This chapter covers DHCP troubleshooting, a critical skill for the N10-009 exam and real-world network management. DHCP failures are among the most common network issues, and you can expect 5-8% of exam questions to touch on DHCP configuration, operation, or troubleshooting. Mastering the DHCP message flow, lease timers, and common failure modes will help you quickly resolve client connectivity problems and ace exam scenarios.
Jump to a section
A hotel has a limited number of room keys (IP addresses) for guests. When a guest arrives at the front desk (broadcasts a DHCP Discover), the desk clerk checks a ledger (DHCP scope) for an available room. The clerk offers a specific room key (DHCP Offer) to the guest, who accepts by handing over a deposit (DHCP Request). The clerk then records the guest's name and room number in the ledger (DHCP Ack with lease) and sets a checkout time (lease duration). If the guest stays past checkout, the clerk sends a reminder (DHCP Renew) and the guest can extend by confirming (DHCP Ack). If the guest leaves without checking out, the clerk eventually marks the room as available again after a grace period (lease expiration). If two guests claim the same room (IP conflict), the clerk sends a warning (DHCP Decline) and reassigns. If the clerk runs out of keys (scope exhausted), the guest is turned away (DHCP Nak). This system ensures orderly distribution of limited resources, with time-bound leases that automatically return unused addresses to the pool.
What is DHCP and Why Does It Exist?
Dynamic Host Configuration Protocol (DHCP), defined in RFC 2131, automates the assignment of IP addresses, subnet masks, default gateways, DNS servers, and other network configuration parameters to devices. Without DHCP, every device would require manual static IP configuration, which is impractical in networks with hundreds or thousands of hosts. DHCP reduces administrative overhead and eliminates address conflicts caused by manual entry errors.
How DHCP Works Internally – The DORA Process
DHCP uses a four-step process known as DORA: Discover, Offer, Request, Acknowledge. This exchange occurs at the application layer (UDP ports 67 for server, 68 for client) and relies on broadcast or unicast communication.
Discover (Client → Server): When a client boots up or its lease expires, it sends a DHCPDISCOVER message as a UDP broadcast (destination IP 255.255.255.255, source IP 0.0.0.0) on its local subnet. The message includes the client's MAC address and a transaction ID. If the client has previously obtained a lease, it may include the requested IP address in the 'requested IP address' option.
Offer (Server → Client): Any DHCP server that receives the Discover responds with a DHCPOFFER message. This is typically a broadcast (unless the server knows the client's unicast address), containing a proposed IP address, subnet mask, lease duration, server identifier, and other options (e.g., router, DNS). The offer is not a reservation – the server may offer the same IP to another client if no acceptance is received within a timeout.
Request (Client → Server): The client selects one offer (usually the first received) and broadcasts a DHCPREQUEST message. This broadcast informs all servers of the selection, allowing other servers to withdraw their offers. The request includes the server identifier of the chosen server and the requested IP address.
Acknowledge (Server → Client): The selected server responds with a DHCPACK message, finalizing the lease. The client then configures its interface with the offered parameters. If the server cannot fulfill the request (e.g., the IP is now taken), it sends a DHCPNAK, forcing the client to restart the DORA process.
Key Components, Values, Defaults, and Timers
DHCP Scope: A range of IP addresses that a DHCP server is authorized to assign. Scopes include a start and end address, subnet mask, and exclusions (addresses not to be assigned).
DHCP Lease: The assignment of an IP address to a client for a specific period. Default lease duration is typically 24 hours (86400 seconds) on most servers, but can be configured from minutes to forever.
