HP 5406Rzl2 switches and IP helper not working

sambaram
Occasional Contributor

Hi there. 

We seem to have a problem getting DHCP relay/IP helper for our servers sitting in the datacenters. 

Scenario:

2 DataCenters - Datacenter A and DataCenter B both connected via 10G dark fibre (layer 2) between 2 core switches - HP 5406R zl2 on port B21.

DataCenter A IP Schema - 192.168.8.0/24 - Gateway 192.168.8.254

DataCenter B IP Schema - 192.168.9.0/24 - Gateway 192.168.9.254

DHCP service runs on the Network Interface of VLAN 1 on firewall at both locations. 

Problem :

Servers in Datacenter A are sometimes getting an IP address from Datacenter B. In other words, they would get an IP of 192.168.9.xxx with gateway 192.168.9.254.

Servers in Datacenter B are sometimes getting an IP address from Datacenter A. In other words, they would get an IP of 192.168.8.xxx with gateway 192.168.8.254.

When this happens - an extra hop is added which possibly causes some applications to perform slower than usual. 

The firewall has DHCP relay set on the interface at both ends, but that's causing the above problem.

I ended up attempting to add ip helper-address on VLAN 1 on the switches at both ends, but the issue still persists.

The config on VLAN 1 and port B21 to which the fibre is connected at each datacenter is as follows:

Datacenter A has the following config :

vlan 1
name "DEFAULT_VLAN"
no untagged B12-B13,C12-C14
untagged A1-A8,B6-B11,B14,B16,B19-B20,C6-C11,C15-C16,C19-C21,Trk1-Trk8,Trk10
no ip address
ip helper-address 192.168.8.254
ipv6 enable
ipv6 address dhcp full
exit

interface B21
name "10G OFFICEWAVE TO DATACENTER B"
untagged vlan 1
trunk trk2 trunk
exit

Datacenter B switch has the following config:

vlan 1
name "DEFAULT_VLAN"
no untagged B1-B4,C3-C4
untagged A8,B9-B20,B22-B24,C2,C9-C14,C19-C21,C24,D8,Trk1-Trk12
ip address 192.168.0.222 255.255.255.0
ip helper-address 192.168.9.254
ipv6 enable
ipv6 address autoconfig
ipv6 address dhcp full
exit

interface B21
name "10G OFFICEWAVE TO DATACENTER A"
untagged vlan 1
trunk trk2 trunk
exit

Kindly advise how to permanently fix this problem? At this point in time, I cannot move servers away from the default VLAN as that is a legacy configuration I have inherited, and making the change now would be a big chunk of work.

Any tips on the above would be greatly appreciated. Thank you.


Samit

Emil_G
HPE Pro

Re: HP 5406Rzl2 switches and IP helper not working

Hello,

If I understand the design correctly, you have a flat network. All devices are in VLAN 1 and both datacenters are connected at Layer 2, thus 2 different IP ranges are in the same broadcast domain. That means that the broadcasts of datacenter A are flooded into datacenter B and vice versa. DHCP discovery is broadcast, and the switches in both datacenters cannot determine if the packet is coming from datacenter A or datacenter B. Enabling DHCP relay doesn't stop the flooding of the DHCP broadcast packets, so they will still be seen by both switches and both will forward them to the respective firewall. Sometimes it can happen that the switch in the remote DC is faster and the server will get an IP in the wrong IP range.

I think the ultimate solution would indeed be to redesign the network and connect both datacenters at layer 3.

Another possible solution or workaround: the switches also support DHCP snooping. DHCP snooping will allow you to define trusted ports and trusted DHCP servers. If your firewall is reachable via a port different than B21, you can define that port as DHCP snooping trusted port. This will make the switch drop DHCP server packets from all other ports including B21 except the trusted port of the firewall.

If you are reaching the firewall via the same port which connects to the other data center, or you want to add more granular control, you can add the IP address of the authorized DHCP server. For every data center this will be the IP of the firewall in the respective IP range. When the switch is configured with an authorized DHCP server, it will drop all DHCP server packets originating from other IP addresses even when they arrive on the trusted port. You can find more details about DHCP snooping here.

https://techhub.hpe.com/eginfolib/networking/docs/switches/RA/15-18/5998-8151_ra_2620_asg/content/ch11s02.html

https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-c01979055

This is one possible solution, you can have a look and decide if this will work in your environment or not.

There may be other solutions so if anyone has ideas, please feel free to share!


I am an HPE employee
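The DHCP snooping setup the reply describes, written out for both core switches as an added example (not from the thread or from HPE). The firewall-facing ports A1 and A8 are assumptions, as is the Option 82 line; lines starting with ";" are comments.

```text
; Datacenter A core switch (HP 5406R zl2) -- added example, not the poster's config
; ASSUMPTION: the firewall 192.168.8.254 is attached to port A1; use the real port.
; Any trunk on the path to the firewall must also be trusted, but B21 (member of
; Trk2, the dark-fibre link to Datacenter B) stays untrusted on purpose, so
; OFFER/ACK packets from the other site are dropped at the edge.
dhcp-snooping
dhcp-snooping vlan 1
dhcp-snooping trust A1
dhcp-snooping authorized-server 192.168.8.254
; Optional: Option 82 insertion is on by default once dhcp-snooping is enabled.
; If the firewall's DHCP server rejects requests carrying Option 82, disable it:
no dhcp-snooping option 82
write memory

; Datacenter B core switch, mirror image.
; ASSUMPTION: the firewall 192.168.9.254 is attached to port A8.
dhcp-snooping
dhcp-snooping vlan 1
dhcp-snooping trust A8
dhcp-snooping authorized-server 192.168.9.254
no dhcp-snooping option 82
write memory

; Verification on either switch
show dhcp-snooping            ; trusted ports and the authorized server list
show dhcp-snooping stats      ; counters for server packets dropped on untrusted ports
show dhcp-snooping binding    ; leases learned from OFFER/ACK seen on trusted ports
```

With this in place a server in Datacenter A that still receives a 192.168.9.x lease would show up as a non-zero drop counter in `show dhcp-snooping stats` only if the offer arrived on an untrusted port; a lease that gets through means the offer came via a trusted port, which points at the trust list rather than the authorized-server list.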