Configuring the DHCP Server Feature

Feb 02,2010 by alperen


Since version 5.2 of the PIX Firewall OS, the DHCP server daemon can only be enabled on the inside interface and only supports clients directly connected to that interface, on the same network. This means IP Helper and other DHCP request-forwarding techniques won’t work with a PIX device acting as a DHCP server. Because using any firewall as a DHCP server is a small-network solution, this shouldn’t be a serious limitation.

The PIX Firewall uses variations of the dhcpd command to implement the DHCP server features. The following are the most frequently used options. The no form of each command without the variable parameters will remove the command.

The dhcpd address Command

The dhcpd address command specifies the DHCP server address pool. This pool must lie within the same subnet as the PIX Firewall DHCP server interface, and its size is limited to the maximum number of DHCP clients for that platform and license. Because the -ipadd2 option defines an address range, interface names containing a “-” (dash) can’t be used. The default interface, and the only one supported since OS v5.1, is the inside interface. Use the no dhcpd address command to remove the DHCP address pool. The syntax is

pix(config)#dhcpd address ip_add1[-ipadd2] [if_name]
pix(config)#no dhcpd address

In the first of the following examples, the address pool is a single address; the second creates a pool of ten addresses:

pix(config)#dhcpd address 192.168.1.2
pix(config)#dhcpd address 192.168.1.2-192.168.1.11

The dhcpd dns Command

The dhcpd dns command specifies the IP address of one or two DNS servers for DHCP clients. The no dhcpd dns command removes the DNS IP address(es) from the configuration. The syntax is

pix(config)#dhcpd dns dns1 [dns2]
pix(config)#no dhcpd dns

The first of the following examples defines one DNS server. The second example defines two DNS servers.

pix(config)#dhcpd dns 192.168.100.5
pix(config)#dhcpd dns 192.168.100.5 192.168.101.5

The dhcpd lease Command

The dhcpd lease command specifies the length of the DHCP lease in seconds. This is how long the DHCP client can use the IP address assigned by the DHCP server. The no dhcpd lease command restores the default lease length of 3,600 seconds. The syntax is

pix(config)#dhcpd lease seconds
pix(config)#no dhcpd lease

This example sets the lease time to 7,200 seconds (two hours).

pix(config)#dhcpd lease 7200 

The dhcpd domain Command

The dhcpd domain command defines the DNS domain name for the DHCP clients. The no dhcpd domain command removes the DNS domain name from your configuration. The syntax is

pix(config)#dhcpd domain dom_name
pix(config)#no dhcpd domain

This example sets the DNS domain name to cisco.com.

pix(config)#dhcpd domain cisco.com 

The dhcpd enable Command

The dhcpd enable command turns on DHCP services. This tells the DHCP daemon to begin listening for DHCP client requests on the DHCP-enabled interface. While an interface name option exists, since version 5.1 the inside interface is both the default and the only interface supported. The no dhcpd enable command disables the DHCP server feature. The syntax is

pix(config)#dhcpd enable
pix(config)#no dhcpd enable

Using Cisco IP Phones with a DHCP Server

A growing number of organizations with small branch offices are implementing a Cisco IP Telephony VoIP (Voice over IP) solution. A common implementation is to install the Cisco CallManager at the central office and use it to control IP Phones at the small branch offices. The benefits to this implementation include the following:

  • Centralizes call processing

  • Reduces the equipment required

  • Eliminates the administration of additional Cisco CallManager servers

  • Eliminates other servers at branch offices

Part of the simplicity of the Cisco IP Telephony solution is that the phones can download their configuration from a TFTP server. To eliminate the need to preconfigure the Cisco IP Phone with the phone IP address and the IP address of the TFTP server, the phone sends out a DHCP request with the option parameter set to 150 or 66 to a DHCP server.

PIX Firewall version 6.2 introduced two new options for the dhcpd command specifically to support VoIP installations. Use the no form of the command to remove the configuration entry. The syntax is

pix(config)#dhcpd option 66 ascii {server_name | server_ip_str}
pix(config)#no dhcpd option 66
pix(config)#dhcpd option 150 ip server_ip1 [server_ip2]
pix(config)#no dhcpd option 150

server_name      TFTP server host name (only one)
server_ip_str    TFTP server host IP address (only one)
server_ip1       IP address of the primary TFTP server
server_ip2       IP address of the secondary TFTP server (maximum of two TFTP servers)

Cisco IP Phones can include both option 150 and 66 requests in a single DHCP request. In this case, the PIX Firewall DHCP server assigns values for both options in the response if they’re configured on the PIX Firewall.
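The following Python script is an added example, not code from the article or from Cisco; it shows what the option 66 and option 150 exchange described above looks like on the wire. It encodes the option field of a client request whose parameter request list (option 55) asks for both 66 and 150, builds the server's answer the way the text describes (each option is filled only if it is both requested and configured), and decodes the result with a minimal DHCP TLV parser. Option 66 is carried as an ASCII string and option 150 as a list of packed IPv4 addresses; the server names and addresses are the constructed sample values from the article's own configuration.

```python
"""DHCP option 66 / option 150 on the wire (added example)."""
import ipaddress

# Option codes: 55 and 66 are defined in RFC 2132, 150 in RFC 5859.
OPT_PARAM_REQUEST = 55     # client lists the option codes it wants
OPT_TFTP_SERVER_NAME = 66  # ASCII string, a single server
OPT_TFTP_SERVER_IPS = 150  # one or more IPv4 addresses, 4 bytes each
OPT_END = 255


def encode_options(options):
    """Encode [(code, payload_bytes), ...] as DHCP TLVs followed by END."""
    out = bytearray()
    for code, payload in options:
        if len(payload) > 255:
            raise ValueError(f"option {code} payload too long")
        out += bytes([code, len(payload)]) + payload
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob):
    """Decode DHCP TLVs into {code: payload}; stops at END, skips PAD (0)."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == 0:               # PAD carries no length byte
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        payload = blob[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = payload
        i += 2 + length
    return opts


def client_request_options():
    """Option field a phone-style client sends: a parameter request list
    naming subnet mask (1), router (3), DNS (6), domain (15), 66 and 150."""
    wanted = bytes([1, 3, 6, 15, OPT_TFTP_SERVER_NAME, OPT_TFTP_SERVER_IPS])
    return encode_options([(OPT_PARAM_REQUEST, wanted)])


def server_reply_options(request_blob, tftp_name=None, tftp_ips=()):
    """Answer only the requested options that are configured, mirroring the
    text: both 150 and 66 are filled when both are configured and asked for."""
    wanted = set(decode_options(request_blob).get(OPT_PARAM_REQUEST, b""))
    reply = []
    if OPT_TFTP_SERVER_NAME in wanted and tftp_name:
        reply.append((OPT_TFTP_SERVER_NAME, tftp_name.encode("ascii")))
    if OPT_TFTP_SERVER_IPS in wanted and tftp_ips:
        if len(tftp_ips) > 2:   # the PIX command accepts at most two servers
            raise ValueError("dhcpd option 150 takes at most two servers")
        packed = b"".join(ipaddress.IPv4Address(ip).packed for ip in tftp_ips)
        reply.append((OPT_TFTP_SERVER_IPS, packed))
    return encode_options(reply)


def tftp_servers_from_reply(reply_blob):
    """Return (option 66 string or None, list of option 150 addresses)."""
    opts = decode_options(reply_blob)
    name = None
    if OPT_TFTP_SERVER_NAME in opts:
        name = opts[OPT_TFTP_SERVER_NAME].decode("ascii")
    raw = opts.get(OPT_TFTP_SERVER_IPS, b"")
    if len(raw) % 4:
        raise ValueError("option 150 payload is not a multiple of 4 bytes")
    ips = [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]
    return name, ips


if __name__ == "__main__":
    # Constructed values: the TFTP servers from the article's configuration.
    req = client_request_options()
    rep = server_reply_options(req, tftp_name="192.168.1.5",
                               tftp_ips=("192.168.1.4", "192.168.1.5"))
    print(rep.hex())
    print(tftp_servers_from_reply(rep))
```

A client that lists neither 66 nor 150 in its parameter request list gets neither option back, which is the behaviour the text describes for the PIX server.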

The current versions of PIX Firewall DHCP server (v6.2) can only be enabled on the inside interface and, therefore, can only respond to DHCP option 150 and 66 requests from Cisco IP Phones or from other network devices on the internal network. If any outside clients need to connect to the inside TFTP server, then a group of static and access list statements must be created for the TFTP server, instead of using the dhcpd option command.

This partial configuration demonstrates configuring the firewall with DHCP support for the dhcpd option 66 and option 150 features. Note that the server IP addresses are on the same network as the inside interface and outside the range of addresses assigned to the DHCP pool.

pix(config)#ip address inside 192.168.1.1 255.255.255.0
pix(config)#dhcpd address 192.168.1.6-192.168.1.254
pix(config)#dhcpd dns 192.168.100.5 192.168.101.5
pix(config)#dhcpd wins 192.168.100.5
pix(config)#dhcpd domain test.com
pix(config)#dhcpd option 66 ascii 192.168.1.5
pix(config)#dhcpd option 150 192.168.1.4 192.168.1.5
pix(config)#dhcpd enable

Verifying and Monitoring DHCP Configuration

In addition to performing a write terminal command to see the configuration, the PIX Firewall offers the following commands:

show dhcpd [binding|statistics]     Displays the configured dhcpd commands, and the binding and statistics information associated with those commands
clear dhcpd [binding|statistics]    Clears all the dhcpd commands, bindings, and statistics
debug dhcpd event                   Displays event information about the DHCP server
debug dhcpd packet                  Displays packet information about the DHCP server

This partial configuration demonstrates configuring the DHCP features for a SOHO implementation.

pix(config)#ip address inside 192.168.1.1 255.255.255.0
pix(config)#dhcpd address 192.168.1.2-192.168.1.254
pix(config)#dhcpd dns 192.168.100.5 192.168.101.5
pix(config)#dhcpd wins 192.168.100.5
pix(config)#dhcpd lease 7200
pix(config)#dhcpd ping_timeout 750
pix(config)#dhcpd domain test.com
pix(config)#dhcpd enable

This next example is sample output from the show dhcpd command:

pix(config)#show dhcpd
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd domain test.com
dhcpd lease 7200
dhcpd ping_timeout 750
dhcpd dns 192.168.100.5 192.168.101.5
dhcpd wins 192.168.100.5
dhcpd enable inside

This next example is sample output from the show dhcpd binding command:

pix(config)#show dhcpd binding
IP Address       Hardware Address     Lease Expiration    Type
192.168.1.100    0100.a0c9.868e.43    84985 seconds       automatic

The following is sample output from the show dhcpd statistics command:

pix(config)#show dhcpd statistics
Address Pools 1
Automatic Bindings 1
Expired Bindings 1
Malformed messages 0

Message Received
BOOTREQUEST 0
DHCPDISCOVER 1
DHCPREQUEST 2
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0

Message Sent
BOOTREPLY 0
DHCPOFFER 1
DHCPACK 1
DHCPNAK 1
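The two outputs above are what an operator reads when checking the server; the script below is an added example, not from the article or from Cisco, that turns them into structured records so a monitoring job can flag the conditions worth a second look (malformed messages, DHCPNAK replies, DHCPDECLINE from a client that found its address in use, leases close to expiry). The sample text is the article's own show dhcpd binding and show dhcpd statistics output; the expiry threshold is a constructed value. It also decodes the 7-byte hardware address field, which on this output is a DHCP client identifier (hardware type 01 followed by the MAC), into a plain MAC address.

```python
"""Parse 'show dhcpd binding' and 'show dhcpd statistics' output (added example)."""
import re

# Sample output copied from the article.
BINDING_OUTPUT = """\
pix(config)#show dhcpd binding
IP Address Hardware Address Lease Expiration Type
192.168.1.100 0100.a0c9.868e.43 84985 seconds automatic
"""

STATS_OUTPUT = """\
pix(config)#show dhcpd statistics
Address Pools 1
Automatic Bindings 1
Expired Bindings 1
Malformed messages 0

Message Received
BOOTREQUEST 0
DHCPDISCOVER 1
DHCPREQUEST 2
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0

Message Sent
BOOTREPLY 0
DHCPOFFER 1
DHCPACK 1
DHCPNAK 1
"""

BINDING_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F.]+)\s+(\d+)\s+seconds\s+(\w+)$")
COUNTER_RE = re.compile(r"^([A-Za-z ]+?)\s+(\d+)$")


def client_id_to_mac(dotted):
    """'0100.a0c9.868e.43' is a 7-byte client identifier: hardware type 01
    plus the 6-byte MAC.  A plain 6-byte value is accepted too."""
    hexstr = dotted.replace(".", "").lower()
    if len(hexstr) == 14 and hexstr.startswith("01"):
        hexstr = hexstr[2:]
    if len(hexstr) != 12:
        raise ValueError(f"unexpected hardware address {dotted!r}")
    return ":".join(hexstr[i:i + 2] for i in range(0, 12, 2))


def parse_bindings(text):
    """One record per lease line; header and prompt lines are ignored."""
    records = []
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            ip, hw, secs, kind = m.groups()
            records.append({"ip": ip, "mac": client_id_to_mac(hw),
                            "expires_in": int(secs), "type": kind})
    return records


def parse_statistics(text):
    """Map every 'Name count' line to an integer; section titles are skipped."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def findings(bindings, counters, expiry_warn=3600):
    """Conditions an operator would want to look at (thresholds are constructed)."""
    notes = []
    if counters.get("Malformed messages", 0) > 0:
        notes.append("malformed DHCP messages received on the inside interface")
    if counters.get("DHCPNAK", 0) > 0:
        notes.append(f"{counters['DHCPNAK']} DHCPNAK sent: a client requested an address the server would not confirm")
    if counters.get("DHCPDECLINE", 0) > 0:
        notes.append("DHCPDECLINE received: a client found its offered address already in use")
    for b in bindings:
        if b["expires_in"] < expiry_warn:
            notes.append(f"lease for {b['ip']} ({b['mac']}) expires in {b['expires_in']} s")
    return notes


if __name__ == "__main__":
    for note in findings(parse_bindings(BINDING_OUTPUT), parse_statistics(STATS_OUTPUT)):
        print(note)
```

On the article's sample output the only finding is the single DHCPNAK, which matches the two DHCPREQUESTs against one DHCPACK in the counters.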
