WEBVTT 0:00:02.820000 --> 0:00:07.940000 Hello and welcome to this video titled, Configuring Cisco IOS as a DHCP 0:00:07.940000 --> 0:00:10.920000 server or relay agent. 0:00:10.920000 --> 0:00:16.080000 In this video, I'm going to quickly talk about DHCP broadcast handling 0:00:16.080000 --> 0:00:20.120000 and what routers would normally do with DHCP packets. 0:00:20.120000 --> 0:00:24.460000 We'll talk about something about DHCP relay agents and how you can configure 0:00:24.460000 --> 0:00:32.300000 a Cisco IOS device like a router or switch as a DHCP server. 0:00:32.300000 --> 0:00:35.920000 So let's talk about DHCP broadcast handling for just a moment. 0:00:35.920000 --> 0:00:39.200000 So we know that the messages sent from the client and here we're specifically 0:00:39.200000 --> 0:00:43.460000 focusing on IP version 4 DHCP. 0:00:43.460000 --> 0:00:48.220000 We know that your typical client messages are the discover and the request. 0:00:48.220000 --> 0:00:51.880000 And we know that both of those go out with a destination address at both 0:00:51.880000 --> 0:00:55.420000 layer 2 and layer 3 as a broadcast address. 0:00:55.420000 --> 0:01:00.260000 Well, that's all well and good if your DHCP server is capable of receiving 0:01:00.260000 --> 0:01:04.760000 that broadcast. In other words, if they sit on the same broadcast domain 0:01:04.760000 --> 0:01:09.160000 or subnet that you do, but what if they don't? 0:01:09.160000 --> 0:01:11.540000 Well, broadcasts are not routable. 0:01:11.540000 --> 0:01:16.440000 So if the DHCP server is only reachable via three or four hops away, you 0:01:16.440000 --> 0:01:23.280000 have to go through some routers to get to it, routers do not forward broadcasts. 0:01:23.280000 --> 0:01:28.440000 So when a router or layer 3 switch receives a DHCP broadcast, there's 0:01:28.440000 --> 0:01:31.000000 one of three ways it could react. 0:01:31.000000 --> 0:01:34.160000 The default behavior is to inspect it. 
0:01:34.160000 --> 0:01:38.180000 So whenever a broadcast comes in, a router switch will first inspect it 0:01:38.180000 --> 0:01:40.700000 and say, okay, is this broadcast for me? 0:01:40.700000 --> 0:01:44.980000 Maybe somebody is trying to ARP for me or if I'm running RIP version 1, 0:01:44.980000 --> 0:01:47.280000 maybe someone's sending a RIP update or something. 0:01:47.280000 --> 0:01:51.540000 Well, in this case, the router switch would say, oh, well, when I look 0:01:51.540000 --> 0:01:56.300000 at the IP header here, the IP header says it's UDP. 0:01:56.300000 --> 0:02:01.080000 I'm not running any UDP based applications that do broadcast. 0:02:01.080000 --> 0:02:03.940000 So the router switch at that point would drop the broadcast. 0:02:03.940000 --> 0:02:06.260000 It would discard it saying not for me. 0:02:06.260000 --> 0:02:10.360000 Now, alternatively, we can configure that router switch to do one of two 0:02:10.360000 --> 0:02:15.120000 other things. We could configure it to take that DHCP broadcast and relay 0:02:15.120000 --> 0:02:20.640000 it or convey it onto the actual DHCP server itself. 0:02:20.640000 --> 0:02:23.960000 And we're going to talk in just a moment about how to do that. 0:02:23.960000 --> 0:02:29.840000 Or we could actually configure the router switch itself as a DHCP server. 0:02:29.840000 --> 0:02:32.820000 Now, that's fine if you've got a really small network where like maybe 0:02:32.820000 --> 0:02:37.340000 everybody in your building is just in one VLAN, one broadcast domain. 0:02:37.340000 --> 0:02:40.840000 Then in that case, sure, you could have a router switch in that same broadcast 0:02:40.840000 --> 0:02:43.600000 domain and configure it as a DHCP server. 0:02:43.600000 --> 0:02:47.560000 But if you've got any more than about three or four broadcast domains, 0:02:47.560000 --> 0:02:50.220000 that's not a really scalable situation. 
