Contivity Secure IP Services Gateway
DHCP Relay
Table of Contents
1. Overview
2. Configuring DHCP Relay service
2.1. Configuration using GUI
2.1.1. Enabling the DHCP Relay globally
2.1.2. Enabling the DHCP Relay on interfaces
2.1.3. Checking the Status
2.2. Event Log messages
2.3 Configuration using CLI
3. Sample configuration
3.1. Setup
3.2. Configuring WS
3.3. Configuring CES
3.4. Configuring DHCP Server
3.5. Testing the Connection
1. Overview
In some cases the DHCP clients and their associated DHCP servers do not reside on the same IP network or subnet. In such cases a third-party agent is required to transfer DHCP messages between the clients and the servers. Such an agent is referred to as a DHCP Relay agent.
Until release V03.6 the Contivity Secure IP Services Gateway dropped all DHCP request packets. In release V04, the DHCP Relay agent feature was added, allowing the Contivity to forward DHCP and BOOTP messages between a DHCP server and a DHCP client on different subnets. When a locally attached client issues a DHCP or BOOTP request as a broadcast message, the Contivity gateway will relay the message to a specified DHCP or BOOTP server, and forward the replies from server to client.
CG030819 1.00 August 2003 Page: 1 of 41
Configuration Guide
With the DHCP Relay service enabled, the branch office hosts can be configured via DHCP using the central site DHCP server (Figure 1). In a branch office, users will have a LAN that attaches to the Contivity gateway’s private interface. It is desirable to use DHCP to manage the hosts on the branch office LAN. To simplify network management at the branch office, users would like to use the DHCP server on the central office network to administer IP addresses. A DHCP Relay agent will convert each broadcast packet to a unicast packet and forward it to the servers. The list of servers to forward to is configurable.
[Figure 1. Labels: PC1, Contivity, Contivity, DHCP Server; Remote Sites, Central Site]
As in the branch office situation explained above, DHCP Relay will also forward the DHCP requests across other physical interfaces (Figure 2). The broadcast requests are converted into unicast before the request is sent to the servers.
[Figure 2. Labels: PC1, DHCP Server, Contivity, DHCP Server]
DHCP requests (unicast or broadcast) coming through private interfaces will be relayed as unicast packets. Requests coming from public interface are dropped at the IP level. Requests coming through tunnels are dropped by the DHCP Relay agent task. Contivity supports DHCP requests coming through private physical interfaces only.
DHCP Relay agent can relay packets on all the interfaces (private, public, tunnel). All it cares about are the IP addresses of the DHCP servers, not the interface through which the packets are relayed.
DHCP Relay will try to relay the requests to the configured servers. The DHCP Relay agent has no knowledge of whether there is a route to any of these servers or not. As long as there is a route to the server, the routing/forwarding module in Contivity will send the packet out; otherwise it will drop it.
The DHCP Relay code relies heavily on the packet filters. When the DHCP Relay task is enabled/disabled, a filter specific to DHCP Relay will be installed or removed. These filters control the delivery of the packets to and from DHCP Relay.
When the client makes DHCP requests, Firewall configuration may prevent these requests from reaching the DHCP Relay agent. If a DHCP request reaches the DHCP Relay agent module, it will try to relay the requests to the configured servers. Again this relay may not be sent out due to Firewall configuration.
Figure 3 shows the message exchanges between the DHCP client and the DHCP server.
[Figure 3. Participants: DHCP Client, DHCP Relay Agent, DHCP Server. Messages:]
DHCPDISCOVER: client request for IP address and configuration options (broadcast)
Forwarded modified DHCPDISCOVER request to a specific DHCP server (unicast)
DHCPOFFER: server sends available IP address (unicast)
Forward modified DHCPOFFER (Layer 2 broadcast/unicast)
DHCPREQUEST: client accepts the offer and asks the server for its configuration
Forwarded modified DHCPREQUEST to a specific DHCP server (unicast)
DHCPACK: server responds with the committed IP address and other configuration options
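The relay step described in this overview can be modelled on raw BOOTP/DHCP bytes. The following is an added example, not Contivity code: the function names, the `max_hops` limit (taken from RFC 1542 practice, not from this guide) and the sample DISCOVER packet are assumptions made for illustration.

```python
import socket
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
HOPS_OFF, GIADDR_OFF = 3, 24   # field offsets in the fixed BOOTP header
FIXED_LEN = 236                # fixed header length, before the options
MAGIC = bytes([0x63, 0x82, 0x53, 0x63])


def build_discover(mac: bytes, xid: int) -> bytes:
    """Constructed sample input: a minimal broadcast DHCPDISCOVER."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREQUEST, 1, 6, 0,                    # op, htype, hlen, hops
        xid, 0, 0x8000,                          # xid, secs, flags (broadcast)
        bytes(4), bytes(4), bytes(4), bytes(4),  # ciaddr yiaddr siaddr giaddr
        mac, bytes(64), bytes(128))              # chaddr (padded), sname, file
    return header + MAGIC + bytes([53, 1, 1, 255])  # option 53 = DISCOVER


def giaddr(pkt: bytes) -> str:
    """Relay agent IP address field of a BOOTP/DHCP message."""
    return socket.inet_ntoa(pkt[GIADDR_OFF:GIADDR_OFF + 4])


def relay_request(pkt, ingress, relay_ip, helpers, max_hops=16):
    """Return [(server_ip, modified_packet)] for a client request, [] if dropped.

    ingress: 'private', 'public' or 'tunnel' (how the request arrived)
    helpers: [(server_ip, enabled)], up to three per relay interface
    max_hops: assumed loop guard, not a setting documented in this guide
    """
    if ingress != "private":
        return []  # only private physical interfaces are served
    if len(pkt) < FIXED_LEN or pkt[0] != BOOTREQUEST:
        return []
    if pkt[HOPS_OFF] >= max_hops:
        return []
    out = bytearray(pkt)
    out[HOPS_OFF] += 1
    # Stamp the relay interface so the server can pick the right pool and
    # knows where to send the reply; an earlier relay's stamp is preserved.
    if out[GIADDR_OFF:GIADDR_OFF + 4] == bytes(4):
        out[GIADDR_OFF:GIADDR_OFF + 4] = socket.inet_aton(relay_ip)
    return [(server, bytes(out)) for server, enabled in helpers[:3] if enabled]


def relay_reply(pkt, relay_interfaces):
    """Return (egress_interface_ip, destination_ip) for a server reply, or None.

    The reply leaves through the interface named in giaddr. The destination
    follows the trace in section 3.5, where the relay broadcasts the reply.
    """
    if len(pkt) < FIXED_LEN or pkt[0] != BOOTREPLY:
        return None
    gi = giaddr(pkt)
    if gi not in relay_interfaces:
        return None
    return gi, "255.255.255.255"


if __name__ == "__main__":
    discover = build_discover(bytes.fromhex("0008749ae585"), 0x1234ABCD)
    relayed = relay_request(discover, "private", "192.168.50.10",
                            [("192.168.60.1", True), ("0.0.0.0", False)])
    for server, pkt in relayed:
        print("unicast to", server, "giaddr", giaddr(pkt), "hops", pkt[HOPS_OFF])
```

The `giaddr` value is what the DHCP server logs as "via 192.168.50.10" and uses to choose the 192.168.50.0 pool, so a server receiving relayed traffic with an unexpected `giaddr` is worth investigating.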
2. Configuring DHCP Relay service
2.1. Configuration using GUI
2.1.1. Enabling the DHCP Relay globally
To enable the DHCP Relay globally on Contivity, navigate Servers→DHCP Relay. The DHCP Relay screen appears:
Check the box next to Enabled under the DHCP Relay and click OK:
2.1.2. Enabling the DHCP Relay on interfaces
To enable the DHCP Relay on private interfaces click Add under the DHCP Relay Interfaces tab on the DHCP Relay screen:
The DHCP Relay→Add screen appears:
Select the interface the DHCP Relay should be enabled on from the drop-down list next to Physical Interface (private):
Select the Enabled State for the DHCP Relay on the interface (Enabled by default). To disable the relay services select Disabled:
Enter the IP address of the DHCP server the requests should be sent to in the text box next to Helper (1/2/3) tab. Up to 3 DHCP servers can be specified. To enable the relay to the specified server check the box next to Enabled for the appropriate entry:
Once the appropriate information has been entered click OK:
The configured interface relay is shown under the DHCP Relay Interfaces tab:
Once configured the entry can be edited, deleted, disabled or enabled by clicking the appropriate button under the Action tab. A new entry can be added by clicking the Add button.
To edit any of the parameters click Edit. The DHCP Relay→Edit screen appears. The current configuration is shown under the DHCP Relay Interface List tab. Edit the appropriate fields and click OK:
To delete the configuration of the DHCP Relay on the interface click Delete. The confirmation DHCP Relay→Delete screen appears, click OK to delete or Cancel not to:
To disable the interface relay click Disable. The screen refreshes and the Enable button appears in place of the Disable. To enable the interface relay, click Enable:
2.1.3. Checking the Status
The status of the DHCP Relay can be checked by clicking the Statistics button under the Status tab on the DHCP Relay screen:
The DHCP Relay→Statistics screen will appear showing how many packets were received by the DHCP Relay interface (In), how many packets were sent out (Out), how many packets were discarded by the Contivity (Discarded), how many packets were relayed to the server (Relayed To Server), and how many packets were relayed to the client (Relayed To Client). To refresh the statistics, click on the Refresh button, to return to the DHCP screen click Close:
2.2. Event Log messages
The DHCP Relay was globally enabled:
08/19/2003 14:24:46 0 tHttpd [33] DHCPRelayGlobal.DhcpRelayEnabled changed from 'DISABLED' to 'ENABLED' by user 'admin' @ '192.168.50.6'
08/19/2003 15:30:40 0 Security [01] Security: rule[5] FILTER 1 permit UDP any any EQ 67
08/19/2003 15:30:40 0 Security [01] Security: rule[6] FILTER 1 permit UDP any any EQ 68
The DHCP Relay has been enabled for the 192.168.50.10 interface:
08/19/2003 15:24:03 0 DHCP Relay Table [00] Config node for interface 192.168.50.10:P inserted successfully
08/19/2003 15:24:03 0 DHCP Relay Table [00] Printing info for relay node 1
08/19/2003 15:24:03 0 DHCP Relay Table [00] Interface address: 192.168.50.10 Admin State 0
08/19/2003 15:24:03 0 DHCP Relay Table [00] DHCP Servers: 0.0.0.0 0.0.0.0
08/19/2003 15:24:03 0 tHttpd [35] DHCPRelay[192.168.50.10:P] created by user 'admin' @ '192.168.50.6'
08/19/2003 15:24:03 0 DHCP Relay Table [00] Server 1 state for interface 192.168.50.10 set to 1
08/19/2003 15:24:03 0 tHttpd [33] DHCPRelay[192.168.50.10:P].DHCPServer1State changed from 'DISABLED' to 'ENABLED' by user 'admin' @ '192.168.50.6'
08/19/2003 15:24:03 0 DHCP Relay Table [00] Server 1 for interface 192.168.50.10 set to 192.168.60.1
08/19/2003 15:24:03 0 tHttpd [33] DHCPRelay[192.168.50.10:P].DHCPServer1 changed from '0.0.0.0' to '192.168.60.1' by user 'admin' @ '192.168.50.6'
08/19/2003 15:24:03 0 DHCP Relay Table [00] Admin State for interface 192.168.50.10 changed to 1
08/19/2003 15:24:03 0 tHttpd [33] DHCPRelay[192.168.50.10:P].AdminEnabled changed from 'DISABLED' to 'ENABLED' by user 'admin' @ '192.168.50.6'
The DHCP Relay has been disabled for the interface:
08/19/2003 15:26:07 0 DHCP Relay Table [00] Admin State for interface 192.168.50.10 changed to 0
08/19/2003 15:26:07 0 tHttpd [33] DHCPRelay[192.168.50.10:P].AdminEnabled changed from 'ENABLED' to 'DISABLED' by user 'admin' @ '192.168.50.6'
The DHCP Relay has been deleted for the interface:
08/19/2003 15:27:23 0 tHttpd [35] DHCPRelay[192.168.50.10:P] destroyed by user 'admin' @ '192.168.50.6'
The DHCP Relay has been globally disabled:
08/19/2003 15:28:50 0 tHttpd [33] DHCPRelayGlobal.DhcpRelayEnabled changed from 'ENABLED' to 'DISABLED' by user 'admin' @ '192.168.50.6'
The DHCP Relay has relayed the request to the server:
08/19/2003 15:33:04 0 DHCP Relay [00] Sending DHCP request to server 192.168.60.1
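The tHttpd entries above record who changed which DHCP Relay setting and from which address, which makes them usable as an audit trail. The following is an added example, not part of the original guide: it parses those records and reports helper-address changes that point outside an approved server list. The function names and the approved list are assumptions, and the last sample line is constructed.

```python
import re

# The first five lines are event log entries shown in this guide (wrapped
# lines joined); the last line is constructed for this example.
SAMPLE_LOG = """\
08/19/2003 14:24:46 0 tHttpd [33] DHCPRelayGlobal.DhcpRelayEnabled changed from 'DISABLED' to 'ENABLED' by user 'admin' @ '192.168.50.6'
08/19/2003 15:24:03 0 DHCP Relay Table [00] Server 1 for interface 192.168.50.10 set to 192.168.60.1
08/19/2003 15:24:03 0 tHttpd [35] DHCPRelay[192.168.50.10:P] created by user 'admin' @ '192.168.50.6'
08/19/2003 15:24:03 0 tHttpd [33] DHCPRelay[192.168.50.10:P].DHCPServer1 changed from '0.0.0.0' to '192.168.60.1' by user 'admin' @ '192.168.50.6'
08/19/2003 15:27:23 0 tHttpd [35] DHCPRelay[192.168.50.10:P] destroyed by user 'admin' @ '192.168.50.6'
08/19/2003 16:02:11 0 tHttpd [33] DHCPRelay[192.168.50.10:P].DHCPServer2 changed from '0.0.0.0' to '192.168.70.9' by user 'admin' @ '192.168.50.44'
"""

AUDIT = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \d+ tHttpd \[\d+\] "
    r"(?P<target>\S+) "
    r"(?:changed from '(?P<old>[^']*)' to '(?P<new>[^']*)'"
    r"|(?P<verb>created|destroyed)) "
    r"by user '(?P<user>[^']*)' @ '(?P<src>[^']*)'$")
HELPER_ATTR = re.compile(r"^DHCPServer\d+$")  # address field, not ...State


def parse_audit(text):
    """Extract administrative change records; other log lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUDIT.match(line.strip())
        if not m:
            continue  # e.g. 'DHCP Relay Table' lines carry no user or source
        target = m["target"]
        if target.endswith("]") or "." not in target:
            obj, attr = target, None            # whole object created/destroyed
        else:
            obj, _, attr = target.rpartition(".")
        events.append({
            "ts": m["ts"], "object": obj, "attr": attr,
            "action": m["verb"] or "changed",
            "old": m["old"], "new": m["new"],
            "user": m["user"], "src": m["src"],
        })
    return events


def unapproved_helper_changes(events, approved_servers):
    """Helper-address changes whose new value is not an approved DHCP server."""
    allowed = set(approved_servers) | {"0.0.0.0"}  # 0.0.0.0 clears the entry
    return [e for e in events
            if e["attr"] and HELPER_ATTR.match(e["attr"])
            and e["new"] not in allowed]


if __name__ == "__main__":
    for e in unapproved_helper_changes(parse_audit(SAMPLE_LOG), {"192.168.60.1"}):
        print(e["ts"], e["object"], e["attr"], "->", e["new"],
              "by", e["user"], "from", e["src"])
```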
2.3 Configuration using CLI
To configure Contivity using CLI you need to either telnet to Contivity or connect to it through the serial interface -> option “L” on the menu.
Enter the privileged mode:
CES>enable
Password:
Enter configuration mode:
CES#configure terminal
Enter configuration commands, one per line. End with Ctrl/z.
CES(config)#
To enable the DHCP Relay globally on the Contivity:
CES(config)#ip forward-protocol dhcp-relay
To enable the DHCP Relay on the interface (192.168.50.10):
CES(config)#ip dhcp-relay 192.168.50.10 enable
To set the first DHCP server helper address (192.168.60.1) for the relay interface (192.168.50.10):
CES(config)#ip helper-address 192.168.50.10 server 1 192.168.60.1
To enable forwarding to the first DHCP server:
CES(config)#ip helper-address 192.168.50.10 server 1
CES(config)#exit
CES#
To view the configuration for the DHCP Relay:
CES#show dhcp-relay config
DHCPRelay ON
Physical         State      DHCP Servers
192.168.50.10    ENABLED    192.168.60.1(On)
To view the statistics for the DHCP Relay:
CES#show dhcp-relay config statistics
DHCP Relay Packets    Number of Packets
In                    12
Out                   12
Discarded             0
Relayed To Server     10
Relayed To Client     2
3. Sample configuration
3.1. Setup
[Figure. Labels: WS, CES, DHCP Server; networks 192.168.50.0/24 and 192.168.60.0/24]
WS – Windows 2000 workstation configured to obtain the IP address dynamically;
CES – Contivity Secure IP Services Gateway with the DHCP Relay enabled, code version V04_80.124, management IP 192.168.50.1/24, private IP 192.168.50.10/24, public IP 192.168.60.7;
DHCP Server – Contivity Secure IP Services Gateway with DHCP Server enabled, code version V04_70.120, management IP 192.168.60.1/24, private IP 192.168.60.10/24.
The goal of the configuration is to configure the CES to relay the DHCP traffic between the client and the server on different subnets.
3.2. Configuring WS
Select the Obtain an IP address automatically for the network card:
3.3. Configuring CES
Configure IP addresses for the management (192.168.50.1/24), private (192.168.50.10/24) and public interface (192.168.60.7/24):
Set the “permit all” filter for the interfaces. Click Edit next to interface addresses on the LAN Interfaces screen. Select the “permit all” filter from the drop down list next to Interface Filter and click OK:
The “permit all” filter will be applied to the interface.
Enable the Contivity Interface Filter. Navigate Services→Firewall/NAT. Check the box next to Contivity Interface Filter and click OK at the bottom of the screen:
The confirmation screen appears. Click OK to reboot:
The System Shutdown screen appears. Click OK at the bottom of the screen to proceed with the reboot:
The System Shutdown confirmation screen appears. Click OK to reboot:
Once CES has been rebooted, navigate Servers→DHCP Relay. The DHCP Relay screen appears:
Check the box next to Enable to enable the DHCP Relay service, click OK:
Click Add under the DHCP Relay Interfaces to add interface for the DHCP Relay:
Select the private IP address (192.168.50.10) from the drop-down list, select the Enable State, enter the Helper IP address of the DHCP server (192.168.60.1), check the box next to Enabled and click OK:
At this point the configuration of the CES is complete:
3.4. Configuring DHCP Server
Configure IP addresses for the management (192.168.60.1) and private interface (192.168.60.10):
Set the filter for the private interface to “permit all”. Click Edit next to IP address for the private interface on the LAN Interfaces screen. Select the “permit all” filter from the drop-down list next to Interface Filter and click OK:
The filter will be applied to the interface:
Enable the Contivity Interface Filter on the Services→Firewall/NAT screen:
The confirmation screen appears, click OK to reboot the Contivity:
Complete the system shutdown procedure to reboot the Contivity.
Once rebooted, navigate Servers→DHCP. Check the box under the Debug Message Log Enabled. Check the box under the DHCP Server Enabled for the private interface to enable the DHCP server service on the interface. Click OK:
The screen refreshes. Click Add under the Pool tab on the DHCP screen to define the pool of addresses to be used by the client. The Add Pool screen appears. Enter the IP address for the pool (192.168.50.0), mask to be associated with the pool (255.255.255.0) and the optional description (DHCP Pool), click OK:
The configured address pool is listed under the Pool tab. Click Configure to specify the addresses to be available for the assignment and the default gateway option:
The Pool screen appears; click Add under the Standard Options tab to allow the default gateway to be supplied to the client:
The Add Option screen appears. Select the option 3 Router from the Option drop-down list, select IP as the type and enter the CES private interface as the default gateway for the WS (for more information on DHCP Options consult Configuration Guide – DHCP Server):
The configured option is listed under the Standard Options tab. To configure the pool of addresses to be available for the assignment click Add under the Inclusion Range tab:
The Pool Inclusion screen appears. Enter the starting IP address (192.168.50.12) and the ending IP address (192.168.50.15). Click OK:
The configured range is listed under the Inclusion Range tab. Click OK at the bottom of the screen:
Click Restart Service on the DHCP Server screen to apply all the changes:
The status message “The DHCP Server is now restarting” appears; click Refresh to refresh the status:
The status changes to “The DHCP Server is enabled and running”, click Close to return to the DHCP screen:
At this point the configuration of the DHCP server is complete. For more information on DHCP server configuration consult the Configuration Guide – DHCP Server.
The private default route must be specified so the DHCP server will be able to communicate with the client on the other subnet. Navigate Routing→Static Routes. Make sure the Static Routes Enabled box is checked (enabled). Click Add Private Route under the Default Routes tab:
The Static Routes→Add Private Default Route screen appears. Enter the address of the CES’ public interface (192.168.50.7) and click OK:
The configured default gateway is listed under the Default Routes tab:
3.5. Testing the Connection
Clear the log on both CES and the DHCP Server from the Status→Event screen:
Check the status for the DHCP Relay on the CES. Navigate Status→Health Check. Scroll down to the DHCP Relay and note the status:
Check the status for the DHCP Server on the Status→Health Check screen:
Disable the Network card:
Enable the Network card:
Click No when asked to restart the computer:
Check the IP configuration on the WS:
C:\>ipconfig/all
Windows 2000 IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) #3
Physical Address. . . . . . . . . : 00-08-74-9A-E5-85
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.50.12
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.50.10
DHCP Server . . . . . . . . . . . : 192.168.60.1
DNS Servers . . . . . . . . . . . : 192.168.60.1
NetBIOS over Tcpip. . . . . . . . : Disabled
Lease Obtained. . . . . . . . . . : Wednesday, August 20, 2003 11:02:29 AM
Lease Expires . . . . . . . . . . : Wednesday, August 20, 2003 11:02:29 PM
The CES DHCP Relay service relayed the DHCP request from the WS to the DHCP Server and from DHCP server to the client and WS was able to obtain its IP address and the default router information.
Check the Event Log on CES:
08/20/2003 11:06:31 0 DHCP Relay [00] Sending DHCP request to server 192.168.60.1
Check the Event Log on DHCP Server:
08/20/2003 11:07:01 0 tDhcpServer [11] DHCPDISCOVER from 00:08:74:9a:e5:85 via 192.168.50.10
08/20/2003 11:07:02 0 tDhcpServer [11] DHCPOFFER of 192.168.50.12 to 00:08:74:9a:e5:85 via 192.168.50.10
08/20/2003 11:07:02 0 tDhcpServer [11] DHCPREQUEST for 192.168.50.12 from 00:08:74:9a:e5:85 via 192.168.50.10
08/20/2003 11:07:02 0 tDhcpServer [11] DHCPACK of 192.168.50.12 to 00:08:74:9a:e5:85 via 192.168.50.10
Make sure the WS can access the outside world (public side of the CES) using its IP address. Enter the management IP of the Contivity running the DHCP Server into the browser’s address window. The page loads:
The WS is able to communicate using its obtained IP address.
Let’s take a look at the traces of the DHCP conversation.
Client sends the DHCP Discover to a broadcast address 255.255.255.255:
CES DHCP Relay receives the DHCP Discover and forwards it out of its public interface directly (unicast) to the DHCP server, adding its relay interface as the Relay agent IP address (192.168.50.10):
DHCP server receives the DHCP Discover, probes the address it is about to issue using ICMP Request and sends the DHCP Offer using the Relay agent’s address as the destination address:
Relay agent (CES) receives the DHCP Offer and forwards it to the broadcast address 255.255.255.255 out of its private interface:
In response to the DHCP Offer client sends the DHCP Request to confirm the acceptance of the offer and to request the offered configuration parameters to the broadcast address 255.255.255.255 with the server identifier (192.168.60.1) received from the offer:
CES receives the DHCP Request and forwards it directly (unicast) to the DHCP server:
DHCP server receives the DHCP Request, allocates the requested address and sends the DHCP ACK with the confirmation of the assigned IP address and the configuration parameters to the DHCP Relay agent (CES):
CES receives the DHCP ACK from its public interface and broadcasts it out of its private interface:
Client receives the IP address, probes it with the ARP to make sure nobody else is using it and, if no owner for the address was found, accepts the address as its own.
Copyright 2003, Nortel Networks. All rights reserved. *Nortel Networks, the Nortel Networks logo, the Globemark, Unified Networks, and Contivity are trademarks of Nortel Networks.