VMware NSX

  • 1.  DHCP with NSX-T

    Posted Mar 23, 2020 02:32 AM

    When NSX-T is managing an environment does DHCP relay on a VLAN not work?

    For example I have a segment backed by a VLAN and in that VLAN I have a DHCP server.

    After deploying NSX-T and creating the VLAN backed segments and moving the VMs from vDS to N-DVS I am no longer able to obtain a DHCP lease from the Windows Server on the same segment.

    Looking at how NSX-T DHCP Relay works you can't use it with a VLAN backed segment unless I am missing something.



  • 2.  RE: DHCP with NSX-T
    Best Answer

    Broadcom Employee
    Posted Mar 23, 2020 07:31 PM

    Every segment in NSX-T, regardless of whether it is Overlay or VLAN backed, has segment profiles attached to it. One of these is the security profile which, among other security features, has DHCP protections to prevent unknown/undesired DHCP servers on the network. This might be preventing the DHCP packets from the VMs from reaching the DHCP server. Have you taken a look at the segment profiles attached to this segment?



  • 3.  RE: DHCP with NSX-T

    Posted Mar 23, 2020 10:08 PM

    Never thought there would be a firewall rule on the switchport blocking DHCP but sure enough.

    For someone else finding this thread:

    Advanced Networking & Security > Networking > Switches > Switching Profiles

    Select nsx-default-switch-security-vif-profile > Actions > Clone Profile

    Uncheck Server Block under DHCP

    Then click on Ports and select your DHCP server(s) > Edit > Switching Profiles

    Change Switch Security to the new profile you just created

    That'll keep DHCP Server blocked for all other servers except the one(s) you want DHCP available from

    Thanks



  • 4.  RE: DHCP with NSX-T

    Broadcom Employee
    Posted Mar 24, 2020 12:36 PM

    It is not actually a firewall but common security features available on L2 switches. This control regarding DHCP is like DHCP snooping with trusted interfaces on any common switch.
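The per-port behaviour described in replies 3 and 4 above, as an added example that is not part of the original thread and is not NSX code: a simplified Python model of a Server Block filter, showing why the server's own port drops its OFFER under the default profile and why only that port is opened by the cloned profile. The port names, the classification rule (UDP source port 67 plus BOOTREPLY) and the sample packets are assumptions constructed for illustration.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"  # marks the start of the DHCP options field
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def dhcp_message_type(payload: bytes):
    """Return the DHCP option 53 value from a BOOTP/DHCP UDP payload, or None."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # End option
            return None
        if code == 0:            # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None          # truncated option
        length = payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            return payload[i + 2]
        i += 2 + length
    return None

def verdict(port: str, src_udp_port: int, payload: bytes, block_off_ports: set):
    """Model of Server Block on frames a VM sends into its switch port.

    Assumption: a frame counts as DHCP server traffic when it leaves UDP
    port 67 as a BOOTREPLY (op == 2) carrying a DHCP message type.
    """
    msg = dhcp_message_type(payload)
    from_server = src_udp_port == 67 and msg is not None and payload[0] == 2
    if from_server and port not in block_off_ports:
        return ("DROP", MSG_NAMES.get(msg, str(msg)))
    return ("ALLOW", MSG_NAMES.get(msg, str(msg)))

def make_dhcp(op: int, msg_type: int) -> bytes:
    """Constructed sample: empty BOOTP header, magic cookie, option 53, End."""
    return struct.pack("!BBBB", op, 1, 6, 0) + bytes(232) + DHCP_MAGIC + bytes([53, 1, msg_type, 255])

if __name__ == "__main__":
    offer, discover = make_dhcp(2, 2), make_dhcp(1, 1)
    for label, trusted in (("default profile everywhere", set()),
                           ("cloned profile on dhcp-srv-port", {"dhcp-srv-port"})):
        print(label)
        print("  server OFFER:", verdict("dhcp-srv-port", 67, offer, trusted))
        print("  client DISCOVER:", verdict("vm-port-1", 68, discover, trusted))
        print("  OFFER from vm-port-2:", verdict("vm-port-2", 67, offer, trusted))
```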



  • 5.  RE: DHCP with NSX-T

    Posted Apr 12, 2022 08:43 AM

    Hello

    In DHCP snooping I can add an interface that I trust to relay.

    But in this, can I add a server that is trusted?

    So in VLAN 2, can I add a server that is trusted to handle DHCP?



  • 6.  RE: DHCP with NSX-T

    Posted Sep 13, 2022 04:49 PM

    Thank you for posting this, but apparently they changed it in NSX 4.

    I found it in Networking, Segments, Profiles.

    I could not clone the default profile, so I created a new profile. Add Segment Profile, Segment Security, turned the Server Block off.

    Then went to the Distributed Port Groups tab, and on each Distributed Port Group, changed the segment security profile to the new one I created.

    I hope this helps, because it's panic time when you implement NSX and suddenly users are not getting DHCP addresses.



  • 7.  RE: DHCP with NSX-T

    Posted Sep 13, 2022 04:52 PM

    And I don't see where you can add the DHCP servers that you want to allow (in NSX 4)



  • 8.  RE: DHCP with NSX-T

    Posted Nov 09, 2022 10:13 AM

    I assume you'll need to add a relay to get DHCP to work, so:

    Networking >> DHCP & add a DHCP relay profile. Then add the profile to the segment.