I have deployed a new NSX-T environment with 2 edge nodes, both combined into an edge cluster. All transport and edge nodes are part of the same VLAN and Overlay transport zones.
There is no dynamic routing configured, so no T0 and T1 gateways; virtual machines are to be placed in standalone VLAN-backed segments for now.
I want to distribute IP addresses using a local DHCP server in some of the segments.
For that I have created a new DHCP profile without an IP address and a new NSX segment with the VLAN-TZ assigned. No gateway is configured on the segment. A VLAN ID is set. The DHCP configuration has the DHCP profile assigned, with the DHCP server IP address from a subnet that is assigned to the VLAN. I have also created a small DHCP range as an address pool for my VMs.
After assigning the NSX segment to a VM vNIC, there is no effect, that is, no address is assigned to the virtual machine. The network configuration is set to DHCP in the guest system. In the segment statistics I can see some broadcast traffic, like here:
The VMs do not receive a DHCP offer.
The DFW configuration has not been touched so far and I also see traffic in the default DHCP rule:
I am currently at a loss as to how this is happening. Any ideas are appreciated!
Make sure the following is configured:
- Custom segment security profile with Server Block "Disabled" and attached to the segment.
- Accept forged transmits on the edge (where DHCP is enabled) VLAN uplink port group.
On top of that, make sure that the Edge Node can actually be 'plumbed' to those VLANs. If the Edge connects via a trunk PG, make sure the trunk allows the VLAN IDs of the VLAN segments. Also make sure that the VLAN VDS PG and the VLAN segment can communicate at L2. It's not because the VLAN ID is the same that they can.
What if the VLAN uplink port group was created with NSX..?
I have created a custom segment security profile with Server Block "Disabled" as you mentioned, and applied this profile both to the VLAN-backed segment with the Local DHCP Server, and to the VLAN uplink port group. However, DHCP is still not working on the VLAN-backed segment.
On Layer 2 everything seems to be okay, because I see the DHCP Requests of a VM attached to the VLAN-backed segment coming in on a Service Interface of a T1 running on the Edge Node Cluster that is also assigned to the DHCP Profile.
Thanks for your help!
Like @sekar_neo said, you have to use forged transmits or disable Server Block, depending on which type of edge uplink (edge trunk) network you use: either a vSphere port group or an NSX VLAN segment. With those settings DHCP works with both setups.
I believe the issue to be related to MAC Learning being disabled in the MAC Discovery Profile used for the NSX-T VLAN Trunk Segment that serves as the uplink of the Edge Nodes.
On the Edge Node running the active DHCP server, I see the DHCP Request coming in, and also the DHCP Offer being sent out. It is probably being dropped by the vSwitch, as it is using a different MAC address than the Edge Node's interface MAC:
edge> start capture interface fp-eth0 expression udp port 67 or udp port 68
17:38:49.788687 00:50:56:02:22:c0 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan N, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:50:56:02:22:c0, length 300
<base64>. . .</base64>
17:38:49.789998 00:50:56:98:7d:d7 > 00:50:56:02:22:c0, ethertype 802.1Q (0x8100), length 346: vlan N, p 0, ethertype IPv4, 10.X.Y.142.67 > 10X.Y.132.68: BOOTP/DHCP, Reply, length 300
<base64>. . .</base64>
Also see the 'get dhcp servers' command, that shows the MAC address of the DHCP server:
edge> get dhcp servers
. . .
PS: So the Server Block feature does NOT seem to impact the Local DHCP Server functionality. This feature is there to block 'regular' VMs from providing DHCP services.
Update: to get it working, I had to enable MAC Learning and disable DHCP Server Block on the uplink trunk segment of the edge nodes.
PS: Also see the remarks at the bottom of this page: https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/installation/GUID-370D06E1-1BB6-4144-A654-7A...
Thank you for posting this! Can confirm that with a VM-based Edge connected to a vDS 7 port group, I only had to enable MAC Learning and Forged Transmits on the vDS port group to get a working NSX-T local DHCP server on a VLAN-backed segment.
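The diagnosis in the thread above (an offer leaving the edge with a source MAC that is not the edge vNIC's MAC, and therefore dropped unless forged transmits or MAC learning permits it, plus Server Block on the segment) can be checked mechanically from the edge capture. The script below is an added example, not code from the thread or from VMware: it parses tcpdump-style lines in the format shown in the `start capture` output and evaluates each DHCP reply against a simplified model of the port-security settings discussed (forged transmits, MAC learning, DHCP Server Block). The capture lines, the VLAN ID and the edge vNIC MAC are constructed sample values.

```python
"""Added example (not from the thread): parse edge-node capture lines for a
DHCP exchange and explain, with a simplified model of vSwitch / NSX segment
port security, why the DHCP reply is forwarded or dropped."""
import re
from dataclasses import dataclass

# Constructed sample capture in the same format as the edge 'start capture'
# output: a DHCP request from a VM vNIC and the reply from the edge's local
# DHCP server. The reply's source MAC is NOT the edge VM's vNIC MAC.
CAPTURE = """\
17:38:49.788687 00:50:56:02:22:c0 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 100, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:50:56:02:22:c0, length 300
<base64>. . .</base64>
17:38:49.789998 00:50:56:98:7d:d7 > 00:50:56:02:22:c0, ethertype 802.1Q (0x8100), length 346: vlan 100, p 0, ethertype IPv4, 10.0.100.142.67 > 10.0.100.132.68: BOOTP/DHCP, Reply, length 300
<base64>. . .</base64>
"""

# Constructed: the MAC the vSwitch knows for the edge VM's fp-eth0 port.
EDGE_VNIC_MAC = "00:50:56:aa:bb:01"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}),"
    r".*?vlan (?P<vlan>\d+),.*?"
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"BOOTP/DHCP, (?P<kind>Request|Reply)"
)


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    vlan: int
    sport: int
    dport: int
    kind: str  # "Request" or "Reply"


def parse_capture(text: str) -> list:
    """Extract DHCP frames; payload dump lines (<base64>...) are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            frames.append(Frame(m["src_mac"], m["dst_mac"], int(m["vlan"]),
                                int(m["sport"]), int(m["dport"]), m["kind"]))
    return frames


@dataclass(frozen=True)
class PortPolicy:
    forged_transmits: bool   # vSphere port group security setting
    mac_learning: bool       # vDS MAC learning / NSX MAC Discovery profile
    dhcp_server_block: bool  # NSX segment security profile "Server Block"


def egress_verdict(frame: Frame, vnic_mac: str, policy: PortPolicy):
    """Simplified model (assumption, not VMware's exact data path) of whether a
    frame sent by the edge VM leaves its port. Returns (forwarded, reason)."""
    # Server Block drops server->client DHCP (UDP 67 -> 68) sourced from the port.
    if policy.dhcp_server_block and frame.sport == 67 and frame.dport == 68:
        return False, "dropped: DHCP Server Block on the segment security profile"
    # A source MAC other than the vNIC's own is dropped unless forged transmits
    # is accepted or MAC learning lets the switch learn the extra MAC.
    if frame.src_mac.lower() != vnic_mac.lower() and not (
            policy.forged_transmits or policy.mac_learning):
        return False, (f"dropped: source MAC {frame.src_mac} != vNIC MAC "
                       f"{vnic_mac} (forged transmit)")
    return True, "forwarded"


def diagnose(capture_text: str, vnic_mac: str, policy: PortPolicy) -> list:
    """Verdict for every DHCP reply in the capture: (src_mac, forwarded, reason)."""
    return [(f.src_mac, *egress_verdict(f, vnic_mac, policy))
            for f in parse_capture(capture_text) if f.kind == "Reply"]


if __name__ == "__main__":
    defaults = PortPolicy(forged_transmits=False, mac_learning=False, dhcp_server_block=True)
    fixed = PortPolicy(forged_transmits=True, mac_learning=True, dhcp_server_block=False)
    for name, pol in (("default port security", defaults), ("after fix", fixed)):
        for src, ok, why in diagnose(CAPTURE, EDGE_VNIC_MAC, pol):
            print(f"{name}: reply from {src}: {why}")
```

Run against a real capture, the interesting signal is the same one the thread points at: the reply's source MAC differs from the vNIC MAC the vSwitch expects, so the port-security settings, not the DHCP server itself, decide whether the offer ever reaches the client.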