VMware NSX

 Configuring DHCP to be offered by server outside of NSX-T

jmv5010 posted Oct 23, 2024 05:52 PM

Hi everyone,

I have NSX-T 3.2.3 running with just the distributed firewall in use. Currently, the DHCP server is not on the NSX segment. When it is, then servers stop receiving DHCP. 

The applied profiles to the segment are just the default ones, so they can't be edited to turn off server block.

There are no Tier-0 or Tier-1 gateways in place.

Is it going to be possible to get the DHCP server to work without any Tier-0 or Tier-1 gateways? 

Thank you.

Peter Neumann

So you have a security only deployment that has no T1/T0 routers, no Edge Nodes, literally no overlay segments and you consume DFW on your vDS port groups that are backed by VLANs. DHCP Server is a stateful thing and it does require Edge Nodes.

You might want to change the Segment Security policy so that it allows DHCP to work if you place a VM with DHCP Server enabled on a segment.

Broadcom Employee Sriram ChunchankatteMelukote

Hello,

From my knowledge, I think you can make DHCP work for you if it's connected as a profile attached to the segment concerned. In this scenario it would work without a T0 or T1, but we would need to confirm this through some testing.

Regards

Martin Kiefer

By default, DHCP on the same segment as the clients is blocked by the segment security profiles. So, as Peter states, you need to have a custom security profile added to your segment that allows DHCP traffic on the segment. The default profiles cannot be edited; you will need to create a custom profile.

If the DHCP server is outside your VLAN you will need to have a DHCP relay on the gateway, just like you would if this was outside of NSX.

Broadcom Employee Luca Camarda

NSX Segments have a default security profile that blocks any DHCP server traffic to clients, to prevent rogue DHCP servers from providing IP addresses to clients and performing MITM.

You have to create a new profile with DHCP server block disabled and apply it to the whole segment or even better to the individual port where your DHCP server is connected.
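The steps Martin and Luca describe (create a custom segment security profile with DHCP server block turned off, then bind it to the segment or, with a narrower blast radius, to the single port the DHCP server VM sits on) map directly onto three NSX Policy API calls. The script below is an added example, not code from the thread or from Broadcom; the profile id "allow-dhcp-server", the segment id "vlan100-seg", the port id "dhcp-srv-port" and the binding-map ids are placeholders, and the manager address and credentials are read from environment variables.

```python
"""Custom NSX-T segment security profile that lets a DHCP server VM answer on
its own segment, created and bound through the NSX Policy API.

Added example, not code from the thread. The ids "allow-dhcp-server",
"vlan100-seg", "dhcp-srv-port", "ssp-binding" and "psp-binding" are
placeholders; set NSX_MANAGER, NSX_USER and NSX_PASS to run it for real.
"""
import base64
import json
import os
import ssl
import urllib.request

POLICY = "/policy/api/v1"


def profile_path(profile_id):
    """Policy path of a segment security profile (used in binding maps)."""
    return f"/infra/segment-security-profiles/{profile_id}"


def profile_body(profile_id, display_name=None):
    """Body for PATCH {POLICY}/infra/segment-security-profiles/{id}.

    The built-in default profile cannot be edited and has the server block on,
    so a new profile is created. Only dhcp_server_block_enabled needs to be
    False; the remaining flags are set explicitly rather than left implicit.
    """
    return {
        "resource_type": "SegmentSecurityProfile",
        "id": profile_id,
        "display_name": display_name or profile_id,
        "dhcp_server_block_enabled": False,  # let DHCP OFFER/ACK leave the VM
        "dhcp_client_block_enabled": False,  # clients still send DISCOVER/REQUEST
        "dhcp_server_block_v6_enabled": False,
        "dhcp_client_block_v6_enabled": False,
        "bpdu_filter_enable": True,          # keep STP BPDUs filtered
        "non_ip_traffic_block_enabled": False,
        "ra_guard_enabled": False,
        "rate_limits_enabled": False,
    }


def segment_binding(segment_id, profile_id, map_id="ssp-binding"):
    """Path and body to apply the profile to every port on the segment."""
    return (
        f"{POLICY}/infra/segments/{segment_id}"
        f"/segment-security-profile-binding-maps/{map_id}",
        {"resource_type": "SegmentSecurityProfileBindingMap",
         "segment_security_profile_path": profile_path(profile_id)},
    )


def port_binding(segment_id, port_id, profile_id, map_id="psp-binding"):
    """Narrower scope: only the port the DHCP server VM is attached to, so a
    rogue server on any other port is still blocked by the segment default."""
    return (
        f"{POLICY}/infra/segments/{segment_id}/ports/{port_id}"
        f"/port-security-profile-binding-maps/{map_id}",
        {"resource_type": "PortSecurityProfileBindingMap",
         "segment_security_profile_path": profile_path(profile_id)},
    )


def policy_request(method, path, body=None):
    """Minimal Policy API client: basic auth, JSON, TLS verified against
    NSX_CA_BUNDLE if set, otherwise the system trust store."""
    manager = os.environ["NSX_MANAGER"]
    creds = f"{os.environ['NSX_USER']}:{os.environ['NSX_PASS']}".encode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"https://{manager}{path}", data=data, method=method)
    req.add_header("Authorization", "Basic " + base64.b64encode(creds).decode())
    req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context(cafile=os.environ.get("NSX_CA_BUNDLE"))
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}  # PATCH returns an empty body


def allow_dhcp_server(segment_id, port_id=None, profile_id="allow-dhcp-server"):
    """Create or update the profile, bind it (to one port if given, otherwise
    to the whole segment) and read it back to confirm the server block is off."""
    policy_request("PATCH", f"{POLICY}{profile_path(profile_id)}", profile_body(profile_id))
    if port_id:
        path, body = port_binding(segment_id, port_id, profile_id)
    else:
        path, body = segment_binding(segment_id, profile_id)
    policy_request("PATCH", path, body)
    prof = policy_request("GET", f"{POLICY}{profile_path(profile_id)}")
    return prof.get("dhcp_server_block_enabled") is False


if __name__ == "__main__":
    ok = allow_dhcp_server("vlan100-seg", port_id="dhcp-srv-port")
    print("DHCP server block disabled on the bound profile:", ok)
```

Binding at the port rather than the segment keeps the default rogue-DHCP protection in force for every other VM on the VLAN, which is the point of Luca's "even better" remark; if the DHCP server VM is later moved to a different port, the binding map has to follow it.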

jmv5010

Thank you for the replies, everyone.

I'll review and try to get this working.