How to configure BootP/DHCP Relay with IPSO/Gaia and Security Gateway
Solution

Table of Contents:

  • Configuring IPSO OS
  • Configuring Gaia OS
  • Configuring the Security Gateway
  • Allowing DHCP relay traffic to cross a VPN tunnel


Configuring IPSO OS

  1. To configure the BootP/DHCP Relay Agent, select 'Configuration > Router Services > BOOTP/DHCP Relay' on the main Configuration menu.

  2. Turn on the interfaces that will need to be listening for the BootP or DHCP packets and click "Apply".

  3. Enter the address of the BootP or DHCP server into the New Server field and click "Apply".

  4. Be sure to set the Wait Time to "0". The IPSO relay tries to give a local BootP/DHCP server a chance to respond to the initial broadcast by holding the client's request until the client increments its Elapsed Time (secs) value to "3". Some DHCP client implementations, most commonly Microsoft's, do not increment this value until after an address has been leased, so their requests would never be relayed. As a result, the Wait Time on the IPSO platform must be set to "0" to allow interoperability.

  5. If multiple IP addresses have been defined for a particular interface, IPSO will use the numerically lowest IP address bound to that interface as the Source IP address of any BootP/DHCP Packets sent from that interface.

  6. Using the Primary IP address field, the administrator can define the use of some other address that is bound to that interface. For example in Fig. 1, if multiple addresses have been defined for the internal interface int.if, then the administrator can define the address to be used as the source for BootP/DHCP transmission to "Client". Traffic between the external interface ext.if and the server will use an address bound to ext.if.


Configuring Gaia OS

  1. To configure the BootP/DHCP Relay Agent, select 'Advanced Routing > DHCP Relay' on the main Configuration menu.

  2. Add interfaces that will need to be listening for the BootP or DHCP packets and click "Apply".

  3. Enter the address of the BootP or DHCP server into the New Server field and click "Apply".

  4. Be sure to set the Wait Time to "0", for the same reason described above in the "Configuring IPSO OS" section.

  5. If multiple IP addresses have been defined for a particular interface, Gaia will use the numerically lowest IP address bound to that interface as the Source IP address of any BootP/DHCP Packets sent from that interface.

  6. Similar to IPSO, the administrator can define the use of some other address that is bound to that interface. For example in Fig. 1, if multiple addresses have been defined for the internal interface int.if, then the administrator can define the address to be used as the source for BootP/DHCP transmission to "Client". Traffic between the external interface ext.if and the server will use an address bound to ext.if.

Fig 1:

Client --- (int.if) [ GW ] (ext.if) ---- DHCP Server
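The following Python model illustrates the relay behaviour the two procedures above depend on: the Wait Time check against the client's Elapsed Time (secs) field, and the choice of relay address (numerically lowest bound address unless a Primary IP address is set), using the topology of Fig. 1. It is an added example and not Check Point or Nokia code; the interface names, bound addresses, the DHCP server address and the client retry patterns are all constructed for illustration, and the giaddr/hops handling follows RFC 1542 rather than any vendor-specific detail the article states.

```python
"""Model of the BootP/DHCP relay decisions described in the article above.

Added example, not Check Point or Nokia code.  Interface names, bound
addresses, the server address and the client retry sequences are made up.
"""
import ipaddress
import struct

BOOTREQUEST = 1
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed BOOTP header, 236 bytes


def build_discover(xid: int, mac: bytes, secs: int) -> bytes:
    """Minimal DHCPDISCOVER: BOOTREQUEST header carrying the client's Elapsed Time."""
    zero4 = b"\0" * 4
    hdr = struct.pack(HDR_FMT,
                      BOOTREQUEST, 1, 6, 0,        # op, htype=Ethernet, hlen, hops
                      xid, secs, 0x8000,           # xid, secs, flags (broadcast bit)
                      zero4, zero4, zero4, zero4,  # ciaddr, yiaddr, siaddr, giaddr
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC_COOKIE + bytes([53, 1, 1, 255])   # option 53 = DISCOVER, end


class RelayInterface:
    """One gateway interface with its bound addresses and an optional Primary IP."""

    def __init__(self, name, addresses, primary=None):
        self.name = name
        self.addresses = [ipaddress.IPv4Address(a) for a in addresses]
        self.primary = ipaddress.IPv4Address(primary) if primary else None
        if self.primary is not None and self.primary not in self.addresses:
            raise ValueError(f"Primary IP {self.primary} is not bound to {name}")

    def relay_address(self):
        """Primary IP if configured, otherwise the numerically lowest bound address."""
        return self.primary if self.primary is not None else min(self.addresses)


def relay(packet, ingress, egress, servers, wait_time):
    """Decide what the relay does with a client broadcast received on 'ingress'.

    Returns a list of (src_ip, dst_ip, forwarded_packet) tuples; empty when the
    request is held back (Wait Time) or dropped.
    """
    if packet[0] != BOOTREQUEST:
        return []
    hops = packet[3]
    (secs,) = struct.unpack_from("!H", packet, 8)
    # Wait Time: hold the broadcast until the client reports secs >= wait_time so a
    # local server can answer first.  A client that never increments secs (the
    # Microsoft behaviour the article describes) is starved unless wait_time is 0.
    if secs < wait_time:
        return []
    if hops >= 16:                  # RFC 1542: discard after 16 relay hops
        return []
    out = bytearray(packet)
    out[3] = hops + 1
    if out[24:28] == b"\0" * 4:     # first relay stamps giaddr with its client-facing address
        out[24:28] = ingress.relay_address().packed
    src = str(egress.relay_address())   # server-facing datagram uses an ext.if address
    return [(src, server, bytes(out)) for server in servers]


def first_forwarded_attempt(secs_per_attempt, wait_time, ingress, egress, servers):
    """Index of the first client retry the relay forwards, or None if it never does."""
    for i, secs in enumerate(secs_per_attempt):
        pkt = build_discover(0x3903F326, b"\x00\x11\x22\x33\x44\x55", secs)
        if relay(pkt, ingress, egress, servers, wait_time):
            return i
    return None


# Constructed topology after Fig. 1: Client --- (int.if) [GW] (ext.if) --- DHCP Server
INT_IF = RelayInterface("int.if", ["10.1.1.1", "10.1.1.254"], primary="10.1.1.254")
EXT_IF = RelayInterface("ext.if", ["192.0.2.2", "192.0.2.1"])
SERVERS = ["198.51.100.10"]

RFC_CLIENT = [0, 4, 8, 16]      # client that increments Elapsed Time on each retry
MS_CLIENT = [0, 0, 0, 0]        # client that leaves secs at 0 until it holds a lease

if __name__ == "__main__":
    for wt in (3, 0):
        print(f"wait_time={wt}: RFC-style client forwarded at attempt",
              first_forwarded_attempt(RFC_CLIENT, wt, INT_IF, EXT_IF, SERVERS),
              "; secs=0 client forwarded at attempt",
              first_forwarded_attempt(MS_CLIENT, wt, INT_IF, EXT_IF, SERVERS))
    src, dst, fwd = relay(build_discover(1, b"\xaa" * 6, 0), INT_IF, EXT_IF, SERVERS, 0)[0]
    print(f"forwarded {src} -> {dst}, giaddr={ipaddress.IPv4Address(fwd[24:28])}, hops={fwd[3]}")
```

With a Wait Time of 3 the model forwards the incrementing client's second attempt but never forwards the client that keeps secs at 0; with a Wait Time of 0 both are relayed on the first attempt. The forwarded datagram carries the Primary IP of int.if in giaddr (the address the server will hand its reply back to) and the lowest address of ext.if as its source, which is the address to expect when writing rules for the server-facing leg.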

Related solution: sk97642 (Troubleshooting DHCP Relay Issues).


Configuring the Security Gateway

In SmartDashboard, configure specific security rules using the following legacy services:

  Relevant DHCP traffic                                                  Service to use in Security Rule
  ---------------------------------------------------------------------  -------------------------------
  DHCP Requests from Hosts to DHCP Server                                bootp
  DHCP Replies from DHCP Server to Hosts                                 bootp
  DHCP Relay from Security Gateway / Cluster to DHCP Server              dhcp-relay
  DHCP Requests from Security Gateway / Cluster itself to DHCP Server    dhcp-req-localmodule
  DHCP Replies from DHCP Server to Security Gateway / Cluster itself     dhcp-rep-localmodule

In SmartDashboard, install policy onto involved Security Gateway / Cluster object.

For more details, please refer to sk98839.

Allowing DHCP relay traffic to cross a VPN tunnel

  1. To allow the DHCP relay traffic to cross the VPN tunnel, the relay agent Security Gateway must be included in the encryption domain. However, consider using a dedicated DHCP relay agent inside the network protected by the Security Gateway, rather than using the Security Gateway itself to relay the DHCP traffic.

  2. To get the relayed traffic to work, create a group object. Include the internal subnet object(s) as well as the Security Gateway object. This group will serve as both the encryption domain of the Security Gateway, as well as the SRC or DST object of the relevant Encrypt rules. If the relayed traffic was passing the Security Gateway before, it should now be encrypted. As you design your other rules, remember that the external interface of the Security Gateway will be the SRC IP address of the relayed DHCP packet.

Related Solution(s):
sk26154: How to configure DHCP Relay for a VLAN interface on SecurePlatform

Imported from Nokia support database
