Cisco DHCP configuration
From Ever changing code
This configuration will be applied to a Cisco 1941 with an EHWIC-3G-HSPA+7 card and a Lightweight Access Point.
- 1 Theory
- 2 DHCPv4 configuration
- 3 DHCP IP bindings
- 4 DHCP snooping
- 5 Troubleshooting
- 6 DHCPv6 and IPv6 SLAAC
- 7 Configure DHCPv6
- 8 References
A Cisco IOS feature set (called "Easy IP") offers an optional, full-featured DHCPv4 server with 3 different address allocation mechanisms:
- Manual Allocation - static binding of a pre-allocated IPv4 address to the client
- Automatic Allocation - DHCPv4 automatically assigns an IPv4 address permanently to a device, selecting it from a pool of available addresses. There is no lease; the address is permanently assigned to the device.
- Dynamic Allocation - DHCPv4 dynamically assigns, or leases, an IPv4 address from a pool for a limited period of time.
- DHCPv4 Lease Origination
Abbreviations used in the graphic below:
- MAC - Media Access Control Address
- CIADDR - Client IP Address
- GIADDR - Gateway IP Address, aka the default gateway IP address / ip helper IP address. If zero/blank then the client is on the same segment as the server
- CHADDR - Client Hardware Address
##SERVER##                                              ##CLIENT##
192.168.1.254/24
                                                        I'd like to request an address
 <------------------------------------- [ DHCPDISCOVER ] IPv4 broadcast
   IP src: 0.0.0.0 dst: 255.255.255.255, UDP 67        CIADDR: 0.0.0.0
   MAC src: MAC_eth0 dst: ff:ff:ff:ff:ff:ff            GIADDR: 0.0.0.0
   Mask: 0.0.0.0                                       CHADDR: MAC_A

I'm DHCPsrv and an address I can offer
 [ DHCPOFFER ] -----------------------------------> unicast
   IP src: 192.168.1.254 dst: 192.168.1.10, UDP 68     CIADDR: 192.168.1.10
   MAC src: MAC_Serv dst: MAC_A                        GIADDR: 0.0.0.0
   Mask: 255.255.255.0                                 CHADDR: MAC_A

                                                        I accept the IP address offer
 <------------------------------------- [ DHCPREQUEST ] broadcast

Your acceptance is acknowledged
 [ DHCPACK ] --------------------------------------> unicast
 The server sends ICMP to the offered IP address to verify that it is not in use, then sends DHCPACK.
- DHCPv4 Lease renewal
##SERVER##                                              ##CLIENT##
                                                        I'd like to renew my lease
 <-------------------------------------- [ DHCPREQUEST ] unicast
   When the lease expires, the 1st request is unicast to the server that made the offer;
   if it times out, the 2nd request is broadcast to reach other DHCPv4 servers.

Your request is acknowledged
 [ DHCPACK ] -----------------------------------> unicast
- DHCPv4 message format
- sent from the client using UDP source port 68 and destination port 67
- sent from the server using UDP source port 67 and destination port 68
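The message layout and port usage described above, as an added example that is not from the original page: a small Python builder and parser for the DHCPv4 fixed header and options, which replays the DISCOVER/OFFER/REQUEST/ACK exchange from the diagram and records how each message is carried. The MAC address, transaction ID and the 192.168.1.0/24 values are constructed to match the diagram; `build_dhcp`, `parse_dhcp` and `lease_origination` are my names, not an IOS or library API.

```python
import struct
import ipaddress

# Constructed sample values: the MAC address, transaction ID and the 192.168.1.0/24
# network mirror the lease-origination diagram on the page; nothing here is a real capture.
MAGIC_COOKIE = b"\x63\x82\x53\x63"
SERVER_PORT, CLIENT_PORT = 67, 68            # client -> server: 68 -> 67; server -> client: 67 -> 68
BOOTREQUEST, BOOTREPLY = 1, 2                # 'op' field: requests come from clients, replies from servers
FIXED_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"  # op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr,
                                             # siaddr, giaddr, chaddr, sname, file (236 bytes)
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK", 6: "DHCPNAK"}
OPT_SUBNET_MASK, OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 1, 3, 53, 54, 255


def build_dhcp(op, xid, msg_type, chaddr, yiaddr="0.0.0.0", giaddr="0.0.0.0",
               broadcast=False, extra_options=()):
    """Serialize one DHCPv4 message: RFC 2131 fixed header, magic cookie, options."""
    flags = 0x8000 if broadcast else 0       # broadcast bit: client cannot yet receive unicast
    header = struct.pack(
        FIXED_HEADER, op, 1, 6, 0, xid, 0, flags,
        b"\0" * 4,                                      # ciaddr: only set when the client already has a lease
        ipaddress.IPv4Address(yiaddr).packed,           # yiaddr: the address the server offers/assigns
        b"\0" * 4,                                      # siaddr: next server (unused here)
        ipaddress.IPv4Address(giaddr).packed,           # giaddr: filled in by a relay (ip helper-address)
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in extra_options:
        options += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_dhcp(packet):
    """Decode the fields the diagram cares about plus the option list."""
    f = struct.unpack(FIXED_HEADER, packet[:236])
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("no DHCP magic cookie: plain BOOTP or truncated packet")
    hlen = f[2]
    msg = {"op": f[0], "xid": f[4], "broadcast": bool(f[6] & 0x8000),
           "ciaddr": str(ipaddress.IPv4Address(f[7])), "yiaddr": str(ipaddress.IPv4Address(f[8])),
           "giaddr": str(ipaddress.IPv4Address(f[10])), "chaddr": f[11][:hlen].hex(":"), "options": {}}
    i = 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:                   # pad option has no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        msg["options"][code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    msg["type"] = MSG_TYPES.get(msg["options"].get(OPT_MSG_TYPE, b"\0")[0], "unknown")
    msg["relayed"] = msg["giaddr"] != "0.0.0.0"   # GIADDR zero: client is on the server's segment
    return msg


def lease_origination():
    """Replay DISCOVER/OFFER/REQUEST/ACK and record how each message is carried."""
    mac_a = bytes.fromhex("7c69f6e1d87d")   # MAC_A in the diagram (constructed)
    xid = 0x3903F326
    server = [(OPT_SERVER_ID, ipaddress.IPv4Address("192.168.1.254").packed),
              (OPT_SUBNET_MASK, ipaddress.IPv4Address("255.255.255.0").packed),
              (OPT_ROUTER, ipaddress.IPv4Address("192.168.1.254").packed)]
    exchange = [
        build_dhcp(BOOTREQUEST, xid, 1, mac_a, broadcast=True),                                 # DHCPDISCOVER
        build_dhcp(BOOTREPLY, xid, 2, mac_a, yiaddr="192.168.1.10", extra_options=server),      # DHCPOFFER
        build_dhcp(BOOTREQUEST, xid, 3, mac_a, broadcast=True, extra_options=server[:1]),       # DHCPREQUEST
        build_dhcp(BOOTREPLY, xid, 5, mac_a, yiaddr="192.168.1.10", extra_options=server),      # DHCPACK
    ]
    trace = []
    for pkt in exchange:
        m = parse_dhcp(pkt)
        src, dst = (CLIENT_PORT, SERVER_PORT) if m["op"] == BOOTREQUEST else (SERVER_PORT, CLIENT_PORT)
        trace.append((m["type"], src, dst, "broadcast" if m["broadcast"] else "unicast", m["yiaddr"]))
    return trace


if __name__ == "__main__":
    for step in lease_origination():
        print("%-13s UDP %d -> %d  %-9s yiaddr=%s" % step)
```

The offered address travels in the `yiaddr` ("your" IP address) field rather than `ciaddr`, which a client only fills in once it already holds a lease; `giaddr` stays 0.0.0.0 in this exchange because no relay is involved, which is the check `parse_dhcp` exposes as `relayed`.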
configure terminal
 service dhcp
 ip dhcp pool LAN-POOL-1
  network 192.168.100.0 255.255.255.0       !defines the range of available addresses
  default-router 192.168.100.254            !sets default gateway
  dns-server 192.168.100.254 18.104.22.168
  netbios-name-server 192.168.100.100       !defines the NetBIOS WINS server, can be a SAMBA server or a Windows machine
  domain-name home.gateway
  lease 0 8                                 !sets an 8 hrs lease; the value represents Days Hours Minutes, or infinite
 ip dhcp excluded-address 192.168.100.1 192.168.100.10
 ip dhcp excluded-address 192.168.100.240 192.168.100.255
- Cisco router interface configured to obtain an IP Address from DHCP server
configure terminal
r1-basic(config)#int gi 0/0
r1-basic(config-if)#ip address dhcp
r1-basic(config-if)#no shutdown
r1-basic(config-if)#end
Once an IP address is assigned you will see:
*Sep 1 22:08:50.003: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0/0 assigned DHCP address 192.168.1.66, mask 255.255.255.0, hostname r1-basicchanged state to up
- Clearing a DHCP binding removes the current assignment; resetting a client interface afterwards triggers a renegotiation of the IP address
R1#clear ip dhcp binding ?
  *        Clear all automatic bindings
  A.B.C.D  Clear a specific binding
  vrf      DHCP vrf bindings
- Renew DHCP address on an access point
ap1#renew dhcp Gi0
DHCP relay agent
Cisco routers can relay broadcast DHCP messages received on an interface segment as unicast messages directly to a DHCP server.
r1(config)# interface g0/0
r1(config-if)# ip helper-address 192.168.11.6
r1(config-if)# do show ip interface g0/0 | include Helper
By default, the ip helper-address command forwards the following eight UDP services:
- Port 37: Time
- Port 49: TACACS
- Port 53: DNS
- Port 67: DHCP/BOOTP client
- Port 68: DHCP/BOOTP server
- Port 69: TFTP
- Port 137: NetBIOS name service
- Port 138: NetBIOS datagram service
Configure DHCPv4 on a switch
S1# show sdm prefer        !verify the current Switch Database Manager (SDM) template
 The current template is "default" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 0 routed interfaces and 255 VLANs.
  number of unicast mac addresses:     8K
  number of IPv4 IGMP groups:          0.25K
  number of IPv4/MAC qos aces:         0.125k
  number of IPv4/MAC security aces:    0.375k

S1(config)# sdm prefer lanbase-routing   !sets the lanbase-routing template
S1(config)# reload                       !a reboot is required to change the configuration template
S1(config)# ip routing                   !required if you want inter-VLAN routing enabled
From then on, the DHCPv4 configuration is the same as on a router.
DHCP IP bindings
This is an example of manual IP binding; a DHCP pool needs to be created per IP address binding.
ip dhcp pool AP1
 host 10.0.99.1 255.255.255.128
 client-identifier 017c.69f6.e1d8.7d
 client-name ap1      ! client-name has not worked for me, it did not assign 'ap1' hostname to a client/AP
If you configure a Cisco router as a DHCP client, you'll notice that it uses weird client-id in its DHCP requests (assuming you care about client IDs on the DHCP server). Instead of using the interface MAC address as the client ID (as most workstations do), the client ID is the string 'cisco-dotted.mac.ascii-ifname' where the dotted.mac.ascii is the interface MAC address in ascii and the ifname is the short interface name.
+-----------+                           +-------------+
|Router     | Gi0/1/0 <---------> Gi0   | Access point|
|DHCP server|                      /    +-------------+
+-----------+                     /
                         MAC address
                         client-identifier 017c.69f6.e1d8.7d
debug dhcp detail
Note that if you have client-id cc05.12bc.0000 on your client, then on your server you need to use client-id 01cc.0512.bc00.00. So there's a 01 prefix to add on the server, where 01 represents the Ethernet media type.
What is termed the Client ID for the purposes of the DHCP protocol is whatever the protocol uses to identify the client computer. By default, DHCP implementations typically employ the client's MAC address for this purpose, but the DHCP protocol allows other options as well. In any case, for DHCP to function we must be certain that no other client is using the client ID we choose, and we must be sure the DHCP server will accept it.
A client identifier (DHCP option 61) can be a hexadecimal or an ASCII value. By default, the client identifier is an ASCII value; that is what happens if we just use ip address dhcp without any options. We can override the default with the ip address dhcp client-id <interface> command, and then the hexadecimal MAC address of the named interface is used as the client identifier.
There is also DHCP option 12, which is used to send the hostname to the server. By default option 12 is also sent, with the configured hostname as its value, but we can change it with ip address dhcp hostname host-name.
- Configured bindings can be previewed with:
R1#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration   Type
                Hardware address/
                User name
10.0.99.1       017c.69f6.e1d8.7d       Infinite           Manual
10.0.99.2       017c.69f6.e1d9.18       Infinite           Manual
10.0.99.3       017c.69f6.e1d9.78       Infinite           Manual
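The two forms of client identifier discussed above (the hexadecimal 01 + MAC form the server's client-identifier expects, and the ASCII cisco-<dotted mac>-<ifname> form an IOS client sends by default), as an added Python example that is not from the original page. It converts between a MAC and the dotted Client-ID shown by show ip dhcp binding, and encodes/decodes option 61 and option 12 as they appear on the wire. The MAC addresses are the ones on the page; the function names are mine.

```python
import re

ETHERNET_HTYPE = 0x01   # DHCP hardware type 1 (Ethernet): the "01" prefix the IOS server expects


def mac_to_bytes(mac):
    """Accept Cisco dotted (7c69.f6e1.d87d), colon or dash notation and return 6 raw bytes."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def cisco_dotted(raw):
    """Render bytes the way IOS prints them: groups of four hex digits, e.g. 017c.69f6.e1d8.7d."""
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def server_client_identifier(mac):
    """Option 61 value in the hexadecimal form used in 'client-identifier': 01 + MAC."""
    return cisco_dotted(bytes([ETHERNET_HTYPE]) + mac_to_bytes(mac))


def mac_from_client_identifier(client_id):
    """Inverse: recover the MAC from a 'show ip dhcp binding' Client-ID such as 017c.69f6.e1d8.7d."""
    raw = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", client_id))
    if len(raw) != 7 or raw[0] != ETHERNET_HTYPE:
        raise ValueError("not a type-1 (Ethernet) client identifier")
    return cisco_dotted(raw[1:])


def ios_default_client_identifier(mac, short_ifname):
    """ASCII client-id an IOS DHCP client sends with plain 'ip address dhcp'
    (format as described on the page: cisco-<dotted mac>-<short interface name>)."""
    return f"cisco-{cisco_dotted(mac_to_bytes(mac))}-{short_ifname}"


def encode_option_61(client_id):
    """Option 61 TLV as it appears on the wire: bytes for the hex form, str for the ASCII form."""
    value = client_id if isinstance(client_id, bytes) else client_id.encode("ascii")
    return bytes([61, len(value)]) + value


def decode_option_61(tlv):
    """Classify an option 61 TLV: Ethernet (01 + MAC) or an opaque/ASCII identifier."""
    code, length, value = tlv[0], tlv[1], tlv[2:]
    if code != 61 or len(value) != length:
        raise ValueError("malformed option 61")
    if length == 7 and value[0] == ETHERNET_HTYPE:
        return ("ethernet", cisco_dotted(value[1:]))
    return ("ascii", value.decode("ascii", errors="replace"))


def encode_option_12(hostname):
    """Option 12 (host name), the value 'ip address dhcp hostname <name>' changes."""
    return bytes([12, len(hostname)]) + hostname.encode("ascii")


if __name__ == "__main__":
    print(server_client_identifier("cc05.12bc.0000"))              # 01cc.0512.bc00.00
    print(mac_from_client_identifier("017c.69f6.e1d8.7d"))         # 7c69.f6e1.d87d
    print(ios_default_client_identifier("7c69.f6e1.d87d", "Gi0"))  # cisco-7c69.f6e1.d87d-Gi0
```

`decode_option_61` is the check to run when a manual binding is never handed out: if the client is sending the ASCII form, the 01 + MAC entry in the pool will never match, which is why the page's client-id override exists.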
DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.
- trusted ports can source all DHCP messages
- untrusted ports can source requests only
Trusted ports host a DHCP server or can be an uplink toward the DHCP server. If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down. Untrusted ports are those not explicitly configured as trusted.
A DHCP binding table is built for untrusted ports. Each entry contains a client MAC address, IP address, lease time, binding type, VLAN number, and port ID recorded as clients make DHCP requests. The table is then used to filter subsequent DHCP traffic. From a DHCP snooping perspective, untrusted access ports should not send any DHCP server responses.
s1(config)# ip dhcp snooping                  !enable dhcp snooping
s1(config)# ip dhcp snooping vlan 5,10        !enable dhcp snooping for specific VLANs
s1(config)# interface gi0/0/0
s1(config-if)# ip dhcp snooping trust         !path to a dhcp server
s1(config)# interface gi0/0/1
s1(config-if)# ip dhcp snooping limit rate 5  !limit the rate of dhcp requests coming from untrusted ports
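How a switch applies the trusted/untrusted rules, the rate limit and the binding table described above, as an added Python model that is neither IOS code nor part of the original page. The ports, VLANs, MAC addresses and the 10.0.5.0/24 addresses in `run_sample` are constructed, and the class and method names are mine. The model also drops client messages whose source MAC differs from CHADDR, the MAC-address verification that DHCP snooping performs on untrusted ports.

```python
from collections import defaultdict

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}   # only a trusted port may source these


class DhcpSnooping:
    """Model of one switch's DHCP snooping state (constructed, not IOS code)."""

    def __init__(self, vlans, trusted_ports, rate_limits):
        self.vlans = set(vlans)                  # 'ip dhcp snooping vlan ...'
        self.trusted = set(trusted_ports)        # 'ip dhcp snooping trust'
        self.rate_limits = dict(rate_limits)     # port -> 'ip dhcp snooping limit rate N' (packets/second)
        self.bindings = {}                       # (client MAC, VLAN) -> binding table entry
        self.errdisabled = set()                 # ports shut down for a violation
        self.log = []                            # what the switch would report
        self._pending = {}                       # CHADDR -> (port, VLAN) of a client awaiting an ACK
        self._pps = defaultdict(int)             # (port, whole second) -> client packets seen

    def process(self, pkt):
        """Return 'forward' or 'drop' for one DHCP packet and update the tables."""
        port, vlan = pkt["port"], pkt["vlan"]
        if vlan not in self.vlans:
            return "forward"                     # snooping is not enabled on this VLAN
        if port in self.errdisabled:
            return "drop"
        if port in self.trusted:                 # trusted ports can source all DHCP messages
            if pkt["type"] == "DHCPACK" and pkt["chaddr"] in self._pending:
                cport, cvlan = self._pending.pop(pkt["chaddr"])
                self.bindings[(pkt["chaddr"], cvlan)] = {
                    "mac": pkt["chaddr"], "ip": pkt.get("yiaddr"), "lease": pkt.get("lease"),
                    "type": "dhcp-snooping", "vlan": cvlan, "port": cport}
            return "forward"
        # Untrusted port: requests only, rate limited, and the source MAC must match CHADDR
        if pkt["type"] in SERVER_MSGS:
            self.errdisabled.add(port)
            self.log.append(f"{port}: {pkt['type']} from {pkt['mac']} on untrusted port, port shut down")
            return "drop"
        key = (port, int(pkt["time"]))
        self._pps[key] += 1
        limit = self.rate_limits.get(port)
        if limit is not None and self._pps[key] > limit:
            self.errdisabled.add(port)
            self.log.append(f"{port}: more than {limit} DHCP packets/s, port shut down")
            return "drop"
        if pkt["mac"] != pkt["chaddr"]:
            self.log.append(f"{port}: source MAC {pkt['mac']} != CHADDR {pkt['chaddr']}, dropped")
            return "drop"
        self._pending[pkt["chaddr"]] = (port, vlan)
        return "forward"


def run_sample():
    """Replay a constructed sequence: a normal lease, a rogue OFFER, and a DISCOVER burst."""
    sw = DhcpSnooping(vlans={5, 10}, trusted_ports={"Gi0/0/0"},
                      rate_limits={"Gi0/0/1": 5, "Gi0/0/3": 5})
    pc, srv, rogue = "7c69.f6e1.d87d", "0011.2233.4455", "dead.beef.0001"   # constructed MACs

    def pkt(port, vlan, t, typ, mac, chaddr, **extra):
        return {"port": port, "vlan": vlan, "time": t, "type": typ, "mac": mac, "chaddr": chaddr, **extra}

    packets = [
        pkt("Gi0/0/1", 5, 0.0, "DHCPDISCOVER", pc, pc),
        pkt("Gi0/0/0", 5, 0.1, "DHCPOFFER", srv, pc, yiaddr="10.0.5.20"),
        pkt("Gi0/0/1", 5, 0.2, "DHCPREQUEST", pc, pc),
        pkt("Gi0/0/0", 5, 0.3, "DHCPACK", srv, pc, yiaddr="10.0.5.20", lease=28800),
        pkt("Gi0/0/2", 5, 1.0, "DHCPOFFER", rogue, pc, yiaddr="10.0.5.99"),     # rogue server reply
    ] + [pkt("Gi0/0/3", 10, 2.0 + i / 100, "DHCPDISCOVER", f"0000.0000.00{i:02x}",
             f"0000.0000.00{i:02x}") for i in range(6)]                         # 6 packets within 1 s
    verdicts = [sw.process(p) for p in packets]
    return sw, verdicts


if __name__ == "__main__":
    switch, verdicts = run_sample()
    print(verdicts)
    print(switch.bindings)
    print("\n".join(switch.log))
```

The binding entry is only created when the ACK arrives through a trusted port for a client that was seen requesting on an untrusted one, which is what makes the table a trustworthy input for features layered on top of it, such as IP source guard or dynamic ARP inspection.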
show running-config | section dhcp
show ip dhcp binding
show ip dhcp server statistics   !verifies that messages are being received or sent by the router
show ip dhcp conflict
Deep dive to see all DHCPv4 packets travel:
access-list 100 permit udp any any eq 67   !permit only dhcp packets
access-list 100 permit udp any any eq 68
debug ip packet 100                        !debug against the access list
debug ip dhcp server events                !reports server events
DHCPv6 and IPv6 SLAAC
IPv6 has two methods of assigning global unicast IP addresses:
- Stateless Address Autoconfiguration (SLAAC). Stateless means there is no service running or database that maintains IPv6 allocation on a network segment. SLAAC is the default option on Cisco routers.
- Dynamic Host Configuration Protocol for IPv6 (Stateful DHCPv6)
SLAAC uses only the information that is provided by RA messages to configure IPv6 settings.
- Router Solicitation (RS) message - sent by a client configured to obtain an IPv6 address via SLAAC. The RS message is sent to the IPv6 all-routers multicast address FF02::2.
- Router Advertisement (RA) message - an ICMPv6 RA is sent periodically, or in response to an RS message, by routers to clients configured to obtain their IPv6 addresses automatically. It contains only the prefix and prefix length of the local segment, DNS server, MTU and default gateway information. The client creates its own Interface ID via the EUI-64 process, or it is randomly generated by the OS. The client uses the router's link-local address as its default gateway address. Cisco routers send RA messages every 200 seconds. RA messages are always sent to the IPv6 all-nodes multicast address FF02::1.
Router interfaces are by default in SLAAC operation, where the Managed Address Configuration flag (M flag) and the Other Configuration flag (O flag) are set to 0.
no ipv6 nd managed-config-flag   !default flag M = 0
no ipv6 nd other-config-flag     !default flag O = 0
IP addresses are configured via RA messages; the stateless DHCPv6 server only provides other configuration parameters for clients, not IPv6 addresses.
Flags for Stateless DHCPv6 are set to: O(ther) = 1 and M(anaged) = 0 (default).
router(config-if)# ipv6 nd other-config-flag !O flag =1, modifies the RA message sent on the interface of a router to indicate stateless DHCPv6
Stateful DHCPv6 (DHCPv6 only)
Most similar to DHCPv4: the server allocates IPv6 addresses and tracks their state. The RA message informs the client not to use the information in the RA message.
router(config-if)# ipv6 nd managed-config-flag !M flag =1, the M flag indicates whether or not to use stateful DHCPv6
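The RA flags and the EUI-64 derivation described above, as an added Python example that is not from the original page: it serializes and parses an ICMPv6 Router Advertisement with one Prefix Information option, derives the SLAAC address a host would form from the advertised /64 and its MAC, and applies the M/O rules to say whether the host also sends a DHCPv6 REQUEST (stateful) or INFORMATION-REQUEST (stateless). The 2001:db8:cafe:1::/64 prefix and the host MAC are constructed; `build_ra`, `parse_ra`, `slaac_address` and `address_plan` are my names.

```python
import struct
import ipaddress

ICMPV6_RA = 134
RA_FLAG_M, RA_FLAG_O = 0x80, 0x40          # Managed / Other flags in the RA header
OPT_PREFIX_INFO = 3
PIO_FLAG_L, PIO_FLAG_A = 0x80, 0x40        # on-link / autonomous (usable for SLAAC) flags in the prefix option
RA_HEADER = "!BBHBBHII"                    # type, code, checksum, hop limit, flags, lifetime, reachable, retrans


def build_ra(prefix, prefix_len, managed=False, other=False, autonomous=None, lifetime=1800):
    """Serialize an ICMPv6 RA with one Prefix Information option (checksum left zero; on the
    wire it is computed over the IPv6 pseudo-header). Models the page's rule: a stateful RA
    (M=1) does not offer its prefix for SLAAC, which on the wire is the prefix's A flag."""
    if autonomous is None:
        autonomous = not managed
    flags = (RA_FLAG_M if managed else 0) | (RA_FLAG_O if other else 0)
    header = struct.pack(RA_HEADER, ICMPV6_RA, 0, 0, 64, flags, lifetime, 0, 0)
    pflags = PIO_FLAG_L | (PIO_FLAG_A if autonomous else 0)
    option = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, prefix_len, pflags,
                         2592000, 604800, 0, ipaddress.IPv6Address(prefix).packed)
    return header + option


def parse_ra(msg):
    """Return the M/O flags and the (prefix, length, autonomous) tuples carried in the RA."""
    typ, _code, _csum, _hops, flags, _life, _reach, _retrans = struct.unpack(RA_HEADER, msg[:16])
    if typ != ICMPV6_RA:
        raise ValueError("not a Router Advertisement (ICMPv6 type 134)")
    ra = {"M": bool(flags & RA_FLAG_M), "O": bool(flags & RA_FLAG_O), "prefixes": []}
    i = 16
    while i + 2 <= len(msg):
        otype, olen = msg[i], msg[i + 1] * 8     # ND option length is in units of 8 bytes
        if olen == 0:
            raise ValueError("zero-length ND option")   # RFC 4861: discard the packet
        if otype == OPT_PREFIX_INFO and olen == 32:
            plen, pflags, _valid, _pref, _res, pfx = struct.unpack("!BBIII16s", msg[i + 2:i + olen])
            ra["prefixes"].append((str(ipaddress.IPv6Address(pfx)), plen, bool(pflags & PIO_FLAG_A)))
        i += olen
    return ra


def eui64_interface_id(mac):
    """Modified EUI-64: flip the universal/local bit of the first octet, insert ff:fe in the middle."""
    raw = bytes.fromhex("".join(ch for ch in mac if ch not in ":.-"))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def slaac_address(prefix, prefix_len, mac):
    """Global unicast address a host forms from an advertised /64 and its EUI-64 interface ID."""
    if prefix_len != 64:
        raise ValueError("EUI-64 SLAAC requires a /64 prefix")
    net = ipaddress.IPv6Network(f"{prefix}/{prefix_len}", strict=False)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac)))


def address_plan(ra, mac):
    """Apply the page's flag rules: M=1 -> stateful DHCPv6, O=1 -> stateless DHCPv6,
    both 0 -> SLAAC only. Addresses are self-generated for every prefix flagged autonomous."""
    if ra["M"]:
        dhcpv6 = "stateful: REQUEST address and other parameters from DHCPv6"
    elif ra["O"]:
        dhcpv6 = "stateless: INFORMATION-REQUEST for other parameters only"
    else:
        dhcpv6 = None
    addresses = [slaac_address(p, plen, mac) for p, plen, auto in ra["prefixes"] if auto and plen == 64]
    return {"slaac_addresses": addresses, "dhcpv6": dhcpv6}


if __name__ == "__main__":
    MAC = "7c69.f6e1.d87d"                                   # constructed host MAC
    for m, o in ((False, False), (False, True), (True, False)):
        ra = parse_ra(build_ra("2001:db8:cafe:1::", 64, managed=m, other=o))
        print(f"M={int(m)} O={int(o)} ->", address_plan(ra, MAC))
```

Because the EUI-64 interface ID embeds the MAC, the host address is predictable from the hardware address; operating systems that instead generate the Interface ID randomly (as the page notes) avoid that, and the same derivation run in reverse is how an address seen in the logs is traced back to a MAC.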
# DHCPv6 #                                                          # DHCPv6 #
# Server #                                                          # Client #

S L A A C  Operations
 RS to IPv6 all-routers FF02::2  <---------------------------------- Router Solicitation
 reserved multicast
 RA to IPv6 all-nodes FF02::1    ----------------------------------> Router Advertisement
 reserved multicast

D H C P v6  Operations
 to all-DHCPv6-servers FF02::1:2 <---------------------------------- SOLICIT
 reserved multicast
 ADVERTISE                       ----------------------------------> unicast
                                 <---------------------------------- DHCPv6 REQUEST - stateful DHCPv6 client, requests IPv6 address and other parameters
                                                                       or INFORMATION-REQUEST - stateless DHCPv6 client, requests only parameters, InterfaceID is self generated
                                                                     unicast
 REPLY                           ----------------------------------> unicast
Router(config)# ipv6 unicast-routing
Router(config)# ipv6 dhcp pool pool-name
Router(config-dhcpv6)# address prefix ipv6-prefix lifetime infinite   !Used in a STATEFUL DHCPv6 server configuration;
                                                                      !indicates the pool of addresses to be allocated by the server.
                                                                      !Not required for a STATELESS DHCPv6 configuration.
Router(config-dhcpv6)# dns-server 2001:db8:cafe:1::1/64
Router(config-dhcpv6)# domain-name example.com
Router(config-dhcpv6)# exit
Router(config)# interface g0/0                 !below set of commands makes the interface a STATELESS DHCPv6 server (clients get only the "other" parameters from it)
Router(config-if)# ipv6 address 2001:db8:cafe:1::1/64
Router(config-if)# ipv6 dhcp server pool-name
Router(config-if)# ipv6 nd other-config-flag   !sets O flag = 1, clients obtain only parameters other than the IPv6 address from the DHCPv6 server
Router(config)# interface g0/0              !below set of commands configure the interface as a STATELESS DHCPv6 client using SLAAC
Router(config-if)# ipv6 enable              !enables IPv6 on the interface and lets the router configure its link-local address
Router(config-if)# ipv6 address autoconfig  !enables automatic configuration of global unicast IPv6 addressing using SLAAC
                                            !An RA message is then used to inform the client router to use stateless DHCPv6.
Router(config)# interface g0/0                  !below set of commands makes the interface a STATEFUL DHCPv6 server
Router(config-if)# ipv6 dhcp server pool-name
Router(config-if)# ipv6 nd managed-config-flag  !sets M flag = 1, clients obtain the IPv6 address and all parameters from the STATEFUL DHCPv6 server
Configuring the DHCPv6 Relay Agent
Although the configuration is similar to DHCPv4, the mechanism behind it differs significantly.
Router(config)# interface g0/0
Router(config-if)# ipv6 dhcp relay destination 2001:db8:beef:1::6
Router(config-if)# do show ipv6 dhcp interface g0/0 | begin relay
show ipv6 dhcp pool
show ipv6 interface gi0/0   !shows that the router has Stateless address autoconfig enabled
show ipv6 dhcp binding
show ipv6 dhcp conflict
debug ipv6 dhcp detail
- Configuring the Cisco IOS DHCP Server, first published on May 2, 2005, and last updated on June 28, 2007.