DHCP Services
This chapter describes how to configure the DHCP server or DHCP relay and includes the following sections:
Information About DHCP Services
Information About the DHCP Server
DHCP provides network configuration parameters, such as IP addresses, to DHCP clients. The ASA can provide a DHCP server to DHCP clients attached to ASA interfaces. The DHCP server provides network configuration parameters directly to DHCP clients.
A client locates a DHCP server to request the assignment of configuration information using a reserved, link-scoped multicast address, which indicates that the client and server should be attached to the same link. However, in some cases where ease of management, economy, or scalability is the concern, we recommend that you allow a DHCP client to send a message to a server that is not connected to the same link. The DHCP relay agent, which may reside on the client network, can relay messages between the client and server. The relay agent operation is transparent to the client.
An IPv4 DHCP client uses a broadcast rather than a multicast address to reach the server. The DHCP client listens for messages on UDP port 68; the DHCP server listens for messages on UDP port 67.
DHCP for IPv6 (DHCPv6) specified in RFC 3315 enables IPv6 DHCP servers to send configuration parameters such as network addresses or prefixes and DNS server addresses to IPv6 nodes (that is, DHCP clients). DHCPv6 uses the following multicast addresses:
- All_DHCP_Relay_Agents_and_Servers (FF02::1:2) is a link-scoped multicast address used by a client to communicate with neighboring (that is, on-link) relay agents and servers. All DHCPv6 servers and relay agents are members of this multicast group.
- The DHCPv6 relay service and server listen for messages on UDP port 547. The ASA DHCPv6 relay agent listens on both UDP port 547 and the All_DHCP_Relay_Agents_and_Servers multicast address.
Information About the DHCP Relay Agent
You can configure a DHCP relay agent to forward DHCP requests received on an interface to one or more DHCP servers. DHCP clients use UDP broadcasts to send their initial DHCPDISCOVER messages because they do not have information about the network to which they are attached. If the client is on a network segment that does not include a server, UDP broadcasts normally are not forwarded by the ASA because it does not forward broadcast traffic.
You can remedy this situation by configuring the interface of your ASA that is receiving the broadcasts to forward DHCP requests to a DHCP server on another interface.
Licensing Requirements for DHCP
|
|
|
|---|---|
For all ASA models, the maximum number of DHCP client addresses varies depending on the license:
Guidelines and Limitations
Supported in routed firewall mode.
Not supported in transparent firewall mode. see DHCP Relay Guidelines for more information.
Supported in single and multiple context mode.
Supports Active/Active and Active/Standby failover.
Supports IPv6, except for interface-specific DHCP relay servers.
- The maximum available DHCP pool is 256 addresses.
- You can configure only one DHCP server on each interface of the ASA. Each interface can have its own pool of addresses to use. However the other DHCP settings, such as DNS servers, domain name, options, ping timeout, and WINS servers, are configured globally and used by the DHCP server on all interfaces.
- You cannot configure a DHCP client or DHCP relay service on an interface on which the server is enabled. Additionally, DHCP clients must be directly connected to the interface on which the server is enabled.
- The ASA does not support QIP DHCP servers for use with the DHCP proxy service.
- The relay agent cannot be enabled if the DHCP server is also enabled.
- The ASA DHCP server does not support BOOTP requests. In multiple context mode, you cannot enable the DHCP server or DHCP relay service on an interface that is used by more than one context.
- When it receives a DHCP request, the ASA sends a discovery message to the DHCP server. This message includes the IP address (within a subnetwork) that was configured with the dhcp-network-scope command in the group policy. If the server has an address pool that falls within that subnetwork, the server sends the offer message with the pool information to the IP address—not to the source IP address of the discovery message.
- When a client connects, the ASA sends a discovery message to all the servers in the server list. This message includes the IP address (within a subnetwork) that was configured with the dhcp-network-scope command in the group policy. The ASA selects the first offer received and drops the other offers. If the server has an address pool that falls within that subnetwork, the server sends the offer message with the pool information to the IP address—not to the source IP address of the discovery message. When the address needs to be renewed, it attempts to renew it with the lease server (the server from which the address was acquired). If the DHCP renew fails after a specified number of retries ( four attempts), the ASA moves to the DHCP rebind phase after a predefined time period. During the rebind phase, the ASA simultaneously sends requests to all servers in the group. In a high availability environment, lease information is shared, so the other servers can acknowledge the lease and ASA will return to the bound state. During the rebind phase, if there is no response from any of the servers in the server list (after three retries), then the ASA will purge the entries.
