Cisco ASA Series ASDM Configuration Guide, 7.0
Configuring DHCP
Downloads: This chapterpdf (PDF - 133.0KB) The complete bookPDF (PDF - 38.02MB) | Feedback

Table of Contents

Configuring DHCP

Information About DHCP

Licensing Requirements for DHCP

Guidelines and Limitations

Configuring a DHCP Server

Editing DHCP Server Settings

Configuring Advanced DHCP Options

Configuring the DHCP Relay Service

Editing DHCP Relay Agent Settings

Adding or Editing Global DHCP Relay Server Settings

Additional References

RFCs

DHCP Monitoring

Feature History for DHCP

Information About DHCP

The DHCP Relay Agent sends Dynamic Host Configuration Protocol (DHCP) messages between DHCP clients and servers on different IP networks. DHCP provides network configuration parameters, such as IP addresses, to DHCP clients. The ASA can provide a DHCP server or DHCP relay service to DHCP clients attached to ASA interfaces. The DHCP server provides network configuration parameters directly to DHCP clients. The DHCP relay service sends DHCP requests received on one interface to an external DHCP server located on a different interface.

A client locates a DHCP server to request the assignment of configuration information using a reserved, link-scoped multicast address, which indicates that the client and server should be attached to the same link. However, in some cases where ease of management, economy, or scalability is the concern, we recommend that you allow a DHCP client to send a message to a server that is not connected to the same link. The DHCP relay agent, which may reside on the client network, can relay messages between the client and server. The relay agent operation is transparent to the client.

DHCP for IPv6 (DHCPv6) specified in RFC 3315 enables IPv6 DHCP servers to send configuration parameters such as network addresses or prefixes and DNS server addresses to IPv6 nodes (that is, DHCP clients). DHCPv6 uses the following multicast addresses:

  • All_DHCP_Relay_Agents_and_Servers (FF02::1:2) is a link-scoped multicast address used by a client to communicate with neighboring (that is, on-link) relay agents and servers. All DHCPv6 servers and relay agents are members of this multicast group.
  • The DHCPv6 relay service and server listen for messages on UDP port 547. The ASA DHCPv6 relay agent listens on both UDP port 547 and the All_DHCP_Relay_Agents_and_Servers multicast address.

Licensing Requirements for DHCP

Table 1-1 shows the licensing requirements for DHCP.

Table 1-1 Licensing Requirements

 

Model
License Requirement

All models

Base License.

For the ASA 5505, the maximum number of DHCP client addresses varies depending on the license:

  • If the limit is 10 hosts, the maximum available DHCP pool is 32 addresses.
  • If the limit is 50 hosts, the maximum available DHCP pool is 128 addresses.
  • If the number of hosts is unlimited, the maximum available DHCP pool is 256 addresses.

Note The ASA 5505 ships with a 10-user license.


Guidelines and Limitations

Use the following guidelines to configure the DHCP server:

  • You can configure only one DHCP server on each interface of the ASA. Each interface can have its own pool of addresses to use. However the other DHCP settings, such as DNS servers, domain name, options, ping timeout, and WINS servers, are configured globally and used by the DHCP server on all interfaces.
  • You cannot configure a DHCP client or DHCP relay service on an interface on which the server is enabled. Additionally, DHCP clients must be directly connected to the interface on which the server is enabled.
  • The ASA does not support QIP DHCP servers for use with the DHCP proxy service.
  • The relay agent cannot be enabled if the DHCP server is also enabled.
  • The ASA DHCP server does not support BOOTP requests. In multiple context mode, you cannot enable the DHCP server or DHCP relay service on an interface that is used by more than one context.
  • When it receives a DHCP request, the ASA sends a discovery message to the DHCP server. This message includes the IP address (within a subnetwork) that was configured with the dhcp-network-scope command in the group policy. If the server has an address pool that falls within that subnetwork, the server sends the offer message with the pool information to the IP address—not to the source IP address of the discovery message.

