.. _c-and-b_ip-clos_fabric_dhcp_relay: IP-Clos Fabric DHCP Relay Lab ============================= In this Lab we will use the right side of the Lab Topology with a preconfigured IP-Clos Fabric. .. image:: ./images/58.png :alt: A computer screen shot of a diagram Description automatically generated Prepare and check your Lab -------------------------- Configure DHCP-Relay in Fabric ------------------------------ We must configure DHCP-Relay at all. Do NOT configure it locally directly on the Switch. **Always use the Fabric dialogue to configure it as part of the Fabric**. Go to **Organization -> Campus Fabric** and select “Topology 2”-Site then click on the “IP-Clos Fabric” similar to below. .. image:: ./images/59.png :alt: A screenshot of a computer Description automatically generated Using the “Edit Configuration” option go to the “Choose Campus Fabric Topology” Panel and check that you have a configured Loopback Pool for DHCP-Relay. .. image:: ./images/60.png :alt: A screenshot of a phone number Description automatically generated Then configure under “Configure Networks” the VLANs 1099, 1088 and 1033 for DHCP-Relay with the DHCP-Server which is in this Lab the IP-Address 192.168.122.12 ! Example for vlan 1099 is below: .. image:: ./images/61.png :alt: A screenshot of a computer Description automatically generated The end result of your configuration should look like the below: .. image:: ./images/62.png :alt: A screenshot of a computer program Description automatically generated Go further through the next windows with “Continue” until you can “Apply changes” to your fabric .. image:: ./images/63.png :alt: A blue and red button with white text Description automatically generated Check Loopback IP-Address exchange with WAN-Router -------------------------------------------------- Check **Access1** Switch that you see in status window **lo0.1-3** Loopback IP’s. IGNORE lo0.0 as this is underlay for the VTEP’s and control plane. .. image:: ./images/64.png :alt: A screenshot of a computer Description automatically generated Check **Access2** Switch that you see in status window **lo0.1-3** Loopback IP’s. IGNORE lo0.0 as this is underlay for the VTEP’s and control plane. .. image:: ./images/65.png :alt: A screenshot of a computer Description automatically generated Now check if those IP-Addresses are on the WAN-Router seen and exchanged via BGP-Peering. We use in this lab the routing instance public-int hence they should appear there. .. code-block:: none root@wanrouter> show route table public-int.inet.0 public-int.inet.0: 29 destinations, 35 routes (29 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Static/5] 1d 13:23:17 > to 192.168.10.1 via ge-0/0/6.0 10.33.31.0/24 *[BGP/170] 1d 13:05:05, localpref 100, from 10.255.226.5 AS path: 64911 65002 65004 65005 65007 I, validation-state: unverified > to 10.255.224.5 via ge-0/0/4.1031 to 10.255.226.5 via ge-0/0/5.1031 [BGP/170] 1d 13:05:05, localpref 100 AS path: 64911 65001 65004 65005 65007 I, validation-state: unverified > to 10.255.224.5 via ge-0/0/4.1031 10.33.33.0/24 *[BGP/170] 1d 13:05:05, localpref 100 AS path: 64911 65002 65004 65005 65007 I, validation-state: unverified to 10.255.224.5 via ge-0/0/4.1031 > to 10.255.226.5 via ge-0/0/5.1031 [BGP/170] 1d 13:05:05, localpref 100 AS path: 64911 65001 65004 65005 65007 I, validation-state: unverified > to 10.255.224.5 via ge-0/0/4.1031 10.88.81.0/24 *[BGP/170] 1d 13:05:05, localpref 100, from 10.255.226.3 AS path: 64911 65002 65004 65005 65007 I, validation-state: unverified > to 10.255.224.3 via ge-0/0/4.1081 to 10.255.226.3 via ge-0/0/5.1081 [BGP/170] 