With networks getting larger in size and more complicated in structure, lack of available IP addresses becomes the common situation the network administrators have to face, and network configuration becomes a tough task for the network administrators. With the emerging of wireless networks and the using of laptops, the position change of hosts and frequent change of IP addresses also require new technology. Dynamic host configuration protocol (DHCP) is developed to solve these issues.

DHCP adopts a client/server model, where the DHCP clients send requests to DHCP servers for configuration parameters; and the DHCP servers return the corresponding configuration information such as IP addresses to implement dynamic allocation of network resources.

A typical DHCP application includes one DHCP server and multiple clients (such as PCs and laptops), as shown in Figure 1-1.

Figure 1-1 Typical DHCP application

DHCP IP Address Assignment

IP Address Assignment Policy

Currently, DHCP provides the following three IP address assignment policies to meet the requirements of different clients:

l Manual assignment. The administrator configures static IP-to-MAC bindings for some special clients, such as a WWW server. Then the DHCP server assigns these fixed IP addresses to the clients.

l Automatic assignment. The DHCP server assigns IP addresses to DHCP clients. The IP addresses will be occupied by the DHCP clients permanently.

l Dynamic assignment. The DHCP server assigns IP addresses to DHCP clients for predetermined period of time. In this case, a DHCP client must apply for an IP address again at the expiration of the period. This policy applies to most clients.

Obtaining IP Addresses Dynamically

A DHCP client undergoes the following four phases to dynamically obtain an IP address from a DHCP server:

1) Discover: In this phase, the DHCP client tries to find a DHCP server by broadcasting a DHCP-DISCOVER packet.

2) Offer: In this phase, the DHCP server offers an IP address. After the DHCP server receives the DHCP-DISCOVER packet from the DHCP client, it chooses an unassigned IP address from the address pool according to the priority order of IP address assignment and then sends the IP address and other configuration information together in a DHCP-OFFER packet to the DHCP client. The sending mode is decided by the flag filed in the DHCP-DISCOVER packet, refer to DHCP Packet Format for details.

3) Select: In this phase, the DHCP client selects an IP address. If more than one DHCP server sends DHCP-OFFER packets to the DHCP client, the DHCP client only accepts the DHCP-OFFER packet that first arrives, and then broadcasts a DHCP-REQUEST packet containing the assigned IP address carried in the DHCP-OFFER packet.

4) Acknowledge: In this phase, the DHCP servers acknowledge the IP address. Upon receiving the DHCP-REQUEST packet, only the selected DHCP server returns a DHCP-ACK packet to the DHCP client to confirm the assignment of the IP address to the client, or returns a DHCP-NAK packet to refuse the assignment of the IP address to the client. When the client receives the DHCP-ACK packet, it broadcasts an ARP packet with the assigned IP address as the destination address to detect the assigned IP address, and uses the IP address only if it does not receive any response within a specified period.

l After the client receives the DHCP-ACK message, it will probe whether the IP address assigned by the server is in use by broadcasting a gratuitous ARP packet. If the client receives no response within specified time, the client can use this IP address. Otherwise, the client sends a DHCP-DECLINE message to the server and requests an IP address again.

l If there are multiple DHCP servers, IP addresses offered by other DHCP servers are assignable to other clients.

Updating IP Address Lease

After a DHCP server dynamically assigns an IP address to a DHCP client, the IP address keeps valid only within a specified lease time and will be reclaimed by the DHCP server when the lease expires. If the DHCP client wants to use the IP address for a longer time, it must update the IP lease.

By default, a DHCP client updates its IP address lease automatically by unicasting a DHCP-REQUEST packet to the DHCP server when half of the lease time elapses. The DHCP server responds with a DHCP-ACK packet to notify the DHCP client of a new IP lease if the server can assign the same IP address to the client. Otherwise, the DHCP server responds with a DHCP-NAK packet to notify the DHCP client that the IP address will be reclaimed when the lease time expires.

If the DHCP client fails to update its IP address lease when half of the lease time elapses, it will update its IP address lease by broadcasting a DHCP-REQUEST packet to the DHCP servers again when seven-eighths of the lease time elapses. The DHCP server performs the same operations as those described above.