For example, if the server has a pool in the range of 209.165.200.225 to 209.165.200.254, mask 255.255.255.0, and the IP address specified by the dhcp-network-scope command is 209.165.200.1, the server sends that pool in the offer message to the ASA.

Use the following guidelines to configure the DHCP relay service:

  • DHCP clients must be directly connected to the ASA and cannot send requests through another relay agent or a router.
  • For multiple context mode, you cannot enable DHCP relay service on an interface that is used by more than one context.
  • The DHCP relay service is not available in transparent firewall mode. An ASA in transparent firewall mode only allows ARP traffic through; all other traffic requires an access list. To allow DHCP requests and replies through the ASA in transparent firewall mode, you must configure two access lists: one that allows DCHP requests from the inside interface to the outside, and one that allows the replies from the server in the other direction.
  • When the DHCP relay service is enabled and more than one DHCP relay server is defined, the ASA forwards client requests to each defined DHCP relay server. Replies from the servers are also forwarded to the client until the client DHCP relay binding is removed. The binding is removed when the ASA receives any of the following DHCP messages: ACK, NACK, or decline.
  • You cannot enable DHCP relay service on an interface running as a DHCP proxy service. You must remove the VPN DHCP configuration first or an error message appears. This error occurs if both DHCP relay and DHCP proxy services are enabled. Make sure that either the DHCP relay or DHCP proxy service is enabled, but not both.

Firewall Mode Guidelines

Supported in routed firewall mode.

Not supported in transparent firewall mode.

Context Mode Guidelines

Supported in single and multiple context mode.

Failover Guidelines

Supports Active/Active and Active/Standby failover.

IPv6 Guidelines

Supports IPv6.

Configuring a DHCP Server

This section includes the following topics:

To configure an ASA interface as a DHCP server, perform the following steps:


Step 1 In the Global DHCP Options area, check the Enable Auto-configuration from interface check box to enable DHCP auto configuration and choose the interface from the drop-down list.

DHCP auto configuration enables the DHCP Server to provide DHCP clients with DNS server, domain name, and WINS server information obtained from a DHCP client running on the specified interface. If information obtained through auto configuration is also specified manually in the Global DHCP Options area, the manually specified information takes precedence over the discovered information.

Step 2 To override the interface DHCP or PPPoE client WINS parameter with the VPN client parameter, check the Allow VPN override check box.

Step 3 In the DNS Server 1 field, enter the IP address of the primary DNS server for a DHCP client.

Step 4 In the DNS Server 2 field, enter the IP address of the alternate DNS server for a DHCP client.

Step 5 In the Domain Name field, enter the DNS domain name for DHCP clients (for example, example.com).

Step 6 In the Lease Length field, enter the amount of time, in seconds, that the client can use its allocated IP address before the lease expires. Valid values range from 300 to 1048575 seconds. The default value is 3600 seconds (1 hour).

Step 7 In the Primary WINS Server field, enter the IP address of the primary WINS server for a DHCP client.

Step 8 In the Secondary WINS Server field, enter the IP address of the alternate WINS server for a DHCP client.

Step 9 To avoid address conflicts, the ASA sends two ICMP ping packets to an address before assigning that address to a DHCP client. In the Ping Timeout field, enter the amount of time, in milliseconds, that the ASA waits to time out a DHCP ping attempt. Valid values range from 10 to 10000 milliseconds. The default value is 50 milliseconds.

Step 10 To specify additional DHCP options and their parameters, click Advanced to display the Configuring Advanced DHCP Options dialog box. For more information, see the “Configuring Advanced DHCP Options” section.

Step 11 In the Dynamic DNS Settings for DHCP Server area, you configure the DDNS update settings for the DHCP server. Check the Update DNS Clients check box to specify that, in addition to the default action of updating the client PTR resource records, the selected DHCP server should also perform the following update actions:

    • Check the Update Both Records check box to specify that the DHCP server should update both the A and PTR RRs.
    • Check the Override Client Settings check box to specify that the DHCP server actions should override any update actions requested by the DHCP client.

