Setting up a DHCP Relay in NSX-T 3.0

In this tutorial I’m going to show you step by step how to use the DHCP relay function in NSX-T 3.0. We’ll be setting up a DHCP enabled segment that is assigned addresses by an external DHCP server.

Setting up a DHCP relay profile

The first step is to create a DHCP server profile to be used by our segment later.

  1. Start in the Policy view
  2. Navigate to the Networking tab
  3. Click DHCP under IP Management
  4. Click ADD DHCP PROFILE
  1. Enter a profile name
  2. Choose DHCP Relay for the Profile Type
  3. Enter your DHCP server IP addresses
  4. Click Save

Create a new Segment

Next we’ll create our segment that uses our DHCP profile

  1. Start from the Networking tab
  2. Navigate to the Segments view
  3. Click ADD SEGMENT
  1. Enter a segment name
  2. Connect it to a Tier 0 or Tier 1 gateway
  3. Choose the appropriate Transport Zone
  4. Enter the IP address for this segment’s gateway in CIDR format
  5. Click SET DHCP CONFIG
  1. Choose DHCP Relay for the DHCP Type
  2. Choose your DHCP profile we created earlier
  3. Click APPLY
  1. Click SAVE to create the segment

East / West Security

In my environment we have the distributed firewall enabled with a default deny policy. This means we have to write rules to allow specific traffic in and out of every virtual machine. There’s a couple rules we need to write to make DHCP function. In this example I’m creating the policy in the EMERGENCY category just for the sake of the post. My production DHCP rules are in the INFRASTRUCTURE category.

We’ll create a rule to allow clients to broadcast DHCP requests first, then a second rule to allow the gateway to respond with the address.

  1. Navigate to the Security tab
  2. Click Distributed Firewall under the East West Security heading
  3. Click CATEGORY SPECIFIC RULES
  4. Choose the appropriate category for your environment
  5. Click ADD POLICY
  1. Enter the name of the policy
  2. Click the three dots at the left of the policy
  1. Click Add Rule
  1. Enter the policy name, in this case “Clients”
  2. Click the pencil icon in the Services column
  1. Scroll down in the service list and check the box for DHCP-Server
  2. Click APPLY
  1. Click the three dots at the left of our first rule
  2. Click Add Rule
  1. Enter the name of the rule, in the case “Server”
  2. Click the pencil icon in the Sources column
  1. Navigate to the IP Addresses tab
  2. Enter the Gateway IP address of our new segment.
  3. Click APPLY
  1. Click the pencil icon in the Services column
  1. Scroll down in the services list and choose DHCP-Client
  2. Click APPLY
  1. Finally, click PUBLISH to commit the security policy

Closing thoughts

It’s relatively straightforward to set up the DHCP relay service. However I struggled with it for a few days when we first set up NSX-T 2.5, and ultimately we ended up using the built in DHCP server to get us down the road. Now that we’ve upgraded to NSX-T 3.0 I wanted to give it another shot and this time around it worked. I suspect my security policy may have been the missing link the first time around.

One particularly annoying thing I’ve learned though: once you have a segment that’s using a DHCP profile you can’t change the DHCP settings on that segment. To change it you have to delete the whole segment and recreate it. The same quirk applies to the DHCP profile itself, you can’t edit the DHCP server IP addresses if any segments are configured to use the profile which means if you want to change your DHCP server address you have to delete EVERY segment that’s configured to use it, edit your settings, and then create new segments using the updated profile. This seems like a pretty horrible oversight, so keep that in mind if you’re thinking of changing DHCP servers.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: