DHCP relay support for Multiprotocol Label Switching (MPLS) VPNs enables a network administrator to conserve address space by allowing overlapping addresses. The relay agent can support multiple clients on different VPNs, and many of these clients from different VPNs can share the same IP address.
Configuring VPNs involves an adjustment to the usual DHCP host IP address designation. VPNs use private address spaces that might not be unique across the Internet.
In some environments, a relay agent resides in a network element that also has access to one or more MPLS VPNs. A DHCP server that provides service to DHCP clients on those different VPNs must locate the VPN in which each client resides. The network element that contains the relay agent typically captures the VPN association of the DHCP client and includes this information in the relay agent information option of the DHCP packet.
DHCP relay support for MPLS VPNs allows the relay agent to forward this necessary VPN-related information to the DHCP server using the following three suboptions of the DHCP relay agent information option:
- VPN identifier
- Subnet selection
- Server identifier override
The VPN identifier suboption is used by the relay agent to inform the DHCP server about the VPN for every DHCP request that the relay agent passes on to the DHCP server; the VPN identifier suboption is also used to properly forward any DHCP reply that the DHCP server sends back to the relay agent. The VPN identifier suboption contains the VPN ID configured on the incoming interface to which the client is connected. If you configure the VPN routing and forwarding (VRF) name but not the VPN ID, the VRF name is used as the VPN identifier suboption. If the interface is in the global routing space, VPN suboptions are not added.
The subnet selection suboption allows the separation of the subnet, where the client resides, from the IP address used to communicate with the relay agent. In typical DHCP processing, the gateway address specifies both the subnet on which a DHCP client resides and the IP address that the server can use to communicate with the relay agent. Situations exist where the relay agent needs to specify the subnet on which a DHCP client resides that is different from the IP address that the server can use to communicate with the relay agent. The subnet selection suboption is included in the relay agent information option and passed on to the DHCP server. The gateway address is changed to the outgoing interface of the relay agent toward the DHCP server. The DHCP server uses this gateway address to send reply packets back to the relay agent.
The server identifier override suboption value is copied in the reply packet from the DHCP server instead of the normal server ID address. The server identifier override suboption contains the incoming interface IP address, which is the IP address on the relay agent that is accessible from the client. Using this information, the DHCP client sends all renew and release packets to the relay agent. The relay agent adds all the VPN suboptions to the packets and forwards the packets to the original DHCP server.
After adding these suboptions to the DHCP relay agent information option, the gateway address is changed to the outgoing interface of the relay agent toward the DHCP server. When the packets are returned from the DHCP server, the relay agent removes the relay agent information options from the packets and forwards the packets to the DHCP client on the correct VPN.
The figure below shows a VPN scenario in which the DHCP relay agent and DHCP server can recognize the VPN within which each client resides. DHCP client 1 is part of VPN green, DHCP client 2 is part of VPN red, and both use addresses from the same private subnet, 192.168.1.0/24. Because the clients have the same IP address, the DHCP relay agent and DHCP server use the VPN identifier, subnet selection, and server identifier override suboptions of the relay agent information option to distinguish the correct VPN of the client.
Figure 3. VPN DHCP Configuration
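As an added illustration of the relay and server behaviour described above (example code, not Cisco IOS code or a real DHCP implementation), the following Python models the three suboptions on a dict-based DHCP message: the relay adds them and rewrites the gateway address on the way to the server, the server copies the override value into its server ID, and the relay strips option 82 and picks the client's VRF on the way back. The suboption codes are the IETF-assigned ones (link selection 5 from RFC 3527, server identifier override 11 from RFC 5107, Virtual Subnet Selection 151 from RFC 6607); carrying the VRF name as a plain ASCII value under 151, and the addresses used, are assumptions for the example.

```python
from ipaddress import IPv4Address, IPv4Interface

OPT_RELAY_AGENT_INFO = 82   # DHCP relay agent information option
OPT_SERVER_ID = 54          # the normal server identifier option
SUB_LINK_SELECTION = 5      # the "subnet selection" suboption (RFC 3527)
SUB_SERVER_ID_OVERRIDE = 11 # server identifier override (RFC 5107)
SUB_VPN_ID = 151            # VSS / VPN identifier (RFC 6607); ASCII VRF name here (assumption)

def encode_suboptions(subs):
    """Pack {code: bytes} into the option-82 TLV payload."""
    return b"".join(bytes([c, len(v)]) + v for c, v in subs.items())

def decode_suboptions(payload):
    """Unpack an option-82 TLV payload back into {code: bytes}."""
    subs, i = {}, 0
    while i < len(payload):
        code, ln = payload[i], payload[i + 1]
        subs[code] = payload[i + 2:i + 2 + ln]
        i += 2 + ln
    return subs

def relay_to_server(msg, in_iface, vrf, out_addr):
    """Client->server: in_iface is the relay's client-facing interface
    ("192.168.1.1/24"), out_addr its interface toward the DHCP server."""
    iface = IPv4Interface(in_iface)
    fwd = {"giaddr": IPv4Address(out_addr), "options": dict(msg["options"])}
    if vrf is not None:                     # global routing table: no VPN suboptions
        fwd["options"][OPT_RELAY_AGENT_INFO] = encode_suboptions({
            SUB_VPN_ID: vrf.encode(),
            SUB_LINK_SELECTION: iface.network.network_address.packed,
            SUB_SERVER_ID_OVERRIDE: iface.ip.packed,   # reachable from the client
        })
    return fwd

def server_reply(request, offered, server_addr):
    """Server side: echo option 82 unchanged; if an override is present use it
    as the server ID so the client's renew/release packets go to the relay."""
    subs = decode_suboptions(request["options"].get(OPT_RELAY_AGENT_INFO, b""))
    opts = {OPT_SERVER_ID: IPv4Address(server_addr)}
    if SUB_SERVER_ID_OVERRIDE in subs:
        opts[OPT_SERVER_ID] = IPv4Address(subs[SUB_SERVER_ID_OVERRIDE])
        opts[OPT_RELAY_AGENT_INFO] = request["options"][OPT_RELAY_AGENT_INFO]
    return {"giaddr": request["giaddr"], "yiaddr": offered, "options": opts}

def relay_to_client(reply):
    """Server->client: read the VRF from option 82, strip it, return (vrf, msg)."""
    subs = decode_suboptions(reply["options"].get(OPT_RELAY_AGENT_INFO, b""))
    vrf = subs[SUB_VPN_ID].decode() if SUB_VPN_ID in subs else None
    opts = {k: v for k, v in reply["options"].items() if k != OPT_RELAY_AGENT_INFO}
    return vrf, {**reply, "options": opts}
```

Two clients on 192.168.1.0/24 in VPN green and VPN red produce identical subnet and override values and differ only in suboption 151, which is exactly what lets the server and the relay keep them apart.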