, , ,

DHCP (Dynamic Host Configuration Protocol) is one of the most common protocols that everyone understand what it does. But very few of them spend time to learn how it work.

So in this post we will look at how DHCP works in wired & wireless network. I have setup simple lab (as shown below) with a Switch, WLC, AP & DHCP server(Microsoft DHCP server on a VM). Switch has been configured with basic SVI interfaces with listed gateway addresses.DHCP1-00

First we will check  how DHCP works in wired environment by capturing wireshark packets of  wired PC Ethernet interface while it is acquiring an IP from DHCP server.DHCP1-0

As you can see there are 4 type of packets (Discover, Offer, Request, ACK  ie DORA) exchanged prior to PC get an IP. We will look at each of these packets in detail.

Here is the  insight of DHCP discovery packet. As you can see in layer 4 it use UDP protocol with src port 68 & des port 67 which is bootpc (client) & bootps(server). Actually DHCP is an extension of BootP protocol. This discovery msg include certain options (53, 61,12,60,55) sometimes these field used to identify the client to DHCP server. In layer 3 src would be (as not yet aquire an IP) & dst ( would be all subnet broadcast. In layer 2 src MAC would be PC’s NIC mac address where as dst MAC would be broadcast MAC.DHCP1-01

This layer 2 broadcast message would go to all host in that subnet & will reach the switch SVI (int vlan 13-GW). Since DHCP server is in a different subnet (vlan 200) this DHCP discover msg will not reach that(broadcast will limited only to local subnet). Once you configure “ ip helper-address” command under interface vlan 13, this DHCP discover msg send as a unicast packet to the DHCP server. This function of the forwarding DHCP discover msg to DHCP server is called DHCP-Relaying. Then DHCP server will send a DHCP offer msg.

As switch acting as DHCP-Relay (note that int vlan 13 IP of the switch listed as relay-agent IP in this packet) it will receive the DHCP offer msg from DHCP server & then send to client. This packet includes Bootp options like IP address, subnet mask, lease time, DHCP server IP, domain name, default gateway,etc.  UDP src port would be 67 (as coming from server) & dst port would be 68 (to client). In layer 3, switch will set its vlan 13 IP address as src IP of this packet & dst IP would be layer 3 broadcast ( In layer 2 it will go as a broadcast frame.DHCP1-02

Once client receive this offer message, it will send a DCHP request message for asking that IP. By this time client knows what was “offered client IP” in the DHCP offer & therefore “Request msg” include that IP ( in this case). Also it lists DHCP server address (in this way even multiple DHCP servers responded, client can choose which DHCP server to ask for IP). Since traffic is going from client, UDP src port would be 68 & dst port would be 67. Still layer 3 src would be & dst In layer two this will go as broadcast.DHCP1-03

Finally client will get DHCP ACK, confirming it can use this requested IP. Still this packet dst IP is layer 3 broadcast (as client does not has IP) & hence layer 2 frame go as a broadcast as well.DHCP1-04

Once client get this frame & process he could confirm his MAC address listed as client MAC in bootp field. Then it will assign the given IP to NIC. As you can see next thing it will do is send an ARP request to find what is his gateway’s ( listed in bootp options) MAC address. Then client know everything (layer 2 & 3) to communicate with the rest of the network.

As you can see these DHCP messages go as local subnet broadcast any host (acting as rouge dhcp sever) in that subnet can responded to clients DCHP request  & could potentially issue wrong IP to client (usually faster than proper DHCP server as it sits outside of a user subnet) . To prevent this “DHCP snooping feature needs to enable (will describe this in a separate post)

Now we will look at how things work this in wireless set up. Now I am capturing packets at the WLC connected switch port (G1/0/1). Here is the my wireshark capture while wireless client is getting an IP. Since every packet encapsulated CAPWAP from AP <->WLC you will see each type of packet twice at the switch port (ie AP-> WLC, WLC -> DHCP server & vice versa)DHCP1-05 If you look at the DHCP discover msg goes to WLC AP will encapsulate original packet with CAPWAP (UDP dst port 5247). Traffic will go to AP Manager IP address from the AP. Inside information is identical to what you saw in the wired DHCP discover message.DHCP1-06

As you can see WLC is acting as DHCP relay to the client and forward this discovery msg to DHCP server. It will use interface(vlan 14) IP assign to WLAN where client is trying to connect. Note that both src & dst UDP port will be 67 as traffic goes from DHCP Relay to DHCP server.DHCP1-07

Then WLC will get DHCP offer msg from DHCP server and then forward it to the AP with CAPWAP encapsulation.DHCP1-08 When WLC forward this offer message to AP, it will use its virtual interface IP ( as the source of this DHCP offer msg. This is called “DHCP-proxy”. Therefore wireless client will think that is the DHCP server IP and requesting that  (in bootp fields) in DHCP request msg.DHCP1-09

Here is the DHCP request msg coming from the wireless client to WLC. Once WLC forward this to DHCP server, it will give the DHCP ACK msg.DHCP1-10

Here is the DSCP ACK coming from DHCP server to WLC.DHCP1-11 finally wireless client will get this DHCP ack from virtual IP of the WLC (acting as DHCP for the wireless client)DHCP1-12

Key point to remember is in wireless environment WLC’s virtual interface is pretending(or proxy) as DHCP server for clients & therefore in client configuration you will see this virutal IP as DHCP server.(see below)DHCP1-13

Related Posts

1. Understanding DHCP Snooping
2. Understanding DHCP Option 43
3. Understanding DHCP Option 82
4. WLC – DHCP Option 82 Configuration Example