Dynamic Host Configuration Protocol (DHCP)

Each device in an IP network requires a valid IP configuration. If the network size is small,
an administrator can manually provide an IP configuration to each device. But if the
network size is large, assigning and managing the IP configuration on each device can be a
challenging task.

DHCP makes managing a network much easier: it provides the IP configuration to hosts
automatically instead of requiring an administrator to configure each host by hand.

No matter whether you have a tiny network or a huge network, DHCP works well in all
sizes of networks. You can use DHCP in your home network or can use it in your office or
business network.

What is DHCP?

The Dynamic Host Configuration Protocol (DHCP) is a service. It allows devices to acquire
their IP configuration dynamically. It is defined in RFC 2131 and 2939. It works in the
server/client model. The server offers and delivers IP configurations. Clients request and
acquire their IP configurations.

DHCP Address Allocation Methods


To provide an IP configuration, a DHCP server can use three mechanisms. These
mechanisms are the following.

Static allocation

In this method, the administrator configures an allocation table on the DHCP server. In this
table, the administrator fills in the MAC addresses of all clients and assigns an IP
configuration to each client.

The DHCP server uses the allocation table to provide IP configurations. When a client
requests an IP configuration, the DHCP server checks the table and finds a match. If the
DHCP server finds a match, the DHCP server offers the IP configuration that is associated
with the MAC address of the client in the match.

Dynamic allocation

In this method, the administrator configures a range of IP addresses on the DHCP server.
The DHCP server assigns an IP configuration from the configured range to each client that
requests an IP configuration.

In this method, the DHCP server offers the IP configuration only for a specific time, known
as the lease. The IP configuration remains valid until the lease expires. Once the lease has
expired, the client must obtain a new IP configuration from the server.

Automatic allocation

Same as the dynamic method, in this method, the administrator also configures a range of
IP addresses on the DHCP server and the DHCP server assigns an IP configuration from the
configured range to each client that requests an IP configuration.

Unlike the dynamic method, in this method the DHCP server assigns the IP configuration
permanently. To do so, the DHCP server sets the lease duration to infinite. As a result, once
the DHCP server chooses an IP configuration from the pool and assigns it to a client, the IP
configuration remains with that same client indefinitely.

How DHCP works Explained with Examples


This tutorial explains how DHCP works in detail through an example. Learn how DHCP
clients obtain an IP configuration from a DHCP server through four DHCP communication
steps.

When a host (DHCP client) needs an IP configuration, it contacts a DHCP server and
requests an IP configuration. A DHCP server holds several pre-configured IP
configurations. When it receives a DHCP request from a DHCP client, it provides the client
with one of the available IP configurations.

This entire process goes through the four steps: Discover, Offer, Request, and
Acknowledgment. In this tutorial, we will understand these four steps in detail.
The following image shows all four steps of DHCP communication.

Let's understand these steps in detail.

DHCP discovery

When a device starts, it checks whether it has a valid IP configuration. If it does not, the
device generates a special message known as the DHCPDISCOVER message and broadcasts
it on the local LAN segment.

To broadcast the DHCPDISCOVER message, the device uses 0.0.0.0 as the source address
and 255.255.255.255 as the destination address.

0.0.0.0 and 255.255.255.255 are two special addresses. Any device, whether it has a
valid IP configuration or not, can use these addresses to send local broadcast messages.

Of these, 0.0.0.0 is used as the source address: a device that does not yet have an
address of its own can use it as the source address of broadcast messages.
255.255.255.255 is the local broadcast address; any message sent to this address is
received by all hosts on the local network.

DHCP offer

Since the client sends the DHCPDISCOVER message to the local broadcast address, if a
DHCP server is configured on the local network, it will also receive the message. If
multiple DHCP servers are configured on the local network, they all will receive
the DHCPDISCOVER message.
If multiple DHCP servers are available, based on their configuration, one of them or all of
them can reply to the DHCPDISCOVER message. In reply to
the DHCPDISCOVER message, a DHCP server sends a DHCPOFFER message to the client.

Since the client does not have an IP address, the DHCP server cannot send
the DHCPOFFER message directly to the client. Because of this, the server sets the
destination address to 255.255.255.255. In other words, the server also broadcasts
the DHCPOFFER message to the local network.

The DHCPOFFER message contains protocol-specific information and an IP configuration.


An IP configuration typically includes the following important information: the IP address
for the client, the subnet mask of the proposed IP address, the IP address of the default
gateway, the DNS domain name, the DNS server address or addresses, and the TFTP
server address or addresses.

Apart from these, the DHCPOFFER message also contains other protocol-specific
information such as the lease duration and client ID. This information is required by the
core functions of DHCP.

DHCP request

All hosts in the local network receive the DHCPOFFER message. The host that sent
the DHCPDISCOVER message accepts the DHCPOFFER message; all other hosts ignore it.

How does a host know whether the broadcasted DHCPOFFER message is for it or not?

The DHCPDISCOVER message contains the host's MAC address. When a DHCP server
broadcasts a DHCPOFFER message, it also includes the host's MAC address in a
parameter known as the client ID. When hosts receive the DHCPOFFER message, they
check the client ID field in the message. If a host sees its MAC address in the client ID field,
the host knows that the message is meant for it. If a host sees the MAC address of another
host in the client ID field, the host knows that the message is not intended for it.

Depending on the number of DHCP servers, a host may receive multiple DHCPOFFER
messages. If a host receives multiple DHCPOFFER messages, it accepts only one message
and tells the corresponding server with a DHCPREQUEST message that it wants to use the
offered IP configuration.

If only one DHCP server is available and the provided IP configuration conflicts with the
client’s configuration, the client can respond with a DHCPDECLINE message. In this
situation, the DHCP server offers another IP configuration.

When the DHCP servers receive the DHCPREQUEST message, every server except the one
whose offer was accepted withdraws any offer it made to the client and returns the offered
address to the pool of available addresses.

The DHCPREQUEST message contains a Transaction ID field. Just as hosts use the client
ID field of the DHCPOFFER message to know whether the message is intended for them,
DHCP servers use the Transaction ID field of the DHCPREQUEST message to know whether
their offer has been accepted.

DHCP acknowledgment

When the DHCP server receives a DHCPREQUEST message from the client, the
configuration process enters its final stage. In this stage, the server sends
a DHCPACK message to the client.

The DHCPACK message is an acknowledgment to the client indicating that the DHCP
server has received the DHCPREQUEST message of the client, and the client can use the
offered IP configuration.

In some cases, the server may also respond with a DHCPNAK message.
The DHCPNAK message tells the client that the offer is no longer valid and the client
needs to request an IP configuration again. Typically, this occurs when the client takes
too long to respond with a DHCPREQUEST message after receiving
a DHCPOFFER message from the server. In such a case, the client can make a new
request for another IP configuration.

The following image shows the above steps.


The following table summarizes the messages that are used in each stage.

Message          Description
Discover         The DHCP client broadcasts this message to find a DHCP server.
Offer            The DHCP server broadcasts this message to lease an IP configuration
                 to the DHCP client.
Request          The DHCP client uses this message to notify the DHCP server whether
                 it accepts the proposed IP configuration or not.
Acknowledgment   The DHCP server uses this message to confirm to the DHCP client that
                 it can use the offered IP configuration.
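To make the four steps concrete, here is a small Python model of the exchange, added for this edition and not code from the original tutorial. It builds and parses RFC 2131 messages in memory, with constructed addresses taken from the single-switch lab later in this page, and nothing is sent on a network; the names DhcpServer, client_discover and run_exchange are this example's own.

```python
import struct
import ipaddress

HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6   # option 53 message types

def ip4(addr):
    return ipaddress.IPv4Address(addr).packed        # dotted string -> 4 bytes

def ip4str(raw):
    return str(ipaddress.IPv4Address(raw))           # 4 bytes -> dotted string

def build_message(op, xid, chaddr, options, yiaddr="0.0.0.0"):
    """BOOTP header + magic cookie + TLV options + END (255)."""
    header = struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, 0x8000,   # op, htype=Ethernet, hlen, hops, xid, secs, broadcast flag
                         b"\x00" * 4, ip4(yiaddr), b"\x00" * 4, b"\x00" * 4,   # ciaddr (none yet), yiaddr, siaddr, giaddr
                         chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + b"\xff"

def parse_message(data):
    """Decode the header fields used here plus the options, keyed by option code."""
    f = struct.unpack(HEADER_FMT, data[:236])
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    msg = {"op": f[0], "xid": f[4], "yiaddr": ip4str(f[8]), "chaddr": f[11][:f[2]], "options": {}}
    i = 240
    while i < len(data) and data[i] != 255:          # 255 = END
        if data[i] == 0:                              # 0 = PAD, carries no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        msg["options"][code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return msg

def client_discover(xid, mac):
    """Step 1: DISCOVER (on the wire it goes from 0.0.0.0 to 255.255.255.255)."""
    return build_message(BOOTREQUEST, xid, mac,
                         [(53, bytes([DISCOVER])), (61, b"\x01" + mac)])   # type, client id

def offer_is_for_me(offer, xid, mac):
    """Every host hears the broadcast OFFER; keep it only if xid and MAC match."""
    o = parse_message(offer)
    return (o["op"] == BOOTREPLY and o["options"].get(53) == bytes([OFFER])
            and o["xid"] == xid and o["chaddr"] == mac)

def client_request(offer, mac):
    """Step 3: REQUEST naming the accepted server (option 54) and address (option 50)."""
    o = parse_message(offer)
    return build_message(BOOTREQUEST, o["xid"], mac,
                         [(53, bytes([REQUEST])), (50, ip4(o["yiaddr"])), (54, o["options"][54])])

class DhcpServer:
    """A server with one address to hand out; enough to show OFFER, ACK and NAK."""
    def __init__(self, ip, offered_ip, mask, gateway, dns, lease_seconds):
        self.ip, self.offered_ip, self.pending = ip, offered_ip, {}   # pending: xid -> address
        self.config = [(1, ip4(mask)), (3, ip4(gateway)), (6, b"".join(ip4(a) for a in dns)),
                       (51, struct.pack("!I", lease_seconds)), (54, ip4(ip))]

    def offer(self, discover):
        """Step 2: OFFER, broadcast as well because the client has no address yet."""
        d = parse_message(discover)
        self.pending[d["xid"]] = self.offered_ip
        return build_message(BOOTREPLY, d["xid"], d["chaddr"],
                             [(53, bytes([OFFER]))] + self.config, yiaddr=self.offered_ip)

    def answer(self, request):
        """Step 4: ACK if the REQUEST names this server (RFC 2131 option 54), else withdraw; NAK on a wrong address."""
        r = parse_message(request)
        offered = self.pending.pop(r["xid"], None)
        if offered is None or r["options"].get(54) != ip4(self.ip):
            return None                               # another offer won; address returns to the pool
        if r["options"].get(50) != ip4(offered):
            return build_message(BOOTREPLY, r["xid"], r["chaddr"], [(53, bytes([NAK])), (54, ip4(self.ip))])
        return build_message(BOOTREPLY, r["xid"], r["chaddr"], [(53, bytes([ACK]))] + self.config, yiaddr=offered)

def decode_config(ack):
    """The lease a client installs after a successful ACK."""
    a = parse_message(ack)
    o = a["options"]
    return {"ip": a["yiaddr"], "mask": ip4str(o[1]), "gateway": ip4str(o[3]),
            "dns": [ip4str(o[6][i:i + 4]) for i in range(0, len(o[6]), 4)],
            "lease_seconds": struct.unpack("!I", o[51])[0], "server": ip4str(o[54])}

def run_exchange():
    """Two servers answer one DISCOVER; the client keeps the first valid OFFER (constructed values)."""
    mac, xid = bytes.fromhex("0011223344aa"), 0x3903F326
    servers = [DhcpServer("192.168.1.5", "192.168.1.11", "255.255.255.0", "192.168.1.1", ["4.4.4.4"], 86400),
               DhcpServer("192.168.1.6", "192.168.1.50", "255.255.255.0", "192.168.1.1", ["8.8.8.8"], 86400)]
    discover = client_discover(xid, mac)
    offers = [s.offer(discover) for s in servers]
    chosen = next(o for o in offers if offer_is_for_me(o, xid, mac))
    replies = [s.answer(client_request(chosen, mac)) for s in servers]
    acks = [r for r in replies if r is not None]
    return {"config": decode_config(acks[0]), "withdrawn": replies.count(None)}
```

Calling run_exchange() returns the lease from the first server and reports that the second server withdrew its offer, which is the behaviour the Request step above describes.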

DHCP Configuration Parameters and Settings Explained

This tutorial explains the Cisco specific DHCP configuration parameters and settings in
detail. Learn the configuration parameters and settings that you need to configure a Cisco
device (router or switch) to act as the DHCP server.

To configure a Cisco router or switch as a DHCP server, we have to create and configure a
DHCP pool on it. A DHCP pool is a collection of IP configurations that we want to assign to
DHCP clients. Each IP configuration contains a unique IP address and a few common
network settings and addresses such as the default gateway IP, DNS servers' IP addresses,
and TFTP server's IP addresses.

Let's understand these settings and addresses in detail.

IP range (subnet or scope)

This is a range of IP addresses that we want to assign to clients. In each range, the first
address and the last address have special meanings. The first address is known as
the network ID (or address). The last address is known as the local broadcast ID (or
address).

DHCP clients use the network address and broadcast address to request an IP
configuration from DHCP servers, while the DHCP servers use the same addresses to offer
the IP configuration to the DHCP clients. To learn how this process works in detail, please
check the second part of this article.

To define a range, we use the network ID and the subnet mask. For example, to define a
range of IP addresses from 192.168.1.0 to 192.168.1.255, we would set the network ID to
192.168.1.0 and the subnet mask to 255.255.255.0.

The network ID 192.168.1.0 and the subnet mask 255.255.255.0 represent a range of IP
addresses from 192.168.1.0 to 192.168.1.255. In this range, the network
address is 192.168.1.0 and the local broadcast address is 192.168.1.255.

DHCP servers do not lease the network ID and broadcast ID. Except for these two, all
addresses of the defined IP range can be leased to clients.

Reserved/excluded addresses

If you don't want to assign a few addresses from the range, you can configure them
as excluded addresses. DHCP servers do not assign the excluded addresses. This feature
allows us to configure static IP addresses on critical network resources such as servers,
printers, and routers.
The default gateway IP address

If a local host wants to send a data packet to a host that is not available in the local
network, it sends the data packet to the default gateway. This option allows us to set a
default gateway IP address for hosts. Typically, this is the IP address of the router's
interface that is directly connected to the local network.

DNS server IP addresses

DNS servers allow hosts to access network resources by using their names instead of their
IP addresses. If a DNS server is configured, you can set its IP address in this option. If you
have more than one DNS server, you can configure all of them on hosts through this
option.

TFTP server IP address

A TFTP server allows hosts to download or store files. If a TFTP server is available in the
network, you can use this option to provide the IP address of the TFTP server to all hosts.

Lease duration

The lease duration defines the validity of the IP configuration. A DHCP client can use the
assigned IP configuration until its validity expires. Once the validity period has expired, the
client needs to obtain a new IP configuration from the server. By default, an IP
configuration remains valid for 24 hours. Depending on your requirements, you can
increase or decrease it.

The following image shows how multiple IP configurations are stored in a DHCP pool.

DHCP pool configuration mode

Cisco routers and switches include a special configuration mode known as DHCP pool
configuration mode. It allows us to create and configure DHCP pools. Except for the
command that defines the list of excluded or reserved addresses, all commands required
to configure the DHCP server run in DHCP pool configuration mode.

DHCP configuration steps

To configure a DHCP server on a Cisco router or switch, use the following configuration
steps.

● Create a list of addresses that you want to exclude or reserve. For this, use the
'ip dhcp excluded-address [first-address last-address]' command in global
configuration mode.
● Create your DHCP pool using a unique name. To create a DHCP pool and enter DHCP
pool configuration mode, use the 'ip dhcp pool [name]' command in global
configuration mode.
● Define the range of IP addresses that the DHCP server should provide to clients. Use
the 'network [subnet-ID mask]' or 'network [subnet-ID prefix-length]' command in
DHCP pool configuration mode to define the range of IP addresses.
● Add the default gateway IP address. Use the 'default-router [ip-address]' command in
DHCP pool configuration mode to define the default gateway IP address.
● Provide the DNS server addresses. Use the 'dns-server [address1 address2...]'
command in DHCP pool configuration mode to define the list of DNS server IP addresses
used by clients in this pool.
● If you don't want to use the default lease duration of 24 hours, set the lease duration.
Use the 'lease [days hours minutes]' command in DHCP pool configuration mode to
define the length of the lease in days, hours, and minutes.
● If you have a TFTP server in your network, set its IP address. Use the
'next-server [ip-address]' command in DHCP pool configuration mode to define the
TFTP server IP address.

That's all for this part. In the next part of this tutorial, we will take a packet tracer example
to understand how to use or execute the above-explained commands to configure a Cisco
switch to act as a DHCP server. If you like this tutorial, please don't forget to share it with
friends through your favorite social channel.

The DHCP service allows hosts to automatically obtain their IP configuration from the
DHCP server. The DHCP service is available on Cisco switches. This means, if you have a
Cisco switch in your network, you can also use it as a DHCP server.

The following table lists the commands that are required to configure a switch to act as a
DHCP server.

Command                                                    Description (command used for)

Switch>enable                                              To enter privileged-exec mode.
Switch#configure terminal                                  To enter global configuration mode.
Switch(config)#ip dhcp excluded-address [starting address] [ending address]
                                                           To create a range of excluded IP addresses.
Switch(config)#ip dhcp pool [pool name]                    To create a DHCP pool and enter DHCP pool
                                                           configuration mode.
Switch(dhcp-config)#network [network ID] [subnet mask]     To define the range of IP addresses that the
                                                           DHCP server should offer to clients.
Switch(dhcp-config)#default-router [IP address of default gateway]
                                                           To set the IP address of the default gateway.
Switch(dhcp-config)#dns-server [IP address of DNS server]  To set the IP address of the DNS server.
Switch(dhcp-config)#exit                                   To exit DHCP pool configuration mode.
Switch(config)#interface vlan 1                            To enter configuration mode of VLAN 1.
Switch(config-if)#ip address [any available IP address from the pool] [subnet mask]
                                                           To set an IP address on VLAN 1.
Switch(config-if)#no shutdown                              To enable the VLAN.
Switch(config-if)#exit                                     To exit VLAN configuration mode.
Switch(config)#exit                                        To exit global configuration mode.
Switch#copy running-config startup-config                  To copy the running configuration to the
                                                           startup configuration.

Before we take a packet tracer example to understand how to use the above commands
in detail, I assume that you are familiar with DHCP terminology and configuration. To know
what DHCP is and how it works, please check the previous parts of this tutorial.

DHCP configuration on Cisco switches (Packet Tracer example)

Either download the following pre-created practice lab or create a packet tracer lab to
replicate the network explained below.

Download link of the pre-created practice lab

In a small network, a Cisco switch and a generic wireless access point are used to provide
connectivity between hosts. Wired hosts are directly connected to the switch. Wireless
hosts are connected to the access point and the access point is connected to the switch.

The following image shows this network.

Objective
Configure the switch to act as the DHCP server.

Configuring DHCP service on the switch

Access the command prompt of the switch and run the following commands.
Switch>enable
Switch#configure terminal
Switch(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.10
Switch(config)#ip dhcp pool test
Switch(dhcp-config)#network 192.168.1.0 255.255.255.0
Switch(dhcp-config)#default-router 192.168.1.1
Switch(dhcp-config)#dns-server 4.4.4.4
Switch(dhcp-config)#exit
Switch(config)#interface vlan 1
Switch(config-if)#ip address 192.168.1.5 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#exit
Switch#
The following image shows how to execute the above commands on the switch.

Let's understand the above configuration.

First, we created a range of reserved IP addresses (192.168.1.1 - 192.168.1.10). We use
reserved addresses for the resources that need a static IP configuration, such as routers,
servers, and printers.

After this, we created the pool named test and defined a range of all available IP
addresses (192.168.1.0 255.255.255.0). This IP range also includes the reserved IP
addresses that we excluded in the first step.

When the DHCP server provides IP addresses, it automatically excludes the reserved
addresses from the available addresses.

Then, we set the default gateway and DNS server IP addresses.

Finally, we assigned an IP address from the reserved range to VLAN 1 and enabled
VLAN 1.

DHCP uses the source IP address to determine the pool from which it should offer an
address. Since a DHCP client does not have an IP address, DHCP uses the IP address of the
client's VLAN to determine the pool for it.

The client's VLAN is the VLAN configured on the switch port to which the client is
connected. For example, if a client is connected to port F0/5 and VLAN 10 is configured on
port F0/5, then the client's VLAN is VLAN 10.

By default, all switch ports belong to VLAN 1. This means, unless you create or configure
additional VLANs, DHCP will use VLAN1's IP address to determine the pool.

Since we assigned an IP address to VLAN 1 from our configured pool and did not create
any additional VLAN, DHCP will use our pool to assign IP addresses to all clients.

VLAN is a switch management feature. It allows us to manage a switch remotely, categorize
connected hosts, and do a lot of extra stuff. To learn more about VLANs, you can check
the following tutorial.

VLAN Basic Concept Explained with Examples

Configuring DHCP clients

To configure the host as a DHCP client, change the host's IP configuration option to DHCP.
For this, click the device and click the Desktop option and click the IP configuration and
select the DHCP option.

The following image shows this procedure step-by-step on packet tracer.


Configure all hosts as DHCP clients by following the above-explained steps.

Verifying DHCP server

To verify that the switch is properly configured as a DHCP server, you can check the IP
configuration of any connected host.

To view the IP configuration of any host, click the host and click the Desktop option and
click the IP configuration option and check the obtained IP configuration.

The following image shows these steps.


You can also use the 'ipconfig' command to view the IP address. To use
the 'ipconfig' command, select the command prompt of the device and run this
command.

The following image shows how to use this command.


Viewing leased addresses and DHCP statistics

To view IP addresses leased by the DHCP server, use the 'show ip dhcp binding' command
in privileged-exec mode.

The following image shows the output of this command.

To view DHCP pool statistics and information, use the 'show ip dhcp pool [pool-name]'
command. The following image shows the output of this command.

Configured packet tracer lab

The following download link provides the configured packet tracer lab of the example
used in this tutorial.

Configured packet tracer lab of the example

That's all for this part. In the next part of this tutorial, we will understand how to configure
and use multiple DHCP pools to support VLANs. If you like this tutorial, please don’t forget
to share it with friends through your favorite social network.

Configure DHCP Server for multiple VLANs on the Switch

This tutorial explains how to configure multiple DHCP pools on the DHCP server to
support multiple VLANs. Learn how to configure DHCP on a switch to support multiple
VLANs.

By default, switches forward broadcast messages. To control and limit broadcast
messages, switches use VLANs. A VLAN defines a logical boundary for broadcast
messages. If a VLAN is defined, the switch forwards broadcast messages only inside the
VLAN.

Let's take a simple example to understand how VLAN controls broadcast messages.

A small network is built using an 8-port switch. Until we configure a VLAN on it, the switch
forwards an incoming broadcast message out of all ports except the one on which the
message arrived.

Now, suppose we configure two VLANs on it and add the first four ports to the first VLAN
and the last four ports to the second VLAN. After this configuration, when the switch
receives a broadcast message on a port, it forwards the message only out of the ports that
belong to the same VLAN.

For example, if the switch receives a broadcast message on port 2, it forwards that
message out of ports 1, 3, and 4 only, because port 2 belongs to the first VLAN and the
other ports in the first VLAN are 1, 3, and 4. Since ports 5, 6, 7, and 8 do not belong to
the first VLAN, the switch does not forward the incoming broadcast message out of those
ports.

VLANs optimize networks by reducing the area of broadcast messages, but they cause
problems for applications that rely on broadcast messages. For example, DHCP uses
broadcast messages to enable communication between DHCP clients and the DHCP
server.

If the DHCP server and clients are configured in different VLANs, clients will not receive IP
configuration from the server. To solve this issue, we have two options. Either configure a
DHCP server in each VLAN or configure multiple DHCP pools on the DHCP server and
assign a DHCP pool to each VLAN.

We have already discussed the first option in the previous part of this article. In this part,
we will learn how to create and configure multiple DHCP pools on the DHCP server and
assign a DHCP pool to each VLAN through a packet tracer example.

Packet tracer lab setup

Either download the following pre-created packet tracer lab or create a packet tracer lab
as described below.

Download link of the pre-created practice lab

Add a switch, a router, and six PCs to the workspace. Connect PCs to the switch and the
switch to the router. The following image shows this lab.
Configure this lab to meet the following objectives.

● Create three VLANs and add 2 PCs to each VLAN.

● Configure the DHCP server on the switch and create three DHCP pools.

● Assign a DHCP pool to each VLAN.

● Configure all PCs as DHCP clients.

● Verify that all PCs receive their IP configuration from the DHCP server.

● Test connectivity between all PCs.

Creating and assigning VLANs

To create a VLAN, run the following command in global configuration mode.

Switch(config)#vlan [VLAN number or name]


To assign a VLAN to an interface, use the following command.

Switch(config-if)#switchport access vlan [VLAN number or name]


Create 3 VLANs: VLAN 10, VLAN 20, and VLAN 30 by running the following commands.

Switch>enable
Switch#configure terminal
Switch(config)#vlan 10
Switch(config-vlan)#exit
Switch(config)#vlan 20
Switch(config-vlan)#exit
Switch(config)#vlan 30
Switch(config-vlan)#exit
Switch(config)#
The following image shows how to execute the above commands on the packet tracer.

Assign VLAN 10 to Fa0/1 and Fa0/2, VLAN 20 to Fa0/3 and Fa0/4, and VLAN
30 to Fa0/5 and Fa0/6.

Switch(config)#interface FastEthernet 0/1
Switch(config-if)#switchport access vlan 10
Switch(config-if)#exit
Switch(config)#interface FastEthernet 0/2
Switch(config-if)#switchport access vlan 10
Switch(config-if)#exit
Switch(config)#interface FastEthernet 0/3
Switch(config-if)#switchport access vlan 20
Switch(config-if)#exit
Switch(config)#interface FastEthernet 0/4
Switch(config-if)#switchport access vlan 20
Switch(config-if)#exit
Switch(config)#interface FastEthernet 0/5
Switch(config-if)#switchport access vlan 30
Switch(config-if)#exit
Switch(config)#interface FastEthernet 0/6
Switch(config-if)#switchport access vlan 30
Switch(config-if)#exit
Switch(config)#
The following image shows the above configuration on the packet tracer.

Configuring trunk port

By default, all switch ports operate in access mode. In access mode, a switch port allows
traffic of a single VLAN only. To allow traffic from multiple VLANs, we have to configure
the port as the trunk port.

In our example, only the port that connects the switch and the router carries the traffic of
multiple VLANs. To configure this port as a trunk port, use the 'switchport mode
trunk' command in interface configuration mode.

Switch(config)#interface GigabitEthernet 0/1
Switch(config-if)#switchport mode trunk
Switch(config-if)#exit
Switch(config)#
The following image shows this configuration on the packet tracer.

Configuring DHCP server and creating DHCP pools

By default, DHCP service is enabled on all supporting Cisco switches. To use this service,
we have to create and configure a DHCP pool on the switch.

The following table lists the steps that are required to create and configure a DHCP pool.

Configuration step             Description (required command)

Define reserved IP addresses   Use the 'ip dhcp excluded-address' command to define the range
                               of reserved IP addresses.
Create the DHCP pool           To create a DHCP pool and enter DHCP pool configuration mode,
                               use the 'ip dhcp pool [pool name]' command.
Define IP range for lease      Use the 'network [network ID] [subnet mask]' command to define
                               the range of IP addresses. DHCP uses this range to provide IP
                               configuration to clients.
Set default gateway IP         To set the default gateway IP address, use the
                               'default-router [IP address of the default gateway]' command.
Set DNS server IP              To set the DNS server IP address, use the
                               'dns-server [IP address of the DNS server]' command.

Create three DHCP pools by using the above configuration steps.

Switch(config)#ip dhcp excluded-address 10.0.0.1 10.0.0.10
Switch(config)#ip dhcp excluded-address 20.0.0.1 20.0.0.10
Switch(config)#ip dhcp excluded-address 30.0.0.1 30.0.0.10
Switch(config)#ip dhcp pool vPool10
Switch(dhcp-config)#network 10.0.0.0 255.0.0.0
Switch(dhcp-config)#default-router 10.0.0.1
Switch(dhcp-config)#dns-server 4.4.4.4
Switch(dhcp-config)#exit
Switch(config)#ip dhcp pool vPool20
Switch(dhcp-config)#network 20.0.0.0 255.0.0.0
Switch(dhcp-config)#default-router 20.0.0.1
Switch(dhcp-config)#dns-server 8.8.8.8
Switch(dhcp-config)#exit
Switch(config)#ip dhcp pool vPool30
Switch(dhcp-config)#network 30.0.0.0 255.0.0.0
Switch(dhcp-config)#default-router 30.0.0.1
Switch(dhcp-config)#dns-server 30.0.0.2
Switch(dhcp-config)#exit
Switch(config)#
The following image shows the above configuration on the packet tracer.

Assigning IP addresses to VLANs

DHCP uses the IP address of a VLAN to determine the pool from which it should provide
an IP configuration. To assign an IP address to the VLAN, use the following commands.

Switch(config)#interface vlan [vlan name or number]
Switch(config-if)#ip address [ip address] [subnet mask]

Assign an IP address to each VLAN from the reserved range of the corresponding DHCP
pool.

Switch(config)#interface vlan 10
Switch(config-if)#ip address 10.0.0.5 255.0.0.0
Switch(config-if)#exit
Switch(config)#interface vlan 20
Switch(config-if)#ip address 20.0.0.5 255.0.0.0
Switch(config-if)#exit
Switch(config)#interface vlan 30
Switch(config-if)#ip address 30.0.0.5 255.0.0.0
Switch(config-if)#exit
Switch(config)#
The following image shows the above configuration on the packet tracer.
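The following Python model, added here and not Cisco's or the tutorial's own code, ties the pool parameters together for both the single-pool walkthrough in the previous part and the three-VLAN lab above: global excluded ranges, one pool per network, selection of the pool by the address of the VLAN interface the request arrived on, and the network and broadcast addresses that are never leased. The class and method names (DhcpServer, allocate, ios_commands, build_lab_server) are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DhcpPool:
    """One 'ip dhcp pool' entry and the bindings it has handed out."""
    name: str
    network: ipaddress.IPv4Network      # network [network ID] [subnet mask]
    default_router: str                 # default-router [ip]
    dns_servers: list                   # dns-server [ip ...]
    lease: tuple = (1, 0, 0)            # lease [days hours minutes]; default is one day
    bindings: dict = field(default_factory=dict)   # client MAC -> leased IPv4Address


class DhcpServer:
    """Model of the switch's DHCP service: global exclusions plus named pools."""

    def __init__(self):
        self.excluded = []              # (first, last) pairs; global scope, not per pool
        self.pools = {}                 # pool name -> DhcpPool

    def exclude(self, first, last):
        """ip dhcp excluded-address <first> <last> (global configuration mode)."""
        self.excluded.append((ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))

    def add_pool(self, name, network_id, mask, default_router, dns_servers, lease=(1, 0, 0)):
        net = ipaddress.IPv4Network(f"{network_id}/{mask}", strict=True)
        self.pools[name] = DhcpPool(name, net, default_router, list(dns_servers), lease)
        return self.pools[name]

    def select_pool(self, interface_ip):
        """Pick the pool whose range contains the address of the VLAN interface (SVI)
        the request arrived on; a client on a VLAN with no matching pool gets nothing."""
        addr = ipaddress.IPv4Address(interface_ip)
        return next((p for p in self.pools.values() if addr in p.network), None)

    def _leasable(self, pool, addr):
        if addr in (pool.network.network_address, pool.network.broadcast_address):
            return False                # network ID and broadcast ID are never leased
        if any(first <= addr <= last for first, last in self.excluded):
            return False                # reserved for statically addressed hosts
        return addr not in pool.bindings.values()

    def allocate(self, interface_ip, client_mac):
        """Offer a configuration to client_mac, or None if no pool matches or it is exhausted."""
        pool = self.select_pool(interface_ip)
        if pool is None:
            return None
        addr = pool.bindings.get(client_mac)          # an existing binding is reused on renewal
        if addr is None:
            addr = next((a for a in pool.network if self._leasable(pool, a)), None)
            if addr is None:
                return None
            pool.bindings[client_mac] = addr
        days, hours, minutes = pool.lease
        return {"pool": pool.name, "ip": str(addr), "mask": str(pool.network.netmask),
                "default_router": pool.default_router, "dns": pool.dns_servers,
                "lease_seconds": (days * 24 + hours) * 3600 + minutes * 60}

    def ios_commands(self):
        """Render the model as the IOS commands this page uses."""
        lines = [f"ip dhcp excluded-address {a} {b}" for a, b in self.excluded]
        for pool in self.pools.values():
            lines += [f"ip dhcp pool {pool.name}",
                      f" network {pool.network.network_address} {pool.network.netmask}",
                      f" default-router {pool.default_router}",
                      f" dns-server {' '.join(pool.dns_servers)}"]
            if pool.lease != (1, 0, 0):
                lines.append(" lease {} {} {}".format(*pool.lease))
        return lines


def build_lab_server():
    """The three-VLAN lab on this page: vPool10/20/30 with .1-.10 of each network reserved."""
    srv = DhcpServer()
    for n in (10, 20, 30):
        srv.exclude(f"{n}.0.0.1", f"{n}.0.0.10")
    srv.add_pool("vPool10", "10.0.0.0", "255.0.0.0", "10.0.0.1", ["4.4.4.4"])
    srv.add_pool("vPool20", "20.0.0.0", "255.0.0.0", "20.0.0.1", ["8.8.8.8"])
    srv.add_pool("vPool30", "30.0.0.0", "255.0.0.0", "30.0.0.1", ["30.0.0.2"])
    return srv
```

A request arriving on VLAN 10 (SVI 10.0.0.5) gets 10.0.0.11, the first address after the reserved block, and a request from a VLAN with no pool is refused.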
Configuring the router's interface

By default, different VLANs cannot communicate with each other. To allow communication
between different VLANs, we have to connect them through a router. We don't need a
dedicated router interface for each VLAN. Routers support interface virtualization, so we
can use a single router interface to allow communication between multiple VLANs.

To virtualize the Fa0/0 interface and configure it to allow communication between
different VLANs, use the following configuration on the router.

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface FastEthernet 0/0
Router(config-if)#no ip address
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface FastEthernet 0/0.10
Router(config-subif)#encapsulation dot1Q 10
Router(config-subif)#ip address 10.0.0.1 255.0.0.0
Router(config-subif)#exit
Router(config)#interface FastEthernet 0/0.20
Router(config-subif)#encapsulation dot1Q 20
Router(config-subif)#ip address 20.0.0.1 255.0.0.0
Router(config-subif)#exit
Router(config)#interface FastEthernet 0/0.30
Router(config-subif)#encapsulation dot1Q 30
Router(config-subif)#ip address 30.0.0.1 255.0.0.0
Router(config-subif)#exit
Router(config)#
The following image shows the above configuration on the packet tracer.
To learn how different VLANs communicate through the router in detail, you can check
the following tutorial. It explains how to configure and use VLANs in detail.
VLAN Configuration Commands Step by Step Explained

Configuring and verifying DHCP clients


To configure a host as the DHCP client, click the host and click the Desktop menu option
and click the IP configuration option and choose the DHCP option. If the DHCP server is
properly configured, the DHCP client will receive the IP configuration in a few seconds.

The following image shows this procedure step by step.


If you prefer, you can use the ping command to test and verify connectivity between two
hosts of different VLANs.

The following image shows how to use this command to test connectivity between PC1
and PC6. Since PC1 and PC6 belong to VLAN 10 and VLAN 30, respectively, a
successful ping response verifies that both VLANs have proper connectivity.
Configured packet tracer lab

To download the configured lab of this example, use the following download link.

Configured packet tracer lab of the example

That's all for this part. In the next part of this tutorial, we will understand how to configure
a DHCP server on a Cisco router. If you like this tutorial, please don't forget to share it with
friends through your favorite social channel.

How to Configure DHCP Server on Cisco Routers

This tutorial explains how to configure and verify a DHCP server on Cisco routers in detail
through a packet tracer example. Learn how to use a Cisco router as a DHCP server.

For this tutorial, I assume that you know what DHCP is and how it works. To learn basic
concepts and configurations of DHCP, please check the previous parts of this tutorial.

Packet Tracer LAB Setup for the practice of DHCP Server

Either download the following pre-created LAB or create a packet tracer lab as shown in
the following image.

Pre-created practice lab for the practice of DHCP server


In this lab, there are two networks: Left_network and Right_Network. Both networks are
connected to the router's Fast Ethernet 0/0 and 0/1 interfaces, respectively. Now our
objective is to configure the following IP configuration on both networks.

Configuration                      Left_Network                     Right_Network
IP addresses                       192.168.1.0 to 192.168.1.255     192.168.2.0
Available IP addresses for hosts   192.168.1.10 to 192.168.1.254    192.168.2.1
Subnet mask                        255.255.255.0                    255.255.255.0
Default Gateway                    192.168.1.1                      192.168.2.1
DNS Server                         192.168.1.2                      192.168.2.2
TFTP Server                        192.168.1.3                      192.168.2.3
Reserved                           192.168.1.4 to 192.168.1.10      192.168.2.4

Configuring IP configuration on the router

A router connects different networks. If a router is connected to a network, hosts of that network use the router as the default gateway to reach hosts of other networks.

In our example, since the Left_Network and Right_Network are respectively connected
to the Fast Ethernet 0/0 and 0/1 interfaces of the router, both networks will use the IP
addresses of their respective interfaces as the default gateway IPs.
In simple terms, Fast Ethernet 0/0 and Fast Ethernet 0/1 of the router are the default
gateways of the Left_Network and Right_Network respectively. Before configuring the
router to act as a DHCP server, we have to configure and enable these interfaces.

To configure and enable these interfaces, access the command prompt of the router, and
execute the following commands.

Router>enable
Router# configure terminal
Router(config)# interface FastEthernet 0/0
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)#exit
Router(config)# interface FastEthernet 0/1
Router(config-if)# ip address 192.168.2.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)#exit
The following image shows the above commands on the packet tracer.

Configuring DHCP server on the router

For each network that will obtain IP configuration from the DHCP server, we have to
create and configure a DHCP pool on the router. In our example, we have two networks,
so we have to create two DHCP pools, one for each network.

Use the following commands to create and configure a DHCP pool for the Left_Network.

Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip dhcp excluded-address 192.168.1.0 192.168.1.10
Router(config)#ip dhcp pool Left_Network
Router(dhcp-config)#default-router 192.168.1.1
Router(dhcp-config)#dns-server 192.168.1.2
Router(dhcp-config)#option 150 ip 192.168.1.3
Router(dhcp-config)#network 192.168.1.0 255.255.255.0
Router(dhcp-config)#exit
The following table describes the above commands.
Command                                             Description
ip dhcp excluded-address 192.168.1.0 192.168.1.10   Tells the DHCP server not to assign the addresses from 192.168.1.0 to 192.168.1.10 to DHCP clients.
ip dhcp pool Left_Network                           Creates a DHCP pool named Left_Network and changes the command mode to DHCP pool configuration mode.
default-router 192.168.1.1                          Assigns the default gateway to clients of this DHCP pool.
dns-server 192.168.1.2                              Sets a primary DNS server for the clients.
option 150 ip 192.168.1.3                           Provides the IP address of the TFTP server to the clients.
network 192.168.1.0 255.255.255.0                   Specifies the range of IP addresses for the pool.
exit                                                Exits DHCP pool configuration mode.

Create and configure a DHCP pool for the Right_Network using the same commands, as shown below.

Router(config)#ip dhcp excluded-address 192.168.2.0 192.168.2.10
Router(config)#ip dhcp pool Right_Network
Router(dhcp-config)#default-router 192.168.2.1
Router(dhcp-config)#dns-server 192.168.2.2
Router(dhcp-config)#option 150 ip 192.168.2.3
Router(dhcp-config)#network 192.168.2.0 255.255.255.0
Router(dhcp-config)#exit
Router(config)#
The following image shows how to execute the above commands on the router.
Configuring DHCP clients

To configure a device as a DHCP client, change its IP configuration option to DHCP. To do this, click the device. In the window that opens, click the IP configuration option in the Desktop menu and set the IP configuration option to DHCP.

The following image shows the above procedure.


Verifying DHCP clients

To verify that the client has obtained IP configuration from the DHCP server, you can
check the IP configuration option of the client again. For example, the following image
shows how to verify this on a host of the Left_Network.
The following image shows how to verify this on a host of the Right_Network.

Verifying the DHCP Server


To verify that the DHCP server is working properly and to see the IP addresses that have been leased by the DHCP server, run the following command in privileged-exec mode.

#show ip dhcp binding


The following image shows the output of this command.

To view detailed information about a specific DHCP pool, use the following command.

#show ip dhcp pool [pool-name]


For example, the following commands list the detailed information about the DHCP pools Left_Network and Right_Network, respectively.

#show ip dhcp pool Left_Network
#show ip dhcp pool Right_Network
The following image shows the output of the above commands.
Configured LAB of the example
The following download link provides the configured LAB of this example.

Configured practice LAB of the DHCP server

That's all for this part. In the next part of this tutorial, we will understand what a DHCP
relay agent is and how to configure it on Cisco routers. If you like this tutorial, please don't
forget to share it with friends through your favorite social channel.

How DHCP Relay Agents work Explained


This tutorial explains what a DHCP relay agent is and how it works. Learn how DHCP relay
agents allow local hosts to obtain their IP configuration from the remote DHCP server.

DHCP clients use local broadcast messages to obtain IP addresses from the DHCP server.
By default, routers do not forward local broadcast messages. This means, if the DHCP
server is configured on another network or a router is configured between the DHCP
server and DHCP clients, the DHCP clients will not receive IP addresses from the DHCP
server.

In such a situation, a network administrator has two choices: either configure a DHCP server in each subnet, or configure the router that connects the subnet to the DHCP server as a DHCP relay agent. A DHCP relay agent sits between a DHCP server and DHCP clients and allows the DHCP clients to obtain IP addresses from a DHCP server that is not on the same LAN.

In this tutorial, we will understand how to configure Cisco routers as DHCP relay agents through a packet tracer example. If you want to learn how to use a Cisco router to provide a DHCP server on each subnet, or how a DHCP server works, please check the previous parts of this article.

How do DHCP Relay agents work?


A DHCP client always uses the local broadcast address to send a DHCP request. When a
router's interface that is connected to a local subnet receives a DHCP broadcast message,
depending on how it is configured, it can forward the message to the DHCP server or can
discard the message immediately.

If the interface is not configured as the DHCP relay, it will discard the message
immediately. But if it is configured as the DHCP relay it will forward that message to the
DHCP server.

Since a router's interface forwards only unicast messages and a DHCP message is a
broadcast message, the router's interface wraps the broadcast message in a new unicast
message and forwards it to the DHCP server.

When the DHCP server receives a DHCP request in a unicast message, it knows that the request was forwarded by a DHCP relay rather than sent directly by a DHCP client, because a DHCP client never uses a unicast address to send a DHCP request.

The DHCP server uses the source address of the incoming unicast message to determine the subnet of the client. For example, if the source address of an incoming message is 10.0.0.1/8, the DHCP server concludes that the client belongs to the subnet whose default gateway IP is 10.0.0.1/8.

Once the default gateway IP is determined, the DHCP server checks its pools and finds the
pool that uses the same default gateway. In this case, it finds the pool that is configured
with the default gateway IP 10.0.0.1/8.

After determining the pool, the DHCP server picks an available IP configuration from the
pool and wraps it in a unicast message and sends it back to the DHCP relay.

When the DHCP relay receives the unicast message from the DHCP server, it converts it into a local broadcast message and sends it into the local subnet. The original client receives the DHCP offer message as a local broadcast message.

The following image shows how a client of the subnet 10.0.0.1/8 receives IP configuration
from the server.
In a nutshell, a DHCP relay agent converts the local DHCP broadcast message into a unicast message, using its own IP address as the source IP address, and sends the unicast message to the DHCP server. When the DHCP server replies, the relay converts the received unicast reply into a local broadcast message and sends it to the local network.
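The relay exchange just described, modelled in Python as an added example (not code from the original tutorial). The server, relay and addresses are constructed for illustration: the server at 50.0.0.10 keys its pool selection on the source address of the forwarded unicast, as the text describes (a real server reads the relay's address from the giaddr field the relay fills in, which amounts to the same thing), and a relay whose gateway has no matching pool gets no answer at all.

```python
from dataclasses import dataclass, field
import ipaddress

BROADCAST = "255.255.255.255"

@dataclass
class DhcpMessage:
    kind: str            # Discover, Offer, Request or Ack
    chaddr: str          # client hardware (MAC) address
    src: str             # source IP of the packet carrying the message
    dst: str             # destination IP of that packet
    yiaddr: str = ""     # address offered/assigned by the server
    options: dict = field(default_factory=dict)

@dataclass
class Pool:
    network: ipaddress.IPv4Network
    default_router: str
    dns_server: str
    leased: dict = field(default_factory=dict)   # chaddr -> IP

    def next_free(self):
        # first host address that is neither the gateway nor already leased
        for host in self.network.hosts():
            ip = str(host)
            if ip != self.default_router and ip not in self.leased.values():
                return ip
        return None

class DhcpServer:
    def __init__(self, ip, pools):
        self.ip = ip
        self.pools = pools

    def handle(self, msg):
        # Only unicasts addressed to the server count. Their source is the relay's
        # interface, i.e. the client's default gateway, which selects the pool.
        if msg is None or msg.dst != self.ip:
            return None
        pool = next((p for p in self.pools if p.default_router == msg.src), None)
        if pool is None:
            return None                          # no pool for that gateway
        opts = {"router": pool.default_router, "dns": pool.dns_server,
                "mask": str(pool.network.netmask)}
        if msg.kind == "Discover":
            ip = pool.next_free()
            if ip is None:
                return None                      # pool exhausted
            return DhcpMessage("Offer", msg.chaddr, self.ip, msg.src, ip, opts)
        if msg.kind == "Request":                # requested address carried in yiaddr here
            if (ipaddress.ip_address(msg.yiaddr) not in pool.network
                    or msg.yiaddr in pool.leased.values()):
                return None                      # not from this pool, or already taken
            pool.leased[msg.chaddr] = msg.yiaddr
            return DhcpMessage("Ack", msg.chaddr, self.ip, msg.src, msg.yiaddr, opts)
        return None

class RelayAgent:
    """A router interface configured with 'ip helper-address <server>'."""
    def __init__(self, interface_ip, helper_address):
        self.interface_ip = interface_ip
        self.helper_address = helper_address

    def to_server(self, msg):
        # Wrap the client's local broadcast in a unicast to the DHCP server,
        # using the relay's own interface address as the source.
        if msg.dst != BROADCAST:
            return None
        return DhcpMessage(msg.kind, msg.chaddr, self.interface_ip,
                           self.helper_address, msg.yiaddr, dict(msg.options))

    def to_client(self, reply):
        # Turn the server's unicast reply back into a local broadcast.
        return DhcpMessage(reply.kind, reply.chaddr, self.interface_ip,
                           BROADCAST, reply.yiaddr, dict(reply.options))

def relay_exchange(client_mac, relay, server):
    """Discover/Offer/Request/Ack through the relay. Returns the Ack as the
    client sees it, or None when the server has no pool for that relay."""
    discover = DhcpMessage("Discover", client_mac, "0.0.0.0", BROADCAST)
    offer = server.handle(relay.to_server(discover))
    if offer is None:
        return None
    offer = relay.to_client(offer)
    request = DhcpMessage("Request", client_mac, "0.0.0.0", BROADCAST, offer.yiaddr)
    ack = server.handle(relay.to_server(request))
    return None if ack is None else relay.to_client(ack)

def build_lab():
    """Constructed lab: server 50.0.0.10 with pools for 10.0.0.0/8 and 20.0.0.0/8,
    and a relay on Router1's 10.0.0.1 interface. No pool exists for 30.0.0.0/8."""
    pools = [Pool(ipaddress.IPv4Network("10.0.0.0/8"), "10.0.0.1", "10.0.0.10"),
             Pool(ipaddress.IPv4Network("20.0.0.0/8"), "20.0.0.1", "20.0.0.10")]
    return DhcpServer("50.0.0.10", pools), RelayAgent("10.0.0.1", "50.0.0.10")
```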

That's all for this tutorial. In the next part of this tutorial, we will understand how to configure DHCP relay agents on Cisco routers. If you like this tutorial, please don't forget to share it with friends through your favorite social channel.

How to Configure DHCP Relay Agent on Cisco Routers

This tutorial explains the DHCP relay agent configuration in detail. Learn how to use the 'ip
helper-address' command to configure DHCP relay agents on Cisco routers through a
packet tracer example.

Configuring a router's interface as a DHCP relay agent is much easier than you might think.
To configure a router's interface as a DHCP relay agent, use the following command in
interface configuration mode.

Router(config-if)#ip helper-address [ip-address-of-the-dhcp-server]


The 'ip helper-address' command tells the interface to forward the incoming DHCP
message to the configured DHCP server. Use this command on all interfaces that are
connected to the local subnets containing DHCP clients.
Before we take a practical example to understand how to use this command to configure a
router's interface as the DHCP relay agent, I assume that you know how a DHCP relay
agent functions. To learn what a DHCP relay agent is and how it works, please check the
previous parts of this tutorial.

Packet tracer practice lab setup

● Create a network that contains five subnets: 10.0.0.0/8, 20.0.0.0/8, 30.0.0.0/8, 40.0.0.0/8, and 50.0.0.0/8.
● Add some hosts in each subnet except the fifth. In the fifth subnet, add a DHCP server.
● To connect the subnets, use three routers: Router0, Router1, and Router2.
● Connect subnets 10.0.0.0/8 and 20.0.0.0/8 to Router1's FastEthernet 0/0 and FastEthernet 0/1 interfaces, respectively.
● Connect subnets 30.0.0.0/8 and 40.0.0.0/8 to Router2's FastEthernet 0/0 and FastEthernet 0/1 interfaces, respectively.
● Connect the Serial 0/0/0 interface of Router1 to the Serial 0/0/0 interface of Router0. Use the subnet 192.168.1.0/30 (mask 255.255.255.252) for the IP configuration of this link.
● Connect the Serial 0/0/1 interface of Router2 to the Serial 0/0/1 interface of Router0. Use the subnet 192.168.4.0/30 (mask 255.255.255.252) for the IP configuration of this link.
● Configure RIP routing between the routers and test connectivity between the subnets.

The following image shows this network.


Objective

● Configure the hosts of the first four subnets to obtain IP addresses from the DHCP server that is available in the fifth subnet.
● On the DHCP server, create four DHCP pools and assign one pool to each subnet.
● Configure the routers to act as DHCP relay agents.

Pre-created practice lab


Instead of replicating this lab, if you want to download and use the practice lab used in
this tutorial, you can download it from the following link.

Packet Tracer LAB without configuration

Let's configure this lab and complete all the above-listed objectives step by step.

Assigning IP configuration

The following table lists all necessary commands to assign IP configuration on a router's
interface.

Command                                                        Description (used for)
Router>enable                                                  Start the command prompt and change the command mode to privileged-exec mode.
Router#configure terminal                                      Navigate to global configuration mode.
Router(config)#interface [interface name] [interface number]   Navigate to interface mode.
Router(config-if)#ip address [ip address] [subnet mask]        Set the IP address on the interface.
Router(config-if)#clock rate 64000                             Set the clock rate to 64000 (use only if the interface is serial DCE).
Router(config-if)#bandwidth 64                                 Set the bandwidth to 64 (use only if the interface is serial DCE).
Router(config-if)#no shutdown                                  Enable the interface.
Router(config-if)#exit                                         Exit interface mode.

If you want to learn more about the above commands, you can check the following
tutorial.
RIP Protocol configuration Guide with Examples
This tutorial explains how to enable a Cisco router's interface and how to configure RIP
routing on Cisco routers in detail.
Access the command prompt of each router and configure its interfaces as shown below.

Router0 IP configuration
Router>enable
Router#configure terminal
Router(config)#interface fastethernet 0/0
Router(config-if)#ip address 50.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface serial 0/0/0
Router(config-if)#ip address 192.168.1.2 255.255.255.252
Router(config-if)#clock rate 64000
Router(config-if)#bandwidth 64
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface serial 0/0/1
Router(config-if)#ip address 192.168.1.6 255.255.255.252
Router(config-if)#clock rate 64000
Router(config-if)#bandwidth 64
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#
The following image shows the above configuration on the packet tracer.
Router1 IP configuration
Router>enable
Router#configure terminal
Router(config)#interface fastethernet 0/0
Router(config-if)#ip address 10.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fastethernet 0/1
Router(config-if)#ip address 20.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface serial 0/0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.252
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#
The following image shows the above configuration on the packet tracer.
Router2 IP configuration
Router>enable
Router#configure terminal
Router(config)#interface fastethernet 0/0
Router(config-if)#ip address 30.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fastethernet 0/1
Router(config-if)#ip address 40.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface serial 0/0/1
Router(config-if)#ip address 192.168.1.5 255.255.255.252
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#
The following image shows the above configuration on the packet tracer.
Configuring RIP routing

The following table lists all necessary commands to configure RIP routing on a router.

Command                                   Description (used for)
Router>enable                             Enter privileged-exec mode.
Router#configure terminal                 Enter global configuration mode.
Router(config)#router rip                 Enable RIP routing and enter routing configuration mode.
Router(config-router)#network [network]   Add the locally available network to the list of networks that RIP will advertise.
Router(config-router)#version 2           Use RIP version 2.
Router(config-router)#no auto-summary     Support classless subnets by disabling the auto-summary feature.
Router(config-router)#exit                Exit routing configuration mode.

Access the CLI prompt of each router and configure RIP routing as shown below.

Router0
Router>enable
Router#configure terminal
Router(config)#router rip
Router(config-router)#network 50.0.0.0
Router(config-router)#network 192.168.1.0
Router(config-router)#network 192.168.4.0
Router(config-router)#version 2
Router(config-router)#no auto-summary
Router(config-router)#exit
Router(config)#
The following image shows the above configuration on the packet tracer.

Router1
Router>enable
Router#configure terminal
Router(config)#router rip
Router(config-router)#network 10.0.0.0
Router(config-router)#network 20.0.0.0
Router(config-router)#network 192.168.1.0
Router(config-router)#version 2
Router(config-router)#no auto-summary
Router(config-router)#exit
Router(config)#
The following image shows the above configuration on the packet tracer.

Router2
Router>enable
Router#configure terminal
Router(config)#router rip
Router(config-router)#network 30.0.0.0
Router(config-router)#network 40.0.0.0
Router(config-router)#network 192.168.1.4
Router(config-router)#version 2
Router(config-router)#no auto-summary
Router(config-router)#exit
Router(config)#
The following image shows the above configuration on packet tracer.

Assigning static IP to DHCP server


Before we configure the DHCP service on the server, we have to assign a static IP address
to the server.
To assign a static IP address to the server, click Server and click Config and click the
interface that is connected to Router0's FastEthernet 0/0. In the IP configuration section,
select the Static option, and set the IP address.

The following image shows this process.

Since the server is connected to the network through the Router0's FastEthernet
0/0 interface, we will set the IP address of Router0's FastEthernet 0/0 interface as the
default gateway IP address on the server.

To set default gateway IP, click the Settings button in the left pane and choose
the Static option in the IP configuration section of the right pane and set the IP address of
the default gateway.

The following image shows this process.


Enabling and Configuring DHCP Service on the Server

To enable DHCP service on the Server, click Server and click Services. In the left pane
click DHCP and in the right pane select the 'On' option. This will enable the DHCP service.

The DHCP service uses DHCP pools to provide IP addresses. A DHCP pool is a group of IP configurations that the DHCP server assigns to a specific subnet. We need one pool per subnet. In our network, since we have four subnets, we have to create four pools.

If you are not familiar with DHCP pools and their options, please pause here and check the previous part of this article. For this tutorial, I assume that you know the DHCP pool and its options.

To create and add a pool, fill entries and click the Add button. Make sure that you add the
correct default gateway IP in each pool. DHCP service uses the default gateway IP to
identify the subnet.

The following image shows the entries for the first pool.
The following image shows the entries for the second pool.
The following image shows the entries for the third pool.
The following image shows the entries for the fourth pool.
The following image shows all the pools configured.

Configuring DHCP clients

To configure a device as a DHCP client, we need to select the DHCP option in its IP configuration. To do this, click the device, click Desktop, click IP Configuration and select the DHCP option.

The following image shows how to set the DHCP option in the IP configuration section.

Set all PCs as DHCP clients by following the steps described above.

Configuring DHCP relay agents

We configure a DHCP relay agent only on the interface that is directly connected to a local
subnet. In this network, four interfaces are directly connected to the local subnets. These
interfaces are the following.

Router Interface Connected local subnet

Router1 Fa0/0 10.0.0.0/8

Router1 Fa0/1 20.0.0.0/8

Router2 Fa0/0 30.0.0.0/8

Router2 Fa0/1 40.0.0.0/8

To configure the above-listed interfaces as DHCP relay agents, use the 'ip helper-address' command as shown below.
Router1
Router>enable
Router#configure terminal
Router(config)#interface fastethernet 0/0
Router(config-if)#ip helper-address 50.0.0.10
Router(config-if)#exit
Router(config)#interface fastethernet 0/1
Router(config-if)#ip helper-address 50.0.0.10
Router(config-if)#exit
Router(config)#
The following image shows the above configuration.

Router2
Router>enable
Router#configure terminal
Router(config)#interface fastethernet 0/0
Router(config-if)#ip helper-address 50.0.0.10
Router(config-if)#exit
Router(config)#interface fastethernet 0/1
Router(config-if)#ip helper-address 50.0.0.10
Router(config-if)#exit
Router(config)#
The following image shows the above configuration.

Verifying DHCP relay

To verify that all DHCP relays are configured properly, check the IP configuration of their
connected devices. To check the IP configuration of a client device, click the device and
click the Desktop option and click the IP configuration. If the device shows the correct IP
configuration, the DHCP relay is configured properly.

The following image shows this process.

If you prefer the command prompt, you can use the 'ipconfig' command to view the
received IP configuration. The following image shows how to view IP configuration on PC2
at the command prompt.
Configured practice lab

The following download link provides the configured LAB of this example.

Packet Tracer LAB with configuration

That's all for this part. In the next part of this tutorial, we will understand what DHCP snooping is and how it works. If you like this tutorial, please don't forget to share it with friends through your favorite social channel.

How DHCP Snooping works Explained

This tutorial explains the basic concept of DHCP snooping in detail. Learn what DHCP snooping is and how it works on Cisco switches.

Network administrators use DHCP to automatically configure IP addresses on networking devices. DHCP is one of the most popular networking protocols, and almost all modern networks use it. Because it is so widely deployed, it is also a frequent target of attacks.

DHCP snooping is a switch-only feature: it works only on switches, not on other devices such as routers and servers. Typically all switches, whether layer 2 or multilayer, support DHCP snooping.

DHCP snooping works on a per-VLAN basis, so you can enable and configure it on the VLANs you choose. For example, if you configure DHCP snooping on VLAN 2, it works only on the ports that belong to VLAN 2. By default, DHCP snooping is disabled on all VLANs.

How DHCP snooping works

DHCP snooping acts like a firewall. It inspects all incoming messages on a port. If an incoming message is not related to DHCP, DHCP snooping lets it in. If an incoming message is related to DHCP, DHCP snooping applies its logic and, based on its configuration, either lets the message in or discards it.

The following image shows how DHCP snooping works.

The man-in-the-middle attack on the DHCP server

In this attack, an attacker runs a rogue DHCP server on his device and connects that device to the local network. When a DHCP client sends a local broadcast message to obtain an IP configuration, the attacker's device also receives this message and leases a modified IP configuration to the client.

The modified IP configuration is identical to the genuine one except for the gateway IP address: it names the attacker's device as the default gateway instead of the original gateway. When the client uses this configuration, all packets the client sends towards its default gateway reach the attacker's device first, which then forwards them to the original gateway.

Since all packets the client sends to the default gateway pass through the attacker's device, the attacker can copy them or extract sensitive information from them. This attack is known as the man-in-the-middle attack on the DHCP server.

Let's take a simple example to understand how it works.

The following image shows an example network. In this network, the client receives an IP
configuration from the DHCP server and uses the received IP configuration to connect to
the remote network.

The following image shows the same example network, but this time the client receives its IP configuration from the attacker's DHCP server.
The following image shows how data flows between the client and the default gateway after a man-in-the-middle attack.
How does DHCP snooping protect the network from the man-in-the-middle attack?

DHCP uses four different types of messages: Discover, Offer, Request, and ACK. From
these messages, DHCP clients use Discover and Request messages while DHCP servers
use Offer and ACK messages.

Since a DHCP client never sends Offer and ACK messages, DHCP snooping can be configured to filter these messages on ports that are connected to DHCP clients. This configuration mitigates the threat of the man-in-the-middle attack on DHCP servers.

To understand this in more detail, let's return to our example.

In our example, the DHCP server is connected to the port Fa0/11. So we will configure
DHCP snooping to allow Offer/ACK messages only on port Fa0/11.

Once DHCP snooping is configured, the switch will accept Offer/ACK messages only on
the ports that are configured as the allowed (trusted) ports. If it
receives Offer/ACK messages on the ports that are not configured as the allowed ports, it
immediately discards those messages.

The following image shows how DHCP snooping protects our example network from the man-in-the-middle attack.
In this example, when the attacker tries to lease an IP configuration to the client, the switch blocks the attacker's offer. After this configuration, the client receives its IP configuration only from the legitimate DHCP server.

DHCP snooping trusted and untrusted ports

In the DHCP snooping configuration, a trusted port is a port that can accept all four types of messages, and an untrusted port is a port that can accept only two types of messages: Discover and Request.

On untrusted ports, DHCP snooping does not accept the messages that a DHCP server needs in order to provide an IP configuration to clients: the Offer and the ACK. In simple words, unless a DHCP server can send these messages to the client, it can't lease an IP configuration to the client.

Since on untrusted ports DHCP snooping does not allow the messages that a DHCP server requires to function, a DHCP server connected to an untrusted port can't lease IP configurations to clients.

The following image shows how DHCP snooping blocks and allows DHCP messages.
DHCP binding table

The DHCP binding table is the next level of security that DHCP snooping provides. DHCP snooping maintains a record of all offered/leased IP addresses in the DHCP binding table and uses this record to block DoS attacks.

Let's understand how a DoS attack works and how DHCP snooping uses the DHCP
binding table to block this attack.

When a client broadcasts a DHCP Discover message, it includes its MAC address in the message. The DHCP server uses the client's MAC address to provide the IP configuration to the client.

Since a client uses the local broadcast address to send the DHCP Discover message, an attacker's device connected to the local network also receives the broadcast. From that broadcast, it learns the client's MAC address and uses it to make fake DHCP requests.

The following image shows a DHCP snooping enabled network. In this network, the client sends a local DHCP Discover broadcast message. Both the genuine and the fake DHCP server offer an IP configuration to the client. DHCP snooping filters and blocks the fake DHCP server's offer and allows the offer of the genuine DHCP server. The client receives its IP configuration only from the genuine DHCP server.
The attacker's device fails to provide an IP configuration to the client, but it has learned the client's MAC address. So it uses the client's MAC address to generate a large number of fake DHCP requests.

Since DHCP snooping does not block Discover/Request messages, all these messages reach the genuine DHCP server, and the DHCP server provides an IP configuration for each request. The following image shows this process.
Soon the attacker has leased all IP addresses from the DHCP server, leaving none for the actual clients. Once all IP addresses are leased, the DHCP server can't provide IP addresses to the clients that are configured to obtain their IP addresses from it. Since these clients can't receive IP addresses from the DHCP server, they lose connectivity to the network.

This attack is known as the DoS attack on the DHCP server. To mitigate it, DHCP snooping keeps a record of each successful assignment in the DHCP binding table. When it receives a Discover/Request message on an untrusted port, it reads the MAC address of the message and looks that address up in the DHCP binding table. If it finds an entry, it discards the message.

The following image shows how it works.
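The two snooping checks described in this part (Offer/ACK accepted on trusted ports only, and the binding-table check on untrusted ports) as a small Python model. This is an added example, not code from the tutorial; the switch ports, MAC addresses and traffic are constructed, and the binding-table rule is implemented exactly as the text above describes it (a production switch adds further checks, such as verifying that the frame's source MAC matches the client MAC inside the DHCP payload and rate-limiting DHCP on untrusted ports).

```python
from dataclasses import dataclass, field

SERVER_MESSAGES = {"Offer", "Ack"}         # only a DHCP server sends these
CLIENT_MESSAGES = {"Discover", "Request"}  # only a DHCP client sends these

@dataclass
class Frame:
    port: str           # switch port the frame arrived on, e.g. "Fa0/11"
    kind: str           # DHCP message type, or "" for non-DHCP traffic
    chaddr: str = ""    # client MAC carried in the DHCP payload
    yiaddr: str = ""    # address assigned by the server (Ack only)

@dataclass
class DhcpSnooping:
    vlan: int
    trusted_ports: set
    binding_table: dict = field(default_factory=dict)  # chaddr -> (ip, port)
    client_port: dict = field(default_factory=dict)    # chaddr -> port of its last Discover/Request
    log: list = field(default_factory=list)

    def _drop(self, frame, reason):
        self.log.append(f"VLAN {self.vlan}: dropped {frame.kind} on {frame.port} ({reason})")
        return False

    def inspect(self, frame):
        """Return True to forward the frame, False to discard it."""
        if frame.kind not in SERVER_MESSAGES | CLIENT_MESSAGES:
            return True                              # not DHCP: let it in
        trusted = frame.port in self.trusted_ports
        if frame.kind in SERVER_MESSAGES:
            if not trusted:
                return self._drop(frame, "Offer/Ack accepted on trusted ports only")
            if frame.kind == "Ack":                  # a successful assignment
                self.binding_table[frame.chaddr] = (frame.yiaddr, self.client_port.get(frame.chaddr))
            return True
        # Discover/Request: on an untrusted port, a MAC that already holds a
        # lease is refused (the binding-table check described in the tutorial).
        if not trusted and frame.chaddr in self.binding_table:
            return self._drop(frame, "MAC already has a binding")
        self.client_port[frame.chaddr] = frame.port
        return True

def run_scenario():
    """Constructed traffic on VLAN 1: genuine server on trusted Fa0/11, client
    on Fa0/1, and a rogue device on Fa0/5 that reuses the client's MAC."""
    client, rogue = "00:aa:bb:cc:dd:01", "00:de:ad:be:ef:05"
    snoop = DhcpSnooping(vlan=1, trusted_ports={"Fa0/11"})
    traffic = [
        Frame("Fa0/1", "Discover", chaddr=client),                 # client asks: forwarded
        Frame("Fa0/5", "Offer", chaddr=client),                    # rogue server answers: dropped
        Frame("Fa0/11", "Offer", chaddr=client),                   # genuine server: forwarded
        Frame("Fa0/1", "Request", chaddr=client),                  # forwarded
        Frame("Fa0/11", "Ack", chaddr=client, yiaddr="10.0.0.2"),  # forwarded, binding recorded
        Frame("Fa0/5", "Discover", chaddr=client),                 # request for an already bound MAC: dropped
        Frame("Fa0/5", "", chaddr=rogue),                          # ordinary non-DHCP traffic: forwarded
    ]
    return snoop, [snoop.inspect(f) for f in traffic]
```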


That's all for this tutorial. In the next part of this tutorial, we will understand how to
configure DHCP snooping on Cisco switches through a packet tracer example. If you like
this tutorial, please don't forget to share this tutorial through your favorite social channel.

Configure DHCP Snooping on Cisco Switches


This tutorial explains how to configure DHCP Snooping on Cisco switches through a
packet tracer example. Learn DHCP snooping configuration in detail through examples.

DHCP Snooping is a security feature of Layer 2 switches. It allows us to filter and block
certain types of DHCP traffic. By using this feature, we can mitigate several security risks
caused by rogue DHCP servers and attackers.

DHCP snooping works on a per-VLAN basis. By default, this feature is not enabled. To use
this feature, first, we have to enable it. After enabling, we can configure it on some VLANs
or all VLANs. Once configured, it actively monitors incoming traffic on all ports of the
configured VLAN. If it detects any DHCP packet, based on its configuration either it allows
the packet or drops the packet.

To learn how this process works in detail, you can check the previous parts of this tutorial.
In this part, we will understand how to configure DHCP snooping on Cisco switches.
Packet Tracer lab setup
Create a packet tracer lab as shown in the following image.

Configure this lab as described below.

● Assign the IP address 10.0.0.1/8 to the Fa0/0 interface of Router0.
● Configure the Fa0/0 interface of the router to forward all DHCP requests to Server0.
● Assign the IP address 20.0.0.1/8 to the Fa0/1 interface of Router0.
● Assign the IP address 20.0.0.10/8 to Server0.
● Configure a DHCP pool for the local network connected to Switch0.
● Configure the PCs of the local network as DHCP clients.

Configuring the router

Access the CLI prompt of the router and run the following commands.

Router>enable
Router#configure terminal
Router(config)#interface fastethernet 0/0
Router(config-if)#ip address 10.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fastethernet 0/1
Router(config-if)#ip address 20.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip helper-address 20.0.0.10
Router(config-if)#exit
Router(config)#

The following table explains the commands used in the above configuration.

Command                                                               Description
Router>enable                                                         Enter privileged-exec mode.
Router#configure terminal                                             Enter global configuration mode.
Router(config)#interface [interface] [slot/number]                    Enter interface configuration mode.
Router(config-if)#ip address [IP address] [subnet mask]               Assign an IP address to the interface.
Router(config-if)#ip helper-address [IP address of the DHCP server]   Configure the interface to forward DHCP
Router(config-if)#no shutdown                                         Enable the interface.
Router(config-if)#exit                                                Exit interface configuration mode.

Assigning a static IP address to the Server0

To assign a static IP address to the Server0, click Server0 and click the IP
configuration option of the Desktop menu. In the IP configuration option, select
the Static option and set the static configuration.

The following image shows this procedure.

Enabling DHCP service and adding a DHCP pool


Click the Services menu icon, click DHCP Service in the left pane and select
the On option in the right pane. Set the values in the DHCP Pool Options and click
the Add button. The following image shows this procedure.

Configure DHCP clients

To configure PCs as DHCP clients, click the PC and click the IP configuration option from
the Desktop menu item and select the DHCP option. The following image shows this
procedure.

Verifying DHCP Server

If the DHCP server is configured properly, DHCP clients get IP addresses automatically as
soon as they change their IP configuration to DHCP. The following image shows the IP
configuration that PC2 obtains from the DHCP server.

Adding the attacker's DHCP server

To understand how DHCP snooping protects the network from a rogue DHCP server, let's
add an attacker's DHCP server to our network. The following image shows our example
network after adding the attacker's DHCP server.

The following image shows the static IP configuration of the attacker's DHCP server.

Add a DHCP pool that replicates the DHCP pool of the original DHCP server. In this pool,
change the default gateway IP to the IP address that you assigned to this server. The
following image shows how to do this.

By default, the server contains a default pool, and Packet Tracer does not allow us to
delete it. If multiple pools are configured, DHCP uses the source address to determine the
correct pool. Since DHCP clients use the 0.0.0.0 address as the source address and the
default pool also uses this address as the default gateway and DNS server addresses,
DHCP provides the IP configuration from the default pool instead of our pool. To force
DHCP to use our pool, change the default gateway IP in the default pool to the IP address
of the server.

The following image shows this step.

Verifying attacker's DHCP server

The attacker's DHCP server is available in the local network. It receives DHCP requests
from clients before the original DHCP server. Since the attacker's DHCP server receives
the request first, it also reacts first and the client gets an IP configuration from the
attacker's DHCP server.

To verify this, click a PC in the local network and change its IP configuration
to Static and back to DHCP.

The following image shows how PC2 obtains a new IP configuration from the attacker's
DHCP server instead of the original DHCP server upon requesting a new IP configuration.

If DHCP clients use the IP configuration provided by the attacker's DHCP server, the
attacker can intercept and misuse their data without their knowledge. This is known as a
man-in-the-middle attack.

To learn about this attack in more detail, please check the previous part of this tutorial. The
previous part of this tutorial explains the man-in-the-middle attack in detail with an
example.

Configuring DHCP snooping on the switch

Configuring DHCP snooping on the switch involves the following steps.

● By default, DHCP snooping is disabled on Cisco switches. To use this feature, we first have
to enable it.
● DHCP snooping works on a per-VLAN basis. Once DHCP snooping is enabled, we have to
specify the VLAN on which we want to apply it. You can specify a single VLAN or
multiple VLANs. To configure a single VLAN, enter a single VLAN number. To configure a
range of VLANs, enter the beginning and ending VLAN numbers separated by a dash.
● DHCP snooping treats all ports of the specified VLAN as untrusted ports. An untrusted
port is a port that does not accept DHCP server messages. In other words, if a device is
connected to an untrusted port, it can obtain an IP configuration from the DHCP server but it
cannot offer an IP configuration.
● If a DHCP server is connected to a port, we have to configure that port as a trusted
port. A trusted port is a port that accepts DHCP server messages. In other words, a DHCP
server can provide an IP configuration only if it is connected to a trusted port.

The following table lists the commands that are used to configure and verify DHCP
snooping on Cisco switches.

Command                                                 Description
Switch(config)# ip dhcp snooping                        Enable DHCP snooping globally.
Switch(config)# ip dhcp snooping vlan number [number]   Enable DHCP snooping on the specified VLAN.
Switch(config-if)# ip dhcp snooping trust               Configure the interface as a trusted interface.
Switch(config-if)# ip dhcp snooping limit rate [rate]   Limit the number of DHCP packets that the interface can receive in a second.
Switch# show ip dhcp snooping                           View DHCP snooping configuration and status.
Switch# debug ip dhcp snooping event                    Debug DHCP snooping events.
Switch# debug ip dhcp snooping packet                   View DHCP messages and packets.

The following commands configure DHCP snooping on the switch of our example
network.

Switch>enable
Switch#configure terminal
Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 1
Switch(config)#interface fa0/4
Switch(config-if)#ip dhcp snooping trust
Switch(config-if)#exit
Switch(config)#exit
Switch#

The following image shows the above commands in Packet Tracer.

Let's understand the above configuration in detail.

We used the first and second commands to enter global configuration mode. We used the
third command to enable the DHCP snooping.

VLAN 1 is the default VLAN on Cisco switches. By default, all ports belong to this VLAN.
Since DHCP snooping works on VLANs and we did not create any VLAN in our example,
we implemented DHCP snooping on the default VLAN using the fourth command.

In our example, the original DHCP server is connected to the interface Fa0/4. We used the fifth
command to enter the interface configuration mode of the Fa0/4 interface. In interface
configuration mode, we used the sixth command to configure the interface as the trusted
interface.

We used the last command to exit interface configuration mode.

Once DHCP snooping is enabled, only the DHCP server that is connected to the trusted
interface can provide IP configuration. To verify this, let's obtain a new IP configuration on
a PC of the local network.

The following image shows how PC2 obtains a new IP configuration from the original
DHCP server.

Viewing DHCP snooping configuration

To view DHCP snooping configuration and statistics, use the 'show ip dhcp
snooping' command in privileged-exec mode.

The following image shows the output of this command.


DHCP rate limit

By default, DHCP snooping does not limit the number of DHCP packets that an interface
can receive. Since untrusted interfaces connect to DHCP clients, to enhance the security
you can limit the number of DHCP packets on these interfaces.

The recommended rate limit for each untrusted port is 15 packets per second. Generally,
the rate limit is applied to untrusted interfaces. But if required, you can also configure it on
a trusted interface.

To configure DHCP snooping rate limit on an interface, use the 'ip dhcp snooping limit
rate [number]' command in interface configuration mode of the interface.

The following image shows how to set the rate limit on the Fa0/1 interface and how to verify
it.
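
As an added illustration (not code from this tutorial or from Cisco IOS), the following Python model ties together the three DHCP snooping rules described in this part and the previous one: server messages are dropped on untrusted ports, untrusted ports are rate-limited (15 packets per second here), and a Discover/Request on an untrusted port is checked against the binding table built from successful leases. The port names, MAC addresses and lease addresses are constructed, and the binding check is simplified to "this MAC already holds a binding on another port", which is a model and not the exact IOS implementation.

```python
from collections import defaultdict

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # messages only a DHCP server sends

class DhcpSnooping:
    """Model of one switch: trusted ports, per-port rate limit, binding table."""
    def __init__(self, trusted_ports, rate_limit=15):
        self.trusted = set(trusted_ports)  # Fa0/4 faces the real server in this lab
        self.rate_limit = rate_limit       # DHCP packets/second per untrusted port
        self.bindings = {}                 # client MAC -> (leased IP, client port)
        self.pending = {}                  # client MAC -> port its last request used
        self.counts = defaultdict(int)     # (port, second) -> DHCP packets seen
        self.dropped = []                  # one line per dropped message

    def _drop(self, reason):
        self.dropped.append(reason)
        return False
    def filter(self, port, msg, mac, ip=None, second=0):
        """Return True if the DHCP message is forwarded, False if dropped."""
        if port in self.trusted:
            # a successful lease (ACK) is recorded against the client's own port
            if msg == "ACK" and ip and mac in self.pending:
                self.bindings[mac] = (ip, self.pending.pop(mac))
            return True
        self.counts[(port, second)] += 1
        if self.counts[(port, second)] > self.rate_limit:
            return self._drop(f"{port}: rate limit exceeded ({msg} from {mac})")
        if msg in SERVER_MSGS:
            return self._drop(f"{port}: {msg} from {mac} on untrusted port (rogue server)")
        if msg in ("DISCOVER", "REQUEST"):
            bound = self.bindings.get(mac)
            if bound and bound[1] != port:
                return self._drop(f"{port}: {mac} already bound on {bound[1]}")
            self.pending[mac] = port
        return True

def run_lab():
    """Replay constructed frames from this tutorial's lab and return the results."""
    snoop = DhcpSnooping(trusted_ports={"Fa0/4"})
    pc2 = "00:11:22:33:44:55"                                  # constructed PC2 MAC
    snoop.filter("Fa0/1", "DISCOVER", pc2)
    snoop.filter("Fa0/4", "OFFER", pc2, "10.0.0.20")           # real server, trusted port
    snoop.filter("Fa0/1", "REQUEST", pc2)
    snoop.filter("Fa0/4", "ACK", pc2, "10.0.0.20")             # lease recorded in binding table
    rogue = snoop.filter("Fa0/5", "OFFER", pc2, "10.0.0.21")   # attacker's server: dropped
    spoof = snoop.filter("Fa0/5", "DISCOVER", pc2)             # PC2's MAC on another port: dropped
    burst = [snoop.filter("Fa0/3", "DISCOVER", f"de:ad:be:ef:00:{i:02x}", second=1)
             for i in range(20)]                               # 20 Discovers in one second
    return snoop.bindings[pc2], rogue, spoof, burst.count(False)
```

Running `run_lab()` shows the binding recorded for PC2 on Fa0/1, the rogue offer and the spoofed Discover both dropped, and 5 of the 20 Discovers in the burst dropped by the 15 packets per second limit.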

Debugging DHCP snooping

To debug DHCP snooping events and packets, use the 'debug ip dhcp snooping
event' and 'debug ip dhcp snooping packet' commands in privileged-exec mode. To
disable debugging, use the keyword 'no' before the same commands.

The following image shows how to enable and disable the debugging of DHCP snooping.

Downloading the practice lab used in this tutorial

If you want to download the practice lab used in this tutorial, you can download it from
the following links. Each link provides the practice lab in a different stage.

Practice lab without any configuration

This lab does not contain any configuration. Use this lab if you want to configure the lab
from scratch as explained in this tutorial.

Practice lab with working DHCP server

In this lab, the DHCP server, router, and DHCP clients are configured, but the attacker's
DHCP server is not connected to the network. Use this lab if you want to practice
adding and configuring an attacker's DHCP server.

Practice lab with both DHCP servers

In this lab, both the original and attacker's DHCP servers are configured, but DHCP
snooping on the switch is not configured. Use this lab if you only want to practice
configuring DHCP snooping.

Configured practice lab

This lab contains all the configuration. Use this lab for reference or to cross-check your
configuration.

If you download and use the lab used in this tutorial, wait for a minute after loading the
lab in Packet Tracer. Switches take about 45 - 50 seconds to initialize. Due to this
reason, all DHCP requests that were made before the switch initialized fail. If you see a
DHCP fail message, it means the PC tried to obtain a new IP configuration while the switch
was initializing. To get a new IP configuration, change the IP configuration to static and back
to DHCP. This will force the PC to obtain a new IP configuration.

That's all for this tutorial. If you like this tutorial, please don't forget to share it with friends
through your favorite social network.
