Section 3-3. DHCP Server Functions


A firewall can act as a DHCP server, assigning IP addresses dynamically to requesting clients. A firewall DHCP server returns its own interface address as the client's default gateway. The interface subnet mask is returned for the client to use as well.

Cisco firewalls support up to 256 active clients at any one time. (The Cisco PIX 501 supports either 32, 128, or 256 clients, depending on the user license.)

No provisions are available for configuring static address assignments. A firewall can manage only dynamic address assignments from a pool of contiguous IP addresses.

A firewall can also act as a DHCP relay, forwarding DHCP requests received on one interface to DHCP servers found on another interface. DHCP relay is similar to the ip helper-address command on routers and switches running Cisco IOS Software.

The DHCP relay service accepts DHCP request broadcast packets and converts them to DHCP request unicast packets. The unicasts are forwarded to the DHCP servers. After DHCP replies are received, they are relayed back to the requesting client.

Using the Firewall as a DHCP Server

Follow these steps to configure the DHCP server feature:

1. Define an address pool for host assignments:

 Firewall(config)# dhcpd address ip1[-ip2] if_name 

The pool of available client addresses on the firewall interface named if_name (inside, for example) runs from a lower-limit address ip1 to an upper-limit address ip2. The two addresses must be separated by a hyphen and must belong to the same subnet. In addition, the pool must lie within the IP subnet assigned to that firewall interface. In releases before PIX 6.3, only non-outside interfaces were supported; from 6.3 on, the outside interface can be used as well.

2. Supply clients with domain information.

a. (Optional) Hand out dynamic information obtained by the firewall:

 Firewall(config)# dhcpd auto_config [outside] 

You can use this command if your firewall is configured to obtain IP address information for its interface from an independent DHCP server. After the DNS and WINS server addresses and the domain name are learned from the DHCP server, the firewall can push those same values out to its own DHCP clients. In this scenario, the firewall usually acts as a DHCP client on its outside interface and as a DHCP server on its inside interface.

or

b. (Optional) Hand out DNS server addresses:

 Firewall(config)# dhcpd dns dns1 [dns2] 

You can configure up to two DNS server addresses to hand out to DHCP clients. The server IP addresses are given as dns1 and dns2.

c. (Optional) Hand out WINS server addresses:

 Firewall(config)# dhcpd wins wins1 [wins2] 

WINS servers are used to resolve Microsoft NetBIOS names into IP addresses. You can configure up to two WINS server addresses to hand out to DHCP clients. The WINS IP addresses are given as wins1 and wins2.

d. (Optional) Hand out the domain name:

 Firewall(config)# dhcpd domain domain_name 

You can configure the domain name that the client will learn and use as domain_name (the fully qualified domain name, such as myexample.com).

3. Define the client lease time:

 Firewall(config)# dhcpd lease lease_length 

By default, the firewall supplies DHCP replies with lease times of 3600 seconds (1 hour). You can adjust the lease time to be lease_length seconds (300 to 2,147,483,647 seconds).

TIP

If your clients must compete for addresses in a relatively small pool, a shorter lease time is better. After a client is turned off, its lease runs out soon, and another client can be assigned that address.

If most of your clients are stable and stay in use most of the day, you can lengthen the lease time. A longer lease time reserves an address for a client, even if that client turns off and returns later.

Lease times also affect your ability to correlate workstations and their address assignments with Syslog entries from the firewall. Sometimes, you might need to track down which workstation was using a specific address on a certain day and time. The firewall logs only DHCP assignments, so if the lease times are long, the DHCP log entries are sparse and more difficult to find.

4. (Optional) Hand out options for Cisco IP Phones.

Cisco IP Phones must receive additional information about their environment through DHCP. This information is sent as DHCP options.

a. Identify the IP phone TFTP server:

 Firewall(config)# dhcpd option 66 {ascii server_name | ip server_ip}
 Firewall(config)# dhcpd option 150 ip server_ip1 [server_ip2]

A Cisco IP Phone must find the TFTP server where it can download its configuration. This information is provided as either DHCP option 66 (a single TFTP server) or option 150 (up to two TFTP servers). You can define one or both of these options; the IP phone accepts and tries them both.

If you use option 66, you can use the ascii keyword to define the TFTP server's host name as server_name (a text string). Otherwise, you can use the ip keyword to define the server's IP address as server_ip.

If you use option 150, you can define one or two TFTP server addresses.

b. (Optional) Identify the IP phone default routers:

 Firewall(config)# dhcpd option 3 ip router_ip1 [router_ip2] 

By default, the firewall sends its own interface address as the client's default gateway. In some cases, there might be two potential gateways or routers for Cisco IP Phones to use. You can define these in DHCP option 3 as router_ip1 and router_ip2.

c. (Optional) Provide a generic DHCP option:

 Firewall(config)# dhcpd option code {ascii string | ip ip_address | hex hex_string}

If you need to provide an arbitrary DHCP option to clients, you can specify the option number as code (0 to 255). The option value can be an ASCII character string, an IP address, or a string of hexadecimal characters (pairs of hex digits with no white space and no leading 0x).
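The ascii, ip, and hex keywords in step 4 describe three payload encodings of the same on-the-wire structure: a one-byte option code, a one-byte length, and the payload. The following Python is an added example (not code from the book or from Cisco) that builds options 3, 66, and 150 that way and then parses them back the way a client would; it assumes the ip keyword carries 4-byte binary addresses (which is how options 3 and 150 are defined) and uses the ascii form for option 66. The server names and addresses are constructed sample values.

```python
import ipaddress
import struct

# Option codes discussed in step 4 (assumed to follow the standard DHCP option layout).
OPT_ROUTER = 3          # default gateway(s), dhcpd option 3 ip ...
OPT_TFTP_NAME = 66      # TFTP server host name, dhcpd option 66 ascii ...
OPT_TFTP_ADDRS = 150    # TFTP server address(es), dhcpd option 150 ip ...


def encode_option(code, kind, value):
    """Return the wire bytes for one option: code, length, payload.

    kind mirrors the firewall keywords: 'ascii' (text string), 'ip' (one
    address or a list of addresses) or 'hex' (pairs of hex digits, no
    white space, no leading 0x).
    """
    if not 0 <= code <= 255:
        raise ValueError("option code must be 0..255")
    if kind == "ascii":
        payload = value.encode("ascii")
    elif kind == "ip":
        addrs = [value] if isinstance(value, str) else list(value)
        payload = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    elif kind == "hex":
        if value.lower().startswith("0x") or len(value) % 2 or " " in value:
            raise ValueError("hex string must be digit pairs, no spaces, no 0x")
        payload = bytes.fromhex(value)
    else:
        raise ValueError("kind must be ascii, ip or hex")
    if len(payload) > 255:
        raise ValueError("option payload exceeds 255 bytes")
    return struct.pack("BB", code, len(payload)) + payload


def decode_options(blob):
    """Parse a run of options into {code: payload}; stops at the end marker (255)."""
    out = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad byte, no length field
            i += 1
            continue
        length = blob[i + 1]
        out[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return out


def tftp_servers(options):
    """What a phone learns: every option 150 address, then the option 66 name."""
    found = []
    if OPT_TFTP_ADDRS in options:
        p = options[OPT_TFTP_ADDRS]
        found += [str(ipaddress.IPv4Address(p[k:k + 4])) for k in range(0, len(p), 4)]
    if OPT_TFTP_NAME in options:
        found.append(options[OPT_TFTP_NAME].decode("ascii"))
    return found


def routers(options):
    """Decode option 3 into a list of dotted-decimal gateway addresses."""
    p = options.get(OPT_ROUTER, b"")
    return [str(ipaddress.IPv4Address(p[k:k + 4])) for k in range(0, len(p), 4)]


if __name__ == "__main__":
    # Constructed sample: what the firewall would send for the three commands
    #   dhcpd option 3 ip 192.168.200.1
    #   dhcpd option 150 ip 192.168.100.20 192.168.100.21
    #   dhcpd option 66 ascii tftp.example
    blob = (encode_option(OPT_ROUTER, "ip", "192.168.200.1")
            + encode_option(OPT_TFTP_ADDRS, "ip", ["192.168.100.20", "192.168.100.21"])
            + encode_option(OPT_TFTP_NAME, "ascii", "tftp.example")
            + b"\xff")
    opts = decode_options(blob)
    print("routers:", routers(opts))
    print("tftp servers:", tftp_servers(opts))
```

Because option 150 carries raw 4-byte addresses, two servers produce an 8-byte payload; a phone reading it splits on 4-byte boundaries, which is why the firewall accepts at most two addresses there but only one text string for option 66.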

5. (Optional) Adjust the preassignment ping timer:

 Firewall(config)# dhcpd ping_timeout timeout 

When the firewall receives a DHCP request from a potential client, it looks up the next available IP address in the pool. Before a DHCP reply is returned, the firewall tests to make sure that the IP address is not already in use by some other host. (This could occur if another host had its IP address statically configured without the firewall's knowledge.)

The firewall sends an ICMP echo (ping) request and waits timeout milliseconds (100 to 10000 ms; the default is 750) for a reply. If no reply occurs in that time frame, it assumes that the IP address is indeed available and assigns it to the client. If an ICMP reply is received from that address, the firewall knows that the address is already taken.

6. Enable the DHCP server:

 Firewall(config)# dhcpd enable if_name 

The DHCP server starts listening for requests on the firewall interface named if_name (inside, for example). You can define and enable DHCP servers on more than one interface by repeating the sequence of DHCP configuration commands.

TIP

You can display the current DHCP server parameters with the show dhcpd EXEC command. To see the current DHCP client-address bindings, use the show dhcpd bindings EXEC command. To see the number of different DHCP message types received, use the show dhcpd statistics EXEC command.

You can also see information about DHCP activity by using the debug dhcpd event command. This can be useful if you think a client is requesting an address but is never receiving a reply.
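To make the behaviour of steps 1, 3, and 5 concrete, here is an added Python model (not the firewall's code, nor anything from the book) of the pool allocator: it rejects a pool that falls outside the interface subnet, enforces the documented lease and ping_timeout ranges, probes an address before assigning it, expires leases, and keeps one record per assignment in the way the TIP describes Syslog. The probe is an injected function standing in for the ICMP echo the firewall actually sends; the clients, timestamps, and the "address already in use" case are constructed sample data.

```python
import ipaddress
import time


class DhcpPool:
    """Model of the firewall's dynamic pool: one contiguous range inside the
    interface subnet, a lease timer and a pre-assignment reachability probe."""

    def __init__(self, iface_ip, iface_mask, first, last, lease=3600,
                 ping_timeout_ms=750, probe=None):
        subnet = ipaddress.IPv4Interface("%s/%s" % (iface_ip, iface_mask)).network
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if lo > hi:
            raise ValueError("pool lower limit is above upper limit")
        if lo not in subnet or hi not in subnet:
            raise ValueError("pool must lie inside the interface subnet")
        if not 300 <= lease <= 2147483647:          # dhcpd lease range
            raise ValueError("lease must be 300..2147483647 seconds")
        if not 100 <= ping_timeout_ms <= 10000:    # dhcpd ping_timeout range
            raise ValueError("ping_timeout must be 100..10000 ms")
        self.addresses = [ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1)]
        self.lease = lease
        self.ping_timeout_ms = ping_timeout_ms
        # probe(addr, timeout_ms) returns True if an echo reply came back within
        # the timeout, i.e. the address is already taken (assumed stand-in for ICMP).
        self.probe = probe or (lambda addr, timeout_ms: False)
        self.bindings = {}   # addr -> (client_id, expiry time)
        self.log = []        # one record per event, like a Syslog line

    def _expire(self, now):
        for addr, (cid, expiry) in list(self.bindings.items()):
            if expiry <= now:
                del self.bindings[addr]

    def allocate(self, client_id, now=None):
        """Return the address handed to client_id, or None if the pool is exhausted."""
        now = time.time() if now is None else now
        self._expire(now)
        # A client that still holds a lease simply renews it (no new log entry).
        for addr, (cid, expiry) in self.bindings.items():
            if cid == client_id:
                self.bindings[addr] = (cid, now + self.lease)
                return addr
        for addr in self.addresses:
            if addr in self.bindings:
                continue
            if self.probe(addr, self.ping_timeout_ms):
                # Something answered the ping: a statically configured host is
                # using this address, so skip it rather than hand out a duplicate.
                self.log.append((now, "conflict", str(addr)))
                continue
            self.bindings[addr] = (client_id, now + self.lease)
            self.log.append((now, "assign", str(addr), client_id))
            return addr
        return None

    def who_had(self, addr, at):
        """Answer the TIP's forensic question from assignment records alone:
        the latest client assigned addr at or before time 'at'."""
        addr = str(addr)
        holder = None
        for rec in self.log:
            if rec[0] <= at and rec[1] == "assign" and rec[2] == addr:
                holder = rec[3]
        return holder


if __name__ == "__main__":
    # Constructed scenario: 192.168.200.10 is silently in use by a static host.
    pool = DhcpPool("192.168.200.1", "255.255.255.0",
                    "192.168.200.10", "192.168.200.12", lease=300,
                    probe=lambda a, t: str(a) == "192.168.200.10")
    print(pool.allocate("host-a", now=1000))   # .11, because .10 answered the ping
    print(pool.allocate("host-b", now=1001))   # .12
    print(pool.allocate("host-c", now=1002))   # None: pool exhausted
    print(pool.who_had("192.168.200.12", at=1200))
```

Note that who_had sees only assignments, not renewals, which is exactly why long leases make the correlation the TIP describes harder: a client that keeps renewing leaves no fresh record.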


DHCP Server Example

A PIX Firewall is configured as a DHCP server for clients on its inside interface. Clients are assigned an address from the pool 192.168.200.10 through 192.168.200.200. They also receive DNS addresses 192.168.100.5 and 192.168.100.6, WINS addresses 192.168.100.15 and 192.168.100.16, and a domain name of mywhatastrangeexample.com.

PIX 6.x or FWSM 2.x

 Firewall(config)# ip address inside 192.168.200.1 255.255.255.0
 Firewall(config)# dhcpd address 192.168.200.10-192.168.200.200 inside
 Firewall(config)# dhcpd dns 192.168.100.5 192.168.100.6
 Firewall(config)# dhcpd wins 192.168.100.15 192.168.100.16
 Firewall(config)# dhcpd domain mywhatastrangeexample.com
 Firewall(config)# dhcpd enable inside

PIX 7.x

 Firewall(config)# interface gigabitethernet1
 Firewall(config-if)# description inside
 Firewall(config-if)# ip address 192.168.200.1 255.255.255.0
 Firewall(config-if)# exit
 Firewall(config)# dhcpd address 192.168.200.10-192.168.200.200 inside
 Firewall(config)# dhcpd dns 192.168.100.5 192.168.100.6
 Firewall(config)# dhcpd wins 192.168.100.15 192.168.100.16
 Firewall(config)# dhcpd domain mywhatastrangeexample.com
 Firewall(config)# dhcpd enable inside


Relaying DHCP Requests to a DHCP Server

Follow these steps to configure a firewall to act as a DHCP relay:

1. Define a real DHCP server:

 Firewall(config)# dhcprelay server dhcp_server_ip server_ifc 

A real DHCP server can be found at IP address dhcp_server_ip on the firewall interface named server_ifc (inside, for example). You can repeat this command to define up to four real DHCP servers.

When DHCP requests (broadcasts) are received on one firewall interface, they are converted to UDP port 67 unicasts destined for the real DHCP servers on another interface. If multiple servers are defined, DHCP requests are relayed to all of them simultaneously.

2. (Optional) Adjust the DHCP reply timeout:

 Firewall(config)# dhcprelay timeout seconds 

By default, the firewall waits 60 seconds to receive a reply from a real DHCP server. If a reply is returned within that time, it is relayed back toward the client. If a reply is not returned within that time, nothing is relayed back to the client, and any overdue server reply is simply dropped. You can adjust the timeout to seconds (1 to 3600 seconds).

3. (Optional) Inject the firewall interface as the default gateway:

 Firewall(config)# dhcprelay setroute client_ifc 

When DHCP replies are returned by a real DHCP server, a default gateway could be specified in the reply packet. By default, this information is passed on through the firewall so that the client receives it.

You can configure the firewall to replace any default gateway information with its own interface address. This causes the DHCP reply packet to list the firewall interface closest to the client, the interface named client_ifc, as the default gateway.

4. Enable the DHCP relay service:

 Firewall(config)# dhcprelay enable client_ifc 

The DHCP relay service is started only on the firewall interface named client_ifc (inside, for example). This is the interface where DHCP clients are located.

DHCP Relay Example

A DHCP relay is configured to accept DHCP requests from clients on the inside interface and relay them to the DHCP server at 192.168.1.1 on the DMZ interface. The firewall waits 120 seconds for a reply from the DHCP server. The firewall's inside interface address is given to the clients as a default gateway. You can use the following commands to accomplish this:

 Firewall(config)# dhcprelay server 192.168.1.1 dmz
 Firewall(config)# dhcprelay timeout 120
 Firewall(config)# dhcprelay setroute inside
 Firewall(config)# dhcprelay enable inside

TIP

You can monitor DHCP relay activity by looking at the output from the show dhcprelay statistics EXEC command. The output shows the counters of the various DHCP operations relayed to and from the real DHCP server, as in the following example:

 Firewall# show dhcprelay statistics
 Packets Relayed
 BOOTREQUEST 0
 DHCPDISCOVER 7
 DHCPREQUEST 3
 DHCPDECLINE 0
 DHCPRELEASE 0
 DHCPINFORM 0
 BOOTREPLY 0
 DHCPOFFER 7
 DHCPACK 3
 DHCPNAK 0
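The counters are most useful when the request and reply columns are compared against each other. The following Python is an added example (not from the book or Cisco) that parses output in the shape shown above, captured with a script or pasted from the console, and turns the comparison into a short list of findings; the sample text is constructed from the counts on the page, and the conditions are general DHCP troubleshooting heuristics, not rules the firewall itself applies.

```python
REQUEST_TYPES = ("BOOTREQUEST", "DHCPDISCOVER", "DHCPREQUEST",
                 "DHCPDECLINE", "DHCPRELEASE", "DHCPINFORM")
REPLY_TYPES = ("BOOTREPLY", "DHCPOFFER", "DHCPACK", "DHCPNAK")

# Constructed sample in the shape of show dhcprelay statistics (counts as on the page).
SAMPLE_OUTPUT = """\
Packets Relayed
BOOTREQUEST 0
DHCPDISCOVER 7
DHCPREQUEST 3
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0
BOOTREPLY 0
DHCPOFFER 7
DHCPACK 3
DHCPNAK 0
"""


def parse_dhcprelay_statistics(text):
    """Return {message type: count}, ignoring headers and anything unrecognised."""
    counts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in REQUEST_TYPES + REPLY_TYPES and parts[1].isdigit():
            counts[parts[0]] = int(parts[1])
    return counts


def relay_findings(counts):
    """Compare relayed requests with relayed replies and describe any mismatch."""
    def c(key):
        return counts.get(key, 0)

    findings = []
    if sum(c(t) for t in REQUEST_TYPES) == 0:
        findings.append("no client requests relayed: check dhcprelay enable on the client interface")
    if c("DHCPDISCOVER") > c("DHCPOFFER"):
        findings.append("DHCPDISCOVER outnumbers DHCPOFFER: server unreachable, its pool exhausted, "
                        "or replies arriving after the dhcprelay timeout and being dropped")
    if c("DHCPREQUEST") > c("DHCPACK") + c("DHCPNAK"):
        findings.append("DHCPREQUEST without DHCPACK/DHCPNAK: server replies lost or overdue")
    if c("DHCPNAK") > 0:
        findings.append("server sent DHCPNAK: clients may be requesting addresses the server will not grant")
    return findings


if __name__ == "__main__":
    counts = parse_dhcprelay_statistics(SAMPLE_OUTPUT)
    print(counts)
    print(relay_findings(counts) or ["relay looks healthy"])
```

Run periodically, a rising gap between DHCPDISCOVER and DHCPOFFER is the first sign that the real server has stopped answering or that the dhcprelay timeout is shorter than the server's response time.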


Cisco ASA and PIX Firewall Handbook
ISBN: 1587051583
Year: 2003
Authors: David Hucaby