DHCP Services
With the static and PPPoE methods of addressing already covered, this section looks at the services provided by classic DHCP. Figure 3-11 portrays a sample topology for the study of DHCP Server and Client functionalities. Example 3-33 shows an IOS router configured as DHCP server while ASA acts as a client (on its outside interface). The address assigned to ASA in this case is 172.16.200.41.
Example 3-34 also relates to the topology of Figure 3-11 and shows how to enable the DHCP server function on ASA. The dhcpd auto_config option enables ASA to forward the parameters it receives on a given interface (as client) to another interface where it works as a server. The show running-config dhcpd command displays the configuration related to the DHCP daemon on ASA. (Notice that the auto_config attributes are shown in the running-config.) This example includes the summary information for DHCP services enabled on ASA and the lease information visible on an IOS client.
Figure 3-11 Reference Topology for DHCP Server and DHCP Client
Example 3-33. IOS as DHCP Server and ASA as DHCP Client
```
! Router "OUT" acts as DHCP Server for subnet 172.16.200.0/24
interface FastEthernet4.200
 encapsulation dot1Q 200
 ip address 172.16.200.200 255.255.255.0
!
ip dhcp excluded-address 172.16.200.1 172.16.200.40
ip dhcp excluded-address 172.16.200.50 172.16.200.255
!
ip dhcp pool OUT1
 network 172.16.200.0 255.255.255.0
 default-router 172.16.200.200
 dns-server 172.16.250.250
 domain-name outside.net
!
! ASA configured as a DHCP client on interface outside
ASA5505(config)# interface vlan 200
ASA5505(config-if)# ip address dhcp setroute
%ASA-6-302015: Built outbound UDP connection 46 for outside:255.255.255.255/67 (255.255.255.255/67) to identity:0.0.0.0/68 (0.0.0.0/68)
%ASA-6-604101: DHCP client interface outside: Allocated ip = 172.16.200.41, mask = 255.255.255.0, gw = 172.16.200.200
%ASA-6-302016: Teardown UDP connection 46 for outside:255.255.255.255/67 to identity:0.0.0.0/68 duration 0:02:03 bytes 1096
!
! The DHCP-learned default route becomes visible on ASA's routing table
ASA5505# show route outside | begin Gateway
Gateway of last resort is 172.16.200.200 to network 0.0.0.0
C    172.16.200.0 255.255.255.0 is directly connected, outside
d*   0.0.0.0 0.0.0.0 [1/0] via 172.16.200.200, outside
!
ASA5505# show interface ip brief | include DHCP|Method
Interface     IP-Address      OK?  Method  Status  Protocol
Vlan200       172.16.200.41   YES  DHCP    up      up
!
! Viewing information about the DHCP Server function
OUT# show dhcp server
DHCP server: ANY (255.255.255.255)
 Leases: 2
 Offers: 1 Requests: 1 Acks : 1 Naks: 0
 Declines: 0 Releases: 3 Query: 0 Bad: 0
 DNS0: 172.16.250.250, DNS1: 0.0.0.0
 Subnet: 255.255.255.0 DNS Domain: outside.net
```
Example 3-34. ASA as DHCP Server and IOS as DHCP Client
```
! Displaying dhcpd configuration on ASA
ASA5505# show running-config dhcpd
dhcpd auto_config outside
**auto-config from interface 'outside'
**auto_config dns 172.16.250.250
**auto_config domain outside.net
!
dhcpd address 172.16.201.60-172.16.201.69 dmz
dhcpd enable dmz
!
! Summary information about DHCP Services enabled on ASA
ASA5505# show dhcpd state
Context Configured as DHCP Server
Interface mgmt, Not Configured for DHCP
Interface dmz, Configured for DHCP SERVER
Interface outside, Configured for DHCP CLIENT
!
! Displaying information about the DHCP lease on the IOS client
DMZ# show dhcp lease
Temp IP addr: 172.16.201.60 for peer on Interface: FastEthernet4.201
Temp sub net mask: 255.255.255.0
DHCP Lease server: 172.16.201.2, state: 5 Bound
DHCP transaction id: 1E88
Lease: 3600 secs, Renewal: 1800 secs, Rebind: 3150 secs
Temp default-gateway addr: 172.16.201.2
Next timer fires after: 00:17:52
Retry count: 0 Client-ID: cisco-0014.f2e3.7df6-Fa4.201
Client-ID hex dump: 636973636F2D303031342E663265332E
                    376466362D4661342E323031
Hostname: DMZ
!
! The default route learned through DHCP is visible on the IOS routing table
DMZ# show ip route | begin Gateway
Gateway of last resort is 172.16.201.2 to network 0.0.0.0
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.201.0 is directly connected, FastEthernet4.201
S*   0.0.0.0/0 [254/0] via 172.16.201.2
```
Figure 3-12 represents a sample topology used for the investigation of the DHCP Relay feature. When acting as a DHCP Relay, a Layer 3 device (a router or a network firewall, for instance) converts broadcast packets from clients into unicast packets destined to a DHCP server located on a different subnet. The Relay receives replies from the servers and forwards them back to the originating client.
Figure 3-12 Reference Topology for Analysis of DHCP Relay Operation
Example 3-35 refers to the internetwork of Figure 3-12, where ASA relays DHCP packets from clients that reside on interface dmz (subnet 172.16.201.0/24) to the server 172.16.200.200, reachable through the outside interface. Note that the server (OUT router) has a pool configured that offers addresses belonging to the 172.16.201.0/24 subnet, which is the subnet of the giaddr (172.16.201.2) that the relay writes into the requests it forwards. (In the example, the DMZ router receives the address 172.16.201.51/24.)
Example 3-35. ASA Acting as a DHCP Relay Between Two IOS Devices
```
! ASA acts as a DHCP Relay that points to server 172.16.200.200
ASA5505# show running-config dhcprelay
dhcprelay server 172.16.200.200 outside
dhcprelay enable dmz
dhcprelay setroute dmz
dhcprelay timeout 60
!
! Enabling the DHCP Client on IOS
DMZ(config)# interface f4.201
DMZ(config-subif)#ip address dhcp
DHCP: DHCP client process started: 10
RAC: Starting DHCP discover on FastEthernet4.201
DHCP: Try 1 to acquire address for FastEthernet4.201
[ output suppressed]
B'cast on FastEthernet4.201 interface from 0.0.0.0
DHCP: Received a BOOTREP pkt
DHCP: offer received from 172.16.200.200
[ output suppressed]
Allocated IP address = 172.16.201.51 255.255.255.0
%DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet4.201 assigned DHCP address 172.16.201.51, mask 255.255.255.0, hostname DMZ
DHCP Client Pooling: ***Allocated IP address: 172.16.201.51
!
! Viewing the IP Addresses obtained through DHCP
DMZ# show ip interface brief | include DHCP|Method
Interface           IP-Address      OK?  Method  Status  Protocol
FastEthernet4.201   172.16.201.51   YES  DHCP    up      up
!
! DHCP Relay messages on ASA
DHCPD: Relay msg received, fip=ANY, fport=0 on dmz interface
DHCPD: setting giaddr to 172.16.201.2.
dhcpd_forward_request: request from 0063.6973.636f.2d30.3031.342e.6632.6533.2e37.6466.362d.4661.342e.3230.31 forwarded to 172.16.200.200.
DHCPD/RA: Punt 172.16.200.200/17152—> 172.16.201.2/17152 to CP
DHCPD: Relay msg received, fip=ANY, fport=0 on outside interface
DHCPRA: forwarding reply to client 0063.6973.636f.2d30.3031.342e.6632.6533.2e37.6466.362d.4661.342e.3230.31.
DHCPD: Relay msg received, fip=ANY, fport=0 on dmz interface
DHCPD: setting giaddr to 172.16.201.2.
!
! Summary information about DHCP Relay function on ASA
ASA5505# show dhcprelay state
Context Configured as DHCP Relay
Interface mgmt, Not Configured for DHCP
Interface dmz, Configured for DHCP RELAY SERVER
Interface outside, Configured for DHCP RELAY
```
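The relay behaviour of Example 3-35 modelled in Python, as an added example that is not part of the original text: it shows the giaddr and hops rewrite that the ASA debug reports, why the OUT router answers from its 172.16.201.0/24 pool, and how the dotted-hex id in the relay debug maps back to the Client-ID of Example 3-34. The function names, the MAC (read from the Client-ID text), the sample transaction id and the POOLS list are assumptions of this example.

```python
import ipaddress
import struct

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # RFC 2131 fixed header, 236 bytes
MAGIC = bytes([99, 130, 83, 99])          # DHCP magic cookie
ZERO = bytes(4)
CLIENT_ID = "cisco-0014.f2e3.7df6-Fa4.201"      # Client-ID shown in Example 3-34
MAC = bytes.fromhex("0014f2e37df6")             # assumption: read from the Client-ID
RELAY_DEBUG_ID = "0063.6973.636f.2d30.3031.342e.6632.6533.2e37.6466.362d.4661.342e.3230.31"
POOLS = ["172.16.200.0/24", "172.16.201.0/24"]  # subnets served by router OUT

def build_discover(xid, mac, client_id):
    """Client broadcast: hops 0, giaddr 0.0.0.0, option 61 = type 0 + text."""
    hdr = struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0x8000,
                      ZERO, ZERO, ZERO, ZERO, mac, b"", b"")
    cid = b"\x00" + client_id.encode()
    return hdr + MAGIC + bytes([53, 1, 1, 61, len(cid)]) + cid + b"\xff"

def relay(pkt, ingress_ip):
    """Fields a relay rewrites before unicasting to the server (RFC 1542)."""
    out = bytearray(pkt)
    if out[24:28] == ZERO:               # only the first relay sets giaddr
        out[24:28] = ipaddress.ip_address(ingress_ip).packed
    out[3] += 1                          # hops
    return bytes(out)

def parse(pkt):
    """Return hops, giaddr and the option 61 client identifier text."""
    info = {"hops": pkt[3], "giaddr": str(ipaddress.ip_address(bytes(pkt[24:28])))}
    i = 240                              # options start after the magic cookie
    while i + 1 < len(pkt) and pkt[i] != 255:
        code, size = pkt[i], (1 if pkt[i] == 0 else 2 + pkt[i + 1])  # pad: no length
        if code == 61:
            info["client_id"] = pkt[i + 3:i + size].decode()
        i += size
    return info

def select_subnet(pkt, server_if_ip, pools):
    """Server side: choose the pool by giaddr, else by the receiving interface."""
    giaddr = parse(pkt)["giaddr"]
    key = ipaddress.ip_address(server_if_ip if giaddr == "0.0.0.0" else giaddr)
    return next((n for n in pools if key in ipaddress.ip_network(n)), None)

def debug_id_to_text(dotted_hex):
    """Decode the dotted-hex id from the ASA relay debug (drop the type byte)."""
    return bytes.fromhex(dotted_hex.replace(".", ""))[1:].decode()

if __name__ == "__main__":
    print(parse(relay(build_discover(0x1E88, MAC, CLIENT_ID), "172.16.201.2")))
```

Because the server trusts giaddr to pick the pool, the same parsing can be pointed at captured relay traffic to confirm that only the expected relay address (here 172.16.201.2) appears in that field.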