
Chapter 3 - DHCP New


BCN3043

NETWORK SERVICE ADMINISTRATION


CHAPTER 3: Dynamic Host Configuration Protocol (DHCP)
by: Dr. Nor Syahidatul Nadiah Ismail
Faculty of Computing, Universiti Malaysia [email protected]
• Every host on a TCP/IP network must have a unique IP address.
• Each host must be properly configured so that it knows its IP
address.
• When a new host comes online, it must be assigned an IP
address that is within the correct range of addresses for the
subnet and is not already in use.
• Although you can manually assign IP addresses to each computer on your
network, that task quickly becomes overwhelming if the network has more
than a few computers.
• That’s where DHCP, the Dynamic Host Configuration Protocol, comes into play.
• DHCP is a TCP/IP standard that reduces the complexity and administrative
overhead of managing network client IPv4 addresses and other
configuration parameters.
• A properly configured DHCP infrastructure eliminates the configuration
problems associated with manually configuring TCP/IP.
• DHCP was created by the Dynamic Host Configuration Working Group of
the Internet Engineering Task Force (IETF)
• Runs over UDP
• Utilizing ports:
– 67 – connections to server
– 68 – connections to client
• Extension of BOOTP (protocol used for simple interaction); DHCP enhances
the capabilities of BOOTP
• DHCP is basically used for dynamic configuration
• Uses client–server model
DHCP infrastructure

• DHCP servers
– Computers that offer dynamic configuration of
IPv4 addresses and related configuration
parameters to DHCP clients.
• DHCP clients
– Network nodes that support the ability to
communicate with a DHCP server to obtain a
dynamically leased IPv4 address and related
configuration parameters.
• DHCP relay agents
– Network nodes, typically routers, that listen for
broadcast and unicast DHCP messages and
relay them between DHCP servers and DHCP
clients. Without DHCP relay agents, you would
have to install a DHCP server on each subnet
that contains DHCP clients
• Each time a DHCP client starts, it requests IPv4 addressing
information from a DHCP server, including:
– IPv4 address
– Subnet mask
– Additional configuration parameters, such as a default gateway
address, Domain Name System (DNS) server addresses, a DNS
domain name, and Windows Internet Name Service (WINS)
server addresses.
Benefits of Using DHCP
How DHCP Works

• DHCP uses a client-server model. The network administrator establishes one or more
DHCP servers that maintain TCP/IP configuration information and provide it to clients. The
server database includes the following:
– Valid configuration parameters for all clients on the network.
– Valid IP addresses maintained in a pool for assignment to clients, plus reserved addresses for
manual assignment.
– Duration of a lease offered by the server. The lease defines the length of time for which the
assigned IP address can be used.
• With a DHCP server installed and configured on your network, DHCP-enabled clients can
obtain their IP address and related configuration parameters dynamically each time they
start and join your network.
• DHCP servers provide this configuration in the form of an address-lease offer to requesting
clients.
• DHCP Message = DHCP Packet
– Client = DHCP Client
– Server = DHCP Server
• Broadcast and unicast are used for packets in both directions
– “Broadcast”: link and IP addresses are broadcast
– “Unicast”: link and IP addresses are unicast
How DHCP Lease Renewal Works
DHCP Message Types

• Value Message Type


• DHCPDISCOVER
• DHCPOFFER
• DHCPREQUEST
• DHCPACK
• DHCPNAK
• DHCPRELEASE
• DHCPINFORM
DHCP Message type

• DHCPDISCOVER: Broadcast by a client to find available DHCP
servers.
• DHCPOFFER: Response from a server to a DHCPDISCOVER and
offering IP address and other parameters.
• DHCPREQUEST: Message from a client to servers that does one of
the following:
– Requests the parameters offered by one of the servers and declines all
other offers.
– Verifies a previously allocated address after a system or network change
(a reboot for example).
– Requests the extension of a lease on a particular address.
• DHCPACK: Acknowledgement from server to client with
parameters, including IP address.
• DHCPNAK: Negative acknowledgement from server to client,
indicating that the client's lease has expired or that a requested IP
address is incorrect.
• DHCPRELEASE: Message from client to server canceling remainder
of a lease and relinquishing network address.
• DHCPINFORM: Message from a client that already has an IP
address (manually configured for example), requesting further
configuration parameters from the DHCP server.
Lease Renewal Times (Client)

• T1 < T2 < Lease time


• T1 default value = 1/2 of lease time
• T2 default value = 7/8 of lease time
• Communicated via DHCPOFFER, DHCPACK
• Client actions when times elapse
– T1: client must renew address with the DHCP server
– T2: client must renew address with any DHCP server
• Lease time end: client must stop using IP address
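
To make the message types and renewal timers above concrete, the following added example (not part of the original slides) parses the options of a DHCP packet and derives T1 and T2. The option numbers (51 lease time, 53 message type, 58 T1, 59 T2) and the message type values come from RFC 2132, not from the slides, and the sample packet is constructed.

```python
import struct

# Option 53 values defined in RFC 2132 (the slides list the names only).
TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
         5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field
HEADER_LEN = 236               # fixed BOOTP header preceding the cookie


def parse_options(packet: bytes) -> dict:
    """Return {option code: raw value}; reject truncated or malformed packets."""
    if packet[HEADER_LEN:HEADER_LEN + 4] != COOKIE:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    options, i = {}, HEADER_LEN + 4
    while i < len(packet) and packet[i] != 255:      # 255 = End
        if packet[i] == 0:                           # 0 = Pad, no length byte
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("option overruns packet")
        options[packet[i]] = packet[i + 2:i + 2 + packet[i + 1]]
        i += 2 + packet[i + 1]
    return options


def lease_timers(packet: bytes) -> dict:
    """Message type plus lease, T1 and T2 in seconds (defaults: 1/2 and 7/8)."""
    opts = parse_options(packet)

    def u32(code):
        return struct.unpack("!I", opts[code])[0] if code in opts else None

    lease, t1, t2 = u32(51), u32(58), u32(59)
    if lease is not None:
        t1 = lease // 2 if t1 is None else t1
        t2 = lease * 7 // 8 if t2 is None else t2
        if not t1 < t2 < lease:
            raise ValueError("timers violate T1 < T2 < lease time")
    mtype = (opts.get(53) or b"\x00")[0]
    return {"type": TYPES.get(mtype, "unknown"), "lease": lease, "t1": t1, "t2": t2}


def sample_ack(lease: int = 8 * 86400, extra: bytes = b"") -> bytes:
    """Constructed DHCPACK: 8-day lease, yiaddr 192.168.0.50, made-up MAC."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                         bytes(4), bytes([192, 168, 0, 50]), bytes(4), bytes(4),
                         bytes.fromhex("020000000001"), b"", b"")
    return header + COOKIE + b"\x35\x01\x05\x33\x04" + struct.pack("!I", lease) + extra + b"\xff"
```

For the eight-day lease in the sample, the defaults give T1 after four days and T2 after seven days.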
Renewal Message Flow
DHCP States and messages
What are DHCP Scopes

• A scope is simply a range of IP addresses that a DHCP server is configured to distribute.
• In the simplest case, where a single DHCP server oversees IP configuration for an entire subnet, the scope corresponds to the subnet.
• However, if you set up two DHCP servers for a subnet, you can configure each with a scope that allocates only one part of the complete subnet range.
• In addition, a single DHCP server can serve more than one scope.
• You must create a scope before you can enable a DHCP server. When you create a scope, you can provide it with the following properties:
1) A scope name, which helps you to identify the scope and its purpose.
2) A scope description, which lets you provide additional details about the scope and its purpose.
3) A starting IP address for the scope.
4) An ending IP address for the scope.
5) A subnet mask for the scope. You can specify the subnet mask with dotted decimal notation or with CIDR notation.
6) One or more ranges of excluded addresses. These addresses won’t be assigned to clients.
7) One or more reserved addresses. These are addresses that will always be assigned to particular host devices.
8) The lease duration, which indicates how long the host will be allowed to use the IP address.
- The client will attempt to renew the lease when half of the lease duration has elapsed. For example, if you specify a lease duration of eight days, the client will attempt to renew the lease after four days have passed. This allows the host plenty of time to renew the lease before the address is reassigned to some other host.
9) The router address for the subnet. This value is also known as the Default Gateway address.
10) The domain name and the IP address of the network’s DNS server and WINS servers.
Exclusions Range

• In the case of DHCP scopes, exclusions can help you to prevent IP address conflicts and can enable you to divide the DHCP workload for a single subnet among two or more DHCP servers.
• An exclusion is a range of addresses that are not included in a scope. The exclusion range falls within the range of the scope’s starting and ending addresses.
• In effect, an exclusion range lets you punch a hole in a scope.
• The IP addresses that fall within the hole won’t be assigned.
• The following are several reasons for excluding IP addresses from a scope:
1) The computer that runs the DHCP service itself must usually have a static IP address assignment. As a result, the address of the DHCP server should be listed as an exclusion.
2) Some hosts may not be able to support DHCP. In that case, the host will require a static IP address. For example, you may have a really old MS-DOS computer that doesn’t have a DHCP client. By excluding its IP address from the scope, you can prevent that address from being assigned to any other host on the network.
Exclusion Range

• A set of one or more IP addresses that is included within the range of a defined scope but that you don’t want to lease to DHCP clients.
• An exclusion range ensures that the DHCP server does not assign addresses that are already assigned manually to servers or other computers.
• Example:
- new scope: 192.168.0.10 – 192.168.0.254
- a number of preexisting servers whose static addresses fall within this range, 192.168.0.200 to 192.168.0.210
- a server with an isolated static address such as 192.168.0.99
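
The exclusion example above, worked through as an added example that is not part of the original slides: it computes what the server can still lease, flags static hosts that no exclusion protects, and checks a two-server split for overlap. The static host inventory is constructed; only the scope and the two exclusions come from the slide.

```python
import ipaddress


def ip_range(start: str, end: str) -> range:
    """Inclusive address range as integers."""
    a, b = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    if a > b:
        raise ValueError(f"range start {start} is after end {end}")
    return range(a, b + 1)


def leasable(scope, exclusions) -> set:
    """Addresses the server may hand out: the scope minus its exclusion ranges."""
    whole = ip_range(*scope)
    pool = set(whole)
    for start, end in exclusions:
        hole = ip_range(start, end)
        if hole[0] not in whole or hole[-1] not in whole:
            raise ValueError(f"exclusion {start}-{end} lies outside the scope")
        pool -= set(hole)
    return pool


def unprotected_static(pool: set, static_hosts) -> list:
    """Statically configured addresses that the server could still lease out."""
    return [h for h in static_hosts if int(ipaddress.IPv4Address(h)) in pool]


def overlap(pool_a: set, pool_b: set) -> list:
    """Addresses two servers on one subnet could both lease (split-scope error)."""
    return [str(ipaddress.IPv4Address(n)) for n in sorted(pool_a & pool_b)]


# Scope and exclusions from the slide's example.
SCOPE = ("192.168.0.10", "192.168.0.254")
EXCLUSIONS = [("192.168.0.200", "192.168.0.210"), ("192.168.0.99", "192.168.0.99")]
# Constructed inventory: .150 is a static host nobody excluded; .5 is outside the scope.
STATIC_HOSTS = ["192.168.0.99", "192.168.0.205", "192.168.0.150", "192.168.0.5"]

if __name__ == "__main__":
    pool = leasable(SCOPE, EXCLUSIONS)
    print(len(pool), "leasable; unprotected:", unprotected_static(pool, STATIC_HOSTS))
```

Any address returned by `unprotected_static` or `overlap` is one that could be handed out twice, which is the address conflict exclusions are meant to prevent.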
Reservation

• In some cases, you may want to assign a particular IP address
to a particular host.
• One way to do this is to configure the host with a static IP
address so that the host doesn’t use DHCP to obtain its IP
configuration.
DHCP Reservation
What are Superscopes and Multicast Scopes?
What are DHCP Options?
DHCP Class-Level Options
DHCP Server Authorization
DHCP Database Backup and Restore
Overview of Monitoring DHCP
Common DHCP Issues
Monitoring DHCP Server Performance
Securing DHCP
Basic precautions that you should take to limit unauthorized
access include:
• Make sure that you reduce physical access.
– If users can access a live network connection in the network, they are likely to be able to obtain an IP address. If a network port is not being used, you should disconnect it physically from the switching infrastructure.
• Enable audit logging on all DHCP servers.
– This can provide a historical view of activity, as well as allow you to trace when a potentially malicious user obtained an IP address in the network. Make sure to schedule time at regular intervals to review the audit logs.
• Authenticate users.
– Most enterprise switches now support Institute of Electrical and Electronics Engineers, Inc. (IEEE) 802.1X authentication. This allows for port-level user authentication.
• Implement NAP.
– NAP allows administrators to validate that a client computer is running all the latest Windows updates.
– It also validates that the client is running an up-to-date antivirus client.
– If a user who does not meet security requirements tries to access the network:
  - They will be allowed to access a remediation network where they can receive the necessary updates.
– Restrict access to the network by allowing only authenticated users access to the internal local area network (LAN).
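
One way to carry out the regular audit log review recommended above, as an added example that is not part of the original slides. It assumes comma-separated audit rows in the field order used by Windows DHCP Server audit logs (ID, Date, Time, Description, IP Address, Host Name, MAC Address) and its event IDs (10 new lease, 11 renewal, 14 pool exhausted, 15 lease denied); the log lines and the inventory are constructed.

```python
import csv
import io

# Assumed event IDs, following the Windows DHCP Server audit log convention.
LEASE_EVENTS = {"10", "11"}                      # new lease, renewal
FAILURE_EVENTS = {"14": "pool exhausted", "15": "lease denied"}

# Constructed sample log; hosts, MACs, dates and description text are made up.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,03/04/24,09:00:01,Assign,192.168.0.21,PC-LAB-01,0011223344AA
11,03/04/24,13:00:01,Renew,192.168.0.21,PC-LAB-01,0011223344AA
10,03/04/24,14:12:40,Assign,192.168.0.57,laptop-x,02AABBCCDD01
10,03/05/24,08:30:10,Assign,192.168.0.58,laptop-x,02AABBCCDD01
14,03/05/24,08:31:00,Pool exhausted,192.168.0.0,,
"""
KNOWN_MACS = ["00-11-22-33-44-AA"]               # constructed asset inventory


def norm_mac(mac: str) -> str:
    """Compare MACs regardless of separator or case."""
    return "".join(c for c in mac.upper() if c in "0123456789ABCDEF")


def review(log_text: str, known_macs) -> dict:
    """Leases granted to MACs missing from the inventory, plus failed requests."""
    known = {norm_mac(m) for m in known_macs}
    unknown, failures = {}, []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 7 or not row[0].strip().isdigit():
            continue                              # preamble, header or malformed line
        event, date, time, _desc, ip, host, mac = (f.strip() for f in row[:7])
        if event in FAILURE_EVENTS:
            failures.append((date, time, FAILURE_EVENTS[event]))
        elif event in LEASE_EVENTS and norm_mac(mac) not in known:
            seen = unknown.setdefault(norm_mac(mac), {
                "first_seen": f"{date} {time}", "host": host, "ips": []})
            if ip not in seen["ips"]:
                seen["ips"].append(ip)
    return {"unknown": unknown, "failures": failures}


if __name__ == "__main__":
    print(review(SAMPLE_LOG, KNOWN_MACS))
```

The `first_seen` value is the point in the log at which an unrecognized device first obtained an address, which is the trace the audit log is kept for.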
THANK
YOU
