How to configure DHCP relay in VSX Mode with Check Point R75.40VS and higher on the X-Series

Article ID: 168830

Products

CPM XOS APM

Issue/Introduction

The goal is to enable DHCP relay functionality in one or more Virtual Systems (VS) running Check Point VSX R75.40VS and higher.

Please note the following exception: With Check Point R77, DHCP Relay does not function in VSX mode installations. See the following Known Anomaly in the Check Point R77 for XOS Release Notes:

ID 102118 DHCP Relay does not function in VSX mode installations.
Workaround: Contact Check Point Customer Support for a patch to resolve this issue.

Resolution

1. In the CLI, add the following DHCP-related flow rules to the relevant VAP group. These rules cover both the client-to-server and the server-to-client traffic directions. You may need to adjust the "priority" value to make sure there is no conflict with existing flow rules:

ip-flow-rule dhcp_client_server
  action pass-to-master
  priority 11
  destination-port 67
  source-port 68
  protocol 17
  activate
    
ip-flow-rule dhcp_server_client
  action pass-to-master
  priority 11
  destination-port 68
  source-port 67
  protocol 17
  activate

2. On each VAP in the VAP group, perform the following steps, as specified in the corresponding Check Point R7x Installation Guide section on "Configuring DHCP Relay for VSX Mode":

a) Create a symbolic link using the following command:

# ln -s /etc/init.d/dhcrelay /etc/rc3.d/S99dhcrelay

b) Create the following directory:

# mkdir -p /etc/sysconfig/dhcrelay.vrf

c) Create a configuration file per Virtual System. (The configuration file must be identical on all members. <VSID> is the ID of each Virtual System.)

# vi /etc/sysconfig/dhcrelay.vrf/dhcrelay-vrf<VSID>

d) Add the following settings to the dhcrelay-vrf<VSID> configuration file:

ENABLED=yes
DHCPSERVERS="<DHCP_server_IP_Address>"
INTERFACES="<participating_interfaces>"
VRF=<VSID>


NOTE: Include the quotation marks in the DHCPSERVERS and the INTERFACES variables.

e) Restart the daemons to load the new configuration, using the following command:

# /etc/init.d/dhcrelay restart
 

3. Verify that the NPM module directs the DHCP traffic to the master VAP:

# show flow active destination-port 67 protocol 17 verbose
--> for client-to-server traffic

# show flow active destination-port 68 protocol 17 verbose
--> for server-to-client traffic
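
A read-only lint check for the per-Virtual-System file from step 2, added here as an example and not part of the vendor's procedure or tooling. The function names are hypothetical; the check applies the settings of step 2d literally, takes the VSID from the file name, and prints a checksum that can be compared between VAPs, since the file must be identical on all members.

```shell
#!/bin/sh
# Added example, not vendor code. check_dhcrelay_vrf and dhcrelay_vrf_digest
# are hypothetical helper names. Both only read the file.

# Lint one dhcrelay-vrf<VSID> file strictly against the settings in step 2d.
check_dhcrelay_vrf() {
    file=$1
    rc=0
    base=$(basename "$file")
    vsid=${base#dhcrelay-vrf}
    # The VSID is taken from the file name, as in step 2c.
    if [ "$vsid" = "$base" ] || [ -z "$vsid" ]; then
        echo "$file: name is not dhcrelay-vrf<VSID>" >&2
        return 1
    fi
    if [ ! -r "$file" ]; then
        echo "$file: not readable" >&2
        return 1
    fi
    grep -q '^ENABLED=yes$' "$file" ||
        { echo "$file: ENABLED=yes not set" >&2; rc=1; }
    # The NOTE in step 2d: both values must be wrapped in quotation marks.
    for key in DHCPSERVERS INTERFACES; do
        grep -Eq "^${key}=\"[^\"]+\"\$" "$file" ||
            { echo "$file: $key missing, empty or unquoted" >&2; rc=1; }
    done
    # VRF must carry the same VSID as the file name.
    vrf=$(sed -n 's/^VRF=//p' "$file" | tail -n 1)
    [ "$vrf" = "$vsid" ] ||
        { echo "$file: VRF='$vrf' does not match VSID '$vsid'" >&2; rc=1; }
    # Template placeholders such as <VSID> must not be left in the file.
    if grep -q '[<>]' "$file"; then
        echo "$file: unreplaced <placeholder> found" >&2
        rc=1
    fi
    return $rc
}

# Print a checksum to compare between members; the file must be identical on all.
dhcrelay_vrf_digest() {
    cksum < "$1" | awk '{print $1 "-" $2}'
}

# Usage: sh <this script> /etc/sysconfig/dhcrelay.vrf/dhcrelay-vrf*
for f in "$@"; do
    check_dhcrelay_vrf "$f" && echo "$f OK $(dhcrelay_vrf_digest "$f")"
done
```

Run it on each VAP before step 2e and compare the printed checksums; a file that differs on one member shows up as a different value.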