Cisco DHCP configuration

From Ever changing code
Jump to navigation Jump to search

This configuration will be applied to Cisco 1941 with EHWIC-3G-HSPA+7 card and Light Weigh Access Point.


A Cisco IOS feature set (called ”Easy IP)” offers an optional, full-featured DHCPv4 server, with 3 different address allocation mechanisms:

  • Manual Allocation - static binding of a pre-allocated IPv4 address to the client
  • Automatic Allocation - DHCPv4 automatically assigns a static IPv4 address permanently to a device, selecting it from a pool of available addresses. There is no lease and the address is permanently assigned to the device.
  • Dynamic Allocation - DHCPv4 dynamically assigns, or leases, an IPv4 address from a pool for a limited period of time.

DHCPv4 Lease Origination

Abbreviations used in the graphic below:

  • MAC - Media Access Control Address
  • CIADDR - Client IP Address
  • GIADDR - Gateway IP Address aka default gateway ip address - ip helper IP address. If zero/blank than the client is on the same segment
  • CHADDR - Client Hardware Address
##SERVER#                                           ##CLIENT##

             I'd like to request an address
            <-------------------------------------  [ DHCPDISCOVER ] IPv4 broadcast
                             CIAADDR:                        IP src:  dst:   UDP 67
                             GIAADDR:                        MAC src: MAC_eth0 dst: ff:ff:ff:ff:ff:ff
                             CHADDR: MAC_A

               I'm DHCPsrv and an address I can offer			
[ DHCPOFFER ]  -----------------------------------> 
  IP src dst UDP 68      CIADDR:
  MAC src: MAC_Serv dst: MAC_A                      GIADDR:
                                                    CHADDR: MAC_A

             I accept the IP address offer
            <-------------------------------------  [ DHCPREQUEST ] broadcast 

             Your acceptance is acknowledged												 
[ DHCPACK ] -------------------------------------->
  unicast    It sends ICMP to the IP offer address to verify 
             if it is not in use, then sends DHCPACK
DHCPv4 Lease renewal
##SERVER##                                     ##CLIENT##
            I'd like to renew my lease         
        <--------------------------------------[ DHCPREQUEST ] unicast
           when the lease expired               
           1st request is unicats to the server that made the offer, if times-out
           2nd request is broadcast to reach other DHCPv4 servers

	      Your request is acknowledged
[ DHCPACK ] ----------------------------------->
DHCPv4 message format
  • send from client using UDP source port 68 and dst 67
  • send form server using UDP src port 67 dst 68

DHCPv4 configuration

configure terminal
 service dhcp
 ip dhcp pool LAN-POOL-1
  network   !defines the range of available addresses
  default-router        !sets default gateway
  netbios-name-server   !defines the NetBIOS WINS server can be SAMBA server or Windows machine
  domain-name home.gateway
  lease 0 8                             !sets 8 hrs lease, the value represents: Days Hours Minutes or infinite
ip dhcp excluded-address
ip dhcp excluded-address
Cisco router interface configured to obtain an IP Address from DHCP server
configure terminal
r1-basic(config)#int gi 0/0
r1-basic(config-if)#ip address dhcp
r1-basic(config-if)#no shutdown

once ip is assigned you will see

*Sep  1 22:08:50.003: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0/0 assigned DHCP address, mask, hostname r1-basicchanged state to up
Clear DHCP binding will clear the current assignment then resetting a client interface will trigger to re negotiate IP address
R1#clear ip dhcp binding ?
 *        Clear all automatic bindings
 A.B.C.D  Clear a specific binding
 vrf      DHCP vrf bindings
Renew DHCP address on an access point
ap1#renew dhcp Gi0

DHCP relay agent

Cisco routers can relay broadcast DHCP messages received on an interface segment as unicast messages dircectly to DHPCP server.

r1(config)# interface g0/0
r1(config-if)# ip helper-address
r1(config-if)# do show ip interface g0/0 | include Helper

By default, the ip helper-address command forwards the following eight UDP services:

  • Port 37: Time
  • Port 49: TACACS
  • Port 53: DNS
  • Port 67: DHCP/BOOTP client
  • Port 68: DHCP/BOOTP server
  • Port 69: TFTP
  • Port 137: NetBIOS name service
  • Port 138: NetBIOS datagram service

Configure DHCPv4 on a switch

S1# show sdm prefer       !verify Switch Database Manager (SDM) current template
The current template is "default" template.
The selected template optimizes the resources in
the switch to support this level of features for
0 routed interfaces and 255 VLANs.
 number of unicast mac addresses: 8K
 number of IPv4 IGMP groups: 0.25K
 number of IPv4/MAC qos aces: 0.125k
 number of IPv4/MAC security aces: 0.375k

