Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Cisco ASA Series CLI Configuration Guide, 9.0

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Cisco ASA Series CLI Configuration Guide, 9.0

Chapter Title

Configuring DHCP

Results

Updated:
September 25, 2018

Chapter: Configuring DHCP

Configuring DHCP

This chapter describes how to configure the DHCP server and includes the following sections:

Information About DHCP

The DHCP Relay Agent sends Dynamic Host Configuration Protocol (DHCP) messages between DHCP clients and servers on different IP networks. DHCP provides network configuration parameters, such as IP addresses, to DHCP clients. The ASA can provide a DHCP server or DHCP relay service to DHCP clients attached to ASA interfaces. The DHCP server provides network configuration parameters directly to DHCP clients. The DHCP relay service sends DHCP requests received on one interface to an external DHCP server located on a different interface.

A client locates a DHCP server to request the assignment of configuration information using a reserved, link-scoped multicast address, which indicates that the client and server should be attached to the same link. However, in some cases where ease of management, economy, or scalability is the concern, we recommend that you allow a DHCP client to send a message to a server that is not connected to the same link. The DHCP relay agent, which may reside on the client network, can relay messages between the client and server. The relay agent operation is transparent to the client.

DHCP for IPv6 (DHCPv6) specified in RFC 3315 enables IPv6 DHCP servers to send configuration parameters such as network addresses or prefixes and DNS server addresses to IPv6 nodes (that is, DHCP clients). DHCPv6 uses the following multicast addresses:

  • All_DHCP_Relay_Agents_and_Servers (FF02::1:2) is a link-scoped multicast address used by a client to communicate with neighboring (that is, on-link) relay agents and servers. All DHCPv6 servers and relay agents are members of this multicast group.
  • The DHCPv6 relay service and server listen for messages on UDP port 547. The ASA DHCPv6 relay agent listens on both UDP port 547 and the All_DHCP_Relay_Agents_and_Servers multicast address.

Licensing Requirements for DHCP

Table 1-1 shows the licensing requirements for DHCP.

Table 1-1 Licensing Requirements

 

Model
License Requirement

All models

Base License.

For the ASA 5505, the maximum number of DHCP client addresses varies depending on the license:

  • If the limit is 10 hosts, the maximum available DHCP pool is 32 addresses.
  • If the limit is 50 hosts, the maximum available DHCP pool is 128 addresses.
  • If the number of hosts is unlimited, the maximum available DHCP pool is 256 addresses.

Note The ASA 5505 ships with a 10-user license.

Guidelines and Limitations

Use the following guidelines to configure the DHCP server:

  • You can configure only one DHCP server on each interface of the ASA. Each interface can have its own pool of addresses to use. However the other DHCP settings, such as DNS servers, domain name, options, ping timeout, and WINS servers, are configured globally and used by the DHCP server on all interfaces.
  • You cannot configure a DHCP client or DHCP relay service on an interface on which the server is enabled. Additionally, DHCP clients must be directly connected to the interface on which the server is enabled.
  • The ASA does not support QIP DHCP servers for use with the DHCP proxy service.
  • The relay agent cannot be enabled if the DHCP server is also enabled.
  • The ASA DHCP server does not support BOOTP requests. In multiple context mode, you cannot enable the DHCP server or DHCP relay service on an interface that is used by more than one context.
  • When it receives a DHCP request, the ASA sends a discovery message to the DHCP server. This message includes the IP address (within a subnetwork) that was configured with the dhcp-network-scope command in the group policy. If the server has an address pool that falls within that subnetwork, the server sends the offer message with the pool information to the IP address—not to the source IP address of the discovery message.

For example, if the server has a pool in the range of 209.165.200.225 to 209.165.200.254, mask 255.255.255.0, and the IP address specified by the dhcp-network-scope command is 209.165.200.1, the server sends that pool in the offer message to the ASA.

