Jesse, You can experiment with firewall rules/SG, but in general you should not have more than 1 DHCP server in a single network. I assume your VMs would be assigned one part of the net/subnet, while your external DHCP server should be serving your non-ACS infra - i.e. if your acs network for VMs is 192.168.1.1-128, while 192.168.1.129-254(non-ACS infra) should be served by your external DHCP, then I would think of blocking dhcp ports (dhcp discover) from whole 192.168.1.1-128 network on your external DHCP server - i.e. this way your external DHCP SERVER would be "deaf" to all dhcp discover messages sent from ACS VMs to itself and thus would not issue leases to ACS VMs. Hope that makes sense. Best Andrija On Tue, Jul 9, 2019, 21:16 wrote: > My vm was assigned an ip from our endpoint DHCP server, not from VR. Do I > need to add firewall rule(s) to force DHCP request to VR? I probably missed > a part of setup w/KVM hosts and or within management when I defined the > zone/pod/... > > This seems to be correct, VR is running on a different host then the vm. > > Chain i-2-11-VM-eg (1 references) > pkts bytes target prot opt in out source > destination > 0 0 RETURN all -- * * 0.0.0.0/0 > 0.0.0.0/0 > > Chain i-2-11-def (2 references) > pkts bytes target prot opt in out source > destination > 0 0 ACCEPT all -- * * 0.0.0.0/0 > 0.0.0.0/0 state RELATED,ESTABLISHED > 0 0 ACCEPT udp -- * * 0.0.0.0/0 > 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 --physdev-is-bridged > udp spt:68 dpt:67 > 0 0 ACCEPT udp -- * * 0.0.0.0/0 > 0.0.0.0/0 PHYSDEV match --physdev-out vnet0 > --physdev-is-bridged > udp spt:67 dpt:68 > 0 0 DROP all -- * * 0.0.0.0/0 > 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 --physdev-is-bridged > ! match-set i-2-11-VM src > 0 0 RETURN udp -- * * 0.0.0.0/0 > 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 --physdev-is-bridged > match-set i-2-11-VM src udp dpt:53 > 0 0 RETURN tcp -- * * 0.0.0.0/0 > 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 --physdev-is-bridged > match-set i-2-11-VM src tcp dpt:53 > 0 0 i-2-11-VM-eg all -- * * 0.0.0.0/0 > 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 --physdev-is-bridged > match-set i-2-11-VM src > 15 1963 i-2-11-VM all -- * * 0.0.0.0/0 > 0.0.0.0/0 PHYSDEV match --physdev-out vnet0 > --physdev-is-bridged > > > > Thanks for quick response Andrija! > > - Jesse > > > > > On Tue, Jul 9, 2019 at 10:39 AM Andrija Panic > wrote: > > > ACS will only offer DHCP leases to its VMs, via DHCP reservation.. If you > > have another DHCP server in your area, than it might be quicker to offer > a > > lease to a VM. You have to either remove your non-ACS DHCP server > > completely, OR make sure it uses reservation for non-ACS servers/hosts > i.e. > > NOT let it issue leases freely to anyone who asks for it. Pure DHCP > > "problem" - i.e. nothing to do with ACS specifically. > > > > Best, > > Andrija > > > > On Tue, Jul 9, 2019, 20:27 wrote: > > > > > Have a DHCP issue where vm pulls from ACS proxy properly sometimes and > > > other when it pulls from our normal dhcp server for end-points. > > > > > > Network layout is flat, and I ACS is using basic network with security > > > groups. IP range for acs is within range of our normal network so vms > > and > > > endpoints will flow without additional hardware. How do I ensure dhcp > > > requests are served by router vm and not our normal dhcp server? > > > > > > TIA, > > > Jesse > > > > > >