0:02:50.220000 --> 0:02:56.300000 So let's talk about the second option here, DHCP relay agents. 0:02:56.300000 --> 0:03:04.500000 So the idea behind this feature is that let's just focus on routers primarily. 0:03:04.500000 --> 0:03:09.320000 So when a router receives a DHCP discover or a DHCP request, which is 0:03:09.320000 --> 0:03:11.900000 a broadcast, it normally just drops it. 0:03:11.900000 --> 0:03:16.300000 Now with the relay agent functionality, we can actually tell that router 0:03:16.300000 --> 0:03:22.920000 to take that broadcast and encapsulate it or change it into a unicast 0:03:22.920000 --> 0:03:27.900000 packet. And then unicast it directly to the DHCP server. 0:03:27.900000 --> 0:03:31.200000 This is what is meant by the term relay agent. 0:03:31.200000 --> 0:03:35.400000 So the relay agent, when he does this, he's going to create a new packet 0:03:35.400000 --> 0:03:40.520000 header. So the new IP header will have a source IP address of the relay 0:03:40.520000 --> 0:03:46.140000 agent himself and a destination IP address not of a broadcast, but of 0:03:46.140000 --> 0:03:47.980000 the actual DHCP server. 0:03:47.980000 --> 0:03:50.640000 So we can see this right here. 0:03:50.640000 --> 0:03:52.920000 So right there, there's the message coming in from the client. 0:03:52.920000 --> 0:03:59.580000 So here's our original DHCP discover or possibly our DHCP request. 0:03:59.580000 --> 0:04:02.740000 By default, source address is all zeros. 0:04:02.740000 --> 0:04:04.280000 Destination address is broadcast. 0:04:04.280000 --> 0:04:08.300000 Well, if we just left it that way, it wouldn't get beyond that line. 0:04:08.300000 --> 0:04:09.880000 The router would drop it. 0:04:09.880000 --> 0:04:14.860000 But by configuring the router as a relay agent, he can take that and repackage 0:04:14.860000 --> 0:04:17.300000 it as a unicast packet. 
0:04:17.300000 --> 0:04:22.320000 So now when that packet is leaving his interface, it'll have the source 0:04:22.320000 --> 0:04:26.880000 IP address of whatever interface received it. 0:04:26.880000 --> 0:04:31.320000 Destination IP address of the DHCP server itself. 0:04:31.320000 --> 0:04:33.060000 Now you say, well, how does he know? 0:04:33.060000 --> 0:04:36.640000 How does the router know what the IP address is of the DHCP server? 0:04:36.640000 --> 0:04:39.340000 You have to configure it. 0:04:39.340000 --> 0:04:41.160000 And it's just one command. 0:04:41.160000 --> 0:04:45.100000 Basically, you have to ask yourself, okay, what interfaces on this router 0:04:45.100000 --> 0:04:51.040000 could I expect to receive DHCP broadcasts like this? 0:04:51.040000 --> 0:04:53.960000 Oh, well, I can expect them on gigabit zero slash zero. 0:04:53.960000 --> 0:04:59.220000 Okay, so on that interface, you just go to it and type one command. 0:04:59.220000 --> 0:05:02.780000 It's the IP helper-address command. 0:05:02.780000 --> 0:05:08.040000 And then you put in the actual IP address of the DHCP server. 0:05:08.040000 --> 0:05:13.440000 Now, if you have more than one DHCP server, you could replicate this command 0:05:13.440000 --> 0:05:16.680000 two or three or four times, however many times you need with different 0:05:16.680000 --> 0:05:21.520000 IP addresses. And then he'll take that one discover packet in, replicate 0:05:21.520000 --> 0:05:26.340000 it, you know, n number of times, and then unicast it out to the different 0:05:26.340000 --> 0:05:31.280000 DHCP servers. Now, there's one thing in here I also want to talk about 0:05:31.280000 --> 0:05:33.960000 which I kind of skipped over, which was this. 0:05:33.960000 --> 0:05:39.120000 You see, this DHCP server, he's probably got several pools, like he might 0:05:39.120000 --> 0:05:42.780000 have a pool called human resources. 