DHCP Packet Format

DHCP has eight types of packets. They have the same format, but the values of some fields in the packets are different. The DHCP packet format is based on that of the BOOTP packets. The following figure describes the packet format (the number in the brackets indicates the field length, in bytes):

Figure 1-2 DHCP packet format

The fields are described as follows:

l op: Operation types of DHCP packets, 1 for request packets and 2 for response packets.

l htype, hlen: Hardware address type and length of the DHCP client.

l hops: Number of DHCP relay agents which a DHCP packet passes. For each DHCP relay agent that the DHCP request packet passes, the field value increases by 1.

l xid: Random number that the client selects when it initiates a request. The number is used to identify an address-requesting process.

l secs: Elapsed time after the DHCP client initiates a DHCP request.

l flags: The first bit is the broadcast response flag bit, used to identify that the DHCP response packet is a unicast (set to 0) or broadcast (set to 1). Other bits are reserved.

l ciaddr: IP address of a DHCP client.

l yiaddr: IP address that the DHCP server assigns to a client.

l siaddr: IP address of the DHCP server.

l giaddr: IP address of the first DHCP relay agent that the DHCP client passes after it sent the request packet.

l chaddr: Hardware address of the DHCP client.

l sname: Name of the DHCP server.

l file: Path and name of the boot configuration file that the DHCP server specifies for the DHCP client.

l option: Optional variable-length fields, including packet type, valid lease time, IP address of a DNS server, and IP address of the WINS server.

Protocols and Standards

l RFC 2131: Dynamic Host Configuration Protocol

l RFC 2132: DHCP Options and BOOTP Vendor Extensions

l RFC 1542: Clarifications and Extensions for the Bootstrap Protocol

l RFC 3046: DHCP Relay Agent Information option

2 DHCP Relay Agent Configuration

When configuring the DHCP relay agent, go to these sections for information you are interested in:

l Introduction to DHCP Relay Agent

l Configuring the DHCP Relay Agent

l Displaying and Maintaining DHCP Relay Agent Configuration

l DHCP Relay Agent Configuration Example

l Troubleshooting DHCP Relay Agent Configuration

Currently, the interface-related DHCP relay agent configurations can only be made on VLAN interfaces.

Introduction to DHCP Relay Agent

Usage of DHCP Relay Agent

Since the packets are broadcasted in the process of obtaining IP addresses, DHCP is only applicable to the situation that DHCP clients and DHCP servers are in the same network segment, that is, you need to deploy at least one DHCP server for each network segment, which is far from economical.

DHCP relay agent is designed to address this problem. It enables DHCP clients in a subnet to communicate with the DHCP server in another subnet so that the DHCP clients can obtain IP addresses. In this case, the DHCP clients in multiple networks can use the same DHCP server, which can decrease your cost and provide a centralized administration.

DHCP Relay Agent Fundamentals

Figure 2-1 illustrates a typical DHCP relay agent application.

Figure 2-1 Typical DHCP relay agent application

In the process of dynamic IP address assignment through the DHCP relay agent, the DHCP client and DHCP server interoperate with each other in a similar way as they do without the DHCP relay agent. The following sections only describe the forwarding process of the DHCP relay agent. For the interaction process of the packets, see Obtaining IP Addresses Dynamically.

1) After receiving the DHCP-DISCOVER or DHCP-REQUEST broadcast from the client, the network device providing the DHCP relay agent function unicasts the message to the designated DHCP server based on the configuration.

2) The DHCP server selects an IP address and other parameters and sends the configuration information to the DHCP relay agent that relays the information to the client (the sending mode is decided by the flag filed in the client’s DHCP-DISCOVER packet, refer to DHCP Packet Format for details).

DHCP Relay Agent Support for Option 82

Introduction to Option 82

Option 82 is the relay agent information option in the DHCP message. It records the location information of the DHCP client. With this option, the administrator can locate the DHCP client to further implement security control and accounting. The Option 82 supporting server can also use such information to define individual assignment policies of IP address and other parameters for the clients.

Option 82 involves at most 255 sub-options. If Option 82 is defined, at least one sub-option must be defined. Currently the DHCP relay agent supports two sub-options: sub-option 1 (circuit ID sub-option) and sub-option 2 (remote ID sub-option).

Padding content of Option 82

Option 82 has no unified definition in RFC 3046. Its padding information varies with vendors. Currently, the device that operates as a DHCP relay agent supports the extended padding format of Option 82 sub-options. By default, the sub-options of Option 82 are padded as follows, as shown in Figure 2-2 and Figure 2-3. (The content in brackets is the fixed value of each field.)

l Sub-option 1: Padded with the port index (smaller than the physical port number by 1) and VLAN ID of the port that received the client’s request.

l Sub-option 2: Padded with the bridge MAC address of the DHCP relay agent device that received the client’s request.

