DHCP relay

Solved
CeeDub
Here to help

We have a retail store that is directly connected to our network via fiber, thus we have the AutoVPN disabled (as it is not needed).

 

The store is coming into our gateway (Cisco ASA) on VLAN 100.

 

The store is using an MX85 with SFP on WAN1 to connect directly to the fiber. WAN2 is disabled. WAN1 is configured to tag traffic with VLAN 100 and has an IP of 10.100.1.6/24. The Cisco ASA (being the gateway) has the following config:

 

interface Port-channel12.100
vlan 100
nameif vlan100-int
security-level 0
ip address 10.100.1.1 255.255.255.0 standby 10.100.1.2

 

The MX85 has three VLANs configured. VLAN 5 (10.10.1.0/25), VLAN 10 (10.10.1.128/26) and VLAN 15 (10.10.1.192/26).

 

Our DHCP server (10.50.1.7) sits on another VLAN (VLAN 50) which is connected to the gateway (Cisco ASA).

 

The routing table on the MX85 looks as such:

 

Stat  Ver   Subnet           Name     VLAN  Next hop      Dest          Type
-     IPv4  0.0.0.0/0        Default  -     -             WAN uplink    Default WAN Route
-     IPv4  10.10.10.0/25    Retail   5     10.10.10.1    10.10.10.1    Local VLAN
-     IPv4  10.10.10.128/26  Retail   10    10.10.10.129  10.10.10.129  Local VLAN
-     IPv4  10.10.10.192/26  Retail   15    10.10.10.193  10.10.10.193  Local VLAN

 

Using the "Tools" on the "MX Security & SD-WAN" page I can ping (and get responses from) the DHCP server from the Internet interface and I can ping (and get responses from) the DHCP server from the VLAN 5, 10 and 15 interfaces. Connectivity is established. BUT, when I try to connect clients on the network behind the MX85 and permit them to use DHCP for addresses, they never get a response. I try to enable the DHCP relay on the "Security & SD-WAN" -> "DHCP" page and I get the error: "The DHCP relay IP address must be in a subnet or static route in this network."

 

Connectivity is clearly established and the route exists, so why can I not enable DHCP relay?

 

Is there an option I am missing?

1 Accepted Solution
ww
Kind of a big deal

The ping tool is not representative for client traffic.  https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Using_the_Ping_Liv...

 

The ping tool VLANs are not getting NATed. Clients on MX VLANs are getting NATed by default to the MX WAN IP. (Unless you have requested no NAT at support.)

View solution in original post

14 Replies
alemabrahao
Kind of a big deal

Did you create a static route in the MX pointing to the subnet of your DHCP server and the ASA as next hop?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

I can't see any routes to the 10.50.1.x subnet in the information you've given us.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
ww
Kind of a big deal

It's part of the default route. That subnet is behind the MX NAT interface.

alemabrahao
Kind of a big deal

I'm not talking about routes on the ASA, I'm talking about routes on the MX. Because it will not work through the WAN interface.

I use it that way on my network.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

That fails with the error: "The static LAN route "Primary" has an invalid next hop IP. The IP address 10.100.1.1 is not on a configured subnet."
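The two dashboard checks quoted in this thread (the relay target must lie in a local VLAN or static route, and a static route's next hop must itself be on a configured subnet) can be reproduced as a small model. This is an added example, not Meraki code; the subnets and addresses are the ones posted above, and the rule that the WAN default route does not count is the behaviour the thread describes.

```python
import ipaddress

# Values from the thread (constructed input for this example).
MX_VLANS = {
    5: ipaddress.ip_network("10.10.10.0/25"),
    10: ipaddress.ip_network("10.10.10.128/26"),
    15: ipaddress.ip_network("10.10.10.192/26"),
}
DHCP_SERVER = "10.50.1.7"     # on VLAN 50 behind the ASA
ASA_GATEWAY = "10.100.1.1"    # ASA vlan100-int, reached only via the WAN default route
MX_WAN_IP = "10.100.1.6"      # MX WAN1 address; client traffic leaving WAN1 is NATed to it


def covered_by(ip, vlans, static_routes):
    """Return the local VLAN or static route that contains ip, or None.

    The WAN default route is deliberately ignored: anything that only
    matches 0.0.0.0/0 leaves WAN1 NATed to MX_WAN_IP, which is why the
    dashboard refuses it as a relay path.
    """
    addr = ipaddress.ip_address(ip)
    for vid, net in vlans.items():
        if addr in net:
            return ("vlan", vid)
    for net, _next_hop in static_routes:
        if addr in net:
            return ("static", str(net))
    return None


def add_static_route(prefix, next_hop, vlans, static_routes):
    """Mimic the static-route validation: the next hop must sit on a local VLAN.

    Returns None and appends the route on success, else the error text.
    """
    nh = ipaddress.ip_address(next_hop)
    if not any(nh in net for net in vlans.values()):
        return f"The IP address {next_hop} is not on a configured subnet."
    static_routes.append((ipaddress.ip_network(prefix), nh))
    return None


def dhcp_relay_error(server_ip, vlans, static_routes):
    """Mimic the relay validation; None means the relay target is acceptable."""
    if covered_by(server_ip, vlans, static_routes) is None:
        return "The DHCP relay IP address must be in a subnet or static route in this network."
    return None


if __name__ == "__main__":
    print(dhcp_relay_error(DHCP_SERVER, MX_VLANS, []))
    print(add_static_route("10.50.1.0/24", ASA_GATEWAY, MX_VLANS, []))
```

Run as-is it reproduces both errors from the thread; a next hop inside one of the three local VLANs (for example a hypothetical 10.10.10.130) would pass the route check and make the relay target acceptable, which is exactly what the WAN-side ASA address cannot do.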

alemabrahao
Kind of a big deal

Are you using routed mode or Passthrough or VPN Concentrator?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
ww
Kind of a big deal

Note: The DHCP server configured must be in a subnet configured on the MX, including directly-connected VLANs, static routes, and subnets participating in AutoVPN.

 

https://documentation.meraki.com/MX/DHCP/Configuring_DHCP_Relay

 

Why not use the MX DHCP server?

CeeDub
Here to help

We could use the MX DHCP server, however we have many other retail sites that use MXs and the AutoVPN connected to a central DHCP server. We would like to keep everything together. I have read the article that you posted before. We are not utilizing a third-party VPN peer. There isn't a VPN at all. The MX is directly connected to the primary network and traffic is coming in on a specific VLAN to its gateway. While a specific route does not appear in the routing table, the network path exists because I can ping the DHCP server from the MX toolset. I just can't enable or use DHCP relay. Why?

ww
Kind of a big deal

It's not part of a local VLAN/AutoVPN or a defined static route. That subnet is on your ASA, so it's routed using the default route on the MX NAT interface.

I don't know if DHCP relay works on other vendors with NAT/PAT, but Meraki does not support it.

You can't use AutoVPN to reach the DHCP server like on your other retail sites?

CeeDub
Here to help

There is no need to use the AutoVPN. The retail store's network is coming in direct and the VLAN terminates on the ASA. There is no NAT being performed. So, in this scenario DHCP relay is not possible? The route exists (through the primary "WAN" link) but it is not in the route table so DHCP relay can't pick it up?

ww
Kind of a big deal

The ping tool is not representative for client traffic. https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Using_the_Ping_Liv...

The ping tool VLANs are not getting NATed. Clients on MX VLANs are getting NATed by default to the MX WAN IP. (Unless you have requested no NAT at support.)

CeeDub
Here to help

You are correct and I have been schooled. Did not realize the NAT was taking place. I had never assigned a static IP to a device on the inside of the MX for testing.

Ryan_Miles
Meraki Employee

If I'm following your description of the topology, the MX is the edge FW for this remote site. Outbound traffic will be NATed to the WAN int IP. It sounds more like you want a traditional router function here vs. what the MX is going to do, which is NAT on the outbound.

 

I'd say either run DHCP on the MX or use AutoVPN to a headend MX so there's a routed VPN path and NAT doesn't come into play.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

The MX is the edge router for this remote site, but it is directly connected to the primary network. There is no NAT being performed. A capture on the ASA interface shows ICMPs from the MX Toolset for Internet (10.100.1.1) and VLAN 5 (10.10.10.1).