1d 13:05:05, localpref 100 AS path: 64911 65001 65004 65005 65007 I, validation-state: unverified > to 10.255.224.3 via ge-0/0/4.1081 10.88.88.0/24 *[BGP/170] 1d 13:05:05, localpref 100 AS path: 64911 65002 65004 65005 65007 I, validation-state: unverified to 10.255.224.3 via ge-0/0/4.1081 > to 10.255.226.3 via ge-0/0/5.1081 [BGP/170] 1d 13:05:05, localpref 100 AS path: 64911 65001 65004 65005 65007 I, validation-state: unverified > to 10.255.224.3 via ge-0/0/4.1081 10.99.91.0/24 *[BGP/170] 1d 13:05:05, localpref 100, from 10.255.226.1 AS path: 64911 65002 65004 65005 65007 I, validation-state: unverified > to 10.255.224.1 via ge-0/0/4.1091 to 10.255.226.1 via ge-0/0/5.1091 [BGP/170] 1d 13:05:05, localpref 100 AS path: 64911 65001 65004 65005 65007 I, validation-state: unverified > to 10.255.224.1 via ge-0/0/4.1091 10.99.99.0/24 *[BGP/170] 1d 13:05:05, localpref 100 AS path: 64911 65002 65004 65005 65007 I, validation-state: unverified to 10.255.224.1 via ge-0/0/4.1091 > to 10.255.226.1 via ge-0/0/5.1091 [BGP/170] 1d 13:05:05, localpref 100 AS path: 64911 65001 65004 65005 65007 I, validation-state: unverified > to 10.255.224.1 via ge-0/0/4.1091 10.255.224.0/31 *[Direct/0] 1d 13:23:17 > via ge-0/0/4.1091 10.255.224.0/32 *[Local/0] 1d 13:23:17 Local via ge-0/0/4.1091 10.255.224.2/31 *[Direct/0] 1d 13:23:17 > via ge-0/0/4.1081 10.255.224.2/32 *[Local/0] 1d 13:23:17 Local via ge-0/0/4.1081 10.255.224.4/31 *[Direct/0] 1d 13:23:17 > via ge-0/0/4.1031 10.255.224.4/32 *[Local/0] 1d 13:23:17 Local via ge-0/0/4.1031 10.255.226.0/31 *[Direct/0] 1d 13:23:17 > via ge-0/0/5.1091 10.255.226.0/32 *[Local/0] 1d 13:23:17 Local via ge-0/0/5.1091 10.255.226.2/31 *[Direct/0] 1d 13:23:17 > via ge-0/0/5.1081 10.255.226.2/32 *[Local/0] 1d 13:23:17 Local via ge-0/0/5.1081 10.255.226.4/31 *[Direct/0] 1d 13:23:17 > via ge-0/0/5.1031 10.255.226.4/32 *[Local/0] 1d 13:23:17 Local via ge-0/0/5.1031 172.16.192.7/32 *[BGP/170] 1d 13:23:08, localpref 100 AS path: 64911 I, validation-state: unverified > to 10.255.226.1 via ge-0/0/5.1091 172.16.192.8/32 *[BGP/170] 1d 13:23:09, localpref 100 AS path: 64911 I, validation-state: unverified > to 10.255.226.3 via ge-0/0/5.1081 172.16.192.9/32 *[BGP/170] 1d 13:23:10, localpref 100 AS path: 64911 I, validation-state: unverified > to 10.255.226.5 via ge-0/0/5.1031 172.16.192.10/32 *[BGP/170] 1d 13:05:17, localpref 100 AS path: 64911 I, validation-state: unverified > to 10.255.224.1 via ge-0/0/4.1091 172.16.192.11/32 *[BGP/170] 1d 13:05:09, localpref 100 AS path: 64911 I, validation-state: unverified > to 10.255.224.3 via ge-0/0/4.1081 172.16.192.12/32 *[BGP/170] 1d 13:05:08, localpref 100 AS path: 64911 I, validation-state: unverified > to 10.255.224.5 via ge-0/0/4.1031 192.168.10.0/24 *[Direct/0] 1d 13:23:17 > via ge-0/0/6.0 192.168.10.59/32 *[Local/0] 1d 13:23:17 Local via ge-0/0/6.0 192.168.122.0/24 *[Direct/0] 1d 13:23:17 > via ge-0/0/3.0 192.168.122.23/32 *[Local/0] 1d 13:23:17 Local via ge-0/0/3.0 In the above example those IP-Addresses are NOT seen. The IP-Addresses 172.16.192.7 to 172.16.192.12 ARE from the needed Pool-range but are configured on the service1/2 Switches if you review it. You need to check two things: #. Are they configured to be exported on the service 1/2 switches that do the BGP-Peering with the WAN-Router? Check the export rule set on service 1/2 .. image:: ./images/66.png :alt: A screenshot of a login Description automatically generated You need to ensure that Host Routes are exported as well hence you can NOT write a Rule 172.16.192.0/19 like the other networks! The rule would have to be 172.16.192.0/19-32 instead as