Use the following guidelines to configure the DHCP relay service:

  • DHCP clients must be directly connected to the ASA and cannot send requests through another relay agent or a router.
  • For multiple context mode, you cannot enable DHCP relay service on an interface that is used by more than one context.
  • The DHCP relay service is not available in transparent firewall mode. An ASA in transparent firewall mode only allows ARP traffic through; all other traffic requires an access list. To allow DHCP requests and replies through the ASA in transparent firewall mode, you must configure two access lists: one that allows DCHP requests from the inside interface to the outside, and one that allows the replies from the server in the other direction.
  • When the DHCP relay service is enabled and more than one DHCP relay server is defined, the ASA forwards client requests to each defined DHCP relay server. Replies from the servers are also forwarded to the client until the client DHCP relay binding is removed. The binding is removed when the ASA receives any of the following DHCP messages: ACK, NACK, or decline.
  • You cannot enable DHCP relay service on an interface running as a DHCP proxy service. You must remove the VPN DHCP configuration first or an error message appears. This error occurs if both DHCP relay and DHCP proxy services are enabled. Make sure that either the DHCP relay or DHCP proxy service is enabled, but not both.

Firewall Mode Guidelines

Supported in routed firewall mode.

Not supported in transparent firewall mode.

Context Mode Guidelines

Supported in single and multiple context mode.

Failover Guidelines

Supports Active/Active and Active/Standby failover.

IPv6 Guidelines

Supports IPv6.

Configuring a DHCP Server

This section describes how to configure a DHCP server provided by the ASA and includes the following topics:

Enabling the DHCP Server

To enable the DHCP server on an ASA interface, perform the following steps:

 

Command
Purpose

Step 1
dhcpd address ip_address - ip_address interface_name
 

hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 inside

Creates a DHCP address pool. The ASA assigns a client one of the addresses from this pool to use for a given period of time. These addresses are the local, untranslated addresses for the directly connected network.

The address pool must be on the same subnet as the ASA interface.

Step 2
dhcpd dns dns1 [ dns2 ]
 

hostname(config)# dhcpd dns 209.165.201.2 209.165.202.129

(Optional) Specifies the IP address(es) of the DNS server(s).

Step 3
dhcpd wins wins1 [ wins2 ]
 

hostname(config)# dhcpd wins 209.165.201.5

(Optional) Specifies the IP address(es) of the WINS server(s). You can specify up to two WINS servers.

Step 4
dhcpd lease lease_length
 

hostname(config)# dhcpd lease 3000

(Optional) Changes the lease length to be granted to the client. The lease length equals the amount of time in seconds that the client can use its allocated IP address before the lease expires. Enter a value from 0 to 1,048,575. The default value is 3600 seconds.

Step 5
dhcpd domain domain_name
 

hostname(config)# dhcpd domain example.com

(Optional) Configures the domain name.

Step 6
dhcpd ping_timeout milliseconds
 

hostname(config)# dhcpd ping timeout 20

(Optional) Configures the DHCP ping timeout value for ICMP packets. To avoid address conflicts, the ASA sends two ICMP ping packets to an address before assigning that address to a DHCP client.

Step 7
dhcpd option 3 ip gateway_ip
 

hostname(config)# dhcpd option 3 ip 10.10.1.1

Defines a default gateway that is sent to DHCP clients. If you do not use the dhcpd option 3 command to define the default gateway, DHCP clients use the IP address of the management interface. As a result, the DHCP ACK does not include this option. The management interface does not route traffic.

Step 8
dhcpd enable interface_name
 

hostname(config)# dhcpd enable outside

Enables the DHCP daemon within the ASA to listen for DHCP client requests on the enabled interface.

Configuring DHCP Options

The ASA supports the DHCP options listed in RFC 2132 to send information.

This section includes the following topics:

To configure a DHCP option, enter one of the following commands:

Options that Return an IP Address

 

Command
Purpose
dhcpd option code ip addr_1 [ addr_2 ]
 

hostname(config)# dhcpd option 2 ip 10.10.1.1 10.10.1.2

Configures a DHCP option that returns one or two IP addresses.

Options that Return a Text String

 

Command
Purpose
dhcpd option code ascii text
 

hostname(config)# dhcpd option 2 ascii examplestring

Configures a DHCP option that returns a text string.

