This document describes how to configure the Dynamic Host Configuration Protocol (DHCP) relay feature introduced in Cisco VPN 3000 Concentrator version 3.6. With this feature enabled, a VPN Concentrator can relay DHCP messages between a DHCP client on the side of its public (external) interface and a DHCP server behind its private interface.
This example shows how to apply the DHCP Relay feature in a wireless LAN (WLAN) and VPN environment. The wireless client first associates with a wireless Access Point (AP) located in front of a VPN Concentrator and gets an IP address via DHCP. Then the wireless client can launch a VPN connection to the VPN Concentrator to secure its access to internal network resources; see Configuring Automatic VPN Initiation on Cisco VPN Client in a Wireless LAN Environment for details. The client gets a private IP address during the Internet Key Exchange (IKE) negotiation via DHCP. Using the DHCP Relay feature saves the cost of maintaining a separate DHCP server at the public side of the VPN Concentrator to allocate IP addresses for the wireless clients when they associate with the wireless AP.
Note: The DHCP feature can be misread as meaning that the Cisco VPN Concentrator can be a DHCP relay agent. The Cisco VPN Concentrator cannot act as a DHCP relay agent; it can act only as a pass-through device. The Cisco VPN Concentrator can be configured to use a DHCP server, in which case it can proxy ARP on behalf of the VPN Clients for IP address assignment.
Before attempting this configuration, ensure that you meet these requirements:
Cisco VPN Client administration
Cisco VPN Concentrator administration
The information in this document is based on these software and hardware versions:
Cisco VPN 3000 Concentrator with version 3.6
Cisco Aironet 340 AP
Cisco VPN Client version 3.6
CNR is used as the DHCP server
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
For more information on document conventions, refer to the Cisco Technical Tips Conventions.
In this section, you are presented with the information to configure the features described in this document.
This document uses the network setup shown in the diagram below.
The IP address of the DHCP server is 10.1.1.253. On the DHCP server, a scope with IP addresses ranging from 126.96.36.199 to 188.8.131.52 is created for the wireless clients.
Use this procedure to configure a VPN Concentrator for DHCP relay:
From the VPN Concentrator console, select Configuration > System > IP Routing > DHCP Relay. Select the Enabled check box to activate DHCP relay, and enter the forwarding IP address and subnet mask.
In this example, the DHCP message sent from the DHCP client is relayed to the DHCP server at 10.1.1.253.
From the VPN Concentrator console, select Configuration > Policy Management > Traffic Management > Assign Rules to Filter. In the resulting screen (shown below), move the DHCP In and DHCP Out rules from Available Rules to Current Rules in Filter.
This section provides information you can use to confirm your configuration is working properly.
An administrator can enable the DHCP and DHCPDBG event classes with severity level 1-9 to verify and troubleshoot the DHCP Relay feature. This event log demonstrates how DHCP messages from the client are relayed by the VPN Concentrator to the DHCP server.
The event log shows that the VPN 3000 Concentrator relays the DHCP Discover messages sent from the wireless client to the DHCP server, and places its public interface IP address in the giaddr (gateway IP address) field. The DHCP server then sends the IP address 184.108.40.206 back to the wireless client.
1 01/01/1999 00:05:49.300 SEV=9 DHCPDBG/22 RPT=7
Sockets got data for DHCP sock_rcv_cb: sd 1, buf 0x1e3e000

2 01/01/1999 00:05:49.300 SEV=6 DHCP/77 RPT=7
Relaying DHCP Packet: DHCP Discover

3 01/01/1999 00:05:49.300 SEV=6 DHCP/79 RPT=7
TX:DHCPDISCOVER ciaddr:0.0.0.0 yiaddr:0.0.0.0 siaddr:0.0.0.0 giaddr:220.127.116.11 chaddr:00.09.E8.62.A3.24

6 01/01/1999 00:05:49.310 SEV=9 DHCPDBG/22 RPT=8
Sockets got data for DHCP sock_rcv_cb: sd 1, buf 0x1d32000

7 01/01/1999 00:05:49.310 SEV=6 DHCP/77 RPT=8
Relaying DHCP Packet: DHCP Offer

8 01/01/1999 00:05:49.310 SEV=6 DHCP/79 RPT=8
TX:DHCPOFFER ciaddr:0.0.0.0 yiaddr:18.104.22.168 siaddr:0.0.0.0 giaddr:22.214.171.124 chaddr:00.09.E8.62.A3.24

11 01/01/1999 00:05:49.310 SEV=9 DHCPDBG/22 RPT=9
Sockets got data for DHCP sock_rcv_cb: sd 1, buf 0x1e3e800

12 01/01/1999 00:05:49.310 SEV=6 DHCP/77 RPT=9
Relaying DHCP Packet: DHCP Request

13 01/01/1999 00:05:49.310 SEV=6 DHCP/79 RPT=9
TX:DHCPREQUEST ciaddr:0.0.0.0 yiaddr:0.0.0.0 siaddr:0.0.0.0 giaddr:126.96.36.199 chaddr:00.09.E8.62.A3.24

16 01/01/1999 00:05:49.340 SEV=9 DHCPDBG/22 RPT=10
Sockets got data for DHCP sock_rcv_cb: sd 1, buf 0x1d32800

17 01/01/1999 00:05:49.340 SEV=6 DHCP/77 RPT=10
Relaying DHCP Packet: DHCP Ack

18 01/01/1999 00:05:49.340 SEV=6 DHCP/79 RPT=10
TX:DHCPACK ciaddr:0.0.0.0 yiaddr:188.8.131.52 siaddr:0.0.0.0 giaddr:184.108.40.206 chaddr:00.09.E8.62.A3.24

21 01/01/1999 00:05:51.710 SEV=9 DHCPDBG/16 RPT=22
DHCP task: Periodic timer expired (ticks 22)

22 01/01/1999 00:05:51.710 SEV=9 DHCPDBG/29 RPT=22
DHCP poll timeouts routine entered

23 01/01/1999 00:05:51.710 SEV=9 DHCPDBG/30 RPT=22
DHCP poll stats: callbacks 0, active CBs 0, total CBs 0

24 01/01/1999 00:06:06.710 SEV=9 DHCPDBG/16 RPT=23
DHCP task: Periodic timer expired (ticks 23)

25 01/01/1999 00:06:06.710 SEV=9 DHCPDBG/29 RPT=23
DHCP poll timeouts routine entered

26 01/01/1999 00:06:06.710 SEV=9 DHCPDBG/30 RPT=23
DHCP poll stats: callbacks 0, active CBs 0, total CBs 0
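The following Python check is an added example, not part of the original document or of Cisco's tooling. It reads exported TX: events in the layout shown above and flags clients whose Discover/Offer/Request/Ack exchange never completes (for instance when the DHCP In and DHCP Out rules are missing from the filter), or whose relayed messages carry an unexpected giaddr or a leased address outside the scope. The sample log, the relay address 192.0.2.1, the scope 192.0.2.0/24 and the helper name audit_relay_log are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the TX: event layout shown in the log above. All
# addresses and the last two MACs are placeholders, not values from the page.
SAMPLE_LOG = """\
3 01/01/1999 00:05:49.300 SEV=6 DHCP/79 RPT=7 TX:DHCPDISCOVER ciaddr:0.0.0.0 yiaddr:0.0.0.0 siaddr:0.0.0.0 giaddr:192.0.2.1 chaddr:00.09.E8.62.A3.24
8 01/01/1999 00:05:49.310 SEV=6 DHCP/79 RPT=8 TX:DHCPOFFER ciaddr:0.0.0.0 yiaddr:192.0.2.50 siaddr:0.0.0.0 giaddr:192.0.2.1 chaddr:00.09.E8.62.A3.24
13 01/01/1999 00:05:49.310 SEV=6 DHCP/79 RPT=9 TX:DHCPREQUEST ciaddr:0.0.0.0 yiaddr:0.0.0.0 siaddr:0.0.0.0 giaddr:192.0.2.1 chaddr:00.09.E8.62.A3.24
18 01/01/1999 00:05:49.340 SEV=6 DHCP/79 RPT=10 TX:DHCPACK ciaddr:0.0.0.0 yiaddr:192.0.2.50 siaddr:0.0.0.0 giaddr:192.0.2.1 chaddr:00.09.E8.62.A3.24
21 01/01/1999 00:06:10.000 SEV=6 DHCP/79 RPT=11 TX:DHCPDISCOVER ciaddr:0.0.0.0 yiaddr:0.0.0.0 siaddr:0.0.0.0 giaddr:192.0.2.1 chaddr:02.00.00.00.00.01
24 01/01/1999 00:06:20.000 SEV=6 DHCP/79 RPT=12 TX:DHCPDISCOVER ciaddr:0.0.0.0 yiaddr:0.0.0.0 siaddr:0.0.0.0 giaddr:192.0.2.1 chaddr:02.00.00.00.00.02
27 01/01/1999 00:06:20.010 SEV=6 DHCP/79 RPT=13 TX:DHCPOFFER ciaddr:0.0.0.0 yiaddr:198.51.100.7 siaddr:0.0.0.0 giaddr:203.0.113.9 chaddr:02.00.00.00.00.02
"""

# Matches the message body only, so it works whether the event header is on
# the same line as the TX: text or on the line before it.
TX_EVENT = re.compile(
    r"TX:DHCP(?P<type>[A-Z]+)\s+ciaddr:\S+\s+yiaddr:(?P<yiaddr>\S+)\s+"
    r"siaddr:\S+\s+giaddr:(?P<giaddr>\S+)\s+chaddr:(?P<chaddr>\S+)")


def audit_relay_log(text, relay_ip, scope):
    """Return {chaddr: [findings]} for relayed exchanges that look wrong."""
    net = ipaddress.ip_network(scope)
    seen, findings = {}, {}
    for m in TX_EVENT.finditer(text):
        mac, kind = m["chaddr"], m["type"]
        seen.setdefault(mac, []).append(kind)
        notes = findings.setdefault(mac, [])
        # Every relayed message should carry the concentrator's public IP.
        if m["giaddr"] != relay_ip:
            notes.append(f"{kind} has unexpected giaddr {m['giaddr']}")
        # Only server replies carry a lease address worth checking.
        if kind in ("OFFER", "ACK") and ipaddress.ip_address(m["yiaddr"]) not in net:
            notes.append(f"{kind} yiaddr {m['yiaddr']} is outside {net}")
    for mac, kinds in seen.items():
        if "ACK" not in kinds:
            findings[mac].append("no DHCPACK relayed, saw " + ",".join(kinds))
    return {mac: notes for mac, notes in findings.items() if notes}


if __name__ == "__main__":
    for mac, notes in audit_relay_log(SAMPLE_LOG, "192.0.2.1", "192.0.2.0/24").items():
        print(mac, "->", "; ".join(notes))
```
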