DHCP Options: Additional configuration parameters sent to clients, such as:
- Option 3: Router (default gateway) - Option 6: DNS servers - Option 15: Domain name - Option 51: Lease time - Option 53: DHCP message type - Option 54: Server identifier - Option 55: Parameter request list - Option 66: TFTP server name (for PXE boot) - Option 150: TFTP server IP (for Cisco IP phones) - DHCP Timers: Clients track lease time using three timers: - T1 (Renewal Time): Default 50% of lease duration. When T1 expires, the client attempts to renew its lease by sending a unicast DHCPREQUEST directly to the server that granted the lease. - T2 (Rebinding Time): Default 87.5% of lease duration. If T1 renewal fails (no response from server), the client broadcasts a DHCPREQUEST to any server to extend the lease. - Lease Expiration: If neither T1 nor T2 succeeds, the client must stop using the IP address and begin the DORA process again. - DHCP Relay Agent: A device (usually a router or Layer 3 switch) that forwards DHCP broadcast messages between clients and servers on different subnets. It inserts the gateway IP address (giaddr field) so the server knows which subnet to assign an address from.
Configuration and Verification Commands
Cisco IOS Router as DHCP Server:
ip dhcp pool POOL_NAME
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
lease 7Exclude addresses:
ip dhcp excluded-address 192.168.1.1 192.168.1.10Configure DHCP Relay (ip helper-address):
interface GigabitEthernet0/1
ip helper-address 10.10.10.5Windows Server DHCP:
Scope created via DHCP console or PowerShell: Add-DhcpServerv4Scope -StartRange 192.168.1.100 -EndRange 192.168.1.200 -SubnetMask 255.255.255.0 -Name "Office LAN"
Options set via Set-DhcpServerv4OptionValue
Verification Commands:
- Cisco: show ip dhcp binding, show ip dhcp server statistics, show ip dhcp conflict
- Linux: dhcp-lease-list, cat /var/lib/dhcp/dhcpd.leases
- Windows: Get-DhcpServerv4Lease -ScopeId 192.168.1.0, Get-DhcpServerv4Statistics
- Client-side: ipconfig /all (Windows), ip a (Linux), ifconfig (macOS)
Interaction with Related Technologies
DNS: DHCP can automatically register client hostnames in DNS (dynamic DNS updates), ensuring name resolution matches IP assignments.
VLANs: DHCP relay is essential when clients and servers reside in different VLANs. Each VLAN typically has its own DHCP scope.
DHCP Snooping: A security feature on switches that filters untrusted DHCP messages to prevent rogue DHCP servers. It builds a DHCP snooping binding table (MAC-IP-VLAN-interface) and drops messages from untrusted ports.
IP Address Management (IPAM): Integrated tools that manage DHCP, DNS, and IP address allocation centrally.
Common Failure Modes and Symptoms
No IP address obtained (APIPA): Client self-assigns 169.254.x.x address. Caused by no DHCP server reachable, scope exhaustion, or relay misconfiguration.
Duplicate IP address: Two clients receive the same IP due to conflicting scopes or manual static assignment overlapping DHCP scope.
Wrong gateway or DNS: Misconfigured DHCP options.
Lease renewal failures: Server unreachable at T1/T2 due to network changes or server downtime.
Rogue DHCP server: An unauthorized server offering addresses, causing clients to get wrong configuration.
Troubleshooting Methodology
Verify client configuration: ipconfig /all or equivalent. Check for APIPA address, lease expiration, and option values.
Check DHCP server status: Ensure server is running, scope is active, and addresses are available.
Verify network connectivity: Ping the DHCP server from the client subnet. If ping fails, check routing and VLAN configuration.
Check DHCP relay: If client and server are on different subnets, confirm ip helper-address or DHCP relay agent configuration is correct.
Examine DHCP logs: Server logs may show NAK reasons (e.g., requested IP not in scope).
Use packet capture: Wireshark filter bootp or dhcp to see DORA messages. Look for missing Offer, NAK, or duplicate server responses.
Check for rogue DHCP: Look for DHCPOFFER from unexpected server IPs. Use DHCP snooping to block unauthorized servers.
Verify address pool: Ensure scope is not exhausted and exclusions are correct.
Test with static IP: Temporarily assign a static IP from the same subnet to verify network connectivity independent of DHCP.
Reset client lease: Release (ipconfig /release) and renew (ipconfig /renew) to force fresh DORA.
Verify client IP configuration
On the affected client, run `ipconfig /all` (Windows) or `ifconfig` (Linux/macOS). Check if the IP address is in the APIPA range (169.254.x.x with mask 255.255.0.0). APIPA indicates the client failed to reach a DHCP server. Also check lease expiration time and the DHCP server IP (if assigned). If the client has a valid IP but connectivity issues, verify default gateway and DNS server values match expected configuration.
