..., <68,17>, <67,17> }

    To:

    no_hide_services_ports = { <4500,17>, <500,17>, <259,17>, <1701,17>, ... }

    no_fold_services_ports = { <4500,17>, <500,17>, <259,17>, <1701,17>, ... }

    Note - These table changes are only necessary if one or more VSX or ClusterXL clusters run DHCP Relay. You can skip it if DHCP Relay is only used on VRRP clusters or stand-alone Security Gateways.

  5. Install Policy.
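Steps 3 and 4 above as a script, as an added example that is not Check Point's code: it reports which of the two tables in a table.def still list UDP ports 67 and 68 (protocol 17) and, on request, rewrites the file without those entries and keeps a .bak copy. The sample file content is constructed for the example. The script assumes each table definition sits on one line, as in the excerpt above; a definition split across lines must be joined first. Run it in Expert mode against every table.def that sk98339 lists for your version, and install policy afterwards as in step 5.

```python
"""Added example, not Check Point code: table.def check (step 3) and edit (step 4)."""
import re
import shutil
import sys

TABLES = ("no_hide_services_ports", "no_fold_services_ports")
DHCP_ENTRIES = {"<67,17>", "<68,17>"}      # <port,protocol>: UDP 67 and UDP 68

# Constructed excerpt for this example, not a real table.def from a server.
SAMPLE_TABLE_DEF = """\
// constructed excerpt, not a real table.def
no_hide_services_ports = { <4500,17>, <500,17>, <259,17>, <1701,17>, <68,17>, <67,17> };
no_fold_services_ports = { <4500,17>, <500,17>, <259,17>, <1701,17>, <68,17>, <67,17> };
other_services_table = { <67,17>, <68,17> };
"""


def _table_re(name):
    # "name = { entries }" on one line; whatever follows the closing brace is kept as-is
    return re.compile(rf"^([ \t]*{name}[ \t]*=[ \t]*)\{{(.*?)\}}", re.M)


def _entries(body):
    # split on the commas between entries, not on the comma inside "<port,proto>"
    return [t.strip() for t in re.split(r",(?![^<]*>)", body) if t.strip()]


def _is_dhcp(entry):
    return re.sub(r"\s+", "", entry) in DHCP_ENTRIES


def dhcp_ports_in_tables(text):
    """Step 3: {table: [offending entries]} for the tables that still carry UDP 67/68."""
    found = {}
    for name in TABLES:
        m = _table_re(name).search(text)
        if m:
            hits = [e for e in _entries(m.group(2)) if _is_dhcp(e)]
            if hits:
                found[name] = hits
    return found


def strip_dhcp_ports(text):
    """Step 4: the same text with <67,17> and <68,17> removed from the two tables only."""
    def rewrite(m):
        kept = [e for e in _entries(m.group(2)) if not _is_dhcp(e)]
        return m.group(1) + "{ " + ", ".join(kept) + " }"
    for name in TABLES:
        text = _table_re(name).sub(rewrite, text)
    return text


def fix_file(path, write=False):
    """Report, and with write=True rewrite, one table.def; returns the step-3 findings."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    found = dhcp_ports_in_tables(text)
    if found and write:
        shutil.copyfile(path, path + ".bak")    # keep the original next to the file
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(strip_dhcp_ports(text))
    return found


if __name__ == "__main__":
    # usage: python3 fix_table_def.py [--write] /path_to_relevant/table.def ...
    args = sys.argv[1:]
    paths = [a for a in args if a != "--write"]
    if not paths:
        print(dhcp_ports_in_tables(SAMPLE_TABLE_DEF))   # demo on the constructed sample
    for path in paths:
        print(path, fix_file(path, write="--write" in args) or "clean")
```

Only the two named tables are touched; an entry for the same ports in any other table is left alone, and running the script twice leaves the file unchanged.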

Configuring DHCP Relay on the Security Gateway - Gaia Portal

Use the Portal to enable BOOTP/DHCP Relay on each interface. If the interface is enabled for relay, you can set up a number of servers to which to forward BOOTP/DHCP requests.

To enable BOOTP/DHCP relay on an Interface

  1. Open the Advanced Routing > DHCP Relay page of the Portal.
  2. Click Add.

    The Add BOOTP/DHCP Relay window opens.

  3. Select the Interface on which you want to enable BOOTP/DHCP Relay.
  4. Optional: Enter values for one or more of these parameters:
    • Primary Address
    • Wait Time
  5. Define the IPv4 address of each BOOTP/DHCP server to which the interface forwards requests (the Relay to Server entries). For each server:
    1. Click Add.
    2. In the Add Relay window, enter the IPv4 address of the server.
    3. Click OK.
  6. Click Save.

To disable BOOTP/DHCP relay on an interface

  1. Open the Advanced Routing > DHCP Relay page of the Portal.
  2. Select an interface.
  3. Click Delete.

Configuring DHCP Relay on the Security Gateway - Gaia Clish (bootp)

Use these commands to configure BOOTP properties for specific interfaces.

set bootp interface <if_name>
	primary ip_address wait-time <0-65535> on
	relay-to ip_address <on | off>
	off

Parameter

Description

primary ip_address wait-time <0-65535> on

The ip_address to stamp as the gateway address on all BOOTP requests.

The wait-time value is the minimum number of seconds to wait before forwarding a bootp request. A client-generated bootp request carries, in its secs field, the time elapsed since the client began to boot. The bootp relay does not forward the request until that elapsed time at least equals the specified wait time. This delay lets a local configuration server reply before the request is relayed to a remote server.

relay-to ip_address <on | off>

The server to which BOOTP requests are forwarded. You can specify more than one server.

off

Disables BOOTP on the specified interface.

BOOTP/DHCP Parameters

Parameter

Description

Primary Address

The IP address to use as the BOOTP/DHCP gateway address (giaddr). If you enter an IP address, all BOOTP/DHCP requests received on the interface are stamped with this gateway address. This is useful on interfaces with multiple IP addresses (aliases), because the server selects the address scope, and addresses its reply, according to this field.

Wait Time

The minimum time to wait (in seconds) for a local configuration server to answer the boot request before forwarding the request through the interface. This delay provides an opportunity for a local configuration server to reply before attempting to relay to a remote server. Set the wait time to a sufficient length to allow the local configuration server to respond before the request is forwarded. If no local server is present, set the time to zero (0).

Relay to Server

The IPv4 address of the BOOTP/DHCP configuration server to which to forward BOOTP/DHCP requests. You can configure relay to multiple configuration servers independently on each interface. Configuring different servers on different interfaces provides load balancing, while configuring multiple servers on a single interface provides redundancy. The server IPv4 address cannot be an address belonging to the local machine.
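The relay behaviour described at the start of this chapter (wait for a local server, stamp the gateway address, fan out to the server list) and the Primary Address, Wait Time and Relay to Server parameters above, as an added example that is not Check Point's code. It parses a constructed BOOTP/DHCP request (RFC 951 / RFC 2131 header layout, options not inspected) and applies the relay decisions to it. The RelayInterface class, its argument names, and the constructed addresses are assumptions made for illustration; the hop-count checks follow RFC 1542, which the chapter says Gaia complies with, rather than anything documented on this page.

```python
"""Added example, not Check Point code: the relay decisions this chapter describes."""
import ipaddress
import struct

# op(1) htype(1) hlen(1) hops(1) xid(4) secs(2) flags(2) ciaddr/yiaddr/siaddr/giaddr(4 each)
# chaddr(16) sname(64) file(128): fixed BOOTP/DHCP header, RFC 2131 section 2.
BOOTP_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
BOOTREQUEST = 1
HTYPE_ETHERNET = 1              # the hardware type the chapter says relay supports
HOPS_OFFSET, GIADDR_OFFSET = 3, 24
MAX_HOPS = 16                   # RFC 1542 section 4.1.1: discard above this
ZERO_IP = ipaddress.IPv4Address("0.0.0.0")


def parse_bootp(pkt):
    """Return the header fields this example needs."""
    if len(pkt) < BOOTP_HDR.size:
        raise ValueError("truncated BOOTP/DHCP header")
    f = BOOTP_HDR.unpack_from(pkt)
    return {"op": f[0], "htype": f[1], "hops": f[3], "xid": f[4], "secs": f[5],
            "ciaddr": ipaddress.IPv4Address(f[7]),
            "giaddr": ipaddress.IPv4Address(f[10]),
            "chaddr": f[11][:f[2]]}


def build_request(secs, giaddr="0.0.0.0", hops=0):
    """Constructed BOOTREQUEST (DHCPDISCOVER-shaped, no options) for the demo."""
    mac = bytes.fromhex("001122334455")        # constructed client MAC
    z = b"\0" * 4
    return BOOTP_HDR.pack(BOOTREQUEST, HTYPE_ETHERNET, len(mac), hops, 0x3903F326,
                          secs, 0x8000, z, z, z, ipaddress.IPv4Address(giaddr).packed,
                          mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)


class RelayInterface:
    """One interface with relay enabled: the Portal / 'set bootp' settings (assumed model)."""

    def __init__(self, addresses, relay_to, primary=None, wait_time=0):
        self.addresses = [ipaddress.IPv4Address(a) for a in addresses]
        self.relay_to = [ipaddress.IPv4Address(s) for s in relay_to]
        self.primary = ipaddress.IPv4Address(primary) if primary else None
        self.wait_time = wait_time
        if not self.addresses or not self.relay_to:
            raise ValueError("interface needs at least one address and one server")
        for s in self.relay_to:
            if s in self.addresses:            # chapter: server cannot be a local address
                raise ValueError(f"relay-to server {s} is a local address")

    def gateway_address(self):
        """Primary Address if set, else the lowest numeric address on the interface."""
        return self.primary if self.primary is not None else min(self.addresses)

    def relay(self, pkt):
        """Return [(server, forwarded_packet), ...]; [] when the request is not relayed."""
        h = parse_bootp(pkt)
        if h["op"] != BOOTREQUEST or h["htype"] != HTYPE_ETHERNET:
            return []
        if h["hops"] > MAX_HOPS:               # RFC 1542 loop protection
            return []
        if h["secs"] < self.wait_time:         # Wait Time: let a local server answer first
            return []
        out = bytearray(pkt)
        out[HOPS_OFFSET] = h["hops"] + 1       # RFC 1542: each relay increments hops
        if h["giaddr"] == ZERO_IP:             # stamp only a not-yet-relayed request
            out[GIADDR_OFFSET:GIADDR_OFFSET + 4] = self.gateway_address().packed
        return [(server, bytes(out)) for server in self.relay_to]


if __name__ == "__main__":
    iface = RelayInterface(["10.1.1.254", "10.1.1.250"],
                           ["192.0.2.10", "192.0.2.11"], wait_time=4)
    print("secs=0:", iface.relay(build_request(0)))            # held back for a local server
    for server, pkt in iface.relay(build_request(5)):
        print("secs=5:", server, "giaddr", parse_bootp(pkt)["giaddr"])
```

With two addresses on the interface and no Primary Address, the request is stamped with 10.1.1.250, the lower of the two; a request that already carries a giaddr from an upstream relay is forwarded with that value untouched, which is why the stamped address must be one the server can reach and allocate for.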

Monitoring BOOTP - Gaia Clish (show bootp)

Use this group of commands to monitor and troubleshoot the BOOTP implementation.

show bootp
	interfaces
	interface <if_name>
	stats
	stats receive
	stats request
	stats reply

Configuring DHCP Security Policy

You configure the DHCP services on these ports:

To configure DHCP Security Policy:

  1. In SmartDashboard, go to the Policy menu > Global Properties > Firewall.

    If the implied rule Accept outgoing packets originating from gateway is selected, set its position in the drop-down menu to Last or Before Last.

  2. Create a new host object for the DHCP server.
    1. Enter the object name.
    2. Enter the IPv4 address of the DHCP server.
    3. Click OK.
  3. Create a new host object for the Global Broadcast.

    The New Host window opens.

    1. Enter the object name
    2. Enter the IPv4 Address of 255.255.255.255.
    3. Click OK.
  4. Create a new Client Network object.
    1. Enter the object name.
    2. Enter the Network address and Net mask, to which the DHCP clients are connected.
    3. Click OK.
  5. Make sure that the legacy DHCP configuration does not exist:
    1. Delete/disable all security rules for DHCP traffic that use these legacy services:
      • bootp
      • dhcp-relay
      • dhcp-req-localmodule
      • dhcp-rep-localmodule
    2. Delete/disable all manual NAT rules for legacy DHCP configuration. For more about NAT rules, see sk97566.
  6. Configure the required Security Policy rules with the new DHCP services (dhcp-request and dhcp-reply).

    Note - In the rules below, <DHCP_Relay> stands for the object of the Security Gateway that runs DHCP Relay. Use that Security Gateway's object name in the rules.

    An example for a Rule Base with the DHCP relay services:

    Source IP                    | Destination IP                   | Service      | Action | Description of the rule
    -----------------------------+----------------------------------+--------------+--------+------------------------
    Any                          | Global_Broadcast                 | dhcp-request | Accept | Source IP must be Any: a client that has no address yet sends its request from 0.0.0.0, and a host object with the value 0.0.0.0 does not match.
    <DHCP_Relay>, Client_Network | DHCP_Server                      | dhcp-request | Accept | In some situations (for example, lease renewal) the DHCP client sends requests directly to the DHCP Server.
    <DHCP_Relay>                 | Client_Network, Global_Broadcast | dhcp-reply   | Accept | The replies can be unicast or broadcast, depending on the DHCP client options.
    DHCP_Server                  | Client_Network, Global_Broadcast | dhcp-reply   | Accept | The replies can be unicast or broadcast, depending on the DHCP client options. In some situations the DHCP server sends replies directly to the DHCP client.

  7. Install Policy on the related Security Gateways.