Step 12 To modify DHCP server settings, click Edit to display the Edit DHCP Server dialog box. Alternatively, you may double-click the row for a particular interface to open the Edit DHCP Server dialog box for that interface. For more information, see the “Editing DHCP Server Settings” section.

Step 13 Click Apply to save your changes, or click Reset to discard them and enter new ones.


 

Editing DHCP Server Settings

To enable DHCP, specify the DHCP address pool, and modify other DHCP server parameters for the selected interface, perform the following steps:


Step 1 The selected interface ID appears as display-only . To enable the DHCP server on the selected interface, check the Enable DHCP Server check box. To disable DHCP on the selected interface, uncheck this check box. Disabling the DHCP server on the selected interface does not clear the specified DHCP address pool.

Step 2 In the DHCP Address Pool field, enter the range of IP addresses from lowest to highest that is used by the DHCP server. The range of IP addresses must be on the same subnet as the selected interface and cannot include the IP address of the interface itself.

Step 3 Check the Update DNS Clients check box to specify that, in addition to the default action of updating the client PTR resource records, the selected DHCP server should also perform the following update actions:

    • To specify that the DHCP server should update both the A and PTR RRs, check the Update Both Records check box.
    • To specify that DHCP server actions should override any update actions requested by the DHCP client, check the Override Client Settings check box

Step 4 To enable DHCP on the interface, check the Enable DHCP Server check box. The DHCP Enabled column displays “Yes” if DHCP is enabled, or “No” if DHCP is disabled on the interface.

Step 5 In the DNS Address Pool field, enter the revised range of IP addresses that have been assigned to the DHCP address pool.

Step 6 In the Optional Parameters area, modify the following settings:

a. The DNS servers (1 and 2) configured for the interface.

b. The WINS servers (primary and secondary) configured for the interface.

c. The domain name of the interface.

d. The time in milliseconds that the ASA will wait for an ICMP ping response on the interface.

e. The duration of time that the DHPC server configured on the interface allows DHCP clients to use an assigned IP address.

f. The interface on a DHCP client that provides DNS, WINS, and domain name information for automatic configuration.

Step 7 To configure more DHCP options, click Advanced to display the Advanced DHCP Options dialog box. For more information, see the “Configuring Advanced DHCP Options” section.

Step 8 Click OK to close the Edit DHCP Server dialog box.

Step 9 Click Apply to save your changes, or click Reset to discard them and enter new ones.


 

Configuring Advanced DHCP Options

You can use advanced DHCP options to provide DNS, WINS, and domain name parameters to DHCP clients. You can also use the DHCP automatic configuration setting to obtain these values or define them manually. When you use more than one method to define this information, it is passed to DHCP clients in the following sequence:

1. Manually configured settings.

2. Advanced DHCP options settings.

3. DHCP automatic configuration settings.

For example, you can manually define the domain name that you want the DHCP clients to receive and then enable DHCP automatic configuration. Although DHCP automatic configuration discovers the domain together with the DNS and WINS servers, the manually defined domain name is passed to DHCP clients with the discovered DNS and WINS server names, because the domain name discovered by the DHCP automatic configuration process is superseded by the manually defined domain name.

To configure advanced DHCP options, perform the following steps:


Step 1 In the Option to be Added area, define the following settings:

a. Choose the option code from the drop-down list. All DHCP options (options 1 through 255) are supported except 1, 12, 50–54, 58–59, 61, 67, and 82.

b. Choose the options that you want to configure. Some options are standard. For standard options, the option name is shown in parentheses after the option number and the option parameters are limited to those supported by the option. For all other options, only the option number is shown and you must choose the appropriate parameters to supply with the option. For example, if you choose DHCP Option 2 (Time Offset), you can only enter a hexadecimal value for the option. For all other DHCP options, all of the option value types are available and you must choose the appropriate options value type.

c. In the Option Data area, specify the type of information that the option returns to the DHCP client. For standard DHCP options, only the supported option value type is available. For all other DHCP options, all of the option value types are available. Click Add to add the option to the DHCP option list. Click Delete to remove the option from the DHCP option list.