Check DHCP server availability
Ping the DHCP server from the client subnet. If the server is on a different subnet, ensure the relay agent is forwarding correctly. On the server, verify the DHCP service is running (e.g., `service isc-dhcp-server status` on Linux, or check Services console on Windows). Check server logs for errors like 'no free leases' or 'network unreachable'. On Cisco routers, use `show ip dhcp server statistics` to see number of offers, requests, and NAKs.
Inspect DHCP scope and lease pool
On the DHCP server, examine the scope for the client's subnet. Ensure the scope is active and has available addresses. Check exclusions – if the client's MAC is excluded or the requested IP is in an exclusion range, the server will NAK. Use `show ip dhcp binding` (Cisco) or `Get-DhcpServerv4Lease` (Windows) to see current leases. Look for the client's MAC – if present, verify the IP matches expectations.
Verify DHCP relay configuration
If the client and server are on different subnets, a DHCP relay agent (usually a router or Layer 3 switch) must forward broadcasts. On the router interface connected to the client subnet, confirm `ip helper-address <server-ip>` is configured. Check that the relay agent inserts the correct giaddr (gateway IP) – this tells the server which subnet to assign from. Misconfigured relay is a common cause of clients getting no response.
Capture and analyze DHCP traffic
Use Wireshark or tcpdump on the client or relay agent to capture DHCP traffic. Filter with `bootp` or `dhcp`. Look for the DORA sequence. Common issues: no Offer (server not responding or broadcast not reaching server), multiple Offers (rogue server), or NAK (server refuses request). Check transaction IDs to match messages. Also look for DHCPOFFER with incorrect subnet mask or gateway.
Check for rogue DHCP servers
A rogue DHCP server can assign incorrect IP addresses, causing connectivity issues. In packet captures, look for DHCPOFFER messages from unexpected IP addresses. Use `show ip dhcp server statistics` to see if multiple servers are responding. Mitigate by enabling DHCP snooping on switches: configure trusted ports (uplinks to legitimate servers) and untrusted ports (client-facing). The switch will drop DHCPOFFER from untrusted ports.
Test with static IP and reset lease
Temporarily assign a static IP from the same subnet to the client. If connectivity works, the issue is DHCP-related. Then release and renew the DHCP lease: `ipconfig /release` followed by `ipconfig /renew` (Windows). On Linux, use `dhclient -r` then `dhclient`. This forces a fresh DORA exchange and often resolves transient issues like expired lease or stale server cache.
Enterprise Scenario 1: Multi-subnet DHCP with Relay Agents
A large enterprise has 50 VLANs across multiple buildings, each with its own IP subnet. Two centralized DHCP servers (Windows Server 2019) handle all assignments. Each building's Layer 3 switch acts as the DHCP relay agent. The problem: users in one VLAN suddenly cannot obtain IP addresses. Troubleshooting reveals that the relay agent's ip helper-address points to a retired server IP. The fix: update the helper address to the active server. In production, this scenario highlights the need for consistent relay configuration documentation and regular audits. Performance consideration: relay agents add latency; each DORA exchange traverses the network twice. To scale, enterprises often use DHCP failover (hot standby) between two servers to ensure availability.
Enterprise Scenario 2: DHCP Scope Exhaustion in a Guest Network
A university's guest wireless network uses a /22 subnet (1022 usable addresses). During orientation week, thousands of students connect, exhausting the scope. Symptoms: clients get APIPA addresses. The solution: expand the scope to a /21 (2046 addresses) and reduce lease duration from 24 hours to 4 hours to accelerate address recycling. In production, monitoring tools alert when pool utilization exceeds 80%. Misconfiguration: the DHCP server had a reservation block for 200 static IPs that were never used, effectively reducing the pool. Removing unused reservations restored capacity.