For example, if the server has a pool in the range of 209.165.200.225 to 209.165.200.254, mask 255.255.255.0, and the IP address specified by the dhcp-network-scope command is 209.165.200.1, the server sends that pool in the offer message to the ASA.
The dhcp-network-scope command setting applies only to VPN users.
- You can configure a maximum of 10 DHCPv4 relay servers in single mode and per context, global and interface-specific servers combined, with a maximum of 4 servers per interface.
- You can configure a maximum of 10 DHCPv6 relay servers in single mode and per context. Interface-specific servers for IPv6 are not supported.
- The relay agent cannot be enabled if the DHCP server feature is also enabled.
- When the DHCP relay service is enabled and more than one DHCP relay server is defined, the ASA forwards client requests to each defined DHCP relay server. Replies from the servers are also forwarded to the client until the client DHCP relay binding is removed. The binding is removed when the ASA receives any of the following DHCP messages: ACK, NACK, ICMP unreachable, or decline.
- You cannot enable DHCP relay service on an interface running as a DHCP proxy service. You must remove the VPN DHCP configuration first or an error message appears. This error occurs if both DHCP relay and DHCP proxy services are enabled. Make sure that either the DHCP relay or DHCP proxy service is enabled, but not both.
- DHCP relay services are not available in transparent firewall mode. You can, however, allow DHCP traffic through using an access list. To allow DHCP requests and replies through the ASA in transparent mode, you need to configure two access lists, one that allows DCHP requests from the inside interface to the outside, and one that allows the replies from the server in the other direction.
- For IPv4, clients must be directly-connected to the ASA and cannot send requests through another relay agent or a router. For IPv6, the ASA supports packets from another relay server.
- For multiple context mode, you cannot enable DHCP relay on an interface that is used by more than one context.
- The DHCP clients must be on different interfaces from the DHCP servers to which the ASA relays requests.
Configuring DHCP Services
Configuring the DHCP Server
This section describes how to configure a DHCP server provided by the ASA and includes the following topics:
Enabling the DHCP Server
To enable the DHCP server on an ASA interface, perform the following steps.
Detailed Steps
Step 1
Choose Configuration > Device Management > DHCP > DHCP Server.
Step 2 Select an interface, and click Edit.
a. To enable the DHCP server on the selected interface, check the Enable DHCP Server check box.
b. In the DHCP Address Pool field, enter the range of IP addresses from lowest to highest that is used by the DHCP server. The range of IP addresses must be on the same subnet as the selected interface and cannot include the IP address of the interface itself.
c. In the Optional Parameters area, set the following:
– The DNS servers (1 and 2) configured for the interface.
– The WINS servers (primary and secondary) configured for the interface.
– The domain name of the interface.
– The time in milliseconds that the ASA will wait for an ICMP ping response on the interface.
– The duration of time that the DHCP server configured on the interface allows DHCP clients to use an assigned IP address.
– The interface on a DHCP client that provides DNS, WINS, and domain name information for automatic configuration if the ASA is acting as a DHCP client on a specified interface (usually outside).
– To configure more DHCP options, click Advanced to display the Advanced DHCP Options dialog box. For more information, see Configuring Advanced DHCP Options.
d. In the Dynamic Settings for DHCP Server area, check the Update DNS Clients check box to specify that, in addition to the default action of updating the client PTR resource records, the selected DHCP server should also perform the following update actions:
– To specify that the DHCP server should update both the A and PTR RRs, check the Update Both Records check box.
– To specify that DHCP server actions should override any update actions requested by the DHCP client, check the Override Client Settings check box
e. Click OK to close the Edit DHCP Server dialog box.