below correct. .. image:: ./images/67.png :alt: A screenshot of a computer Description automatically generated #. If the Fabric was deployed before late June 2024 it needs some additional CLI still. Go to the Switch Template of Topology 2 .. image:: ./images/68.png :alt: A screenshot of a website Description automatically generated Go to access1 config for CLI .. image:: ./images/69.png :alt: A screenshot of a computer Description automatically generated Add the below additional CLI .. code-block:: none set groups top policy-options prefix-list irb_networks apply-path "interfaces irb unit <*> family inet address <*>" set groups top policy-options prefix-list loopbacks apply-path "interfaces lo0 unit <*> family inet address <*>" set groups top policy-options policy-statement EXPORT-T5-ROUTES term TERM_LO from protocol direct set groups top policy-options policy-statement EXPORT-T5-ROUTES term TERM_LO from prefix-list loopbacks set groups top policy-options policy-statement EXPORT-T5-ROUTES term TERM_LO then accept set groups top policy-options policy-statement EXPORT-T5-ROUTES term TERM_IRB from protocol direct set groups top policy-options policy-statement EXPORT-T5-ROUTES term TERM_IRB from prefix-list irb_networks set groups top policy-options policy-statement EXPORT-T5-ROUTES term TERM_IRB then accept set groups top routing-instances customera protocols evpn ip-prefix-routes export EXPORT-T5-ROUTES set groups top routing-instances customerb protocols evpn ip-prefix-routes export EXPORT-T5-ROUTES set groups top routing-instances devices protocols evpn ip-prefix-routes export EXPORT-T5-ROUTES .. image:: ./images/70.png :alt: A screenshot of a computer Description automatically generated Then go to access2 config for CLI .. image:: ./images/71.png :alt: A screenshot of a computer Description automatically generated Add the below additional CLI (same as switch1) .. code-block:: none set groups top policy-options prefix-list irb_networks apply-path "interfaces irb unit <*> family inet address <*>" set groups top policy-options prefix-list loopbacks apply-path "interfaces lo0 unit <*> family inet address <*>" set groups top policy-options policy-statement EXPORT-T5-ROUTES term TERM_LO from protocol direct set groups top policy-options policy-statement EXPORT-T5-ROUTES term TERM_LO from prefix-list loopbacks set groups top policy-options policy-statement EXPORT-T5-ROUTES term TERM_LO then accept set groups top policy-options policy-statement EXPORT-T5-ROUTES term TERM_IRB from protocol direct set groups top policy-options policy-statement EXPORT-T5-ROUTES term TERM_IRB from prefix-list irb_networks set groups top policy-options policy-statement EXPORT-T5-ROUTES term TERM_IRB then accept set groups top routing-instances customera protocols evpn ip-prefix-routes export EXPORT-T5-ROUTES set groups top routing-instances customerb protocols evpn ip-prefix-routes export EXPORT-T5-ROUTES set groups top routing-instances devices protocols evpn ip-prefix-routes export EXPORT-T5-ROUTES .. image:: ./images/72.png :alt: A screenshot of a computer Description automatically generated Then go to service config for CLI .. image:: ./images/73.png :alt: A screenshot of a computer Description automatically generated Add the below additional CLI which has two more lines of config then the previous two examples .. code-block:: none set groups top policy-options prefix-list irb_networks apply-path "interfaces irb unit <*> family inet address <*>" set groups top policy-options prefix-list loopbacks apply-path "interfaces lo0 unit <*> family inet address <*>" set groups top policy-options