All about DHCP in a Gist

DHCP in a Gist

• Coming to the history of host auto configuration protocols, there were many protocols before DHCP that were meant to configure clients with minimal user intervention such as Reverse-ARP, BOOTP, etc…

• DHCP is actually a extension of BOOTP mechanism which allows backward compatibility with BOOTP devices.

• There are some differences between DHCP and BOOTP such as DHCP has mechanism to assign leases for a finite amount of time, thus, saving IP addresses.
• Also, there is some terminology differences b/w them such as the dhcp options were called as vendor-extensions in DHCP.
• Another major improvement in DHCP compared to BOOTP was that BOOTP uses 2-phase mechanism and requires additional servers for providing other details like it requires another TFTP server for performing file transfer of boot images, whereas DHCP uses 1-phase boot config and the client negotiates with a DHCP server to determine its IP address and obtain any other initial configuration details it needs for network operation.

DHCP MESSAGES

• The simplistic format of DHCP message looks like this:

• \1. message-type
• \2. hops (client sets as zero, relays increment it)
• \3. transaction-id
• \4. flags —> contains a bit called broadcast bit which helps clients that cannot unicast before getting a IP address get a DHCP exchange successfully
• \5. client-ip addr---> used only after client has already got an IP address during Renew/Rebind message exchange
• \6. si-addr—> server-id, filled by server
• \7. gi-addr —> relay agent IP address is put here if relay is used. If server is in same subnet as client, it will be 0x0 .ie. no relay has sent this message
• \8. cl-id: client mac is put here usually, but, not necessarily since it is considered as opaque field by server….This field is used by server to assign leases and thus, the client also should use the same identifier so that server can recognize it
• \9. file: TFTP server location
• \10. options
• Others are also there like server-hostname, your-Ip address (used by server in advertising Offers) etc…

DHCP PROCESS:

• DHCP Client-server exchange process:

• Client sends a broadcast DHCP Discover message with S-IP: 0 and D-Ip: 255.255.255.255. S-mac: client-mac and D-Mac: ffff:ffff:ffff
• Now, servers present in same broadcast domain will send offers and put the IP address in your-ip-address field of DHCP. This message will be sent as unicast message to client with D-IP as the one which it plans on offering and the D-Mac as the client’s Mac. This behavior depends on the server actually and both unicast and broadcast dest-IP address will work.
• Then, client chooses one of the servers and sends request. This is always sent as a broadcast message so that other servers which were not chosen knows that those Offers were implicitly declined
• Then, the DHCP server first pings for the IP which it plans on assigning so as to confirm that that Ip was not manually assigned to any host. If it passes, it sends a ACK to the client with the configuration parameters as UNICAST. If ping fails, it sends a NAK to client as broadcast

• Other messages in DHCP include:

• DHCP Decline: After server sends a ACK, the client does a G-ARP for the IP. If it fails, client sends a DHCP Decline to server
• DHCP Release: Graceful shutdown- Informing the server of cancelling the lease by the client
• DHCPInform: used by client to only request parameters and not IP addresses.

• There is no explicit DHCP Renew message in v4 and same Request messages are used even for Renew with the fields being set with IP addresses and this will be unicast directly to server-ip

• Now, if the B bit is set in the DHCP DISCOVER of the client, all the above exchange will be using the destination-Ip as broadcast always

• 

• Another thing to note is that DHCP covers variety of scenarios such as different servers offering IPs in different subnets as well as two servers offering IP in same subnet. In the above exchange, the transaction-id set by the client will be the same and even if two messages are received by client from different servers, it will just ignore the later one (ACK- in case of same pools, NAK in case of different pools)

RELAY SCENARIO:

• RELAY SCENARIO:

• Since for DHCP servers to work, we need them in same subnet as the client but this approach is scalable and costly
• So, usually DHCP/BOOTP relays are used to unicast the client’s DHCP messages to the server
• In case relays are used, the giaddr field in the DHCP message will contain the relay agent’s interface on which the client is connected to.
• All replies from server will be sent to this address

• Lease allotment:

• Permanent allotment: Server assigns a lease to client permanently. Done by putting the seconds field as ffff-ffff
• Fixed time allotment: Here client is given a lease time with minimum of 300 sec and the client must periodically renew the lease
• Manual assignment using DHCP- used for getting finer control wherein we configure a IP for each client’s Mac on the server

• DHCP options

• Several DHCP options can be there
• In case the client needs particular parameters from the server, it uses the Parameter Request Option. The client uses this to request for subnet mask, gateway router, renewal time and rebinding time. (The server gives all these info in separate respective options )

• Now, there is another very important Option in DHCP which is the DHCP Option82. Also known as Relay agent Information Option

• This option82 enables a DHCP relay agent to insert information about a client's identity into a DHCP client request being sent to a DHCP server. This option can be used to assist DHCP servers to implement dynamic address policy.
• It is used only between the relay and the server and is deleted before forwarding to the client

DHCP SNOOPING:

• DHCP snooping is a security feature to prevent dhcp-based violations by identifying trusted and untrusted ports and marking only the known server’s port as trusted port and all clients will be untrusted. If any dhcp message that is supposed to be sent only by server comes on untrusted port, those packets are not forwarded. In order for DHCP snooping to work, we need the relay agent to use Option82 and this is done automatically.

• Option82 can contain several sub options. In case of DHCP snooping, the sub options used to identify the client are:

• Circuit-id ——> identifies the link on the relay
• remote-id ——> identifies the relay-agent. We use the relay agent’s mac address as remote-id

DHCP Snooping

• DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities:
  

•Validates DHCP messages received from untrusted sources and filters out invalid messages.

