DHCP Server Configuration
A DHCP server (dynamic address allocation) is a service that is part of most modern Catalyst switches (more precisely, of today's IOS versions) and also of routers. By default the service is enabled but has no parameters set, so it does not allocate any addresses.
SWITCH(config)#service dhcp // enables the DHCP service (on by default; no service dhcp turns it off, which also stops the relay agent)
Address Pool Configuration
To allocate addresses, we need to create a DHCP Pool and set the desired parameters. We can create several of these Pools, typically one for each VLAN in which we want to allocate addresses.
SWITCH(config)#ip dhcp pool net1 // creates a pool named net1
Creating a named pool puts us into DHCP pool configuration mode, where we set its parameters.
SWITCH(dhcp-config)#network 192.168.190.0 255.255.255.0 // the address range; specified with a mask or in CIDR form (e.g., /24)
SWITCH(dhcp-config)#default-router 192.168.190.1 // gateway address (option 3)
SWITCH(dhcp-config)#domain-name mydomain.tld // sets the DNS domain name to mydomain.tld
SWITCH(dhcp-config)#dns-server 192.168.190.9 192.168.190.8 // DNS server addresses (1 to 8 addresses, option 6)
SWITCH(dhcp-config)#netbios-name-server 192.168.190.9 // WINS server addresses (again up to 8, option 44)
SWITCH(dhcp-config)#netbios-node-type h-node // NetBIOS node type; for Microsoft clients specify hybrid (h-node)
SWITCH(dhcp-config)#lease 30 // lease of 30 days; for shorter times the format is days hours minutes (e.g., 0 0 10 = 10 minutes), and lease infinite never expires
SWITCH(dhcp-config)#option 150 ip 192.168.190.20 // any other option the server should hand to clients; here the TFTP server address used by Cisco IP phones
Address Exclusion
Usually, we do not want to allocate addresses from the entire subnet range, so we can set excluded (non-allocated) addresses.
SWITCH(config)#ip dhcp excluded-address 192.168.190.0 192.168.190.10 // excludes addresses .0 through .10 (inclusive) from allocation; exclusions are global, not per pool
Address Reservation
Another common feature of a DHCP server is the ability to reserve an address for a specific computer based on its MAC address (a manual binding). Whenever that client requests an IP address, it always gets the reserved one. On Cisco IOS a separate pool must be created for each reservation.
SWITCH(config)#ip dhcp pool client1 // creates a pool named client1
SWITCH(dhcp-config)#client-name wbouskap // optional client name, without the domain
SWITCH(dhcp-config)#host 192.168.190.9 255.255.255.0 // the client's address together with its subnet (mask or CIDR)
SWITCH(dhcp-config)#hardware-address 0012.1759.b073 ieee802 // MAC address and hardware type, matched against the chaddr field; used for BOOTP clients (the keyword ethernet is the other accepted type)
// or, for DHCP clients (Microsoft clients and most others), the client identifier
SWITCH(dhcp-config)#client-identifier 0100.1217.59b0.73 // the MAC address prefixed with the hardware type (01 = Ethernet), which shifts the dotted grouping by one byte
Note: Because parameters are inherited from the pool whose network contains the reservation's subnet, we do not need to specify all parameters in the reservation pool; the missing ones (gateway, DNS, lease, ...) are taken from that pool.
How to Assign a Pool to a VLAN
Someone might wonder how, with several DHCP pools, addresses get assigned to the different requests. A simple and common method is used (similar to the Microsoft DHCP server).
The server looks at the IP address of the interface on which the request arrived, or, for a request that came through a relay agent, at the relay's address carried in the giaddr field, and picks the pool whose network contains that address. If no such pool exists, the request is ignored (no offer is sent). This implies an important property: each VLAN in which we want to allocate addresses must have its own IP address configured on the switch where the DHCP service runs (a routed VLAN interface), or a relay agent must forward the requests from it.
Information from the DHCP Server
When an IP address is allocated to a computer, a record is created, known as a DHCP binding, which contains the IP address and the MAC address or client identifier (plus lease expiry and the pool type).
SWITCH#show ip dhcp binding // list of allocated addresses (bindings)
SWITCH#clear ip dhcp binding * // clears all bindings (or give one address instead of *)
SWITCH#show ip dhcp conflict // addresses found in use by the server's ping check or reported by a client DHCPDECLINE; they are not allocated until cleared
SWITCH#clear ip dhcp conflict * // clears the conflict list
SWITCH#show ip dhcp pool // pool information (size, excluded and leased counts)
SWITCH#show ip dhcp server statistics // server statistics (message counters)
In case of problems, we can debug communication by enabling debugging.
SWITCH#debug ip dhcp server packets // shows every DHCP message the server receives and sends
SWITCH#debug ip dhcp server events // shows pool selection, binding creation and lease expiry (turn off again with undebug all)
The sequence of messages in a successful allocation is:
- client DHCPDISCOVER
- server DHCPOFFER
- client DHCPREQUEST
- server DHCPACK
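The four messages above in their actual wire format (RFC 2131 header plus RFC 2132 options), as an added example that is not part of the original article. It encodes and decodes a DISCOVER/OFFER/REQUEST/ACK exchange for the article's pool net1, so the fields printed by "debug ip dhcp server packets" (xid, yiaddr, giaddr, chaddr, options 53/54/51/3/6/150) can be related to the bytes. The MAC, transaction id and offered address are constructed; note that option 61 built here is exactly the 0100.1217.59b0.73 client-identifier form used in the reservation section.

```python
"""Byte-level DHCP DISCOVER/OFFER/REQUEST/ACK exchange (RFC 2131/2132).
Added example with constructed values; not code from the article."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
TYPE_NAMES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK"}


def _ip(s):
    """Dotted-quad string -> 4 packed bytes."""
    return ipaddress.IPv4Address(s).packed


def build(op, xid, chaddr, options, ciaddr="0.0.0.0", yiaddr="0.0.0.0",
          siaddr="0.0.0.0", giaddr="0.0.0.0", flags=0x8000):
    """op 1 = BOOTREQUEST (client), 2 = BOOTREPLY (server).  htype 1 = Ethernet,
    hlen 6.  flags 0x8000 asks the server to broadcast the reply, because the
    client has no address yet.  options is a list of (code, value_bytes)."""
    fixed = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, flags)
    fixed += _ip(ciaddr) + _ip(yiaddr) + _ip(siaddr) + _ip(giaddr)
    fixed += bytes.fromhex(chaddr).ljust(16, b"\x00")   # chaddr padded to 16
    fixed += b"\x00" * 192                              # sname (64) + file (128)
    opts = b"".join(struct.pack("!BB", code, len(v)) + v for code, v in options)
    return fixed + MAGIC_COOKIE + opts + b"\xff"        # 0xff = end option


def parse(pkt):
    """Decode the fixed header and the option TLVs into a dict."""
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    addrs = [str(ipaddress.IPv4Address(pkt[i:i + 4])) for i in range(12, 28, 4)]
    chaddr = pkt[28:28 + hlen].hex()
    assert pkt[236:240] == MAGIC_COOKIE, "not a DHCP packet"
    options, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xff:
        if pkt[i] == 0:                 # pad option, no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "flags": flags, "ciaddr": addrs[0],
            "yiaddr": addrs[1], "siaddr": addrs[2], "giaddr": addrs[3],
            "chaddr": chaddr, "options": options}


def dora_exchange(xid=0x3903F326, mac="00121759b073", offered="192.168.190.11"):
    """Return the four messages of one allocation, parsed, in order."""
    client_id = b"\x01" + bytes.fromhex(mac)       # option 61: htype 1 + MAC
    discover = build(1, xid, mac, [(53, bytes([DISCOVER])), (61, client_id),
                                   (55, bytes([1, 3, 6, 150]))])  # parameter list
    # what the article's pool net1 would hand out (constructed to match it)
    server_opts = [(54, _ip("192.168.190.1")),               # server identifier
                   (51, struct.pack("!I", 30 * 86400)),      # lease 30 days
                   (1, _ip("255.255.255.0")),                # subnet mask
                   (3, _ip("192.168.190.1")),                # default-router
                   (6, _ip("192.168.190.9") + _ip("192.168.190.8")),  # dns-server
                   (150, _ip("192.168.190.20"))]             # option 150 ip (TFTP)
    offer = build(2, xid, mac, [(53, bytes([OFFER]))] + server_opts, yiaddr=offered)
    request = build(1, xid, mac, [(53, bytes([REQUEST])), (61, client_id),
                                  (50, _ip(offered)),            # requested address
                                  (54, _ip("192.168.190.1"))])   # chosen server
    ack = build(2, xid, mac, [(53, bytes([ACK]))] + server_opts, yiaddr=offered)
    return [parse(p) for p in (discover, offer, request, ack)]


def summarize(msg):
    """One line per message, roughly what a packet debug shows."""
    name = TYPE_NAMES[msg["options"][53][0]]
    return (f"{name} xid={msg['xid']:#x} chaddr={msg['chaddr']} "
            f"yiaddr={msg['yiaddr']} giaddr={msg['giaddr']}")


if __name__ == "__main__":
    for m in dora_exchange():
        print(summarize(m))
```

The giaddr field stays 0.0.0.0 here because the client and server share the VLAN; a relay agent would fill it in with its own interface address, and that is what the server's pool selection keys on.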
Switch Address from DHCP
A bit off-topic but related to DHCP: the switch itself can request an address from a DHCP server. In practice, however, I recommend setting the address statically; a management address obtained over DHCP is only as reliable as the DHCP server that handed it out.
SWITCH(config-if)#ip address dhcp // interface gets an address from DHCP
DHCP Relay Agent
A request for an address is sent as a broadcast, which means the DHCP server must be in the same broadcast domain (subnet/VLAN) as the client. This is often inconvenient in practice (for example, we want a single central DHCP server). Therefore we can use a DHCP relay agent, which typically runs on the router (in a local network usually an L3 switch). It receives the broadcast request, fills its own interface address into the giaddr field, and sends the request as a unicast to the designated DHCP server. Conversely, it receives the server's unicast reply and passes it on to the client.
Note: For the relay agent to work, the DHCP service (service dhcp) must be enabled; it controls both the server and the relay and is on by default.
So the relay agent is running, but to make it actually do anything we need to set the address of the DHCP server to which it should forward requests. On Cisco this address is called a helper address. Since we can have several DHCP servers, or run a server on the switch for some subnets, we do not set this address globally but per interface, which is most often a VLAN interface. An important requirement is that this interface (VLAN) must have an IP address set, because that address becomes giaddr and selects the pool on the server.
SWITCH(config-if)#ip helper-address 192.168.10.10 // unicast address of the DHCP server (or the directed broadcast address of its subnet) to which requests are forwarded; repeat for several servers
The helper address forwards UDP broadcasts received on the interface. It is not limited to DHCP: by default it forwards BOOTP/DHCP (67, 68), DNS (53), time service (37), TFTP (69), TACACS (49), NetBIOS (137, 138) and IEN-116 name service (42). If only DHCP is wanted, the other ports can be switched off with no ip forward-protocol udp <port> so the helper does not become a path for unrelated broadcasts into the server's subnet.
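A model of the pool selection described in the section "How to Assign a Pool to a VLAN" together with what the relay agent in this section does to a request, as an added example that is not part of the original article and not a description of IOS internals. The pools, the excluded range and the reservation are constructed to mirror the article's configuration (net1, client1, excluded .0 to .10), plus a second constructed pool net2 behind a relay whose interface is 192.168.20.1; the client identifiers other than 0100.1217.59b0.73 are made up.

```python
"""How an IOS-style DHCP server picks a pool: by the address of the ingress
interface, or by the relay agent's giaddr for a relayed request, and then a
free address from that pool minus exclusions and existing bindings.
Added example with constructed pools; not IOS code."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Pool:
    name: str
    network: ipaddress.IPv4Network
    default_router: str = ""
    dns_servers: list = field(default_factory=list)
    lease_days: int = 0          # 0 = not set, inherit from the parent pool
    host: str = ""               # reservation pool: the fixed address (host cmd)
    client_id: str = ""          # reservation pool: client-identifier to match


class DhcpServer:
    def __init__(self, pools, excluded=()):
        self.pools = pools
        self.excluded = {ipaddress.IPv4Address(a) for a in excluded}  # global
        self.bindings = {}       # ip -> client_id, like 'show ip dhcp binding'

    def select_pool(self, ingress_ip, giaddr, client_id):
        # giaddr != 0.0.0.0 means a relay forwarded the request, so the relay
        # interface address, not the server's own interface, selects the pool.
        key = ipaddress.IPv4Address(giaddr if giaddr != "0.0.0.0" else ingress_ip)
        reserved = [p for p in self.pools if p.client_id == client_id and key in p.network]
        generic = [p for p in self.pools if not p.client_id and key in p.network]
        return (reserved or generic or [None])[0]

    def handle_discover(self, ingress_ip, client_id, giaddr="0.0.0.0"):
        """Return the offer parameters, or None when the request is ignored."""
        pool = self.select_pool(ingress_ip, giaddr, client_id)
        if pool is None:
            return None                      # no pool for that subnet: ignored
        if pool.host:                        # manual binding wins over exclusions
            ip = ipaddress.IPv4Address(pool.host)
        else:
            free = (h for h in pool.network.hosts()
                    if h not in self.excluded and str(h) not in self.bindings)
            ip = next(free, None)
            if ip is None:
                return None                  # pool exhausted
        # A reservation pool inherits what it does not set from the network
        # pool containing its subnet (the article's note on inheritance).
        parent = next((p for p in self.pools if not p.client_id
                       and pool.network.subnet_of(p.network)), pool)
        self.bindings[str(ip)] = client_id
        return {"yiaddr": str(ip), "mask": str(pool.network.netmask),
                "router": pool.default_router or parent.default_router,
                "dns": pool.dns_servers or parent.dns_servers,
                "lease_days": pool.lease_days or parent.lease_days,
                "reply_to": giaddr if giaddr != "0.0.0.0" else "broadcast"}


def relay(request, relay_if_ip, helper_address):
    """What 'ip helper-address' does: turn the client's broadcast into a unicast
    to the helper, with giaddr set to the relay interface unless an earlier
    hop already set it."""
    fwd = dict(request)
    if fwd.get("giaddr", "0.0.0.0") == "0.0.0.0":
        fwd["giaddr"] = relay_if_ip
    fwd["dst"] = helper_address
    return fwd


def demo():
    net1 = Pool("net1", ipaddress.IPv4Network("192.168.190.0/24"),
                default_router="192.168.190.1",
                dns_servers=["192.168.190.9", "192.168.190.8"], lease_days=30)
    net2 = Pool("net2", ipaddress.IPv4Network("192.168.20.0/24"),      # constructed
                default_router="192.168.20.1", dns_servers=["192.168.190.9"], lease_days=1)
    client1 = Pool("client1", ipaddress.IPv4Network("192.168.190.0/24"),
                   host="192.168.190.9", client_id="0100.1217.59b0.73")
    srv = DhcpServer([net1, net2, client1],
                     excluded=[f"192.168.190.{i}" for i in range(11)] + ["192.168.20.1"])
    # 1) client directly on VLAN 190; the server's VLAN interface is 192.168.190.1
    a = srv.handle_discover("192.168.190.1", "0100.aaaa.bbbb.cc")
    # 2) the reserved client on the same VLAN
    b = srv.handle_discover("192.168.190.1", "0100.1217.59b0.73")
    # 3) client on VLAN 20 behind a relay with 'ip helper-address 192.168.190.1'
    req = relay({"client_id": "0100.dddd.eeee.ff", "giaddr": "0.0.0.0"},
                relay_if_ip="192.168.20.1", helper_address="192.168.190.1")
    c = srv.handle_discover("192.168.190.1", req["client_id"], req["giaddr"])
    # 4) request arriving on an interface whose subnet has no pool: ignored
    d = srv.handle_discover("10.9.9.1", "0100.1111.2222.33")
    return a, b, c, d


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Case 3 is why the relay interface needs an IP address: with giaddr empty the server would key on its own 192.168.190.1 interface and hand a VLAN 20 client an address from net1. Case 2 follows the article's configuration, in which .9 is both excluded and reserved: the manual binding is handed out regardless of the exclusion.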
DHCP Snooping
DHCP Snooping is available in newer IOS versions. It is a security feature that filters untrusted DHCP messages: replies from rogue DHCP servers and forged client requests.
The idea is that once it is enabled, all ports are considered untrusted and we mark some as trusted. The port toward the DHCP server must be trusted, as must the uplinks between switches (trunks), because the server's replies arrive through them. If a server message (DHCPOFFER, DHCPACK, DHCPNAK) arrives on an untrusted port, it is discarded, so a server plugged into an access port cannot hand out addresses. On untrusted ports the switch also checks that the client MAC inside the request (chaddr) matches the source MAC of the frame, which stops a host from exhausting the pool with forged requests.
At the same time, a DHCP Snooping Binding Database is built, containing every allocated IP address together with the MAC address, VLAN, lease time and interface. Traffic arriving on an untrusted interface can then be checked against this database (by IP Source Guard and Dynamic ARP Inspection) and discarded if it does not match a binding.
First, we need to enable the DHCP Snooping feature on the switch
SWITCH(config)#ip dhcp snooping
Then we specify which VLANs the feature will be enabled on
SWITCH(config)#ip dhcp snooping vlan 1-999 // one VLAN, a comma-separated list, or a range
Next (ideally before enabling the feature globally, so that the legitimate server is not blocked in the meantime), we mark the trusted ports, which is done directly on the port.
SWITCH(config-if)#ip dhcp snooping trust
The bindings are kept in memory in any case; if we want them to survive a reload (otherwise every client would have to renew before IP Source Guard lets its traffic through again), we enable the database agent and specify where the database is stored.
SWITCH(config)#ip dhcp snooping database flash:/dhcpbind.txt // location of the DB; here a file in flash, but it can also be FTP, TFTP, HTTP or RCP (writing to flash repeatedly wears it out, so a network location is preferable)
To subsequently block unauthorized IP (and optionally MAC) addresses on ports, we use the IP Source Guard feature, configured on the access port. It only admits traffic whose source address has a binding on that port and VLAN; DHCP traffic itself is still allowed so a new client can obtain a lease.
SWITCH(config-if)#ip verify source // filters by source IP address only (a host may still spoof another bound host's IP with its own MAC)
SWITCH(config-if)#ip verify source port-security // filters by source IP and MAC; requires switchport port-security on the port
Note: There are many other commands for configuring DHCP Snooping, for example ip dhcp snooping limit rate on a port to cap the DHCP packet rate, ip dhcp snooping verify mac-address (on by default) for the chaddr check, and no ip dhcp snooping information option if a non-Cisco server drops requests carrying the inserted option 82.
Displaying information (the binding table itself is shown with show ip dhcp snooping binding)
SWITCH#show ip dhcp snooping // global state, snooped VLANs, trusted ports
SWITCH#show ip verify source // IP Source Guard state and the filters active per port
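A model of the checks this section describes, as an added example that is not part of the original article: it is not how IOS implements snooping, only the rules as stated here (server messages dropped on untrusted ports, chaddr checked against the source MAC, bindings learned from ACKs, and IP Source Guard in its two modes). The port names, MACs and addresses are constructed; the client MAC 0012.1759.b073 is the one from the article.

```python
"""DHCP Snooping + IP Source Guard decision model.  Added example with
constructed frames; mirrors the article's description, not IOS code."""
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


@dataclass
class Frame:
    port: str
    vlan: int
    src_mac: str
    src_ip: str = "0.0.0.0"
    dhcp: str = ""          # DHCP message type, or "" for ordinary IP traffic
    chaddr: str = ""        # client hardware address inside the DHCP payload
    yiaddr: str = ""        # address assigned in OFFER/ACK


@dataclass
class SnoopingSwitch:
    snooped_vlans: set                      # ip dhcp snooping vlan ...
    trusted_ports: set                      # ip dhcp snooping trust
    verify_mac: bool = True                 # ip dhcp snooping verify mac-address
    ipsg_ports: dict = field(default_factory=dict)  # port -> "ip" | "ip-mac"
    bindings: dict = field(default_factory=dict)    # (mac, vlan) -> (ip, port)
    pending: dict = field(default_factory=dict)     # (mac, vlan) -> client port
    log: list = field(default_factory=list)

    def _drop(self, f, reason):
        self.log.append(f"DROP {f.port} vlan{f.vlan} {f.dhcp or 'IP'}: {reason}")
        return False

    def process(self, f):
        """Return True if the frame is forwarded, False if it is dropped."""
        return self._snoop(f) if f.dhcp else self._source_guard(f)

    def _snoop(self, f):
        if f.vlan not in self.snooped_vlans:
            return True                                  # feature not active here
        trusted = f.port in self.trusted_ports
        if f.dhcp in SERVER_MSGS and not trusted:
            return self._drop(f, "server message on untrusted port (rogue DHCP server)")
        if f.dhcp in CLIENT_MSGS and not trusted:
            if self.verify_mac and f.chaddr != f.src_mac:
                return self._drop(f, "chaddr differs from source MAC (forged request)")
            self.pending[(f.chaddr, f.vlan)] = f.port    # remember the client's port
        if f.dhcp == "ACK" and (f.chaddr, f.vlan) in self.pending:
            self.bindings[(f.chaddr, f.vlan)] = (f.yiaddr, self.pending[(f.chaddr, f.vlan)])
        elif f.dhcp == "RELEASE":
            self.bindings.pop((f.chaddr, f.vlan), None)
        return True

    def _source_guard(self, f):
        mode = self.ipsg_ports.get(f.port)
        if mode is None:
            return True
        bound = [mac for (mac, vlan), (ip, port) in self.bindings.items()
                 if vlan == f.vlan and port == f.port and ip == f.src_ip]
        if not bound:
            return self._drop(f, f"no DHCP binding for {f.src_ip} on this port")
        if mode == "ip-mac" and f.src_mac not in bound:   # ip verify source port-security
            return self._drop(f, f"{f.src_ip} is bound to a different MAC")
        return True


def demo():
    sw = SnoopingSwitch(snooped_vlans={190}, trusted_ports={"Gi1/0/48"},
                        ipsg_ports={"Gi1/0/1": "ip", "Gi1/0/2": "ip-mac"})
    c1, c2, srv, rogue = "0012.1759.b073", "0012.1759.b074", "0000.0c07.ac01", "c0ff.eec0.ffee"
    results = [
        # legitimate exchange: client on Gi1/0/1, server reached via uplink Gi1/0/48
        sw.process(Frame("Gi1/0/1", 190, c1, dhcp="DISCOVER", chaddr=c1)),
        sw.process(Frame("Gi1/0/48", 190, srv, dhcp="OFFER", chaddr=c1, yiaddr="192.168.190.11")),
        sw.process(Frame("Gi1/0/1", 190, c1, dhcp="REQUEST", chaddr=c1)),
        sw.process(Frame("Gi1/0/48", 190, srv, dhcp="ACK", chaddr=c1, yiaddr="192.168.190.11")),
        # a home router plugged in backwards answers clients from an access port
        sw.process(Frame("Gi1/0/7", 190, rogue, dhcp="OFFER", chaddr=c1, yiaddr="10.0.0.5")),
        # a host tries to exhaust the pool with requests carrying a forged chaddr
        sw.process(Frame("Gi1/0/7", 190, rogue, dhcp="DISCOVER", chaddr="dead.beef.0001")),
        # second client on the port-security style port
        sw.process(Frame("Gi1/0/2", 190, c2, dhcp="DISCOVER", chaddr=c2)),
        sw.process(Frame("Gi1/0/48", 190, srv, dhcp="ACK", chaddr=c2, yiaddr="192.168.190.12")),
        # IP Source Guard: the leased address from its port passes ...
        sw.process(Frame("Gi1/0/1", 190, c1, src_ip="192.168.190.11")),
        # ... a statically set, never leased address does not ...
        sw.process(Frame("Gi1/0/1", 190, c1, src_ip="192.168.190.1")),
        # ... 'ip verify source' alone still accepts the bound IP from another MAC ...
        sw.process(Frame("Gi1/0/1", 190, rogue, src_ip="192.168.190.11")),
        # ... while the port-security variant rejects it
        sw.process(Frame("Gi1/0/2", 190, rogue, src_ip="192.168.190.12")),
    ]
    return results, sw.log, sw.bindings


if __name__ == "__main__":
    results, log, bindings = demo()
    print(results)
    print("\n".join(log))
```

The second-to-last frame is the reason the article offers the port-security variant: with IP-only filtering, a host that learns a neighbour's leased address can still use it from the same port.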
I wonder what you meant by DHCP Relay? On a switch there is no need to permit any broadcasts; those are only stopped by L3 devices, or do you mean an L3 switch?
(quoting: "Therefore a DHCP Relay Agent can be used, which typically runs on a router (which in a local network is usually a switch).") ??????
shortty@seznam.cz
respond to [1]shortty: Well, I think it is described clearly enough in the article, and in your question you answer it yourself.
If I use a switch for routing (which today is much more common than using a router, which is too slow), then I use the DHCP Relay Agent on it. And yes, I mean an L3 switch (if we use that designation).
And what if I have a large wireless network where the switches are interconnected by PtP links but are all in the same subnet? There are about 500 users on that network, and now and then some clueless person plugs a router in "backwards" into the internal network and thereby lets a DHCP server loose in my network. Would a DHCP agent help with that somehow? So that the rule is that only THAT SERVER is trusted and everything coming from elsewhere is dropped...?
respond to [3]georgo23: Well, I'm not sure I understand correctly. But by the description, DHCP Snooping fits this perfectly; it prevents a DHCP server from working on a port where I don't want it.
How do I turn on DHCP when I have it turned off? I don't know where it is turned on :( :-(
respond to [5]pedro: It is written right at the beginning of the article. But if the appropriate pool for the given VLAN is not created, addresses will not be assigned.
I have run into a problem. I need to boot a MacBook with OS X over the network. Is there a way to set up a DHCP pool so that it knows about a server that is in a different subnet and provides the image? It could probably be done through an option, but so far I haven't found anywhere how to do it.
respond to [7]Joe: If I understood the question correctly, then the answer is yes.
The DHCP server assigns IP addresses and at the same time passes on information about various important servers (addresses). By default these are DNS (option 6), the gateway (option 3), WINS (option 44) and others. Different option numbers are assigned to different uses, so the point is that the application supports this function and reads the particular option.
For example, Cisco IPT uses option 150, in which the address of the CallManager TFTP server is passed.
PS: I would also add that on the target device you configure: "ip address dhcp" ;-)
It is not clear to me under what conditions the DHCP Snooping Binding Database gets created. Even though I enabled it on the switch (the switch the DHCP server is also connected to), no file was created in flash:. Not even when I send it to a TFTP server.
As for the dhcp snooping db, I recommend first creating an empty file at that tftp location (sometimes the tftp process cannot create it but can overwrite it).
Do not write to flash, because you needlessly wear it out.
I personally use an ftp server for backing up the database.
The configuration contains:
ip dhcp snooping vlan 1-999
ip dhcp snooping database tftp://172.24.44.89/dhcpbind.txt
ip dhcp snooping database write-delay 100
ip dhcp snooping database timeout 100
ip dhcp snooping
Trusted ports are defined.
The TFTP server works; the file dhcpbind.txt is created and is empty.
Still, nothing gets written to the file.
debug:
DHCP Snooping packet debugging is on
DHCP Snooping event debugging is on
DHCP Snooping database agent debugging is on
And apart from the DHCP communication, the following message is printed:
switch#
.Mar 13 14:36:32: Safe write timer expired.
.Mar 13 14:36:32: Trying to open url in safe write mode..
.Mar 13 14:36:32: Restarting safe write timer.
switch#
I haven't found anything like this on Cisco's site.