MS120 - DHCP relay doesn't work

Adam2104
Building a reputation


I have a few MS120 switches in use. According to the Routing & DHCP page these switches should support DHCP relay (but no other L3 functions). I'm currently using my MX67 for DHCP relay but I thought I'd test it out on the MS120 to see what happened. Well, it doesn't work: no DHCP messages are seen at the DHCP server sourced from the switch. I'd expect to see a forwarded DHCP request with the GiAddr set, but nothing shows up. As soon as I enable DHCP relay on the MX67 again, for the same VLAN, the messages start appearing, so I would expect the switch to do the same.

 

Has anyone tried and/or tested this on the MS120? It seems broken to me. My switch is running whatever the current stable release is. I haven't jumped on the beta release yet to see if that changes anything.

kYutobi
Kind of a big deal

Can you give a little more info on the DHCP server, what's plugged into what, etc.?

Adam2104
Building a reputation

DHCP server is running Dnsmasq, running on a Raspberry Pi3, and plugged into the same switch, but in a different VLAN. An MX67 provides intervlan routing.
kYutobi
Kind of a big deal

The port that the DHCP server is in, is that a trunk port? You also said it's in a different VLAN; are you sure the VLAN on the MX is configured correctly to route to other VLANs? I know sometimes you have to enable it on MX ports.

Adam2104
Building a reputation

Nope, it's an access port in a different VLAN. The MX has all the required VLANs and DHCP relay works just fine when the MX does it. It just doesn't work when the MS is supposed to be doing it.
PhilipDAth
Kind of a big deal

I think for DHCP relay to work (not sure on this one) the MS120 management IP address would need to be in the source VLAN that is being forwarded.

Asavoy
Building a reputation

Do you have DHCP scopes set up? We have a single domain that uses 5 different /19 scopes across our sites, with MS320s set up to relay to Windows DHCP servers. However, the one that has its interface IP set in the same scope as the DHCP server cannot be set to relay. If I recall right, the web interface won't allow you to make this change if that's the case. I wouldn't imagine it's much different for the MS120.

Adam2104
Building a reputation

Yep, everything on the DHCP server is set up. Relay works fine with my MX67. It doesn't work, at all, on the MS120. It never relays a single DHCP packet. I upgraded the switch to the newest beta and it still doesn't work.
Asavoy
Building a reputation

@Adam2104  What is the IP address of your DHCP server and the IP address of the interface on the MS120 from the Routing and DHCP page?

Adam2104
Building a reputation

I have multiple networks:

vlan 1 - 172.28.0.0/24
vlan 10 - 172.28.1.0/24
vlan 20 - 172.28.2.0/24
vlan 30 - 172.28.3.0/24
vlan 40 - 172.28.4.0/24

My main switch has an IP in each of those blocks for IGMP querier purposes, the IPs are:

vlan 1 - 172.28.0.250
vlan 10 - 172.28.1.250
vlan 20 - 172.28.2.250
vlan 30 - 172.28.3.250
vlan 40 - 172.28.4.250

IGMP querier works fine, I see the switch sending queries on each VLAN, sourced from the IPs listed above. The DHCP server lives in VLAN40 as 172.28.4.254.
Asavoy
Building a reputation

From what I can tell, a DHCP relay should work on all but the VLAN 40.

 

Essentially it should look like this (I think):

VLAN 1
Int IP 172.28.0.250
Enable IGMP
DHCP Relay to 172.28.4.254

 

Rinse and repeat, except for VLAN 40 which should not be able to have a relay set.  Again, this is my experience with my MS320s which are a bit more robust on L3, but I do have some MS220s that are comparable to the 120 and that looks like an appropriate config for them.  I can check later when I won't interfere with business functions.

Adam2104
Building a reputation

Yep, that's exactly how I configured it, but it doesn't work. I've noticed two things about that:

1. I cannot ping the switch on the configured address(es), even though it's sending out IGMP queries using those same addresses. I've verified that with a pcap.

2. Once you enable DHCP relay on an interface in Dashboard you can't turn it off (error message is shown). I have to delete the interface and recreate it.

m_Andrew
Meraki Employee

There used to be a bug that existed on the MS120 where configured pseudo-L3 interfaces (for IGMP / DHCP) did not respond to received ARP requests. This was fixed in MS 10.42. I know you mention you are running stable firmware, currently 10.45. If somehow you're below 10.42 though, an upgrade would be worthwhile to rule out the known issue.

Adam2104
Building a reputation

I actually upgraded to the latest/newest beta, 11.15. I still can't ping the pseudo interfaces. Maybe there was a regression? It isn't responding to ARP, as you said.
m_Andrew
Meraki Employee

I actually just tested this on current 11.x with an MS120 and I do see it responding to ARPs for pseudo interfaces configured with DHCP relay. You may want to open a support case in the event something else is going on in the environment. Note if the interface is configured only for IGMP and not DHCP relay, it may not respond to ARPs. The IGMP case is even simpler, it just transmits a flooded IGMP multicast packet periodically. There is no ARP or next-hop resolution involved with this.

 

I can share two data points regarding these interfaces that are helpful to be aware of:

 

1. Packets generated by the pseudo interface which need to be routed, such as a DHCP Discover being routed to the configured relay IP(s), will always route to the next hop of the gateway being used for the uplink interface of the switch. You will note when configuring a pseudo interface, there is no configuration for subnet. This is because packets always route to the default gateway in use by the uplink interface. So whatever this gateway is, it will need to accept and route this traffic properly.

 

2. Pseudo interfaces will not respond to ICMP / pings. They only accept and route the requisite DHCP packets. They are very limited in terms of additional functionality that would work on a full-fledged SVI. This is because they exist on an L2 switch -- the switching ASIC used on the MS120 does not support L3 routing, so the very specific use cases of having an IGMP querier and DHCP relay endpoint are implemented in software.

Adam2104
Building a reputation

@m_Andrew thanks for the extra info! I was able to confirm a few things:

1. The switch is responding to ARP, but not ICMP, as you suggested.

2. The switch is actually doing the relay operation, but the "use the uplink for the mgmt interface" seems to be a fundamentally flawed design. Let me explain:

Switch uplink IP - 172.28.0.2
Switch DHCP relay interface IP - 172.28.1.250
DHCP server - 172.28.4.254

So, the switch is relaying from the 172.28.1.x network and sending the relayed packet to the DHCP server at 172.28.4.254; it does this over the uplink interface. The problem is, it's sourcing the packet from the DHCP relay interface IP, 172.28.1.250. But, it's sending it on the uplink interface which is the 172.28.0.0/24 subnet. The MX67 IP spoofing protection eats the packet because the source IP doesn't match the subnet of the incoming interface. I can't see any situation where the MS120 would be able to relay for VLANs other than the management VLAN when the traffic is being handled by an MX with IP spoof protection turned on (it is by default).
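
The drop described in the post above can be reproduced offline with a small diagnostic. This is an added example, not part of the thread and not Meraki's implementation; it assumes the spoofing protection is a plain "source IP must be inside the ingress interface's subnet" test, and the function names and the constructed BOOTP packet are hypothetical.

```python
import ipaddress
import struct

# Constructed model of the MX VLAN interfaces, using the subnets quoted in the thread.
MX_VLAN_SUBNETS = {
    1: ipaddress.ip_network("172.28.0.0/24"),   # switch uplink / management VLAN
    10: ipaddress.ip_network("172.28.1.0/24"),  # VLAN being relayed
    40: ipaddress.ip_network("172.28.4.0/24"),  # DHCP server VLAN
}
BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"  # fixed 236-byte BOOTP header (RFC 951)

def build_relayed_discover(giaddr: str) -> bytes:
    """Constructed sample: BOOTP request as forwarded by a relay (giaddr filled in)."""
    return struct.pack(
        BOOTP_HEADER,
        1, 1, 6, 1,                      # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        0x1234ABCD, 0, 0x8000,           # xid, secs, flags (broadcast bit)
        bytes(4), bytes(4), bytes(4),    # ciaddr, yiaddr, siaddr
        ipaddress.ip_address(giaddr).packed,
        bytes.fromhex("020000000001"),   # chaddr (constructed MAC, null-padded)
        b"", b"",                        # sname, file
    )

def parse_giaddr(bootp: bytes) -> ipaddress.IPv4Address:
    """Extract the relay agent address (giaddr) at offset 24 of the BOOTP header."""
    if len(bootp) < struct.calcsize(BOOTP_HEADER):
        raise ValueError("truncated BOOTP header")
    return ipaddress.IPv4Address(bootp[24:28])

def passes_source_check(ip_src: str, ingress_vlan: int) -> bool:
    """Assumed check: source IP must fall inside the ingress interface's subnet."""
    return ipaddress.ip_address(ip_src) in MX_VLAN_SUBNETS[ingress_vlan]

def diagnose(ip_src: str, bootp: bytes, ingress_vlan: int) -> str:
    giaddr = parse_giaddr(bootp)
    if giaddr.is_unspecified:
        return "not relayed (giaddr is 0.0.0.0)"
    if passes_source_check(ip_src, ingress_vlan):
        return f"forwarded: relay {giaddr} source is valid on VLAN {ingress_vlan}"
    return (f"dropped: source {ip_src} (giaddr {giaddr}) is outside "
            f"{MX_VLAN_SUBNETS[ingress_vlan]} on ingress VLAN {ingress_vlan}")

if __name__ == "__main__":
    pkt = build_relayed_discover("172.28.1.250")
    print(diagnose("172.28.1.250", pkt, ingress_vlan=1))   # path described in the post
    print(diagnose("172.28.1.250", pkt, ingress_vlan=10))  # same packet, matching VLAN
```
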

redsector
Head in the Cloud

On Cisco "classic" you have to put ip-helper addresses on the VLANs to allow DHCP requests over different VLANs:

 

interface Vlan1
 description Management VLAN
 ip address 10.1.0.1 255.255.254.0
 ip helper-address 10.1.2.10
 ip helper-address 10.1.2.11
 ip helper-address 10.1.2.12
 no ip redirects
 ip directed-broadcast 101
 no ip proxy-arp
 arp timeout 60

 

Maybe you can do this on an MX?
