bootp through the ltm

Question

Below is the setup i have. I have LTM with two interfaces, one connected to dmz vlan and the other connected to a cisco firewall. The firewall is connected to a switch and behind the switch i have DHCP server. What i need is to get a server we are building on the dmz to get ip address from the DHCP server(192.168.80.100) bootpc. &nbsp;
&nbsp;                                   DMZ Servers (DMZ Vlan)
&nbsp;                                      -
&nbsp;                                      -  10.1.0.1/254 -(LTM Internal Int)
&nbsp;                                    BIP LTM
&nbsp;                                      -  10.2.0.1/24 -(LTM external Int)
&nbsp;                                      -  10.2.0.2/24 -(Firewall DMZ Int)
&nbsp;                                    Firewall 
&nbsp;                                      -  10.3.0.1/24 -(Firewall Inside) 
&nbsp;                                      -
&nbsp;                                    Switch
&nbsp;                                     Vlan 80
&nbsp;                                    DHCP Server - 172.25.80.100&nbsp;&nbsp;&nbsp;
&nbsp;To allow new servers on the to get ip from dhcp servers enable BOOTP and PXE traffic through the LTM, i have setup the following&nbsp;&nbsp;
&nbsp;Step 1: run this CLI command:
&nbsp;b db TM.AllowMulticastL2DestinationTraffic enable&nbsp;
&nbsp;Setup 2:  create a set of pool/ virtual server: 
&nbsp;BOOTP and DHCP traffic is sent to the destination port 67/udp.&nbsp;
&nbsp;Setup 3: create a pool that contains your PXE server. 172.25.80.100
&nbsp;Pool member: PXE server; Service port "* all services"&nbsp;
&nbsp;Setup 4: create a virtual server listening on the port 67
&nbsp;Destination Type: Network
&nbsp;Address: 0.0.0.0
&nbsp;Mask: 0.0.0.0
&nbsp;Service port: Other &gt; 67
&nbsp;Default pool: pool created above&nbsp;
&nbsp;Setup 5: And another one listening on port 68
&nbsp;Destination Type: Network
&nbsp;Address: 0.0.0.0
&nbsp;Mask: 0.0.0.0
&nbsp;Service port: Other &gt; 68
&nbsp;Default pool: pool created above&nbsp;
&nbsp;This should allow the BIG-IP to forward the BOOTP and DHCP traffic to the PXE server located on the other VLAN. BUT it doesnt work. infact i dont see any traffic when i look at the pool members statictics or vitual server statictics.&nbsp;
&nbsp;Please advise.&nbsp;&nbsp;&nbsp;

jrahm · Answer

bootp is a broadcast, and the LTM is not yet capable of dhcp relay.  You'll need to configure a relay agent in the DMZ to handle this for you.

jrahm · Answer

Please open a support case against the CR noted in this thread:&nbsp;
&nbsp;http://devcentral.f5.com/Default.aspx?tabid=53&amp;view=topic&amp;postid=19651&amp;ptarget=19782 &nbsp;

james_thomson · Answer

I can get the initial bootp request through the LTM, but the response doesn't make it back through because of what a dhcp response looks like. Here is what I see in my testing.&nbsp;
&nbsp;DHCP Server: 10.10.10.100
&nbsp;External: 10.10.10.10
&nbsp;Internal: 192.168.10.10
&nbsp;Client: none (about to get dhcp to 192.168.10.100)&nbsp;
&nbsp;Client sends out bootp request destination 255.255.255.255 and source 0.0.0.0
&nbsp;LTM catches it in the vip and shoots it out the other end.
&nbsp;                Here we can either SNAT it or not SNAT it.  Either way, the source mac address is now the BIG-IP.
&nbsp;When the DHCP server gets it, it responds with a packet, source IP 10.10.10.100 dest ip:  (192.168.10.100). Destination mac, LTM’s mac address.
&nbsp;Now that packet reaches the LTM
&nbsp;If you have a forwarding virtual on the external side, TMM accepts it and then says, ok, where is this destination IP 192.168.10.100? I have no arp entry so I’ll ask. It then sends and arp query out the client side asking for 192.168.10.100.  No one owns it and the packet dies.&nbsp;
&nbsp;Something in the LTM needs to receive the DHCP request and act as a dhcp proxy where it remembers the original bootp request and can recognize that the bootp response belongs to that client’s mac. 
&nbsp;That’s what a linux program called dhcprelay is designed to do, but we haven’t implemented that on LTM.&nbsp;
&nbsp;I think we need to request that F5 add this to their product by creating a support case.&nbsp;

jrahm · Answer

The more customers who open cases against this, the more visible the request becomes...the CR is CR50233

francisco_1_162 · Answer

I have already open a case with F5 support. i will speak to them tomorrow morning about CR50233.
&nbsp;thanks chaps. &nbsp;&nbsp;
&nbsp;Franco.

Forum Discussion

bootp through the ltm

6 Replies

Recent Discussions

google autenticator broken barcode

Error while running ansible

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Related Content

Relaying netboot/bootp/DHCP traffic for VPN user

Re: APM-DHCP Access Policy Example and Detailed Instructions

DHCP Relay Virtual Server

DHCP relay on LTM viprion vcmp guest version 12.1.6

Move DHCP Server for SSL VPN (with Edge Client) to an internal MS DHCP via iAPP