
DHCP Client Not Getting IP Address

Presenting Symptom

A client PC connected to a switch port in VLAN 10 is unable to obtain an IP address via DHCP; the client reports 'No IP address' or receives an APIPA address (169.254.x.x).

Network Context

The network is a small branch office with a single Cisco Catalyst 2960 switch (IOS 15.0) and a Cisco 4321 router acting as the DHCP server. The client PC is connected to FastEthernet0/1 on the switch, which is configured as an access port in VLAN 10. The router's GigabitEthernet0/0/0 is configured as a trunk to the switch, and the router has an IP helper-address pointing to a DHCP server at 192.168.1.10. The DHCP server is reachable and has a scope for VLAN 10 (192.168.10.0/24).

Diagnostic Steps

1. Verify client connectivity and link status

show interfaces fastEthernet 0/1
FastEthernet0/1 is up, line protocol is up
  Hardware is Fast Ethernet, address is xxxx.xxxx.xxxx (bia xxxx.xxxx.xxxx)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed, 100BaseTX/FX
  input flow-control is off, output flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

Check that the interface is up/up. If it is down/down, the cable or client is disconnected. If it is up/down, there may be a VLAN mismatch or spanning-tree blocking.

2. Verify VLAN assignment on the switch port

show running-config interface fastEthernet 0/1
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast

Ensure the port is in access mode and assigned to VLAN 10. If the VLAN is missing or the port is in trunk mode, the client won't get an IP from the correct subnet.

3. Check DHCP snooping status (if enabled)

show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
   remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted     Allow option 82    Rate limit (pps)
-----------------------    -------     ----------------    ----------------
GigabitEthernet0/1         yes         yes                 unlimited
FastEthernet0/1            no          no                  15
Custom circuit-ids:

If DHCP snooping is enabled, the client port (FastEthernet0/1) must be untrusted, but the uplink to the router (GigabitEthernet0/1) must be trusted. If the client port is trusted, it could be receiving rogue DHCP offers. If the uplink is untrusted, DHCP offers from the legitimate server will be dropped.
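The trust-boundary check described above can be automated. This is an added example, not part of the original page: the function names, the caller-supplied uplink set, and the extra FastEthernet0/2 row in the sample are assumptions made for illustration.

```python
import re

# Constructed sample: the trust table from "show ip dhcp snooping" as shown
# above, plus one deliberately mis-trusted access port (FastEthernet0/2).
SAMPLE = """\
Interface                  Trusted     Allow option 82    Rate limit (pps)
-----------------------    -------     ----------------    ----------------
GigabitEthernet0/1         yes         yes                 unlimited
FastEthernet0/1            no          no                  15
FastEthernet0/2            yes         yes                 unlimited
"""

ROW = re.compile(r"^(\S+)\s+(yes|no)\s+(yes|no)\s+(unlimited|\d+)$")


def parse_trust_table(text):
    """Return {interface: (trusted, rate_pps)}; rate_pps is None when unlimited."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            name, trusted, _opt82, rate = m.groups()
            ports[name] = (trusted == "yes",
                           None if rate == "unlimited" else int(rate))
    return ports


def audit_trust(text, uplinks):
    """uplinks: ports facing the legitimate DHCP server (supplied by the caller).

    A port absent from the table has no explicit trust setting, i.e. untrusted.
    """
    ports = parse_trust_table(text)
    findings = []
    for up in sorted(uplinks):
        if not ports.get(up, (False, None))[0]:
            findings.append((up, "uplink untrusted: server OFFER/ACK dropped"))
    for name, (trusted, rate) in ports.items():
        if name in uplinks:
            continue
        if trusted:
            findings.append((name, "client port trusted: rogue offers accepted"))
        elif rate is None:
            findings.append((name, "untrusted port without DHCP rate limit"))
    return findings


if __name__ == "__main__":
    for port, issue in audit_trust(SAMPLE, {"GigabitEthernet0/1"}):
        print(f"{port}: {issue}")
```
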

4. Verify DHCP server configuration on the router

show ip dhcp pool VLAN10_POOL
Pool VLAN10_POOL :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 254
 Leased addresses               : 0
 Pending event                  : none
 1 subnet is currently in the pool :
 Current index        IP address range                    Leased addresses
 192.168.10.1         192.168.10.1    - 192.168.10.254     0

Check that the pool exists, has available addresses, and the subnet matches VLAN 10. If the pool is exhausted or misconfigured, clients won't get addresses.

5. Verify IP helper-address on the router interface

show running-config interface gigabitEthernet 0/0/0
interface GigabitEthernet0/0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.1.10

Ensure the subinterface for VLAN 10 has the correct IP address and the ip helper-address points to the DHCP server. If the helper-address is missing or incorrect, DHCP broadcasts won't be forwarded.

6. Check DHCP packet statistics on the router

show ip dhcp server statistics
Memory usage                    : 12345
Address pools                   : 2
Database agents                 : 0
Automatic bindings              : 0
Manual bindings                 : 0
Expired bindings                : 0
Malformed messages              : 0
Secure arp entries              : 0

Message                         Received
BOOTREQUEST                     0
DHCPDISCOVER                    0
DHCPREQUEST                     0
DHCPDECLINE                     0
DHCPRELEASE                     0
DHCPINFORM                      0

Message                         Sent
BOOTREPLY                       0
DHCPOFFER                       0
DHCPACK                         0
DHCPNAK                         0

If the router is the DHCP server, check that it is receiving DISCOVER messages. If Received is 0, the client's broadcast is not reaching the router. If Received >0 but Sent is 0, the server may have no available addresses or the pool is misconfigured.

7. Debug DHCP events on the router

debug ip dhcp server events
DHCPD: DHCPDISCOVER received from client 0050.7966.6800 on interface GigabitEthernet0/0/0.10
DHCPD: Sending DHCPOFFER to client 0050.7966.6800 (192.168.10.2)
DHCPD: DHCPREQUEST received from client 0050.7966.6800
DHCPD: Sending DHCPACK to client 0050.7966.6800 (192.168.10.2)

Enable debug to see if the router receives the DISCOVER and sends OFFER/ACK. If no DISCOVER is seen, the broadcast is not reaching the router (check VLAN, trunk, helper-address). If OFFER is sent but no REQUEST, the client may be ignoring the offer (e.g., due to DHCP snooping dropping the offer).

Root Cause

The switch port FastEthernet0/1 is configured as a trunk port instead of an access port, causing the client's untagged DHCP discover broadcast to be placed in the native VLAN (VLAN 1) instead of VLAN 10. The router's subinterface for VLAN 10 does not receive the broadcast, so no DHCP offer is sent.

Resolution

Reconfigure the switch port as an access port in VLAN 10:

Switch(config)# interface fastEthernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# no shutdown

If spanning-tree portfast is desired to speed up convergence:

Switch(config-if)# spanning-tree portfast

Verification

After reconfiguration, verify the port is in access mode and VLAN 10:

Switch# show interfaces fastEthernet 0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (VLAN0010)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none

Then on the client, release and renew the IP address (ipconfig /release & ipconfig /renew on Windows). The client should receive an IP in the 192.168.10.0/24 subnet.

Prevention

1. Use consistent port configuration templates: always configure access ports with 'switchport mode access' and 'switchport access vlan X' explicitly.
2. Enable DHCP snooping with proper trust boundaries to prevent rogue DHCP servers and to log any misconfigurations.
3. Implement port security and disable trunking on access ports by using 'switchport nonegotiate' to prevent dynamic trunking misconfigurations.
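To catch the root-cause condition before a client reports it, the 'show interfaces switchport' output can be checked against the intended access-port plan. This is an added example, not part of the original page: the function names, the caller-supplied port-to-VLAN map, and the sample output (shortened to the fields being checked) are assumptions.

```python
# Constructed sample of "show interfaces switchport" for two ports. Fa0/1 is in
# the faulty state from the root cause (trunk); Fa0/2 matches the verified output.
SAMPLE = """\
Name: Fa0/1
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: On
Access Mode VLAN: 10 (VLAN0010)
Name: Fa0/2
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 10 (VLAN0010)
"""


def parse_switchport(text):
    """Return {port: {field: value}}; each port section starts at 'Name:'."""
    ports, current = {}, None
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if sep and key == "Name":
            current = ports.setdefault(value, {})
        elif sep and current is not None:
            current[key] = value
    return ports


def audit_access_ports(text, expected):
    """expected: {port: vlan} for ports that must be access ports (caller-supplied)."""
    ports, findings = parse_switchport(text), []
    for port, vlan in expected.items():
        f = ports.get(port, {})
        if f.get("Administrative Mode") != "static access":
            findings.append((port, "not configured as switchport mode access"))
        if f.get("Operational Mode") == "trunk":
            findings.append((port, "operating as trunk"))
        if f.get("Negotiation of Trunking") != "Off":
            findings.append((port, "trunk negotiation is not off"))
        if f.get("Access Mode VLAN", "").split()[:1] != [str(vlan)]:
            findings.append((port, f"access VLAN is not {vlan}"))
    return findings


if __name__ == "__main__":
    for port, issue in audit_access_ports(SAMPLE, {"Fa0/1": 10, "Fa0/2": 10}):
        print(f"{port}: {issue}")
```
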

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario tests your ability to troubleshoot DHCP issues in a switched network. Expect a multiple-choice question or a drag-and-drop troubleshooting scenario where you must identify that a port configured as a trunk prevents DHCP from working. The key fact is that DHCP broadcasts are VLAN-specific; if the client is in the wrong VLAN, the DHCP server won't receive the request. Also, remember that 'switchport mode access' is required for client ports.

Exam Tips

1. Remember that DHCP uses broadcasts; if the client and server are in different VLANs, you need an IP helper-address on the router interface.

2. On the exam, if a client gets an APIPA address (169.254.x.x), it means DHCP failed; check VLAN assignment and trunking on the switch port.

3. Know the 'show interfaces switchport' command to quickly verify the operational mode and VLAN of a port.
