Cisco ACI: DHCP Relay Support

Introduction to DHCP Relay
The Dynamic Host Configuration Protocol (DHCP) lets a client automatically obtain an IP address from a DHCP server as needed. To locate the DHCP server, a client connecting to a network sends a broadcast packet, which reaches only the subnet on which the client resides. DHCP servers are typically centralized and do not exist on every subnet.

When there are no DHCP servers on the local network, DHCP Relay gives DHCP clients a mechanism to connect to DHCP servers. Discover messages are forwarded by a Relay Agent to a configured DHCP server using IP routing. The DHCP offer is then sent back to the client network by the relay agent.

DHCP Relay in Cisco ACI
DHCP servers can provide IP addresses to all endpoints connected to an EPG if they are located under that EPG. In many deployment scenarios, however, DHCP servers do not exist in the same EPG, BD, or VRF as all the clients that require them.

An L3Out connection can be used to connect an external server to the fabric in these cases and allow endpoints in one EPG to obtain IP addresses via DHCP from an external server in another EPG in a different site.

To configure the relay, you can create a DHCP Relay policy in the MSO GUI. To provide specific configuration details, you can also create a DHCP Option policy to configure additional options.

Fig 1.1-Cisco ACI: DHCP Relay Support

As part of creating a DHCP relay policy, you specify either an external EPG or an application EPG for the DHCP server. DHCP policies are associated with bridge domains, which are then associated with application EPGs, which allows endpoints in those EPGs to communicate with the DHCP server.

To allow communication between the relay EPG and application EPG, you create a contract between them. As soon as the bridge domain associated with the policy is deployed to a site, the DHCP policies you create are pushed to the APIC.

DHCP Relay guidelines and limitations

  • Fabrics running Cisco APIC Release 4.2(1) or later support DHCP relay policies. 
  • DHCP Relay Agent Information Option must be supported by the DHCP servers (Option 82).
  • When an ACI fabric operates as a DHCP relay, it includes the DHCP Relay Agent Information Option in DHCP requests that it proxies on clients' behalf. If a response (DHCP offer) from a DHCP server does not include Option 82, it is silently dropped by the fabric.
  • Only user tenants and the common tenant support DHCP relay rules. For infra or mgmt tenants, DHCP policies are not supported.
  • Cisco advises defining shared resources and services in the common tenant when configuring the ACI fabric so that any user tenant can use them.
  • DHCP relay server must be in the same user tenant as the DHCP clients or in the common tenant. 
  • The server and the clients cannot be in different user tenants. 
  • DHCP relay policies can be configured for the primary SVI interface only. 
  • If the bridge domain to which you assign a relay policy contains multiple subnets, the first subnet you add becomes the primary IP address on the SVI interface, while additional subnets are configured as secondary IP addresses. In certain scenarios, such as importing a configuration with a bridge domain with multiple subnets, the primary address on the SVI may change to one of the secondary addresses, which would break the DHCP relay for that bridge domain.
  • If you make changes to the DHCP policy after you have assigned it to a bridge domain and deployed the bridge domain to one or more sites, you will need to re-deploy the bridge domain for the DHCP policy changes to be updated on each site's APIC.
  • For inter-VRF DHCP relay with the DHCP server reachable via an L3Out, DHCP relay packets must use a site-local L3Out to reach the DHCP server. Using an L3Out in a different site (Inter-site L3Out) to reach the DHCP server is not supported.
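
When offers never reach clients, the Option 82 rule above is the first thing to check in a packet capture. The following is an added example, not code from Cisco or from the original page: it parses a raw DHCP payload and reports whether a server offer carries Option 82. The function names are hypothetical and the sample packet bytes and sub-option values are constructed for illustration.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # precedes the options field (RFC 2131)
BOOTP_HEADER_LEN = 236              # fixed BOOTP header before the cookie
DHCPOFFER = 2                       # Option 53 value for the reply the page names

def parse_tlvs(data, dhcp_level=True):
    """Walk code/length/value triples and return {code: value bytes}."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if dhcp_level and code == 255:   # End option
            break
        if dhcp_level and code == 0:     # Pad option carries no length byte
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError(f"truncated option {code}")
        length = data[i + 1]
        out[code] = out.get(code, b"") + data[i + 2:i + 2 + length]
        i += 2 + length
    return out

def inspect_reply(packet):
    """Return (message type, Option 82 sub-options or None) for a DHCP payload."""
    if packet[BOOTP_HEADER_LEN:BOOTP_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("magic cookie missing: not a DHCP packet")
    opts = parse_tlvs(packet[BOOTP_HEADER_LEN + 4:])
    msg_type = opts[53][0] if opts.get(53) else None
    relay_info = parse_tlvs(opts[82], dhcp_level=False) if 82 in opts else None
    return msg_type, relay_info

def dropped_by_relay(packet):
    """Model of the rule above: an offer without Option 82 is dropped."""
    msg_type, relay_info = inspect_reply(packet)
    return msg_type == DHCPOFFER and relay_info is None

def build_offer(with_option_82):
    """Constructed sample DHCPOFFER; the sub-option values are made up."""
    header = bytes([2, 1, 6, 1]) + bytes(BOOTP_HEADER_LEN - 4)  # op=BOOTREPLY
    options = bytes([53, 1, DHCPOFFER])
    if with_option_82:
        sub = bytes([1, 4]) + b"leaf" + bytes([2, 3]) + b"bd1"  # circuit ID, remote ID
        options += bytes([82, len(sub)]) + sub
    return header + MAGIC_COOKIE + options + bytes([255])

if __name__ == "__main__":
    for flag in (True, False):
        pkt = build_offer(flag)
        print(inspect_reply(pkt), "dropped" if dropped_by_relay(pkt) else "relayed")
```

Feed `inspect_reply` the UDP payload of a captured server reply (port 67) to confirm the server echoes Option 82 before looking for a fault in the fabric policy.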

Unsupported DHCP relay configurations
  • DHCP relay clients behind an L3Out. 
  • Importing existing DHCP policies from APIC. 
  • DHCP relay policy configuration in Global Fabric Access Policies.
  • Multiple DHCP servers within the same DHCP relay policy and EPG.
  • If you configure multiple providers under the same DHCP relay policy, they must be in different EPGs or external EPGs.