S1(config)# sdm prefer lanbase-routing    !sets lanbase-routing template
S1(config)# reload              !reboot is required to change the configuration template. From then DHPPv4 configuration is the same as on a router.
S1(config)# ip routing    !required if you want to have inter-vlan routing enabled

DHCP IP bindings

This is an example of manual IP binding, dhcp POOL need to be created per ip address binding.

ip dhcp pool AP1
 client-identifier 017c.69f6.e1d8.7d
 client-name ap1   ! client-name has not worked for me, it did not assign 'ap1' hostname to a client/AP

If you configure a Cisco router as a DHCP client, you'll notice that it uses weird client-id in its DHCP requests (assuming you care about client IDs on the DHCP server). Instead of using the interface MAC address as the client ID (as most workstations do), the client ID is the string 'cisco-dotted.mac.ascii-ifname' where the dotted.mac.ascii is the interface MAC address in ascii and the ifname is the short interface name.

+-----------+                       +-------------+
|Router     | Gi0/1/0<--------->Gi0 | Access point|
|DHCP server|                  /    +-------------+
+-----------+                 /
                       MAC address 
client-identifier 017c.69f6.e1d8.7d
debug dhcp detail

Note that if you have client-id cc05.12bc.0000 on your client ; on your server, you need to use client-id 01cc.0512.bc00.00. So there's a 01 prefix to add on the server where 01 represents the Ethernet media type.

By default, DHCP implementations typically employ the client's MAC address for this purpose, but the DHCP protocol allows other options as well. In any case, in order for DHCP to function, we must be certain that no other client is using the client ID we choose, and we must be sure the DHCP server will accept it. What is termed the Client ID for the purposes of the DHCP protocol is whatever is used by the protocol to identify the client computer.

A client identifier (DHCP option 61) can be a hexadecimal or an ASCII value. By default, the client identifier is an ASCII value. That is what happens if we just use ip address dhcp without any options. We can override the default by using ip address dhcp client-id <interface> command, and then it will use the hexadecimal MAC address of the named interface as the client identifier.

There is also DHCP option 12 that is used to send the hostname to the Server. By default option 12 also will be sent with the configured hostname as the value, but we can change it with ip address dhcp hostname host-name.

Binding configured can be preview
R1#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name           017c.69f6.e1d8.7d       Infinite                Manual           017c.69f6.e1d9.18       Infinite                Manual           017c.69f6.e1d9.78       Infinite                Manual

DHCP snooping

DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.

  • trusted ports can source all DHCP messages
  • untrusted ports can source requests only

Trusted ports host a DHCP server or can be an uplink toward the DHCP server. If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down. Untrusted ports are those not explicitly configured as trusted.

A DHCP binding table is built for untrusted ports. Each entry contains a client MAC address, IP address, lease time, binding type, VLAN number, and port ID recorded as clients make DHCP requests. The table is then used to filter subsequent DHCP traffic. From a DHCP snooping perspective, untrusted access ports should not send any DHCP server responses.

s1(config)# ip dhcp snooping                   !enable dhcp snooping
s1(config)# ip dhcp snooping vlan 5,10         !enable dhcp snooping for specific VLANs
s1(config)# interface gi0/0/0
s1(config-if)# ip dhcp snooping trust          !path to a dhcp server
s1(config)# interface gi0/0/1
s1(config-if)# ip dhcp snooping limit rate 5   !limit the rate of dhcp requests come from untrusted ports


show running-config | section dhcp
show ip dhcp binding
show ip dhcp server statistics  !verifies that messages are being received or sent by the router
show ip dhcp conflict

Deep dive to see all DHCPv4 packets travel:

access-list 100 permit udp any any eq 67      !permit only dhcp packets
access-list 100 permit udp any any eq 68
debug ip packet 100                      !debug access list
debug ip dhcp server events              !reports server events


IPv6 has two methods of assigning of global unicast ip addresses:

  • Stateless Address Autoconfiguration (SLAAC). Stateless means there is no service running or database that maintains IPv6 allocation on a network segment. SLAAC is the default option on Cisco routers.
  • Dynamic Host Configuration Protocol for IPv6 (Stateful DHCPv6)


SLAAC uses only the information that is provided by RA messages to configure IPv6 settings.