Options that Return a Hexadecimal Value

 

Command
Purpose
dhcpd option code hex value
 

hostname(config)# dhcpd option 2 hex 22.0011.01.FF1111.00FF.0000.AAAA.1111.1111.1111.11

Configures a DHCP option that returns a hexadecimal value.

Note The ASA does not verify that the option type and value that you provide match the expected type and value for the option code as defined in RFC 2132. For example, you can enter the dhcpd option 46 ascii hello command, and the ASA accepts the configuration, although option 46 is defined in RFC 2132 to expect a single-digit, hexadecimal value. For more information about option codes and their associated types and expected values, see RFC 2132.

Table 1-2 shows the DHCP options that are not supported by the dhcpd option command.

 

Table 1-2 Unsupported DHCP Options
Option Code
Description

0

DHCPOPT_PAD

1

HCPOPT_SUBNET_MASK

12

DHCPOPT_HOST_NAME

50

DHCPOPT_REQUESTED_ADDRESS

51

DHCPOPT_LEASE_TIME

52

DHCPOPT_OPTION_OVERLOAD

53

DHCPOPT_MESSAGE_TYPE

54

DHCPOPT_SERVER_IDENTIFIER

58

DHCPOPT_RENEWAL_TIME

59

DHCPOPT_REBINDING_TIME

61

DHCPOPT_CLIENT_IDENTIFIER

67

DHCPOPT_BOOT_FILE_NAME

82

DHCPOPT_RELAY_INFORMATION

255

DHCPOPT_END

DHCP options 3, 66, and 150 are used to configure Cisco IP phones. For more information about configuring these options, see the “Using Cisco IP Phones with a DHCP Server” section.

Using Cisco IP Phones with a DHCP Server

Cisco IP phones download their configuration from a TFTP server. When a Cisco IP phone starts, if it does not have both the IP address and TFTP server IP address preconfigured, it sends a request with option 150 or 66 to the DHCP server to obtain this information.

  • DHCP option 150 provides the IP addresses of a list of TFTP servers.
  • DHCP option 66 gives the IP address or the hostname of a single TFTP server.

Note Cisco IP phones can also include DHCP option 3 in their requests, which sets the default route.

A single request might include both options 150 and 66. In this case, the ASA DHCP server provides values for both options in the response if they are already configured on the ASA.

To send information to use for any option number, enter the following command:

 

Command
Purpose
dhcpd option number value
 

hostname(config)# dhcpd option 2

Provides information for DHCP requests that include an option number as specified in RFC 2132.

To send information to use for option 66, enter the following command:

 

Command
Purpose
dhcpd option 66 ascii server_name
 

hostname(config)# dhcpd option 66 ascii exampleserver

Provides the IP address or name of a TFTP server for option 66.

To send information to use for option 150, enter the following command:

 

Command
Purpose
dhcpd option 150 ip server_ip1 [ server_ip2 ]
 

hostname(config)# dhcpd option 150 ip 10.10.1.1

Provides the IP address or names of one or two TFTP servers for option 150. The server_ip1 is the IP address or name of the primary TFTP server while server_ip2 is the IP address or name of the secondary TFTP server. A maximum of two TFTP servers can be identified using option 150.

To send information to use for option 3, enter the following command:

 

Command
Purpose
dhcpd option 3 ip router_ip1
 

hostname(config)# dhcpd option 3 ip 10.10.1.1

Sets the default route.

Configuring the DHCP Relay Service

To configure the DHCP relay service, perform the following steps:

 

Command
Purpose

Step 1
dhcprelay server ip_address if_name
 

hostname(config)# dhcprelay server 201.168.200.4 outside

Specifies the IP address of a DHCP server on a different interface from the DHCP client.

You can use this command up to ten times to identify up to ten servers.

Step 2
dhcprelay enable interface
 

hostname(config)# dhcprelay enable inside

Enables DHCP relay service on the interface connected to the clients.

Step 3
dhcprelay timeout seconds
 

hostname(config)# dhcprelay timeout 25

(Optional) Set the number of seconds allowed for relay address handling.

