DHCP Functionality


As more Cisco devices are used in SOHO environments, it becomes more important that they support features such as Dynamic Host Configuration Protocol (DHCP). Hosts use DHCP to obtain their Internet configuration dynamically instead of being configured with a static IP address and other parameters. The operation is very simple: upon connection, a client sends a UDP broadcast, and if it receives a specific reply, it configures itself accordingly. Of course, this works only on the directly connected LAN segment or on segments that are connected through bridges or routers that forward broadcasts. This method can be used, for example, to simplify workstation management; all reconfiguration is carried out only on the DHCP server, which then provides the new configuration to the workstations.

The Cisco PIX firewall can act both as a DHCP server and a client. In the first case, it will probably be a gateway for a small network of workstations and provide them all the information they need in order to connect to the Internet. In its client role, it may be a gateway for a network connected through a dial-up line, acquiring its outside interface address from the ISP's DHCP server.

Although DHCP functionality on the PIX firewall is available on all hardware models, it was specifically designed for the PIX 501, 506, and 506E, which are used primarily in SOHO environments. This is why the DHCP features the PIX firewall offers have some limitations. For example, the DHCP server can support a maximum of only 256 clients (or even fewer, depending on the firewall model, version, and license). There is also no BOOTP support and no failover support; the current state of the DHCP server or client is not replicated over the failover link.

DHCP Clients

When configured as a DHCP client, the PIX firewall can obtain the configuration of its outside interface from a designated DHCP server—for example, a server located at an ISP. This configuration includes the IP address, the subnet mask, and optionally, the default route.

Note

The DHCP client feature can only be configured on the "outside" interface of the PIX firewall.

This address can be used, for example, as a PAT address for all outgoing communications. This is configured in the following way (assuming that the DHCP client is already configured):

nat (inside) 1 0 0
global (outside) 1 interface

This configuration will work with any IP address assigned to the outside interface by DHCP. The configuration of the DHCP client is rather simple, and all you need to use is the following command:

ip address outside dhcp [setroute] [retry <retry_cnt>]

You do this instead of specifying a fixed IP address for an outside interface. The optional setroute keyword forces the PIX firewall to pick up not only the IP address and the subnet mask but the default route as well. Do not configure a static default route on the firewall if you use the setroute option. The retry option tells the PIX firewall to try to contact a DHCP server a specified number of times before giving up. If this keyword is not specified, no retries are attempted. If this keyword is specified but no retry count is given, the default number of retries is four. For example, the following command configures a DHCP client on the outside interface to obtain an IP address, subnet mask, and default route from the DHCP server, and only one attempt will be made:

PIX1(config)# ip address outside dhcp setroute 

The following command configures the DHCP client to obtain an IP address and subnet mask only, retrying five times before giving up if no DHCP server is available:

PIX1(config)# ip address outside dhcp retry 5 

There are no special commands for renewing and releasing a DHCP lease; simply issue the same command again and the lease will be renewed. The address obtained can be viewed using:

PIX1# show ip address outside dhcp 

This produces output similar to the following:

Temp IP Addr:123.1.2.3 for peer on interface:outside
Temp sub net mask:255.255.255.0
DHCP Lease server:123.1.2.31, state:3 Bound
DHCP Transaction id:0x4567
Lease:259200 secs, Renewal:129600 secs, Rebind:226800 secs
Temp default-gateway addr:123.1.2.1
Next timer fires after:100432 secs
Retry count:0, Client-ID:cisco-0000.0000.0000-outside

This output means that PIX has obtained an IP address of 123.1.2.3 and a subnet mask of 255.255.255.0 from the DHCP server 123.1.2.31. This DHCP lease is granted for 259200 seconds with renewal time of 129600 seconds. Time left until the next renewal is 100432 seconds, and there were no retries in contacting the server.
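To check whether a bound lease is self-consistent and how far into the lease the client already is, here is an added Python example (not from the book or from Cisco) that parses output shaped like the listing above. The sample text is constructed to match that listing, and the T1 = 1/2 and T2 = 7/8 timer defaults come from RFC 2131, not from the PIX documentation.

```python
import re

# Constructed sample shaped like the PIX "show ip address outside dhcp" listing; not a real capture.
SAMPLE = """Temp IP Addr:123.1.2.3 for peer on interface:outside
Temp sub net mask:255.255.255.0
DHCP Lease server:123.1.2.31, state:3 Bound
DHCP Transaction id:0x4567
Lease:259200 secs, Renewal:129600 secs, Rebind:226800 secs
Temp default-gateway addr:123.1.2.1
Next timer fires after:100432 secs
Retry count:0, Client-ID:cisco-0000.0000.0000-outside"""

FIELDS = {  # key: (regex capturing the value, converter)
    "address": (r"Temp IP Addr:(\S+)", str),
    "server": (r"DHCP Lease server:(\S+),", str),
    "state": (r"state:\d+ (\w+)", str),
    "lease": (r"Lease:(\d+) secs", int),
    "renewal": (r"Renewal:(\d+) secs", int),
    "rebind": (r"Rebind:(\d+) secs", int),
    "next_timer": (r"Next timer fires after:(\d+) secs", int),
    "retries": (r"Retry count:(\d+)", int),
}

def parse_client_status(text):
    """Pull the lease parameters out of the DHCP client status output."""
    status = {}
    for key, (pattern, cast) in FIELDS.items():
        m = re.search(pattern, text)
        status[key] = cast(m.group(1)) if m else None
    return status

def lease_elapsed(status):
    """Seconds since the lease was granted: in Bound state the running timer is T1."""
    return status["renewal"] - status["next_timer"]

def check_lease(status):
    """Return findings about the lease; an empty list means it looks healthy."""
    findings = []
    if status["state"] != "Bound":
        findings.append("client is not in Bound state")
    if status["renewal"] != status["lease"] // 2:
        findings.append("renewal timer T1 is not half the lease time")
    if status["rebind"] != status["lease"] * 7 // 8:
        findings.append("rebind timer T2 is not 7/8 of the lease time")
    if status["next_timer"] > status["renewal"]:
        findings.append("time left on the timer exceeds T1; output is inconsistent")
    if status["retries"] > 0:
        findings.append("server needed retries to answer; check the outside link")
    return findings
```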

If you run into problems with the DHCP client, you can troubleshoot with the debug commands debug dhcpc packet, debug dhcpc detail, and debug dhcpc error. The commands are self-explanatory: debug dhcpc packet displays all DHCP traffic between the PIX client and the remote server, the detail option shows the details of the negotiation, and the error option displays all errors in this communication.

DHCP Servers

The server part of PIX DHCP support is more complicated. Let's look at the server's abilities and limitations. The most important issue is the number of DHCP clients the server can support and the specific protocol options supported. The number of clients supported on the various versions of PIX firewalls is shown in Table 10.2.

Table 10.2: Number of Clients Supported by the PIX DHCP Server

PIX Firewall Version    PIX Firewall Platform           Client Addresses (Active Hosts)
v5.2 and before         All platforms                   10
v5.3 to v6.0            PIX 506/506E                    32
                        All other platforms             256
v6.1 and after          PIX 501 with 10-user license    32
                        PIX 501 with 50-user license    128
                        All other platforms             256

Note that the numbers quoted in Table 10.2 are for active hosts. A host is active if it has passed any traffic through the PIX, established a connection through the firewall, established a NAT or PAT translation entry, or authenticated itself to the firewall during the last 30 seconds.

Note

The DHCP server can be configured only on the inside interface of the PIX firewall and supports only clients on a network directly connected to this interface.

A minimal configuration of the DHCP server requires only two commands: one for specifying a range of IP addresses that can be provided to clients and another for actually turning the feature on. For example:

PIX1(config)# dhcpd address 192.168.2.1-192.168.2.127 inside
PIX1(config)# dhcpd enable inside

The only parameter that can be changed here is the address pool. Although currently the interface is always inside, it is possible that future releases of the PIX will have the ability to run a DHCP server on other interfaces. However, at the time of this writing (v6.2), it does not. It is possible to configure only one pool. Now when a client sends a DHCP request, the PIX provides it with the next IP address available in the pool of 192.168.2.1–192.168.2.127, the same subnet mask that is set for the inside interface of the firewall, and a default route pointing to PIX itself.

Some other configuration parameters are concerned with so-called "DHCP options"—optional information that can be provided to the client by its request. RFC2132, "DHCP Options and BOOTP Vendor Extensions," describes about 100 of these options and provides a mechanism for vendors to specify their own options. Very few of these options are really needed, especially in a SOHO environment, so the PIX supports only a few of them; nevertheless, this does not make it unable to operate as a full-strength server. The options that can be configured are the default domain name, the DNS server, the WINS server, and two TFTP-related options (number 66 and 150). The domain name provided to a client is configured with the following command syntax:

dhcpd domain <domain_name>

For example:

PIX1(config)# dhcpd domain syngress.com 

The DNS servers that a client should use are configured with the command syntax:

dhcpd dns <dns1> [<dns2>]

Up to two DNS servers can be configured, using IP addresses:

PIX1(config)# dhcpd dns 1.2.3.4 1.2.4.10 

WINS servers are configured using the following command, with the same restrictions as for DNS servers: up to two servers, specified by IP address:

dhcpd wins <wins1> [<wins2>] 

Options 66 and 150 are used mostly by Cisco IP Phones and are considered later in this chapter. Other DHCP-related commands allow specifying some internal parameters for the server. It is possible to change the default lease time (the amount of time for which an IP address is provided to the client):

dhcpd lease <lease_time>

This command specifies the time in seconds. The default value is 3600, and possible values are from 300 seconds to 2,147,483,647 seconds. The following command syntax sets a maximum ping timeout in milliseconds (1/1000th of a second):

dhcpd ping_timeout <ping_time>

The PIX uses ping to ensure that another host on the network does not already have the IP address it is about to grant. The ping timeout specifies how long the PIX waits for a reply; if no host answers within this time, the address is considered free.

Finally, the following command allows the DHCP server to automatically obtain DNS, WINS, and domain parameters from a DHCP client configured on the outside interface:

PIX1(config)# dhcpd auto_config outside 

An example of a SOHO configuration follows. It includes a DHCP client on the outside interface and a DHCP server on the inside interface, and it passes parameters from the client to the server:

PIX1(config)# ip address outside dhcp setroute
PIX1(config)# ip address inside 192.168.2.1 255.255.255.0
PIX1(config)# dhcpd address 192.168.2.201-192.168.2.210
PIX1(config)# dhcpd lease 3000
PIX1(config)# dhcpd auto_config outside
PIX1(config)# dhcpd enable
PIX1(config)# nat (inside) 1 0 0
PIX1(config)# global (outside) 1 interface

Without auto configuration, the example may look like this:

PIX1(config)# ip address outside dhcp setroute
PIX1(config)# ip address inside 192.168.2.1 255.255.255.0
PIX1(config)# dhcpd address 192.168.2.201-192.168.2.210
PIX1(config)# dhcpd lease 3000
PIX1(config)# dhcpd dns 1.2.3.4 1.2.3.31
PIX1(config)# dhcpd wins 192.168.2.20
PIX1(config)# dhcpd domain example.com
PIX1(config)# dhcpd enable
PIX1(config)# nat (inside) 1 0 0
PIX1(config)# global (outside) 1 interface
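As an added example (not from the book or from Cisco), the following Python lints a dhcpd configuration against the rules stated in this section: the pool must fit the active-host limit of the platform (Table 10.2, v6.1 and later), the lease must lie between 300 and 2,147,483,647 seconds, and at most two DNS servers may be given. The checks that the pool lies within the inside subnet and excludes the firewall's own address are sanity checks not stated in the text, and the sample configuration is constructed from the example above with the prompts removed.

```python
import ipaddress
import re

# Active-host limits for PIX software v6.1 and later, taken from Table 10.2.
CLIENT_LIMITS = {"PIX 501 10-user": 32, "PIX 501 50-user": 128, "other": 256}
LEASE_MIN, LEASE_MAX = 300, 2_147_483_647  # dhcpd lease bounds given in the text

# Constructed configuration mirroring the SOHO example above (prompts removed).
SAMPLE_CONFIG = """ip address inside 192.168.2.1 255.255.255.0
dhcpd address 192.168.2.201-192.168.2.210 inside
dhcpd lease 3000
dhcpd dns 1.2.3.4 1.2.3.31
dhcpd wins 192.168.2.20
dhcpd domain example.com
dhcpd enable inside"""

def check_dhcpd_config(config, platform="other"):
    """Lint a PIX dhcpd configuration; returns a list of findings (empty = clean)."""
    findings = []
    inside = re.search(r"^ip address inside (\S+) (\S+)", config, re.M)
    pool = re.search(r"^dhcpd address (\S+)-(\S+)", config, re.M)
    lease = re.search(r"^dhcpd lease (\d+)", config, re.M)
    dns = re.search(r"^dhcpd dns (.+)$", config, re.M)
    if not pool:
        return ["no dhcpd address pool configured"]
    if not re.search(r"^dhcpd enable", config, re.M):
        findings.append("dhcpd address is set but dhcpd enable is missing")
    start = ipaddress.IPv4Address(pool.group(1))
    end = ipaddress.IPv4Address(pool.group(2))
    size = int(end) - int(start) + 1
    if size < 1:
        findings.append("pool end address precedes start address")
    limit = CLIENT_LIMITS.get(platform, 256)
    if size > limit:
        findings.append(f"pool holds {size} addresses but {platform} serves at most {limit} clients")
    if inside:  # the server hands out the inside interface's mask and itself as gateway
        iface = ipaddress.IPv4Interface(f"{inside.group(1)}/{inside.group(2)}")
        if start not in iface.network or end not in iface.network:
            findings.append("pool is not within the inside interface's subnet")
        if start <= iface.ip <= end:
            findings.append("pool includes the firewall's own inside address")
    if lease and not LEASE_MIN <= int(lease.group(1)) <= LEASE_MAX:
        findings.append(f"lease {lease.group(1)} s is outside {LEASE_MIN}..{LEASE_MAX}")
    if dns and len(dns.group(1).split()) > 2:
        findings.append("dhcpd dns accepts at most two servers")
    return findings
```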

Commands are available for checking the state of the server. For example:

PIX1(config)# show dhcpd
dhcpd address 192.168.2.201-192.168.2.210 inside
dhcpd lease 3000
dhcpd ping_timeout 750
dhcpd dns 1.2.3.4 1.2.3.31
dhcpd enable inside

Other commands show the current state of IP bindings (which client has been assigned which IP address) and general server statistics:

PIX1(config)# show dhcpd binding
IP Address      Hardware Address    Lease Expiration    Type
192.168.2.210   0100.a0c9.777e      84985 seconds       automatic

Here, a client with MAC address 0100.a0c9.777e has obtained IP address 192.168.2.210, and this lease will expire in 84,985 seconds. General server statistics are displayed with the following command:

PIX1(config)# show dhcpd statistics
Address Pools        1
Automatic Bindings   1
Expired Bindings     1
Malformed messages   0

Message              Received
BOOTREQUEST          0
DHCPDISCOVER         1
DHCPREQUEST          2
DHCPDECLINE          0
DHCPRELEASE          0
DHCPINFORM           0

Message              Sent
BOOTREPLY            0
DHCPOFFER            1
DHCPACK              1
DHCPNAK              1

These statistics show the number of IP address pools configured, the number of active leases (bindings), expired bindings, messages received with errors, and a detailed breakdown on message type for correctly received and sent messages.

Cisco IP Phone-Related Options

As described in the "Skinny Client Control Protocol" section, Cisco IP Phones use a TFTP server to obtain most of their configuration. The server's address can be configured statically, but it is also possible to use special DHCP options to provide phones with the location of the TFTP server. Clients can request two option types from DHCP servers: option 66, which causes the server to send the name of one TFTP server, and option 150, which returns a list of IP addresses of one or two TFTP servers. These options are supported starting from v6.2 of the PIX software and are configured with the following commands:

dhcpd option 66 ascii <server_name>
dhcpd option 150 ip <server1_ip> [<server2_ip>]

For example:

PIX1(config)# dhcpd option 66 ascii tftp.example.com
PIX1(config)# dhcpd option 150 ip 1.2.3.4 2.3.4.5

Because the server runs only on the inside interface, IP Phones should be placed on the network directly connected to this interface.




The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240