The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes how to configure the DHCP server or DHCP relay and includes the following sections:
DHCP provides network configuration parameters, such as IP addresses, to DHCP clients. The ASA can provide a DHCP server to DHCP clients attached to ASA interfaces. The DHCP server provides network configuration parameters directly to DHCP clients.
A client locates a DHCP server to request the assignment of configuration information using a reserved, link-scoped multicast address, which indicates that the client and server should be attached to the same link. However, in some cases where ease of management, economy, or scalability is the concern, we recommend that you allow a DHCP client to send a message to a server that is not connected to the same link. The DHCP relay agent, which may reside on the client network, can relay messages between the client and server. The relay agent operation is transparent to the client.
An IPv4 DHCP client uses a broadcast rather than a multicast address to reach the server. The DHCP client listens for messages on UDP port 68; the DHCP server listens for messages on UDP port 67.
DHCP for IPv6 (DHCPv6) specified in RFC 3315 enables IPv6 DHCP servers to send configuration parameters such as network addresses or prefixes and DNS server addresses to IPv6 nodes (that is, DHCP clients). DHCPv6 uses the following multicast addresses:
You can configure a DHCP relay agent to forward DHCP requests received on an interface to one or more DHCP servers. DHCP clients use UDP broadcasts to send their initial DHCPDISCOVER messages because they do not have information about the network to which they are attached. If the client is on a network segment that does not include a server, UDP broadcasts normally are not forwarded by the ASA because it does not forward broadcast traffic.
You can remedy this situation by configuring the interface of your ASA that is receiving the broadcasts to forward DHCP requests to a DHCP server on another interface.
|
|
---|---|
For all ASA models, the maximum number of DHCP client addresses varies depending on the license:
Supported in routed firewall mode.
Not supported in transparent firewall mode. see DHCP Relay Guidelines for more information.
Supported in single and multiple context mode.
Supports Active/Active and Active/Standby failover.
Supports IPv6, except for interface-specific DHCP relay servers.
For example, if the server has a pool in the range of 209.165.200.225 to 209.165.200.254, mask 255.255.255.0, and the IP address specified by the dhcp-network-scope command is 209.165.200.1, the server sends that pool in the offer message to the ASA.
The dhcp-network-scope command setting applies only to VPN users.
This section describes how to configure a DHCP server provided by the ASA and includes the following topics:
To enable the DHCP server on an ASA interface, perform the following steps.
Step 1 Choose Configuration > Device Management > DHCP > DHCP Server.
Step 2 Select an interface, and click Edit.
a. To enable the DHCP server on the selected interface, check the Enable DHCP Server check box.
b. In the DHCP Address Pool field, enter the range of IP addresses from lowest to highest that is used by the DHCP server. The range of IP addresses must be on the same subnet as the selected interface and cannot include the IP address of the interface itself.
c. In the Optional Parameters area, set the following:
– The DNS servers (1 and 2) configured for the interface.
– The WINS servers (primary and secondary) configured for the interface.
– The domain name of the interface.
– The time in milliseconds that the ASA will wait for an ICMP ping response on the interface.
– The duration of time that the DHCP server configured on the interface allows DHCP clients to use an assigned IP address.
– The interface on a DHCP client that provides DNS, WINS, and domain name information for automatic configuration if the ASA is acting as a DHCP client on a specified interface (usually outside).
– To configure more DHCP options, click Advanced to display the Advanced DHCP Options dialog box. For more information, see Configuring Advanced DHCP Options.
d. In the Dynamic Settings for DHCP Server area, check the Update DNS Clients check box to specify that, in addition to the default action of updating the client PTR resource records, the selected DHCP server should also perform the following update actions:
– To specify that the DHCP server should update both the A and PTR RRs, check the Update Both Records check box.
– To specify that DHCP server actions should override any update actions requested by the DHCP client, check the Override Client Settings check box
e. Click OK to close the Edit DHCP Server dialog box.
Step 3 In the Global DHCP Options area below the DHCP Server table, check the Enable Auto-configuration from interface check box to enable DHCP auto configuration only if the ASA is acting as a DHCP client on a specified interface (usually outside).
DHCP auto configuration enables the DHCP Server to provide DHCP clients with DNS server, domain name, and WINS server information obtained from a DHCP client running on the specified interface. If information obtained through auto configuration is also specified manually in the Global DHCP Options area, the manually specified information takes precedence over the discovered information.
Step 4 Choose the interface from the drop-down list.
Step 5 To override the interface DHCP or PPPoE client WINS parameter with the VPN client parameter, check the Allow VPN override check box.
Step 6 In the DNS Server 1 field, enter the IP address of the primary DNS server for a DHCP client.
Step 7 In the DNS Server 2 field, enter the IP address of the alternate DNS server for a DHCP client.
Step 8 In the Domain Name field, enter the DNS domain name for DHCP clients (for example, example.com).
Step 9 In the Lease Length field, enter the amount of time, in seconds, that the client can use its allocated IP address before the lease expires. Valid values range from 300 to 1048575 seconds. The default value is 3600 seconds (1 hour).
Step 10 In the Primary WINS Server field, enter the IP address of the primary WINS server for a DHCP client.
Step 11 In the Secondary WINS Server field, enter the IP address of the alternate WINS server for a DHCP client.
