Wednesday, December 30, 2020

DHCP take 1

You would think DHCP is easy. It can be, but it can also be quite tricky, and sometimes it is a security risk that you, as the network administrator, need to take care of.

I will start with a very small network to get the concepts straight, and then move on to a more complicated network and add the security layer.

Let's start with a small network: one switch with everything in the same VLAN, a firewall, a couple of servers and some clients (the picture does not show every device connected to the switch).

Smallest Net
When a client is connected to the network (and is configured to obtain its address by DHCP) it broadcasts a DHCP Discover to look for a DHCP server. The Discover carries a list of the parameters the client wants offered to it: an IP address obviously, but also others such as default gateway, DNS servers, etc.

A DHCP server answers with a DHCP Offer containing an IP address and possibly other parameters. The Offer is a broadcast (the client has no address yet), unless the client cleared the Broadcast flag in its Discover, in which case the server unicasts it to the offered address.

If multiple DHCP servers answer the Discover, the client picks one of them, usually whichever Offer arrives first. This is exactly what a rogue DHCP server on the segment relies on: if it answers faster than the legitimate server, its default gateway and DNS servers are the ones the client ends up using.

The client then answers with a broadcast DHCP Request, which tells the second DHCP server that the client is not taking its Offer but the first server's. Even though the Request is a broadcast, it names the chosen server in the Server Identifier option (54) and the chosen address in the Requested IP Address option (50).

The second DHCP server sees the Request, notices it is not for it, and simply marks the offered IP address as free again in its DHCP database.

The first DHCP server sees the Request, records the lease in its DHCP database as assigned to the client, and responds to the client with a DHCP Ack.

A simple way to memorize the process is DORA: Discover, Offer, Request, Ack.

Packets from client to server go from UDP port 68 to port 67; packets from server to client are the reverse, UDP port 67 to port 68.

DHCP-1
Here we see a Wireshark trace of the DHCP communication.
We see the Discover, Offer, Request and finally the Ack.
The DHCP packets carry all kinds of information. "Client Identifier (61)" is most often the MAC address of the client's DHCP-configured interface (prefixed with the hardware type byte), "Requested IP Address (50)" lets the client ask for a specific IP address, most likely the one it had before, and "Parameter Request List (55)" lists all the additional parameters the client wants the DHCP server to tell it to use.

DHCP options
In the Offer back to the client we see the IP address, subnet mask, default gateway (Router), DNS server and some timer options.
Lease time is how long the client may use this address. In this example it is one hour, which in real life is very short; it is often set to days.
Renewal time (T1) is set by this DHCP server (a Windows Server 2019) to half of the lease time. It tells the client that once half of the lease has passed it may try to renew. The client then sends a unicast DHCP Request directly to the DHCP server asking whether it can keep the same IP address, and the server answers with a unicast DHCP Ack carrying all the other parameters the client should use. So by just changing DHCP options on the server, clients eventually pick them up and change their settings. If the Request goes unanswered, clients behave slightly differently depending on implementation, but the common behaviour (RFC 2131 section 4.4.5) is to keep retransmitting the unicast Request, waiting half of the remaining time until T2 between attempts (never less than 60 seconds), until the Rebinding time (T2) is reached, at which point the client switches to broadcasting the Request so any DHCP server can answer.
Rebinding time is by default set to 7/8 of the lease time.
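The DORA exchange and the options discussed above, carried through as an added example (this is not code from the original post): a minimal RFC 2131 encoder/decoder written against Python's standard library, with two servers answering one Discover. The client keeps the first Offer, names that server in option 54 of its Request, the second server releases its offered address, and the Ack carries the lease time together with the T1 (1/2) and T2 (7/8) timers. The addresses, MAC address, transaction id and lease values are made up for the demonstration.

```python
import socket
import struct

CLIENT_PORT, SERVER_PORT = 68, 67            # client -> server is 68 -> 67, replies are 67 -> 68
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HDR = "!BBBBIHH4s4s4s4s16s64s128s"            # the fixed 236-byte BOOTP header
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5    # option 53 message types

def ip(dotted):
    return socket.inet_aton(dotted)

def build(op, xid, mac, options, yiaddr="0.0.0.0", broadcast=True):
    """Pack one DHCP message: fixed header, magic cookie, option TLVs, End (255)."""
    flags = 0x8000 if broadcast else 0        # Broadcast bit: client cannot receive unicast yet
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, flags, ip("0.0.0.0"), ip(yiaddr),
                      ip("0.0.0.0"), ip("0.0.0.0"), mac.ljust(16, b"\0"),
                      b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC_COOKIE + body + b"\xff"

def parse(data):
    """Unpack the header and walk the option TLVs into a {code: raw value} dict."""
    f = struct.unpack(HDR, data[:236])
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(data) and data[i] != 255:   # 255 = End
        if data[i] == 0:                      # 0 = Pad, has no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "flags": f[6], "yiaddr": socket.inet_ntoa(f[8]),
            "chaddr": f[11][:f[2]], "options": opts}

def lease_timers(lease):
    """RFC 2131 defaults: T1 (renew by unicast) at 1/2, T2 (rebind by broadcast) at 7/8."""
    return lease // 2, lease * 7 // 8

def client_discover(xid, mac, last_ip=None):
    opts = [(53, bytes([DISCOVER])), (61, b"\x01" + mac),   # Client Identifier: htype 1 + MAC
            (55, bytes([1, 3, 6, 51, 58, 59]))]             # Parameter Request List
    if last_ip:
        opts.append((50, ip(last_ip)))                      # Requested IP Address
    return build(BOOTREQUEST, xid, mac, opts)

def client_request(offer_bytes, mac):
    """Accept one Offer: echo its yiaddr in option 50 and the chosen server in option 54."""
    o = parse(offer_bytes)
    return build(BOOTREQUEST, o["xid"], mac, [(53, bytes([REQUEST])), (61, b"\x01" + mac),
                                               (50, ip(o["yiaddr"])), (54, o["options"][54])])

def server_offer(discover_bytes, server_ip, free_ip, lease, mask, router, dns):
    d = parse(discover_bytes)
    t1, t2 = lease_timers(lease)
    opts = [(53, bytes([OFFER])), (54, ip(server_ip)), (51, struct.pack("!I", lease)),
            (58, struct.pack("!I", t1)), (59, struct.pack("!I", t2)),
            (1, ip(mask)), (3, ip(router)), (6, ip(dns))]
    return build(BOOTREPLY, d["xid"], d["chaddr"], opts, yiaddr=free_ip,
                 broadcast=bool(d["flags"] & 0x8000))

def server_handle_request(request_bytes, server_ip, offer_bytes):
    """Ack if the client chose us (option 54); otherwise put the offered address back in the pool."""
    r, o = parse(request_bytes), parse(offer_bytes)
    if r["options"].get(54) != ip(server_ip):
        return "release", None                # the other server won; our Offer is free again
    if r["options"].get(50) != ip(o["yiaddr"]):
        return "nak", None                    # client asked for an address we never offered
    opts = [(53, bytes([ACK]))] + [(c, v) for c, v in o["options"].items() if c != 53]
    return "ack", build(BOOTREPLY, r["xid"], r["chaddr"], opts, yiaddr=o["yiaddr"],
                        broadcast=bool(r["flags"] & 0x8000))

def dora():
    """Constructed exchange: one client, two servers, the client keeps the first Offer."""
    mac, xid = bytes.fromhex("001122334455"), 0x3903F326
    disc = client_discover(xid, mac, last_ip="10.10.10.50")
    offer_a = server_offer(disc, "10.10.10.2", "10.10.10.50", 3600,
                           "255.255.255.0", "10.10.10.1", "10.10.10.2")
    offer_b = server_offer(disc, "10.10.10.3", "10.10.10.120", 3600,
                           "255.255.255.0", "10.10.10.1", "10.10.10.3")
    req = client_request(offer_a, mac)         # first Offer received wins
    action_a, ack = server_handle_request(req, "10.10.10.2", offer_a)
    action_b, _ = server_handle_request(req, "10.10.10.3", offer_b)
    a = parse(ack)
    return {"sequence": [parse(p)["options"][53][0] for p in (disc, offer_a, req, ack)],
            "server_a": action_a, "server_b": action_b, "assigned": a["yiaddr"],
            "chosen_server": socket.inet_ntoa(a["options"][54]),
            "t1": struct.unpack("!I", a["options"][58])[0],
            "t2": struct.unpack("!I", a["options"][59])[0]}

if __name__ == "__main__":
    print(dora())
```

The option-54 check in server_handle_request is the whole reason the Request is broadcast: every server that offered sees it and can tell from option 54 whether it won. A server that ignores that check and Acks a Request meant for someone else hands out duplicate addresses.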

What happens when there is no DHCP server on the segment the client is connected to?
The DHCP client is broadcasting, and broadcasts do not cross the router, so the Discover packets cannot reach the DHCP server on their own; we need help somehow.
The help comes in the form of a DHCP relay function on the router, or in this case a Layer 3 switch with routing functionality. The relay sees the DHCP Discover, writes the address of its client-facing interface (10.10.101.1) into the relay agent address field (giaddr), and forwards the packet as a unicast to the configured server address (10.10.10.2), sourced from that client-facing interface. On Cisco gear this is called IP Helper and is configured on the interface facing the clients.
The DHCP server sees the Discover and, if it has a scope for the 10.10.101.0/24 network (it picks the scope from giaddr), replies to 10.10.101.1 with an Offer, which the relay then forwards on to the client segment.

The Cisco IOS command, entered on the client-facing interface, is
Switch(config-if)#ip helper-address 10.10.10.2
Note that ip helper-address forwards more than DHCP: by default IOS relays a small set of UDP broadcast ports (DNS, TFTP, NetBIOS name and datagram service, TACACS, time and BOOTP/DHCP), so use no ip forward-protocol udp <port> in global configuration for the ones you do not want carried to the helper address.

In this Wireshark capture, taken on the DHCP server segment, there are no broadcasts, only unicast packets between the DHCP server and the relay agent's IP address. Other than that, the traffic is the same as when the DHCP server and client are on the same segment.
When the Renewal time comes up the client sends a unicast directly to the DHCP server, the same way it did before, asking to keep its IP address and to refresh its options.
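The relay path described above, as an added example (not code from the original post): a Python model of what the relay and the server do with the packet. The relay fills in giaddr with its client-facing address and unicasts from port 67 to the helper address on port 67, increments hops and drops looped requests (RFC 1542 discards requests whose hops field exceeds 16), the server selects its scope from giaddr (or from its own interface when giaddr is zero, i.e. a directly attached client), and the reply, which the server sends to giaddr:67, is put back on the client segment as a broadcast or as a unicast to the offered address depending on the Broadcast flag. The addresses and MAC address are the post's 10.10.101.0/24 and 10.10.10.2 plus made-up values; the packets are constructed with only the option-53 TLV, so this block is independent of any other code on the page.

```python
import ipaddress
import socket
import struct

SERVER_PORT, CLIENT_PORT = 67, 68
HDR = "!BBBBIHH4s4s4s4s"   # first 28 header bytes: op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr
ZERO = b"\0\0\0\0"
MAX_HOPS = 16              # RFC 1542 section 4.1.1: discard requests whose hops field exceeds 16

def header(frame):
    return struct.unpack(HDR, frame[:28])

def relay_to_server(frame, relay_if_ip, helper_ip):
    """Client -> server leg. Returns ((src_ip, port), (dst_ip, port), packet), or None to drop."""
    op, _, _, hops, _, _, _, _, _, _, giaddr = header(frame)
    if op != 1 or hops > MAX_HOPS:            # only BOOTREQUESTs, and break relay loops
        return None
    if giaddr == ZERO:                        # only the first relay on the path fills in giaddr
        giaddr = socket.inet_aton(relay_if_ip)
    out = frame[:3] + bytes([hops + 1]) + frame[4:24] + giaddr + frame[28:]
    return (relay_if_ip, SERVER_PORT), (helper_ip, SERVER_PORT), out

def relay_to_client(reply, relay_if_ip):
    """Server -> client leg: the server answered giaddr:67, put the reply back on the client segment."""
    op, _, _, _, _, _, flags, _, yiaddr, _, giaddr = header(reply)
    if op != 2 or socket.inet_ntoa(giaddr) != relay_if_ip:
        return None                           # not a reply, or not addressed to this relay
    dst = "255.255.255.255" if flags & 0x8000 else socket.inet_ntoa(yiaddr)
    return (relay_if_ip, SERVER_PORT), (dst, CLIENT_PORT), reply

def select_scope(packet, scopes, server_if_ip):
    """Server side: choose the scope from giaddr, or from its own interface if the client is local."""
    giaddr = packet[24:28]
    key = socket.inet_ntoa(giaddr) if giaddr != ZERO else server_if_ip
    addr = ipaddress.ip_address(key)
    return next((s for s in scopes if addr in ipaddress.ip_network(s)), None)

def discover(xid, mac, hops=0, giaddr="0.0.0.0", flags=0x8000):
    """Constructed BOOTREQUEST (op 1) carrying only the option-53 Discover TLV."""
    hdr = struct.pack(HDR, 1, 1, 6, hops, xid, 0, flags, ZERO, ZERO, ZERO, socket.inet_aton(giaddr))
    return hdr + mac.ljust(16, b"\0") + b"\0" * 192 + b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff"

def offer(request, yiaddr):
    """Constructed BOOTREPLY (op 2): copy xid, flags, giaddr and chaddr from the request, fill yiaddr."""
    _, _, _, hops, xid, _, flags, _, _, _, giaddr = header(request)
    hdr = struct.pack(HDR, 2, 1, 6, hops, xid, 0, flags, ZERO, socket.inet_aton(yiaddr), ZERO, giaddr)
    return hdr + request[28:236] + b"\x63\x82\x53\x63" + b"\x35\x01\x02\xff"

def walk():
    """Constructed run of the post's topology: client on 10.10.101.0/24, server at 10.10.10.2."""
    relay_if, helper, server_if = "10.10.101.1", "10.10.10.2", "10.10.10.2"
    scopes = ["10.10.10.0/24", "10.10.101.0/24"]
    mac = bytes.fromhex("001122334455")
    src, dst, fwd = relay_to_server(discover(0x1234, mac), relay_if, helper)
    scope = select_scope(fwd, scopes, server_if)
    reply = offer(fwd, "10.10.101.50")
    rsrc, rdst, _ = relay_to_client(reply, relay_if)
    return {"to_server": (src, dst), "giaddr": socket.inet_ntoa(fwd[24:28]), "hops": fwd[3],
            "scope": scope, "to_client": (rsrc, rdst),
            "local_scope": select_scope(discover(0x1235, mac), scopes, server_if),
            "looped": relay_to_server(discover(0x1236, mac, hops=17), relay_if, helper)}

if __name__ == "__main__":
    print(walk())
```

The giaddr field is the only thing that tells the server which subnet the client sits on, which is why a relay that forwards without setting it (or a server that trusts a giaddr it should not) ends up handing out addresses from the wrong scope.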

See RFC 2131 for all the details.

In the next post I will do a larger topology and add some other options into the mix.
