NZ ISPs / DHCP Auth / Classless Routes

EngageTechNZ
Here to help


Hello fellow NZers.

Chorus recently enabled DHCP Auth on their network, so then a number of ISPs followed and enabled DHCP on their networks.

Where this becomes sticky is when assigning a single static ip - a /32

PPPoE is fine, that just works, however with DHCP assigning a static /32 it's a bit trickier. This is where RFC 3442 comes in. DHCP Option 121 inserts a classless static route into the request to ensure there is a default route, e.g. 0.0.0.0/0 via ISP default gateway.

Here is an example in RouterOS

/ip dhcp-server option add code=121 name=Classless-Route value=0x20C0A8640100000000202278FFF40000000000647FFF05
/ip dhcp-server network add ... dhcp-option=Classless-Route ...

What I discovered is that Netcomm devices don't respond to DHCP option 121, so you cannot use them for DHCP WAN with a /32 IP. You cannot set a manual default route. Which means a decent number of ISPs who use these will have to stick to PPPoE.

Where I am going with this is that I attempted to set my MX at home to DHCP for the WAN, and the same thing happens. DHCP assigns the WAN IP to the interface, however I cannot browse the internet / ping / tracert, as my guess is that the MX is not responding to DHCP option 121. I've spoken to the owner of the ISP as we have a close relationship and their auth servers are doing exactly the right thing, and the issue is with the firewall.

During the testing, I used both an RB5009 MikroTik and a UniFi UDM Pro, and both picked up the IP, had their route set via option 121 and just worked.

I have a case open with support.

I want to see if other partners in NZ have this issue with MXs or if they are using them on DHCP. One thing to point out is that DHCP makes the MX a true zero touch deployment, and also reduces CPU overheads when not using PPPoE.

Cheers
Sean
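As an added illustration (not code from the original post or from RouterOS/Meraki), the Python below decodes and re-encodes the option 121 value above using the RFC 3442 wire format: one octet of prefix length, then only the significant octets of the destination, then four octets of gateway. The route values it returns are derived from that hex string, nothing else.

```python
import ipaddress


# The RouterOS value from the post (RFC 3442 option 121 payload, "0x"-prefixed hex).
ROUTEROS_VALUE = "0x20C0A8640100000000202278FFF40000000000647FFF05"


def decode_option121(value_hex):
    """Decode an RFC 3442 classless static route option into (prefix, gateway) pairs.

    A gateway of 0.0.0.0 is the common CPE convention for an on-link destination,
    which is how a /32 WAN address can still reach its upstream gateway.
    """
    if value_hex.lower().startswith("0x"):
        value_hex = value_hex[2:]
    data = bytes.fromhex(value_hex)
    routes = []
    pos = 0
    while pos < len(data):
        plen = data[pos]
        pos += 1
        if plen > 32:
            raise ValueError("invalid prefix length %d" % plen)
        # RFC 3442 sends ceil(plen/8) destination octets; a /0 sends none.
        nbytes = (plen + 7) // 8
        dest_raw = data[pos:pos + nbytes]
        gw_raw = data[pos + nbytes:pos + nbytes + 4]
        if len(dest_raw) != nbytes or len(gw_raw) != 4:
            raise ValueError("truncated route entry at offset %d" % pos)
        pos += nbytes + 4
        dest = ipaddress.IPv4Address(dest_raw + bytes(4 - nbytes))
        routes.append(("%s/%d" % (dest, plen), str(ipaddress.IPv4Address(gw_raw))))
    return routes


def encode_option121(routes):
    """Inverse of decode_option121: build the RouterOS-style 0x... value."""
    out = bytearray()
    for prefix, gateway in routes:
        net = ipaddress.IPv4Network(prefix)
        nbytes = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:nbytes]
        out += ipaddress.IPv4Address(gateway).packed
    return "0x" + out.hex().upper()


if __name__ == "__main__":
    for prefix, gateway in decode_option121(ROUTEROS_VALUE):
        print("%-20s via %s" % (prefix, gateway))
```

Running it shows the three routes packed into the posted value: two on-link /32 hosts (gateway 0.0.0.0) followed by a 0.0.0.0/0 default route via the ISP gateway, which is the entry a CPE must honour to route with a /32 WAN address.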

4 Replies
GIdenJoe
Kind of a big deal

I don't understand what option 121 has to do with DHCP Auth?
So according to the RFC the option can provide classless routes with subnet masks to devices that understand this.
I have not seen a document that Meraki MX would support this option and by the RFC it MUST ignore this option. Maybe talk to your Meraki rep about this so they can see if this feature is on the roadmap.

So from what I can gather they are trying to save IPv4 space by assigning a /32 to your device and then try to add the 0.0.0.0/0 route with a gateway of 0.0.0.0?

Damn, IP space is really becoming sparse.
This or next year will be the year for IPv6. I hope Meraki will soon start supporting IPv6 on HA pairs...

EngageTechNZ
Here to help

Not so much saving IP space, but the ISP(s) have options to allow CPE to use one or the other without changes to their IP addressing.

I am assuming the MX doesn't support the RFC and therefore no gateway is assigned.

My comment to support was that the firewall endeavours to ensure traffic going through it meets RFC compliance, so perhaps the other mechanisms on the MX should too! 🙂


EngageTechNZ
Here to help

FYI, after a bit of back and forwards with support, the MX doesn't support the RFC to insert a classless default route against a /32 address.

Only the RFC for a /31

I have added a feature request...

Given the RFC is from 2002 I am not holding my breath.

EngageTechNZ
Here to help

Righto - after giving up on this and in turn having my support case closed, there is clearly some bug with the MX.


What I failed to mention, was my fibre connection is (was) vlan tagged (10) and every time I attempted to set the interface to DHCP with the vlan tag, the MX would always seem to time out, and take a while to recover.

So after configuring up an MX in the office for a customer, I left it on DHCP and boom, it worked with the fibre connection. Odd I thought, had Meraki performed stealth firmware updates?

I went home and tried mine again. Nope, same issue. Device would spit the dummy and not route, although the ISP sees an IP being assigned via DHCP.

I then thought there are two differences, one the hardware, and two the VLAN tagging. I asked our ISP to remove VLAN 10, and within moments, DHCP worked and I could reach the internet.

I've had other devices using VLAN 10 without issues.

Odd.