Enterprise Scenario 3: Rogue DHCP Server in a Corporate LAN
An employee plugs a consumer-grade router into the corporate network for convenience. This router's DHCP server is enabled by default, offering IPs from its private range (192.168.1.x). Clients receiving these IPs lose access to corporate resources. Detection: helpdesk tickets spike with 'no internet' complaints. Packet capture reveals DHCPOFFER from 192.168.1.1 (the rogue). Mitigation: enable DHCP snooping on all access switches, marking uplink ports as trusted and all other ports as untrusted. The switch drops DHCPOFFER from the rogue. Prevention: implement 802.1X authentication to block unauthorized devices.
N10-009 Exam Focus on DHCP Troubleshooting
The exam tests your ability to identify and resolve DHCP issues. Key objective codes: 5.3 (Given a scenario, troubleshoot common network issues), with DHCP failures falling under 'IP addressing issues' and 'DHCP server issues'.
Most Common Wrong Answers and Why Candidates Choose Them
'The client has a duplicate IP address' – Candidates see APIPA (169.254.x.x) and think duplicate IP. Reality: APIPA indicates no DHCP server reached, not a conflict. Duplicate IP typically shows a valid IP but with a warning in logs.
'The DHCP server is out of addresses' – While possible, exam scenarios often present APIPA due to relay misconfiguration, not exhaustion. Always check relay first if client and server are on different subnets.
'The client's NIC is faulty' – A common distractor. If the client gets an APIPA address, the NIC is working (it self-assigned). The issue is upstream.
'The DHCP server is down' – Candidates assume server failure. But the exam loves scenarios where the server is up but the relay agent is misconfigured or the scope is inactive.
Specific Numbers and Values to Memorize
APIPA range: 169.254.0.0/16 (169.254.0.1 to 169.254.255.254) with automatic mask 255.255.0.0.
Default lease time: 24 hours (86400 seconds) – but can vary.
T1 timer: 50% of lease (12 hours for 24-hour lease).
T2 timer: 87.5% of lease (21 hours for 24-hour lease).
DHCP uses UDP ports 67 (server) and 68 (client).
DHCP message types: 1 (Discover), 2 (Offer), 3 (Request), 4 (Decline), 5 (Ack), 6 (Nak), 7 (Release), 8 (Inform).
Edge Cases and Exceptions
DHCP Inform: A client that already has an IP (e.g., via static) can use DHCPINFORM to request other parameters (DNS, domain) without getting an IP. The exam may test this as an alternative to full DORA.
DHCP Decline: If a client detects an IP conflict (via ARP), it sends DHCPDECLINE to the server, which marks the address as conflicted. The server will not reassign it until cleared.
Multiple DHCP servers: Clients accept the first offer. The exam may present a scenario where a rogue server responds faster than the legitimate one.
DHCP over VPN: DHCP broadcasts typically do not traverse VPN tunnels. Clients may need static IPs or DHCP relay over VPN.
How to Eliminate Wrong Answers
If the client has 169.254.x.x, eliminate 'duplicate IP' and 'server out of addresses' – focus on connectivity to server or relay.
If the client has a valid IP but no internet, check gateway and DNS options (DHCP options 3 and 6).
If the client gets a NAK, the server is reachable but refusing the request – check scope exclusions or that the requested IP is within scope.
Use the DORA flow: missing Offer = server unreachable or not responding; missing Request = client didn't accept (rare); missing Ack = server NAK'd.
DHCP uses DORA: Discover (broadcast), Offer (broadcast/unicast), Request (broadcast/unicast), Ack (unicast).
APIPA range is 169.254.0.0/16 – indicates no DHCP server reached.
Default lease time is 24 hours; T1 at 50% (12h), T2 at 87.5% (21h).
DHCP relay uses the giaddr field to tell the server which subnet to assign from.
DHCP snooping prevents rogue servers by blocking DHCPOFFER on untrusted ports.
Common DHCP options: 3 (router), 6 (DNS), 15 (domain), 51 (lease time), 66 (TFTP server), 150 (TFTP server IP for VoIP).
DHCP uses UDP ports 67 (server) and 68 (client).
A DHCPNak forces the client to restart the DORA process.
Reservations bind a specific IP to a MAC address, ensuring consistent assignment.
