[c-nsp] unicast rpf dhcp drops after routing adjustment
Tim Durack
tdurack at gmail.com
Fri Dec 9 22:06:42 EST 2005
On 12/9/05, Brett Frankenberger <rbf+cisco-nsp at panix.com> wrote:
>
> On Fri, Dec 09, 2005 at 03:20:40PM -0500, Tim Durack wrote:
> >
> > 4. Configure router DHCP relay to use a loopback source address instead of
> > the interface address.
> >
> > This would fix this potential problem for many cases, but this is not
> > currently configurable.
> >
> > Seems like a logical IOS feature request. TAC Engineer says I will have to
> > pursue it with an SE or Cisco Account Manager. The platform is EOS and
> > approaching EOL, so I'm not sure the request would really go anywhere.
>
> That won't generally work. The DHCP server will send the response to
> the IP address in the giaddr field in the packet, and that address has
> to be the IP address on the interface from which the request was
> received, so that the DHCP server can figure out what subnet the
> request came from. (If you put the loopback address in the giaddr
> field, the DHCP server wouldn't know which subnet the request came
> from and wouldn't be able to assign an IP address.)
Ah yes, scratch that idea. RFC2131 says:
"If the 'giaddr' field in a DHCP message from a client is non-zero,
the server sends any return messages to the 'DHCP server' port on the
BOOTP relay agent whose address appears in 'giaddr'."
Makes me wonder why the response has to go back to giaddr as opposed to
whatever the relay decided to use for source address.
Anyway, I'll go with what works.
> > Looks like option 2 is the one we will go with. Anybody else run into
> > this?
>
> Yep. I use interface-specific ACLs in place of RPF on platforms where
> RPF w/ an ACL isn't supported (or where it forces me into a slower
> switching path), and an RPF ACL on platforms where it is supported.
>
> -- Brett
>
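As an added illustration of the giaddr behaviour Brett describes (example code written for this page, not from the thread or from any Cisco or DHCP server implementation): a minimal model of an RFC 2131 relay agent and the server's pool selection. The pools, interface addresses and the loopback address are constructed sample values.

```python
# Added example (not from the thread): minimal RFC 2131 relay/server model
# showing why the server answers giaddr, and why giaddr must be the address
# of the ingress interface rather than a loopback.
import ipaddress
import struct

# Fixed BOOTP/DHCP header up to and including giaddr (RFC 2131 section 2):
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
HDR = struct.Struct("!BBBBIHH4s4s4s4s")
GIADDR = 10  # index of giaddr in the unpacked header
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_discover(xid: int) -> bytes:
    """Client DHCPDISCOVER with giaddr zero (constructed sample packet)."""
    zero = b"\x00" * 4
    head = HDR.pack(1, 1, 6, 0, xid, 0, 0x8000, zero, zero, zero, zero)
    return head + b"\x00" * 192 + MAGIC_COOKIE  # sname(64) + file(128) + cookie


def relay(pkt: bytes, ingress_ip: str) -> bytes:
    """Relay agent: if giaddr is still zero, fill in the address of the
    interface the request arrived on and bump the hop count."""
    fields = list(HDR.unpack_from(pkt))
    if fields[GIADDR] == b"\x00" * 4:
        fields[GIADDR] = ipaddress.IPv4Address(ingress_ip).packed
        fields[3] += 1  # hops
    return HDR.pack(*fields) + pkt[HDR.size:]


def server_reply_target(pkt: bytes, pools: dict) -> tuple:
    """Server side: choose the pool whose subnet contains giaddr and address
    the reply to giaddr, UDP port 67 ('DHCP server' port on the relay).
    pools maps a subnet string to the next free address (constructed data).
    Returns (reply_dst_ip, reply_dst_port, offered_ip)."""
    giaddr = ipaddress.IPv4Address(HDR.unpack_from(pkt)[GIADDR])
    if int(giaddr) == 0:
        raise ValueError("giaddr is zero: client is on-link, no relay involved")
    for subnet, free_ip in pools.items():
        if giaddr in ipaddress.ip_network(subnet):
            return str(giaddr), 67, free_ip
    # A loopback in giaddr lands here: the server cannot pick a subnet.
    raise LookupError(f"giaddr {giaddr} matches no configured subnet")


if __name__ == "__main__":
    pools = {"10.1.1.0/24": "10.1.1.50", "10.2.2.0/24": "10.2.2.50"}
    print(server_reply_target(relay(build_discover(0x1234), "10.1.1.1"), pools))
    try:
        server_reply_target(relay(build_discover(0x1235), "192.0.2.1"), pools)
    except LookupError as err:
        print("loopback as giaddr:", err)
```

Running it offers an address from the 10.1.1.0/24 pool and directs the reply to 10.1.1.1:67, while a loopback (192.0.2.1) in giaddr leaves the server unable to select a pool.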