DHCP (Dynamic Host Configuration Protocol) is one of the most common protocols, and almost everyone understands what it does. But very few spend time learning how it works.
So in this post we will look at how DHCP works in wired & wireless networks. I have set up a simple lab (as shown below) with a Switch, WLC, AP & DHCP server (Microsoft DHCP server on a VM). The switch has been configured with basic SVI interfaces using the listed gateway addresses.
As you can see, there are 4 types of packets (Discover, Offer, Request, ACK, ie DORA) exchanged before the PC gets an IP. We will look at each of these packets in detail.
Here is the inside of the DHCP Discover packet. As you can see, in layer 4 it uses UDP with src port 68 & dst port 67, which are bootpc (client) & bootps (server). DHCP is actually an extension of the BootP protocol. This Discover msg includes certain options (53, 61, 12, 60, 55); some of these fields are used to identify the client to the DHCP server. In layer 3 the src would be 0.0.0.0 (as the client has not yet acquired an IP) & the dst (255.255.255.255) would be the local broadcast address. In layer 2 the src MAC would be the PC's NIC MAC address, whereas the dst MAC would be the broadcast MAC.
This layer 2 broadcast message goes to all hosts in that subnet & reaches the switch SVI (int vlan 13, the GW). Since the DHCP server is in a different subnet (vlan 200), this DHCP Discover msg will not reach it (the broadcast is limited to the local subnet). Once you configure the "ip helper-address 192.168.200.1" command under interface vlan 13, this DHCP Discover msg is sent as a unicast packet to the DHCP server. This function of forwarding the DHCP Discover msg to the DHCP server is called DHCP relaying. Then the DHCP server will send a DHCP Offer msg.
As the switch is acting as DHCP relay (note that the int vlan 13 IP of the switch is listed as the relay agent IP in this packet), it will receive the DHCP Offer msg from the DHCP server & then send it to the client. This packet includes BootP options like IP address, subnet mask, lease time, DHCP server IP, domain name, default gateway, etc. The UDP src port would be 67 (as it is coming from the server) & the dst port would be 68 (to the client). In layer 3, the switch will set its vlan 13 IP address as the src IP of this packet & the dst IP would be the layer 3 broadcast (255.255.255.255). In layer 2 it will go as a broadcast frame.
Once the client receives this Offer message, it will send a DHCP Request message asking for that IP. By this time the client knows what the "offered client IP" in the DHCP Offer was & therefore the Request msg includes that IP (10.10.13.10 in this case). It also lists the DHCP server address (in this way, even if multiple DHCP servers responded, the client can choose which DHCP server to ask for the IP). Since traffic is going from the client, the UDP src port would be 68 & the dst port would be 67. The layer 3 src is still 0.0.0.0 & the dst 255.255.255.255. In layer 2 this will go as a broadcast.
Once the client gets this frame & processes it, it can confirm that its MAC address is listed as the client MAC in the BootP field. Then it will assign the given IP to the NIC. As you can see, the next thing it will do is send an ARP request to find its gateway's (10.10.13.1, listed in the BootP options) MAC address. Then the client knows everything (layer 2 & 3) it needs to communicate with the rest of the network.
As you can see, these DHCP messages go as local subnet broadcasts, so any host in that subnet (acting as a rogue DHCP server) can respond to the client's DHCP Request & could potentially issue a wrong IP to the client (usually faster than the proper DHCP server, as that sits outside the user subnet). To prevent this, the "DHCP snooping" feature needs to be enabled (I will describe this in a separate post).
Now we will look at how things work in a wireless setup. This time I am capturing packets at the WLC-connected switch port (G1/0/1). Here is my Wireshark capture while a wireless client is getting an IP. Since every packet between AP <-> WLC is encapsulated in CAPWAP, you will see each type of packet twice at the switch port (ie AP -> WLC, WLC -> DHCP server & vice versa). If you look at the DHCP Discover msg going to the WLC, the AP encapsulates the original packet in CAPWAP (UDP dst port 5247). Traffic goes from the AP to the AP Manager IP address. The inside information is identical to what you saw in the wired DHCP Discover message.
As you can see, the WLC is acting as DHCP relay for the client and forwards this Discover msg to the DHCP server. It will use the IP of the interface (vlan 14) assigned to the WLAN the client is trying to connect to. Note that both the src & dst UDP ports will be 67, as traffic goes from the DHCP relay to the DHCP server.
Then the WLC gets the DHCP Offer msg from the DHCP server and forwards it to the AP with CAPWAP encapsulation. When the WLC forwards this Offer message to the AP, it will use its virtual interface IP (126.96.36.199) as the source of this DHCP Offer msg. This is called "DHCP proxy". Therefore the wireless client will think that is the DHCP server IP and will request it (in the BootP fields) in the DHCP Request msg.
The key point to remember is that in a wireless environment the WLC's virtual interface is pretending to be (or proxying) the DHCP server for clients & therefore in the client configuration you will see this virtual IP as the DHCP server (see below).
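To make the packet fields discussed in the wired section (the Discover with options 53/61/12/60/55, the relay agent stamping its SVI IP into giaddr, the Offer's BootP options, and the rogue-server risk) and the wireless section (the WLC rewriting the server identifier to its virtual interface IP) concrete, here is a small BOOTP/DHCP builder and parser. This is an added example written for this page, not code from the original post or from any vendor; the lab addresses (10.10.13.1, 10.10.13.10, 192.168.200.1, 126.96.36.199) are taken from the post, while the MAC, xid, hostname and vendor class are constructed sample values, and the function names (`client_discover`, `relay_to_server`, `server_offer`, `wlc_proxy`, `offer_is_trusted`) are my own.

```python
# Added example (not from the original post): BOOTP/DHCP builder and parser
# walking through Discover -> relay (giaddr) -> Offer -> trust check -> WLC proxy.
# Lab IPs come from the post; MAC, xid, hostname and vendor class are constructed.
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2131 magic cookie before options
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5  # option 53 message types
OPT_SUBNET, OPT_ROUTER, OPT_LEASE = 1, 3, 51
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAM_LIST, OPT_END = 53, 54, 55, 255
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"     # the fixed 236-byte BOOTP header

def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def ip_str(b):
    return ".".join(str(x) for x in b)

def encode_options(opts):
    """opts: list of (code, value bytes) TLVs, written in order, closed with 0xFF."""
    body = b"".join(bytes([code, len(val)]) + val for code, val in opts)
    return MAGIC_COOKIE + body + bytes([OPT_END])

def build(op, xid, chaddr, opts, yiaddr="0.0.0.0", siaddr="0.0.0.0",
          giaddr="0.0.0.0", hops=0):
    """BOOTP header (op, htype=Ethernet, hlen=6, hops, xid, secs, flags, ciaddr,
    yiaddr, siaddr, giaddr, chaddr, sname, file) followed by the options."""
    mac = bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\x00")
    hdr = struct.pack(BOOTP_FMT, op, 1, 6, hops, xid, 0, 0,
                      ip_bytes("0.0.0.0"), ip_bytes(yiaddr), ip_bytes(siaddr),
                      ip_bytes(giaddr), mac, b"\x00" * 64, b"\x00" * 128)
    return hdr + encode_options(opts)

def parse(pkt):
    """Return the header fields plus a {code: value} dict of the options."""
    f = struct.unpack(BOOTP_FMT, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                     # pad option has no length byte
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "yiaddr": ip_str(f[8]), "siaddr": ip_str(f[9]), "giaddr": ip_str(f[10]),
            "chaddr": ":".join(f"{b:02x}" for b in f[11][:f[2]]), "options": opts}

def client_discover(xid, mac, hostname="PC1"):
    """The PC's Discover: op=BOOTREQUEST, all addresses 0, options 53/61/12/60/55.
    On the wire it travels 0.0.0.0:68 -> 255.255.255.255:67 as an L2 broadcast."""
    opts = [(OPT_MSG_TYPE, bytes([DISCOVER])),
            (61, b"\x01" + bytes.fromhex(mac.replace(":", ""))),  # client identifier
            (12, hostname.encode()),                               # host name
            (60, b"MSFT 5.0"),                                     # vendor class (constructed)
            (OPT_PARAM_LIST, bytes([OPT_SUBNET, OPT_ROUTER, 6, 15]))]
    return build(BOOTREQUEST, xid, mac, opts)

def relay_to_server(pkt, relay_ip):
    """What 'ip helper-address' does on the SVI: stamp giaddr with the SVI IP
    (only if no earlier relay set it), bump hops, and unicast it 67 -> 67."""
    p = parse(pkt)
    if p["giaddr"] == "0.0.0.0":
        pkt = pkt[:24] + ip_bytes(relay_ip) + pkt[28:]   # giaddr sits at offset 24
    pkt = pkt[:3] + bytes([p["hops"] + 1]) + pkt[4:]      # hops sits at offset 3
    return pkt, {"src_ip": relay_ip, "sport": 67, "dport": 67}

def server_offer(discover, server_ip, yiaddr, gw, mask, lease):
    """Server's Offer: same xid/chaddr, yiaddr filled in, giaddr echoed so the
    relay knows which subnet to broadcast it back into."""
    d = parse(discover)
    opts = [(OPT_MSG_TYPE, bytes([OFFER])), (OPT_SERVER_ID, ip_bytes(server_ip)),
            (OPT_SUBNET, ip_bytes(mask)), (OPT_ROUTER, ip_bytes(gw)),
            (OPT_LEASE, struct.pack("!I", lease))]
    return build(BOOTREPLY, d["xid"], d["chaddr"], opts,
                 yiaddr=yiaddr, siaddr=server_ip, giaddr=d["giaddr"])

def wlc_proxy(offer, virtual_ip):
    """WLC DHCP proxy: rewrite siaddr and option 54 to the virtual interface IP,
    so the client records the WLC, not the real server, as its DHCP server."""
    p = parse(offer)
    opts = [(c, ip_bytes(virtual_ip) if c == OPT_SERVER_ID else v)
            for c, v in p["options"].items()]
    return build(BOOTREPLY, p["xid"], p["chaddr"], opts,
                 yiaddr=p["yiaddr"], siaddr=virtual_ip)

def offer_is_trusted(offer, trusted_servers):
    """One Offer judged the way DHCP snooping judges an untrusted port: accept
    only a BOOTREPLY Offer whose server identifier is a known DHCP server."""
    p = parse(offer)
    sid = p["options"].get(OPT_SERVER_ID)
    return (p["op"] == BOOTREPLY and p["options"].get(OPT_MSG_TYPE) == bytes([OFFER])
            and sid is not None and ip_str(sid) in trusted_servers)
```

Run `client_discover`, pass the result through `relay_to_server("10.10.13.1")` and `server_offer(... "192.168.200.1" ...)`, then `parse` each stage and you can match every field against the Wireshark captures above: giaddr turns into the vlan 13 SVI address on the relayed Discover, the Offer carries options 1, 3, 51 and 54, and after `wlc_proxy(offer, "126.96.36.199")` option 54 and siaddr show the virtual interface IP the wireless client later reports as its DHCP server. `offer_is_trusted` is the per-Offer form of the decision the post defers to DHCP snooping: an Offer from a server identifier that is not on the allow list is dropped rather than handed to the client.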