Troubleshooting order: check client config → server status → relay → packet capture → rogue detection.
These come up on the exam all the time. Here's how to tell them apart.
DHCP Discover (Broadcast)
Sent by client with source IP 0.0.0.0 and destination 255.255.255.255
Uses UDP port 68 source, 67 destination
Contains client MAC and transaction ID
May include requested IP if client had previous lease
Triggers Offer from any listening server
DHCP Request (Broadcast after Offer)
Sent by client to select a specific server's offer
Also broadcast to inform other servers to withdraw offers
Includes server identifier of chosen server
If unicast (renewal), sent directly to server at T1
Triggers Ack or Nak from selected server
Mistake
APIPA means the IP address is duplicated.
Correct
APIPA (169.254.x.x) is assigned when no DHCP server responds. Duplicate IP detection uses ARP and results in a DHCPDECLINE, not APIPA. APIPA is a self-assigned fallback, not a conflict indicator.
Mistake
A DHCP server always assigns the same IP to a client.
Correct
Without a reservation, DHCP assigns any available IP from the pool. A client may get a different IP after lease expiration if the previous IP was reassigned. Reservations bind a MAC address to a specific IP.
Mistake
DHCP relay only works with Cisco routers.
Correct
DHCP relay (RFC 1542) is supported by many devices: routers, Layer 3 switches, firewalls, and even some servers. The configuration method varies but the principle is the same: forwarding broadcasts as unicasts.
Mistake
Lease renewal always uses broadcast.
Correct
At T1 (50% lease), the client sends a unicast DHCPREQUEST directly to the server. Broadcast is only used at T2 (87.5%) if the unicast renewal fails. This reduces broadcast traffic.
Mistake
DHCP snooping prevents all DHCP attacks.
Correct
DHCP snooping primarily prevents rogue DHCP servers by filtering DHCPOFFER from untrusted ports. It does not prevent DHCP starvation attacks (exhausting the pool) unless combined with rate limiting.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
APIPA (Automatic Private IP Addressing) means the client failed to get a response from a DHCP server. The client assigns itself an IP in the 169.254.0.0/16 range. To fix: check connectivity between client and DHCP server, verify the server is running and has available addresses, ensure DHCP relay is configured if on different subnets, and check for rogue servers that might be interfering.
On the interface facing the client subnet, use the command `ip helper-address <DHCP-server-IP>`. For example: `interface GigabitEthernet0/1` then `ip helper-address 192.168.10.5`. This tells the router to forward DHCP broadcasts to that server. The router inserts its own IP (giaddr) so the server knows which subnet to assign from.
Renewal (T1 at 50% lease) is a unicast DHCPREQUEST sent directly to the server that granted the lease. If no response, at T2 (87.5% lease) the client enters rebinding state and broadcasts a DHCPREQUEST to any server. If both fail, the lease expires and the client must start over with a Discover.
A DHCP server sends a NAK when it cannot honor a request. Common reasons: the requested IP is outside the scope, the IP is already leased to another client, the client's MAC is in an exclusion list, or the server's scope is inactive. Check server logs for the specific reason.
DHCP snooping is a switch feature that builds a binding table (MAC-IP-VLAN-interface) from trusted DHCPACK messages. It drops DHCPOFFER messages received on untrusted ports (client-facing) to prevent rogue servers. It also rate-limits DHCP traffic to prevent starvation attacks. Enable globally and per VLAN, then designate trusted ports (uplinks to legitimate servers).
Option 3 (default gateway), Option 6 (DNS servers), Option 51 (lease time), Option 66 (TFTP server name for PXE boot), and Option 150 (TFTP server IP for Cisco IP phones). Know their numbers and purposes.
Yes, multiple DHCP servers can coexist on the same subnet. Clients accept the first offer they receive. This can cause issues if one server is rogue or misconfigured. DHCP snooping can filter untrusted servers. For redundancy, use DHCP failover (e.g., Windows Server DHCP failover) rather than independent servers.
You've just covered DHCP Troubleshooting — now see how well it sticks with free N10-009 practice questions. Full explanations included, no account needed.
Done with this chapter?