BOOTP/DHCP Relay extends Bootstrap Protocol (BOOTP) and Dynamic Host Configuration Protocol (DHCP) operations across multiple hops in a routed network. In standard BOOTP, all interfaces on a LAN are loaded from a single configuration server on the LAN. BOOTP Relay allows configuration requests to be forwarded to, and serviced from, configuration servers outside the LAN.
BOOTP/DHCP Relay offers these advantages over standard BOOTP/DHCP:
The Gaia implementation of BOOTP Relay is compliant with RFC 951, RFC 1542, and RFC 2131. BOOTP Relay supports Ethernet and IEEE 802 LANs that use canonical MAC byte ordering, for clients that specify BOOTP htype=1 (802.3 and FDDI).
When an interface configured for BOOTP Relay receives a boot request, it forwards the request to all the servers in its server list. It does this after waiting a specified length of time for a local server to answer the boot request. If a primary IP is specified, it stamps the request with that address. Otherwise, it stamps the request with the lowest numeric IP address specified for the interface.
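The relay decision described above, as an added Python model that is not code from the Gaia guide or from Check Point: it parses the fixed BOOTP/DHCP header of a request, waits until the client's elapsed-time field (secs) reaches the configured wait time, stamps the gateway address (giaddr) with the primary IP or else the lowest interface IP, and returns one copy per configured server. All addresses and the sample packet are constructed; the hop-count limit and the rule that a non-zero giaddr is left untouched come from RFC 1542, not from this page.

```python
import ipaddress
import struct

# Fixed BOOTP/DHCP header (RFC 951 / RFC 2131): op, htype, hlen, hops, xid, secs,
# flags, ciaddr, yiaddr, siaddr, giaddr, chaddr. sname, file and options follow it.
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s"
BOOTP_HDR_LEN = struct.calcsize(BOOTP_HDR)  # 44 bytes
ZERO_IP = b"\0\0\0\0"

def relay_request(packet, interface_ips, servers, wait_time, primary=None):
    """Return [(server, forwarded_packet), ...] for a BOOTREQUEST, or [] if not relayed.

    Forward only once the client's elapsed time ('secs') reaches wait_time, stamp
    giaddr with the primary IP (or else the lowest interface IP), and copy the
    request to every server in the list. All addresses here are hypothetical.
    """
    if len(packet) < BOOTP_HDR_LEN:
        return []
    (op, htype, hlen, hops, xid, secs, flags,
     ciaddr, yiaddr, siaddr, giaddr, chaddr) = struct.unpack(BOOTP_HDR, packet[:BOOTP_HDR_LEN])
    if op != 1 or htype != 1:       # BOOTREQUEST from an Ethernet/802 (htype=1) client only
        return []
    if secs < wait_time:            # let a local configuration server answer first
        return []
    if hops >= 16:                  # RFC 1542: discard requests relayed too many times
        return []
    if giaddr == ZERO_IP:           # RFC 1542: only the first relay agent sets giaddr
        stamp = primary or min(interface_ips, key=ipaddress.IPv4Address)
        giaddr = ipaddress.IPv4Address(stamp).packed
    header = struct.pack(BOOTP_HDR, op, htype, hlen, hops + 1, xid, secs, flags,
                         ciaddr, yiaddr, siaddr, giaddr, chaddr)
    forwarded = header + packet[BOOTP_HDR_LEN:]
    return [(server, forwarded) for server in servers]

def make_request(secs, giaddr=ZERO_IP):
    """Constructed sample DHCPDISCOVER (not a capture) from a client with a made-up MAC."""
    chaddr = bytes.fromhex("001122334455") + b"\0" * 10
    header = struct.pack(BOOTP_HDR, 1, 1, 6, 0, 0x3903F326, secs, 0x8000,
                         ZERO_IP, ZERO_IP, ZERO_IP, giaddr, chaddr)
    options = bytes([99, 130, 83, 99, 53, 1, 1, 255])  # magic cookie, DHCPDISCOVER, end
    return header + b"\0" * 64 + b"\0" * 128 + options

def giaddr_of(packet):
    """Gateway address a server would see (giaddr occupies bytes 24..27)."""
    return str(ipaddress.IPv4Address(packet[24:28]))
```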
To allow the DHCP relay traffic, it is necessary to configure explicit Security Policy rules with the DHCP relay services.
Such explicit Rule Base configuration is required for these reasons:
For Gateways that are R77.20 or higher, the applicable DHCP services are the new DHCP services: dhcp-request and dhcp-reply. The procedures in this chapter are compatible with the new DHCP services. For Gateways that are older than R77.20, refer to sk98839.
For DHCPv6, the services are dhcp-request, dhcp-reply and dhcp-relay.
This procedure shows how to configure the DHCP services on the Security Management Server or the Multi-Domain Server.
To configure the new DHCP services on the server:
[Expert@HostName:0]# grep -E "no_hide_services_ports|no_fold_services_ports" /path_to_relevant/table.def
If UDP ports 68 and 67 (the <68,17> and <67,17> entries) appear in the no_hide_services_ports or the no_fold_services_ports tables, edit the related table.def file and remove these ports:
[Expert@HostName:0]# vi /path_to_relevant/table.def
Change from:
no_hide_services_ports = { <4500,17>, <500,17>, <259,17>, <1701,17>, ..., <68,17>, <67,17> }
no_fold_services_ports = { <4500,17>, <500,17>, <259,17>, <1701,17>, ..., <68,17>, <67,17> }
To:
no_hide_services_ports = { <4500,17>, <500,17>, <259,17>, <1701,17>, ... }
no_fold_services_ports = { <4500,17>, <500,17>, <259,17>, <1701,17>, ... }
Note - These table changes are only necessary if one or more VSX or ClusterXL clusters run DHCP Relay. You can skip it if DHCP Relay is only used on VRRP clusters or stand-alone Security Gateways.
Use the Portal to enable BOOTP/DHCP Relay on each interface. If the interface is enabled for relay, you can set up a number of servers to which to forward BOOTP/DHCP requests.
To enable BOOTP/DHCP relay on an interface
The Add BOOTP/DHCP Relay window opens.
To disable BOOTP/DHCP relay on an interface
Use these commands to configure BOOTP properties for specific interfaces.
set bootp interface <if_name>
    primary ip_address wait-time <0-65535> on
    relay-to ip_address <on | off>
    off
Parameter | Description
---|---
primary ip_address wait-time <0-65535> on | The ip_address to stamp as the gateway address on all BOOTP requests. The wait-time value is the minimum seconds to wait before forwarding a bootp request. A client-generated bootp request includes the elapsed time after the client began to boot. The bootp relay does not forward the request until the indicated elapsed time at least equals the specified wait time. This delay lets a local configuration server reply before the request is relayed to a remote server.
relay-to ip_address <on \| off> | The server to which BOOTP requests are forwarded. You can specify more than one server.
off | Disables BOOTP on the specified interface.
Parameter | Description
---|---
Primary Address | The IP address to use as the BOOTP/DHCP router address. If you enter an IP address, all BOOTP/DHCP requests received on the interface are stamped with this gateway address. This can be useful on interfaces with multiple IP addresses (aliases).
Wait Time | The minimum time to wait (in seconds) for a local configuration server to answer the boot request before forwarding the request through the interface. This delay provides an opportunity for a local configuration server to reply before attempting to relay to a remote server. Set the wait time to a sufficient length to allow the local configuration server to respond before the request is forwarded. If no local server is present, set the time to zero (0).
Relay to Server | The IPv4 address of the BOOTP/DHCP configuration server to which to forward BOOTP/DHCP requests. You can configure relay to multiple configuration servers independently on each interface. Configuring different servers on different interfaces provides load balancing, while configuring multiple servers on a single interface provides redundancy. The server IPv4 address cannot be an address belonging to the local machine.
Use this group of commands to monitor and troubleshoot the BOOTP implementation.
show bootp
    interfaces
    interface <if_name>
    stats
    stats receive
    stats request
    stats reply
You configure the DHCP services on these ports:
To configure DHCP Security Policy:
If the option Accept outgoing packets originating from gateway implied rule is selected, then from the drop-down menu, select Last or Before Last.
The New Host window opens.
bootp
dhcp-relay
dhcp-req-localmodule
dhcp-rep-localmodule
Note - Use the DHCP-relay object, which you configured on the Security Gateway. For its value, enter the name of the Security Gateway, which runs DHCP Relay.
An example for a Rule Base with the DHCP relay services:
Source IP | Destination IP | Service | Action | Description of the rule
---|---|---|---|---
Any | Global_Broadcast | | | Source IP must be Any. A value of 0.0.0.0 does not work.
<DHCP_Relay>, Client_Network | DHCP_Server | | | In some situations, the DHCP client sends some requests directly to the DHCP Server.
<DHCP_Relay> | Client_Network, Global_Broadcast | | | The replies can be unicast or broadcast based on the DHCP client options.
DHCP_Server | Client_Network, Global_Broadcast | | | The replies can be unicast or broadcast based on the DHCP client options. In some situations, the DHCP server sends some requests directly to the DHCP client.