Step 12 To avoid address conflicts, the ASA sends two ICMP ping packets to an address before assigning that address to a DHCP client. In the Ping Timeout field, enter the amount of time, in milliseconds, that the ASA waits to time out a DHCP ping attempt. Valid values range from 10 to 10000 milliseconds. The default value is 50 milliseconds.
Step 13 To specify additional DHCP options and their parameters, click Advanced to display the Configuring Advanced DHCP Options dialog box. For more information, see Configuring Advanced DHCP Options.
Step 14 In the Dynamic DNS Settings for DHCP Server area, you configure the DDNS update settings for the DHCP server. Check the Update DNS Clients check box to specify that, in addition to the default action of updating the client PTR resource records, the selected DHCP server should also perform the following update actions:
Step 15 Click Apply to save your changes.
You can use advanced DHCP options to provide DNS, WINS, and domain name parameters to DHCP clients. You can also use the DHCP automatic configuration setting to obtain these values or define them manually. When you use more than one method to define this information, it is passed to DHCP clients in the following sequence:
1. Manually configured settings.
2. Advanced DHCP options settings.
3. DHCP automatic configuration settings.
For example, you can manually define the domain name that you want the DHCP clients to receive and then enable DHCP automatic configuration. Although DHCP automatic configuration discovers the domain together with the DNS and WINS servers, the manually defined domain name is passed to DHCP clients with the discovered DNS and WINS server names, because the domain name discovered by the DHCP automatic configuration process is superseded by the manually defined domain name.
Step 1 Choose Configuration > Device Management > DHCP > DHCP Server, and click Advanced.
Step 2 Choose the option code from the drop-down list. All DHCP options (options 1 through 255) are supported except 1, 12, 50–54, 58–59, 61, 67, and 82.
Step 3 Choose the options that you want to configure. Some options are standard. For standard options, the option name is shown in parentheses after the option number and the option parameters are limited to those supported by the option. For all other options, only the option number is shown and you must choose the appropriate parameters to supply with the option. For example, if you choose DHCP Option 2 (Time Offset), you can only enter a hexadecimal value for the option. For all other DHCP options, all of the option value types are available and you must choose the appropriate options value type.
Step 4 In the Option Data area, specify the type of information that the option returns to the DHCP client. For standard DHCP options, only the supported option value type is available. For all other DHCP options, all of the option value types are available. Click Add to add the option to the DHCP option list. Click Delete to remove the option from the DHCP option list.
Note The name of the associated IP address fields can change based on the DHCP option that you chose. For example, if you choose DHCP Option 3 (Router), the fields names change to Router 1 and Router 2.
Note The name of the associated Data field can change based on the DHCP option that you chose. For example, if you choose DHCP Option 14 (Merit Dump File), the associated Data field names change to File Name.
Note The name of the associated Data field can change based on the DHCP option you chose. For example, if you choose DHCP Option 2 (Time Offset), the associated Data field becomes the Offset field.
Step 5 Click OK to close the Advanced DHCP Options dialog box.
Step 6 Click Apply to save your changes.
When a DHCP request enters an interface, the DHCP servers to which the ASA relays the request depends on your configuration. You can configure the following types of servers:
Step 1 Choose Configuration > Device Management > DHCP > DHCP Relay.
Step 2 In the DHCP Relay Agent area, check the check boxes for the services you want for each interface:
Step 3 In the Global DHCP Relay Servers area, add one or more DHCP servers to which DHCP requests are relayed:
a. Click Add. The Add Global DHCP Relay Server dialog box appears.
b. In the DHCP Server field, enter the IPv4 or IPv6 address of the DHCP server.
c. From the Interface drop-down list, choose the interface to which the specified DHCP server is attached.
The newly added global DHCP relay server appears in the Global DHCP Relay Servers list.
Step 4 (Optional) In the IPv4 Timeout field, enter the amount of time, in seconds, allowed for DHCP address handling. Valid values range from 1 to 3600 seconds. The default value is 60 seconds.
Step 5 (Optional) In the IPv6 Timeout field, enter the amount of time, in seconds, allowed for DHCP address handling. Valid values range from 1 to 3600 seconds. The default value is 60 seconds.
Step 6 In the DHCP Relay Interface Servers area, add one or more interface-specific DHCP servers to which DHCP requests on a given interface are relayed:
a. Click Add. The Add DHCP Relay Server dialog box appears.
b. From the Interface drop-down list, choose the interface connected to the DHCP clients. Note that you do not specify the egress interface for the requests, as for a Global DHCP Server; instead, the ASA uses the routing table to determine the egress interface.
c. In the Server to... field, enter the IPv4 address of the DHCP server, and click Add>>. The server is added to the right-hand list. Add up to 4 servers, if available out of the overall maximum. IPv6 is not supported for interface-specific servers.
The newly added interface DHCP relay server(s) appear in the DHCP Relay Interface Servers list.
Step 7 To configure all interfaces as trusted interfaces, check the Set dhcp relay information as trusted on all interfaces check box.You can alternatively trust individual interfaces (see Step 2).
Step 8 Click Apply to save your settings.
For additional information related to implementing DHCPv6, see the following section:
|
|
---|---|
To monitor DHCP, perform one or more of the following steps:
Table 19-1 each feature change and the platform release in which it was implemented. ASDM is backward-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.