Click IP Address to indicate that an IP address is returned to the DHCP client. You can specify up to two IP addresses. IP Address 1 and IP Address 2 indicate an IP address in dotted-decimal notation.


Note The name of the associated IP address fields can change based on the DHCP option that you chose. For example, if you choose DHCP Option 3 (Router), the fields names change to Router 1 and Router 2.


Click ASCII to specify that an ASCII value is returned to the DHCP client. In the Data field, enter an ASCII character string. The string cannot include spaces.


Note The name of the associated Data field can change based on the DHCP option that you chose. For example, if you choose DHCP Option 14 (Merit Dump File), the associated Data field names change to File Name.


Click Hex to specify that a hexadecimal value is returned to the DHCP client. In the Data field, enter a hexadecimal string with an even number of digits and no spaces. You do not need to use a 0x prefix.


Note The name of the associated Data field can change based on the DHCP option you chose. For example, if you choose DHCP Option 2 (Time Offset), the associated Data field becomes the Offset field.


Step 2 Click OK to close the Advanced DHCP Options dialog box.

Step 3 Click Apply to save your changes, or click Reset to discard them and enter new ones.


 

Configuring the DHCP Relay Service

The DHCP Relay pane lets you configure the DHCP relay service on the ASA through ASDM.

This section includes the following topics:

To configure the DHCP relay service, perform the following steps:


Step 1 In the ASDM main application window, choose Configuration > Device Management > DHCP > DHCP Relay .

Step 2 To configure a new external server to which DHCP requests may be relayed, click Add to display the Add Global DHCP Relay Server dialog box. You can define up to ten global DHCP relay servers for IPv4 and ten global DHCP relay servers for IPv6 on the ASA. If you already have defined ten DHCP relay global servers for IPv4 and ten DHCP relay global servers for IPv6, the Add button is dimmed.

Step 3 Enter the IP address of the DHCP server, or click the ellipses to display the Browse DHCP Server dialog box.

Step 4 Double-click a DHCP server from the list to add it to the DHCP Server field, then click OK to close the Browse DHCP Server dialog box.

The newly selected DHCP server appears in the DHCP Server field.

Step 5 Choose the interface to which the specified DHCP server is attached from the drop-down list, then click OK to close the Add Global DHCP Relay Server dialog box.

The newly added global DHCP relay server appears in the Global DHCP Relay Servers list.

Step 6 To change a selected DHCP relay server settings, click Edit to display the Edit Global DHCP Relay Server dialog box.

Step 7 Make your desired changes, then click OK to close the Edit Global DHCP Relay Server dialog box. To remove a selected DHCP relay server from the list, click Delete .

Step 8 The DHCP Relay Agent area shows the following information:

    • The configured interfaces.
    • The IPv4 DHCP Relay Enabled column and IPv6 DHCP Relay Enabled column indicate whether or not the selected DHCP relay agent is enabled on the interface. The check box is checked if the DHCP relay agent is enabled, and is unchecked if the DHCP relay agent is not enabled on the interface.
    • The Set Route column indicates whether or not the selected DHCP relay agent is configured to modify the default router address in the information returned from the DHCP server. The check box is checked if the DHCP relay agent is configured to change the default router address to the interface address, and is unchecked if the DHCP relay agent does not modify the default router address.

Step 9 Enter the amount of time, in seconds, allowed for DHCP address handling in the IPv4 timeout or IPv6 timeout field. Valid values range from 1 to 3600 seconds. The default value is 60 seconds.

Step 10 Click Apply to save your settings, or click Reset to discard them and enter new ones.

Step 11 To change DHCP relay agent settings, see the “Editing DHCP Relay Agent Settings” section.


