DHCP and DDNS
The following topics explain DHCP and DDNS services and how to configure them on Threat Defense devices.
About DHCP and DDNS Services
The following topics describe the DHCP server, DHCP relay agent, and DDNS update.
About the DHCPv4 Server
DHCP provides network configuration parameters, such as IP addresses, to DHCP clients. The FTD device can run a DHCP server that hands those parameters directly to DHCP clients attached to its interfaces.
An IPv4 DHCP client uses a broadcast rather than a multicast address to reach the server. The DHCP client listens for messages on UDP port 68; the DHCP server listens for messages on UDP port 67.
The DHCP server for IPv6 is not supported; you can, however, enable DHCP relay for IPv6 traffic.
DHCP Options
DHCP provides a framework for passing configuration information to hosts on a TCP/IP network. The configuration parameters are carried as tagged items in the Options field of the DHCP message; these tagged items are called options. Vendor-specific information is also carried in the Options field, and all of the vendor information extensions can be used as DHCP options.
For example, Cisco IP Phones download their configuration from a TFTP server. When a Cisco IP Phone starts, if it does not have both the IP address and TFTP server IP address preconfigured, it sends a request with option 150 or 66 to the DHCP server to obtain this information.
DHCP option 150 provides the IP addresses of a list of TFTP servers.
DHCP option 66 gives the IP address or the hostname of a single TFTP server.
DHCP option 3 (Router) supplies the default gateway.
A single request might include both options 150 and 66. In this case, the FTD DHCP server provides values for both options in the response if they are already configured on the device.
You can use advanced DHCP options to provide DNS, WINS, and domain name parameters to DHCP clients; DHCP option 15 carries the DNS domain suffix. You can also use the DHCP automatic configuration setting to obtain these values, or define them manually. When you use more than one method to define this information, it is passed to DHCP clients in the following order of precedence:
Manually configured settings.
Advanced DHCP options settings.
DHCP automatic configuration settings.
For example, you can manually define the domain name that you want the DHCP clients to receive and then enable DHCP automatic configuration. Although automatic configuration discovers a domain name together with the DNS and WINS servers, the clients receive the manually defined domain name alongside the discovered DNS and WINS servers, because a manually defined value supersedes the value discovered by automatic configuration for that one parameter only.
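The two mechanisms described above, the tagged-item wire format of the Options field and the per-parameter precedence of manual, advanced, and auto-configured values, are shown in the following added example. It is illustrative code, not the FTD implementation, and the domain, TFTP host, and addresses in it are made-up values; the option codes and the cookie/TLV layout are those defined by RFC 2132.

```python
"""Encode and decode the DHCP Options field, and merge parameter sources.

Added example, not code from the FTD documentation. Wire format per RFC 2132:
a 4-byte magic cookie, then one-byte code, one-byte length, value, ending in 255.
Host names and addresses below are placeholders.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options area
OPT_PAD, OPT_END = 0, 255
OPT_ROUTER, OPT_DOMAIN_NAME = 3, 15
OPT_TFTP_SERVER_NAME, OPT_TFTP_SERVER_ADDRS = 66, 150


def ipv4_bytes(addrs):
    """Pack dotted-quad strings into the concatenated form options 3 and 150 use."""
    return b"".join(ipaddress.IPv4Address(a).packed for a in addrs)


def ipv4_list(value):
    """Unpack an address-list option; the length must be a non-zero multiple of 4."""
    if len(value) == 0 or len(value) % 4:
        raise ValueError("address list option has bad length %d" % len(value))
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]


def encode_options(options):
    """Serialize [(code, value_bytes), ...] as cookie + TLVs + END."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in options:
        if not 0 < code < 255:
            raise ValueError("codes 0 and 255 are PAD/END, not value carriers")
        if len(value) > 255:
            raise ValueError("option %d does not fit the one-byte length field" % code)
        out += struct.pack("!BB", code, len(value)) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob):
    """Parse TLVs into {code: value}. Every length is checked against the buffer,
    so a forged length byte cannot make the parser read past the packet."""
    if not blob.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts = {}
    i = len(MAGIC_COOKIE)
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return opts
        if i + 1 >= len(blob):
            raise ValueError("truncated option header at offset %d" % i)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d claims %d bytes beyond the buffer" % (code, length))
        opts[code] = opts.get(code, b"") + value   # RFC 3396: repeated codes concatenate
        i += 2 + length
    raise ValueError("options area has no END option")


def effective_parameters(manual, advanced, auto):
    """Precedence from the text, applied per parameter: manual > advanced > auto.
    A manually set domain therefore still pairs with auto-discovered DNS servers."""
    merged = {}
    for source in (auto, advanced, manual):   # later sources win
        merged.update({k: v for k, v in source.items() if v is not None})
    return merged


def phone_offer_options(router, domain, tftp_name, tftp_addrs):
    """The option set the text describes for a Cisco IP Phone client (values assumed)."""
    return encode_options([
        (OPT_ROUTER, ipv4_bytes([router])),
        (OPT_DOMAIN_NAME, domain.encode("ascii")),
        (OPT_TFTP_SERVER_NAME, tftp_name.encode("ascii")),
        (OPT_TFTP_SERVER_ADDRS, ipv4_bytes(tftp_addrs)),
    ])


if __name__ == "__main__":
    blob = phone_offer_options("192.0.2.1", "example.net", "tftp.example.net",
                               ["192.0.2.10", "192.0.2.11"])
    for code, value in decode_options(blob).items():
        pretty = ipv4_list(value) if code in (OPT_ROUTER, OPT_TFTP_SERVER_ADDRS) else value.decode()
        print(code, pretty)
```

The bounds check in `decode_options` is the part worth copying: DHCP option parsing is attacker-reachable from any host on the segment, and a length byte larger than the remaining buffer must be rejected rather than silently read short.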
About the DHCP Relay Agent
You can configure a DHCP relay agent to forward DHCP requests received on an interface to one or more DHCP servers. DHCP clients send their initial DHCPDISCOVER messages as UDP broadcasts because they do not yet know anything about the network to which they are attached. Because the FTD device does not forward broadcast traffic, a client on a segment without a DHCP server would never reach one. The DHCP relay agent lets you configure the FTD interface that receives the broadcasts to forward the DHCP requests to a DHCP server reachable through another interface.
Requirements and Prerequisites for DHCP and DDNS
Model Support
FTD
User Roles
Admin
Access Admin
Network Admin
Guidelines for DHCP and DDNS Services
This section includes guidelines and limitations that you should check before configuring DHCP and DDNS services.
Firewall Mode
DHCP Relay is not supported in transparent firewall mode or in routed mode on the BVI or bridge group member interface.
DHCP Server is supported in transparent firewall mode on a bridge group member interface. In routed mode, the DHCP server is supported on the BVI interface, not the bridge group member interface. The BVI must have a name for the DHCP server to operate.
DDNS is not supported in transparent firewall mode or in routed mode on the BVI or bridge group member interface.
IPv6
Does not support IPv6 for DHCP server; IPv6 for DHCP relay is supported.
DHCPv4 Server
The maximum available DHCP pool is 256 addresses.
You can configure only one DHCP server on each interface. Each interface can have its own pool of addresses to use. However, the other DHCP settings, such as DNS servers, domain name, options, ping timeout, and WINS servers, are configured globally and used by the DHCP server on all interfaces.
You cannot configure an interface as a DHCP client if that interface also has DHCP server enabled; you must use a static IP address.
You cannot configure both a DHCP server and DHCP relay on the same device, even if you want to enable them on different interfaces; you can only configure one type of service.
The FTD device does not support QIP DHCP servers for use with the DHCP proxy service.
The DHCP server does not support BOOTP requests.
DHCP Relay
You can configure a maximum of 10 DHCPv4 relay servers, global and interface-specific servers combined, with a maximum of 4 servers per interface.
You can configure a maximum of 10 DHCPv6 relay servers. Interface-specific servers for IPv6 are not supported.
You cannot configure both a DHCP server and DHCP relay on the same device, even if you want to enable them on different interfaces; you can only configure one type of service.
DHCP relay services are not available in transparent firewall mode. You can, however, allow DHCP traffic through using access rules. To pass DHCP requests and replies through the FTD device, configure two access rules: one that allows DHCP requests from the inside interface to the outside (UDP destination port 67), and one that allows the replies from the server in the other direction (UDP destination port 68).
For IPv4, clients must be directly connected to the FTD device and cannot send requests through another relay agent or a router. For IPv6, the FTD device accepts packets forwarded by another relay agent.
The DHCP clients must be on different interfaces from the DHCP servers to which the FTD device relays requests.
You cannot enable DHCP Relay on an interface in a traffic zone.
DHCP relay is not supported on Virtual Tunnel Interfaces (VTIs).
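The relay behaviour described in About the DHCP Relay Agent, together with the IPv4 guideline that clients must be directly connected (no second relay hop) and that servers must sit behind a different interface, is shown in the following added example. It is illustrative code, not the FTD implementation; the interface names, addresses, and the 4-per-interface/10-total server limits are taken from the guidelines above only as constants, and the packet layout is the RFC 2131 fixed header.

```python
"""Minimal DHCPv4 relay-agent logic: giaddr/hops handling and the
directly-connected-client rule. Added example, not FTD code; interface
names and addresses are placeholders."""
import ipaddress
import struct

HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed fields before the options
HEADER_LEN = struct.calcsize(HEADER_FMT)     # 236 bytes
FIELDS = ("op", "htype", "hlen", "hops", "xid", "secs", "flags",
          "ciaddr", "yiaddr", "siaddr", "giaddr", "chaddr", "sname", "file")
BOOTREQUEST, BOOTREPLY = 1, 2
SERVER_PORT, CLIENT_PORT = 67, 68
MAGIC_COOKIE = b"\x63\x82\x53\x63"
ZERO4 = b"\x00" * 4
MAX_SERVERS_PER_INTERFACE, MAX_SERVERS_TOTAL = 4, 10   # limits quoted in the guidelines


def parse_header(pkt):
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than the DHCP fixed header")
    return dict(zip(FIELDS, struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])))


def build_packet(op, xid, chaddr, hops=0, flags=0, ciaddr=ZERO4, yiaddr=ZERO4,
                 giaddr=ZERO4, options=b""):
    """Build a bare DHCP message (Ethernet hardware type, raw option bytes)."""
    hdr = struct.pack(HEADER_FMT, op, 1, 6, hops, xid, 0, flags, ciaddr, yiaddr, ZERO4,
                      giaddr, chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    return hdr + MAGIC_COOKIE + options + b"\xff"


class RelayAgent:
    def __init__(self, interfaces):
        """interfaces: {name: (IPv4Interface of the client-facing interface, [server addresses])}"""
        total = 0
        for name, (iface, servers) in interfaces.items():
            if len(servers) > MAX_SERVERS_PER_INTERFACE:
                raise ValueError("interface %s exceeds %d servers" % (name, MAX_SERVERS_PER_INTERFACE))
            for server in servers:
                if server in iface.network:   # servers must be behind a different interface
                    raise ValueError("server %s is on the client interface %s" % (server, name))
            total += len(servers)
        if total > MAX_SERVERS_TOTAL:
            raise ValueError("more than %d relay servers configured" % MAX_SERVERS_TOTAL)
        self.interfaces = interfaces

    def relay_request(self, ifname, pkt):
        """Client to server direction. Returns [((server_ip, 67), packet), ...]."""
        h = parse_header(pkt)
        if h["op"] != BOOTREQUEST:
            raise ValueError("only BOOTREQUEST messages are relayed toward servers")
        if h["giaddr"] != ZERO4 or h["hops"] != 0:
            # IPv4 guideline: no packets that already passed through another relay or router
            raise ValueError("IPv4 client must be directly connected; already-relayed packet dropped")
        iface, servers = self.interfaces[ifname]
        out = bytearray(pkt)
        out[3] = h["hops"] + 1            # hops field
        out[24:28] = iface.ip.packed      # giaddr: tells the server the client subnet and where to reply
        return [((str(s), SERVER_PORT), bytes(out)) for s in servers]

    def relay_reply(self, pkt):
        """Server to client direction. Returns (ifname, (dst_ip, 68), packet)."""
        h = parse_header(pkt)
        if h["op"] != BOOTREPLY:
            raise ValueError("only BOOTREPLY messages are relayed toward clients")
        for ifname, (iface, _) in self.interfaces.items():
            if iface.ip.packed == h["giaddr"]:
                if h["ciaddr"] != ZERO4:
                    dst = str(ipaddress.IPv4Address(h["ciaddr"]))   # renewing client: unicast
                else:
                    dst = "255.255.255.255"   # client has no address yet: broadcast on its segment
                return ifname, (dst, CLIENT_PORT), pkt
        raise ValueError("reply giaddr matches no relay interface; dropped")


if __name__ == "__main__":
    inside = ipaddress.IPv4Interface("192.0.2.1/24")
    agent = RelayAgent({"inside": (inside, [ipaddress.IPv4Address("198.51.100.5")])})
    discover = build_packet(BOOTREQUEST, 0x12345678, b"\x00\x11\x22\x33\x44\x55", flags=0x8000)
    for dst, relayed in agent.relay_request("inside", discover):
        print(dst, parse_header(relayed)["hops"], ipaddress.IPv4Address(parse_header(relayed)["giaddr"]))
```

The reply path only trusts a BOOTREPLY whose giaddr is one of the relay's own interface addresses; anything else is dropped rather than broadcast onto a client segment.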
Configure the DHCP Server
See the following steps to configure a DHCP server.
Procedure
Step 1. Choose , and edit the FTD device.
Step 2. Select DHCP > DHCP Server.
Step 3. Configure the following DHCP server options:
Step 4. To override auto-configured settings, do the following:
Step 5. Select Server, click Add, and configure the following options:
Step 6. Click OK to save the DHCP server configuration.
Step 7. (Optional) Select Advanced, click Add, and specify the type of information you want the option to return to the DHCP client:
Step 8. Click OK to save the option code configuration.
Step 9. Click Save on the DHCP page to save your changes.
Configure the DHCP Relay Agent
You can configure a DHCP relay agent to forward DHCP requests received on an interface to one or more DHCP servers. DHCP clients send their initial DHCPDISCOVER messages as UDP broadcasts because they do not yet know anything about the network to which they are attached. Because the Firepower Threat Defense device does not forward broadcast traffic, a client on a segment without a DHCP server would never reach one.
You can remedy this situation by configuring the interface of the Firepower Threat Defense device that receives the broadcasts to forward the DHCP requests to a DHCP server reachable through another interface.
Note: DHCP Relay is not supported in transparent firewall mode.
Procedure
Step 1. Choose , and edit the FTD device.
Step 2. Select DHCP > DHCP Relay.
Step 3. In the Timeout field, enter the amount of time in seconds that the Firepower Threat Defense device waits before it times out the DHCP relay agent. Valid values range from 1 to 3600 seconds. The default value is 60 seconds. The timeout applies to address negotiation through the local DHCP relay agent.
Step 4. On DHCP Relay Agent, click Add, and configure the following options:
Step 5. Click OK to save the DHCP relay agent changes.
Step 6. On DHCP Servers, click Add, and configure the following options. Add the IPv4 and IPv6 server addresses as separate entries, even if they belong to the same server.
Step 7. Click OK to save the DHCP server changes.
Step 8. Click Save on the DHCP page to save your changes.
Configure Dynamic DNS
When an interface uses DHCP IP addressing, the assigned IP address can change when the DHCP lease is renewed. When the interface needs to be reachable using a fully qualified domain name (FQDN), the IP address change can cause the DNS server resource records (RRs) to become stale. Dynamic DNS (DDNS) provides a mechanism to update DNS RRs whenever the IP address or hostname changes. You can also use DDNS for static or PPPoE IP addressing.
DDNS updates the following RRs on the DNS server: the A RR, which maps the name to the IP address, and the PTR RR, which maps the IP address back to the name.
The FTD supports the following DDNS update methods:
Standard DDNS—The standard DDNS update method is defined by RFC 2136.
With this method, the FTD and the DHCP server use DNS dynamic update requests (RFC 2136 UPDATE messages) to change the DNS RRs. The FTD or DHCP server first queries its local DNS server for the hostname and, from the response, determines the primary DNS server that is authoritative for the RRs. The FTD or DHCP server then sends an update request directly to that primary DNS server. See the following typical scenarios.
The FTD updates the A RR, and the DHCP server updates the PTR RR.
Typically, the FTD "owns" the A RR, while the DHCP server "owns" the PTR RR, so each entity requests its own update. When the IP address or hostname changes, the FTD sends a DHCP request that includes the Client FQDN option (option 81) to the DHCP server to tell it that a PTR RR update is needed.
The DHCP server updates both the A and PTR RR.
Use this scenario if the FTD does not have the authority to update the A RR. When the IP address or hostname changes, the FTD sends a DHCP request that includes the Client FQDN option (option 81) to the DHCP server to tell it that both an A and a PTR RR update are needed.
You can configure different ownership depending on your security needs and the requirements of the main DNS server. For example, for a static address, the FTD should own the updates for both records.
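The update messages behind the standard method, for the ownership scenarios just described and for the lease-expiry removal mentioned in the DDNS procedure, are shown in the following added example. It builds and parses RFC 2136 UPDATE messages in pure Python; it is not the FTD implementation, the zone, hostname, and addresses are placeholders, and it carries no TSIG signature.

```python
"""Build and parse RFC 2136 dynamic UPDATE messages for the A/PTR scenarios.

Added example, not FTD code. Zone, host and addresses are placeholders.
Message layout per RFC 2136: header (opcode 5), Zone section (one SOA/IN
entry), Prerequisite section (empty here), Update section, Additional (empty).
"""
import ipaddress
import struct

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, TYPE_PTR = 1, 6, 12
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255   # NONE/ANY mark deletions (RFC 2136 2.5)


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off):
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not used in these messages")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def reverse_name(ip):
    return ipaddress.IPv4Address(ip).reverse_pointer + "."


def add_a(host, ip, ttl=300):
    return (host, TYPE_A, CLASS_IN, ttl, ipaddress.IPv4Address(ip).packed)


def add_ptr(ip, host, ttl=300):
    return (reverse_name(ip), TYPE_PTR, CLASS_IN, ttl, encode_name(host))


def delete_rrset(name, rtype):
    """Delete every RR of one type at a name: class ANY, TTL 0, empty RDATA."""
    return (name, rtype, CLASS_ANY, 0, b"")


def build_update(msg_id, zone, updates):
    """updates: list of (name, type, class, ttl, rdata) for the Update section."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, len(updates), 0)
    body = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    for name, rtype, rclass, ttl, rdata in updates:
        body += encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return header + body


def parse_update(buf):
    msg_id, flags, zocount, prcount, upcount, adcount = struct.unpack("!HHHHHH", buf[:12])
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        raise ValueError("not an UPDATE message")
    off = 12
    zone, off = decode_name(buf, off)
    ztype, zclass = struct.unpack("!HH", buf[off:off + 4])
    off += 4
    if (zocount, ztype, zclass) != (1, TYPE_SOA, CLASS_IN):
        raise ValueError("zone section must be exactly one SOA/IN entry")
    records = []
    for _ in range(prcount + upcount):
        name, off = decode_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if off + rdlen > len(buf):
            raise ValueError("RDATA runs past the end of the message")
        records.append((name, rtype, rclass, ttl, buf[off:off + rdlen]))
        off += rdlen
    return {"id": msg_id, "zone": zone, "records": records}


# The ownership scenarios from the text, as the messages each party would send.
def ftd_owns_a(host, zone, new_ip, msg_id=1):
    """FTD replaces its own A RR: drop the old RRset, add the new address."""
    return build_update(msg_id, zone, [delete_rrset(host, TYPE_A), add_a(host, new_ip)])


def dhcp_server_owns_ptr(ip, host, reverse_zone, msg_id=2):
    """DHCP server replaces the PTR RR in the in-addr.arpa zone."""
    return build_update(msg_id, reverse_zone, [delete_rrset(reverse_name(ip), TYPE_PTR), add_ptr(ip, host)])


def lease_expired(host, zone, msg_id=3):
    """On lease expiry the responsible party removes the records it added."""
    return build_update(msg_id, zone, [delete_rrset(host, TYPE_A)])


if __name__ == "__main__":
    print(parse_update(ftd_owns_a("fw1.example.com.", "example.com.", "192.0.2.10")))
```

RFC 2136 itself carries no authentication; the primary DNS server's update policy (source-address ACLs or TSIG keys) decides who may change which names, so restrict that policy to the addresses of the FTD and the DHCP server and to the records each one owns.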
Web—The Web update method uses the DynDNS Remote API specification (//help.dyn.com/remote-access-api/).
With this method when the IP address or hostname changes, the FTD sends an HTTP request directly to a DNS provider with which you have an account.
The DDNS page also supports setting DHCP server settings relating to DDNS.
Note: DDNS is not supported on the BVI or bridge group member interfaces.
Before you begin
Configure a DNS server group on , and then enable the group for the interface on . See Configure DNS.
Configure the device hostname. You can configure the hostname when you perform the FTD initial setup, or by using the configure network hostname command. If you do not specify the hostname per interface, then the device hostname is used.
Procedure
Step 1. Choose , and edit the FTD device.
Step 2. Choose .
Step 3. Standard DDNS method: Configure a DDNS update method to enable DNS requests from the FTD. You do not need to configure a DDNS update method if the DHCP server will perform all requests.
Step 4. Web method: Configure a DDNS update method to enable HTTP update requests from the FTD.
Step 5. Configure interface settings for DDNS, including the update method, DHCP client settings, and the hostname for this interface.
Step 6. If you enable the DHCP server on an FTD, you can configure DHCP server settings for DDNS. To enable the DHCP server, see Configure the DHCP Server. You can configure the server behavior when DHCP clients use the standard DDNS update method. If the server performs any updates, then when a client lease expires (and is not renewed), the server asks the DNS server to remove the RRs for which it was responsible.
Step 7. (Optional) Configure general DHCP client settings. These settings are not related to DDNS, but to how the DHCP client behaves.
Step 8. Click Save on the Device page to save your changes.
Step 9. The Web method for DDNS also requires you to identify the DDNS server root CA so that the FTD can validate the DDNS server certificate for the HTTPS connection. The following example shows how to add a DDNS server's CA as a trustpoint.
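The Web update method described above (an HTTPS request to the DNS provider) and the certificate validation that Step 9 requires are shown in the following added example. It is illustrative code, not the FTD implementation. The endpoint host, path, query parameters and reply codes follow the Dyn remote-access API that the text links to; other providers differ. The hostname, address, and credentials are placeholders, and `ca_file` stands in for the root CA you would install as a trustpoint.

```python
"""Web-method DDNS update: build the HTTPS request, pin certificate validation
to a known CA, and classify the provider's one-line reply.

Added example, not FTD code. Endpoint and reply codes follow the Dyn
remote-access API; host names, address and credentials are placeholders.
"""
import base64
import ssl
import urllib.parse
import urllib.request

API_HOST = "members.dyndns.org"        # provider endpoint (assumed; check your account docs)
UPDATE_PATH = "/nic/update"
USER_AGENT = "ddns-example/1.0 noc@example.com"   # the API rejects requests without an identifying agent


def build_update_request(hostname, ip, username, password):
    """One GET per address change. Credentials travel as HTTP Basic auth, which is
    why the transport must be validated TLS and nothing else."""
    query = urllib.parse.urlencode({"hostname": hostname, "myip": ip})
    url = "https://%s%s?%s" % (API_HOST, UPDATE_PATH, query)
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8")).decode("ascii")
    return urllib.request.Request(url, headers={"Authorization": "Basic " + token,
                                                "User-Agent": USER_AGENT})


def tls_context(ca_file=None):
    """Verify the provider certificate against the CA you trust for it (the
    trustpoint in the procedure). ca_file=None falls back to the system store."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Reply is a single word, optionally followed by the address now on record.
OK_CODES = {"good", "nochg"}
FATAL_CODES = {"badauth", "notfqdn", "nohost", "numhost", "abuse", "badagent"}
RETRY_CODES = {"dnserr", "911"}


def classify_reply(body):
    """Map the provider's reply to an action. Fatal codes must stop the client:
    retrying 'badauth' or 'abuse' in a loop is how accounts get blocked."""
    code, _, rest = body.strip().partition(" ")
    if code in OK_CODES:
        return "ok", rest
    if code in FATAL_CODES:
        return "fatal", code
    if code in RETRY_CODES:
        return "retry", code      # provider-side problem; back off, then try again
    return "unknown", code


def send_update(req, ca_file=None, timeout=10):
    """Perform the request over validated TLS and classify the answer."""
    with urllib.request.urlopen(req, context=tls_context(ca_file), timeout=timeout) as resp:
        return classify_reply(resp.read().decode("ascii", "replace"))


if __name__ == "__main__":
    req = build_update_request("fw1.example.com", "192.0.2.10", "user", "s3cret")
    print(req.full_url)
    print(classify_reply("good 192.0.2.10"))
```

Treat the `fatal` outcome as an alert condition: a misconfigured hostname or rotated password is invisible otherwise, and the stale A record stays in place until someone looks.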