policy-statement EXPORT-T5-ROUTES term TERM_LO from protocol direct set groups top policy-options policy-statement EXPORT-T5-ROUTES term TERM_LO from prefix-list loopbacks set groups top policy-options policy-statement EXPORT-T5-ROUTES term TERM_LO then accept set groups top policy-options policy-statement EXPORT-T5-ROUTES term TERM_IRB from protocol direct set groups top policy-options policy-statement EXPORT-T5-ROUTES term TERM_IRB from prefix-list irb_networks set groups top policy-options policy-statement EXPORT-T5-ROUTES term TERM_IRB then accept set groups top routing-instances customera protocols evpn ip-prefix-routes export EXPORT-T5-ROUTES set groups top routing-instances customerb protocols evpn ip-prefix-routes export EXPORT-T5-ROUTES set groups top routing-instances devices protocols evpn ip-prefix-routes export EXPORT-T5-ROUTES set groups top policy-options policy-statement EXPORT-T5-ROUTES term TERM_BGP from protocol bgp set groups top policy-options policy-statement EXPORT-T5-ROUTES term TERM_BGP then accept .. image:: ./images/74.png :alt: A screenshot of a computer Description automatically generated Click on “Save” .. image:: ./images/75.png :alt: A close-up of a button Description automatically generated Ack the Dialogue .. image:: ./images/76.png :alt: A screenshot of a computer Description automatically generated Go to Access1, Access2, Service1 and Service2 Switch to review the config is pushed. Example below is Access1 Switch. .. image:: ./images/77.png :alt: A screenshot of a computer Description automatically generated Now review back on WAN-Router that the Loopback IP-Addresses 172.16.192.1 to 172.16.192.6 are finally visible. .. code-block:: none root@wanrouter> show route table public-int.inet.0 public-int.inet.0: 35 destinations, 53 routes (35 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Static/5] 1d 14:03:30 > to 192.168.10.1 via ge-0/0/6.0 . . . 10.255.226.4/32 *[Local/0] 1d 14:03:30 Local via ge-0/0/5.1031 172.16.192.1/32 *[BGP/170] 00:02:05, localpref 100, from 10.255.224.1 AS path: 64911 65001 65004 65006 65008 I, validation-state: unverified to 10.255.224.1 via ge-0/0/4.1091 > to 10.255.226.1 via ge-0/0/5.1091 [BGP/170] 00:02:05, localpref 100 AS path: 64911 65002 65004 65006 65008 I, validation-state: unverified > to 10.255.226.1 via ge-0/0/5.1091 172.16.192.2/32 *[BGP/170] 00:02:05, localpref 100, from 10.255.224.3 AS path: 64911 65001 65004 65006 65008 I, validation-state: unverified to 10.255.224.3 via ge-0/0/4.1081 > to 10.255.226.3 via ge-0/0/5.1081 [BGP/170] 00:02:05, localpref 100 AS path: 64911 65002 65004 65006 65008 I, validation-state: unverified > to 10.255.226.3 via ge-0/0/5.1081 172.16.192.3/32 *[BGP/170] 00:02:05, localpref 100, from 10.255.224.5 AS path: 64911 65001 65004 65006 65008 I, validation-state: unverified to 10.255.224.5 via ge-0/0/4.1031 > to 10.255.226.5 via ge-0/0/5.1031 [BGP/170] 00:02:05, localpref 100 AS path: 64911 65002 65004 65006 65008 I, validation-state: unverified > to 10.255.226.5 via ge-0/0/5.1031 172.16.192.4/32 *[BGP/170] 00:02:07, localpref 100 AS path: 64911 65002 65003 65005 65007 I, validation-state: unverified to 10.255.224.1 via ge-0/0/4.1091 > to 10.255.226.1 via ge-0/0/5.1091 [BGP/170] 00:02:07, localpref 100 AS path: 64911 65001 65003 65005 65007 I, validation-state: unverified > to 10.255.224.1 via ge-0/0/4.1091 172.16.192.5/32 *[BGP/170] 00:02:07, localpref 100 AS path: 64911 65002 65003 65005 65007 I, validation-state: unverified to 10.255.224.3 via ge-0/0/4.1081 > to 10.255.226.3 via ge-0/0/5.1081 [BGP/170] 00:02:07, localpref 100 AS path: 64911 65001 