Configuring DHCP
This chapter describes how to configure the DHCP server and includes the following sections:
Information About DHCP
The DHCP Relay Agent sends Dynamic Host Configuration Protocol (DHCP) messages between DHCP clients and servers on different IP networks. DHCP provides network configuration parameters, such as IP addresses, to DHCP clients. The ASA can provide a DHCP server or DHCP relay service to DHCP clients attached to ASA interfaces. The DHCP server provides network configuration parameters directly to DHCP clients. The DHCP relay service sends DHCP requests received on one interface to an external DHCP server located on a different interface.
A client locates a DHCP server to request the assignment of configuration information using a reserved, link-scoped multicast address, which indicates that the client and server should be attached to the same link. However, in some cases where ease of management, economy, or scalability is the concern, we recommend that you allow a DHCP client to send a message to a server that is not connected to the same link. The DHCP relay agent, which may reside on the client network, can relay messages between the client and server. The relay agent operation is transparent to the client.
DHCP for IPv6 (DHCPv6) specified in RFC 3315 enables IPv6 DHCP servers to send configuration parameters such as network addresses or prefixes and DNS server addresses to IPv6 nodes (that is, DHCP clients). DHCPv6 uses the following multicast addresses:
- All_DHCP_Relay_Agents_and_Servers (FF02::1:2) is a link-scoped multicast address used by a client to communicate with neighboring (that is, on-link) relay agents and servers. All DHCPv6 servers and relay agents are members of this multicast group.
- The DHCPv6 relay service and server listen for messages on UDP port 547. The ASA DHCPv6 relay agent listens on both UDP port 547 and the All_DHCP_Relay_Agents_and_Servers multicast address.
Licensing Requirements for DHCP
Table 1-1 shows the licensing requirements for DHCP.
Table 1-1 Licensing Requirements
For the ASA 5505, the maximum number of DHCP client addresses varies depending on the license:
- If the limit is 10 hosts, the maximum available DHCP pool is 32 addresses.
- If the limit is 50 hosts, the maximum available DHCP pool is 128 addresses.
- If the number of hosts is unlimited, the maximum available DHCP pool is 256 addresses.
Note
The ASA 5505 ships with a 10-user license.
Guidelines and Limitations
Use the following guidelines to configure the DHCP server:
- You can configure only one DHCP server on each interface of the ASA. Each interface can have its own pool of addresses to use. However the other DHCP settings, such as DNS servers, domain name, options, ping timeout, and WINS servers, are configured globally and used by the DHCP server on all interfaces.
- You cannot configure a DHCP client or DHCP relay service on an interface on which the server is enabled. Additionally, DHCP clients must be directly connected to the interface on which the server is enabled.
- The ASA does not support QIP DHCP servers for use with the DHCP proxy service.
- The relay agent cannot be enabled if the DHCP server is also enabled.
- The ASA DHCP server does not support BOOTP requests. In multiple context mode, you cannot enable the DHCP server or DHCP relay service on an interface that is used by more than one context.
- When it receives a DHCP request, the ASA sends a discovery message to the DHCP server. This message includes the IP address (within a subnetwork) that was configured with the dhcp-network-scope command in the group policy. If the server has an address pool that falls within that subnetwork, the server sends the offer message with the pool information to the IP address—not to the source IP address of the discovery message.
For example, if the server has a pool in the range of 209.165.200.225 to 209.165.200.254, mask 255.255.255.0, and the IP address specified by the dhcp-network-scope command is 209.165.200.1, the server sends that pool in the offer message to the ASA.
Use the following guidelines to configure the DHCP relay service:
- DHCP clients must be directly connected to the ASA and cannot send requests through another relay agent or a router.
- For multiple context mode, you cannot enable DHCP relay service on an interface that is used by more than one context.
- The DHCP relay service is not available in transparent firewall mode. An ASA in transparent firewall mode only allows ARP traffic through; all other traffic requires an access list. To allow DHCP requests and replies through the ASA in transparent firewall mode, you must configure two access lists: one that allows DHCP requests from the inside interface to the outside, and one that allows the replies from the server in the other direction.
- When the DHCP relay service is enabled and more than one DHCP relay server is defined, the ASA forwards client requests to each defined DHCP relay server. Replies from the servers are also forwarded to the client until the client DHCP relay binding is removed. The binding is removed when the ASA receives any of the following DHCP messages: ACK, NACK, or decline.
- You cannot enable DHCP relay service on an interface running as a DHCP proxy service. You must remove the VPN DHCP configuration first or an error message appears. This error occurs if both DHCP relay and DHCP proxy services are enabled. Make sure that either the DHCP relay or DHCP proxy service is enabled, but not both.
Firewall Mode Guidelines
Supported in routed firewall mode.
Not supported in transparent firewall mode.
Context Mode Guidelines
Supported in single and multiple context mode.
Failover Guidelines
Supports Active/Active and Active/Standby failover.
IPv6 Guidelines
Supports IPv6.
Configuring a DHCP Server
This section describes how to configure a DHCP server provided by the ASA and includes the following topics:
Enabling the DHCP Server
To enable the DHCP server on an ASA interface, perform the following steps:
Step 1
Command: dhcpd address ip_address-ip_address interface_name
Example: hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 inside
Purpose: Creates a DHCP address pool. The ASA assigns a client one of the addresses from this pool to use for a given period of time. These addresses are the local, untranslated addresses for the directly connected network. The address pool must be on the same subnet as the ASA interface.
Step 2
Command: dhcpd dns dns1 [dns2]
Example: hostname(config)# dhcpd dns 209.165.201.2 209.165.202.129
Purpose: (Optional) Specifies the IP address(es) of the DNS server(s).
Step 3
Command: dhcpd wins wins1 [wins2]
Example: hostname(config)# dhcpd wins 209.165.201.5
Purpose: (Optional) Specifies the IP address(es) of the WINS server(s). You can specify up to two WINS servers.
Step 4
Command: dhcpd lease lease_length
Example: hostname(config)# dhcpd lease 3000
Purpose: (Optional) Changes the lease length granted to the client. The lease length is the number of seconds that the client can use its allocated IP address before the lease expires. Enter a value from 0 to 1,048,575. The default value is 3600 seconds.
Step 5
Command: dhcpd domain domain_name
Example: hostname(config)# dhcpd domain example.com
Purpose: (Optional) Configures the domain name.
Step 6
Command: dhcpd ping timeout milliseconds
Example: hostname(config)# dhcpd ping timeout 20
Purpose: (Optional) Configures the DHCP ping timeout value, in milliseconds, for ICMP packets. To avoid address conflicts, the ASA sends two ICMP ping packets to an address before assigning that address to a DHCP client.
Step 7
Command: dhcpd option 3 ip gateway_ip
Example: hostname(config)# dhcpd option 3 ip 10.10.1.1
Purpose: Defines a default gateway that is sent to DHCP clients. If you do not define the default gateway with the dhcpd option 3 command, the DHCP ACK does not include this option and DHCP clients use the IP address of the management interface, which does not route traffic.
Step 8
Command: dhcpd enable interface_name
Example: hostname(config)# dhcpd enable outside
Purpose: Enables the DHCP daemon within the ASA to listen for DHCP client requests on the enabled interface.
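As an added example (not from the Cisco guide), the following Python check applies the constraints of this procedure and of the licensing section to a planned dhcpd stanza before it is entered: the pool must sit on the interface subnet, stay within the ASA 5505 pool limit for the license, the lease must be within 0 to 1,048,575 seconds, and the interface must not also carry dhcprelay. The interface prefix notation, the host_limit parameter and the function names are assumptions.

```python
import ipaddress

# Maximum dhcpd pool size per ASA 5505 license tier (10 hosts, 50 hosts, unlimited).
POOL_LIMIT_5505 = {10: 32, 50: 128, None: 256}
LEASE_MAX = 1_048_575  # upper bound of dhcpd lease, in seconds


def parse_pool(pool):
    """Split a dhcpd address range such as '10.0.1.101-10.0.1.110' into two addresses."""
    first, last = (ipaddress.IPv4Address(p.strip()) for p in pool.split("-", 1))
    if last < first:
        raise ValueError(f"pool end {last} precedes pool start {first}")
    return first, last


def check_dhcpd(interface_ip, pool, lease=3600, host_limit=None,
                relay_ifaces=(), iface="inside"):
    """Check a planned dhcpd stanza against the guidelines in this chapter.

    interface_ip  address/prefix of the interface on which dhcpd enable is set
    pool          the dhcpd address range for that interface
    host_limit    ASA 5505 license host limit: 10, 50 or None (unlimited)
    relay_ifaces  interfaces that already carry dhcprelay enable
    Returns a list of violations; an empty list means the stanza is acceptable.
    """
    problems = []
    net = ipaddress.IPv4Interface(interface_ip).network
    first, last = parse_pool(pool)
    # The address pool must be on the same subnet as the ASA interface.
    if first not in net or last not in net:
        problems.append(f"pool {pool} is not within interface subnet {net}")
    # The pool may not exceed what the license allows.
    size = int(last) - int(first) + 1
    limit = POOL_LIMIT_5505[host_limit]
    if size > limit:
        problems.append(f"pool of {size} addresses exceeds the {limit}-address limit")
    # dhcpd lease accepts 0 to 1,048,575 seconds.
    if not 0 <= lease <= LEASE_MAX:
        problems.append(f"lease {lease} is outside 0-{LEASE_MAX} seconds")
    # The relay agent and the server cannot both be enabled on one interface.
    if iface in relay_ifaces:
        problems.append(f"dhcprelay and dhcpd cannot both be enabled on {iface}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the chapter's own pool on a /24 inside interface.
    print(check_dhcpd("10.0.1.1/24", "10.0.1.101-10.0.1.110", lease=3000))
    print(check_dhcpd("10.0.1.1/24", "10.0.1.101-10.0.1.140", host_limit=10,
                      relay_ifaces=("inside",)))
```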
Configuring DHCP Options
The ASA supports the DHCP options listed in RFC 2132 to send information.
This section includes the following topics:
To configure a DHCP option, enter one of the following commands:
Options that Return an IP Address
Command: dhcpd option code ip addr_1 [addr_2]
Example: hostname(config)# dhcpd option 2 ip 10.10.1.1 10.10.1.2
Purpose: Configures a DHCP option that returns one or two IP addresses.
Options that Return a Text String
Command: dhcpd option code ascii text
Example: hostname(config)# dhcpd option 2 ascii examplestring
Purpose: Configures a DHCP option that returns a text string.
Options that Return a Hexadecimal Value
Command: dhcpd option code hex value
Example: hostname(config)# dhcpd option 2 hex 22.0011.01.FF1111.00FF.0000.AAAA.1111.1111.1111.11
Purpose: Configures a DHCP option that returns a hexadecimal value.
Note
The ASA does not verify that the option type and value that you provide match the expected type and value for the option code as defined in RFC 2132. For example, you can enter the dhcpd option 46 ascii hello command, and the ASA accepts the configuration, although option 46 is defined in RFC 2132 to expect a single-digit, hexadecimal value. For more information about option codes and their associated types and expected values, see RFC 2132.
Table 1-2 shows the DHCP options that are not supported by the dhcpd option command.
Table 1-2 Unsupported DHCP Options
Option Code | Description
0 | DHCPOPT_PAD
1 | DHCPOPT_SUBNET_MASK
12 | DHCPOPT_HOST_NAME
50 | DHCPOPT_REQUESTED_ADDRESS
51 | DHCPOPT_LEASE_TIME
52 | DHCPOPT_OPTION_OVERLOAD
53 | DHCPOPT_MESSAGE_TYPE
54 | DHCPOPT_SERVER_IDENTIFIER
58 | DHCPOPT_RENEWAL_TIME
59 | DHCPOPT_REBINDING_TIME
61 | DHCPOPT_CLIENT_IDENTIFIER
67 | DHCPOPT_BOOT_FILE_NAME
82 | DHCPOPT_RELAY_INFORMATION
255 | DHCPOPT_END
DHCP options 3, 66, and 150 are used to configure Cisco IP phones. For more information about configuring these options, see the “Using Cisco IP Phones with a DHCP Server” section.
Using Cisco IP Phones with a DHCP Server
Cisco IP phones download their configuration from a TFTP server. When a Cisco IP phone starts, if it does not have both the IP address and TFTP server IP address preconfigured, it sends a request with option 150 or 66 to the DHCP server to obtain this information.
- DHCP option 150 provides the IP addresses of a list of TFTP servers.
- DHCP option 66 gives the IP address or the hostname of a single TFTP server.
Note
Cisco IP phones can also include DHCP option 3 in their requests, which sets the default route.
A single request might include both options 150 and 66. In this case, the ASA DHCP server provides values for both options in the response if they are already configured on the ASA.
To send information to use for any option number, enter the following command:
Command: dhcpd option number value
Example: hostname(config)# dhcpd option 2
Purpose: Provides information for DHCP requests that include an option number as specified in RFC 2132.
To send information to use for option 66, enter the following command:
Command: dhcpd option 66 ascii server_name
Example: hostname(config)# dhcpd option 66 ascii exampleserver
Purpose: Provides the IP address or name of a TFTP server for option 66.
To send information to use for option 150, enter the following command:
Command: dhcpd option 150 ip server_ip1 [server_ip2]
Example: hostname(config)# dhcpd option 150 ip 10.10.1.1
Purpose: Provides the IP addresses or names of one or two TFTP servers for option 150. server_ip1 is the primary TFTP server and server_ip2 is the secondary TFTP server. A maximum of two TFTP servers can be identified using option 150.
To send information to use for option 3, enter the following command:
Command: dhcpd option 3 ip router_ip1
Example: hostname(config)# dhcpd option 3 ip 10.10.1.1
Purpose: Sets the default route.
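The following added Python example (not Cisco's code) serves both the dhcpd option forms in the previous section and the IP phone options 66 and 150 above: it encodes a dhcpd option line into the RFC 2132 code/length/value bytes, rejects the Table 1-2 codes, and reports the type and length mismatches that, as the Note says, the ASA itself does not check. The EXPECTED table covers only a handful of codes and is an assumption, as are the function names.

```python
import ipaddress

# Option codes the dhcpd option command rejects (Table 1-2).
UNSUPPORTED = {0, 1, 12, 50, 51, 52, 53, 54, 58, 59, 61, 67, 82, 255}

# Encoding each code is defined to carry: (ASA keyword, fixed length or None).
# Codes 2, 3, 6, 15, 46 and 66 follow RFC 2132; 150 is the Cisco TFTP server list.
EXPECTED = {
    2: ("hex", 4),        # Time Offset: 4-byte signed integer
    3: ("ip", None),      # Router: list of IPv4 addresses
    6: ("ip", None),      # Domain Name Server
    15: ("ascii", None),  # Domain Name
    46: ("hex", 1),       # NetBIOS over TCP/IP Node Type: one byte
    66: ("ascii", None),  # TFTP server name
    150: ("ip", None),    # TFTP server addresses
}


def encode_option(code, kind, value):
    """Encode 'dhcpd option <code> <ip|ascii|hex> <value>' as an RFC 2132 TLV.
    Returns (tlv_bytes, warnings); raises ValueError for codes dhcpd option rejects.
    """
    if code in UNSUPPORTED:
        raise ValueError(f"option {code} cannot be set with dhcpd option")
    if kind == "ip":
        addrs = value.split()
        if not 1 <= len(addrs) <= 2:
            raise ValueError("the ip form takes one or two addresses")
        payload = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    elif kind == "ascii":
        payload = value.encode("ascii")
    elif kind == "hex":
        payload = bytes.fromhex(value.replace(".", ""))  # dotted hex groups
    else:
        raise ValueError(f"unknown option form {kind!r}")
    if not 1 <= len(payload) <= 255:
        raise ValueError("option data must be 1 to 255 bytes")
    warnings = []  # mismatches the ASA accepts silently
    if code in EXPECTED:
        want_kind, want_len = EXPECTED[code]
        if kind != want_kind:
            warnings.append(f"option {code} expects {want_kind} data, got {kind}")
        if want_len is not None and len(payload) != want_len:
            warnings.append(f"option {code} expects {want_len} byte(s), got {len(payload)}")
    return bytes([code, len(payload)]) + payload, warnings


def phone_reply(configured, requested):
    """Concatenate the TLVs a phone asked for (e.g. 150 and 66) that are configured."""
    return b"".join(configured[c] for c in requested if c in configured)
```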
Configuring the DHCP Relay Service
To configure the DHCP relay service, perform the following steps:
Step 1
Command: dhcprelay server ip_address if_name
Example: hostname(config)# dhcprelay server 201.168.200.4 outside
Purpose: Specifies the IP address of a DHCP server on a different interface from the DHCP client. You can use this command up to ten times to identify up to ten servers.
Step 2
Command: dhcprelay enable interface
Example: hostname(config)# dhcprelay enable inside
Purpose: Enables DHCP relay service on the interface connected to the clients.
Step 3
Command: dhcprelay timeout seconds
Example: hostname(config)# dhcprelay timeout 25
Purpose: (Optional) Sets the number of seconds allowed for relay address handling.
Step 4
Command: dhcprelay setroute interface_name
Example: hostname(config)# dhcprelay setroute inside
Purpose: (Optional) Changes the first default router address in the packet sent from the DHCP server to the address of the ASA interface. This action allows the client to set its default route to point to the ASA even if the DHCP server specifies a different router. If there is no default router option in the packet, the ASA adds one containing the interface address.
To configure the DHCPv6 relay service, perform the following steps:
Step 1
Command: ipv6 dhcprelay server ipv6_address [interface]
Example: hostname(config)# ipv6 dhcprelay server 3FFB:C00:C18:6:A8BB:CCFF:FE03:2701
Purpose: Specifies the IPv6 DHCP server destination address to which client messages are forwarded. The ipv6_address argument can be a link-scoped unicast, multicast, site-scoped unicast, or global IPv6 address. Unspecified, loopback, and node-local multicast addresses are not allowed as the relay destination. The optional interface argument specifies the output interface for a destination. Client messages are forwarded to the destination address through the link to which the output interface is connected. If the specified address is a link-scoped address, then you must specify the interface. You can configure up to ten servers per context.
Step 2
Command: ipv6 dhcprelay enable interface
Example: hostname(config)# ipv6 dhcprelay enable inside
Purpose: Enables DHCPv6 relay service on an interface. When the service is enabled, an incoming DHCPv6 message from a client on the interface, which may have been relayed by another relay agent, is forwarded to all configured relay destinations through all configured outgoing links. For multiple context mode, you cannot enable DHCP relay on an interface that is used by more than one context (that is, a shared interface).
Step 3
Command: ipv6 dhcprelay timeout seconds
Example: hostname(config)# ipv6 dhcprelay timeout 25
Purpose: (Optional) Specifies the amount of time in seconds that is allowed for responses from the DHCPv6 server to pass to the DHCPv6 client through the relay binding for relay address handling. Valid values for the seconds argument range from 1 to 3600. The default is 60 seconds.
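As an added example that is not part of this guide, the Python model below mirrors the DHCPv4 relay behaviour described in the guidelines and in the dhcprelay steps above: a client request is copied to every configured server (at most ten), replies are relayed only while a client binding exists, an ACK, NAK or decline removes that binding, and with setroute the ASA interface address becomes the first router in option 3 (added if the server sent none). The message dictionaries, addresses and class and method names are constructed for illustration.

```python
from dataclasses import dataclass, field

MAX_SERVERS = 10                   # dhcprelay server may be entered up to ten times
SERVER_CLOSERS = {"ACK", "NAK"}    # server replies that end the client's relay binding


@dataclass
class DhcpRelay:
    interface_ip: str              # address of the interface with dhcprelay enable
    setroute: bool = False         # dhcprelay setroute configured for that interface
    servers: list = field(default_factory=list)
    bindings: set = field(default_factory=set)

    def add_server(self, ip):
        """dhcprelay server <ip>: at most ten servers may be defined."""
        if len(self.servers) >= MAX_SERVERS:
            raise ValueError("no more than ten dhcprelay servers are allowed")
        self.servers.append(ip)

    def from_client(self, msg):
        """Relay a client message to every configured server; returns the copies sent."""
        if msg["type"] == "DECLINE":
            self.bindings.discard(msg["client"])   # a decline removes the binding
        else:
            self.bindings.add(msg["client"])       # DISCOVER/REQUEST opens (or keeps) one
        return [dict(msg, to=server) for server in self.servers]

    def from_server(self, msg):
        """Relay a server reply to its client, or return None if no binding exists."""
        client = msg["client"]
        if client not in self.bindings:
            return None
        out = dict(msg, options=dict(msg.get("options", {})))
        if self.setroute:
            # Make the ASA the first router; add option 3 if the server sent none.
            routers = out["options"].get(3, [])
            out["options"][3] = [self.interface_ip] + routers[1:]
        if msg["type"] in SERVER_CLOSERS:
            self.bindings.discard(client)          # ACK or NAK ends the binding
        return out


def walk_through():
    """Constructed exchange on a /24 inside interface with two relay servers."""
    relay = DhcpRelay("10.0.1.1", setroute=True, servers=["209.165.201.10", "209.165.201.11"])
    mac = "00:11:22:33:44:55"
    sent = relay.from_client({"type": "DISCOVER", "client": mac})
    offer = relay.from_server({"type": "OFFER", "client": mac, "options": {3: ["10.10.1.1"]}})
    ack = relay.from_server({"type": "ACK", "client": mac})
    return len(sent), offer["options"][3], ack["options"][3], relay.from_server({"type": "OFFER", "client": mac})
```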
Additional References
For additional information related to implementing DHCPv6, see the following section:
RFCs
RFC | Title
2132 | DHCP Options and BOOTP Vendor Extensions
2462 | IPv6 Stateless Address Autoconfiguration
5510 | DHCP for IPv6
DHCP Monitoring Commands
To monitor DHCP, enter one or more of the following commands:
Command | Purpose
show running-config dhcpd | Shows the current DHCP configuration.
show running-config dhcprelay | Shows the current DHCP relay service status.
show ipv6 dhcprelay binding | Shows the relay binding entries that were created by the relay agent.
show ipv6 dhcprelay statistics | Shows DHCP relay agent statistics for IPv6.
clear config ipv6 dhcprelay | Clears the IPv6 DHCP relay configuration.
Feature History for DHCP
Table 1-3 lists each feature change and the platform release in which it was implemented.
Table 1-3 Feature History for DHCP
Feature Name | Platform Releases | Feature Information
DHCP | 7.0(1) | The ASA can provide a DHCP server or DHCP relay services to DHCP clients attached to ASA interfaces. We introduced the following commands: dhcp client update dns, dhcpd address, dhcpd domain, dhcpd enable, dhcpd lease, dhcpd option, dhcpd ping timeout, dhcpd update dns, dhcpd wins, dhcp-network-scope, dhcprelay enable, dhcprelay server, dhcprelay setroute, dhcprelay trusted, dhcp-server, show running-config dhcpd, and show running-config dhcprelay.
DHCP for IPv6 (DHCPv6) | 9.0(1) | Support for IPv6 was added. We introduced the following commands: ipv6 dhcprelay server, ipv6 dhcprelay enable, ipv6 dhcprelay timeout, clear config ipv6 dhcprelay, ipv6 nd managed-config-flag, ipv6 nd other-config-flag, debug ipv6 dhcp, debug ipv6 dhcprelay, show ipv6 dhcprelay binding, clear ipv6 dhcprelay binding, show ipv6 dhcprelay statistics, and clear ipv6 dhcprelay statistics.