# =============================================================================
# WUC Technologies — IPv4 Field Guide
# CLI cheat sheet: APIPA / link-local — 169.254.0.0/16
# Source: https://www.wuctechnologies.com/resources/field-guides/ipv4-address-analyzer/
# License: CC0 1.0 Public Domain (https://creativecommons.org/publicdomain/zero/1.0/)
# Released: 2026-05-22
#
# 169.254.0.0/16 is the IPv4 link-local range (RFC 3927). Operating systems
# auto-assign an APIPA address when a DHCP request fails. APIPA addresses
# are not routable beyond the local link.
# =============================================================================

# -----------------------------------------------------------------------------
# Diagnosis — is the host stuck on APIPA?
# -----------------------------------------------------------------------------

# Show all addresses; flag any 169.254.x.y entries:
ip -4 addr show | grep -E "inet 169\.254\."

# Equivalent on Windows (run in elevated cmd):
#   ipconfig | findstr 169.254

# If a production interface is on 169.254.x.y, DHCP has failed. Most common
# causes:
#   - DHCP server is down or unreachable
#   - DHCP relay is misconfigured on the upstream switch / router
#   - The interface is on the wrong VLAN
#   - The DHCP scope is exhausted
#   - A captive portal / NAC is denying the lease

# -----------------------------------------------------------------------------
# Force a new DHCP lease request
# -----------------------------------------------------------------------------

# Release and reacquire (systemd-networkd or NetworkManager):
sudo dhclient -r eth0
sudo dhclient eth0

# If using NetworkManager:
sudo nmcli connection down "Wired connection 1"
sudo nmcli connection up "Wired connection 1"

# Watch the DHCP transaction live:
sudo tcpdump -i eth0 -nn -e \
    '(udp port 67 or udp port 68)'

# Expect: DHCPDISCOVER (broadcast from client) → DHCPOFFER (from server) →
# DHCPREQUEST → DHCPACK. If only DHCPDISCOVERs appear with no OFFER, the
# DHCP server isn't seeing the broadcast — check L2 / VLAN / relay.

# -----------------------------------------------------------------------------
# Manually assign and test link-local
# -----------------------------------------------------------------------------

# Adjacent hosts on the same physical link can communicate over APIPA:
sudo ip addr add 169.254.10.5/16 dev eth0
sudo ip addr add 169.254.10.6/16 dev eth0   # on the peer

# ARP-discover other APIPA hosts on the link:
sudo arping -I eth0 -c 3 169.254.10.6

# Scan the whole /16 (slow but valid for troubleshooting):
sudo nmap -sn 169.254.0.0/16

# -----------------------------------------------------------------------------
# DHCP server-side diagnosis (isc-dhcp-server, dnsmasq)
# -----------------------------------------------------------------------------

# isc-dhcp-server log location and tail:
sudo tail -f /var/log/syslog | grep dhcpd

# dnsmasq log:
sudo journalctl -u dnsmasq -f

# Check scope utilization:
sudo dhcp-lease-list                  # if dhcp-helper installed
sudo cat /var/lib/dhcp/dhcpd.leases   # raw lease database

# -----------------------------------------------------------------------------
# Drop APIPA-sourced packets at L3 boundaries
# -----------------------------------------------------------------------------

# APIPA traffic should NEVER cross a router. Defensive rules:
sudo iptables -A FORWARD -s 169.254.0.0/16 -j DROP
sudo iptables -A FORWARD -d 169.254.0.0/16 -j DROP

# On Cisco IOS:
#   ip access-list extended NO-APIPA
#    deny ip 169.254.0.0 0.0.255.255 any
#    permit ip any any
#   interface GigabitEthernet0/1
#    ip access-group NO-APIPA in

# -----------------------------------------------------------------------------
# Permanent fix — restore DHCP
# -----------------------------------------------------------------------------

# 1. Verify the DHCP server is running and reachable.
# 2. If on an isolated VLAN, ensure `ip helper-address ` is set
#    on the gateway SVI for that VLAN.
# 3. Confirm the DHCP scope has free leases.
# 4. Check that the captive portal / NAC has the host's MAC authorized.

# -----------------------------------------------------------------------------
# Address range reference
# -----------------------------------------------------------------------------

# 169.254.0.0/16 = 169.254.0.0 through 169.254.255.255
# Total addresses: 65,536    Usable hosts: 65,534
# Subnet mask: 255.255.0.0   Wildcard mask: 0.0.255.255
# Not routable. Single-link scope only.
# =============================================================================