65003 65005 65007 I, validation-state: unverified > to 10.255.224.3 via ge-0/0/4.1081 172.16.192.6/32 *[BGP/170] 00:02:07, localpref 100 AS path: 64911 65002 65003 65005 65007 I, validation-state: unverified to 10.255.224.5 via ge-0/0/4.1031 > to 10.255.226.5 via ge-0/0/5.1031 [BGP/170] 00:02:07, localpref 100 AS path: 64911 65001 65003 65005 65007 I, validation-state: unverified > to 10.255.224.5 via ge-0/0/4.1031 172.16.192.7/32 *[BGP/170] 1d 14:03:21, localpref 100 AS path: 64911 I, validation-state: unverified > to 10.255.226.1 via ge-0/0/5.1091 [BGP/170] 00:02:05, localpref 100 AS path: 64911 65001 65003 65002 I, validation-state: unverified > to 10.255.224.1 via ge-0/0/4.1091 172.16.192.8/32 *[BGP/170] 1d 14:03:22, localpref 100 AS path: 64911 I, validation-state: unverified > to 10.255.226.3 via ge-0/0/5.1081 [BGP/170] 00:02:05, localpref 100 AS path: 64911 65001 65003 65002 I, validation-state: unverified > to 10.255.224.3 via ge-0/0/4.1081 172.16.192.9/32 *[BGP/170] 1d 14:03:23, localpref 100 AS path: 64911 I, validation-state: unverified > to 10.255.226.5 via ge-0/0/5.1031 [BGP/170] 00:02:05, localpref 100 AS path: 64911 65001 65003 65002 I, validation-state: unverified > to 10.255.224.5 via ge-0/0/4.1031 172.16.192.10/32 *[BGP/170] 1d 13:45:30, localpref 100 AS path: 64911 I, validation-state: unverified > to 10.255.224.1 via ge-0/0/4.1091 [BGP/170] 00:02:08, localpref 100 AS path: 64911 65002 65004 65001 I, validation-state: unverified > to 10.255.226.1 via ge-0/0/5.1091 172.16.192.11/32 *[BGP/170] 1d 13:45:22, localpref 100 AS path: 64911 I, validation-state: unverified > to 10.255.224.3 via ge-0/0/4.1081 [BGP/170] 00:02:08, localpref 100 AS path: 64911 65002 65004 65001 I, validation-state: unverified > to 10.255.226.3 via ge-0/0/5.1081 172.16.192.12/32 *[BGP/170] 1d 13:45:21, localpref 100 AS path: 64911 I, validation-state: unverified > to 10.255.224.5 via ge-0/0/4.1031 [BGP/170] 00:02:08, localpref 100 AS path: 64911 65002 65004 65001 I, validation-state: unverified > to 10.255.226.5 via ge-0/0/5.1031 192.168.10.0/24 *[Direct/0] 1d 14:03:30 > via ge-0/0/6.0 192.168.10.59/32 *[Local/0] 1d 14:03:30 Local via ge-0/0/6.0 192.168.122.0/24 *[Direct/0] 1d 14:03:30 > via ge-0/0/3.0 192.168.122.23/32 *[Local/0] 1d 14:03:30 Local via ge-0/0/3.0 Testing your DHCP-Relay configuration ------------------------------------- You can go to either desktop1 or desktop2 VM via Apache Guacamole and open a Terminal. You then need to issue for a test the following 4 lines: .. code-block:: none ifconfig ens5 0.0.0.0 up pkill dhclient rm -f /var/lib/dhcp/*.leases dhclient -v ens5 If you made everything right you will get a lease from the DHCP-Server .. image:: ./images/78.png :alt: A computer screen shot of a computer Description automatically generated .. warning:: It may happen that the reported IP-Address is from an Access Switch where the Client is not connected to (but the same VLAN configured). **Ignore this!** This is a known limit of vJunos-switch VM not implementing correctly the Junos “set interfaces irb unit no-dhcp-flood” . Hence, the broadcast of the client is not stopped at the attached Access-Switch and flooded to others as well causing this behaviour. OPTIONAL: Check the DHCP-Relay server. Login to the Kea1-VM and issue a tcpdump like the below. .. code-block:: none tcpdump –vv -eni ens3 port 67 .. image:: ./images/79.png Re-do the 4 lines asking for a DHCP-Lease on your Desktop VM. You should see not more and detailed information like the below. .. image:: ./images/80.png :alt: A screenshot of a computer screen Description automatically generated