Step 3 In the Global DHCP Options area below the DHCP Server table, check the Enable Auto-configuration from interface check box to enable DHCP auto configuration only if the ASA is acting as a DHCP client on a specified interface (usually outside).
DHCP auto configuration enables the DHCP Server to provide DHCP clients with DNS server, domain name, and WINS server information obtained from a DHCP client running on the specified interface. If information obtained through auto configuration is also specified manually in the Global DHCP Options area, the manually specified information takes precedence over the discovered information.
Step 4 Choose the interface from the drop-down list.
Step 5 To override the interface DHCP or PPPoE client WINS parameter with the VPN client parameter, check the Allow VPN override check box.
Step 6 In the DNS Server 1 field, enter the IP address of the primary DNS server for a DHCP client.
Step 7 In the DNS Server 2 field, enter the IP address of the alternate DNS server for a DHCP client.
Step 8 In the Domain Name field, enter the DNS domain name for DHCP clients (for example, example.com).
Step 9 In the Lease Length field, enter the amount of time, in seconds, that the client can use its allocated IP address before the lease expires. Valid values range from 300 to 1048575 seconds. The default value is 3600 seconds (1 hour).
Step 10 In the Primary WINS Server field, enter the IP address of the primary WINS server for a DHCP client.
Step 11 In the Secondary WINS Server field, enter the IP address of the alternate WINS server for a DHCP client.
Step 12 To avoid address conflicts, the ASA sends two ICMP ping packets to an address before assigning that address to a DHCP client. In the Ping Timeout field, enter the amount of time, in milliseconds, that the ASA waits to time out a DHCP ping attempt. Valid values range from 10 to 10000 milliseconds. The default value is 50 milliseconds.
Step 13 To specify additional DHCP options and their parameters, click Advanced to display the Configuring Advanced DHCP Options dialog box. For more information, see Configuring Advanced DHCP Options.
Step 14 In the Dynamic DNS Settings for DHCP Server area, you configure the DDNS update settings for the DHCP server. Check the Update DNS Clients check box to specify that, in addition to the default action of updating the client PTR resource records, the selected DHCP server should also perform the following update actions:
Step 15 Click Apply to save your changes.
Configuring Advanced DHCP Options
You can use advanced DHCP options to provide DNS, WINS, and domain name parameters to DHCP clients. You can also use the DHCP automatic configuration setting to obtain these values or define them manually. When you use more than one method to define this information, it is passed to DHCP clients in the following sequence:
1. Manually configured settings.
2. Advanced DHCP options settings.
3. DHCP automatic configuration settings.
For example, you can manually define the domain name that you want the DHCP clients to receive and then enable DHCP automatic configuration. Although DHCP automatic configuration discovers the domain together with the DNS and WINS servers, the manually defined domain name is passed to DHCP clients with the discovered DNS and WINS server names, because the domain name discovered by the DHCP automatic configuration process is superseded by the manually defined domain name.
Detailed Steps
Step 1 Choose Configuration > Device Management > DHCP > DHCP Server, and click Advanced.
Step 2 Choose the option code from the drop-down list. All DHCP options (options 1 through 255) are supported except 1, 12, 50–54, 58–59, 61, 67, and 82.
Step 3 Choose the options that you want to configure. Some options are standard. For standard options, the option name is shown in parentheses after the option number and the option parameters are limited to those supported by the option. For all other options, only the option number is shown and you must choose the appropriate parameters to supply with the option. For example, if you choose DHCP Option 2 (Time Offset), you can only enter a hexadecimal value for the option. For all other DHCP options, all of the option value types are available and you must choose the appropriate options value type.
Step 4 In the Option Data area, specify the type of information that the option returns to the DHCP client. For standard DHCP options, only the supported option value type is available. For all other DHCP options, all of the option value types are available. Click Add to add the option to the DHCP option list. Click Delete to remove the option from the DHCP option list.
Note The name of the associated IP address fields can change based on the DHCP option that you chose. For example, if you choose DHCP Option 3 (Router), the fields names change to Router 1 and Router 2.
Note The name of the associated Data field can change based on the DHCP option that you chose. For example, if you choose DHCP Option 14 (Merit Dump File), the associated Data field names change to File Name.
