BOOTP/DHCP Server – Port 67
BOOTP/DHCP Client – Port 68
Configure router to pass DHCP requests from local clients to a centralized DHCP server
The traditional role of routers in DHCP has been simply to act as a proxy device, forwarding information between the client and server. Since IOS level 12.0(1)T, Cisco routers also have DHCP server and client features. But the DHCP proxy function is still the most common for routers.
Because the initial DHCP request comes from a client that typically doesn’t have an IP address, it must find the server using a Layer 2 broadcast. So, if the router was not able to function as a proxy for these broadcasts, it would be necessary to put a DHCP server on every network segment.
IP Helper Configuration Example:
Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#interface Ethernet0 Router1(config-if)#ip helper-address 172.25.1.1 Router1(config-if)#ip helper-address 172.25.10.7 Router1(config-if)#exit Router1(config)#end Router1#
Note: 172.25.1.1 and 172.25.10.7 is DHCP server IP Address
The DHCP server needs two critical pieces of information before it can allocate an IP address to the client. It must know the subnet that the client is connected to, and it needs the client device’s MAC address. The subnet information is needed to ensure that the address that the server allocates will actually work on client’s network segment. And the MAC address is necessary so that the server can find any information that is unique to this workstation. This is particularly true if you need to ensure that the end device always gets the same IP address every time it connects to the network.
So the DHCP proxy, which is the router itself, must convert the local broadcast from the client to a unicast packet and forward it to the server. This is what the ip helper-address command does.
When the DHCP client sends the DHCP request packet, it doesn’t have an IP address. So it uses the all-zeroes address, 0.0.0.0, as the IP source address. And it doesn’t know how to reach the DHCP server, so it uses a general broadcast address, 255.255.255.255, for the destination.
So the router must replace the source address with its own IP address, for the interface that received the request. And it replaces the destination address with the address specified in the ip helper-address command. The client device’s MAC address is included in the payload of the original DHCP request packet, so the router doesn’t need to do anything to ensure that the server receives this information.
The DHCP server now has enough information to assign an address from the correct address pool, since it now knows what the originating subnet was for the DHCP request. The server then sends a unicast response back to the proxy router, which in turn sends the request back to the correct MAC address.
The example shows two ip helper-address commands. You should include one of these commands for each of your DHCP servers. The router will forward the DHCP broadcasts to all of these addresses. Most organizations use at least two DHCP servers because although the utilization is light, the functionality is critical. In the very likely event that the client device receives several responses to a DHCP request, it will usually just select the one it received first.
It is important to note that the ip helper-address command does not just forward DHCP requests. In fact, although you can configure it to forward any UDP broadcast you want, by default it will forward UDP broadcast packets for several different UDP ports to the specified address. In some cases, this unwanted traffic can cause problems on the network or DHCP server.
The show ip interface command includes information about the helper addresses configured on an interface:
Router1#show ip interface Ethernet0 Ethernet0 is up, line protocol is up Internet address is 192.168.30.1/24 Broadcast address is 255.255.255.255 Address determined by setup command MTU is 1500 bytes Helper addresses are 172.25.1.3 172.25.1.1 Directed broadcast forwarding is disabled [removed for brevity] Router1#
Limiting the Impact of IP Helper Addresses
The ip helper-address command implicitly enables forwarding several different kinds of UDP broadcasts. You can prevent the router from forwarding the unwanted types of broadcasts with the no ip forward-protocol udp configuration command:
Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#no ip forward-protocol udp tftp Router1(config)#no ip forward-protocol udp nameserver Router1(config)#no ip forward-protocol udp domain Router1(config)#no ip forward-protocol udp time Router1(config)#no ip forward-protocol udp netbios-ns Router1(config)#no ip forward-protocol udp netbios-dgm Router1(config)#no ip forward-protocol udp tacacs Router1(config)#end Router1#
*********************************************************************************************************************
No comments:
Post a Comment