CCNA 200-301 | Chapter 165 of 260 | Objective 4.3

Lab: Configure DHCP Server on Router

In the CCNA 200-301 exam, understanding how to configure a Cisco router as a DHCP server is essential for automating IP address assignment in small-to-medium networks. This lab-based topic (exam objective 4.3) tests your ability to configure DHCP pools, exclude addresses, and verify operation using IOS CLI commands. In real-world networking, routers often serve as DHCP servers in branch offices or for small businesses, making this a practical skill for any network engineer.

25 min read
Beginner
Updated May 31, 2026

The Apartment Mailbox System

Imagine you manage a large apartment building where each new tenant needs a mailbox key. You have a stack of pre-assigned mailbox numbers (the IP address pool). When a tenant moves in, they knock on your door (the DHCP Discover broadcast). You, the landlord (the DHCP server), look at your list and assign them the next available mailbox number (DHCP Offer). The tenant accepts by signing a lease agreement (DHCP Request), and you finalize by giving them the key and noting the lease expiration date (DHCP Acknowledgment).

But you must be careful: some mailboxes are reserved for building staff or for the manager's office (static IPs). You mark those as 'Do Not Assign' (excluded addresses) so you don't accidentally give them to a tenant. Also, you keep a record of which mailbox is assigned to which tenant (the DHCP binding table) and when their lease expires. If a tenant moves out, you put that mailbox back in the pool after the lease expires.

In this analogy, the 'lease time' is like a rental agreement: it's temporary, but renewable. The tenant can ask to renew before the lease expires (DHCP Request with same IP). If they don't renew, the mailbox becomes available again. The 'ip dhcp excluded-address' command is like putting a 'Reserved' sticker on certain mailboxes. The 'show ip dhcp binding' command lists all current tenants and their mailbox numbers. This system automates address management, preventing conflicts where two tenants try to use the same mailbox.

How It Actually Works

What is a DHCP Server on a Router?

A Cisco router can be configured to act as a DHCP (Dynamic Host Configuration Protocol) server, assigning IP addresses, subnet masks, default gateways, DNS servers, and other options to clients on a LAN. This is useful in small networks where a dedicated DHCP server is not cost-effective. The router uses the DHCP pool configuration to define the range of addresses and options.

How DHCP Works (DORA Process)

DHCP uses a four-step process known as DORA: Discover, Offer, Request, Acknowledgment.

1. Discover: The client sends a DHCPDISCOVER broadcast (UDP destination port 67, source port 68) to 255.255.255.255. This packet contains the client's MAC address.

2. Offer: The DHCP server (router) responds with a DHCPOFFER unicast (or broadcast if the client doesn't have an IP yet) offering an IP address, subnet mask, lease time, and options. The offer includes the server's IP address and the offered IP.

3. Request: The client broadcasts a DHCPREQUEST (or unicasts if it knows the server) to accept the offer. This includes the server identifier and the requested IP.

4. Acknowledgment: The server sends a DHCPACK unicast (or broadcast) confirming the lease. It includes the lease duration and any options.

Key States, Timers, and Defaults

Lease Time: Default is 1 day (86400 seconds) on Cisco routers. Can be changed with lease {days [hours] [minutes]}.

Renewal (T1): At 50% of lease time, the client attempts to renew via unicast to the server. Default: 43200 seconds (12 hours).

Rebinding (T2): At 87.5% of lease time, if renewal fails, the client broadcasts to any server. Default: 75600 seconds (21 hours).

Address Pool: Defined by the network command under the DHCP pool. The router automatically assigns addresses from the subnet, excluding those configured with ip dhcp excluded-address.

Excluded Addresses: Used to reserve addresses for static devices (servers, printers, routers). Syntax: ip dhcp excluded-address low-address [high-address].
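To make the DORA messages and the T1/T2 timers concrete, the following added example (not part of the original lab or of Cisco IOS) decodes a DHCP message and derives the renewal and rebinding times from the lease option. The sample DHCPACK is constructed to match the LAN_POOL settings used in this chapter; the client MAC and transaction ID are made-up values.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # precedes the options field (RFC 2131)
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}


def _ip(raw):
    return str(ipaddress.IPv4Address(raw))


def parse_options(data):
    """Walk the code/length/value options that follow the magic cookie."""
    opts, i = {}, 0
    while i < len(data) and data[i] != 255:      # 255 = End
        if data[i] == 0:                         # 0 = Pad, a single byte
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError(f"truncated option {data[i]}")
        opts[data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return opts


def parse_dhcp(payload):
    """Decode the UDP payload of a DHCP message into the fields this lab discusses."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not DHCP: too short or magic cookie missing")
    opts = parse_options(payload[240:])
    if len(opts.get(53, b"")) != 1:
        raise ValueError("message-type option 53 missing or malformed")
    flags = struct.unpack("!H", payload[10:12])[0]
    msg = {"type": MSG_TYPES.get(opts[53][0], "UNKNOWN"),
           "broadcast": bool(flags & 0x8000),     # client asked for a broadcast reply
           "yiaddr": _ip(payload[16:20]),         # address being offered or assigned
           "client_mac": payload[28:34].hex(":")}
    for code, key in ((1, "mask"), (3, "router"), (50, "requested_ip"), (54, "server_id")):
        if len(opts.get(code, b"")) >= 4:
            msg[key] = _ip(opts[code][:4])
    if len(opts.get(6, b"")) >= 4:
        msg["dns"] = [_ip(opts[6][i:i + 4]) for i in range(0, len(opts[6]) - 3, 4)]
    if len(opts.get(51, b"")) == 4:
        lease = struct.unpack("!I", opts[51])[0]
        # Options 58/59 carry T1/T2; without them the client uses 50% and 87.5%.
        t1 = struct.unpack("!I", opts[58])[0] if len(opts.get(58, b"")) == 4 else lease // 2
        t2 = struct.unpack("!I", opts[59])[0] if len(opts.get(59, b"")) == 4 else lease * 7 // 8
        msg.update(lease=lease, t1=t1, t2=t2)
    return msg


def build_sample_ack():
    """Constructed DHCPACK matching LAN_POOL: lease 2 12 30 = 217800 seconds."""
    ip = lambda s: ipaddress.IPv4Address(s).packed
    opt = lambda code, value: bytes([code, len(value)]) + value
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234ABCD, 0, 0x8000,
                         bytes(4), ip("192.168.1.11"), bytes(4), bytes(4),
                         bytes.fromhex("020000000001"), b"", b"")
    options = (opt(53, b"\x05") + opt(54, ip("192.168.1.1"))
               + opt(51, struct.pack("!I", 217800)) + opt(1, ip("255.255.255.0"))
               + opt(3, ip("192.168.1.1")) + opt(6, ip("8.8.8.8") + ip("4.4.4.4")) + b"\xff")
    return header + MAGIC_COOKIE + options
```

Calling `parse_dhcp(build_sample_ack())` returns the decoded fields; the `server_id` value is the one to compare against the expected DHCP server when checking for an unexpected responder on the LAN.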

IOS CLI Configuration

To configure a router as a DHCP server, follow these steps:

1. Create a DHCP pool with a name:

```
R1(config)# ip dhcp pool LAN_POOL
R1(dhcp-config)# network 192.168.1.0 255.255.255.0
R1(dhcp-config)# default-router 192.168.1.1
R1(dhcp-config)# dns-server 8.8.8.8 4.4.4.4
R1(dhcp-config)# lease 2 12 30  ! 2 days, 12 hours, 30 minutes
R1(dhcp-config)# exit
```

2. Exclude addresses (must be done before the pool is used, but can be added later):

```
R1(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.10
R1(config)# ip dhcp excluded-address 192.168.1.100
```

3. Verify configuration:

```
R1# show ip dhcp pool
Pool LAN_POOL :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 254
 Leased addresses               : 3
 Pending event                  : none
 1 subnet is currently in the pool
 Current index        IP address range                    Leased addresses
 192.168.1.11         192.168.1.1 - 192.168.1.254         3
```

```
R1# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
192.168.1.11    0063.6973.636f.2d63.    Mar 01 2020 12:15 PM    Automatic
                6363.2d30.3030.332e.
                30.3030.332e.3131.
                3131.2d45.7430.2f30
```

```
R1# show ip dhcp server statistics
Memory usage          : 26252
Address pools         : 1
Database agents       : 0
Automatic bindings    : 3
Manual bindings       : 0
Expired bindings      : 0
Malformed messages    : 0
Secure arp entries    : 0

Message              Received
BOOTREQUEST          0
DHCPDISCOVER         5
DHCPREQUEST          3
DHCPDECLINE          0
DHCPRELEASE          1
DHCPINFORM           0

Message              Sent
BOOTREPLY            0
DHCPOFFER            5
DHCPACK              3
DHCPNAK              0
```

Interaction with Related Protocols

DHCP Relay: If clients are on a different subnet than the DHCP server, you need a DHCP relay agent (ip helper-address) on the router interface to forward broadcasts as unicasts.

DHCP Snooping: A security feature on switches that filters untrusted DHCP messages to prevent rogue DHCP servers. Not configured on routers in CCNA scope.

DNS: The DHCP server can provide DNS server addresses to clients.

ARP: The router may check for duplicate IPs using ping or ARP before offering an address (configurable with ip dhcp ping packets).

Verification Commands Summary

show ip dhcp pool – Displays pool utilization and address ranges.

show ip dhcp binding – Shows current leases (IP, MAC, lease expiration).

show ip dhcp server statistics – Shows message counts (DISCOVER, OFFER, etc.).

show running-config | section dhcp – Shows DHCP configuration.

debug ip dhcp server events – Real-time debugging (use with caution).

Walk-Through

1. Configure excluded addresses

Before creating the DHCP pool, exclude any IP addresses that should not be dynamically assigned. This includes the router's own interface IP, static servers, printers, or any reserved addresses. Use the global configuration command `ip dhcp excluded-address`. You can specify a single address or a range. For example:

```
R1(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.10
R1(config)# ip dhcp excluded-address 192.168.1.100
```

This prevents the DHCP server from offering these addresses to clients. If you forget to exclude the router's IP, a client might get it, causing a duplicate IP conflict. Note: Excluding addresses does not affect existing bindings; it only prevents future assignments.

2. Create DHCP pool and define subnet

Enter DHCP pool configuration mode with `ip dhcp pool <pool-name>`. The pool name is locally significant. Then specify the subnet that will be used for dynamic assignments using the `network` command. This defines the range of addresses the server can offer. For example:

```
R1(config)# ip dhcp pool LAN_POOL
R1(dhcp-config)# network 192.168.1.0 255.255.255.0
```

The network command also sets the subnet mask that will be sent to clients. The router will automatically assign addresses from this subnet, excluding those you previously excluded. The first assignable address is the lowest non-excluded address in the subnet.

3. Set default gateway and DNS servers

Clients need a default gateway to reach other networks. Use the `default-router` command to specify the gateway IP (usually the router's interface IP). You can also provide DNS server addresses with the `dns-server` command. Multiple DNS servers can be listed in order of preference. For example:

```
R1(dhcp-config)# default-router 192.168.1.1
R1(dhcp-config)# dns-server 8.8.8.8 4.4.4.4
```

Other optional parameters include `domain-name` for the DNS domain, `option` for custom options, and `netbios-name-server` for WINS. These are sent in the DHCPACK packet.

4. Configure lease time

The lease time defines how long a client can use an assigned IP address before it must renew. The default is 1 day (86400 seconds). To change it, use the `lease` command in DHCP pool configuration mode. The format is `lease {days [hours] [minutes]}`. For example:

```
R1(dhcp-config)# lease 2 12 30
```

This sets a lease of 2 days, 12 hours, and 30 minutes. Shorter leases are useful in environments with many transient devices (e.g., guest Wi-Fi), while longer leases reduce renewal traffic. The T1 (renewal) timer is 50% of the lease, and T2 (rebind) is 87.5%.

5. Verify DHCP pool and bindings

After configuration, use `show ip dhcp pool` to confirm the pool is active and see utilization. Use `show ip dhcp binding` to view current leases. Example output:

```
R1# show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
192.168.1.11    0063.6973.636f.2d63.    Mar 01 2020 12:15 PM    Automatic
                6363.2d30.3030.332e.
                30.3030.332e.3131.
                3131.2d45.7430.2f30
```

The Client-ID is typically the client's MAC address in a hexadecimal format. Also verify that excluded addresses are not being assigned. If a client fails to get an IP, check the `show ip dhcp server statistics` for DHCPNAK messages.

6. Test client connectivity

On a client device (PC or another router), configure the interface to use DHCP. For a PC, this is usually the default. On a Cisco router, use `ip address dhcp` on the interface. For example:

```
R2(config)# interface GigabitEthernet0/0
R2(config-if)# ip address dhcp
```

Then verify the assigned IP with `show ip interface brief`. On the DHCP server, use `debug ip dhcp server events` to watch the DORA process (use with caution in production). Verify that the client can ping the default gateway and access external networks. If not, check that the DHCP pool's network matches the router's interface subnet and that the default-router is correct.

What This Looks Like on the Job

In enterprise networks, dedicated DHCP servers (Windows Server, Linux ISC DHCP) are common, but Cisco routers often serve as DHCP servers in branch offices, small businesses, or for temporary networks. For example, a retail store with 20 devices might use a Cisco ISR router as the DHCP server, eliminating the need for a separate server. The router's DHCP service is lightweight and easy to configure via CLI or SDM.

Another scenario is a lab or training environment where multiple subnets are used. A router can serve multiple DHCP pools for different VLANs. For instance, a router-on-a-stick configuration with subinterfaces can have a DHCP pool for each VLAN (e.g., VLAN 10 – 192.168.10.0/24, VLAN 20 – 192.168.20.0/24). Each pool provides a default gateway pointing to the respective subinterface.

Common misconfigurations: Forgetting to exclude the router's own IP address causes IP conflicts. Using the wrong network mask (e.g., /24 instead of /25) wastes addresses or provides too few. Not setting the default-router results in clients that cannot reach other networks. Also, if the router's interface is down, DHCP clients will not get an IP because the server cannot respond (the router must have an IP in the same subnet as the pool).

Performance: Cisco routers can handle hundreds of DHCP clients, but for larger deployments (thousands), a dedicated server is better. The router's DHCP service uses CPU cycles; in high-traffic environments, consider offloading DHCP to a server. Also, DHCP snooping is often enabled on switches to prevent rogue DHCP servers, so ensure the switch port facing the router is configured as trusted.

When troubleshooting, check that the router's interface is up and has an IP in the same subnet as the pool. Use show ip dhcp binding to see if clients are getting addresses. If clients are not receiving addresses, verify that the ip dhcp excluded-address list does not include the entire subnet, and that the pool has available addresses (show ip dhcp pool shows utilization). Also, ensure that no ACL is blocking DHCP traffic (UDP 67/68).
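The misconfigurations listed above can be checked mechanically before a change is deployed. The following added example (not part of the original lab and not a Cisco tool) parses running-config text and reports a pool whose interface address is not excluded, whose mask differs from the interface mask, which has no interface in its subnet, or which lacks a default-router. Both config fragments are constructed; the GUEST pool and GigabitEthernet0/1 are hypothetical names.

```python
import ipaddress


def parse_config(text):
    """Pull exclusions, DHCP pools and interface addresses out of running-config text."""
    excluded, pools, ifaces, pool, iface = [], {}, {}, None, None
    for raw in text.splitlines():
        w = raw.split()
        if not raw.startswith(" "):               # an unindented line leaves any sub-mode
            pool = iface = None
        if w[:3] == ["ip", "dhcp", "excluded-address"] and len(w) in (4, 5):
            # a single address is a range whose low and high ends are the same
            excluded.append((ipaddress.IPv4Address(w[3]), ipaddress.IPv4Address(w[-1])))
        elif w[:3] == ["ip", "dhcp", "pool"] and len(w) == 4:
            pool = pools.setdefault(w[3], {"network": None, "router": None})
        elif w[:1] == ["interface"] and len(w) == 2:
            iface = w[1]
        elif pool is not None and w[:1] == ["network"] and len(w) == 3:
            mask = w[2].lstrip("/")               # accepts 255.255.255.0 and /24
            pool["network"] = ipaddress.IPv4Network(f"{w[1]}/{mask}", strict=False)
        elif pool is not None and w[:1] == ["default-router"] and len(w) >= 2:
            pool["router"] = ipaddress.IPv4Address(w[1])
        elif iface and w[:2] == ["ip", "address"] and len(w) >= 4:
            ifaces[iface] = ipaddress.IPv4Interface(f"{w[2]}/{w[3]}")
    return excluded, pools, ifaces


def audit(text):
    """Return one finding per misconfiguration; an empty list means the checks passed."""
    excluded, pools, ifaces = parse_config(text)
    findings = []
    for name, pool in pools.items():
        net = pool["network"]
        if net is None:
            findings.append(f"{name}: no network statement")
            continue
        local = [i for i in ifaces.values() if i.network.overlaps(net)]
        if not local:
            findings.append(f"{name}: no router interface in {net}, so the server cannot respond")
        for i in local:
            if i.ip in net and not any(lo <= i.ip <= hi for lo, hi in excluded):
                findings.append(f"{name}: interface address {i.ip} is not excluded")
            if i.network.prefixlen != net.prefixlen:
                findings.append(f"{name}: pool /{net.prefixlen} vs interface /{i.network.prefixlen} mask mismatch")
        if pool["router"] is None:
            findings.append(f"{name}: no default-router, clients cannot leave the subnet")
    return findings


# Constructed running-config fragments: LAB follows this lab, BAD repeats the /28 trap.
LAB = """\
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp pool LAN_POOL
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
"""
BAD = """\
ip dhcp pool GUEST
 network 192.168.2.0 /28
interface GigabitEthernet0/1
 ip address 192.168.2.1 255.255.255.0
"""
```

`audit(LAB)` returns an empty list, while `audit(BAD)` returns three findings for the GUEST pool.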

How CCNA 200-301 Actually Tests This

For CCNA 200-301 exam objective 4.3, you must be able to configure a router as a DHCP server and troubleshoot common issues. The exam tests your ability to interpret show commands and identify misconfigurations.

Common Wrong Answers:

1. 'The client will get a 169.254.x.x address if the DHCP server is not configured' – This is true only if the client is using Windows with APIPA. On Cisco routers, if DHCP fails, the interface will not have an IP (unless configured manually). The exam might show a router with ip address dhcp that fails, and the interface shows 'unassigned'.
2. 'The DHCP server must be in the same subnet as the client' – False. DHCP relay (ip helper-address) allows the server to be on a different subnet. The exam may test this with a topology where the server is on a different VLAN.
3. 'The lease time can be set to infinite' – Cisco IOS does not support infinite lease time. The maximum is 365 days. Some candidates confuse this with static bindings (manual bindings), which are permanent.
4. 'The network command must include the subnet mask in dotted decimal' – Actually, it can be in CIDR format (e.g., network 192.168.1.0 /24) or dotted decimal. Both are accepted.

Specific Values and Commands:

- Default lease: 1 day (86400 seconds).
- T1: 50% (43200 seconds). T2: 87.5% (75600 seconds).
- The ip dhcp excluded-address command is entered in global configuration mode.
- show ip dhcp binding displays Client-ID (MAC in hex).
- show ip dhcp server statistics shows message counts – look for DHCPNAK if offers are rejected.

Decision Rule: If a client cannot get an IP, first check if the DHCP pool has available addresses (show ip dhcp pool). If the pool is full, check lease times or increase the pool size. If the client is on a different subnet, check for ip helper-address on the router interface. If the client gets an IP but cannot ping the gateway, check the default-router configuration.

Trap: A question might show a configuration where the network statement uses a /28 mask but the router's interface is in a /24 subnet. The DHCP server will offer addresses from the /28, but the client will have a mismatched mask. The correct answer is that the client will get an IP but may have connectivity issues due to subnet mismatch.

Elimination Strategy: For multiple-choice questions, eliminate options that suggest DHCP is a Layer 2 protocol (it is Layer 4 – UDP) or that it uses TCP (it uses UDP). Also eliminate any option that says the DHCP server must be on the same broadcast domain (it can be across a router with relay).

Key Takeaways

DHCP uses DORA: Discover (broadcast), Offer (unicast/broadcast), Request (broadcast/unicast), Acknowledgment (unicast/broadcast).

Configure excluded addresses before the pool to avoid conflicts: `ip dhcp excluded-address <low> [<high>]`.

Default lease time on Cisco routers is 1 day (86400 seconds); T1 renewal at 50%, T2 rebind at 87.5%.

Use `default-router` to set the gateway and `dns-server` for DNS in DHCP pool configuration.

Verify with `show ip dhcp binding` (current leases) and `show ip dhcp pool` (utilization).

For clients on different subnets, use `ip helper-address` on the router interface to forward DHCP broadcasts.

The router must have an IP address in the same subnet as the DHCP pool for the server to respond.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

DHCP Server on Router

Router acts as the DHCP server, assigning IPs from local pools.

Requires the router to have an IP in the same subnet as the pool.

Configuration: ip dhcp pool, network, default-router, etc.

Used in small networks without a dedicated server.

Verification: show ip dhcp binding, show ip dhcp pool.

DHCP Relay (ip helper-address)

Router forwards DHCP broadcasts to a remote server as unicasts.

Router does not assign IPs; it only relays messages.

Configuration: interface command ip helper-address <server-IP>.

Used in larger networks with a central DHCP server.

Verification: show ip interface, debug ip dhcp server events.

Watch Out for These

Mistake

DHCP uses TCP for reliable delivery.

Correct

DHCP uses UDP ports 67 (server) and 68 (client). It relies on the application layer for reliability, not TCP.

Many assume all client-server protocols use TCP, but DHCP uses UDP because it needs to broadcast before the client has an IP.

Mistake

The DHCP server must be on the same subnet as the clients.

Correct

DHCP relay (ip helper-address) allows the server to be on a different subnet by converting broadcasts to unicasts.

In small networks, servers are often local, but CCNA tests relay as a common scenario.

Mistake

The 'ip dhcp excluded-address' command is configured under the DHCP pool.

Correct

It is a global configuration command, not under the pool. It applies to all pools.

Candidates confuse the hierarchy; excluded addresses are global to prevent conflicts across pools.

Mistake

If the lease expires, the client immediately loses its IP address.

Correct

The client will attempt to renew at T1 (50%) and rebind at T2 (87.5%). If it fails, it will release the IP only after the lease fully expires. The server may reclaim it after expiration.

The lease expiration is not immediate; the client tries to renew gracefully.


Frequently Asked Questions

Can a Cisco router be both a DHCP server and a DHCP client on different interfaces?

Yes, a Cisco router can act as a DHCP server on one interface (serving clients) and as a DHCP client on another interface (obtaining an IP from an ISP, for example). This is common in home/SOHO routers. The DHCP server functionality is independent per interface. Just ensure the DHCP pool's subnet matches the interface where clients are connected.

What is the difference between 'ip dhcp excluded-address' and 'ip dhcp pool'?

'ip dhcp excluded-address' is a global configuration command that prevents the DHCP server from assigning specific IP addresses (or ranges) to clients. It is used to reserve addresses for static devices. 'ip dhcp pool' creates a pool of addresses for dynamic assignment. The pool defines the subnet and options; excluded addresses are subtracted from the pool's available addresses.

How do I configure a Cisco router to hand out a specific DNS server to DHCP clients?

Under the DHCP pool configuration, use the 'dns-server' command followed by the IP address(es) of the DNS servers. For example: 'dns-server 8.8.8.8 4.4.4.4'. You can list up to eight DNS servers. These are sent to clients in the DHCPACK message. Clients will use them for name resolution.

What happens if a DHCP client moves to a different network?

When a client connects to a different network (different subnet), it will send a DHCPDISCOVER on the new network. The DHCP server on that network (or relay) will assign a new IP from the local pool. The old lease on the previous network will eventually expire (after the lease time) and be reclaimed by the server. The client does not inform the old server; it just abandons the old IP.

How can I see which IP addresses are currently leased by a Cisco DHCP server?

Use the 'show ip dhcp binding' command. It displays all active leases, including the IP address, client ID (MAC address in hex), lease expiration time, and type (Automatic or Manual). For a quick summary of pool utilization, use 'show ip dhcp pool'.

What is the default lease time on a Cisco router DHCP server?

The default lease time is 1 day (86400 seconds). You can change it with the 'lease' command under the DHCP pool. The lease time affects how often clients must renew. Shorter leases are useful for networks with many transient devices; longer leases reduce DHCP traffic.

Why would a client receive a DHCPNAK from a Cisco router?

A DHCPNAK (Negative Acknowledgment) is sent when the server cannot honor a DHCPREQUEST. Common reasons: the requested IP address is already leased to another client, the requested IP is excluded, the subnet is full, or the client's request is invalid (e.g., wrong subnet). Check 'show ip dhcp server statistics' for DHCPNAK count.