Figure 2-2 Padding contents for sub-option 1 of Option 82

Figure 2-3 Padding contents for sub-option 2 of Option 82

Mechanism of Option 82 supported on DHCP relay agent

The procedure for a DHCP client to obtain an IP address from a DHCP server through a DHCP relay agent is similar to that for the client to obtain an IP address from a DHCP server directly. The following are the mechanism of Option 82 support on DHCP relay agent.

1) Upon receiving a DHCP request, the DHCP relay agent checks whether the packet contains Option 82 and processes the packet accordingly.

l If the request packet contains Option 82, the DHCP relay agent processes the packet depending on the configured strategy (that is, discards the packet, replaces the original Option 82 in the packet with its own, or leaves the original Option 82 unchanged in the packet), and forwards the packet (if not discarded) to the DHCP server.

l If the request packet does not contain Option 82, the DHCP relay agent adds Option 82 to the packet and forwards the packet to the DHCP server.

2) Upon receiving the packet returned from the DHCP server, the DHCP relay agent strips Option 82 from the packet and forwards the packet with the DHCP configuration information to the DHCP client.

Request packets sent by a DHCP client fall into two categories: DHCP-DISCOVER packets and DHCP-REQUEST packets. As DHCP servers coming from different manufacturers process DHCP request packets in different ways (that is, some DHCP servers process Option 82 in DHCP-DISCOVER packets, whereas the rest process Option 82 in DHCP-REQUEST packets), a DHCP relay agent adds Option 82 to both types of packets to accommodate to DHCP servers of different manufacturers.

Configuring the DHCP Relay Agent

If a device belongs to an IRF fabric, you need to enable the UDP Helper function on it before configuring it as a DHCP relay agent.

DHCP Relay Agent Configuration Task List

Complete the following tasks to configure the DHCP relay agent:

Task	Remarks
Correlating a DHCP Server Group with a Relay Agent Interface	Required
Configuring DHCP Relay Agent Security Functions	Optional
Configuring the DHCP Relay Agent to Support Option 82	Optional

Correlating a DHCP Server Group with a Relay Agent Interface

To enhance reliability, you can set multiple DHCP servers on the same network. These DHCP servers form a DHCP server group. When an interface of the relay agent establishes a correlation with the DHCP server group, the interface will forward received DHCP packets to all servers in the server group.

Follow these steps to correlate a DHCP server group with a relay agent interface:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Configure the DHCP server IP address(es) in a specified DHCP server group	dhcp-server groupNo ip ip-address&<1-8>	Required By default, no DHCP server IP address is configured in a DHCP server group.
Map an interface to a DHCP server group	interface interface-type interface-number	Required By default, a VLAN interface is not mapped to any DHCP server group.
Map an interface to a DHCP server group	dhcp-server groupNo

To improve security and avoid malicious attack to the unused SOCKETs, the device provides the following functions:

l UDP 67 and UDP 68 ports used by DHCP are enabled only when DHCP is enabled.

l UDP 67 and UDP 68 ports are disabled when DHCP is disabled.

The corresponding implementation is as follows:

l When a VLAN interface is mapped to a DHCP server group with the dhcp-server command, the DHCP relay agent is enabled. At the same time, UDP 67 and UDP 68 ports used by DHCP are enabled.

l When the mapping between a VLAN interface and a DHCP server group is removed with the undo dhcp-server command, DHCP services are disabled. At the same time, UDP 67 and UDP 68 ports are disabled.

l You can configure up to eight DHCP server IP addresses in a DHCP server group.

l You can map multiple VLAN interfaces to one DHCP server group. But one VLAN interface can be mapped to only one DHCP server group.

l If you execute the dhcp-server groupNo command repeatedly, the new configuration overwrites the previous one.

l You need to configure the group number specified in the dhcp-server groupNo command in VLAN interface view by using dhcp-server groupNo ip ip-address&<1-8> in advance.

Configuring DHCP Relay Agent Security Functions

Configuring address checking

After relaying an IP address from the DHCP server to a DHCP client, the DHCP relay agent can automatically record the client’s IP-to-MAC binding and generate a dynamic address entry. It also supports static bindings, which means you can manually configure IP-to-MAC bindings on the DHCP relay agent, so that users can access external network using fixed IP addresses.