Step 4
dhcprelay setroute interface_name
 

hostname(config)# dhcprelay setroute inside

(Optional) Change the first default router address in the packet sent from the DHCP server to the address of the ASA interface.

This action allows the client to set its default route to point to the ASA even if the DHCP server specifies a different router.

If there is no default router option in the packet, the ASA adds one containing the interface address.

To configure the DHCPv6 relay service, perform the following steps:

 

Command
Purpose

Step 1
ipv6 dhcprelay server ipv6_address [interface]
 

hostname(config)# ipv6 dhcprelay server 3FFB:C00:C18:6:A8BB:CCFF:FE03:2701

Specifies the IPv6 DHCP server destination address to which client messages are forwarded.

The ipv6-address argument can be a link-scoped unicast, multicast, site-scoped unicast, or global IPv6 address. Unspecified, loopback, and node-local multicast addresses are not allowed as the relay destination. The optional interface argument specifies the output interface for a destination. Client messages are forwarded to the destination address through the link to which the output interface is connected. If the specified address is a link-scoped address, then you must specify the interface.

You can configure up to ten servers per context.

Step 2
ipv6 dhcprelay enable interface
 

hostname(config)# ipv6 dhcprelay enable inside

Enables DHCPv6 relay service on an interface. When the service is enabled, the incoming DHCPv6 message from a client on the interface that may have been relayed by another relay agent will be forwarded to all configured relay destinations through all configured outgoing links. For multiple context mode, you cannot enable DHCP relay on an interface that is used by more than one context (that is, a shared interface).

Step 3
ipv6 dhcprelay timeout seconds
 

hostname(config)# ipv6 dhcprelay timeout 25

(Optional) Specifies the amount of time in seconds that is allowed for responses from the DHCPv6 server to pass to the DHCPv6 client through the relay binding for relay address handling.

Valid values for the seconds argument range from 1 to 3600. The default is 60 seconds.

Additional References

For additional information related to implementing DHCPv6, see the following section:

RFCs

 

RFC
Title

2132

DHCP Options and BOOTP Vendor Extensions

2462

IPv6 Stateless Address Autoconfiguration

5510

DHCP for IPv6

DHCP Monitoring Commands

To monitor DHCP, enter one or more of the following commands:

 

Command
Purpose

show running-config dhcpd

 

Shows the current DHCP configuration.

show running-config dhcprelay

 

Shows the current DHCP relay service status.

show ipv6 dhcprelay binding

 

Shows the relay binding entries that were created by the relay agent.

show ipv6 dhcprelay statistics

 

Shows DHCP relay agent statistics for IPv6.

clear config ipv6 dhcprelay

 

Clears the IPv6 DHCP relay configuration.

Feature History for DHCP

Table 1-3 each feature change and the platform release in which it was implemented.

 

Table 1-3 Feature History for DHCP
Feature Name
Releases
Description

DHCP

7.0(1)

The ASA can provide a DHCP server or DHCP relay services to DHCP clients attached to ASA interfaces.

We introduced the following commands: dhcp client update dns, dhcpd address, dhcpd domain, dhcpd enable, dhcpd lease, dhcpd option, dhcpd ping timeout, dhcpd update dns, dhcpd wins, dhcp-network-scope, dhcprelay enable, dhcprelay server, dhcprelay setroute, dhcprelay trusted, dhcp-server. show running-config dhcpd, and show running-config dhcprelay.

DHCP for IPv6 (DHCPv6)

9.0(1)

Support for IPv6 was added.

We introduced the following commands: ipv6 dhcprelay server, ipv6 dhcprelay enable, ipv6 dhcprelay timeout, clear config ipv6 dhcprelay, ipv6 nd managed-config-flag, ipv6 nd other-config-flag, debug ipv6 dhcp, debug ipv6 dhcprelay, show ipv6 dhcprelay binding, clear ipv6 dhcprelay binding, show ipv6 dhcprelay statistics, and clear ipv6 dhcprelay statistics.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

Related Cisco Community Discussions

About Us
Contact Us
Work with Us