  • Router Solicitation (RS) message - sends by a client when configured to obtain IPv6 address via SLAAC. The RS message is sent to the IPv6 all-routers multicast address FF02::2.
  • Router Advertisement (RA) message - ICMPv6 RA is sent periodically or in response to RS message by routers to clients configured to obtain their IPv6 addresses automatically. It contains the prefix and prefix length of the local segment DNS server, MTU adn DGateway information only. The client creates its own Interface ID via EUI-64 process or randomly generated by OS. The client will use the router link-local address as its default gateway address. Cisco routers send RA messages every 200 seconds. RA messages are always sent to the IPv6 all-nodes multicast address FF02::1.

Router interfaces by default are in SLAAC operation where Managed Address Configuration flag (M flag) and the Other Configuration flag (O flag) set to 0.

no ipv6 nd managed-config-flag     !default flag M = 0
no ipv6 nd other-config-flag       !default flag O = 0

Stateless DHCPv6

IP addresses are configured via RA messages, the stateless DHCPv6 server is only providing other configuration parameters for clients, not IPv6 addresses.

Flags for Stateless DHCPv6 are set to: O(ther) = 1 and M(anaged) = 0 (default).

router(config-if)# ipv6 nd other-config-flag    !O flag =1, modifies the RA message sent on the interface of a router to indicate stateless DHCPv6

Stateful DHCPv6 (DHCPv6 only)

Most similar to DHCPv4, server allocates IPv6 addresses and track their state. RA message informs the client not to use the information in the RA message.

router(config-if)# ipv6 nd managed-config-flag  !M flag =1, the M flag indicates whether or not to use stateful DHCPv6

DHCPv6 Operations

# DHCPv6 #                                             # DHCPv6 #
# Server #                                             # Client #

                   S L A A C Operations

               RS to IPv6 all-routers FF02::2
           <----------------------------------------[1] Router Solicitation
                                                        reserved multicast

                RA to IPv6 all-nodes FF02::1
Router     [2]--------------------------------------->
reserved multicast

                    D H C P v6 Operations

              to all-DHCPv6-servers FF02::1:2
           <----------------------------------------[3] SOLICIT
                                                        reserved multicast

ADVERTISE  [4]--------------------------------------->

           <----------------------------------------[5] DHCPv6 REQUEST      - stateful DHCPv6 client, requests IPv6 address and other parameters 
                                                     or INFORMATION-REQUEST - stateless DHCPv6 client, requests only parameters, InterfaceID is self generated
REPLAY     [6]--------------------------------------->

Configure DHCPv6

Server configuration

Router(config)# ipv6 unicast-routing
Router(config)# ipv6 dhcp pool pool-name
Router(config-dhcpv6)# address prefix ipv6-prefix lifetime infinite    !Used in STATEFULL configuration DHCPv6 server, 
                                                                       !indicates the pool of addresses to be allocated by the server. It's not required for STATELESS DHCPv6 configuration.
Router(config-dhcpv6)# dns-server 2001:db8:cafe:1::1/64
Router(config-dhcpv6)# domain-name
Router(config-dhcpv6)# exit

Interface configuration

Router(config)# interface g0/0      !below set of commands configure the interface as a STATELESS DHCPv6 client
Router(config-if)# ipv6 address 2001:db8:cafe:1::1/64
Router(config-if)# ipv6 dhcp server pool-name
Router(config-if)# ipv6 nd other-config-flag     !sets O flag =1, obtain only other then IPv6 parameters from DHCPv6 server


Router(config)# interface g0/0      !below set of commands configure the interface as a STATELESS DHCPv6 client using SLAAC
Router(config-if)# ipv6 enable      !enables IPv6 on an interface and allows the router to configure its link-local address
Router(config-if)# ipv6 address autoconfig   !enables automatic configuration of global unicast IPv6 addressing using SLAAC
                                             !An RA message is then used to inform the client router to use stateless DHCPv6.


Router(config)# interface g0/0      !below set of commands configure the interface as a STATEFULL DHCPv6 client
Router(config-if)# ipv6 dhcp server pool-name
Router(config-if)# ipv6 nd managed-config-flag     !sets M flag =1, obtain IPv6 address and all parameters from STATEFULL DHCPv6 server

Configuring the DHCPv6 Relay Agent

Although configuration is similar to DHCPv4 the mechanism behind differs significantly.

Router(config)# interface g0/0 
Router(config-if)# ipv6 dhcp relay agent destination 2001:db8:beef:1::6 
Router(config)# do show ipv6 dhcp interface g0/0 | begin relay

DHCPv6 troubleshooting

show ipv6 dhcp pool
show ipv6 interface gi0/0 !shows that the router has Stateless address autoconfig enabled
show ipv6 dhcp binding
show ipv6 dhcp conflict
debug ipv6 dhcp detail