The purpose of the address checking function on DHCP relay agent is to prevent unauthorized users from statically configuring IP addresses to access external networks. With this function enabled, a DHCP relay agent inhibits a user from accessing external networks if the IP address configured on the user end and the MAC address of the user end do not match any entries (including the entries dynamically tracked by the DHCP relay agent and the manually configured static entries) in the user address table on the DHCP relay agent.

Follow these steps to configure address checking:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Create a static IP-to-MAC binding	dhcp-security static ip-address mac-address	Optional Not created by default.
Enter interface view	interface interface-type interface-number	—
Enable the address checking function	address-check enable	Required Disabled by default.

l The address-check enable command is independent of other commands of the DHCP relay agent. That is, the invalid address check takes effect when this command is executed, regardless of whether other commands (such as the command to enable DHCP) are used.

l Before executing the address-check enable command on the interface connected to the DHCP server, you need to configure the static binding of the IP address to the MAC address of the DHCP server. Otherwise, the DHCP client will fail to obtain an IP address.

Configuring the dynamic client address entry updating function

After relaying an IP address from the DHCP server to the DHCP client, the DHCP relay agent can automatically record the client’s IP-to-MAC binding and generate a dynamic address entry. But as a DHCP relay agent does not process DHCP-RELEASE packets, which are sent to DHCP servers by DHCP clients through unicast when the DHCP clients release IP addresses, the user address entries maintained by the DHCP cannot be updated in time. You can solve this problem by enabling the DHCP relay agent handshake function and configuring the dynamic client address entry updating interval.

After the handshake function is enabled, the DHCP relay agent sends the handshake packet (the DHCP-REQUEST packet) periodically to the DHCP server using a client’s IP address and its own MAC address.

l If the DHCP relay agent receives the DHCP-ACK packet from the DHCP server, or receives no response from the server within a specified period, the IP address can be assigned. The DHCP relay agent ages out the corresponding entry in the client address table.

l If the DHCP relay agent receives the DHCP-NAK packet from the DHCP server, the lease of the IP address does not expire. The DHCP relay agent does not age out the corresponding entry.

Follow these steps to configure the dynamic user address entry updating function:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Enable the DHCP relay agent handshake function	dhcp relay hand enable	Optional Enabled by default.
Set the interval at which the DHCP relay agent dynamically updates the client address entries	dhcp-security tracker { interval \| auto }	Optional By default, auto is adopted, that is, the interval is automatically calculated.

Enabling unauthorized DHCP server detection

If there is an unauthorized DHCP server in the network, when a client applies for an IP address, the unauthorized DHCP server may assign an incorrect IP address to the DHCP client.

With this feature enabled, upon receiving a DHCP message with the siaddr field (IP addresses of the servers offering IP addresses to the client) not being 0 from a client, the DHCP relay agent will record the value of the siaddr field and the receiving interface. The administrator can use this information to check out any DHCP unauthorized servers.

Follow these steps to enable unauthorized DHCP server detection:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Enable unauthorized DHCP server detection	dhcp-server detect	Required Disabled by default.

To do…

Use the command…

Remarks

Enter system view

system-view

—

Enable unauthorized DHCP server detection

dhcp-server detect

Required

Disabled by default.

With the unauthorized DHCP server detection enabled, the relay agent will log all DHCP servers, including authorized ones, and each server is recorded only once until such information is removed and is recorded again. The administrator needs to find unauthorized DHCP servers from the system log information.

Configuring the DHCP Relay Agent to Support Option 82

Prerequisites

Before configuring Option 82 support on a DHCP relay agent, you need to:

l Configure network parameters and relay function of the DHCP relay device.

l Perform assignment strategy-related configurations, such as network parameters of the DHCP server, address pool, and lease time.

l The routes between the DHCP relay agent and the DHCP server are reachable.

Configuring the DHCP relay agent to support Option 82

Follow these steps to configure the DHCP relay agent to support Option 82:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Enable Option 82 support on the DHCP relay agent	dhcp relay information enable	Required Disabled by default.
Configure the strategy for the DHCP relay agent to process request packets containing Option 82	dhcp relay information strategy { drop \| keep \| replace }	Optional By default, the replace strategy is adopted

l By default, with the Option 82 support function enabled on the DHCP relay agent, the DHCP relay agent will adopt the replace strategy to process the request packets containing Option 82. However, if other strategies are configured before, then enabling the 82 support on the DHCP relay agent will not change the configured strategies.

l To enable Option 82, you need to perform the corresponding configuration on the DHCP server and the DHCP relay agent.

