DHCP1

I will start with the basic fundamentals of how DHCP requests work.

A Client initiates the DHCP process by sending out a “DHCP Discover” Broadcast packet to the network to find a DHCP Server. A DHCP Server responds back with a “DHCP Offer” Broadcast packet, the Offer packet containing a usable IP Address, the Lease Time, DNS Server info, and many other options that can be set on the DHCP Server.

The Client accepts the first Offer packet it receives and responds with another Broadcast, the “DHCP Request” packet, to indicate it accepted the DHCP Offer. The Request includes the IP Address of the DHCP Server that sent the Offer, to tell that Server it is the one being accepted. Finally, the DHCP Server responds back with a “DHCP Ack” packet to acknowledge that the IP Address is now being leased to the Client.

If a Server receives a DHCP Request message that does not include its own IP Address, this indicates that its Offer was not accepted, and it places the offered IP Address back into the DHCP IP Pool to Offer to other DHCP Clients.

So step by step of packet flow between Client and DHCP Server:

  1. Client sends a DHCP Discover packet
  2. DHCP Server responds with an Offer
  3. Client accepts the first Offer it receives
  4. Client sends a DHCP Request packet containing the IP of the Server it accepted the Offer from
  5. DHCP Server either sends a DHCP Ack or places the offered IP Address back into its pool

Configuring SW1 (Cisco MLS Switch) as a DHCP Server

When configuring an MLS as a DHCP Server, the MLS must be assigned an IP Address from the subnet that it is handing out addresses for, so I’ve configured Host A and Host B in VLAN 10, whose SVI is 10.0.10.1 /24, and let’s get right into the configuration!

Choosing IP range(s) to exclude from the IP Address Pool:

SW1(config)#ip dhcp ?
aaa Configure aaa attributes
binding DHCP address bindings
bootp BOOTP specific configuration
class Configure DHCP classes
conflict DHCP address conflict parameters
database Configure DHCP database agents
excluded-address Prevent DHCP from assigning certain addresses
limit Limit DHCP Lease
limited-broadcast-address Use all 1’s broadcast address
ping Specify ping parameters used by DHCP
pool Configure DHCP address pools
relay DHCP relay agent parameters
remember Remember released bindings
route Specify the type of routes for clients on unnumbered interfaces
smart-relay Enable Smart Relay feature
snooping DHCP Snooping
subscriber-id Global subscriber-id configuration
use Configure use of certain parameters during allocation

SW1(config)#ip dhcp excluded-address ?
A.B.C.D Low IP address
vrf VRF name for excluded address range

SW1(config)#ip dhcp excluded-address 10.0.10.0 ?
A.B.C.D High IP address
<cr>

SW1(config)#ip dhcp excluded-address 10.0.10.0 10.0.10.100 ?
<cr>

SW1(config)#ip dhcp excluded-address 10.0.10.0 10.0.10.100
SW1(config)#ip dhcp excluded-address 10.0.10.200 10.0.10.255
SW1(config)#

I only want Clients to be able to get 10.0.10.101 – 10.0.10.199 from this DHCP Server, as the lower and higher end numbers tend to be configured for static devices like routers / printers / servers / etc.

Reviewing configuration options for the DHCP Pool:

SW1(config)#ip dhcp pool ?
WORD Pool name

SW1(config)#ip dhcp pool DHCP_POOL
SW1(dhcp-config)#?
DHCP pool configuration commands:
accounting Send Accounting Start/Stop messages
address Configure a reserved address
bootfile Boot file name
class Specify a DHCP class
client-identifier Client identifier
client-name Client name
default-router Default routers
dns-server DNS servers
domain-name Domain name
exit Exit from DHCP pool configuration mode
hardware-address Client hardware address
host Client IP address and mask
import Programatically importing DHCP option parameters
lease Address lease time
netbios-name-server NetBIOS (WINS) name servers
netbios-node-type NetBIOS node type
network Network number and mask
next-server Next server in boot process
no Negate a command or set its defaults
option Raw DHCP options
origin Configure the origin of the pool
relay Function as a DHCP relay
remember Remember released bindings
renew Configure renewal policy
reserved-only Only allocate reserved addresses
server Configure the server ID option value
subnet Subnet allocation commands
update Dynamic updates
utilization Configure various utilization parameters
vrf Associate this pool with a VRF

SW1(dhcp-config)#

Excuse the giant list of DHCP options; I’ve highlighted the normally configured ones like domain-name / dns-server / option (for phones) / network, and that last one is what will be used to configure the network of the DHCP Pool.

Configuring the DHCP Pool:

SW1(dhcp-config)#network ?
A.B.C.D Network number in dotted-decimal notation

SW1(dhcp-config)#network 10.0.10.0 ?
/nn or A.B.C.D Network mask or prefix length
<cr>

SW1(dhcp-config)#network 10.0.10.0 /24 ?
secondary Configure as secondary subnet
<cr>

SW1(dhcp-config)#network 10.0.10.0 /24
SW1(dhcp-config)#domain-name ?

WORD Domain name

SW1(dhcp-config)#domain-name loopedback.com ?
<cr>

SW1(dhcp-config)#domain-name loopedback.com
SW1(dhcp-config)#dns-server ?
Hostname or A.B.C.D Server’s name or IP address

SW1(dhcp-config)#dns-server 10.0.10.5 ?
Hostname or A.B.C.D Server’s name or IP address
<cr>

SW1(dhcp-config)#dns-server 10.0.10.5
SW1(dhcp-config)#default-router 10.0.10.1 ?
Hostname or A.B.C.D Router’s name or IP address
<cr>

SW1(dhcp-config)#default-router 10.0.10.1
SW1(dhcp-config)#lease ?
<0-365> Days
infinite Infinite lease

SW1(dhcp-config)#lease 7 ?
<0-23> Hours
<cr>

SW1(dhcp-config)#lease 7
SW1(dhcp-config)#

To quickly review what we configured there:

  • Network number for Pool with CIDR notation mask (groovy)
  • Domain Name
  • DNS Server (option for a second available)
  • Default-Router IP Address (SVI IP Address for VLAN)
  • Lease, which goes in Days, Hours and Minutes, but I just chose 7 days

A Cisco Router / MLS does an IP Conflict check before assigning an IP Address to a requesting Client, by sending two pings to that IP address, which time out after 500 milliseconds by default.

If the pings time out there is no conflict and the IP is assigned to the DHCP Client; however, if a ping gets a response, the address is in use and cannot be assigned.

To adjust these IP Conflict pings (Back in Global Config):

SW1(config)#ip dhcp ping ?
packets Specify number of ping packets
timeout Specify ping timeout

SW1(config)#ip dhcp ping packets ?
<0-10> Number of ping packets (0 disables ping)
<cr>

SW1(config)#ip dhcp ping timeout ?
<100-10000> Ping timeout in milliseconds

SW1(config)#ip dhcp ping timeout 100 ?
<cr>

SW1(config)#

There is no good reason to ever touch these unless tasked to on exam day; I just wanted to mention this IP Conflict check behavior, along with where to adjust its attributes.
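To tie the five-step exchange, the excluded-address ranges and the conflict ping together, here is an added Python model (mine, not from the original post) of a server working the 10.0.10.0/24 pool configured on SW1: it drops addresses that answer the conflict check, Acks only Requests that name its own server ID, and returns an unaccepted Offer to the pool. The host already answering ping at 10.0.10.101 is a constructed scenario; a second server can be instantiated the same way to watch the Offer-reclaim step.

```python
"""Model of the Discover / Offer / Request / Ack exchange described above.

Added example, not from the original post.  The pool, excluded ranges and
server ID are SW1's from this post; the host already answering ping at
10.0.10.101 is a constructed scenario.
"""
import ipaddress


class DhcpServer:
    """One DHCP server with a pool, excluded addresses and a conflict check."""

    def __init__(self, server_id, network, excluded_ranges, conflict_probe):
        self.server_id = server_id
        excluded = set()
        for lo, hi in excluded_ranges:
            first, last = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
            excluded.update(range(int(first), int(last) + 1))
        # IOS counts the usable host range (.1 to .254) as 'Total addresses'.
        self.total = list(ipaddress.ip_network(network).hosts())
        self.free = [h for h in self.total if int(h) not in excluded]
        self.excluded_count = len(self.total) - len(self.free)
        self.offered = {}   # client_id -> address offered, not yet acked
        self.leased = {}    # client_id -> address leased
        self.conflict_probe = conflict_probe   # stands in for the two pings

    def handle_discover(self, client_id):
        """Step 2: answer a Discover with an Offer, skipping conflicts."""
        while self.free:
            cand = self.free.pop(0)
            if self.conflict_probe(cand):    # ping answered: address in use,
                continue                     # so it stays out of the pool
            self.offered[client_id] = cand
            return {"type": "OFFER", "server_id": self.server_id, "yiaddr": cand}
        return None                          # pool exhausted

    def handle_request(self, client_id, request):
        """Step 5: Ack if the Request names this server, else reclaim the offer."""
        cand = self.offered.pop(client_id, None)
        if cand is None:
            return None
        if request["server_id"] == self.server_id and request["yiaddr"] == cand:
            self.leased[client_id] = cand
            return {"type": "ACK", "yiaddr": cand}
        self.free.insert(0, cand)            # not accepted: back into the pool
        return None


def run_exchange(client_id, servers):
    """Steps 1 to 5 from the client's side; returns the acked address or None."""
    offers = [o for s in servers if (o := s.handle_discover(client_id))]
    if not offers:
        return None
    chosen = offers[0]                       # step 3: the first Offer wins
    request = {"type": "REQUEST", "server_id": chosen["server_id"],
               "yiaddr": chosen["yiaddr"]}   # step 4: broadcast, every server sees it
    acks = [a for s in servers if (a := s.handle_request(client_id, request))]
    return acks[0]["yiaddr"] if acks else None


EXCLUDED = [("10.0.10.0", "10.0.10.100"), ("10.0.10.200", "10.0.10.255")]
ALIVE = {ipaddress.ip_address("10.0.10.101")}   # constructed: answers the ping
SW1 = DhcpServer("10.0.10.1", "10.0.10.0/24", EXCLUDED, lambda ip: ip in ALIVE)
```

The excluded count the model computes (155) is the same number “sh ip dhcp pool” reports further down, since the pool only counts .1 through .254.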

Verification command for DHCP Pool Config:

SW1(config)#do sh ip dhcp pool

Pool DHCP_POOL :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 0
Excluded addresses : 155
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased/Excluded/Total
10.0.10.1 10.0.10.1 – 10.0.10.254 0 / 155 / 254
SW1(config)#

In this output we can see the DHCP Pool name at the top along with the DHCP Pool utilization marks, and we get a lot of repeated values like leased addresses / excluded / etc.

SW1(config)#do sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
SW1(config)#

No bindings yet, dynamic or static.

Now that DHCP is configured on SW1, it’s time to turn on DHCP for Host A and B.

My hosts are (as you probably know) Cisco Routers, and the command to configure an interface for DHCP is simply “ip add dhcp” on the interface connected to the switch.

Now I have two hosts that should be pulling addresses:

SW1#sh ip dhcp pool

Pool DHCP_POOL :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 2
Excluded addresses : 155
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased/Excluded/Total
10.0.10.103 10.0.10.1 – 10.0.10.254 2 / 155 / 254
SW1#

Looks like we have a couple bites on the Lease # in this output.

SW1#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
10.0.10.101 0063.6973.636f.2d30. Mar 08 1993 01:21 AM Automatic
3031.652e.6637.3937.
2e66.3134.622d.4661.
302f.31
10.0.10.102 0063.6973.636f.2d30. Mar 08 1993 01:21 AM Automatic
3031.622e.3533.3336.
2e66.3263.642d.4661.
302f.31
SW1#

This shows we also now have two new bindings; “Automatic” means dynamically assigned, along with the IP Addresses they got from the DHCP Server and the Lease time. However, I am not sure what all that mess is about Client-ID / Hardware-Address / User name.

I can tell by looking at the strings that they contain characters identical to one another, and I can see which hosts have the IP Addresses simply by using “sh cdp nei detail” to see that the routers have those two IP addresses, but I may come back to that long string of text.

Next we will configure an IP Helper Address for the DHCP Server.

This is needed because Routers do not forward Broadcasts; the ip helper-address command turns that Broadcast into a Unicast packet and forwards it on to the DHCP Server, which can then respond back to the request.

I have another blog post here that goes into detail about “ip helper-address” and “ip forward-protocol” for other traffic that needs help being forwarded, check it out.

There are no routers in the way of my Hosts getting their DHCP addresses, so I’ll configure this on an unused interface to demonstrate; this should always be configured on the ingress (receiving) interface of the potential Broadcasts.

Demonstrating the IP Helper-Address command on Host A / R1:

HostA#conf t
Enter configuration commands, one per line. End with CNTL/Z.
HostA(config)#int fa0/0
HostA(config-if)#ip helper-address ?
A.B.C.D IP destination address
global Helper-address is global
vrf VRF name for helper-address (if different from interface VRF)

HostA(config-if)#ip helper-address 10.0.10.1 ?
redundancy defines VRG group name
<cr>

HostA(config-if)#ip helper-address 10.0.10.1

You can use “ip helper-address” more than once on an interface if you have traffic destined for several different destination IPs, so it can be entered several times if needed.

This configuration will help forward the Broadcast traffic of the following protocols, by converting it to Unicast traffic and forwarding it on to its destination:

  • TIME (TimeServer) = 37  *** Note this is not NTP and has nothing to do with NTP ***
  • TACACS = 49
  • DNS = 53
  • BOOTP (DHCP SERVER) = 67
  • BOOTP (DHCP CLIENT) = 68
  • TFTP (Trivial File Transfer Protocol) = 69
  • NETBIOS Name Service = 137
  • NETBIOS Datagram Service = 138

So “ip helper-address” is not just for DHCP requests: it also carries a Cisco Phone requesting its “load” (config) from the TFTP server, a DNS request crossing a router, or authentication trying to make it to a TACACS Server.

Configuring a Static DHCP Binding, utilizing both the Router (Host A) and the MLS

As seen in the “sh ip dhcp binding” table, the Client-ID (or whichever of the other addresses that long string of hex stands for) does not help to ID the device obtaining that IP, so to fix this we need to go over to the Router and issue an extension of the “ip add dhcp …” command.

First, over on Host A / R1’s connected interface Fa0/1:

HostA(config-if)#int fa0/1
HostA(config-if)#ip add dhcp ?
client-id Specify client-id to use
hostname Specify value for hostname option
<cr>

HostA(config-if)#ip add dhcp client-id ?
FastEthernet FastEthernet IEEE 802.3

HostA(config-if)#ip add dhcp client-id fa0/1 ?
hostname Specify value for hostname option
<cr>

HostA(config-if)#ip add dhcp client-id fa0/1
HostA(config-if)#
*Aug 5 07:43:35.995: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/1 assigned DHCP address 10.0.10.103, mask 255.255.255.0, hostname HostA
HostA(config-if)#
HostA(config-if)#

Now to verify what changed on the MLS Binding table:

SW1#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
10.0.10.102 0063.6973.636f.2d30. Mar 08 1993 01:21 AM Automatic
3031.622e.3533.3336.
2e66.3263.642d.4661.
302f.31
10.0.10.103 0100.1ef7.97f1.4b Mar 08 1993 03:09 AM Automatic

Much better, so now we have a shorter value of 0100.1ef7.97f1.4b, which we will now use to create our static DHCP Bindings!
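Here is an added Python example (mine, not from the original post) that decodes the two Client-ID forms printed in the binding tables above: the long dotted-hex string from the first table and the short 0100.1ef7.97f1.4b form. The first byte is the DHCP option 61 type: 0x01 means an Ethernet MAC follows, and 0x00 means a free-form identifier, which on IOS clients is the ASCII string cisco-<mac>-<interface> by default, so a defender can confirm both forms name the same device.

```python
"""Decode the Client-ID column of 'sh ip dhcp binding'.

Added example, not from the original post.  The identifier strings are
copied from the binding tables shown above.
"""
import re

# From the first binding table (ASCII form) and the later one (MAC form).
ASCII_FORM_ID = ("0063.6973.636f.2d30.3031.652e.6637.3937."
                 "2e66.3134.622d.4661.302f.31")
HW_FORM_ID = "0100.1ef7.97f1.4b"
CISCO_ID = re.compile(r"cisco-([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})-(.+)")


def dotted_hex_to_bytes(dotted: str) -> bytes:
    """Strip the dots IOS inserts every two bytes and return the raw bytes."""
    hexstr = dotted.replace(".", "").strip()
    if len(hexstr) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", hexstr):
        raise ValueError(f"not a dotted-hex client-id: {dotted!r}")
    return bytes.fromhex(hexstr)


def mac_dotted(mac: bytes) -> str:
    """Format six MAC bytes in Cisco's aabb.ccdd.eeff style."""
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def decode_client_id(dotted: str) -> dict:
    """Interpret the leading type byte of a DHCP option 61 client identifier.

    0x01 = Ethernet hardware address (what 'ip add dhcp client-id fa0/1'
    makes the Router send).  0x00 = not a hardware address; IOS clients put
    the ASCII string cisco-<mac>-<interface> there by default.
    """
    raw = dotted_hex_to_bytes(dotted)
    if not raw:
        raise ValueError("empty client-id")
    kind, body = raw[0], raw[1:]
    if kind == 0x01 and len(body) == 6:
        return {"type": "ethernet", "mac": mac_dotted(body)}
    if kind == 0x00:
        text = body.decode("ascii", errors="replace")
        m = CISCO_ID.fullmatch(text)
        return {"type": "ascii", "text": text,
                "mac": m.group(1) if m else None,
                "interface": m.group(2) if m else None}
    return {"type": f"unknown-0x{kind:02x}", "hex": body.hex()}


def same_device(id_a: str, id_b: str) -> bool:
    """True when both identifiers embed the same MAC, whatever their form."""
    mac_a = decode_client_id(id_a).get("mac")
    mac_b = decode_client_id(id_b).get("mac")
    return mac_a is not None and mac_a == mac_b
```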

Configuring Static DHCP Bindings, which requires a new DHCP Pool config

When I try to enter the commands for a static binding in the only DHCP Pool configured on this MLS, I get the following errors:

SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#ip dhcp pool DHCP_POOL
SW1(dhcp-config)#host 10.0.10.103
% This command may not be used with network, origin, vrf or relay pools.
SW1(dhcp-config)#client-identifier ?
WORD Dotted-hexadecimal string (aabb.ccdd.eeff …)

SW1(dhcp-config)#client-identifier 0100.1ef7.97f1.4b
% This command may not be used with network, origin, vrf or relay pools.
SW1(dhcp-config)#

I’m not sure what that error is referring to exactly, but I know what it means: we need a whole new DHCP Pool to configure our Static Bindings within.

SW1(config)#ip dhcp pool Static_Bindings
SW1(dhcp-config)#host 10.0.10.103
% A binding already exists for 10.0.10.103.

Being that there is a Dynamic entry for this DHCP Binding, this error makes sense, so to clear out the Binding I just shut the interface down on the Router and re-issued the commands needed in the new DHCP Pool Static_Bindings:

SW1(dhcp-config)#client-identifier 0100.1ef7.97f1.4b
SW1(dhcp-config)#host 10.0.10.103

Everything looks good, so let’s verify we are good to go:

SW1(dhcp-config)#do sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
10.0.10.102 0063.6973.636f.2d30. Mar 08 1993 01:21 AM Automatic
3031.622e.3533.3336.
2e66.3263.642d.4661.
302f.31
10.0.10.103 0100.1ef7.97f1.4b Infinite Manual
SW1(dhcp-config)#

So Manual = Static Binding, and when a Binding is Manual its Lease time is Infinite. I want to look at “sh ip dhcp pool” as well, to be familiar with that output for a static binding:

SW1(dhcp-config)#do sh ip dhcp pool

Pool DHCP_POOL :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 1
Excluded addresses : 156
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased/Excluded/Total
10.0.10.104 10.0.10.1 – 10.0.10.254 1 / 156 / 254

Pool Static_Bindings :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 1
Leased addresses : 1
Excluded addresses : 1
Pending event : none
0 subnet is currently in the pool :
Current index IP address range Leased/Excluded/Total
10.0.10.103 10.0.10.103 – 10.0.10.103 1 / 1 / 1
SW1(dhcp-config)#

I really want to focus on just that lower DHCP Pool’s output, because if you see a pool’s output with a single IP in the range and 1 / 1 / 1 for leased / excluded / total, you are looking at a Static DHCP Binding, my friend!

DHCPv6 / “Autoconfiguration” to wrap up the DHCP Basics for SWITCH!

Autoconfiguration is DHCPv6, which has two different types, stateless and stateful.

  • Stateful Autoconfiguration = the IPv6 Host obtains its IPv6 Address and all related info (DNS Server, TFTP info, etc) from a DHCP Server, exactly like DHCP, just for v6!
  • Stateless Autoconfiguration = the IPv6 Host does not obtain an IP Address from a DHCP Server, but rather configures its own Link-Local Address and then confirms with the network that the IPv6 Address is not being used by any other Hosts

Stateful relies on a DHCP Server, and if the Server goes down, Hosts are unable to get an IP Address from the network; Stateless Autoconfiguration protects you from this issue.

Stateless Autoconfiguration creates a 128-bit IPv6 Address broken into two halves:

The first half is a 64-bit auto-generated portion beginning with FE80, or 1111 1110 10, followed by 54 zeros, so you will want to know your zero compression.

The second half of the Address is the “interface identifier” portion, which is built in the following format: first half of the interface MAC, then FFFE, then the second half of the interface MAC.

So this Stateless Autoconfiguration IPv6 Address should always be unique because it utilizes the Interface MAC Address; however, there is still a system to check for duplicates, called DAD.

DAD / Duplicate Address Detection is an IPv6 feature that checks that the IPv6 Address the Host created is not already in use, by going through a sequence of messages sent out and replies back.

This is a lengthy process of verification / info gathering, shown here step by step:

  • Host A sends a Neighbor Solicitation (NS) message to the other Hosts on the link, asking if any of them are using its newly created Link-Local Address
  • If another Host IS using this IPv6 Address, it replies with a Neighbor Advertisement (NA) message to indicate the address is in use
  • If Host A receives this NA, it disables the Link-Local Address; if there is no response to the NS message, it considers its Link-Local Address safe to use
  • Host A then sends a Router Solicitation (RS) message to the “All Routers” IPv6 Multicast Address FF02::2 for additional info like DNS Server info, Gateway IP, etc
  • The Router responds with a Router Advertisement (RA) carrying this information (it also sends it periodically, about every 10 seconds), including whether DHCP is in use and the network Prefix information, so the Host can add this to its own Link-Local Address to join the network segment
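The address construction above, as an added Python example (mine, not from the original post) using the MAC 001e.f797.f14b from this post’s binding table. It goes one step beyond the text: the modified EUI-64 format also inverts the universal/local bit (0x02 in the first MAC byte) before inserting FFFE, which is why the result starts with 21e rather than 1e. Any RA prefix passed to global_from_ra, such as 2001:db8:10:10::/64, is a constructed value.

```python
"""Derive the stateless-autoconfiguration addresses described above.

Added example, not from the original post.  The MAC comes from this
post's binding table; the RA prefix used with global_from_ra (for example
2001:db8:10:10::/64) is a constructed value.
"""
import ipaddress
import re


def parse_mac(mac: str) -> bytes:
    """Accept 00:1e:f7:97:f1:4b, 00-1e-f7-97-f1-4b or Cisco's 001e.f797.f14b."""
    digits = re.sub(r"[.:-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes.fromhex(digits)


def modified_eui64(mac: str) -> bytes:
    """First half of the MAC, FFFE, second half of the MAC.

    Beyond what the text states: modified EUI-64 also inverts the
    universal/local bit (0x02) of the first byte, so 00 becomes 02.
    """
    m = bytearray(parse_mac(mac))
    m[0] ^= 0x02
    return bytes(m[:3]) + b"\xff\xfe" + bytes(m[3:])


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 (bits 1111 1110 10 then 54 zeros) plus the interface ID."""
    prefix = 0xFE80 << 112                   # top 16 bits of a 128-bit address
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(prefix | iid)   # str() does the zero compression


def prefix_bits(addr: ipaddress.IPv6Address) -> str:
    """The upper 64 bits as a bit string, to check the 10 + 54 bit layout."""
    return format(int(addr) >> 64, "064b")


def global_from_ra(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 Prefix learned from an RA with the same interface ID."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix from the RA")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)
```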

To wrap up, some demo from the lab, but not a full blown lab:

IPv6 DHCP config is almost identical to the directions above:

HostA(config)#ipv6 ?
access-list Configure access lists
cef Cisco Express Forwarding for IPv6
dhcp Configure IPv6 DHCP
general-prefix Configure a general IPv6 prefix
hop-limit Configure hop count limit
host Configure static hostnames
icmp Configure ICMP parameters
inspect Context-based Access Control Engine
local Specify local options
mobile Mobile IPv6
nat NAT-PT Configuration commands
nd Configure IPv6 ND
neighbor Neighbor
port-map Port to application mapping (PAM) configuration commands
prefix-list Build a prefix list
route Configure static routes
router Enable an IPV6 routing process
source-route Process packets with source routing header options
unicast-routing Enable unicast routing

HostA(config)#ipv6 dhcp ?
database Configure IPv6 DHCP database agents
ping Configure IPv6 DHCP pinging
pool Configure IPv6 DHCP pool
server Configure IPv6 DHCP server

HostA(config)#ipv6 dhcp pool ?
WORD DHCP pool name

HostA(config)#ipv6 dhcp pool CCIE

Notice that there is no exclusion option for IP Addresses in the IPv6 Pools, because IPv6 is so smug it thinks it will never run out of addresses (which is true until we find 5.6 billion Hosts that need addresses)!

So, something to be aware of.

Then it drops into config mode for the pool, where we’ll see some options missing:

HostA(config-dhcpv6)#?
IPv6 DHCP configuration commands:
address IPv6 address allocation
default Set a command to its defaults
dns-server DNS servers
domain-name Domain name to complete unqualified host names
exit Exit from DHCPv6 configuration mode
import Import options
information Information refresh option
link-address Link-address to match
nis NIS server options
nisp NISP server options
no Negate a command or set its defaults
prefix-delegation IPv6 prefix delegation
sip SIP server options
sntp SNTP server options
vendor-specific Configure Vendor-specific option

HostA(config-dhcpv6)#

So we don’t see a Default Router option, or an “option” option for TFTP options for Cisco Phones, etc.

Finally on the interface itself for IPv6 DHCP config:

HostA(config-if)#ipv6 dhcp ?
client Act as an IPv6 DHCP client
relay Act as an IPv6 DHCP relay agent
server Act as an IPv6 DHCP server

HostA(config-if)#ipv6 dhcp

Note that there is no client-identifier option, because with IPv6 DHCP (or DHCPv6) there is no option to manually bind addresses on the DHCPv6 Server.

That wraps it up for DHCP Basics, finally!

That seemed like a very long section to make it through; next up I will examine DHCP Snooping, to keep on track with SWITCH Security topics!