Note The name of the associated Data field can change based on the DHCP option you chose. For example, if you choose DHCP Option 2 (Time Offset), the associated Data field becomes the Offset field.
Step 5 Click OK to close the Advanced DHCP Options dialog box.
Step 6 Click Apply to save your changes.
Configuring the DHCP Relay Agent
When a DHCP request enters an interface, the DHCP servers to which the ASA relays the request depends on your configuration. You can configure the following types of servers:
- Interface-specific DHCP servers—When a DHCP request enters a particular interface, then the ASA relays the request only to the interface-specific servers.
- Global DHCP servers—When a DHCP request enters an interface that does not have interface-specific servers configured, the ASA relays the request to all global servers. If the interface has interface-specific servers, then the global servers are not used.
Detailed Steps
Step 1 Choose Configuration > Device Management > DHCP > DHCP Relay.
Step 2 In the DHCP Relay Agent area, check the check boxes for the services you want for each interface:
- IPv4 > DHCP Relay Enabled.
- IPv4 > Set Route — Changes the default gateway address in the DHCP message from the server to that of the ASA interface that is closest to the DHCP client, which relayed the original DHCP request. This action allows the client to set its default route to point to the ASA even if the DHCP server specifies a different router. If there is no default router option in the packet, the ASA adds one containing the interface address.
- IPv6 > DHCP Relay Enabled.
- Trusted Interface —Specifies a DHCP client interface that you want to trust. You can configure interfaces as trusted interfaces to preserve DHCP Option 82. DHCP Option 82 is used by downstream switches and routers for DHCP snooping and IP Source Guard. Normally, if the ASA DHCP relay agent receives a DHCP packet with Option 82 already set, but the giaddr field (which specifies the DHCP relay agent address that is set by the relay agent before it forwards the packet to the server) is set to 0, then the ASA will drop that packet by default. You can now preserve Option 82 and forward the packet by identifying an interface as a trusted interface. You can alternatively trust all interfaces using the Set dhcp relay information as trusted on all interfaces check box (see Step 7).
Step 3 In the Global DHCP Relay Servers area, add one or more DHCP servers to which DHCP requests are relayed:
a. Click Add. The Add Global DHCP Relay Server dialog box appears.
b. In the DHCP Server field, enter the IPv4 or IPv6 address of the DHCP server.
c. From the Interface drop-down list, choose the interface to which the specified DHCP server is attached.
The newly added global DHCP relay server appears in the Global DHCP Relay Servers list.
Step 4 (Optional) In the IPv4 Timeout field, enter the amount of time, in seconds, allowed for DHCP address handling. Valid values range from 1 to 3600 seconds. The default value is 60 seconds.
Step 5 (Optional) In the IPv6 Timeout field, enter the amount of time, in seconds, allowed for DHCP address handling. Valid values range from 1 to 3600 seconds. The default value is 60 seconds.
Step 6 In the DHCP Relay Interface Servers area, add one or more interface-specific DHCP servers to which DHCP requests on a given interface are relayed:
a. Click Add. The Add DHCP Relay Server dialog box appears.
b. From the Interface drop-down list, choose the interface connected to the DHCP clients. Note that you do not specify the egress interface for the requests, as for a Global DHCP Server; instead, the ASA uses the routing table to determine the egress interface.
c. In the Server to... field, enter the IPv4 address of the DHCP server, and click Add>>. The server is added to the right-hand list. Add up to 4 servers, if available out of the overall maximum. IPv6 is not supported for interface-specific servers.
The newly added interface DHCP relay server(s) appear in the DHCP Relay Interface Servers list.
Step 7 To configure all interfaces as trusted interfaces, check the Set dhcp relay information as trusted on all interfaces check box.You can alternatively trust individual interfaces (see Step 2).
Step 8 Click Apply to save your settings.
Additional References
For additional information related to implementing DHCPv6, see the following section:
RFCs
|
|
|
|---|---|
Monitoring DHCP Services
To monitor DHCP, perform one or more of the following steps:
Feature History for DHCP Services
Table 19-1 each feature change and the platform release in which it was implemented. ASDM is backward-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.
Feedback