DHCP (Dynamic Host Configuration Protocol) is one of the most common protocols, and everyone understands what it does, but very few spend time learning how it works.
So in this post we will look at how DHCP works in wired and wireless networks. I have set up a simple lab (shown below) with a switch, WLC, AP and DHCP server (Microsoft DHCP server on a VM). The switch has been configured with basic SVI interfaces using the listed gateway addresses.
First we will check how DHCP works in a wired environment by capturing packets in Wireshark on the wired PC's Ethernet interface while it acquires an IP from the DHCP server.
As you can see, four types of packets (Discover, Offer, Request, ACK, i.e. DORA) are exchanged before the PC gets an IP. We will look at each of these packets in detail.
Here is a look inside the DHCP Discover packet. In layer 4 it uses UDP with source port 68 and destination port 67, which are bootpc (client) and bootps (server); DHCP is in fact an extension of the BOOTP protocol. This Discover message includes certain options (53, 61, 12, 60, 55); some of these fields are used to identify the client to the DHCP server. In layer 3 the source is 0.0.0.0 (the client has not yet acquired an IP) and the destination is the broadcast address 255.255.255.255. In layer 2 the source MAC is the PC's NIC MAC address and the destination MAC is the broadcast MAC.
This layer 2 broadcast goes to every host in that subnet and reaches the switch SVI (interface vlan 13, the gateway). Since the DHCP server is in a different subnet (vlan 200), the Discover will not reach it on its own, because a broadcast is limited to the local subnet. Once you configure "ip helper-address 192.168.200.1" under interface vlan 13, the switch forwards the Discover to the DHCP server as a unicast packet. This forwarding of DHCP messages to the DHCP server is called DHCP relaying. The DHCP server then sends a DHCP Offer message.
Because the switch is acting as DHCP relay (note that the switch's interface vlan 13 IP is listed as the relay-agent IP in this packet), it receives the DHCP Offer from the DHCP server and then sends it to the client. This packet includes BOOTP options such as IP address, subnet mask, lease time, DHCP server IP, domain name and default gateway. The UDP source port is 67 (coming from the server) and the destination port is 68 (to the client). In layer 3 the switch sets its vlan 13 IP address as the source IP, and the destination IP is the layer 3 broadcast (255.255.255.255). In layer 2 it goes out as a broadcast frame.
Once the client receives this Offer, it sends a DHCP Request message asking for that IP. By now the client knows the "offered client IP" from the Offer, so the Request includes that IP (10.10.13.10 in this case). It also lists the DHCP server address; this way, even if multiple DHCP servers responded, the client can choose which DHCP server to request the IP from. Since the traffic comes from the client, the UDP source port is 68 and the destination port is 67. The layer 3 source is still 0.0.0.0 and the destination 255.255.255.255, and in layer 2 it goes as a broadcast.
Finally the client gets the DHCP ACK, confirming that it can use the requested IP. The destination IP of this packet is still the layer 3 broadcast (the client does not yet have an IP), so the layer 2 frame goes out as a broadcast as well.
Once the client receives and processes this frame, it can confirm that its MAC address is listed as the client MAC in the BOOTP fields. It then assigns the given IP to the NIC. As you can see, the next thing it does is send an ARP request to find the MAC address of its gateway (10.10.13.1, listed in the BOOTP options). The client then knows everything (layer 2 and 3) it needs to communicate with the rest of the network.
Because these DHCP messages go out as local-subnet broadcasts, any host in that subnet acting as a rogue DHCP server can respond to the client's DHCP request and potentially issue a wrong IP to the client (usually faster than the proper DHCP server, since that one sits outside the user subnet). To prevent this, the "DHCP snooping" feature needs to be enabled (described in a separate post).
Now we will look at how this works in a wireless setup. This time I am capturing packets at the switch port connected to the WLC (G1/0/1). Here is my Wireshark capture while a wireless client is getting an IP. Since every packet between the AP and the WLC is CAPWAP-encapsulated, you will see each type of packet twice at the switch port (AP -> WLC, WLC -> DHCP server, and vice versa). If you look at the DHCP Discover going to the WLC, the AP encapsulates the original packet in CAPWAP (UDP destination port 5247). The traffic goes from the AP to the AP-manager IP address. The inner content is identical to what you saw in the wired DHCP Discover.
As you can see, the WLC acts as DHCP relay for the client and forwards this Discover to the DHCP server. It uses the IP of the interface (vlan 14) assigned to the WLAN the client is connecting to. Note that both the source and destination UDP ports are 67, as the traffic goes from the DHCP relay to the DHCP server.
The WLC then gets the DHCP Offer from the DHCP server and forwards it to the AP with CAPWAP encapsulation. When the WLC forwards this Offer to the AP, it uses its virtual interface IP (220.127.116.11) as the source of the Offer. This is called "DHCP proxy". The wireless client therefore believes that this is the DHCP server IP and requests from it (in the BOOTP fields) in its DHCP Request.
Here is the DHCP Request coming from the wireless client to the WLC. Once the WLC forwards this to the DHCP server, the server replies with the DHCP ACK.
Here is the DHCP ACK coming from the DHCP server to the WLC. Finally the wireless client receives this DHCP ACK from the virtual IP of the WLC (acting as the DHCP server for the wireless client).
The key point to remember is that in a wireless environment the WLC's virtual interface acts as a proxy for (pretends to be) the DHCP server for clients, so in the client's configuration you will see this virtual IP as the DHCP server (see below).
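To make the packet fields discussed in the wired DORA walk-through (ports, options 53/61/12/60/55, the relay-agent IP in the Offer) and the WLC DHCP-proxy section concrete, here is an added example that is not code from the original post: a small BOOTP/DHCP builder and parser in Python, plus the check a defender would run on server replies, flagging any Offer/ACK whose server identifier (option 54) is not on an allow-list. All packets are constructed inline; the addresses reuse the lab values quoted in the post (10.10.13.1, 10.10.13.10, 192.168.200.1, the WLC virtual IP), while the client MAC, transaction id, wireless client IP and the rogue server address are made up. In the wireless case the allow-list has to include the WLC virtual interface IP, because that is the server identifier the client sees.

```python
"""Build/parse BOOTP-DHCP messages and check server replies against an allow-list.
Added illustration, not code from the original post. All packets are constructed."""
import struct
from ipaddress import IPv4Address

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the DHCP option area
HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"      # fixed 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_dhcp(op, xid, chaddr, yiaddr="0.0.0.0", giaddr="0.0.0.0", options=()):
    """Serialise a BOOTP header plus a TLV option list terminated by 0xff."""
    hdr = struct.pack(HDR_FMT, op, 1, 6, 0, xid, 0, 0x8000,   # flags: broadcast bit set
                      IPv4Address("0.0.0.0").packed, IPv4Address(yiaddr).packed,
                      IPv4Address("0.0.0.0").packed, IPv4Address(giaddr).packed,
                      chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC_COOKIE + body + b"\xff"


def parse_dhcp(pkt):
    """Decode the fixed header and the option area into a dict."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    f = struct.unpack(HDR_FMT, pkt[:236])
    msg = {
        "op": f[0], "xid": f[4],
        "yiaddr": str(IPv4Address(f[8])),      # address being offered/assigned
        "giaddr": str(IPv4Address(f[10])),     # relay-agent IP, 0.0.0.0 if not relayed
        "chaddr": f[11][:f[2]].hex(":"),       # client MAC (hlen bytes of chaddr)
        "options": {},
    }
    i = 240
    while i < len(pkt) and pkt[i] != 255:      # 255 = end option
        if pkt[i] == 0:                        # 0 = pad
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        msg["options"][code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    msg["type"] = MSG_TYPES.get(msg["options"].get(53, b"\x00")[0], "UNKNOWN")
    return msg


def check_server_reply(pkt, allowed_servers):
    """Return (ok, detail); Offer/ACK/NAK must carry option 54 from an allowed server."""
    msg = parse_dhcp(pkt)
    if msg["op"] != BOOTREPLY or msg["type"] not in ("OFFER", "ACK", "NAK"):
        return True, f"{msg['type']} is not a server reply"
    sid = msg["options"].get(54)
    if sid is None:
        return False, f"{msg['type']} carries no server identifier"
    server = str(IPv4Address(sid))
    if server not in allowed_servers:
        return False, f"{msg['type']} for {msg['yiaddr']} from unexpected server {server}"
    return True, f"{msg['type']} for {msg['yiaddr']} from {server} via giaddr {msg['giaddr']}"


# --- constructed sample traffic ---------------------------------------------
CLIENT_MAC = bytes.fromhex("0011223344aa")  # constructed client MAC
XID = 0x3903F326                             # constructed transaction id
SWITCH_SVI = "10.10.13.1"                    # int vlan 13 gateway (from the post)
DHCP_SERVER = "192.168.200.1"                # ip helper-address target (from the post)
WLC_VIRTUAL_IP = "220.127.116.11"            # WLC virtual interface IP as quoted in the post
ROGUE = "10.10.13.66"                        # constructed rogue server inside the client subnet

# Discover as the PC sends it: op=1 with options 53/61/12/60/55 as in the capture
DISCOVER = build_dhcp(BOOTREQUEST, XID, CLIENT_MAC, options=[
    (53, b"\x01"),                  # DHCPDISCOVER
    (61, b"\x01" + CLIENT_MAC),     # client identifier: htype + MAC
    (12, b"lab-pc"),                # hostname
    (60, b"MSFT 5.0"),              # vendor class
    (55, bytes([1, 3, 6, 15])),     # parameter request: mask, router, DNS, domain
])
# Offer as relayed by the switch: giaddr carries the SVI address of int vlan 13
OFFER = build_dhcp(BOOTREPLY, XID, CLIENT_MAC, yiaddr="10.10.13.10", giaddr=SWITCH_SVI, options=[
    (53, b"\x02"), (54, IPv4Address(DHCP_SERVER).packed),
    (1, IPv4Address("255.255.255.0").packed), (3, IPv4Address(SWITCH_SVI).packed),
    (51, struct.pack("!I", 86400)),
])
# Offer the wireless client sees after DHCP proxy: server identifier is the WLC virtual IP
PROXIED_OFFER = build_dhcp(BOOTREPLY, XID, CLIENT_MAC, yiaddr="10.10.14.10", options=[
    (53, b"\x02"), (54, IPv4Address(WLC_VIRTUAL_IP).packed)])
# Offer from a rogue server on the client subnet (constructed)
ROGUE_OFFER = build_dhcp(BOOTREPLY, XID, CLIENT_MAC, yiaddr="10.10.13.200", options=[
    (53, b"\x02"), (54, IPv4Address(ROGUE).packed)])

ALLOWED = {DHCP_SERVER, WLC_VIRTUAL_IP}

if __name__ == "__main__":
    d = parse_dhcp(DISCOVER)
    print(d["type"], d["chaddr"], sorted(d["options"]))
    for name, pkt in [("relayed", OFFER), ("proxied", PROXIED_OFFER), ("rogue", ROGUE_OFFER)]:
        print(name, check_server_reply(pkt, ALLOWED))
```

The parser only decodes the UDP payload; in a real capture you would strip Ethernet/IP/UDP (and, on the WLC-facing port, the CAPWAP wrapper) first. The allow-list check mirrors what DHCP snooping enforces on untrusted ports, but run offline over captured packets it is also a simple way to spot a rogue server in a trace.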
1. Understanding DHCP Snooping
2. Understanding DHCP Option 43
3. Understanding DHCP Option 82
4. WLC – DHCP Option 82 Configuration Example
Once again you show that you created very good detailed instructions for WLC. Only the link for 2. Understanding DHCP Option 43 is not active, why?
Thank you very much
That post is not yet published; it is in draft stage. Will publish that soon.
I have a problem getting an IP address for my wireless clients. The design is very similar to yours. A DHCP server is on the same network as an AP and wired clients, vlan 100 (and future wireless, I hope). I would like to offer my clients the same IP range on wired and wireless connections. The WLC is configured with an interface on Vlan 800 for the SSID which is advertised for clients on VLAN 100 (office). I don't understand where the problem is. The WLC is getting the Discover message, but the Offer message never comes back to the wireless clients.
WLC—SW—R—-SW——-AP ))))))) WiFi clients
If DHCP proxy is not enabled, you have to configure "ip helper-address x.x.x.x" under the SVI configured for wireless clients. Make sure the WLC-connected switchport is configured as a trunk port and allows all required vlan traffic between the switch and the WLC.
Thank you for your reply.
I was trying with Proxy off/on, with and without ip helper. Failed.
To be clear:
Vlan 10 is the management vlan on WLC
Vlan 800 is an interface on WLC – SSID Office
The connection between the WLC and switch is trunked, like the connection between the switch and Router R1. R1 is connected to R2. The link between R2 and a switch is trunked on Vlan 100. On Vlan 100 we have the DHCP server for clients on this Vlan. An AP is set up with an IP address from this scope and it is advertising SSID Office. How can I get an IP address from the DHCP server on Vlan 100 for wireless clients?
I have a problem with that.
Thank you for your time and help
If vlan 800 is the interface mapped to the SSID, then your DHCP request goes from the vlan 800 interface on your WLC. So you will get a vlan 800 IP address on the client.
If you want to assign vlan 100 to the wireless users, then you have to create a dynamic interface on vlan 100 on your WLC and trunk vlan 100 to the WLC.
I was thinking of doing this, but there are 2 routers between the WLC and the AP.
I shouldn't create vlan 100 on both sides (wlc—trunk with vlan 100—switch—trunk with vlan 100—R1—-L3—R2—trunk with vlan 100—switch—access vlan 100—–AP, DHCP, wired clients).
Yes, you cannot create the same vlan across L3. So in this case you have to assign a vlan available on the WLC to the clients associating to that SSID. It cannot be something like vlan 100 which is not present at your WLC.
Can you confirm at what layer of the OSI and TCP/IP models DHCP runs?
DHCP is an Application Layer protocol.
First I would most sincerely like to congratulate you on the very good performance of your homepage.
I have a question and I very much hope that you can answer it or tell me where I can seek help for my problem:
We have to put a Cisco 5760 WLC into use with 110 APs and 7 VLAN networks for wireless clients, and an external DHCP server running Windows Server 2012 R2 provides the IP addresses for wireless clients.
Now we get this alarm message from the Juniper firewall: (arp req detected an IP conflict (IP 10.157.3.254; MAC 188796818413; on interface ethernet1/2.466)?
IP address 10.157.3.254 is the gateway of the WLAN client Vlan, and it is not assigned by the DHCP server to clients, because this IP address is the gateway for the network on the Juniper virtual interface 1/2.466, and 466 is the client Vlan.
And the config on the WLC 5760 is as follows for the WLAN client VLANs:
ip dhcp snooping vlan 463-469
no ip dhcp snooping information option
ip dhcp snooping wireless bootp-broadcast enable
ip dhcp snooping
!
vlan group mt_labor_vlan vlan-list 466
ip address 10.157.3.253 255.255.255.0
ip helper-address 10.10.158.10
>>>> Here is the gateway (10.157.3.253) for WLAN clients Vlan on the WLC <<<<<
What have we set wrong here, and what suggestions can you give us for changes on the WLC to eliminate these errors?
I thank you for the good work and I await your reply.
Siva Bandaru said:
Could you please expand these abbreviations related to the diagram?
WLC & HQ-AP1
Comparing wired and wireless, why are there two layer-4 (UDP) headers in the wireless sniff?
Why is CAPWAP used in wireless only and not in wired?
Madhu Sangana said:
Thanks for the good explanation about DHCP. I have one query regarding DHCP offer packet.
While sending the DHCP Offer packet, we already know the station's MAC address (from the DHCP Discover packet), so we could send the DHCP Offer as unicast, right? But why is it broadcast here? Any reason?
A MAC address is only used to send traffic within a local L2 segment. Most likely the DHCP server sits on a network outside that of the client asking for an IP. In that sense, we cannot send Offer messages as unicast unless the client and the DHCP server are on the same subnet.
The AP is sending DHCP broadcast packets to other stations in the subnet.
Is this expected behaviour or not?
Because why does a station need to get DHCP broadcast packets when they are not destined to that station?