0:05:42.780000 --> 0:05:45.180000 And that's where he's going to allocate addresses for people in the human 0:05:45.180000 --> 0:05:46.520000 resources department. 0:05:46.520000 --> 0:05:52.800000 You might have another pool of addresses called marketing. 0:05:52.800000 --> 0:05:57.440000 And another pool of something else, maybe payroll. 0:05:57.440000 --> 0:06:04.580000 So when relay agents out there are forwarding these DHCP packets to the 0:06:04.580000 --> 0:06:11.180000 server, the server has to know which pool do I pick from to pick an address 0:06:11.180000 --> 0:06:14.080000 and send it back to the original client. 0:06:14.080000 --> 0:06:19.380000 Well, the way they know that is because when the relay agent took this 0:06:19.380000 --> 0:06:25.160000 broadcast and converted it into a unicast in the first place, inside the 0:06:25.160000 --> 0:06:31.500000 DHCP packet, there's a field known as the gateway IP address field. 0:06:31.500000 --> 0:06:35.000000 Now, in some documents or papers you read, that might also be called the 0:06:35.000000 --> 0:06:37.600000 relay agent IP address. 0:06:37.600000 --> 0:06:40.780000 So it just depends on the documentation. 0:06:40.780000 --> 0:06:49.500000 Now, when a client is creating a discover packet and he sends it out, 0:06:49.500000 --> 0:06:51.980000 it has not gone through a gateway yet. 0:06:51.980000 --> 0:06:53.800000 It hasn't touched a gateway. 0:06:53.800000 --> 0:06:59.000000 So the gateway IP address field would be all zeros. 0:06:59.000000 --> 0:07:02.800000 This is the field that's changed. 0:07:02.800000 --> 0:07:07.400000 So as router one here, my relay agent, gets it, not only is he going 0:07:07.400000 --> 0:07:11.480000 to put his own IP address as the source IP address in the IP packet header 0:07:11.480000 --> 0:07:21.080000 itself, he'll put his IP address into that gateway address field. 
0:07:21.080000 --> 0:07:26.360000 So the DHCP server, he's not really looking at the source address to figure 0:07:26.360000 --> 0:07:29.160000 out which pool to use. 0:07:29.160000 --> 0:07:32.640000 He's looking at the gateway IP address field. 0:07:32.640000 --> 0:07:37.060000 And so he'll say, oh, I've got a pool here named human resources. 0:07:37.060000 --> 0:07:40.960000 It's got a various range of addresses and in that pool, I've configured 0:07:40.960000 --> 0:07:46.760000 a default router or a default gateway of 1.1.1.1.1.1. 0:07:46.760000 --> 0:07:52.280000 And lo and behold, that's the exact same IP address that's in the gateway 0:07:52.280000 --> 0:07:54.800000 IP address field of this DHCP packet. 0:07:54.800000 --> 0:08:00.720000 So I guess I should pull an available address from this pool. 0:08:00.720000 --> 0:08:03.960000 And I just want to show you here on the next slide. 0:08:03.960000 --> 0:08:07.100000 We're not going to go into the gory details of this, but this is the DHCP 0:08:07.100000 --> 0:08:09.060000 IP packet format. 0:08:09.060000 --> 0:08:11.660000 And the main thing I want to call your attention to is that field we were 0:08:11.660000 --> 0:08:12.840000 just talking about. 0:08:12.840000 --> 0:08:17.480000 Right there. That is our gateway IP address field. 0:08:17.480000 --> 0:08:23.880000 Normally it's all zeros when the client is creating his discover or request. 0:08:23.880000 --> 0:08:28.220000 But when it goes through a relay agent, the relay agent puts his own IP 0:08:28.220000 --> 0:08:30.900000 address in that field. 0:08:30.900000 --> 0:08:37.880000 So that's very, very common, configuring a router as a relay agent. 0:08:37.880000 --> 0:08:42.220000 You can also do that on a switch. 0:08:42.220000 --> 0:08:49.600000 So for example, if I had something like this, here's my switch. 0:08:49.600000 --> 0:08:54.980000 Here's my various switch ports leading out to my hosts. 
