DHCP Services

Having already studied the static and PPPoE methods of addressing, it is time to look at the services provided by the classic DHCP protocol. Figure 3-11 portrays a sample topology for the study of the DHCP server and client functionalities. Example 3-33 shows an IOS router configured as a DHCP server while the ASA acts as a client (on its outside interface). The address assigned to the ASA in this case is 172.16.200.41.

Example 3-34 also relates to the topology of Figure 3-11 and teaches how to enable the DHCP server function on ASA. The dhcpd auto_config option enables ASA to forward the parameters it receives on a given interface (as client) to another interface where it works as a server. The show running-config dhcpd command displays the configuration related to the DHCP daemon on ASA. (Notice that the auto_config attributes are shown on the running-config.) This example includes the summary information for DHCP services enabled on ASA and the lease information visible on an IOS client.

Figure 3-11 Reference Topology for DHCP Server and DHCP Client

Example 3-33. IOS as DHCP Server and ASA as DHCP Client

! Router "OUT" acts as DHCP Server for subnet 172.16.200.0/24
interface FastEthernet4.200
 encapsulation dot1Q 200
 ip address 172.16.200.200 255.255.255.0
!
ip dhcp excluded-address 172.16.200.1 172.16.200.40
ip dhcp excluded-address 172.16.200.50 172.16.200.255
!
ip dhcp pool OUT1
   network 172.16.200.0 255.255.255.0
   default-router 172.16.200.200
   dns-server 172.16.250.250
   domain-name outside.net
!
! ASA configured as a DHCP client on interface outside
ASA5505(config)# interface vlan 200
ASA5505(config-if)# ip address dhcp setroute
%ASA-6-302015: Built outbound UDP connection 46 for outside:255.255.255.255/67 (255.255.255.255/67) to identity:0.0.0.0/68 (0.0.0.0/68)
%ASA-6-604101: DHCP client interface outside: Allocated ip = 172.16.200.41, mask = 255.255.255.0, gw = 172.16.200.200
%ASA-6-302016: Teardown UDP connection 46 for outside:255.255.255.255/67 to identity:0.0.0.0/68 duration 0:02:03 bytes 1096
!
! The DHCP-learned default route becomes visible on ASA's routing table
ASA5505# show route outside | begin Gateway
Gateway of last resort is 172.16.200.200 to network 0.0.0.0
C    172.16.200.0 255.255.255.0 is directly connected, outside
d*   0.0.0.0 0.0.0.0 [1/0] via 172.16.200.200, outside
!
ASA5505# show interface ip brief | include DHCP|Method
Interface                  IP-Address      OK? Method Status                Protocol
Vlan200                    172.16.200.41   YES DHCP   up                    up
!
! Viewing information about the DHCP Server function
OUT# show dhcp server
   DHCP server: ANY (255.255.255.255)
    Leases:   2
    Offers:   1      Requests: 1     Acks : 1     Naks: 0
    Declines: 0      Releases: 3     Query: 0     Bad: 0
    DNS0:    172.16.250.250,   DNS1:  0.0.0.0
    Subnet: 255.255.255.0   DNS Domain: outside.net

Example 3-34. ASA as DHCP Server and IOS as DHCP Client

! Displaying dhcpd configuration on ASA
ASA5505# show running-config dhcpd
dhcpd auto_config outside
**auto-config from interface 'outside'
**auto_config dns 172.16.250.250
**auto_config domain outside.net
!
dhcpd address 172.16.201.60-172.16.201.69 dmz
dhcpd enable dmz
!
! Summary information about DHCP Services enabled on ASA
ASA5505# show dhcpd state
Context  Configured as DHCP Server
Interface mgmt, Not Configured for DHCP
Interface dmz, Configured for DHCP SERVER
Interface outside, Configured for DHCP CLIENT
!
! Displaying information about the DHCP lease on the IOS client
DMZ# show dhcp lease
Temp IP addr: 172.16.201.60  for peer on Interface: FastEthernet4.201
Temp  sub net mask: 255.255.255.0
   DHCP Lease server: 172.16.201.2, state: 5 Bound
   DHCP transaction id: 1E88
   Lease: 3600 secs,  Renewal: 1800 secs,  Rebind: 3150 secs
Temp default-gateway addr: 172.16.201.2
   Next timer fires after: 00:17:52
   Retry count: 0   Client-ID: cisco-0014.f2e3.7df6-Fa4.201
   Client-ID hex dump: 636973636F2D303031342E663265332E
                       376466362D4661342E323031
   Hostname: DMZ
!
! The default route learned through DHCP is visible on the IOS routing table
DMZ# show ip route | begin Gateway
Gateway of last resort is 172.16.201.2 to network 0.0.0.0
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.201.0 is directly connected, FastEthernet4.201
S*   0.0.0.0/0 [254/0] via 172.16.201.2
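The following Python model is an added example and is not code from the book or from Cisco; it reproduces the effect of the pool and excluded-address lines of Example 3-33 (why the ASA ends up with 172.16.200.41 and nothing below .41 or above .49) and the Renewal/Rebind timers the DMZ client prints in Example 3-34. The client identifier "asa-outside", the 3600-second lease on the OUT router and the lowest-free allocation order are assumptions made for the illustration.

```python
"""Added example (not from the book): a model of the OUT router's pool in
Example 3-33. It shows why the ASA received 172.16.200.41: 'network' covers
the whole /24, but the two 'ip dhcp excluded-address' lines remove .1-.40 and
.50-.255, so only .41-.49 can be offered. lease_timers() reproduces the
Renewal/Rebind values the DMZ client prints in Example 3-34, which are the
RFC 2131 defaults of 50 % (T1) and 87.5 % (T2) of the lease time."""
import ipaddress
from dataclasses import dataclass, field


def parse_excluded(config_lines):
    """Turn 'ip dhcp excluded-address FIRST [LAST]' lines into (first, last) ranges."""
    ranges = []
    for line in config_lines:
        parts = line.split()
        if parts[:3] != ["ip", "dhcp", "excluded-address"]:
            continue
        first = ipaddress.IPv4Address(parts[3])
        last = ipaddress.IPv4Address(parts[4]) if len(parts) > 4 else first
        ranges.append((first, last))
    return ranges


@dataclass
class DhcpPool:
    name: str
    network: ipaddress.IPv4Network
    excluded: list                                 # output of parse_excluded()
    default_router: str
    dns_server: str
    domain_name: str
    lease_secs: int = 3600                         # assumed value, used only for the timers
    bindings: dict = field(default_factory=dict)   # client_id -> IPv4Address

    def assignable(self):
        """Addresses the pool can offer right now, lowest first."""
        return [a for a in self.network.hosts()
                if not any(lo <= a <= hi for lo, hi in self.excluded)
                and a not in self.bindings.values()]

    def offer(self, client_id):
        """Existing binding for this client, else the lowest free address (assumed order),
        together with the parameters the pool hands out."""
        if client_id not in self.bindings:
            free = self.assignable()
            if not free:
                raise RuntimeError(f"pool {self.name} exhausted")
            self.bindings[client_id] = free[0]
        t1, t2 = lease_timers(self.lease_secs)
        return {"address": str(self.bindings[client_id]), "mask": str(self.network.netmask),
                "gateway": self.default_router, "dns": self.dns_server,
                "domain": self.domain_name, "lease": self.lease_secs, "renewal": t1, "rebind": t2}


def lease_timers(lease_secs):
    """(T1 renewal, T2 rebind) with the RFC 2131 default ratios."""
    return lease_secs // 2, lease_secs * 7 // 8


# Pool definition copied from the OUT router in Example 3-33
OUT_CONFIG = [
    "ip dhcp excluded-address 172.16.200.1 172.16.200.40",
    "ip dhcp excluded-address 172.16.200.50 172.16.200.255",
]
OUT1 = DhcpPool(name="OUT1", network=ipaddress.IPv4Network("172.16.200.0/24"),
                excluded=parse_excluded(OUT_CONFIG), default_router="172.16.200.200",
                dns_server="172.16.250.250", domain_name="outside.net")

if __name__ == "__main__":
    print("assignable:", [str(a) for a in OUT1.assignable()])
    print("offer to ASA:", OUT1.offer("asa-outside"))   # "asa-outside" is a made-up client id
```

Running the module prints the nine assignable addresses and an offer for 172.16.200.41 carrying the gateway, DNS server and domain name from the pool; a second client would get .42, and the timers for a 3600-second lease come out as 1800/3150 seconds, matching the DMZ router's lease display.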

Figure 3-12 represents a sample topology used for the investigation of the DHCP Relay feature. When acting as a DHCP Relay, a Layer 3 device (a router or a network firewall, for instance) converts the broadcast packets from clients into unicast packets destined for a DHCP server located on a different subnet. The relay then receives the replies from the server and forwards them back to the originating client.

Figure 3-12 Reference Topology for Analysis of DHCP Relay Operation

Example 3-35 refers to the internetwork of Figure 3-12, where the ASA relays DHCP packets from clients that reside on interface dmz (subnet 172.16.201.0/24) to the server 172.16.200.200, reachable through the outside interface. Notice that the server (the OUT router) has a pool that offers addresses from the 172.16.201.0/24 subnet, the subnet where the relayed clients reside. (In the example, the DMZ router receives the address 172.16.201.51/24.)

Example 3-35. ASA Acting as a DHCP Relay Between Two IOS Devices

! ASA acts as a DHCP Relay that points to server 172.16.200.200
ASA5505# show running-config dhcprelay
dhcprelay server 172.16.200.200 outside
dhcprelay enable dmz
dhcprelay setroute dmz
dhcprelay timeout 60
!
! Enabling the DHCP Client on IOS
DMZ(config)# interface f4.201
DMZ(config-subif)# ip address dhcp
DHCP: DHCP client process started: 10
RAC: Starting DHCP discover on FastEthernet4.201
DHCP: Try 1 to acquire address for FastEthernet4.201
[ output suppressed]
                B'cast on FastEthernet4.201 interface from 0.0.0.0
DHCP: Received a BOOTREP pkt
DHCP: offer received from 172.16.200.200
[ output suppressed]
Allocated IP address = 172.16.201.51  255.255.255.0
%DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet4.201 assigned DHCP address 172.16.201.51, mask 255.255.255.0, hostname DMZ
DHCP Client Pooling: ***Allocated IP address: 172.16.201.51
!
! Viewing the IP Addresses obtained through DHCP
DMZ# show ip interface brief | include DHCP|Method
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet4.201          172.16.201.51   YES DHCP   up                    up
!
! DHCP Relay messages on ASA
DHCPD: Relay msg received, fip=ANY, fport=0 on dmz interface
DHCPD: setting giaddr to 172.16.201.2.
dhcpd_forward_request: request from 0063.6973.636f.2d30.3031.342e.6632.6533.2e37.6466.362d.4661.342e.3230.31 forwarded to 172.16.200.200.
DHCPD/RA: Punt 172.16.200.200/17152 --> 172.16.201.2/17152 to CP
DHCPD: Relay msg received, fip=ANY, fport=0 on outside interface
DHCPRA: forwarding reply to client 0063.6973.636f.2d30.3031.342e.6632.6533.2e37.6466.362d.4661.342e.3230.31.
DHCPD: Relay msg received, fip=ANY, fport=0 on dmz interface
DHCPD: setting giaddr to 172.16.201.2.
!
! Summary information about DHCP Relay function on ASA
ASA5505# show dhcprelay state
Context  Configured as DHCP Relay
Interface mgmt, Not Configured for DHCP
Interface dmz, Configured for DHCP RELAY SERVER
Interface outside, Configured for DHCP RELAY
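To make the relay mechanics of Example 3-35 concrete, here is an added byte-level model written for this page; it is not code from the book, from Cisco or from any ASA component. It builds a DISCOVER the way the DMZ router would (the MAC and Client-ID come from the Client-ID string shown in Example 3-34; everything else in the packet is constructed), has a relay stamp giaddr with 172.16.201.2 and unicast the packet to 172.16.200.200, and has a server select the 172.16.201.0/24 pool from giaddr rather than from the packet's source address, which is why the OUT router needs a pool for a subnet it is not attached to. The client identifier is rendered the way the ASA debug prints it (dotted two-byte hex groups, with the leading 00 type byte of a non-hardware identifier) and the way IOS prints it (the plain text). The Relay and Server classes, their method names and the log line format are this example's own inventions. (As an aside on the debug output above: 17152 is 0x4300, port 67 with its two bytes swapped.)

```python
"""Added example (not from the book): byte-level model of the relay exchange in
Example 3-35. The client on dmz broadcasts a DISCOVER; the relay stamps giaddr
with its dmz address and unicasts the packet to the configured server; the server
chooses the pool from giaddr (not from the packet's source) and returns the OFFER
to giaddr; the relay hands it to the client."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END = 53, 61, 255
DISCOVER, OFFER = 1, 2
SERVER_PORT, CLIENT_PORT = 67, 68

def build_bootp(op, xid, giaddr, yiaddr, chaddr, options):
    """RFC 2131 fixed header (236 bytes) + magic cookie + TLV options + END."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      op, 1, 6, 0, xid, 0, 0x8000,    # htype Ethernet, broadcast flag set
                      b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed, b"\0" * 4,
                      ipaddress.IPv4Address(giaddr).packed, chaddr, b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC_COOKIE + body + bytes([OPT_END])

def parse_options(pkt):
    """Return {code: value} for the option area; pad bytes (0) are skipped."""
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def xid_of(pkt):    return struct.unpack("!I", pkt[4:8])[0]
def yiaddr_of(pkt): return ipaddress.IPv4Address(pkt[16:20])
def giaddr_of(pkt): return ipaddress.IPv4Address(pkt[24:28])
def set_giaddr(pkt, addr): return pkt[:24] + ipaddress.IPv4Address(addr).packed + pkt[28:]

def ios_client_id(raw):
    """Option 61 as the logs print it: dotted 2-byte hex groups, plus the text
    form when the type byte is 0 (IOS uses 'cisco-<mac>-<ifname>' strings)."""
    dotted = ".".join(raw[i:i + 2].hex() for i in range(0, len(raw), 2))
    text = raw[1:].decode("ascii") if raw and raw[0] == 0 else None
    return dotted, text

class Relay:
    """'dhcprelay server <addr> outside' plus 'dhcprelay enable dmz', in miniature."""
    def __init__(self, dmz_addr, server):
        self.dmz_addr, self.server, self.log = dmz_addr, server, []

    def to_server(self, pkt):
        if giaddr_of(pkt) == ipaddress.IPv4Address("0.0.0.0"):   # first relay stamps giaddr
            pkt = set_giaddr(pkt, self.dmz_addr)
        cid = parse_options(pkt).get(OPT_CLIENT_ID, pkt[28:34])
        self.log.append(f"request from {ios_client_id(cid)[0]} forwarded to {self.server}")
        return self.server, SERVER_PORT, pkt       # unicast to the server, no longer a broadcast

    def to_client(self, pkt):
        if giaddr_of(pkt) != ipaddress.IPv4Address(self.dmz_addr):
            return None                            # reply is not for a client behind this relay
        return "255.255.255.255", CLIENT_PORT, pkt  # client has no address yet: broadcast on dmz

class Server:
    """Pool selection by giaddr, as RFC 2131 section 4.3.1 requires."""
    def __init__(self, pools):                     # {IPv4Network: [free IPv4Address, ...]}
        self.pools = pools

    def handle(self, pkt):
        if parse_options(pkt).get(OPT_MSG_TYPE) != bytes([DISCOVER]):
            return None
        gi = giaddr_of(pkt)
        pool = next((free for net, free in self.pools.items() if gi in net), None)
        if not pool:
            return None                            # no pool for that subnet, or exhausted
        yi = pool.pop(0)
        offer = build_bootp(BOOTREPLY, xid_of(pkt), str(gi), str(yi), pkt[28:44],
                            [(OPT_MSG_TYPE, bytes([OFFER]))])
        return str(gi), SERVER_PORT, offer         # replies go to giaddr on port 67

def run_exchange():
    """Constructed DISCOVER from the DMZ router, using the Client-ID of Example 3-34."""
    client_id = b"\x00" + b"cisco-0014.f2e3.7df6-Fa4.201"
    discover = build_bootp(BOOTREQUEST, 0x1E88, "0.0.0.0", "0.0.0.0", bytes.fromhex("0014f2e37df6"),
                           [(OPT_MSG_TYPE, bytes([DISCOVER])), (OPT_CLIENT_ID, client_id)])
    relay = Relay("172.16.201.2", "172.16.200.200")
    server = Server({ipaddress.IPv4Network("172.16.200.0/24"): [ipaddress.IPv4Address("172.16.200.41")],
                     ipaddress.IPv4Network("172.16.201.0/24"): [ipaddress.IPv4Address("172.16.201.51")]})
    dst, port, fwd = relay.to_server(discover)
    reply_dst, reply_port, offer = server.handle(fwd)
    return {"forwarded_to": (dst, port), "reply_to": (reply_dst, reply_port),
            "offered": str(yiaddr_of(offer)), "delivered": relay.to_client(offer) is not None,
            "client_id": ios_client_id(client_id), "log": relay.log}
```

Calling run_exchange() returns the forwarding target (172.16.200.200, port 67), the address the server replies to (172.16.201.2, port 67, the giaddr), the offered address 172.16.201.51 and the client identifier in both its dotted-hex form (identical to the string in the dhcpd_forward_request line) and its text form (identical to the Client-ID on the DMZ router). A reply whose giaddr is not the relay's own dmz address is dropped by to_client, and a DISCOVER arriving with a giaddr that matches no pool gets no offer, which is the situation the OUT router would be in without its 172.16.201.0/24 pool.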