Friday, September 25, 2015

Cisco DHCP client bummer

It looks to me like the Cisco IOS DHCP client mishandles the DNS server option when the client interface sits in a VRF: the server is learned on the VRF interface but installed as a name server in the global table.

I'm working on an IOS 15.4 router with an empty startup-config and only the following configuration applied:
 interface FastEthernet4  
  ip address dhcp  
  no shutdown  

debug dhcp detail produces the following when the DHCP lease is claimed:
 Sep 25 19:48:23.316: DHCP: Received a BOOTREP pkt  
 Sep 25 19:48:23.316: DHCP: Scan: Message type: DHCP Offer  
 ...  
 Sep 25 19:48:23.316: DHCP: Scan: DNS Name Server Option: 192.168.100.4  

Indeed, we can resolve DNS. We can also see that the DNS server learned from DHCP has been installed as the router's name server (is there a better way to see this?):
 lab-C881#ping google.com  
 Translating "google.com"...domain server (192.168.100.4) [OK]  
 Type escape sequence to abort.  
 Sending 5, 100-byte ICMP Echos to 205.158.11.53, timeout is 2 seconds:  
 !!!!!  
 Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms  
 lab-C881#show hosts summary  
 Default domain is fragmentationneeded.net  
 Name/address lookup uses domain service  
 Name servers are 192.168.100.4  
 Cache entries: 5  
 Cache prune timeout: 50  
 lab-C881#  

If I put the interface into a VRF, like this...
 ip vrf INTERNET  
 interface FastEthernet4  
  ip vrf forwarding INTERNET  
  ip address dhcp  
  no shutdown  

The debugs look the same (the offer still carries the DNS Name Server Option), but we can't resolve google.com from within the VRF, and the VRF has no name server configured at all:
 lab-C881#ping vrf INTERNET google.com    
 % Unrecognized host or address, or protocol not running.  
 lab-C881#show hosts vrf INTERNET summary  
 lab-C881#  

Meanwhile the DHCP-learned server has landed in the global table. The global forwarding table has no interfaces up, yet it tries to use a DNS server that is reachable only from within the VRF:
 lab-C881#ping google.com    
 Translating "google.com"...domain server (192.168.100.4)  
 % Unrecognized host or address, or protocol not running.  
 lab-C881#show hosts summary  
 Default domain is fragmentationneeded.net  
 Name/address lookup uses domain service  
 Name servers are 192.168.100.4  
 Cache entries: 1  
 Cache prune timeout: 42  

Of course, without any interfaces in the global table, attempts to reach the DNS server from there will fail, and the VRF that actually learned the server never gets to use it. This is kind of a bummer.
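For reference, this is the manual workaround that the comments below converge on, written out as an added example rather than configuration from the original post: pin the name server into the VRF by hand and source the VRF's lookups from the VRF interface. It reuses the INTERNET VRF, FastEthernet4 and 192.168.100.4 from above, and it only works because the server address is already known, which is precisely what the DHCP client was supposed to supply.

```cisco
! Added example (not from the original post): manual workaround for the
! DHCP client installing the VRF-learned DNS server in the global table.
! Assumes the INTERNET VRF, FastEthernet4 and 192.168.100.4 shown above.
ip vrf INTERNET
!
interface FastEthernet4
 ip vrf forwarding INTERNET
 ip address dhcp
 no shutdown
!
! Pin the name server in the VRF context (VRF-aware DNS). The address has
! to be known in advance; it is not taken from the DHCP lease.
ip name-server vrf INTERNET 192.168.100.4
!
! Source lookups made in the VRF from the VRF interface, so the queries
! leave via the VRF's forwarding table and not the interface-less global one.
ip domain lookup vrf INTERNET source-interface FastEthernet4
!
! Verification, to be run from exec mode:
!   show hosts vrf INTERNET summary   -> should list 192.168.100.4
!   ping vrf INTERNET google.com      -> should translate and succeed
```

Two caveats: the static entry goes stale if the DHCP server ever hands out a different DNS server, and nothing here stops the DHCP client from continuing to populate the global table with the learned address, so lookups issued without a VRF context will still fail exactly as shown above.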

2 comments:

  1. Hello,
    Have you tried using the ip domain lookup source-interface fa4 command?
    By default IOS will only try to do a lookup from interfaces in the global vrf.

    The question for me is whether or not IOS will install the DHCP DNS and perform the lookup with that server, which is something I can't lab at the moment. You can force the name server by using ip name-server vrf and see if that works before trying it with DHCP.
    Good luck.

    1. "By default IOS will only try to do a lookup from interfaces in the global vrf."

      That's not correct. IOS has "VRF Aware DNS", which (aside from this issue) does the right thing: Lookups get done against the correct server depending on the VRF context of the query.

      Forcing the VRF to use the correct server (ip name-server vrf x.x.x.x) works, but it presumes that I know beforehand what server is available for me to use. In this case, I do not know where the DNS server is. I need to learn it from DHCP.
