DHCP Server high availability for Cisco IOS XE Catalyst SD-WAN devices

DHCP Server High Availability on Cisco IOS XE Catalyst SD-WAN devices is a feature that configures redundant DHCP servers on a pair of Cisco IOS XE Catalyst SD-WAN devices. It synchronizes DHCP lease information between an Active and Standby device, ensuring continuous IP address assignment, seamless client transitions, and prevention of duplicate IP addresses during device failover.

Feature history for DHCP high availability for Cisco IOS XE Catalyst SD-WAN devices

This table describes the developments of the DHCP high availability feature, by release.

Table 1. Feature history

Feature Name: DHCP high availability for Cisco IOS XE Catalyst SD-WAN devices

Release Information: Cisco IOS XE Catalyst SD-WAN Release 17.18.2, Cisco Catalyst SD-WAN Manager Release 20.18.2

Description: This feature introduces DHCP high availability for Cisco IOS XE Catalyst SD-WAN devices to ensure continuous DHCP server operation on the LAN side. It uses an Active/Standby deployment model where two Cisco IOS XE Catalyst SD-WAN devices synchronize DHCP bindings (IP address records). This synchronization ensures that if the Active device fails, the Standby device seamlessly assumes the Active role, preserving IP address records and maintaining uninterrupted network service.

DHCP Server high availability for Cisco IOS XE Catalyst SD-WAN devices

DHCP server high availability is a feature on Cisco IOS XE Catalyst SD-WAN devices that

  • configures a DHCP server on two identical Cisco IOS XE Catalyst SD-WAN devices on the LAN side, designating one device as Active and the other as Standby (these Active and Standby roles are equivalent to the redundancy group states for both devices in the high availability setup),

  • ensures IP addresses of DHCP clients are synchronized on both the Active and Standby Cisco IOS XE Catalyst SD-WAN devices, preventing overlapping of IP addresses, and

  • enables the Standby device to take over DHCP server operation if the Active device fails, ensuring a seamless transition and uninterrupted network service.

DHCP server high availability

DHCP server high availability is a feature on Cisco IOS XE Catalyst SD-WAN devices that configures a DHCP server on two Cisco IOS XE Catalyst SD-WAN devices in the same site, with one device designated as Active and the other as Standby. This feature synchronizes DHCP client IP addresses to prevent conflicts and ensures a seamless, uninterrupted failover in the event of an Active device failure.

DHCP server binding synchronization

DHCP server binding synchronization is the process of maintaining consistent DHCP lease information (IP address information) across both Cisco IOS XE Catalyst SD-WAN devices operating in Active and Standby redundancy group states within a high availability setup. This ensures that the Standby device is always aware of the IP addresses leased by the Active device.

Binding synchronization includes:

  • Bulk synchronization: When a Standby Cisco IOS XE Catalyst SD-WAN device comes online or after a failover, it receives a complete copy of all existing DHCP bindings from the Active Cisco IOS XE Catalyst SD-WAN device.

  • Incremental synchronization: Any new DHCP lease, renewal, release, or expiry on the Active Cisco IOS XE Catalyst SD-WAN device is immediately communicated to and updated on the Standby Cisco IOS XE Catalyst SD-WAN device.

This synchronization prevents IP address conflicts and allows clients to seamlessly renew or rebind their existing IP addresses without requiring a fresh DHCP discovery during a failover event.

Virtual Router Redundancy Protocol

Virtual Router Redundancy Protocol (VRRP) provides network redundancy by allowing two or more Cisco IOS XE Catalyst SD-WAN devices to share a single virtual IP address and MAC address. In a DHCP Server high availability deployment, VRRP is used to achieve Active-Standby redundancy between the two Cisco IOS XE Catalyst SD-WAN devices.

  • The VRRP Active Cisco IOS XE Catalyst SD-WAN device handles all traffic for the virtual IP address.

  • In case of a redundancy group failover, the VRRP Standby Cisco IOS XE Catalyst SD-WAN device transitions to Active. VRRP follows the redundancy group state.

  • By default, the redundancy group state does not automatically follow the VRRP state during a LAN-side failover. To ensure coordinated failover, apply the track command under the VRRP-configured LAN interface and associate that tracker with the corresponding redundancy group ID. See Configure DHCP server high availability using CLI template.

Redundancy groups

Redundancy groups are a foundational infrastructure that provides stateful high availability for applications like DHCP. Redundancy groups logically group resources and manage their state (Active or Standby) across redundant devices. For more information about redundancy groups, see Redundancy Groups.

Redundancy group Active-Standby configuration

In a redundancy group Active-Standby configuration:

  • One Cisco IOS XE Catalyst SD-WAN device is designated as the Active device for a specific redundancy group. This device actively processes DHCP requests and manages IP address leases for the DHCP pools associated with that redundancy group.

  • The other Cisco IOS XE Catalyst SD-WAN device acts as the Standby for the same redundancy group. The DHCP server on the Standby device does not process any DHCP packets. Any DHCP packets received by a Standby redundancy group are dropped to prevent duplicate IP assignments.

Redundancy group dual active (Active-Active) configuration allows for load balancing of DHCP services contained in different Service VPNs across multiple Cisco IOS XE Catalyst SD-WAN devices.

  • Administrators can configure different redundancy groups to be Active on different Cisco IOS XE Catalyst SD-WAN devices on a per-VPN or group-of-VPN basis. For example, RG 1 may be Active on device 1 for VPN1, and RG 2 could be Active on device 2 for VPN 2.

  • DHCP pools must be split by configuring pool-level redundancy that indicates which redundancy group a specific DHCP pool belongs to, ensuring that DHCP packets for that pool are processed only when its associated VPNs and redundancy group are Active on the device.

DHCP pool configuration

For DHCP server to function correctly, the same DHCP pool configuration must be present on both Cisco IOS XE Catalyst SD-WAN devices operating in Active and Standby redundancy group states.

  • The ip dhcp pool command is used to configure the DHCP pool.

  • It is a requirement that the identical pool definition (e.g., address range, default router, DNS servers) is configured on both sides.

  • Cisco SD-WAN Manager provides warning messages if it detects that the DHCP pool configuration is not similar on both Cisco IOS XE Catalyst SD-WAN devices.

Benefits of DHCP server high availability on Cisco IOS XE Catalyst SD-WAN devices

This feature provides significant advantages for network administrators and end-users by enhancing the reliability and efficiency of DHCP services.

The DHCP server high availability feature delivers these key benefits:

  • Continuous service: Ensures continuous IP address assignment and renewal for LAN-side clients, even during a device failure, by seamlessly transferring DHCP server operations to the standby device.

  • Seamless failover: Prevents service disruptions for end-users, as clients do not need to perform a fresh DHCP discovery or acquire new IP addresses during a failover, maintaining their existing network connections.

  • No IP duplication: Actively synchronizes DHCP lease information between active and standby devices, preventing the standby device from inadvertently assigning IP addresses already in use, thus avoiding network conflicts.

  • Efficient IP address utilization: Allows the use of a single, shared DHCP pool across redundant devices, maximizing the efficient use of available IP addresses without the need to split pools or reserve addresses for failover scenarios.

Prerequisites for DHCP server high availability for Cisco IOS XE Catalyst SD-WAN devices

To ensure the successful deployment and operation of DHCP Server high availability, you must adhere to the following conditions:

  • Use two Cisco IOS XE Catalyst SD-WAN devices. This feature requires a redundant pair of Cisco IOS XE Catalyst SD-WAN devices. For proper functionality and compatibility, both devices must belong to the same product family. For example: Cisco Catalyst 8300 Series Edge Platforms (C8300-2N2S-4T2X and C8300-1N1S-4T).

  • Configure both the Cisco IOS XE Catalyst SD-WAN devices to be in the controller mode.

  • Configure Firewall high availability on both Cisco IOS XE Catalyst SD-WAN devices. For more information, see Cisco Catalyst SD-WAN Firewall High Availability.

  • Configure VRRP for Active-Standby redundancy. VRRP is essential for managing the LAN-side active and standby roles between the two Cisco IOS XE Catalyst SD-WAN devices.

  • Apply identical DHCP pool server configurations on both Cisco IOS XE Catalyst SD-WAN devices. All relevant DHCP server configurations, including DHCP pool definitions, must be manually configured identically on both the active and standby Cisco IOS XE Catalyst SD-WAN devices.

Restrictions for DHCP server high availability for Cisco IOS XE Catalyst SD-WAN devices

To ensure correct operation and avoid unexpected behavior with DHCP server high availability, observe the following restrictions:

  • DHCP server high availability supports only DHCPv4 deployments in Cisco IOS XE Catalyst SD-WAN devices; DHCPv6 is not supported.

  • Configure DHCP pools identically on both Cisco IOS XE Catalyst SD-WAN devices. Differences between the active and standby DHCP pool definitions can lead to service disruption or incorrect IP assignment. This identical configuration requirement does not apply to standalone DHCP pools (those configured without a redundancy group ID), which need not match on both devices.

  • Different redundancy groups cannot share the same VPN. If a VPN contains multiple VRRP groups, all VRRP groups must belong to the same redundancy group and maintain the same VRRP state in coordination with the redundancy group state.

    For example: If device1 is Active and device2 is Standby for VPNs 10 and 30 as part of redundancy group 1, and device2 is Active and device1 is Standby for VPNs 20 and 40 as part of redundancy group 2, then all VRRP groups in VPNs 10 and 30 should be master on device1, and all VRRP groups in VPNs 20 and 40 should be master on device2.

  • DHCP pools configured without a redundancy group ID are not considered for high availability; they will act as DHCP standalone pools. These pools may issue IP addresses independently from a standby device, potentially causing duplicate IP addresses. In a DHCP server high availability setup, DHCP server processes requests for pools with a defined redundancy group ID when the device is active and its peer is not active.

  • DHCP functionality is unavailable if the redundancy group is down or in a split-brain state.

  • If the Cisco IOS XE Catalyst SD-WAN devices recover from an active-active split-brain scenario, perform a graceful reboot on both devices before leasing any new IP addresses from DHCP pools. This ensures a clean state and prevents potential issues after recovery.

Configure DHCP server high availability

This topic aims to guide network administrators in selecting and utilizing the appropriate method for configuring DHCP server high availability on Cisco IOS XE Catalyst SD-WAN devices.

Configuration Methods

You can configure DHCP Server high availability using one of the following methods:

Configure DHCP server high availability using Cisco SD-WAN Manager

Use this procedure to set up DHCP server high availability on two Cisco IOS XE Catalyst SD-WAN devices, ensuring continuous IP address assignment and seamless failover.

This task outlines the necessary steps to configure a redundant DHCP server setup where one Cisco IOS XE Catalyst SD-WAN device acts as the Active DHCP server and the other as the Standby.

Before you begin

Before you begin, ensure you have completed the following:

  • The two Cisco IOS XE Catalyst SD-WAN devices are physically connected, are of the same product family and reachable by Cisco SD-WAN Manager.

Complete these steps to configure DHCP server high availability:

Procedure


Step 1

Create a Configuration Group for DHCP server high availability.

To create a configuration group, see Create Configuration Group for High Availability.

Step 2

Create an Interconnect interface for high availability.

The interconnect interface is essential for state synchronization of high-availability services, including DHCP server, firewall, and NAT, across the two Cisco IOS XE Catalyst SD-WAN devices. It supports configuration as either a physical interface or a port channel. To create an Interconnect interface, see Create an Interconnect Interface for High Availability.

Step 3

Define a Service Profile in the configuration group for high availability.

Within the Service Profile, configure the Service VPN(s) where your DHCP clients reside. This ensures that the DHCP clients are part of a defined network segment that can receive IP addresses from the HA DHCP server. For more information about creating VPNs in the Service Profile, see Service VPN.

Step 4

Configure Dual Router high availability to create redundancy groups.

For information about configuring Dual Router high availability, see Configure High Availability.

Step 5

Configure a DHCP server for the active Cisco IOS XE Catalyst SD-WAN device.

Define the DHCP pool. This associates the DHCP pool with the high availability redundancy group. Without this, the pool will not participate in high availability, and will simply act as a standalone DHCP pool.

The DHCP HA for dual home edges option activates the DHCP server high availability feature for a pair of redundant Cisco IOS XE Catalyst SD-WAN devices. This ensures DHCP server state synchronization between the active and standby devices, providing uninterrupted IP address assignment and preventing IP conflicts during failover.

For information about creating a new DHCP server, see DHCP Server.

Step 6

Define identical DHCP server configuration for standby Cisco IOS XE Catalyst SD-WAN device.

Choose the same DHCP pool that you configured for the active device in the previous step.

It is critical that the DHCP pool configuration, including the redundancy group ID, is identical on both devices to prevent configuration mismatches and ensure seamless failover.

Step 7

Configure VRRP on the LAN interfaces of both Cisco IOS XE Catalyst SD-WAN devices within the Service VPN where DHCP clients are present.

VRRP provides the virtual IP address that DHCP clients will use as their default gateway and destination for DHCP requests. For information about configuring VRRP for high availability, see Configure VRRP for Cisco Catalyst SD-WAN High Availability.

Step 8

Configure the redundancy groups to follow VRRP. This configuration is applied with the track command in the CLI add-on template.

Add these commands to the CLI add-on template. See Configure DHCP server high availability using CLI template.

track 44 interface GigabitEthernet3 line-protocol
track 55 interface GigabitEthernet5 line-protocol

For redundancy group 1, add this command:

group 1
   track 44 decrement 20
   name dhcp_sync_portchannel
   control TenGigabitEthernet0/0/2 protocol 1
   data TenGigabitEthernet0/0/2
   timers delay 10 reload 180
   track-enable 1

For redundancy group 2, add this command:

group 2
   track 55 decrement 20
   name dhcp_sync_portchannel_2
   control TenGigabitEthernet0/0/2 protocol 1
   data TenGigabitEthernet0/0/2
   timers delay 10 reload 180
   track-enable 2

Step 9

Configure the timers delay and reload values for both redundancy groups.

These commands are essential for preventing service disruption during hardware failover. This configuration is applied with the timers command in the CLI add-on template.

Add these commands using the CLI add-on template. See Configure DHCP server high availability using CLI template.

For redundancy group 1, add this command:

group 1
   track 44 decrement 20
   name dhcp_sync_portchannel
   control TenGigabitEthernet0/0/2 protocol 1
   data TenGigabitEthernet0/0/2
   timers delay 10 reload 180
   track-enable 1

For redundancy group 2, add this command:

group 2
   track 55 decrement 20
   name dhcp_sync_portchannel_2
   control TenGigabitEthernet0/0/2 protocol 1
   data TenGigabitEthernet0/0/2
   timers delay 10 reload 180
   track-enable 2

The DHCP server high availability configuration for your Cisco IOS XE Catalyst SD-WAN devices is now fully defined within Cisco SD-WAN Manager.

What to do next

  • Deploy the configuration group. See Deploy a configuration group.

  • Verify the DHCP server status and redundancy group states on both Cisco IOS XE Catalyst SD-WAN devices using relevant show commands (e.g., show ip dhcp server binding, show redundancy application group, show ip interface brief, show vrrp brief). For more information, see Verify high availability.

Configure DHCP server high availability using CLI template

Use this procedure to create a CLI template for configuring DHCP server high availability on Cisco IOS XE Catalyst SD-WAN devices, enabling redundant DHCP services and seamless failover.

This task provides the necessary CLI commands to define DHCP pools, configure network interfaces with VRRP, and set up redundancy groups that enable high availability for DHCP services. This template should be applied to both the active and standby Cisco IOS XE Catalyst SD-WAN devices, with minor adjustments for device-specific IP addresses.

Before you begin

The two Cisco IOS XE Catalyst SD-WAN devices are physically connected, are of the same product family and reachable by Cisco SD-WAN Manager.

Complete these steps to create and apply the CLI template for DHCP server high availability:

Procedure


Step 1

Configure the redundancy groups, a prerequisite, for DHCP synchronization.

Define the redundancy groups that will manage the high availability state for your DHCP services.


track 44 interface GigabitEthernet3 line-protocol
track 55 interface GigabitEthernet5 line-protocol
redundancy
 application redundancy
  group 1
   track 44 decrement 20
   name dhcp_sync_portchannel
   control TenGigabitEthernet0/0/2 protocol 1
   data         TenGigabitEthernet0/0/2
   timers delay 10 reload 180
   track-enable 1
  !
  group 2
   track 55 decrement 20
   name dhcp_sync_portchannel_2
   control TenGigabitEthernet0/0/2 protocol 1
   data         TenGigabitEthernet0/0/2
   timers delay 10 reload 180
   track-enable 2
  !
 !
!

The control and data interfaces (e.g., TenGigabitEthernet0/0/2) are the dedicated interconnect interfaces for high availability communication. The track-enable command links the redundancy group state to features like VRRP to enable VRRP to follow the redundancy group state.

To ensure redundancy groups follow VRRP on the LAN side, use the track command.

The track 44 and track 55 commands each define a tracking object. GigabitEthernet3 is the LAN-facing interface where VRRP is configured.

The track 44 decrement 20 and track 55 decrement 20 commands configured under each redundancy group link the tracking objects to the redundancy groups.

The timers command, with its delay and reload values, is essential for preventing service disruption during hardware failover.

Redundancy groups 1 and 2 are defined for application redundancy.

Step 2

Configure the LAN interfaces with VRRP.

Configure the interfaces connected to your DHCP clients, assigning them an IP address, associating them with a VRF, and setting up VRRP with a virtual IP address.

interface TenGigabitEthernet0/0/6
 no shutdown
 vrf forwarding 2
 ip address 56.0.1.18 255.0.0.0
 speed 1000
 vrrp 1 address-family ipv4
  address 56.0.1.100 primary
  track 2 decrement 10
  exit-vrrp
exit

interface TenGigabitEthernet0/1/3
 no shutdown
 arp timeout 1200
 vrf forwarding 1
 ip address 10.20.24.18 255.255.0.0
 no ip redirects
 ip mtu    1500
 load-interval 30
 mtu           1500
 speed 1000
 vrrp 2 address-family ipv4
  address 10.20.24.100 secondary
  track 1 decrement 10
  exit-vrrp
exit

  • Adjust the ip address for each interface to match the local device's configuration.

  • VRRP provides a virtual IP address that DHCP clients use for their default gateway, making the active and standby devices appear as one.

LAN interfaces are configured with IP addresses, VRFs, and VRRP, ready to serve DHCP clients.

Step 3

Configure the DHCP pools and associate them with redundancy groups.

Define your DHCP pools, specifying the network, VRF, lease time, and the redundancy group ID.

ip dhcp pool pool1
 network 10.20.0.0 255.255.0.0
 vrf        1
 lease 0 0 6
 redundancy 1
exit
ip dhcp pool pool2
 network 56.0.0.0 255.0.0.0
 vrf        2
 default-router 56.0.1.100
 redundancy 2

The redundancy command within the DHCP pool configuration links the pool to a specific redundancy group, making it aware of high-availability.

DHCP pools are defined and associated with their respective redundancy groups for high availability.


Upon successful completion of this task, the DHCP server high availability configuration template will be applied to your Cisco IOS XE Catalyst SD-WAN device. This configuration enables redundant DHCP services, ensuring continuous IP address assignment and seamless client transitions even in the event of a device failure.

What to do next

  • Apply this identical configuration to the peer Cisco IOS XE Catalyst SD-WAN device. Ensure that device-specific IP addresses (e.g., ip address on interfaces) are defined appropriately for the peer device.

  • Verify the DHCP server status and redundancy group states on both Cisco IOS XE Catalyst SD-WAN devices using relevant show commands (e.g., show ip dhcp server binding, show redundancy application group, show ip interface brief, show vrrp brief). For more information, see Verify high availability.
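
A pre-deployment check for the identical-pool requirement and the pool restrictions above, as an added example (not Cisco code): it parses the ip dhcp pool stanzas from both peers' configurations, reports HA pools that differ or exist on one peer only, lists standalone pools, and flags a VRF whose pools belong to more than one redundancy group. The sample configurations, the guest and pool3 pools, and all function names are constructed for illustration.

```python
import re

# Constructed running-config fragment for the active peer (not real device output).
ACTIVE_CFG = """\
ip dhcp pool pool1
 network 10.20.0.0 255.255.0.0
 vrf        1
 lease 0 0 6
 redundancy 1
exit
ip dhcp pool pool2
 network 56.0.0.0 255.0.0.0
 vrf        2
 default-router 56.0.1.100
 redundancy 2
exit
ip dhcp pool guest
 network 192.0.2.0 255.255.255.0
 vrf 2
exit
"""
# Constructed standby: pool1 lease drifted, and a hypothetical pool3 replaces guest,
# which places VRF 2 in a second redundancy group.
STANDBY_CFG = ACTIVE_CFG.replace("lease 0 0 6", "lease 0 0 8").replace(
    "ip dhcp pool guest\n network 192.0.2.0 255.255.255.0\n vrf 2\nexit\n",
    "ip dhcp pool pool3\n network 198.51.100.0 255.255.255.0\n vrf 2\n redundancy 1\nexit\n")


def parse_pools(cfg):
    """Return {pool_name: set of normalised option lines} for each 'ip dhcp pool'."""
    pools, current = {}, None
    for raw in cfg.splitlines():
        line = " ".join(raw.split())              # collapse IOS column padding
        m = re.match(r"ip dhcp pool (\S+)$", line)
        if m:
            current = pools.setdefault(m.group(1), set())
        elif not raw.startswith(" "):             # 'exit', '!' or another top-level line
            current = None
        elif current is not None:
            current.add(line)
    return pools


def option(lines, key):
    """Value of a single-valued pool option such as 'vrf' or 'redundancy'."""
    for line in lines or ():
        if line.startswith(key + " "):
            return line[len(key) + 1:]
    return None


def audit(active_cfg, standby_cfg):
    """Return a list of finding tuples; HA pools are consistent when none apply."""
    cfgs = {"active": parse_pools(active_cfg), "standby": parse_pools(standby_cfg)}
    a, b = cfgs["active"], cfgs["standby"]
    findings = []
    for name in sorted(set(a) | set(b)):
        la, lb = a.get(name), b.get(name)
        if not (option(la, "redundancy") or option(lb, "redundancy")):
            findings.append(("standalone", name))   # not synchronised, need not match
        elif la is None or lb is None:
            findings.append(("missing", name, "active" if la is None else "standby"))
        elif la != lb:
            findings.append(("mismatch", name, sorted(la ^ lb)))
    for device, pools in cfgs.items():
        groups_by_vrf = {}
        for lines in pools.values():
            vrf, rg = option(lines, "vrf"), option(lines, "redundancy")
            if vrf and rg:
                groups_by_vrf.setdefault(vrf, set()).add(rg)
        for vrf, rgs in sorted(groups_by_vrf.items()):
            if len(rgs) > 1:                        # one VPN in two redundancy groups
                findings.append(("vrf_shared", device, vrf, sorted(rgs)))
    return findings


if __name__ == "__main__":
    for finding in audit(ACTIVE_CFG, STANDBY_CFG):
        print(finding)
```
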

Verify high availability

This section provides commands for verifying the high availability feature.

show ip dhcp binding

This command displays the DHCP bindings (IP address, client MAC address, lease expiration, type) currently known by the DHCP server.

Execute this command on both the active and standby Cisco IOS XE Catalyst SD-WAN devices. The output should show identical IP address assignments and DHCP information on both devices, confirming successful synchronization of DHCP state.

Device# show ip dhcp binding 
Bindings from all pools not associated with VRF:
IP address      Client-ID/ 		Lease expiration 	Type       State      Interface
		Hardware address/
		User name

Bindings from VRF pool 1:
IP address      Client-ID/ 		Lease expiration 	Type       State      Interface
		Hardware address/
		User name
10.20.93.203    0063.6973.636f.2d35.    Sep 04 2025 09:47 AM    Automatic  Active     FortyGigabitEthernet0/2/0
                3235.342e.3030.6661.
                2e38.6161.302d.4769.
                33
10.20.93.236    000c.2900.77a5          Sep 04 2025 09:46 AM    Automatic  Active     FortyGigabitEthernet0/2/0
10.20.93.237    000c.2900.77a6          Sep 04 2025 09:46 AM    Automatic  Active     FortyGigabitEthernet0/2/0
10.20.93.238    000c.2900.77a7          Sep 04 2025 09:46 AM    Automatic  Active     FortyGigabitEthernet0/2/0
10.20.93.239    000c.2900.77a8          Sep 04 2025 09:46 AM    Automatic  Active     FortyGigabitEthernet0/2/0
10.20.93.240    000c.2900.77a9          Sep 04 2025 09:46 AM    Automatic  Active     FortyGigabitEthernet0/2/0
10.20.93.241    000c.2900.77aa          Sep 04 2025 09:46 AM    Automatic  Active     FortyGigabitEthernet0/2/0
10.20.93.242    000c.2900.77ab          Sep 04 2025 09:46 AM    Automatic  Active     FortyGigabitEthernet0/2/0
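
One way to automate the side-by-side comparison described above, as an added example (not Cisco code): it parses show ip dhcp binding text from both devices, rejoins client IDs that wrap across lines, and reports addresses missing on either side or bound to different clients. The sample output is constructed in the format shown above, and the function names are illustrative.

```python
import re

IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
HEX = re.compile(r"^[0-9a-f.]+$")     # wrapped client-ID continuation chunk

# Constructed sample in the layout of 'show ip dhcp binding' (not captured output).
ACTIVE_OUT = """\
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type       State      Interface
                Hardware address/
                User name

Bindings from VRF pool 1:
IP address      Client-ID/              Lease expiration        Type       State      Interface
                Hardware address/
                User name
10.20.93.203    0063.6973.636f.2d35.    Sep 04 2025 09:47 AM    Automatic  Active     FortyGigabitEthernet0/2/0
                3235.342e.3030.6661.
                33
10.20.93.236    000c.2900.77a5          Sep 04 2025 09:46 AM    Automatic  Active     FortyGigabitEthernet0/2/0
10.20.93.237    000c.2900.77a6          Sep 04 2025 09:46 AM    Automatic  Active     FortyGigabitEthernet0/2/0
"""
# Constructed standby view: one binding absent, one bound to a different client.
STANDBY_OUT = "\n".join(
    l for l in ACTIVE_OUT.replace("000c.2900.77a5", "000c.2900.77ff").splitlines()
    if not l.startswith("10.20.93.237"))


def parse_bindings(output):
    """Return {(section, ip): client_id} from 'show ip dhcp binding' text."""
    bindings, section, last = {}, None, None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Bindings from"):
            section, last = line.rstrip(":"), None
            continue
        cols = re.split(r"\s{2,}|\t+", line)
        if len(cols) >= 2 and IP.match(cols[0]):
            last = (section, cols[0])
            bindings[last] = cols[1]
        elif last and HEX.match(line):
            bindings[last] += line            # client ID continues on this line
        else:
            last = None                       # header, blank or unrelated line
    return bindings


def compare(active_out, standby_out):
    """Summarise binding differences between the active and standby devices."""
    a, s = parse_bindings(active_out), parse_bindings(standby_out)
    return {
        "missing_on_standby": sorted(ip for _, ip in a.keys() - s.keys()),
        "missing_on_active": sorted(ip for _, ip in s.keys() - a.keys()),
        "client_mismatch": sorted(k[1] for k in a.keys() & s.keys() if a[k] != s[k]),
    }


if __name__ == "__main__":
    print(compare(ACTIVE_OUT, STANDBY_OUT))
```
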

show redundancy application group

This command provides the status of the configured redundancy groups, including their ID, local state (active or standby), and the state of the peer device.

The sample output indicates that for this specific device:

  • Redundancy group 1 (named dhcp_sync_portchannel) is currently in the STANDBY state. This means the DHCP pools associated with redundancy 1 for the corresponding associated Service VPN(s) are not actively processing requests on this device.

  • Redundancy group 2 (named dhcp_sync_portchannel_2) is currently in the ACTIVE state. This means the DHCP pools associated with redundancy 2 for the corresponding associated Service VPN(s) are actively processing requests on this device.

Device# show redundancy application group
Group ID    Group Name                      State
--------    ----------                      -----
1           dhcp_sync_portchannel          STANDBY
2           dhcp_sync_portchannel_2        ACTIVE

show vrrp brief

This command displays a concise summary of the VRRP groups configured on the device, including the interface, group ID, priority, and current state (Master or Backup).

The sample output displays the VRRP status for this device:

  • Interface Te0/0/12, VRRP Group 2: This device is in the MASTER state for VRRP Group 2. This means it is currently handling traffic for the virtual IP address 10.20.24.100 on this interface. The Master addr shows 10.20.24.16(local), confirming this device is the active VRRP router for this group.

  • Interface Te0/0/15, VRRP Group 1: This device is in the BACKUP state for VRRP Group 1. This means it is ready to take over if the current master fails for the virtual IP address 56.0.1.100 on this interface. The Master addr of 56.0.1.18 indicates that the peer device is currently the VRRP Master for this group.

Device# show vrrp brief
  Interface          Grp  A-F Pri  Time Own Pre State   Master addr/Group addr
  Te0/0/12             2 IPv4 100     0  N   Y  MASTER  10.20.24.16(local) 10.20.24.100
  Te0/0/15             1 IPv4  30  3882  N   Y  BACKUP  56.0.1.18 56.0.1.100