dhcprelay command

Status
Not open for further replies.

blackrabbit

IS-IT--Management
Aug 22, 2002
204
US
We have about 30 remote offices using pix 501s to create a vpn tunnel to our pix 515 in our main office. Our main office uses a win 2k3 dhcp server for the main office, and some of the other offices are using the pix 501 as a dhcp server and the rest use static IPs on the workstations. I'm trying to understand the dhcprelay command and see if I can use that to set up different scopes on my 2k3 dhcp server to serve all my locations.

Even if it's not a good idea I'd like to try it as a test on one pix box so I can get a better understanding of pix commands. Does anyone have any suggestions, or has anyone ever used the dhcprelay command?
 
Not tried it, but if your dhcp server goes down on the main site, or the link goes down, you've potentially got 30 sites who don't get ip addresses, so can't get local networks. Sounds like a bad idea ... I can see why you'd like to try it for research, but as a solution in the real world it's a terrible idea.
 
Yeah, it is a bad idea from that standpoint, but it would be fun to learn how to make it work. Thanks.
 
I'd be interested in the dhcprelay command as well. In the next day or so (hopefully today), I have to use it. :p So it would be nice to know about it. Right now we have the firewall giving out dhcp information. Bad thing™. It keeps bringing the firewall to its knees for some reason. So, we have an inside dhcp server for clients to use.

Sorry for hijacking your post, I'm just curious about this as well.

I am Comptia A+ Certified
 
I am also very curious about using this feature as we are set up this way on our Frame Relay site to site, now converting to IPSEC between our main branch and offices. Cisco tells me this is possible, so I hope they are correct.
 
I have not used it, but in general terms, the pix will take a 255.255.255.255 dhcp request from the lan, convert it to a unicast packet and put its own address in the gateway field in the dhcp request. The dhcp server will then use the scope that the pix inside address is in, so you configure a scope for each location and define the router to be the pix inside address; this will make the dhcp server assign addresses from the right scope. If you would want this to travel within a vpn tunnel you would probably have to include the outside address of the pix -> dhcp server in your acl for the crypto map.

Jan

Network Systems Engineer
CCNA/CQS/CCSP
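
The relay behaviour described in the post above, as an added example that is not part of the original thread: a relay stamps its inside address into the BOOTP giaddr field (RFC 2131 layout) and the server picks the scope containing that address. The scope names, subnets and function names are constructed for illustration.

```python
import ipaddress
import struct

# Constructed sample scopes (not from the thread): one per location on the central server.
SCOPES = {
    "main-office": ipaddress.ip_network("10.0.0.0/24"),
    "branch-01": ipaddress.ip_network("192.168.101.0/24"),
    "branch-02": ipaddress.ip_network("192.168.102.0/24"),
}

def build_discover(xid, mac):
    """Fixed 236-byte BOOTP header of a client broadcast, as sent to 255.255.255.255."""
    # op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=6, hops=0, xid, secs=0, flags=broadcast
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)
    addrs = bytes(16)  # ciaddr, yiaddr, siaddr, giaddr: all 0.0.0.0 from the client
    return hdr + addrs + mac + bytes(10) + bytes(64 + 128)  # chaddr, sname, file

def relay(packet, relay_inside_ip):
    """Relay-agent step before unicasting to the server: stamp giaddr, bump hops."""
    pkt = bytearray(packet)
    if pkt[0] != 1 or pkt[3] >= 16:
        raise ValueError("not a BOOTREQUEST, or hop limit reached")
    if bytes(pkt[24:28]) == bytes(4):  # only the first relay fills in giaddr
        pkt[24:28] = ipaddress.ip_address(relay_inside_ip).packed
    pkt[3] += 1
    return bytes(pkt)

def select_scope(packet):
    """Server side: choose the scope whose subnet contains giaddr, else None."""
    giaddr = ipaddress.ip_address(bytes(packet[24:28]))
    if giaddr.is_unspecified:
        return None  # unrelayed; a real server would use the receiving interface's subnet
    for name, net in SCOPES.items():
        if giaddr in net:
            return name
    return None  # relayed from a subnet with no scope: no lease is offered

if __name__ == "__main__":
    discover = build_discover(0x1234, bytes.fromhex("001122334455"))
    print(select_scope(relay(discover, "192.168.101.1")))
```

A relayed request whose giaddr falls outside every configured scope gets no offer, which is why each location needs its own scope with the relay's inside address as the router.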
 
I use it now. For some reason I couldn't get it to work on the command line so I just went into the PDM. :p But it seems to be working correctly. We have an inside DHCP server for the firewall to relay the packets to get an address.

----------------------------
I am Comptia A+ Certified
 
A quick clarification: are you employing ezvpn in your configuration? Will this work with PIX 50x's only? I've got 831's in our small branch offices.
 
No, we don't use ezvpn. Can't say I have ever heard of ezvpn. :p

----------------------------
I am Comptia A+ Certified
 