0:08:54.980000 --> 0:08:58.440000 Let's put little H's here for my laptops and PCs. 0:08:58.440000 --> 0:09:05.800000 And let's say that all of these ports here were in a VLAN, like VLAN 2. 0:09:05.800000 --> 0:09:11.880000 And then here is another interface which maybe leads to a router, which 0:09:11.880000 --> 0:09:14.320000 eventually leads off to my DHCP server. 0:09:14.320000 --> 0:09:16.780000 Let's give him the exact same address as before. 0:09:16.780000 --> 0:09:28.540000 7777. Okay. And between these two guys right here, this is maybe 1.1.1.1 0:09:28.540000 --> 0:09:31.860000 and this is 1.1.1.2. 0:09:31.860000 --> 0:09:36.480000 So on this particular interface, we've done the no switchport command. 0:09:36.480000 --> 0:09:40.780000 In other words, we have turned it into a routed interface. 0:09:40.780000 --> 0:09:45.540000 And then what we have for VLAN 2 is we've got a switched virtual interface. 0:09:45.540000 --> 0:09:54.800000 We have interface VLAN 2, IP address 2.2.2.2. 0:09:54.800000 --> 0:10:00.460000 Well, this is where we would put our IP helper address. 0:10:00.460000 --> 0:10:05.980000 IP helper-address 7777. 0:10:05.980000 --> 0:10:12.160000 So that command would go here underneath your switched virtual interface. 0:10:12.160000 --> 0:10:27.780000 And then the same logic would hold true as if it were a router. 0:10:27.780000 --> 0:10:33.220000 Okay, lastly, what I want to talk about is configuring a router or a switch 0:10:33.220000 --> 0:10:36.240000 as a DHCP server. 0:10:36.240000 --> 0:10:40.560000 Like I mentioned earlier, this is perfectly fine for smaller environments. 0:10:40.560000 --> 0:10:42.440000 There's a couple downsides though. 0:10:42.440000 --> 0:10:48.060000 You see, the DHCP protocol has a ton of optional things you could do to 0:10:48.060000 --> 0:10:52.880000 it. And not all of those options are available when you're configuring 0:10:52.880000 --> 0:10:55.520000 a router or a switch as a DHCP server. 
0:10:55.520000 --> 0:11:00.500000 So if you want all the full set of features that DHCP can do, you probably 0:11:00.500000 --> 0:11:04.200000 want to do that on, like, a Linux server or a Windows server or something 0:11:04.200000 --> 0:11:09.240000 like that. But just to get basic DHCP working, absolutely you could do 0:11:09.240000 --> 0:11:11.200000 this on a router or a switch. 0:11:11.200000 --> 0:11:13.240000 So here are the commands to do that. 0:11:13.240000 --> 0:11:17.780000 Number one, at the global level, we'll want to type service DHCP. 0:11:17.780000 --> 0:11:20.340000 I believe this is already on by default. 0:11:20.340000 --> 0:11:23.480000 I've configured this in the lab environment before and I have purposely 0:11:23.480000 --> 0:11:28.820000 not configured the command service DHCP and it still worked. 0:11:28.820000 --> 0:11:31.180000 But just be aware that command works, that command. 0:11:31.180000 --> 0:11:35.780000 If you go through your running config and you actually see no service 0:11:35.780000 --> 0:11:40.120000 DHCP, well then there's no way this guy is going to be a DHCP server at 0:11:40.120000 --> 0:11:42.720000 all. Now let's actually create the pool. 0:11:42.720000 --> 0:11:47.540000 So at the global level, we say IP DHCP pool and you give it a name. 0:11:47.540000 --> 0:11:51.480000 Whatever name you want, it's a descriptive name, it could be payroll. 0:11:51.480000 --> 0:11:57.200000 Later on maybe we'll create a pool called HR, another pool called marketing. 0:11:57.200000 --> 0:12:02.060000 And then within each pool, we're going to configure our basic bare bones 0:12:02.060000 --> 0:12:05.180000 requirements of what our hosts need. 0:12:05.180000 --> 0:12:07.440000 So we're going to configure network. 0:12:07.440000 --> 0:12:13.080000 So for example, here, let's get rid of that. 0:12:13.080000 --> 0:12:16.280000 Let's say we did this. 0:12:16.280000 --> 0:12:27.340000 So I could configure my pool as IP DHCP pool INE. 
