[c-nsp] unicast rpf dhcp drops after routing adjustment

Brett Frankenberger rbf+cisco-nsp at panix.com
Fri Dec 9 18:21:54 EST 2005


On Fri, Dec 09, 2005 at 03:20:40PM -0500, Tim Durack wrote:
> 
> 4. Configure router DHCP relay to use a loopback source address instead of
> the interface address.
> 
> This would fix this potential problem for many cases, but this is not
> currently configurable.
> 
> Seems like a logical IOS feature request. TAC Engineer says I will have to
> pursue it with an SE or Cisco Account Manager. The platform is EOS and
> approaching EOL, so I'm not sure the request would really go anywhere.

That won't generally work.  The DHCP server will send the response to
the IP address in the giaddr field in the packet, and that address has
to be the IP address on the interface from which the request was
received, so that the DHCP server can figure out what subnet the
request came from.  (If you put the loopback address in the giaddr
field, the DHCP server wouldn't know which subnet the request came
from and wouldn't be able to assign an IP address.)

There are ways to work around this, but they aren't trivial (and all
involve violations of the DHCP RFC) and thus would reduce the number of
sites that would find the feature you describe useful.  (Some that come
to mind are hacking the DHCP server to respond to the source address of
the packet instead of giaddr, then getting Cisco to use loopback for
the packet source address but not for the giaddr field ... if
everything is static in your environment, hacking the DHCP server to
not care about giaddr ... and so on.  The router code would also have
to be modified (if necessary) to accept DHCP responses addressed to lo0
that are for other interfaces.)

> Looks like option 2 is the one we will go with. Anybody else run into
> this?

Yep.  I use interface-specific ACLs in place of RPF on platforms where
RPF w/ an ACL isn't supported (or where it forces me into a slower
switching path), and an RPF ACL on platforms where it is supported.

     -- Brett
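To make the giaddr argument above concrete, here is an added Python sketch of the relay and server sides of that exchange; it is not code from the post or from any Cisco or DHCP server implementation. The interface names, addresses and scopes are constructed for the example, and the relay and server logic is a deliberately minimal model of RFC 2131 behaviour.

```python
import ipaddress
import struct

# Constructed topology for this example (assumption, not from the post):
# the relay router's interfaces and the DHCP server's address scopes.
RELAY_INTERFACES = {
    "Vlan10": ipaddress.ip_interface("10.1.10.1/24"),
    "Vlan20": ipaddress.ip_interface("10.1.20.1/24"),
    "Loopback0": ipaddress.ip_interface("192.0.2.1/32"),
}
SERVER_SCOPES = [ipaddress.ip_network("10.1.10.0/24"),
                 ipaddress.ip_network("10.1.20.0/24")]

# Fixed-length BOOTP/DHCP header (RFC 2131 section 2): giaddr is bytes 24-27.
DHCP_HDR = "!BBBBIHH4s4s4s4s16s64s128s4s"
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def build_discover(chaddr: bytes, xid: int = 0x1234) -> bytes:
    """Constructed client DHCPDISCOVER: giaddr is zero, the client has no address yet."""
    zero = b"\x00" * 4
    return struct.pack(DHCP_HDR, 1, 1, 6, 0, xid, 0, 0x8000,
                       zero, zero, zero, zero, chaddr.ljust(16, b"\x00"),
                       b"\x00" * 64, b"\x00" * 128, MAGIC_COOKIE)

def relay_discover(ingress_ifname: str, frame: bytes) -> bytes:
    """Relay stamps giaddr with the address of the interface the request arrived on
    (and increments hops); the server will send its reply to that giaddr."""
    giaddr = RELAY_INTERFACES[ingress_ifname].ip.packed
    hops = bytes([frame[3] + 1])
    return frame[:3] + hops + frame[4:24] + giaddr + frame[28:]

def server_select_scope(frame: bytes):
    """Server side: the only subnet hint in a relayed request is giaddr.
    Returns the scope containing it, or None when nothing matches (a loopback giaddr)."""
    giaddr = ipaddress.ip_address(frame[24:28])
    return next((net for net in SERVER_SCOPES if giaddr in net), None)

def relay_egress_interface(reply_dst: str):
    """Relay side: a reply addressed to giaddr is mapped back to the client-facing
    interface by matching the destination against the relay's own interface addresses."""
    dst = ipaddress.ip_address(reply_dst)
    return next((n for n, i in RELAY_INTERFACES.items() if i.ip == dst), None)
```

With a loopback giaddr the server finds no matching scope, and the relay maps the reply to Loopback0 rather than to the client's interface, which is the two-sided problem the reply above describes.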