 

Editing DHCP Relay Agent Settings

To modify DHCP relay agent settings, perform the following steps:


Step 1 To enable the DHCP relay agent on the selected interface, check the Enable DHCP Relay Agent check box.

Step 2 To specify whether the DHCP relay agent is configured to modify the default router address in the information returned from the DHCP server, check the Set Route check box. The DHCP relay agent then substitutes the address of the selected interface for the default router address in the information returned from the DHCP server.

Step 3 Click Apply to save your changes, or click Reset to discard them and enter new ones.

Step 4 To add or edit global DHCP relay server settings, see the “Adding or Editing Global DHCP Relay Server Settings” section.


 

Adding or Editing Global DHCP Relay Server Settings

To add or edit a global DHCP relay server to which DHCP requests are relayed, perform the following steps:


Step 1 In the Global DHCP Relay Servers area, click Add to display the Add Global Relay Servers dialog box.

Step 2 In the DHCP Server field, enter either the IP4 address or hostname or the IPv6 address or hostname of the external DHCP server to which DHCP requests are forwarded. Alternatively, click the ellipses to display the Browse DHCP Server dialog box.

Step 3 Double-click a DHCP server from the list, then click OK to close the Browse DHCP Server dialog box.

The newly added external DHCP server appears in the list.

Step 4 Choose the interface through which DHCP requests are forwarded to the external DHCP server from the drop-down list.

Step 5 Click OK to close the Add Global Relay Servers dialog box.

The newly added global DHCP relay server appears in the list.

Step 6 To modify global DHCP relay server settings, click Edit to display the Edit DHCP Global Relay Servers dialog box.

Step 7 Make the desired changes, then click OK to close the Edit DHCP Global Relay Servers dialog box. The updated global DHCP relay server settings appear in the list.

Step 8 To change the timeout value, enter the number of seconds for IPv4 or IPv6.

Step 9 Click Apply to save your changes, or click Reset to discard them and enter new ones.


 

Additional References

For additional information related to implementing DHCPv6, see the following section:

RFCs

 

RFC
Title

2132

DHCP Options and BOOTP Vendor Extensions

2462

IPv6 Stateless Address Autoconfiguration

5510

DHCP for IPv6

DHCP Monitoring

To monitor DHCP, perform one or more of the following steps:

 

Path
Purpose

Tools > Command Line Interface

Enter the show running-config dhcpd command, then click Send .

Shows the current DHCP configuration.

Tools > Command Line Interface

Enter the show running-config dhcprelay command, then click Send .

Shows the current DHCP relay service status.

Tools > Command Line Interface

Enter the show ipv6 dhcprelay binding command, then click Send .

Shows the relay binding entries that were created by the relay agent.

Tools > Command Line Interface

Enter the show ipv6 dhcprelay statistics command, then click Send .

Shows DHCP relay agent statistics for IPv6.

Tools > Command Line Interface

Enter the clear config ipv6 dhcprelay command, then click Send .

Clears the IPv6 DHCP relay configuration.

Monitoring > Interfaces > DHCP > DHCP Client Lease Information

Shows configured DHCP client IP addresses.

Monitoring > Interfaces > DHCP > DHCP Server Table

Shows configured dynamic DHCP client IP addreses.

Monitoring > Interfaces > DHCP > DHCP Statistics

Shows DHCP message types, counters, values, directions, messages received, and messages sent.

Feature History for DHCP

Table 1-2 each feature change and the platform release in which it was implemented.

ASDM is backward-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.

 

Table 1-2 Feature History for DHCP

Feature Name
Releases
Description

DHCP

7.0(1)

The ASA can provide a DHCP server or DHCP relay services to DHCP clients attached to ASA interfaces.

We introduced the following screens:

Configuration > Device Management > DHCP > DHCP Relay.
Configuration > Device Management > DHCP > DHCP Server.

DHCP for IPv6 (DHCPv6)

9.0(1)

Support for IPv6 was added.

We modified the following screen: Configuration > Device Management > DHCP > DHCP Relay.