DHCP - Dynamic Host Configuration Protocol N10-009

Slide 1 of 10  |  N10-009 Obj 3.4  |  Network Operations
DHCP: Dynamic Host Configuration
IP Addressing on Autopilot
Four messages. Four seconds. A fully configured network stack.
A new employee plugs in their laptop. Within seconds they have an IP address, subnet mask, default gateway, and DNS server — all without touching a single configuration dialog. Over the next 10 slides we will trace every step of that process, understand what can go wrong, and learn how to fix it.
10 slides  |  N10-009 Obj 3.4  |  Application Layer (Layer 7)  |  Ports 67/68 UDP
Slide 2 of 10
What DHCP Does — and Why It Exists
Before DHCP, every device needed manual IP configuration. DHCP automated that entirely — and added lease management on top.
The Core Job
DHCP (Dynamic Host Configuration Protocol) automatically assigns IP configuration to clients when they connect to the network. The client does not need to know anything — it broadcasts a request and receives a fully configured set of parameters in response.
What Gets Configured
A DHCP server can assign: IP address, subnet mask, default gateway, DNS servers, domain name, NTP server, WINS server, and more — all delivered via DHCP options in a single message.
Ports
DHCP uses UDP. Server listens on port 67. Client sends from port 68. Both Discover and Request messages are broadcast because the client has no IP yet.
New Employee's Laptop — After DHCP
IP Address: 192.168.10.45
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.10.1
DNS Server: 10.10.1.1
Lease Duration: 8 hours
Every one of those values was delivered by the DHCP server automatically — no IT desk visit, no manual entry, no static assignment required. The employee is on the network and fully routable within seconds of plugging in.
Slide 3 of 10
The DORA Process
Four messages. This is the entire IP address negotiation. Every step has a specific sender, receiver, and payload.
D
Discover
Client → Network
"Is there a DHCP server out there?"
BROADCAST
O
Offer
Server → Client
"Here is an IP offer: 192.168.10.45"
BROADCAST
R
Request
Client → Network
"I accept that offer. Confirming server."
BROADCAST
A
Acknowledge
Server → Client
"Confirmed. Lease starts now."
UNICAST
Why Discover and Request are broadcast: The client has no IP address yet — it cannot send unicast packets with a valid source IP. It broadcasts so every device on the segment receives the message. The server is the only one that responds. The final ACK is unicast because the server now knows the client's MAC address.
Multiple DHCP servers? If more than one server responds to a Discover with an Offer, the client picks the first one it receives and sends a broadcast Request naming that specific server (so the other servers know their offer was declined and can reclaim the reserved address).
Slide 4 of 10
DHCP Scope — Pool, Exclusions, Reservations
A scope defines what addresses the DHCP server can give out and how. Three components build the scope.
Scope components (Component / What It Is / Example / Why It Matters):
Component: Pool (Range)
  What it is: The full block of IPs the server can assign
  Example: 192.168.10.1 to 192.168.10.254
  Why it matters: Defines the maximum capacity for dynamic assignment in a subnet
Component: Exclusions
  What it is: Addresses inside the pool that the server will never assign
  Example: .1 (gateway), .2 (switch), .10 (server)
  Why it matters: Prevents DHCP from handing out IPs already in use by static devices
Component: Reservations
  What it is: Specific IP always assigned to a specific MAC address
  Example: Printer at 192.168.10.50 always gets the same IP
  Why it matters: Gives a device a predictable IP while keeping the convenience of DHCP delivery
Component: Lease Time
  What it is: How long a client may use the assigned IP before renewal
  Example: 8 hours (campus), 7 days (office), 1 hour (hotel/guest)
  Why it matters: Controls how quickly IPs are recycled back to the pool after a device leaves
The new employee's laptop was handed 192.168.10.45 — a dynamic address from the pool, above the exclusion range. If they were in IT and needed a predictable IP for remote access, the network team would add a reservation mapping their MAC address to a specific IP.
Slide 5 of 10
Lease Lifecycle — Renewal and Expiry
A DHCP lease is not permanent. The client must renew it or lose the address. Understanding the timeline explains why IPs go stale.
Lease timeline: Using Lease | T1 Renew | T2 Rebind | Grace / Expire
0% to 50%: active use, no action needed. 50%: T1. 87.5%: T2. 100%: expired.
Active Phase
Client uses the IP normally. No renewal needed until 50% of the lease time has elapsed.
T1 — Renewal (50%)
Client unicasts a renewal request to its original server. If the server responds, the lease timer resets. This is the normal renewal path.
T2 — Rebind (87.5%)
Original server did not respond. Client broadcasts to any DHCP server. It will accept a new lease from any server at this point.
Expiry
No server responded. Client loses the IP, falls to APIPA (169.254.x.x), and starts the full DORA process again from scratch.
APIPA (Automatic Private IP Addressing): Windows assigns an address from 169.254.0.0/16 (169.254.x.x) when DHCP fails. The client can communicate with other APIPA devices on the local segment but cannot reach the gateway or any routed network. Seeing 169.254.x.x on a client is always a DHCP failure indicator.
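Worked example (added here; it is not part of the slide deck): the lease timeline above as a small state machine. The lease values are constructed to match the laptop from slide 2 (8-hour lease, server 10.10.1.5 is an assumed address), T1 and T2 use the RFC 2131 defaults of 50% and 87.5%, and the APIPA check is the diagnostic from the paragraph above.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed sample: the laptop from the slides holds an 8-hour lease.
LEASE_SECONDS = 8 * 3600


@dataclass(frozen=True)
class Lease:
    address: str
    server: str          # server that granted the lease (assumed address in the sample)
    lease_seconds: int
    start: float         # time the ACK arrived, in epoch seconds

    @property
    def t1(self) -> float:
        # RFC 2131 default: renewal timer fires at 50% of the lease
        return self.start + 0.5 * self.lease_seconds

    @property
    def t2(self) -> float:
        # RFC 2131 default: rebinding timer fires at 87.5% of the lease
        return self.start + 0.875 * self.lease_seconds

    @property
    def expiry(self) -> float:
        return self.start + self.lease_seconds


def lease_state(lease: Lease, now: float) -> Tuple[str, str]:
    """Return (state, what the client does) for the lease at time `now`."""
    if now < lease.t1:
        return ("BOUND", "use the address; no DHCP traffic needed")
    if now < lease.t2:
        return ("RENEWING", f"unicast DHCPREQUEST to {lease.server}")
    if now < lease.expiry:
        return ("REBINDING", "broadcast DHCPREQUEST so any server may answer")
    return ("EXPIRED", "drop the address, self-assign APIPA, restart DORA")


def renew(lease: Lease, now: float, server: Optional[str] = None) -> Lease:
    """An ACK while RENEWING or REBINDING restarts the clock (a rebind may change servers)."""
    return replace(lease, start=now, server=server or lease.server)


APIPA = ipaddress.ip_network("169.254.0.0/16")


def is_apipa(address: str) -> bool:
    """True when the client fell back to link-local addressing, i.e. DHCP failed."""
    return ipaddress.ip_address(address) in APIPA


def diagnose(address: str) -> str:
    if is_apipa(address):
        return "DHCP failure: check server reachability, relay (ip helper-address) and scope"
    return "address came from DHCP or static configuration"


if __name__ == "__main__":
    lease = Lease("192.168.10.45", "10.10.1.5", LEASE_SECONDS, start=0.0)
    for hours in (0, 3, 4, 6, 7, 8):
        print(f"{hours:>2}h: {lease_state(lease, hours * 3600)}")
    print(diagnose("169.254.12.7"))
```

Running it prints BOUND for hours 0 and 3, RENEWING at 4 and 6, REBINDING at 7 and EXPIRED at 8, which is the 50% / 87.5% / 100% timeline above expressed in wall-clock hours.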
Slide 6 of 10
DHCP Options — More Than Just an IP
DHCP delivers network configuration through numbered options. Several appear on the exam. Know which number maps to which setting.
Option 1
Subnet Mask
The prefix length delivered alongside the IP address. e.g., 255.255.255.0 for /24.
Option 3
Default Gateway
The router IP clients use to reach networks outside their subnet. Critical for routing.
Option 6
DNS Servers
IP(s) of the DNS resolver(s). Without this, clients cannot resolve hostnames.
Option 15
Domain Name
The DNS domain appended to unqualified hostnames. e.g., "company.com".
Option 42
NTP Server
Network Time Protocol server address. Ensures clients have accurate time for logs and Kerberos.
Option 51
Lease Time
How long (in seconds) the client may use the assigned IP before renewal is required.
Exam focus: Option 3 (gateway) and Option 6 (DNS) appear most frequently. A misconfigured Option 3 means clients cannot leave their subnet. A missing Option 6 means clients get an IP but cannot resolve any hostnames.
The new employee gets an IP (pool assignment). They get a gateway (Option 3). They get a DNS server (Option 6). That is why intranet.company.com resolves — assuming the internal DNS server is correctly pointed to by Option 6.
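Worked example (added here; not code from the slide deck) covering both the DORA messages on slide 3 and the numbered options above: a minimal DHCP encoder and decoder. It packs the fixed BOOTP header, the magic cookie and the TLV option list, then parses a message back, decoding options 1, 3, 6, 15, 42, 51 and 53 the way a client would. The transaction ID, client MAC and server address 10.10.1.5 are constructed sample values; the rest of the laptop's configuration is taken from slide 2.

```python
import socket
import struct
from typing import Any, Dict, List, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
SERVER_PORT, CLIENT_PORT = 67, 68
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5        # option 53 message types
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"             # fixed 236-byte BOOTP header


def _ip(addr: str) -> bytes:
    return socket.inet_aton(addr)


def build(op: int, xid: int, mac: str, options: List[Tuple[int, bytes]],
          yiaddr="0.0.0.0", siaddr="0.0.0.0", giaddr="0.0.0.0", broadcast=False) -> bytes:
    """Serialise one DHCP message: BOOTP header, magic cookie, TLV options, end marker."""
    chaddr = bytes.fromhex(mac.replace(":", ""))
    flags = 0x8000 if broadcast else 0            # client asks for broadcast replies
    header = struct.pack(HEADER, op, 1, 6, 0, xid, 0, flags,
                         _ip("0.0.0.0"), _ip(yiaddr), _ip(siaddr), _ip(giaddr),
                         chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + b"\xff"


def _decode(code: int, value: bytes) -> Any:
    if code in (1, 54):                           # subnet mask, server identifier
        return socket.inet_ntoa(value)
    if code in (3, 6, 42):                        # gateway, DNS, NTP: lists of IPs
        return [socket.inet_ntoa(value[i:i + 4]) for i in range(0, len(value), 4)]
    if code == 15:                                # domain name
        return value.decode("ascii")
    if code in (51, 53):                          # lease seconds, message type
        return int.from_bytes(value, "big")
    return value.hex()                            # anything else: keep raw


def parse(packet: bytes) -> Dict[str, Any]:
    """Parse header and options, refusing malformed input instead of reading past the buffer."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (short or missing magic cookie)")
    f = struct.unpack(HEADER, packet[:236])
    msg = {"op": f[0], "xid": f[4], "broadcast": bool(f[6] & 0x8000),
           "yiaddr": socket.inet_ntoa(f[8]), "giaddr": socket.inet_ntoa(f[10]),
           "chaddr": ":".join(f"{b:02x}" for b in f[11][:f[2]]), "options": {}}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 255:                           # end option
            break
        if code == 0:                             # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("option header truncated")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        msg["options"][code] = _decode(code, value)
        i += 2 + length
    return msg


def laptop_discover() -> bytes:
    """Client side: the broadcast Discover that starts DORA (constructed xid and MAC)."""
    return build(BOOTREQUEST, 0x3903F326, "aa:bb:cc:dd:ee:01",
                 [(53, bytes([DISCOVER]))], broadcast=True)


def laptop_ack() -> Dict[str, Any]:
    """Server side: the ACK carrying the slide-2 configuration, parsed as the client would."""
    options = [(53, bytes([ACK])),
               (54, _ip("10.10.1.5")),             # server identifier (constructed)
               (1, _ip("255.255.255.0")),
               (3, _ip("192.168.10.1")),
               (6, _ip("10.10.1.1")),
               (15, b"company.com"),
               (42, _ip("10.10.1.5")),             # NTP server (constructed)
               (51, (8 * 3600).to_bytes(4, "big"))]
    ack = build(BOOTREPLY, 0x3903F326, "aa:bb:cc:dd:ee:01",
                options, yiaddr="192.168.10.45", siaddr="10.10.1.5")
    return parse(ack)


if __name__ == "__main__":
    for code, value in sorted(laptop_ack()["options"].items()):
        print(f"option {code:>3}: {value}")
```

The parser checks each option's declared length against the bytes actually present; a real client or server that skips that check can be made to read past the end of the buffer by a truncated packet, which is exactly the kind of input a DHCP listener on UDP 67/68 receives unauthenticated.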
Slide 7 of 10
DHCP Relay & IP Helper
Broadcasts do not cross routers. A single DHCP server serving multiple subnets requires relay agents — one on every remote segment.
Relay topology (diagram):
  New Laptop (Subnet B: 10.20.x.x) broadcasts Discover
    → Router / L3 Switch acting as Relay Agent, configured with "ip helper-address 10.10.1.5" (the broadcast stops here)
    → forwarded as unicast
    → DHCP Server 10.10.1.5 on Subnet A, which serves both subnets
How It Works
The DHCP relay agent (configured on a router or Layer 3 switch) intercepts the broadcast Discover from the client. It rewrites it as a unicast packet and forwards it to the DHCP server's IP address. The server sees the relay's source IP and knows which scope to use. The reply travels unicast back through the relay to the client.
IP Helper Address (Cisco)
Configured per-interface on the router:
ip helper-address 10.10.1.5

This command forwards several UDP broadcast services to the specified IP, including DHCP (ports 67/68), DNS (53), TFTP (69), and others. The server must have a matching scope for each subnet the relay represents.
Without a relay agent, every floor or building subnet would need its own DHCP server. With one relay per remote subnet pointing at a central DHCP server, a single server can manage address assignment across the entire enterprise.
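Worked example (added here; not code from the slide deck) that ties the scope components from slide 4 to the relay behaviour above: a toy DHCP server that picks a scope by the relay address carried in the Discover (giaddr, which is 0.0.0.0 for a client on the server's own subnet), then allocates an address honouring exclusions and MAC reservations. The scopes, the relay interface 192.168.10.1, the printer MAC and the subnet-A pool are constructed; the exclusions and the printer reservation come from slide 4.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional


class Scope:
    """One address pool with exclusions, MAC reservations and per-scope options."""

    def __init__(self, subnet: str, pool_start: str, pool_end: str, router: str, dns: str,
                 lease_seconds: int, exclusions: Iterable[str] = (),
                 reservations: Optional[Dict[str, str]] = None):
        self.network = ipaddress.ip_network(subnet)
        first, last = int(ipaddress.ip_address(pool_start)), int(ipaddress.ip_address(pool_end))
        self.pool = [ipaddress.ip_address(i) for i in range(first, last + 1)]
        self.exclusions = {ipaddress.ip_address(a) for a in exclusions}
        self.reservations = {m.lower(): ipaddress.ip_address(ip)
                             for m, ip in (reservations or {}).items()}
        self.router, self.dns, self.lease_seconds = router, dns, lease_seconds
        self.leases: Dict[str, ipaddress.IPv4Address] = {}     # client MAC -> leased IP


class DhcpServer:
    def __init__(self, scopes: List[Scope], local_subnet: str):
        self.scopes = scopes
        self.local = ipaddress.ip_network(local_subnet)   # subnet of the server's own interface

    def select_scope(self, giaddr: str) -> Optional[Scope]:
        """Relayed Discovers carry the relay interface IP in giaddr; 0.0.0.0 means it arrived directly."""
        key = ipaddress.ip_address(giaddr) if giaddr != "0.0.0.0" else self.local.network_address
        return next((s for s in self.scopes if key in s.network), None)

    def allocate(self, mac: str, giaddr: str = "0.0.0.0") -> Dict[str, object]:
        scope = self.select_scope(giaddr)
        if scope is None:
            raise LookupError(f"no scope matches relay address {giaddr}; check ip helper-address")
        mac = mac.lower()
        if mac in scope.leases:                       # returning client keeps its address
            ip = scope.leases[mac]
        elif mac in scope.reservations:               # fixed MAC-to-IP mapping wins over the pool
            ip = scope.reservations[mac]
        else:
            taken = set(scope.leases.values()) | scope.exclusions | set(scope.reservations.values())
            ip = next((a for a in scope.pool if a not in taken), None)   # lowest free address
            if ip is None:
                raise RuntimeError(f"scope {scope.network} exhausted")
        scope.leases[mac] = ip
        return {"yiaddr": str(ip), "subnet_mask": str(scope.network.netmask),
                "router": scope.router, "dns": scope.dns, "lease_seconds": scope.lease_seconds}


def build_server() -> DhcpServer:
    # Constructed scopes: the server sits on subnet A (10.10.1.0/24) and also serves the
    # laptop's 192.168.10.0/24 through a relay whose interface is 192.168.10.1.
    office = Scope("192.168.10.0/24", "192.168.10.1", "192.168.10.254",
                   router="192.168.10.1", dns="10.10.1.1", lease_seconds=8 * 3600,
                   exclusions=["192.168.10.1", "192.168.10.2", "192.168.10.10"],
                   reservations={"00:11:22:33:44:50": "192.168.10.50"})   # printer, constructed MAC
    local = Scope("10.10.1.0/24", "10.10.1.100", "10.10.1.200",
                  router="10.10.1.1", dns="10.10.1.1", lease_seconds=7 * 24 * 3600)
    return DhcpServer([office, local], local_subnet="10.10.1.0/24")


if __name__ == "__main__":
    server = build_server()
    print(server.allocate("aa:bb:cc:dd:ee:01", giaddr="192.168.10.1"))   # relayed laptop
    print(server.allocate("00:11:22:33:44:50", giaddr="192.168.10.1"))   # reserved printer
    print(server.allocate("aa:bb:cc:dd:ee:02"))                          # direct client on subnet A
```

Two things the toy makes visible: a relay pointing at a server that has no scope for that subnet gets a lookup failure rather than an address (the "matching scope for each subnet" requirement above), and the reserved printer address is never handed to a dynamic client even before the printer has asked for it.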
Slide 8 of 10
DHCPv6 vs SLAAC
IPv6 introduced a new auto-configuration method that does not require a DHCP server at all. Both approaches appear on the exam.
DHCPv6 — Stateful
Works like DHCPv4 with a server that allocates and tracks each address. Uses Solicit / Advertise / Request / Reply (SARR — analogous to DORA). Delivers full options including DNS. Uses UDP ports 546 (client) and 547 (server). The router sends Router Advertisements with the M flag set (Managed) to tell clients to use DHCPv6.
SLAAC — Stateless
Stateless Address Autoconfiguration. The client generates its own IPv6 address using the network prefix from a Router Advertisement combined with its interface identifier (from MAC or randomly generated per RFC 7217). No DHCP server required. The O flag (Other) in RA tells the client to get options like DNS from DHCPv6 while generating its own address.
RA Flags Summary
M=1, O=1 Full DHCPv6 — stateful. Server provides address and options.
M=0, O=1 SLAAC for address, DHCPv6 for options (DNS) only.
M=0, O=0 Pure SLAAC. Client configures everything from RA prefix only.
Key Difference for the Exam
DHCPv6 is stateful — the server tracks which address went to which client. SLAAC is stateless — the client self-assigns and no server records the allocation. If you need to audit which device has which IPv6 address, you need DHCPv6.
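Worked example (added here; not code from the slide deck): the RA flag table above as a decision function, plus the SLAAC address formation it describes, using the modified EUI-64 interface identifier (insert ff:fe into the MAC and flip the universal/local bit). The prefix 2001:db8:10:20::/64 and the MAC 00:1b:63:84:45:e6 are constructed sample values; RFC 7217 stable-privacy identifiers are not implemented, only recognised as "not EUI-64".

```python
import ipaddress
from typing import Dict, Tuple

RA_FLAG_MANAGED = 0x80    # M bit in the Router Advertisement flags octet
RA_FLAG_OTHER = 0x40      # O bit


def parse_ra_flags(flags_byte: int) -> Tuple[bool, bool]:
    """Return (M, O) from the flags octet of an ICMPv6 Router Advertisement."""
    return bool(flags_byte & RA_FLAG_MANAGED), bool(flags_byte & RA_FLAG_OTHER)


def client_plan(m: bool, o: bool) -> Dict[str, str]:
    """What the client does for its address and its options, per the RA flag table."""
    if m:
        return {"address": "DHCPv6 server (stateful)", "options": "DHCPv6"}
    if o:
        return {"address": "SLAAC (self-generated)", "options": "DHCPv6 (stateless: DNS etc.)"}
    return {"address": "SLAAC (self-generated)", "options": "RA prefix only"}


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: split the MAC, insert ff:fe, flip bit 1 of the first octet."""
    octets = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02
    return int.from_bytes(octets[:3] + b"\xff\xfe" + octets[3:], "big")


def slaac_address(prefix: str, mac: str) -> str:
    """Address the client forms from the RA prefix plus its EUI-64 interface identifier."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC address formation needs a /64 prefix")
    return str(ipaddress.ip_address(int(net.network_address) | eui64_interface_id(mac)))


def is_eui64(address: str) -> bool:
    """Audit helper: True if the low 64 bits carry the ff:fe marker of an EUI-64 identifier.
    Random or RFC 7217 identifiers return False, which is why SLAAC leaves no server-side
    record linking device to address."""
    iid = int(ipaddress.ip_address(address)) & ((1 << 64) - 1)
    return iid.to_bytes(8, "big")[3:5] == b"\xff\xfe"


if __name__ == "__main__":
    for flags in (0xC0, 0x40, 0x00):
        m, o = parse_ra_flags(flags)
        print(f"M={int(m)}, O={int(o)}: {client_plan(m, o)}")
    addr = slaac_address("2001:db8:10:20::/64", "00:1b:63:84:45:e6")
    print(addr, "EUI-64" if is_eui64(addr) else "privacy identifier")
```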
Slide 9 of 10
Rogue DHCP Server — The Invisible Threat
Any device on the network can respond to a DHCP Discover. If an attacker or misconfigured device does so first, every client it answers gets poisoned configuration.
The Attack
How It Starts: Attacker connects a rogue device (or compromised host) with DHCP server software running. May be accidental (someone brought a home router) or intentional.
Poisoned Options: Rogue server sends Option 3 (gateway) pointing to attacker's machine. All client traffic now routes through the attacker. This is a man-in-the-middle at Layer 3.
DNS Hijack: Rogue server sends Option 6 (DNS) pointing to a malicious resolver. Clients resolve hostnames to attacker-controlled IPs. Phishing at infrastructure level.
DoS Variant: Rogue server hands out duplicate IPs or an exhausted pool, causing IP conflicts and connectivity failures across the segment.
Defenses
DHCP Snooping: Switch feature. Designates trusted ports (uplinks, known DHCP server ports). Drops DHCP Offer/ACK messages arriving on untrusted ports. This is the primary mitigation.
Dynamic ARP Inspection (DAI): Pairs with DHCP snooping. Validates ARP packets against the snooping binding table, preventing ARP spoofing from an attacker who bypassed DHCP snooping.
802.1X: Port-based authentication. A device cannot send any traffic (including DHCP) until it has successfully authenticated. Prevents unauthorized devices entirely.
Monitoring: Alerts on unexpected DHCP server traffic. Baseline the expected DHCP servers and alert on any Offer from an unknown source IP or MAC.
Exam tip: DHCP snooping is the specific answer to "rogue DHCP server." Know that it works by marking switchports as trusted or untrusted and blocking server responses from untrusted ports.
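Worked example (added here; not code from the slide deck) of the three switch- and SOC-side defenses above: a model of DHCP snooping with trusted/untrusted ports, the binding table it builds from forwarded ACKs, Dynamic ARP Inspection checking ARP against that table, and a monitoring routine that flags Offer/ACK messages from any server not in a baseline. Port names, MAC addresses, the rogue address 192.168.10.99 and the log line format are all constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}         # only a DHCP server legitimately sends these


class SnoopingSwitch:
    """Models DHCP snooping plus Dynamic ARP Inspection on one access switch."""

    def __init__(self, trusted_ports: Set[str]):
        self.trusted = set(trusted_ports)
        self.pending: Dict[str, str] = {}                # client MAC -> access port it spoke on
        self.bindings: Dict[str, Tuple[str, str]] = {}   # client MAC -> (leased IP, port)
        self.events: List[str] = []

    def dhcp(self, port: str, msg_type: str, client_mac: str, yiaddr: str = "") -> str:
        client_mac = client_mac.lower()
        if msg_type in SERVER_MSGS:
            if port not in self.trusted:                 # server reply on an access port: rogue
                self.events.append(f"DROP {msg_type} on untrusted {port} aimed at {client_mac}")
                return "DROP"
            if msg_type == "ACK" and client_mac in self.pending:
                # A forwarded ACK completes the binding: MAC, the IP it was given, its port.
                self.bindings[client_mac] = (yiaddr, self.pending.pop(client_mac))
        else:
            self.pending[client_mac] = port              # DISCOVER/REQUEST from an access port
        return "FORWARD"

    def arp_ok(self, port: str, sender_mac: str, sender_ip: str) -> bool:
        """DAI: an ARP packet on an untrusted port is valid only if MAC, IP and port match a binding."""
        if port in self.trusted:
            return True
        return self.bindings.get(sender_mac.lower()) == (sender_ip, port)


LOG_RE = re.compile(r"DHCP(?P<type>OFFER|ACK|NAK) from (?P<ip>[\d.]+) \((?P<mac>[0-9a-f:]{17})\)")


def audit_offers(log_lines: List[str], known_servers: Dict[str, str]) -> List[str]:
    """Monitoring: flag server messages whose source IP/MAC pair is not in the baseline."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        if known_servers.get(m["ip"]) != m["mac"].lower():
            alerts.append(f"unknown DHCP server {m['ip']} ({m['mac']}) sent {m['type']}")
    return alerts


# Constructed sample log lines in the format the regex above expects.
SAMPLE_LOG = [
    "Mar  1 08:00:01 core-sw dhcp: DHCPOFFER from 10.10.1.5 (00:11:22:33:44:55) to aa:bb:cc:dd:ee:01",
    "Mar  1 08:00:02 core-sw dhcp: DHCPOFFER from 192.168.10.99 (de:ad:be:ef:00:01) to aa:bb:cc:dd:ee:01",
    "Mar  1 08:00:03 core-sw dhcp: DHCPACK from 10.10.1.5 (00:11:22:33:44:55) to aa:bb:cc:dd:ee:01",
]
KNOWN_SERVERS = {"10.10.1.5": "00:11:22:33:44:55"}   # constructed baseline of legitimate servers


if __name__ == "__main__":
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/24"})   # the uplink toward the real DHCP server
    sw.dhcp("Gi1/0/5", "DISCOVER", "aa:bb:cc:dd:ee:01")
    print(sw.dhcp("Gi1/0/7", "OFFER", "aa:bb:cc:dd:ee:01", "192.168.10.200"))   # rogue on access port
    print(sw.dhcp("Gi1/0/24", "ACK", "aa:bb:cc:dd:ee:01", "192.168.10.45"))
    print(sw.arp_ok("Gi1/0/5", "aa:bb:cc:dd:ee:01", "192.168.10.45"))
    for alert in audit_offers(SAMPLE_LOG, KNOWN_SERVERS):
        print("ALERT:", alert)
```

The binding table is what makes the two features compose: snooping decides which replies reach clients, and DAI reuses the resulting MAC/IP/port records to reject ARP claims that do not match a lease, so a rogue that never got its Offer through also cannot impersonate the gateway at Layer 2.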
Slide 10 of 10  |  N10-009 Obj 3.4
The Laptop Is Online
The new employee plugged in their laptop. Here is every step that happened in those first few seconds:

The NIC came up and broadcast a DHCP Discover from UDP port 68 to port 67 at 255.255.255.255. The DHCP server on a remote subnet received it via the router's relay agent (ip helper-address). The server found an available IP in the scope, checked it against exclusions and reservations, and sent a DHCP Offer back through the relay. The laptop accepted with a DHCP Request. The server confirmed with an ACK delivering the IP, mask, Option 3 gateway, and Option 6 DNS servers. The lease clock started.

The employee can now reach intranet.company.com — assuming the DNS server (Option 6) is the internal authoritative server with the correct A record. That is where DNS picks up where DHCP leaves off.
1. DORA: Discover (broadcast) → Offer (broadcast) → Request (broadcast) → ACK (unicast). Ports 67/68 UDP.
2. Scope components: pool (range), exclusions (static devices), reservations (MAC-to-IP), lease time.
3. Key options: Option 3=gateway, Option 6=DNS, Option 15=domain name, Option 51=lease time.
4. Relay agent (ip helper-address) forwards broadcasts across subnets so one DHCP server can serve many segments.
5. 169.254.x.x (APIPA) = DHCP failure. Client could not get a lease. Check server reachability and relay configuration.
6. Rogue DHCP defense: DHCP snooping on managed switches. Trusted ports forward DHCP; untrusted ports block server responses.