N10-009 | Chapter 35 of 163 | Objective 1.3

DHCP DORA Process

This chapter explains the DHCP DORA process, a fundamental mechanism for automatic IP address assignment in IPv4 networks. The N10-009 exam frequently tests your understanding of this four-step handshake, including the exact sequence, the role of broadcasts, and the specific fields in each message. Mastering DORA is essential for troubleshooting IP configuration issues and is directly linked to exam objectives under Domain 1.3, with approximately 10-15% of exam questions touching on DHCP-related topics.

25 min read
Intermediate
Updated May 31, 2026

Hotel Guest Registration Process

Consider a hotel where guests arrive without a reservation. The guest (DHCP client) walks up to the front desk and says, 'I need a room for the night.' The front desk clerk (DHCP server) hears this broadcast request but doesn't know the guest's identity yet. The clerk checks available rooms and offers one: 'I have room 204 available. Here is the key card, the Wi-Fi password, and the checkout time.' The guest accepts the offer by taking the key card and saying, 'I'll take room 204.' The clerk then records the guest's name and room number in the log, confirming the assignment. The guest can now use the room and all amenities. If the guest doesn't respond within a certain time, the clerk may offer the room to someone else. Just like DHCP, this process has four steps: the guest's initial request (Discover), the clerk's offer (Offer), the guest's acceptance (Request), and the clerk's final confirmation (Acknowledge). The hotel's system ensures no two guests get the same room, and the guest knows exactly when the stay ends (lease time).

How It Actually Works

What is DHCP and Why Does It Exist?

Dynamic Host Configuration Protocol (DHCP), defined in RFC 2131, automates the assignment of IP addresses, subnet masks, default gateways, DNS servers, and other network parameters to client devices. Without DHCP, every device would require manual static configuration, which is impractical in networks with hundreds or thousands of hosts. DHCP eliminates address conflicts, reduces administrative overhead, and enables mobility by allowing devices to obtain a valid configuration when connecting to different subnets.

The DORA Process: Four-Step Handshake

DORA stands for Discover, Offer, Request, Acknowledge. This is the sequence of messages exchanged between a DHCP client and a DHCP server to obtain an IP address lease. The process always starts with the client and ends with the server.

Step 1: DHCPDISCOVER

When a client boots up or needs an IP address, it sends a DHCPDISCOVER message as a UDP broadcast on port 67. The source IP is 0.0.0.0 (since the client has no IP yet), and the destination IP is 255.255.255.255 (limited broadcast). The source MAC is the client's MAC address. The message contains a transaction ID (XID) to match requests with responses. The client may also include a 'Requested IP Address' option if it remembers a previous lease, but this is not guaranteed.

Step 2: DHCPOFFER

Any DHCP server that receives the DISCOVER and has an available IP address responds with a DHCPOFFER message. This is typically a unicast to the client's MAC address (though some implementations use broadcast). The OFFER includes:

A proposed IP address

Subnet mask (option 1)

Default gateway (option 3)

DNS server(s) (option 6)

Lease duration (option 51)

Server identifier (option 54)

The server reserves the offered IP address temporarily to prevent double assignment but does not yet commit it.

Step 3: DHCPREQUEST

After receiving one or more OFFERs, the client selects one server and sends a DHCPREQUEST message. This is a broadcast (destination 255.255.255.255) so that all servers know which offer was accepted. The REQUEST includes:

The 'Server Identifier' option (the chosen server's IP)

The 'Requested IP Address' option (the offered IP)

The client's hardware address

If the client previously had an IP and is renewing, it sends a REQUEST directly to the server (unicast) during the renewal phase, but during initial DORA, it is always broadcast.

Step 4: DHCPACK

The chosen server responds with a DHCPACK message, confirming the lease. The ACK includes the same configuration parameters as the OFFER. The client then applies the IP address and other settings. If the server cannot honor the request (e.g., the IP was taken in the meantime), it sends a DHCPNAK, and the client restarts the DORA process.
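The four-message exchange above, as an added example that is not part of the original chapter: it builds DISCOVER, OFFER, REQUEST and ACK payloads in the BOOTP layout, parses them back, and checks that the transaction ID, offered address and server identifier line up. The MAC address, XID and IP addresses are constructed sample values, and the function names are chosen here for illustration; option 53 carries the message type and option 50 the requested IP address.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"   # magic cookie that precedes the DHCP options
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # op .. file, 236 bytes
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def build(op, xid, mac, mtype, yiaddr="0.0.0.0", ip_opts=()):
    """Build one DHCP payload (constructed sample input, not a capture)."""
    hdr = BOOTP.pack(op, 1, 6, 0, xid, 0, 0, bytes(4),
                     socket.inet_aton(yiaddr), bytes(4), bytes(4), mac, b"", b"")
    body = bytes([53, 1, mtype])                       # option 53: message type
    for code, ip in ip_opts:                           # 4-byte address options
        body += bytes([code, 4]) + socket.inet_aton(ip)
    return hdr + MAGIC + body + b"\xff"                # 255 terminates options

def parse(payload):
    """Decode the fixed BOOTP header, then walk the code/length/value options."""
    if payload[BOOTP.size:BOOTP.size + 4] != MAGIC:
        raise ValueError("not a DHCP payload")
    f = BOOTP.unpack_from(payload)
    msg = {"op": f[0], "xid": f[4], "yiaddr": socket.inet_ntoa(f[8]),
           "chaddr": f[11][:f[2]], "options": {}}
    i = BOOTP.size + 4
    while i < len(payload) and payload[i] != 255:
        if payload[i] == 0:                            # pad option, no length
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        msg["options"][payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    msg["type"] = TYPES.get((msg["options"].get(53) or b"\0")[0], "UNKNOWN")
    return msg

def check_dora(payloads):
    """Return the problems found in one exchange; an empty list means clean."""
    msgs = [parse(p) for p in payloads]
    order = [m["type"] for m in msgs]
    if order != ["DISCOVER", "OFFER", "REQUEST", "ACK"]:
        return ["unexpected sequence: " + " ".join(order)]
    _, offer, request, ack = msgs
    problems = []
    if len({m["xid"] for m in msgs}) != 1:
        problems.append("xid mismatch")
    if request["options"].get(50) != socket.inet_aton(offer["yiaddr"]):
        problems.append("REQUEST asks for an address that was not offered")
    if request["options"].get(54) != offer["options"].get(54):
        problems.append("REQUEST names a different server identifier")
    if ack["yiaddr"] != offer["yiaddr"]:
        problems.append("ACK confirms a different address than the OFFER")
    return problems

def sample_exchange(xid=0x1A2B3C4D, requested="192.168.1.50"):
    """Constructed DORA exchange for a client with a made-up MAC address."""
    mac, srv = b"\x02\x00\x00\x00\x00\x01", [(54, "192.168.1.1")]
    return [build(1, xid, mac, 1), build(2, xid, mac, 2, "192.168.1.50", srv),
            build(1, xid, mac, 3, ip_opts=[(50, requested)] + srv),
            build(2, xid, mac, 5, "192.168.1.50", srv)]
```

Calling `check_dora(sample_exchange())` returns an empty list; changing the requested address or reordering the payloads returns the matching problem text.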

Key Components and Defaults

DHCP Server: Listens on UDP port 67 and sends its replies to the client's port 68.

DHCP Client: Listens on UDP port 68, sends requests from port 68.

Lease Time: Default is 24 hours (86400 seconds) on most servers, but configurable.

Renewal Timer (T1): 50% of lease time (12 hours by default). Client attempts to renew by sending unicast REQUEST to the server.

Rebinding Timer (T2): 87.5% of lease time (21 hours by default). If renewal fails, client broadcasts REQUEST to any server.

Grace Period: After lease expiry, the client may continue using the IP for a short time (often 2 minutes) but will eventually drop it.

Configuration and Verification Commands

On a Cisco IOS router acting as DHCP server:

ip dhcp pool LAN_POOL
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8 8.8.4.4
   lease 7

To verify DHCP operations:

show ip dhcp binding
show ip dhcp server statistics
debug ip dhcp server events

On a Windows client, to release and renew:

ipconfig /release
ipconfig /renew

Interaction with Related Technologies

DHCP Relay: When the server is on a different subnet, a router or Layer 3 switch with ip helper-address forwards DHCP broadcasts as unicasts to the server. The relay agent adds the gateway IP (giaddr) so the server knows which subnet to assign.

DHCP Snooping: A security feature on switches that filters untrusted DHCP messages to prevent rogue DHCP servers. It validates DHCP messages on untrusted ports and builds a DHCP snooping binding table.

Dynamic ARP Inspection (DAI): Uses the DHCP snooping binding table to validate ARP packets and prevent ARP spoofing.

IP Address Management (IPAM): Centralized management of DHCP scopes, often integrated with DNS for dynamic updates.

Troubleshooting DORA

Common failure points:

No DISCOVER broadcast: Client interface down, firewall blocking UDP 67/68.

No OFFER: Server out of addresses, scope not activated, relay agent missing.

No REQUEST: Client received OFFER but didn't respond, possibly due to firewall or client configuration.

No ACK: Server rejected the request because the IP was taken or the client's MAC is blocked.

Use packet capture (Wireshark) to see the exact DORA sequence. Filter with 'bootp' (DHCP uses the BOOTP protocol format).

Walk-Through

1. DHCPDISCOVER

The client sends a UDP broadcast to 255.255.255.255:67 from source 0.0.0.0:68. The frame contains the client's MAC address and a transaction ID. This message essentially says, 'I need an IP address; is anyone there?' The broadcast is sent because the client does not know the server's IP. If a DHCP relay agent is present, it forwards this broadcast as a unicast to the configured server(s). The client may also include a requested IP address option if it has a previous lease it wants to reuse.

2. DHCPOFFER

A DHCP server with available addresses responds with a unicast (or sometimes broadcast) to the client's MAC address. The OFFER includes the offered IP, subnet mask, default gateway, DNS servers, lease time, and server identifier. The server temporarily reserves the IP to prevent conflicts but does not commit it. The client may receive multiple OFFERs from different servers; it will choose one based on the first received or a preferred server.

3. DHCPREQUEST

The client selects one server and sends a broadcast REQUEST to 255.255.255.255:67. This broadcast informs all servers which offer was accepted. The REQUEST includes the server identifier of the chosen server and the requested IP address. If the client is renewing an existing lease, this message is sent as a unicast directly to the server. A REQUEST is not used to refuse an address: if the client detects a duplicate via ARP, it sends a DHCPDECLINE to the server instead.

4. DHCPACK

The chosen server sends a DHCPACK to the client, confirming the lease. The ACK contains the same configuration parameters as the OFFER. Upon receiving the ACK, the client applies the IP address and other settings. If the server cannot honor the request (e.g., the IP was assigned to another client in the meantime), it sends a DHCPNAK, forcing the client to restart the DORA process from DISCOVER.

What This Looks Like on the Job

Enterprise Scenario 1: Large Campus Network with DHCP Relay

A university with multiple buildings and subnets uses a centralized DHCP server in the data center. Each building has a Layer 3 switch that acts as the default gateway. Without DHCP relay, broadcasts from clients would not reach the server. The solution is to configure 'ip helper-address' on each VLAN interface pointing to the DHCP server. The relay agent sets the giaddr field to the subnet's gateway IP, allowing the server to assign addresses from the correct scope. Common issues: forgetting to configure helper addresses on all VLANs, or misconfiguring the relay to forward to multiple servers, causing duplicate OFFERs. The network team monitors DHCP statistics using 'show ip dhcp server statistics' to ensure address pool utilization stays below 90%.

Enterprise Scenario 2: DHCP Snooping for Security

A financial company deploys DHCP snooping on all access switches to prevent rogue DHCP servers. Access ports are set as untrusted, while uplinks to the legitimate DHCP server are trusted. The switch builds a DHCP snooping binding table that maps MAC addresses to IP addresses, VLANs, and ports. This table is used by Dynamic ARP Inspection (DAI) to validate ARP packets, preventing man-in-the-middle attacks. Misconfiguration: accidentally setting an access port as trusted allows a rogue server on that port to distribute malicious IP configurations. The network team verifies snooping with 'show ip dhcp snooping binding' and monitors for DHCPOFFER messages on untrusted ports.
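A simplified model of the snooping and DAI decisions described in this scenario, added here as an example and not taken from the chapter or from any vendor's implementation: server-type messages arriving on untrusted ports are dropped and logged, an ACK from a trusted port creates a binding, and ARP senders are checked against that table. The port names, MAC address and IP addresses are constructed sample values, and `DhcpEvent`, `Snooper` and `run_sample` are hypothetical names.

```python
from dataclasses import dataclass

SERVER_TYPES = {"OFFER", "ACK", "NAK"}   # only a DHCP server should send these

@dataclass(frozen=True)
class DhcpEvent:
    """One DHCP message as the switch sees it (simplified, hypothetical model)."""
    port: str          # ingress switch port
    vlan: int
    mtype: str         # DISCOVER, OFFER, REQUEST, ACK or NAK
    mac: str           # client hardware address (chaddr)
    ip: str = ""       # yiaddr, meaningful in OFFER and ACK

class Snooper:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # client MAC -> (vlan, access port) of its last request
        self.bindings = {}   # client MAC -> (ip, vlan, access port)
        self.alerts = []

    def handle(self, ev):
        """Return True to forward the message, False to drop it."""
        if ev.mtype in SERVER_TYPES:
            if ev.port not in self.trusted:
                self.alerts.append(f"{ev.mtype} on untrusted port {ev.port}")
                return False
            if ev.mtype == "ACK" and ev.mac in self.pending:
                vlan, port = self.pending.pop(ev.mac)
                self.bindings[ev.mac] = (ev.ip, vlan, port)
        elif ev.mtype in ("DISCOVER", "REQUEST"):
            self.pending[ev.mac] = (ev.vlan, ev.port)
        return True

    def arp_allowed(self, port, vlan, mac, ip):
        """DAI-style check: the ARP sender must match a learned binding."""
        return self.bindings.get(mac) == (ip, vlan, port)

def run_sample():
    """Constructed events: client on Gi1/0/5, uplink Gi1/0/48, stray server on Gi1/0/9."""
    mac = "02:00:00:00:00:01"
    events = [
        DhcpEvent("Gi1/0/5", 10, "DISCOVER", mac),
        DhcpEvent("Gi1/0/9", 10, "OFFER", mac, "10.66.0.20"),
        DhcpEvent("Gi1/0/48", 10, "OFFER", mac, "192.168.1.50"),
        DhcpEvent("Gi1/0/5", 10, "REQUEST", mac),
        DhcpEvent("Gi1/0/9", 10, "ACK", mac, "10.66.0.20"),
        DhcpEvent("Gi1/0/48", 10, "ACK", mac, "192.168.1.50"),
    ]
    sw = Snooper(trusted_ports=["Gi1/0/48"])
    forwarded = [ev.mtype for ev in events if sw.handle(ev)]
    return sw, forwarded
```

Adding Gi1/0/9 to `trusted_ports` reproduces the misconfiguration named above: the stray OFFER and ACK are forwarded and the binding is created from the wrong server's ACK.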

Enterprise Scenario 3: Cloud/Hybrid DHCP with IPAM

A multinational corporation uses an IP Address Management (IPAM) solution integrated with Microsoft DHCP servers. The IPAM provides centralized scope management, DNS registration, and lease monitoring. DHCP failover is configured in hot standby mode to ensure high availability. When a primary server fails, the standby takes over within seconds. The team uses 'netsh dhcp server show scope' and PowerShell scripts to audit leases. Common pitfalls: lease time set too short (e.g., 30 minutes) causing excessive DORA traffic, or too long (e.g., 30 days) leading to address exhaustion. Best practice is to set lease time to 8-24 hours for wired networks and 1-4 hours for Wi-Fi.

How N10-009 Actually Tests This

What the N10-009 Tests

Objective 1.3 covers 'Explain the concepts and purposes of DHCP and DNS.' For DHCP, the exam expects you to:

Recall the DORA sequence in order (Discover, Offer, Request, Acknowledge)

Identify the purpose of each message

Know the default ports (67 server, 68 client)

Understand the role of broadcasts and when unicast is used (renewal)

Recognize DHCP relay and the giaddr field

Differentiate between DHCP and static IP assignment

Common Wrong Answers and Why Candidates Choose Them

1. Order confusion: Many candidates select 'Discover, Request, Offer, Acknowledge' because they think the client requests first. Wrong: the server must offer before the client requests. Remember: the server cannot know what to offer without the client's initial broadcast.

2. DHCPOFFER is a broadcast: Some think the OFFER is always a broadcast because DISCOVER is. In practice, the OFFER is typically unicast to the client's MAC address if the server knows it. However, some implementations broadcast. The exam may test that the OFFER can be either broadcast or unicast; the standard allows unicast.

3. DHCPREQUEST is unicast: Candidates confuse the initial REQUEST (which is broadcast) with the renewal REQUEST (which is unicast). The exam expects you to know that during initial DORA, REQUEST is broadcast.

4. DHCPACK is optional: Some think the client can use the IP after OFFER. No: the client must wait for ACK. Without ACK, the client cannot use the IP.

Specific Numbers and Terms to Memorize

UDP ports: 67 (server), 68 (client)

Default lease time: 24 hours

T1 timer: 50% of lease (renewal)

T2 timer: 87.5% of lease (rebinding)

DHCP message types: 1 (DISCOVER), 2 (OFFER), 3 (REQUEST), 4 (DECLINE), 5 (ACK), 6 (NAK), 7 (RELEASE), 8 (INFORM)

BOOTP fields: op (1=request, 2=reply), htype (1=Ethernet), hlen (6 for MAC), hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file, options

Edge Cases and Exceptions

DHCPINFORM: A client with a static IP can use INFORM to obtain other parameters (e.g., DNS) without getting an IP.

DHCPDECLINE: If a client detects an IP conflict via ARP, it sends DECLINE to the server.

DHCPRELEASE: A client can voluntarily release its IP by sending RELEASE to the server.

Multiple servers: If multiple servers respond, the client picks one (usually the first OFFER).

APIPA (Automatic Private IP Addressing): If no DHCP server responds after a timeout, Windows clients assign themselves an IP in 169.254.0.0/16. This is not part of DORA but is a fallback.

How to Eliminate Wrong Answers

Focus on the direction of communication. DORA always starts with client broadcast, then server unicast/broadcast, then client broadcast, then server unicast/broadcast. If an answer shows a server initiating the process, eliminate it. Also, check the port numbers: server uses 67, client uses 68. If the question mentions a different port, it's wrong.

Key Takeaways

DORA stands for Discover, Offer, Request, Acknowledge — always in that order.

DHCP uses UDP ports 67 (server) and 68 (client).

Default lease time is 24 hours; T1 renewal at 50% (12h), T2 rebinding at 87.5% (21h).

DHCPDISCOVER and initial DHCPREQUEST are broadcasts; DHCPOFFER and DHCPACK are typically unicast.

DHCP relay (ip helper-address) forwards broadcasts across subnets by setting the giaddr field.

DHCP snooping prevents rogue DHCP servers by filtering untrusted DHCP messages on access ports.

APIPA assigns 169.254.0.0/16 addresses when no DHCP server responds.

DHCPINFORM allows a statically configured client to obtain other parameters like DNS servers.

The transaction ID (XID) in DHCP messages matches requests with responses.

A DHCPNAK forces the client to restart the DORA process from DISCOVER.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

DHCP (Dynamic)

IP address assigned automatically via DORA

Reduces administrative overhead in large networks

Supports mobility and plug-and-play

Leases expire and must be renewed

Uses UDP broadcasts and requires a DHCP server

Static IP Configuration

IP address manually configured on each device

Prone to human error and address conflicts

No automatic reconfiguration when network changes

IP address is permanent until manually changed

No dependency on a server; works offline

Watch Out for These

Mistake

DHCP uses TCP for reliable delivery.

Correct

DHCP uses UDP (User Datagram Protocol) because it is connectionless and fast. Reliability is handled by the client retrying DISCOVER messages if no OFFER is received. The standard ports are UDP 67 and 68.

Mistake

The DHCPOFFER is always a broadcast.

Correct

While the DISCOVER is always broadcast, the OFFER can be unicast to the client's MAC address if the server knows it. Many implementations use unicast. The RFC allows either, but unicast is preferred to reduce broadcast traffic.

Mistake

A client can use the IP address immediately after receiving the DHCPOFFER.

Correct

The client must wait for the DHCPACK from the server. The OFFER is only a proposal; the server still holds the IP in a reserved state. Only after receiving ACK does the client apply the configuration. If the server sends a NAK, the client must start over.

Mistake

DHCPREQUEST is always a unicast.

Correct

During the initial DORA process, the REQUEST is sent as a broadcast to inform all servers which offer was accepted. Only during the renewal phase (after the client already has an IP) is the REQUEST sent as a unicast to the specific server.

Mistake

DHCP servers assign IP addresses permanently.

Correct

DHCP assigns IP addresses on a lease basis. The default lease time is 24 hours, but it can be configured. The client must renew the lease before it expires, or the IP is returned to the pool. Permanent assignment is possible only by setting an infinite lease (e.g., lease infinite on Cisco).


Frequently Asked Questions

What is the DORA process in DHCP?

DORA is the four-step handshake used by DHCP to assign IP addresses: Discover (client broadcasts for a server), Offer (server offers an IP), Request (client accepts the offer), Acknowledge (server confirms the lease). This sequence ensures automatic and conflict-free IP configuration.

Why is DHCPREQUEST a broadcast and not unicast during initial DORA?

The initial DHCPREQUEST is broadcast so that all DHCP servers on the network know which offer was accepted. This allows other servers to release the IP they offered back to their pool. If it were unicast only to the chosen server, other servers would keep reserving their offered IPs until timeout.

What is a DHCP relay agent and how does it work?

A DHCP relay agent (often a router or Layer 3 switch) forwards DHCP broadcast messages from clients to a DHCP server on a different subnet. It sets the giaddr (gateway IP address) field to the interface IP of the relay, allowing the server to assign an IP from the correct scope. The relay then unicasts the server's response back to the client.

What is the difference between DHCPACK and DHCPNAK?

DHCPACK is a positive acknowledgment indicating that the server has granted the IP lease and the client can use the configuration. DHCPNAK is a negative acknowledgment sent when the server cannot honor the request (e.g., the requested IP is already in use or the scope is full). Upon receiving a NAK, the client must restart the DORA process from Discover.

What are the default lease time and renewal timers for DHCP?

The default lease time is 24 hours (86400 seconds). The renewal timer (T1) is 50% of the lease (12 hours), at which the client attempts to renew by sending a unicast DHCPREQUEST to the server. The rebinding timer (T2) is 87.5% of the lease (21 hours), after which the client broadcasts to any server if renewal fails.

What is APIPA and when is it used?

Automatic Private IP Addressing (APIPA) is a fallback mechanism in Windows that assigns an IP address in the 169.254.0.0/16 range (169.254.0.1 to 169.254.255.254) when a DHCP server is unreachable. It allows local communication but not internet access. APIPA addresses are not routable and are used only on the local subnet.

How does DHCP snooping work?

DHCP snooping is a security feature on switches that filters DHCP messages. It marks ports as trusted (connected to legitimate DHCP servers) or untrusted (all other ports). The switch drops DHCPOFFER, DHCPACK, and DHCPNAK messages from untrusted ports, preventing rogue DHCP servers. It also builds a binding table of valid MAC-IP-lease mappings.
