DHCP

  1. BOOTP
  2. DHCP
    1. Options
      1. Option 82 on switch
      2. Option 82 on server
  3. DHCPv6
    1. DHCP Prefix Delegation (DHCP-PD)

BOOTP

  • RFC 951
  • UDP, server port 67, client port 68 (the same ports DHCP later reused)
  • replies with mask, DNS, default gateway, IP of the boot server and boot file name
  • static MAC → IP table on the server, no leases (dynamic allocation came with DHCP, RFC 2131)
  • replaces RARP (no RARP server needed) and, unlike RARP, can cross routers via relay agents

DHCP

  • messages:
    • Discover:
      • bcast (client has no IP yet)
      • src UDP 68 → dst UDP 67
    • Offer:
      • bcast/unicast (depends on the BROADCAST flag in the Discover)
      • dst UDP 68
    • Request:
      • bcast, so that every server that offered sees it
      • carries the server identifier (option 54) of the chosen server; the other servers withdraw their offers
    • Ack:
      • bcast/unicast (depends on the BROADCAST flag in the Discover)
    • Nak:
      • always bcast when no relay is involved (giaddr = 0.0.0.0), RFC 2131 §4.1; via a relay it goes to the relay
    • Decline:
      • bcast
      • client found (via ARP) that the offered address is already in use
    • Release:
      • unicast to the server
    • Inform:
      • bcast (if no DHCP server IP is known) or unicast
      • from a client that already has an IP (e.g., statically configured) and only wants configuration parameters
  • Cisco verifies that an address is free before allocating it: the server pings the address first; useful if the ARP cache is out of date or the client sits in another L2 segment behind a relay
  • Client ID (option 61): 01XX.XXXX.XXXX.XX, where 01 = hardware type Ethernet and X…X = MAC address
  • Vendor class identifier (option 60):
    • usually identifies the OS or device type (e.g., "MSFT 5.0")
    • user class (option 77) is free-form and can be set to identify a corporate asset
    • both are client-supplied and unauthenticated: fine for selecting a pool or options, not for access control
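The exchange above in code, as an added example that is not part of the original notes or of any Cisco software: a Python script that builds a DHCPDISCOVER with the client ID (61) and vendor class (60) options described, parses it back, and implements the RFC 2131 delivery rule that the list summarises as "depends on flag in Discover", including the NAK exception. The MAC addresses, xid and the "MSFT 5.0" vendor string are constructed sample values.

```python
import struct

# RFC 2131 message types carried in option 53
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)
BROADCAST_FLAG = 0x8000          # bit 15 of the flags field
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def mac_bytes(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55 or Cisco-style 0011.2233.4455."""
    return bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))

def client_id(mac: str) -> bytes:
    """Option 61 as most clients send it: hardware type 0x01 (Ethernet) + MAC,
    i.e. the '01XX.XXXX.XXXX.XX' form from the notes."""
    return b"\x01" + mac_bytes(mac)

def option(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value

def build_discover(mac: str, xid: int, broadcast: bool,
                   vendor_class: bytes = b"MSFT 5.0") -> bytes:
    """DHCPDISCOVER with client ID (61), vendor class (60) and parameter request list (55)."""
    flags = BROADCAST_FLAG if broadcast else 0
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
                         xid, 0, flags,              # xid, secs, flags
                         bytes(4), bytes(4), bytes(4), bytes(4),   # ciaddr, yiaddr, siaddr, giaddr
                         mac_bytes(mac).ljust(16, b"\x00"),        # chaddr
                         bytes(64), bytes(128))                    # sname, file
    opts = (option(53, bytes([DISCOVER]))
            + option(61, client_id(mac))
            + option(60, vendor_class)
            + option(55, bytes([1, 3, 6, 15]))       # subnet mask, router, DNS, domain name
            + b"\xff")                                # end
    return header + MAGIC_COOKIE + opts

def parse_options(pkt: bytes) -> dict:
    """Return {code: raw value}; option overload (52) is ignored for brevity."""
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                               # pad
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return opts

def has_broadcast_flag(pkt: bytes) -> bool:
    return bool(struct.unpack("!H", pkt[10:12])[0] & BROADCAST_FLAG)

def reply_destination(msg_type: int, giaddr: str, ciaddr: str, yiaddr: str,
                      broadcast_flag: bool) -> tuple:
    """Where the server sends OFFER/ACK/NAK (RFC 2131 section 4.1): the
    'bcast/unicast depends on the flag' rule in full, including the NAK exception."""
    if giaddr != "0.0.0.0":
        return (giaddr, 67)                 # via the relay, to its server port
    if msg_type == NAK:
        return ("255.255.255.255", 68)      # NAK is always broadcast when no relay is involved
    if ciaddr != "0.0.0.0":
        return (ciaddr, 68)                 # client already has an address (renewing / inform)
    if broadcast_flag:
        return ("255.255.255.255", 68)      # client cannot receive unicast IP yet
    return (yiaddr, 68)                     # unicast to chaddr / yiaddr

def describe_client(pkt: bytes) -> dict:
    """What a server or a snooping device learns from a Discover. Options 60/61 are
    client-supplied and unauthenticated, so treat them as hints, not identity."""
    o = parse_options(pkt)
    cid = o.get(61, b"")
    return {
        "type": o[53][0],
        "hw_type": cid[0] if cid else None,
        "mac": cid[1:].hex(":") if cid else None,
        "vendor_class": o.get(60, b"").decode(errors="replace"),
        "broadcast": has_broadcast_flag(pkt),
    }
```

The Nak branch is the one most tables get wrong: a client that was offered a wrong address cannot be reached by unicast, so the server broadcasts the Nak regardless of the flag unless a relay (giaddr) is in the path.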
; N=0 ≡ disable, 2 default
(config)# ip dhcp ping packets <N>

; 500 ms default
(config)# ip dhcp ping timeout <ms>

; on by default
(config)# service dhcp

; persist bindings (e.g., tftp://…) so they survive a reload
(config)# ip dhcp database <URL>

; on by default: conflicts found by ping or gratuitous ARP are logged and the address is excluded from the pool until cleared
(config)# ip dhcp conflict logging

; use the MAC of INTF as the client ID
(config-if)# ip address dhcp client-id <INTF>

; set or clear the BROADCAST flag in messages from this client
(config-if)# ip dhcp client broadcast-flag set|clear

; DHCP relay: forward client bcasts as unicast to IP with giaddr = ingress interface IP; by default also forwards other UDP bcasts (TFTP, DNS, NetBIOS, TACACS, time)
(config-if)# ip helper-address <IP>

; release the lease obtained on INTF (exec mode)
# release dhcp <INTF>

Options

  • 43: vendor-specific (vendor-encapsulated) options
  • 66: TFTP server name
  • 69: SMTP server
  • 70: POP3 server
  • 78: SLP directory agent
  • 79: SLP service scope
  • 82: relay agent information
    • sub-option 1 circuit ID (VLAN, module, port) + sub-option 2 remote ID (switch base MAC)
    • inserted by the first-hop L2 switch (DHCP snooping); giaddr stays 0.0.0.0
    • switch checks that the option is present in replies from the server and strips it before forwarding to the client
  • 83: iSNS server
  • 128: TFTP server for IP phones
  • 150: TFTP server address, Cisco
; add an arbitrary option code N with a raw value to the pool (sent to clients in Offer/Ack)
(dhcp-config)# option <N> ascii <STR> | hex <HEX> | ip <IPv4>

Option 82 on switch

(config)# ip dhcp snooping
(config)# ip dhcp snooping vlan <N>

; insert option 82 into client DHCP messages switched at L2 (on by default once snooping is enabled)
(config)# ip dhcp snooping information option

; insert option 82 when relaying at L3 (on the DHCP relay)
(config)# ip dhcp relay information option

Option 82 on server

(config)# ip dhcp class <CLASS>
(config-dhcp-class)# relay agent information

; pattern in hex (sub-options without the outer 82/length header); * = wildcard suffix, bitmask = bytes to ignore
(config-dhcp-class-relayinfo)# relay-information hex <HEX>
(config)# ip dhcp pool <POOL>
(dhcp-config)# class <CLASS>
(config-dhcp-pool-class)# address range <START> <STOP>
; --- switch side ---
(config)# ip dhcp snooping

; accept client packets that already carry option 82 with giaddr 0.0.0.0 on untrusted ports (needed when an edge switch behind this one inserts the option; otherwise such packets are dropped as spoofed)
(config)# ip dhcp snooping information option allow-untrusted

; persist bindings: they must survive a reload, else IP Source Guard / DAI block hosts until they renew; a remote tftp:/ftp: URL is preferred over flash:
(config)# ip dhcp snooping database <URL>

; --- relay side ---
; accept option 82 with giaddr = 0.0.0.0 (inserted by an L2 switch) on all interfaces; otherwise the relay drops it
(config)# ip dhcp relay information trust-all

; same, but only on this interface
(config-if)# ip dhcp relay information trusted

; on by default: validate option 82 in replies from the server (must match what this relay inserted); absent/invalid – drop
(config)# ip dhcp relay information check

; per-interface override of the reply check
(config-if)# ip dhcp relay information check-reply
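Option 82 in code, as an added Python example that is not part of the notes and not Cisco code. It serves the Option 82 bullets, "Option 82 on switch" and this section: it encodes the circuit ID / remote ID in the format Cisco switches insert by default (sub-option 1: type 0, VLAN, module, port; sub-option 2: type 0, base MAC), decodes it, derives the `relay-information hex` pattern for a DHCP class (with the `*` wildcard form), and models the drop/forward/strip decisions behind `allow-untrusted`, `trust-all`/`trusted` and `relay information check`. VLAN 10, port 0/3 and the switch MAC 00:1a:2b:3c:4d:5e are constructed values, and `snooping_verdict` is a simplified model of the switch logic, not a reimplementation of IOS.

```python
def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))

def cisco_circuit_id(vlan: int, module: int, port: int) -> bytes:
    """Sub-option 1 (circuit ID) in the default Cisco format:
    type 1, len 6, circuit-id type 0, len 4, VLAN (2 bytes), module (1), port (1)."""
    return bytes([1, 6, 0, 4]) + vlan.to_bytes(2, "big") + bytes([module, port])

def cisco_remote_id(switch_mac: str) -> bytes:
    """Sub-option 2 (remote ID): type 2, len 8, remote-id type 0, len 6, switch base MAC."""
    return bytes([2, 8, 0, 6]) + _mac_bytes(switch_mac)

def option82(vlan: int, module: int, port: int, switch_mac: str) -> bytes:
    body = cisco_circuit_id(vlan, module, port) + cisco_remote_id(switch_mac)
    return bytes([82, len(body)]) + body

def decode_option82(opt: bytes) -> dict:
    if opt[0] != 82 or opt[1] != len(opt) - 2:
        raise ValueError("not a well-formed option 82")
    out, i = {}, 2
    while i + 2 <= len(opt):
        sub, ln = opt[i], opt[i + 1]
        val = opt[i + 2:i + 2 + ln]
        if sub == 1 and val[:2] == b"\x00\x04":
            out["circuit_id"] = {"vlan": int.from_bytes(val[2:4], "big"),
                                 "module": val[4], "port": val[5]}
        elif sub == 2 and val[:2] == b"\x00\x06":
            out["remote_id"] = val[2:].hex(":")
        i += 2 + ln
    return out

def relay_information_hex(vlan: int, module: int, port: int, switch_mac: str = None) -> str:
    """Pattern for 'relay-information hex <HEX>' in a DHCP class: the sub-options
    without the outer 82/length header. Without a switch MAC a trailing '*'
    matches any remote ID (the wildcard form mentioned in the notes)."""
    cid = cisco_circuit_id(vlan, module, port).hex()
    return cid + "*" if switch_mac is None else cid + cisco_remote_id(switch_mac).hex()

def snooping_verdict(from_server: bool, port_trusted: bool, giaddr: str,
                     has_option82: bool, allow_untrusted: bool = False,
                     check_reply: bool = True) -> str:
    """Simplified model of what a snooping switch / relay does with one DHCP packet.
    Returns 'drop', 'forward' or 'strip-and-forward'."""
    if not from_server:
        # A client packet on an untrusted port that already carries option 82 with
        # giaddr 0.0.0.0 looks like a spoofed relay-agent option; it is dropped unless
        # 'ip dhcp snooping information option allow-untrusted' is configured.
        if (not port_trusted and has_option82 and giaddr == "0.0.0.0"
                and not allow_untrusted):
            return "drop"
        return "forward"
    if not port_trusted:
        return "drop"                       # server messages are only accepted on trusted ports
    if check_reply and not has_option82:
        return "drop"                       # 'ip dhcp relay information check': option 82 missing
    return "strip-and-forward" if has_option82 else "forward"   # option 82 removed before the client
```

The hex produced by `relay_information_hex` is what goes after `relay-information hex` in the class; matching on the circuit ID alone with `*` is the usual choice, since the remote ID changes whenever the access switch is replaced.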

DHCPv6

  • messages:
    1. solicit
      • client looks for servers; sent to ff02::1:2 (All_DHCP_Relay_Agents_and_Servers)
      • when the RA has M=1 (O=1 alone → information-request instead)
      • when no RA is received at all
    2. advertise
      • server's answer to a solicit; nothing is committed yet
    3. request: stateful DHCP, client asks the chosen server (Server Identifier option) for the advertised parameters
    4. reply
      • response to request/renew/rebind/information-request, acknowledgement of release/decline
      • answers a solicit directly when rapid-commit is used
    5. confirm
      • after a link change: check whether the addresses the client holds are still valid on this link
      • sent to all servers (no Server Identifier)
    6. renew
      • addressed to the server that provided the parameters (Server Identifier option); still transported via ff02::1:2 unless the server sent a Server Unicast option
    7. rebind
      • same as renew, but without Server Identifier
      • after renew gets no response
      • any server may answer
    8. release
      • to the server that provided the parameters
    9. decline
      • to the server that provided the parameters (address found in use by DAD)
    10. reconfigure
      • server → client when new information is available
      • triggers renew or information-request
      • must carry a valid authentication option (reconfigure key); otherwise the client discards it
    11. information-request: stateless DHCP, parameters only (no address)
    12. relay-forward
    13. relay-reply
  • rapid-commit
    • 2 messages (solicit/reply) instead of 4 (solicit/advertise/request/reply)
    • client puts the Rapid Commit option in the solicit; the server must be configured for it too
    • with several servers every server that replies commits an address; the client keeps one, the others stay bound until their lifetimes expire
  • DUID: DHCP unique ID – one per device (client and server), stable across reboots and shared by all interfaces
  • IAID: identity association ID – one per interface (per IA); DUID + IAID identify a binding
  • relay: sets link-address to an address of the ingress link (the client's link) and sends with the egress interface address as IPv6 source (IPv4 giaddr = ingress interface IP)
  • when an address is allocated, the server does not ping it by default (in contrast to IPv4)
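The DUID/IAID and rapid-commit points above as an added Python example (not from the notes, not Cisco code): it builds a Solicit with a DUID-LL, an IA_NA carrying the IAID and the Rapid Commit option, models a server's first answer (Reply when both sides do rapid-commit, Advertise otherwise), and shows the multi-server side effect the notes mention: every server that replied has already committed an address, and the ones the client does not keep stay bound. The MACs, transaction ID, IAID 7, addresses and lifetimes are constructed values; the server side is a minimal model, not a real DHCPv6 server.

```python
import ipaddress
import struct

SOLICIT, ADVERTISE, REQUEST, REPLY, INFORMATION_REQUEST = 1, 2, 3, 7, 11
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR, OPT_ORO, OPT_RAPID_COMMIT = 1, 2, 3, 5, 6, 14

def duid_ll(mac: str) -> bytes:
    """DUID type 3 (DUID-LL): hardware type 1 (Ethernet) + MAC. One DUID per device,
    shared by all of its interfaces; the IAID is what distinguishes interfaces."""
    return struct.pack("!HH", 3, 1) + bytes.fromhex(mac.replace(":", "").replace(".", ""))

def opt(code: int, data: bytes) -> bytes:
    return struct.pack("!HH", code, len(data)) + data

def build_solicit(mac: str, txid: int, iaid: int, rapid_commit: bool) -> bytes:
    msg = bytes([SOLICIT]) + txid.to_bytes(3, "big")
    msg += opt(OPT_CLIENTID, duid_ll(mac))
    msg += opt(OPT_IA_NA, struct.pack("!III", iaid, 0, 0))   # IAID, T1, T2 (0: server decides)
    msg += opt(OPT_ORO, struct.pack("!HH", 23, 24))          # want DNS servers + domain list
    if rapid_commit:
        msg += opt(OPT_RAPID_COMMIT, b"")
    return msg

def parse(msg: bytes):
    """Return (type, transaction id, {option code: raw data}); top-level options only."""
    mtype, txid, opts, i = msg[0], int.from_bytes(msg[1:4], "big"), {}, 4
    while i + 4 <= len(msg):
        code, ln = struct.unpack("!HH", msg[i:i + 4])
        opts[code] = msg[i + 4:i + 4 + ln]
        i += 4 + ln
    return mtype, txid, opts

def server_answer(solicit: bytes, server_duid: bytes, addr: str,
                  server_supports_rapid_commit: bool) -> bytes:
    """A server's first message back. With rapid-commit on both sides it is a REPLY that
    already commits the address (2-message exchange); otherwise an ADVERTISE, and the
    client must still REQUEST before anything is committed (4 messages)."""
    mtype, txid, o = parse(solicit)
    if mtype != SOLICIT:
        raise ValueError("expected a Solicit")
    iaid = struct.unpack("!I", o[OPT_IA_NA][:4])[0]
    commit = server_supports_rapid_commit and OPT_RAPID_COMMIT in o
    ia_addr = opt(OPT_IAADDR, ipaddress.IPv6Address(addr).packed
                  + struct.pack("!II", 3600, 7200))            # preferred / valid lifetime
    ia_na = opt(OPT_IA_NA, struct.pack("!III", iaid, 1800, 2880) + ia_addr)
    msg = bytes([REPLY if commit else ADVERTISE]) + txid.to_bytes(3, "big")
    msg += opt(OPT_SERVERID, server_duid) + opt(OPT_CLIENTID, o[OPT_CLIENTID]) + ia_na
    if commit:
        msg += opt(OPT_RAPID_COMMIT, b"")
    return msg

def messages_in_exchange(solicit: bytes, server_supports_rapid_commit: bool) -> int:
    _, _, o = parse(solicit)
    return 2 if (server_supports_rapid_commit and OPT_RAPID_COMMIT in o) else 4

def stranded_leases(replies: list, chosen_index: int) -> list:
    """With rapid-commit every REPLY already committed an address on its server; the
    client keeps one, the other servers' addresses stay bound until their lifetimes
    expire. Returns those addresses."""
    out = []
    for i, r in enumerate(replies):
        mtype, _, o = parse(r)
        if mtype == REPLY and i != chosen_index:
            ia = o[OPT_IA_NA]
            # IA_NA: IAID, T1, T2 (12 bytes), then the nested IAADDR option
            # (4-byte header + 16-byte address + lifetimes)
            out.append(str(ipaddress.IPv6Address(ia[16:32])))
    return out
```

`stranded_leases` is the reason to keep rapid-commit off where several servers share a link: each of them hands out an address per Solicit, and only one of those is ever used.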
; persist bindings
(config)# ipv6 dhcp database <URL>
(config)# ipv6 dhcp pool <NAME>
(config-dhcpv6)# dns-server <IPv6>
(config-dhcpv6)# domain-name <DOMAIN>

; address pool for stateful allocation; prefix length is fixed at /64
(config-dhcpv6)# address prefix <PREFIX>

; bind the pool to the client-facing interface (clients only solicit if RAs on that link set the M flag)
(config-if)# ipv6 dhcp server <NAME> [rapid-commit]

; relay: forward to the server, optionally via a given egress interface (required for a link-local or multicast destination)
(config-if)# ipv6 dhcp relay destination <IPv6> [<intf>]
# show ipv6 dhcp
# show ipv6 dhcp interface <INTF>

DHCP Prefix Delegation (DHCP-PD)

  • on delegation a static route for the delegated prefix is added automatically
    • client (RR): via Null0, so traffic to unused parts of the prefix is dropped instead of looping back to the DR
    • server (DR): via the egress interface with the RR's link-local address as next hop
  • DHCP solicit from the requesting router (RR) carries an IA_PD asking for a prefix
  • DHCP reply from the delegating router (DR) contains the delegated prefix (IA_PD / IAPREFIX)
(config)# ipv6 dhcp pool <NAME>
(config-dhcpv6)# prefix-delegation pool <PD_POOL>

; PD_PREFIX – pool, split into subnets of length n; each RR receives one /n
(config)# ipv6 local pool <PD_POOL> <PD_PREFIX> <n>
; on RR, interface towards DR: store the delegated prefix under the general-prefix name GPREFIX
(config-if)# ipv6 dhcp client pd <GPREFIX>

; on RR, interfaces towards clients: GPREFIX supplies the MSB (delegated) bits, <prefix> the subnet/host bits below them
; default – install ::/0 via DR
(config-if)# ipv6 address <GPREFIX> <prefix> [default]
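The prefix arithmetic behind the PD commands above, as an added Python example (not from the notes, not IOS code): `split_pd_pool` carves PD_PREFIX into /n prefixes the way `ipv6 local pool` does, `apply_general_prefix` combines a delegated prefix with an `ipv6 address <GPREFIX> <prefix>` argument (delegated prefix supplies the high bits, the configured address the rest, any overlapping high bits in the configured address are overwritten), and `plan` ties the two together for one RR. 2001:db8::/40, the /48 delegation size and the interface suffixes are constructed values; IOS behaviour is modelled here, not invoked.

```python
import ipaddress

def split_pd_pool(pd_prefix: str, n: int) -> list:
    """'ipv6 local pool <PD_POOL> <PD_PREFIX> <n>' on the DR: the pool is carved into
    /n prefixes, one per requesting router, handed out in order."""
    return [str(p) for p in ipaddress.ip_network(pd_prefix).subnets(new_prefix=n)]

def apply_general_prefix(delegated: str, configured: str) -> str:
    """'ipv6 address <GPREFIX> <prefix>' on an RR client-facing interface: the delegated
    prefix supplies the most-significant bits, the configured address supplies the
    subnet and host bits below the delegated prefix length. Bits of the configured
    address that fall inside the delegated prefix length are ignored (overwritten),
    so the resulting /64 can never leave the delegated block."""
    net = ipaddress.ip_network(delegated)
    cfg = ipaddress.ip_interface(configured)
    if cfg.network.prefixlen < net.prefixlen:
        raise ValueError("interface prefix is shorter than the delegated prefix")
    low_mask = (1 << (128 - net.prefixlen)) - 1
    addr = ipaddress.IPv6Address(int(net.network_address) | (int(cfg.ip) & low_mask))
    return f"{addr}/{cfg.network.prefixlen}"

def plan(pd_prefix: str, n: int, rr_index: int, lan_suffixes: list) -> dict:
    """Worked plan for one RR: which /n it receives (rr_index-th from the pool) and
    what each of its LAN interfaces ends up with."""
    delegated = split_pd_pool(pd_prefix, n)[rr_index]
    return {"delegated": delegated,
            "lan": [apply_general_prefix(delegated, s) for s in lan_suffixes]}
```

A suffix such as `::1:0:0:0:1/64` only sets the subnet ID (4th hextet) and host part; `2001:db8:ffff:2::1/64` would be accepted by the model but its first 48 bits are replaced by the delegated prefix, which is exactly why the general-prefix form is used: the interface configuration stays valid whichever prefix the DR hands out.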