•Rate-limits DHCP traffic from trusted and untrusted sources.

•Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.

•Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

• DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs.
  

• Packet Validation:
  
• The switch validates DHCP packets received on the untrusted interfaces of VLANs with DHCP snooping enabled. The switch forwards the DHCP packet unless any of the following conditions occur (in which case the packet is dropped):
  
• The switch receives a packet (such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet) from a DHCP server outside the network or firewall.
  
• The switch receives a packet on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match. This check is performed only if the DHCP snooping MAC address verification option is turned on.
  
• The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received.
  
• The switch receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0.
  

• The default trust state of all interfaces is untrusted. You must configure DHCP server interfaces as trusted. You can also configure other interfaces as trusted if they connect to devices (such as switches or routers) inside your network. You usually do not configure host port interfaces as trusted.
  

More info:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html

Configuring DHCP Server on Arista EOS

We know that Arista's EOS operating system runs on top of Linux. So, in order to configure DHCP Server on Arista's EOS, the way is to install the DHCP package on linux. The steps are shown below:

Configuring DHCP Server and Relay:

Switch1 (server) (et30)-----(et30) DHCPRelay (int vlan 1, switchport access-vlan 1)------Client

On Switch 1 (DHCP Server)

• #int et 30  \\we use et30 because both the switches are connected via et30 on both sides
  

#no switchport

#ip address 10.0.0.1/30

• #ip route 192.168.1.0/24 10.0.0.2  \\giving a static route to the destination n/w (192.X.X.X) and also we specify the next hop which is the Relay (10.0.0.2)
  

• #show version ||to check the fedora version. Eg) fc14 or fc18. If FC18, downgrade to FC14 using #Dir \\check for the image of older version and then #bootfrom <image> • Download the correct RPM from the following URL: http://dl.fedoraproject.org/pub/archive/fedora/linux/updates/, choose i386 architecture and send the file to switch using #copy scp:admin@macbook-pro/Users/Desktop/dhcp.rpm extension: • #extension dhcp.i686.rpm \\To install the dhcp extension • #bash • $sudo vi /etc/dhcp/dhcpd.conf • # DHCP Server Configuration file. #   see /usr/share/doc/dhcp*/dhcpd.conf.sample #   see dhcpd.conf(5) man page ddns-update-style interim; subnet 192.168.1.0 netmask 255.255.255.0 {         option routers                  192.168.1.254;         option subnet-mask              255.255.255.0;         option domain-search              "example.com";         option domain-name-servers       192.168.1.1;         option time-offset              -18000;     # Eastern Standard Time         range 192.168.1.10 192.168.3.99; } subnet 10.0.0.0 netmask 255.255.255.252 { range 10.0.0.1 10.0.0.2; }  (OR) subnet 192.168.1.0 netmask 255.255.255.0 { option routers 192.168.1.254; //the IP address of SVI is the default gateway option subnet-mask 255.255.255.0; range 192.168.1.20 192.168.1.30; } subnet 10.0.0.0 netmask 255.255.255.252 { range 10.0.0.1 10.0.0.2; } • $service dhcpd start \\to start the dhcp service • $service dhcpd status \\to check whether the dhcp service is running • $sudo dhcpd et 30 • $sudo dhcpd vlan1 \\to assign DHCP IP address to devices on vlan1

On Switch 2 (relay),

• Configuring the interface connected to client side:

#conf

#int vlan1

#ip address 192.168.1.254/24 //Making a router and network for the hosts since hosts are connected to relay router

#ip helper 10.0.0.1 \\Configuring this router to act as relay, so use the IP address of the switch 1 interface. It should be assigned for the vlan network

• Configuring the interface connected to server:

(conf)#int et 30  \\connecting it to switch 1

#no switchport

#ip address 10.0.0.2/30 

FOR TROUBLESHOOTING:

#show ip dhcp relay counters

DHCP/ BOOTP

Given in RFC2131

First when device connects to a network, it sends Discover message. It is sent as a Broadcast. It uses Bootstrap Protocol which uses UDP. The ports are always fixed to 68 and 67 respectively for client and server.

SRC: 0.0.0.0 DST: 255.255.255.255

The DHCP servers on the n/w replies with Offers. It is also a broadcast since device doesn’t have IP address. Whichever server replies first, then, other servers will not reply (race condition).

After this, it sends a Request to one DHCP server and it is sent as a broadcast even though it knows the destination IP so that other DHCP servers can know that it chose a different DHCP server and thus, can free the IP.

Now, the server first pings the IP address that it is going to allocate so that it can be sure that the IP has not been assigned statically.If address is used, server sends NAC and the client should DORA again. If no ping reply, only then, it sends an Acknowledgement with an IP address for the client. Thus, client gets its own IP address.

Note that now even other DHCP servers will send an ACK to our IP to tell that we are okay to use it. It will be unicast since we got our IP address.

After getting the IP address, the host sends an ARP for the assigned IP (it is gratuitous ARP since it does ARP for its own IP address. Here, it uses the source IP as 0.0.0.0). If it gets a reply, then, it sends a DHCP Declined to the server since another device already has the same IP address. (It is not done by the DHCP server since the DHCP server can be on different subnet also, hence it is done by the client.)

Note: that both the client and server will use the same Transaction ID.


After the lease time is expired, client sends a DHCP Renew message to DHCP server. The server sends back a ACK and client can keep the IP address for another 90 days.


The DHCP ACK will have details like Lease Time, DNS Server IP address, Subnet Mask, etc…


DHCP RELAY:

We know that DHCP request is sent as broadcast, but it cannot cross routers and vlans. Here, we have to place a dhcp server for each subnet and vlan which is not scalable. Thus, we use DHCP relay.