Debugging DHCP and the IP HELPER in Cisco IOS

When deploying VLANs in enterprise networks, you often find that you have to provide access to a core DHCP server. In IOS you can do this with the IP HELPER command (ip helper-address), which defines the address of the DHCP server within the VLAN interface configuration, as I show below, where 192.0.0.3 is the DHCP server:


interface Vlan10
 description HQ Staff Network
 ip address 192.0.1.254 255.255.255.0
 ip helper-address 192.0.0.3
!
interface Vlan50
 description Wireless Vlan
 ip address 192.0.5.254 255.255.255.0
 ip helper-address 192.0.0.3

Using the DEBUG IP DHCP SERVER PACKET command, we can see what happens when a client device makes a DHCP request for an IP address:


002121: *Apr 29 17:37:55.549: DHCPD: Reload workspace interface Vlan10 tableid 0.
002122: *Apr 29 17:37:55.549: DHCPD: tableid for 192.0.1.254 on Vlan10 is 0
002123: *Apr 29 17:37:55.549: DHCPD: client's VPN is .
002124: *Apr 29 17:37:55.549: DHCPD: using received relay info.
002125: *Apr 29 17:37:55.549: DHCPD: Looking up binding using address 192.0.1.254
002126: *Apr 29 17:37:55.549: DHCPD: setting giaddr to 192.0.1.254.
002127: *Apr 29 17:37:55.549: DHCPD: BOOTREQUEST from 0100.248c.6e62.52 forwarded to 192.0.0.3.

The switch (in this case) sees the incoming DHCP broadcast and knows it has to help the device get an IP address. It forwards the packet to the DHCP server at the address given in the IP HELPER command and inserts its own address on the device VLAN into the packet that it sends to the DHCP server. This address is placed in the GI (Gateway Information) field, shown as giaddr in the debug output above, and the DHCP server uses the value in that field to determine which scope on the server should handle the request.

At one recent site, devices in a newly defined VLAN were not getting an IP address assigned. The helper address was correct, and the administrator said the DHCP server was set up in the same way as scopes for other VLANs. I could see the BOOTREQUESTs being forwarded, but I could see no replies. Since the DHCP server was in a VLAN directly served off the same switch, and there were no access control lists in the way, it had to be an issue with the server. The scope looked identical to all the other scopes on the server – until I noticed that it had been set up to serve only BOOTP requests. BOOTP is not DHCP. The default service parameter in Windows 2008 R2 DHCP server is Automatic, which serves BOOTP and DHCP. Fat fingers had mistakenly caused only BOOTP to be selected. Once changed, the reply from the server was seen:


003119: *Apr 29 18:08:50.052: DHCPD: Reload workspace interface Vlan10 tableid 0.
003120: *Apr 29 18:08:50.052: DHCPD: tableid for 192.0.1.254 on Vlan10 is 0
003121: *Apr 29 18:08:50.052: DHCPD: client's VPN is .
003122: *Apr 29 18:08:50.052: DHCPD: using received relay info.
003123: *Apr 29 18:08:50.052: DHCPD: Looking up binding using address 192.0.1.254
003124: *Apr 29 18:08:50.052: DHCPD: setting giaddr to 192.0.1.254.
003125: *Apr 29 18:08:50.052: DHCPD: BOOTREQUEST from 0100.248c.6e62.52 forwarded to 192.0.0.3.

003129: *Apr 29 18:08:52.972: DHCPD: forwarding BOOTREPLY to client 0024.8c6e.6252.
003130: *Apr 29 18:08:52.972: DHCPD: no option 125
003131: *Apr 29 18:08:52.972: DHCPD: Check for IPe on Vlan10
003132: *Apr 29 18:08:52.972: DHCPD: creating ARP entry (192.0.1.100, 0024.8c6e.6252).
003133: *Apr 29 18:08:52.972: DHCPD: unicasting BOOTREPLY to client 0024.8c6e.6252 (192.0.1.100).
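
The symptom described above (BOOTREQUESTs relayed, no BOOTREPLY coming back) can be picked out of a saved debug capture automatically. The following is an added example, not part of the original post: the function names and the second client in the sample are constructed for illustration, and the line formats are assumed to match the debug output shown on this page.

```python
import re

# Constructed sample in the debug format shown above. The second client
# (0100.1122.3344.55) is made up and never receives a reply.
SAMPLE = """\
003125: *Apr 29 18:08:50.052: DHCPD: BOOTREQUEST from 0100.248c.6e62.52 forwarded to 192.0.0.3.
003129: *Apr 29 18:08:52.972: DHCPD: forwarding BOOTREPLY to client 0024.8c6e.6252.
003140: *Apr 29 18:09:01.101: DHCPD: BOOTREQUEST from 0100.1122.3344.55 forwarded to 192.0.0.3.
003150: *Apr 29 18:09:05.204: DHCPD: BOOTREQUEST from 0100.1122.3344.55 forwarded to 192.0.0.3.
"""

REQ = re.compile(r"BOOTREQUEST from ([0-9a-f.]+) forwarded to ([\d.]+)", re.I)
REP = re.compile(r"BOOTREPLY to client ([0-9a-f.]+)", re.I)

def client_mac(ident):
    """Reduce a logged client identifier or MAC to 12 lowercase hex digits.

    Request lines log the client identifier, which for Ethernet is hardware
    type 01 followed by the MAC; reply lines log the bare MAC.
    """
    h = ident.replace(".", "").lower()
    if len(h) == 14 and h.startswith("01"):
        h = h[2:]
    return h

def unanswered(log_text):
    """Return {mac: (helper_address, request_count)} for clients with no reply."""
    pending = {}
    for line in log_text.splitlines():
        m = REQ.search(line)
        if m:
            mac = client_mac(m.group(1))
            server = m.group(2).rstrip(".")  # drop the sentence-ending period
            pending[mac] = (server, pending.get(mac, (server, 0))[1] + 1)
            continue
        m = REP.search(line)
        if m:
            # A reply clears everything outstanding for that client.
            pending.pop(client_mac(m.group(1)), None)
    return pending

if __name__ == "__main__":
    for mac, (server, n) in unanswered(SAMPLE).items():
        print(f"{mac}: {n} request(s) relayed to {server}, no reply seen")
```

A client that stays in the result after several relayed requests points at the server or the path to it, which is where the BOOTP-only scope in this case was found.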

One thought on “Debugging DHCP and the IP HELPER in Cisco IOS”

  1. Festo May 10, 2016 at 10:21 am

    Thanks! 😉