Displaying and Maintaining DHCP Relay Agent Configuration

To do…	Use the command…	Remarks
Display the information about a specified DHCP server group	display dhcp-server groupNo	Available in any view
Display the information about the DHCP server group to which a specified VLAN interface is mapped	display dhcp-server interface vlan-interface vlan-id
Display the specified client address entries on the DHCP relay agent	display dhcp-security [ ip-address \| dynamic \| static \| tracker ]
Clear the statistics information of the specified DHCP server group	reset dhcp-server groupNo	Available in user view

DHCP Relay Agent Configuration Example

Network requirements

As shown in Figure 2-4, VLAN-interface 1 on the DHCP relay agent (Switch A) connects to the network where DHCP clients reside. The IP address of VLAN-interface 1 is 10.10.1.1/24 and IP address of VLAN-interface 2 is 10.1.1.2/24 that communicates with the DHCP server 10.1.1.1/24. As shown in the figure below, Switch A forwards messages between DHCP clients and the DHCP server to assign IP addresses in subnet 10.10.1.0/24 to the clients.

Figure 2-4 Network diagram for DHCP relay agent

Configuration procedure

# Create DHCP server group 1 and configure an IP address of 10.1.1.1 for it.

<SwitchA> system-view

[SwitchA] dhcp-server 1 ip 10.1.1.1

# Map VLAN-interface 1 to DHCP server group 1.

[SwitchA] interface vlan-interface 1

[SwitchA-Vlan-interface1] dhcp-server 1

l You need to perform corresponding configurations on the DHCP server to enable the DHCP clients to obtain IP addresses from the DHCP server. The DHCP server configurations vary with different DHCP server devices, so the configurations are omitted.

l The DHCP relay agent and DHCP server must be reachable to each other.

Troubleshooting DHCP Relay Agent Configuration

Symptom

A client fails to obtain configuration information through a DHCP relay agent.

Analysis

This problem may be caused by improper DHCP relay agent configuration. When a DHCP relay agent operates improperly, you can locate the problem by enabling debugging and checking the information about debugging and interface state (You can display the information by executing the corresponding display command.)

Solution

l Check if DHCP is enabled on the DHCP server and the DHCP relay agent.

l Check if an address pool that is on the same network segment with the DHCP clients is configured on the DHCP server.

l Check if a reachable route is configured between the DHCP relay agent and the DHCP server.

l Check the DHCP relay agent. Check if the correct DHCP server group is configured on the interface connecting the network segment where the DHCP client resides. Check if the IP address of the DHCP server group is correct.

l If the address-check enable command is configured on the interface connected to the DHCP server, verify the DHCP server’s IP-to-MAC address binding entry is configured on the DHCP relay agent; otherwise the DHCP client cannot obtain an IP address.

3 DHCP Snooping Configuration

After DHCP snooping is enabled on a device, clients connected with the device cannot obtain IP addresses dynamically through BOOTP.

DHCP Snooping Overview

Function of DHCP Snooping

For security, the IP addresses used by online DHCP clients need to be tracked for the administrator to verify the corresponding relationship between the IP addresses the DHCP clients obtained from DHCP servers and the MAC addresses of the DHCP clients.

l Switches can track DHCP clients’ IP addresses through the security function of the DHCP relay agent operating at the network layer.

l Switches can track DHCP clients’ IP addresses through the DHCP snooping function at the data link layer.

When an unauthorized DHCP server exists in the network, a DHCP client may obtains an illegal IP address. To ensure that the DHCP clients obtain IP addresses from valid DHCP servers, you can specify a port to be a trusted port or an untrusted port by the DHCP snooping function.

l Trusted: A trusted port is connected to an authorized DHCP server directly or indirectly. It forwards DHCP messages to guarantee that DHCP clients can obtain valid IP addresses.

l Untrusted: An untrusted port is connected to an unauthorized DHCP server. The DHCP-ACK or DHCP-OFFER packets received from the port are discarded, preventing DHCP clients from receiving invalid IP addresses.

Figure 3-1 illustrates a typical network diagram for DHCP snooping application, where Switch A is a WX3000 series device.

Figure 3-1 Typical network diagram for DHCP snooping application

DHCP snooping listens the following two types of packets to retrieve the IP addresses the DHCP clients obtain from DHCP servers and the MAC addresses of the DHCP clients:

l DHCP-REQUEST packet

l DHCP-ACK packet