0:12:27.340000 --> 0:12:29.920000 So that pool is done. 0:12:29.920000 --> 0:12:44.380000 Now within there, I could say network 20.110 slash IP. 0:12:44.380000 --> 0:12:48.600000 Now notice this is one of those very few places where you can actually 0:12:48.600000 --> 0:12:53.900000 type in a subnet mask as a slash notation, like slash 24 slash 29. 0:12:53.900000 --> 0:12:57.740000 Now if you're used to typing it in as dotted decimal, you can do that 0:12:57.740000 --> 0:13:03.600000 too. I could have typed network 21.110 255.255.255.0. 0:13:03.600000 --> 0:13:08.180000 So now it knows the range of possible addresses to pull from. 0:13:08.180000 --> 0:13:14.220000 The very first address will clearly be 20.1.1.1 and the last usable host 0:13:14.220000 --> 0:13:19.860000 address will be 20.1.2.54 from that available pool. 0:13:19.860000 --> 0:13:21.520000 And then we keep going. 0:13:21.520000 --> 0:13:25.180000 These people are going to need a default gateway so we can configure that 0:13:25.180000 --> 0:13:33.340000 as well. So like in my case, default-router, maybe 20.1.1. 0:13:33.340000 --> 0:13:36.920000 Maybe the very first router, the very first address on that subnet is 0:13:36.920000 --> 0:13:39.520000 reserved for the router. 0:13:39.520000 --> 0:13:44.840000 You can give a DNS server like, you know, 8.8.8.8. 0:13:44.840000 --> 0:13:47.580000 That's a very popular one for Google. 0:13:47.580000 --> 0:13:50.960000 And then you can give it a lease. 0:13:50.960000 --> 0:13:55.900000 Now as far as the lease is concerned, if you leave the lease off, it does 0:13:55.900000 --> 0:13:57.340000 have a default time. 0:13:57.340000 --> 0:14:02.560000 So by default, the lease is going to be one day, 86,400 seconds. 0:14:02.560000 --> 0:14:05.560000 But you can change that to anything you want by using this command right 0:14:05.560000 --> 0:14:08.320000 here. And then that's it. 0:14:08.320000 --> 0:14:10.180000 You've now created your pool. 
0:14:10.180000 --> 0:14:13.920000 Now one other thing. 0:14:13.920000 --> 0:14:19.520000 There's a possibility that on this network, whatever this network is for 0:14:19.520000 --> 0:14:24.600000 payroll, for example, there might already be some devices on that network 0:14:24.600000 --> 0:14:28.520000 that have static pre-configured IP addresses. 0:14:28.520000 --> 0:14:32.260000 For example, well, if we've got a couple of servers on that exact same network 0:14:32.260000 --> 0:14:35.560000 that payroll is going to use for, you know, that's where the payroll databases 0:14:35.560000 --> 0:14:37.140000 are and things of that nature. 0:14:37.140000 --> 0:14:41.220000 And those servers are going to be in the same range as your network command 0:14:41.220000 --> 0:14:46.940000 right here. Well, we don't want DHCP to accidentally give a client the 0:14:46.940000 --> 0:14:51.300000 exact same IP address that's currently configured on a static device. 0:14:51.300000 --> 0:14:53.180000 We want to exclude that. 0:14:53.180000 --> 0:14:57.020000 So that's what this is referring to right here. 0:14:57.020000 --> 0:15:00.820000 Devices with static IP addresses, we need to exclude that from the pool 0:15:00.820000 --> 0:15:05.060000 that's not done within the pool itself. 0:15:05.060000 --> 0:15:07.460000 That's done at the global configuration level. 0:15:07.460000 --> 0:15:12.260000 You can see that's the IP DHCP excluded-address command. 0:15:12.260000 --> 0:15:15.620000 If it's just one address, just type in that one address. 0:15:15.620000 --> 0:15:19.800000 If you've got four or five devices in that network with static IPs, you 0:15:19.800000 --> 0:15:23.940000 can do a range here with a starting and an ending IP address. 0:15:23.940000 --> 0:15:26.540000 Now, how do we verify this actually worked? 0:15:26.540000 --> 0:15:30.620000 Well, clearly, if it doesn't work, our clients are going to be very unhappy. 
0:15:30.620000 --> 0:15:32.820000 People are going to be calling us up saying, hey, I can't get on the network, 0:15:32.820000 --> 0:15:33.700000 what's going on? 0:15:33.700000 --> 0:15:37.440000 And when you get on that client, you'll see, oh, it doesn't have an IP 0:15:37.440000 --> 0:15:40.920000 address. So that would be your first clue that didn't work. 0:15:40.920000 --> 0:15:44.900000 But on the actual router or switch itself, where you've configured all 0:15:44.900000 --> 0:15:48.580000 these commands, there are two basic commands you can type in, really one 0:15:48.580000 --> 0:15:54.660000 command you can type in for verification, which is the show IP DHCP binding 0:15:54.660000 --> 0:15:59.240000 command. So you can see right here, this clearly shows us that we've got 0:15:59.240000 --> 0:16:06.540000 a couple of clients that have been allocated IP addresses, 10113 and 10111. 0:16:06.540000 --> 0:16:12.540000 And we also see the client ID right there, which is unique per client. 0:16:12.540000 --> 0:16:18.900000 And we can see when these addresses will expire, the lease expiration. 0:16:18.900000 --> 0:16:23.600000 So that concludes this video. 0:16:23.600000 --> 0:16:24.500000 Thank you for watching.