04-Layer 3-IP Services Configuration Guide
03-DHCP configuration
Vendor-specific option (Option 43)
Relay agent option (Option 82)
DHCP address assignment mechanisms
Principles for selecting an address pool
IP address allocation sequence
Configuring an address pool on the DHCP server
DHCP address pool tasks at a glance
Specifying a primary subnet and multiple address ranges in a DHCP address pool
Specifying a primary subnet and multiple secondary subnets in a DHCP address pool
Configuring a static binding in a DHCP address pool
Specifying gateways for DHCP clients
Specifying a domain name suffix for DHCP clients
Specifying DNS servers for DHCP clients
Specifying WINS servers and NetBIOS node type for DHCP clients
Specifying BIMS server for DHCP clients
Specifying the configuration file for DHCP client automatic configuration
Specifying a server for DHCP clients
Configuring Option 184 parameters for DHCP clients
Applying a DHCP address pool to a VPN instance
Configuring the DHCP user class whitelist
Applying an address pool to an interface
Configuring a DHCP policy for dynamic assignment
Enabling the DHCP server on an interface
Configuring IP address conflict detection
Enabling handling of Option 82
Configuring the DHCP server security features
Configuring DHCP flood attack protection
Configuring DHCP starvation attack protection
Configuring DHCP server compatibility
Configuring the DHCP server to always broadcast responses
Enabling the DHCP server to return a DHCP-NAK message upon client notions of incorrect IP addresses
Configuring the DHCP server to ignore BOOTP requests
Configuring the DHCP server to send BOOTP responses in RFC 1048 format
Setting the DSCP value for DHCP packets sent by the DHCP server
Configuring DHCP binding auto backup
Enabling client offline detection on the DHCP server
Configuring address pool usage alarming
Enabling DHCP logging on the DHCP server
Display and maintenance commands for DHCP server
DHCP server configuration examples
Example: Configuring static IP address assignment
Example: Configuring dynamic IP address assignment
Example: Configuring DHCP user class
Example: Configuring DHCP user class whitelist
Example: Configuring primary and secondary subnets
Example: Customizing DHCP option
Troubleshooting DHCP server configuration
Failure to obtain a non-conflicting IP address
Configuring the DHCP relay agent
DHCP relay agent support for Option 82
DHCP relay agent support for MCE
DHCP relay agent tasks at a glance
Enabling the DHCP relay agent on an interface
Specifying DHCP servers on a relay agent
Specifying DHCP servers in a DHCP relay address pool
Specifying the DHCP server selecting algorithm
Specifying a DHCP relay address pool for DHCP clients
Configuring the DHCP relay agent security features
Restrictions and guidelines for DHCP relay agent security feature configuration
Enabling the DHCP relay agent to record relay entries
Enabling periodic refresh of dynamic relay entries
Configuring DHCP flood attack protection
Enabling DHCP starvation attack protection
Enabling DHCP server proxy on the DHCP relay agent
Enabling client offline detection on the DHCP relay agent
Configuring the DHCP relay agent to release an IP address
Configuring DHCP relay agent support for Option 82
Enabling Option 60 insertion into DHCP requests
Setting the DSCP value for DHCP packets sent by the DHCP relay agent
Specifying the DHCP relay agent address for the giaddr field
Manually specifying the DHCP relay agent address for the giaddr field
Configuring smart relay to specify the DHCP relay agent address for the giaddr field
Specifying the source IP address for relayed DHCP requests
Discarding DHCP requests that are delivered from VXLAN tunnels
Configuring DHCP relay agent support for forwarding DHCP replies based on MAC address table
Display and maintenance commands for DHCP relay agent
DHCP relay agent configuration examples
Example: Configuring basic DHCP relay agent
Example: Configuring Option 82
Example: Configuring DHCP server selection
Troubleshooting DHCP relay agent configuration
Failure of DHCP clients to obtain configuration parameters through the DHCP relay agent
Restrictions and guidelines: DHCP client configuration
Enabling the DHCP client on an interface
Configuring a DHCP client ID for an interface
Enabling duplicated address detection
Setting the DSCP value for DHCP packets sent by the DHCP client
Display and maintenance commands for DHCP client
DHCP client configuration examples
Example: Configuring DHCP client
Application of trusted and untrusted ports
DHCP snooping support for Option 82
Restrictions and guidelines: DHCP snooping configuration
DHCP snooping tasks at a glance
Configuring basic DHCP snooping features
Configuring basic DHCP snooping features in a common network
Configuring basic DHCP snooping features in a VXLAN network
Configuring DHCP snooping support for Option 82
Configuring DHCP snooping entry auto backup
Setting the maximum number of DHCP snooping entries
Configuring DHCP packet rate limit
Configuring DHCP snooping security features
Enabling DHCP starvation attack protection
Enabling DHCP-REQUEST attack protection
Configuring a DHCP packet blocking port
Enabling DHCP snooping logging
Disabling DHCP snooping on an interface
Display and maintenance commands for DHCP snooping
DHCP snooping configuration examples
Example: Configuring basic DHCP snooping features globally
Example: Configuring basic DHCP snooping features for a VLAN
Example: Configuring DHCP snooping support for Option 82
Obtaining an IP address dynamically
Configuring an interface to use BOOTP for IP address acquisition
Display and maintenance commands for BOOTP client
DHCP overview
DHCP network model
The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices.
Figure 1 shows a typical DHCP application scenario where the DHCP clients and the DHCP server reside on the same subnet. The DHCP clients can also obtain configuration parameters from a DHCP server on another subnet through a DHCP relay agent. For more information about the DHCP relay agent, see "Configuring the DHCP relay agent."
Figure 1 A typical DHCP application
DHCP address allocation
Allocation mechanisms
DHCP supports the following allocation mechanisms:
· Static allocation—The network administrator assigns an IP address to a client, such as a WWW server, and DHCP conveys the assigned address to the client.
· Automatic allocation—DHCP assigns a permanent IP address to a client.
· Dynamic allocation—DHCP assigns an IP address to a client for a limited period of time, which is called a lease. Most DHCP clients obtain their addresses in this way.
IP address allocation process
Figure 2 IP address allocation process
As shown in Figure 2, a DHCP server assigns an IP address to a DHCP client in the following process:
1. The client broadcasts a DHCP-DISCOVER message to locate a DHCP server.
2. Each DHCP server that receives the DHCP-DISCOVER offers configuration parameters such as an IP address to the client in a DHCP-OFFER message. Whether the DHCP-OFFER is sent by unicast or broadcast is determined by the BROADCAST flag in the flags field of the DHCP-DISCOVER message. For more information, see "DHCP message format."
3. If the client receives multiple offers, it accepts the first received offer, and broadcasts it in a DHCP-REQUEST message to formally request the IP address. (IP addresses offered by other DHCP servers can be assigned to other clients.)
4. All DHCP servers receive the DHCP-REQUEST message. However, only the server selected by the client does one of the following operations:
¡ Returns a DHCP-ACK message to confirm that the IP address has been allocated to the client.
¡ Returns a DHCP-NAK message to deny the IP address allocation.
After receiving the DHCP-ACK message, the client verifies the following details before using the assigned IP address:
· The assigned IP address is not in use by another host. To verify this, the client broadcasts an ARP request (a gratuitous ARP) for the assigned address. The address is considered free if no reply is received within the specified time.
· The assigned IP address is not on the same subnet as any IP address already in use on the client.
If either check fails, the client sends a DHCP-DECLINE message to the server and starts the address acquisition process again.
IP address lease extension
A dynamically assigned IP address has a lease. When the lease expires, the IP address is reclaimed by the DHCP server. To continue using the IP address, the client must extend the lease duration.
When about half of the lease duration elapses, the DHCP client unicasts a DHCP-REQUEST to the DHCP server to extend the lease. Depending on the availability of the IP address, the DHCP server returns one of the following messages:
· A DHCP-ACK unicast confirming that the client's lease duration has been extended.
· A DHCP-NAK unicast denying the request.
If the client receives no reply, it broadcasts another DHCP-REQUEST message for lease extension when about seven-eighths of the lease duration elapses. Again, depending on the availability of the IP address, the DHCP server returns either a DHCP-ACK unicast or a DHCP-NAK unicast.
DHCP message format
Figure 3 shows the DHCP message format. DHCP uses some of the fields in significantly different ways. The numbers in parentheses indicate the size of each field in bytes.
· op—Message op code. 1 = BOOTREQUEST (client to server), 2 = BOOTREPLY (server to client). The DHCP message type (DISCOVER, OFFER, REQUEST, and so on) is not carried here but in Option 53 of the options field.
· htype, hlen—Hardware address type and length of the DHCP client.
· hops—Number of relay agents a request message traveled.
· xid—Transaction ID, a random number chosen by the client to identify an IP address allocation.
· secs—Defined by RFC 2131 as the number of seconds elapsed since the client began the address acquisition or renewal process, filled in by the client. In this implementation the field is treated as reserved and set to 0.
· flags—The leftmost bit is the BROADCAST (B) flag, set by the client. If the flag is 0, the DHCP server sends its reply by unicast. If the flag is 1, the DHCP server sends its reply by broadcast, which clients that cannot yet receive unicast IP datagrams rely on. The remaining bits of the flags field are reserved and must be set to 0.
· ciaddr—Client IP address if the client has an IP address that is valid and usable. Otherwise, set to zero. (The client does not use this field to request an IP address to lease.)
· yiaddr—Your IP address. It is an IP address assigned by the DHCP server to the DHCP client.
· siaddr—Server IP address. The address of the next server to use in the bootstrap process (for example, the TFTP server that holds the boot file), returned by the DHCP server in DHCP-OFFER and DHCP-ACK messages.
· giaddr—Gateway IP address. It is the IP address of the first relay agent to which a request message travels.
· chaddr—Client hardware address.
· sname—Server host name, from which the client obtained configuration parameters.
· file—Boot file (also called system software image) name and path information, defined by the server to the client.
· options—Optional parameters field that is variable in length. Optional parameters include the message type, lease duration, subnet mask, domain name server IP address, and WINS IP address.
DHCP options
DHCP keeps the BOOTP message format for compatibility and extends it through the options field. DHCP uses the options field to carry the information needed for dynamic address allocation and to provide additional configuration parameters to clients.
Figure 4 DHCP option format
Common DHCP options
The following are common DHCP options:
· Option 3—Router option. It specifies the gateway address to be assigned to the clients.
· Option 6—DNS server option. It specifies the DNS server IP address to be assigned to the clients.
· Option 33—Static route option. It specifies a list of classful static routes (the destination addresses in these static routes are classful) that a client should add into its routing table. If both Option 33 and Option 121 exist, Option 33 is ignored.
· Option 51—IP address lease option.
· Option 53—DHCP message type option. It identifies the type of the DHCP message.
· Option 55—Parameter request list option. It is used by a DHCP client to request specified configuration parameters. The option includes values that correspond to the parameters requested by the client.
· Option 60—Vendor class identifier option. A DHCP client uses this option to identify its vendor. A DHCP server uses this option to distinguish DHCP clients, and assigns IP addresses to them.
· Option 66—TFTP server name option. It specifies the TFTP server domain name to be assigned to the clients.
· Option 67—Boot file name option. It specifies the boot file name to be assigned to the client.
· Option 121—Classless route option. It specifies a list of classless static routes (the destination addresses in these static routes are classless) that a client should add into its routing table. If both Option 33 and Option 121 exist, Option 33 is ignored.
· Option 150—TFTP server IP address option. It specifies the TFTP server IP address to be assigned to the clients.
For more information about DHCP options, see RFC 2132 and RFC 3442.
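The following Python program is an added example, not part of this guide or the device software. It parses the fixed header and options field described under "DHCP message format" (op, flags, chaddr, giaddr and the Option 53 message type) and decodes the Option 121 classless route descriptors from "Common DHCP options" according to RFC 3442, where each destination carries only its significant octets. The DHCP-DISCOVER and the Option 121 value are constructed by hand for the example.

```python
"""Parse a DHCPv4 message: fixed BOOTP header, magic cookie and option TLVs.

Added example, not part of the configuration guide or the device software.
The DHCP-DISCOVER and the Option 121 value below are constructed by hand.
"""
import struct
from typing import Dict, List, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2             # op field (client -> server, server -> client)
BROADCAST_FLAG = 0x8000                   # leftmost bit of the 16-bit flags field
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}   # Option 53 values


def parse_options(data: bytes) -> Dict[int, bytes]:
    """Split the options field into {code: value}; 0 is PAD (no length), 255 is END."""
    options: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} overruns the packet")
        # A repeated code is the RFC 3396 long-option encoding: concatenate.
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_dhcp(packet: bytes) -> dict:
    """Decode the 236-byte fixed header, check the cookie, parse the options."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or bad magic cookie)")
    (op, htype, hlen, hops, xid, secs, flags,
     ciaddr, yiaddr, siaddr, giaddr) = struct.unpack("!BBBBIHH4s4s4s4s", packet[:28])
    chaddr = packet[28:28 + min(hlen, 16)]
    options = parse_options(packet[240:])
    msg_type = (options.get(53) or b"\0")[0]
    return {
        "op": op, "htype": htype, "hops": hops, "xid": xid, "secs": secs,
        "broadcast": bool(flags & BROADCAST_FLAG),
        "ciaddr": _ip(ciaddr), "yiaddr": _ip(yiaddr),
        "siaddr": _ip(siaddr), "giaddr": _ip(giaddr),
        "chaddr": ":".join(f"{b:02x}" for b in chaddr),
        "message_type": MESSAGE_TYPES.get(msg_type, "unknown"),
        "options": options,
    }


def decode_option121(value: bytes) -> List[Tuple[str, str]]:
    """Decode RFC 3442 classless static routes into (destination/prefix, router).

    Each descriptor is: prefix length, ceil(prefix/8) significant destination
    octets (the rest are implied zero), then the 4-octet router address."""
    routes: List[Tuple[str, str]] = []
    i = 0
    while i < len(value):
        prefix = value[i]
        nbytes = (prefix + 7) // 8
        dest = list(value[i + 1:i + 1 + nbytes]) + [0] * (4 - nbytes)
        router = value[i + 1 + nbytes:i + 5 + nbytes]
        if prefix > 32 or len(router) != 4:
            raise ValueError("malformed route descriptor")
        routes.append((f"{'.'.join(map(str, dest))}/{prefix}", _ip(router)))
        i += 5 + nbytes
    return routes


def build_sample_discover() -> bytes:
    """Constructed DHCP-DISCOVER: client 00:11:22:33:44:55, broadcast flag set."""
    header = struct.pack("!BBBBIHH4s4s4s4s", BOOTREQUEST, 1, 6, 0, 0x3903F326, 0,
                         BROADCAST_FLAG, b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    chaddr = bytes.fromhex("001122334455").ljust(16, b"\0")
    sname, bootfile = b"\0" * 64, b"\0" * 128
    options = (b"\x35\x01\x01"            # Option 53: DISCOVER
               + b"\x37\x03\x01\x03\x06"  # Option 55: wants mask, router, DNS
               + b"\xff")                 # END
    return header + chaddr + sname + bootfile + MAGIC_COOKIE + options


# Constructed Option 121 value: 10.0.0.0/8 via 192.168.1.1, 172.16.0.0/12 via
# 192.168.1.2, and a default route via 192.168.1.254.
SAMPLE_OPTION121 = bytes.fromhex("080ac0a801010cac10c0a8010200c0a801fe")
```

The parser rejects truncated option headers and options whose declared length runs past the packet instead of reading beyond the buffer, which is the check a server or relay must make before trusting any option a client sends.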
Custom DHCP options
The contents of some options are not standardized in RFC 2132 and are defined by the vendor. Option 43 is defined in RFC 2132 but carries vendor-specific content, Option 82 is defined in RFC 3046 but the format of its sub-options varies by vendor, and Option 184 is reserved for private use.
Vendor-specific option (Option 43)
Option 43 function
DHCP servers and clients use Option 43 to exchange vendor-specific configuration information.
The DHCP client can obtain the following information through Option 43:
· ACS parameters, including the ACS URL, username, and password.
· Service provider identifier, which is acquired by the CPE from the DHCP server and sent to the ACS for selecting vender-specific configurations and parameters. For more information about CPE and ACS, see Network Management and Monitoring Configuration Guide.
· PXE server address, which is used to obtain the boot file or other control information from the PXE server.
Option 43 format
Figure 5 Option 43 format
Network configuration parameters are carried in different sub-options of Option 43 as shown in Figure 5.
· Sub-option type—The field value can be 0x01 (ACS parameter sub-option), 0x02 (service provider identifier sub-option), or 0x80 (PXE server address sub-option).
· Sub-option length—Excludes the sub-option type and sub-option length fields.
· Sub-option value—The value format varies by sub-option.
Sub-option value field format
· ACS parameter sub-option value field—Includes the ACS URL, username, and password separated by spaces (hexadecimal number 20) as shown in Figure 6.
Figure 6 ACS parameter sub-option value field
· Service provider identifier sub-option value field—Includes the service provider identifier.
· PXE server address sub-option value field—Includes the PXE server type that can only be 0, the server number that indicates the number of PXE servers contained in the sub-option, and server IP addresses, as shown in Figure 7.
Figure 7 PXE server address sub-option value field
Relay agent option (Option 82)
Option 82 is the relay agent option. It records the location information about the DHCP client. When a DHCP relay agent or DHCP snooping device receives a client's request, it adds Option 82 to the request and sends it to the server.
The administrator can use Option 82 to locate the DHCP client and further implement security control and accounting. The DHCP server can use Option 82 to provide individual configuration policies for the clients.
Option 82 can include a maximum of 255 sub-options and must include a minimum of one sub-option. The device supports the following sub-options: sub-option 1 (Circuit ID), sub-option 2 (Remote ID), sub-option 5 (Link Selection), and sub-option 9 (Vendor-Specific). Option 82 itself is defined in RFC 3046, but the contents of its sub-options are not standardized, so their padding formats vary by vendor.
· Circuit ID has the following padding modes:
¡ String padding mode—Includes a character string specified by the user.
¡ Normal padding mode—Includes the VLAN ID and interface number of the interface that receives the client's request.
¡ Verbose padding mode—Includes the access node identifier specified by the user, and the VLAN ID, interface number and interface type of the interface that receives the client's request.
· Remote ID has the following padding modes:
¡ String padding mode—Includes a character string specified by the user.
¡ Normal padding mode—Includes the MAC address of the DHCP relay agent interface or the MAC address of the DHCP snooping device that receives the client's request.
¡ Sysname padding mode—Includes the name of the device. To set the device name, use the sysname command in system view.
· The Link Selection sub-option tells the DHCP server which subnet the client is on. It carries the IP address that is in the giaddr field or the IP address of a relay interface, so the server can select the correct address pool even when the relayed request is sent from a different source address. If you use the dhcp relay source-address { ip-address | interface interface-type interface-number } command, you must also enable the DHCP relay agent to support Option 82. This sub-option is then included in Option 82.
· The Vendor-Specific sub-option supports only the bas padding mode. The padding content includes the user-configured access node identifier and the VLAN ID, interface number, and interface type of the interface that receives the client's request. This sub-option is supported only on DHCP snooping devices.
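The following Python program is an added example, not part of this guide or the device software. It decodes the Option 43 sub-options (ACS parameters, service provider identifier, PXE server address) and the Option 82 sub-options from the two sections above, and shows the rule a relay agent or DHCP snooping device applies to a client request that already carries Option 82: RFC 3046 has the relay discard such a request when it arrives directly from a client (giaddr is zero) rather than from another relay, because only a trusted relay should insert the option. Since Option 82 sub-option contents are vendor specific, only the type/length/value framing is decoded; displaying a six-byte Remote ID as a MAC address and Link Selection as an IPv4 address is an assumption made for this example. All byte strings are constructed.

```python
"""Decode Option 43 and Option 82 sub-options and apply the RFC 3046 rule
for client requests that already carry Option 82.

Added example, not part of the configuration guide or the device software.
Option 82 sub-option contents are vendor specific, so only the shared
type/length/value framing is decoded; a 6-byte Remote ID is shown as a MAC
address and Link Selection (sub-option 5) as an IPv4 address. All sample
bytes are constructed.
"""
from typing import List, Optional, Tuple


def split_suboptions(value: bytes) -> List[Tuple[int, bytes]]:
    """Split an option value into (sub-option type, sub-option value) pairs.
    The length byte excludes the type and length fields."""
    subs: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("truncated sub-option header")
        stype, slen = value[i], value[i + 1]
        sval = value[i + 2:i + 2 + slen]
        if len(sval) != slen:
            raise ValueError(f"sub-option {stype} overruns the option")
        subs.append((stype, sval))
        i += 2 + slen
    return subs


def decode_option43(value: bytes) -> dict:
    """Sub-options 0x01 (ACS), 0x02 (service provider ID), 0x80 (PXE servers)."""
    out: dict = {}
    for stype, sval in split_suboptions(value):
        if stype == 0x01:                        # "URL user password", space (0x20) separated
            url, user, password = sval.split(b"\x20", 2)
            out["acs"] = {"url": url.decode(), "username": user.decode(),
                          "password": password.decode()}
        elif stype == 0x02:
            out["provider_id"] = sval.decode()
        elif stype == 0x80:                      # server type (must be 0), count, IPv4 list
            if len(sval) < 2 or sval[0] != 0:
                raise ValueError("PXE server type must be 0")
            ips = sval[2:]
            if len(ips) != 4 * sval[1]:
                raise ValueError("PXE server count does not match payload")
            out["pxe_servers"] = [".".join(map(str, ips[k:k + 4]))
                                  for k in range(0, len(ips), 4)]
        else:
            out.setdefault("unknown", {})[stype] = sval.hex()
    return out


def decode_option82(value: bytes) -> dict:
    """Sub-options 1 (Circuit ID), 2 (Remote ID), 5 (Link Selection), 9 (Vendor-Specific)."""
    names = {1: "circuit_id", 2: "remote_id", 5: "link_selection", 9: "vendor_specific"}
    out: dict = {}
    for stype, sval in split_suboptions(value):
        key = names.get(stype, f"suboption_{stype}")
        if stype == 2 and len(sval) == 6:        # normal padding mode: a MAC address
            out[key] = ":".join(f"{b:02x}" for b in sval)
        elif stype == 5 and len(sval) == 4:      # subnet the server should allocate from
            out[key] = ".".join(map(str, sval))
        else:                                    # vendor-defined layout: keep raw hex
            out[key] = sval.hex()
    return out


def relay_add_option82(options: List[Tuple[int, bytes]], giaddr_is_zero: bool,
                       circuit_id: bytes, remote_id: bytes) -> Optional[List[Tuple[int, bytes]]]:
    """What a relay agent or snooping device does with a client request's options.

    A request received directly from a client (giaddr is zero) that already
    carries Option 82 was not inserted by a trusted relay, so RFC 3046 has it
    dropped: return None. A request from another relay keeps its existing
    Option 82; otherwise Circuit ID and Remote ID sub-options are appended."""
    if any(code == 82 for code, _ in options):
        return None if giaddr_is_zero else list(options)
    sub = (bytes([1, len(circuit_id)]) + circuit_id
           + bytes([2, len(remote_id)]) + remote_id)
    return list(options) + [(82, sub)]


# Constructed sample values (not captured from a real network).
_ACS = b"http://acs.example.com/acs acsuser acspass"
SAMPLE_OPTION43 = (bytes([0x01, len(_ACS)]) + _ACS
                   + b"\x02\x06ISP-01"
                   + b"\x80\x0a\x00\x02" + bytes([10, 0, 0, 5]) + bytes([10, 0, 0, 6]))
SAMPLE_CIRCUIT_ID = b"vlan100/GE1-0-1"                 # string padding mode
SAMPLE_REMOTE_ID = bytes.fromhex("00e0fc112233")       # normal padding mode (device MAC)
SAMPLE_OPTION82 = (bytes([1, len(SAMPLE_CIRCUIT_ID)]) + SAMPLE_CIRCUIT_ID
                   + bytes([2, 6]) + SAMPLE_REMOTE_ID
                   + b"\x05\x04" + bytes([192, 168, 10, 0]))
```

The drop in relay_add_option82 is the reason Option 82 is only trustworthy when the access device enforces it at the edge: a client that forges its own Circuit ID or Remote ID could otherwise steer pool selection or defeat per-port accounting.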
Option 184
Option 184 is a reserved option. You can define the parameters in the option as needed. The device supports Option 184 carrying voice related parameters, so a DHCP client with voice functions can get voice parameters from the DHCP server.
Option 184 has the following sub-options:
· Sub-option 1—Specifies the IP address of the primary network calling processor. The primary processor acts as the network calling control source and provides program download services. For Option 184, you must define sub-option 1 to make other sub-options take effect.
· Sub-option 2—Specifies the IP address of the backup network calling processor. DHCP clients contact the backup processor when the primary one is unreachable.
· Sub-option 3—Specifies the voice VLAN ID and whether the DHCP client uses this VLAN as its voice VLAN.
· Sub-option 4—Specifies the failover route that includes the IP address and the number of the target user. A SIP VoIP user uses this IP address and number to directly establish a connection to the target SIP user when both the primary and backup calling processors are unreachable.
Protocols and standards
· RFC 2131, Dynamic Host Configuration Protocol
· RFC 2132, DHCP Options and BOOTP Vendor Extensions
· RFC 1542, Clarifications and Extensions for the Bootstrap Protocol
· RFC 3046, DHCP Relay Agent Information Option
· RFC 3442, The Classless Static Route Option for Dynamic Host Configuration Protocol (DHCP) version 4
Configuring the DHCP server
About DHCP server
A DHCP server manages a pool of IP addresses and client configuration parameters. It selects an IP address and configuration parameters from the address pool and allocates them to a requesting DHCP client.
DHCP address assignment mechanisms
Configure the following address assignment mechanisms as needed:
· Static address allocation—Manually bind the MAC address or ID of a client to an IP address in a DHCP address pool. When the client requests an IP address, the DHCP server assigns the IP address in the static binding to the client.
· Dynamic address allocation—Specify IP address ranges in a DHCP address pool. Upon receiving a DHCP request, the DHCP server dynamically selects an IP address from the matching IP address range in the address pool.
You can specify IP address ranges in an address pool by using either of the following methods:
· Method 1—A primary subnet being divided into multiple address ranges in an address pool
· Method 2—A primary subnet and multiple secondary subnets in an address pool
A primary subnet being divided into multiple address ranges in an address pool
The address ranges in such a pool consist of a common IP address range and IP address ranges for DHCP user classes.
Upon receiving a DHCP request, the DHCP server finds a user class matching the client and selects an IP address in the address range of the user class for the client. A user class can include multiple matching rules, and a client matches the user class as long as it matches any of the rules. In address pool view, you can specify different address ranges for different user classes.
The DHCP server selects an IP address for a client by performing the following steps:
1. DHCP server compares the client against DHCP user classes in the order they are configured.
2. If the client matches a user class, the DHCP server selects an IP address from the address range of the user class.
3. If the matching user class has no assignable addresses, the DHCP server compares the client against the next user class. If all the matching user classes have no assignable addresses, the DHCP server selects an IP address from the common address range.
4. If the DHCP client does not match any DHCP user class, the DHCP server selects an address in the IP address range specified by the address range command. If the address range has no assignable IP addresses or it is not configured, the address allocation fails.
NOTE: All address ranges must belong to the primary subnet. If an address range does not reside on the primary subnet, DHCP cannot assign the addresses in the address range.
A primary subnet and multiple secondary subnets in an address pool
The DHCP server selects an IP address from the primary subnet first. If there is no assignable IP address on the primary subnet, the DHCP server selects an IP address from secondary subnets in the order they are configured.
Principles for selecting an address pool
The DHCP server observes the following principles to select an address pool for a client:
1. If there is an address pool where an IP address is statically bound to the MAC address or ID of the client, the DHCP server selects this address pool and assigns the statically bound IP address and other configuration parameters to the client.
2. If the receiving interface has an address pool applied, the DHCP server selects an IP address and other configuration parameters from this address pool.
3. If the receiving interface has a DHCP policy and the DHCP client matches a user class, the DHCP server selects the address pool that is bound to the matching user class. If no matching user class is found, the server assigns an IP address and other parameters from the default DHCP address pool. If no default address pool is specified or the default address pool does not have assignable IP addresses, the address assignment fails.
4. If the above conditions are not met, the DHCP server selects an address pool depending on the client location.
¡ Client on the same subnet as the server—The DHCP server compares the IP address of the receiving interface with the primary subnets of all address pools.
- If a match is found, the server selects the address pool with the longest-matching primary subnet.
- If no match is found, the DHCP server compares the IP address with the secondary subnets of all address pools. The server selects the address pool with the longest-matching secondary subnet.
¡ Client on a different subnet than the server—The DHCP server compares the IP address in the giaddr field of the DHCP request with the primary subnets of all address pools.
- If a match is found, the server selects the address pool with the longest-matching primary subnet.
- If no match is found, the DHCP server compares the IP address with the secondary subnets of all address pools. The server selects the address pool with the longest-matching secondary subnet.
For example, two address pools 1.1.1.0/24 and 1.1.1.0/25 are configured but not applied to any DHCP server's interfaces.
· If the IP address of the receiving interface is 1.1.1.1/25, the DHCP server selects the address pool 1.1.1.0/25. If the address pool has no available IP addresses, the DHCP server will not select the other pool and the address allocation will fail.
· If the IP address of the receiving interface is 1.1.1.130/25, the DHCP server selects the address pool 1.1.1.0/24.
To ensure correct address allocation, keep the IP addresses used for dynamic allocation on one of the subnets:
· Clients on the same subnet as the server—Subnet where the DHCP server receiving interface resides.
· Clients on a different subnet than the server—Subnet where the first DHCP relay interface that faces the clients resides.
NOTE: As a best practice, configure a minimum of one matching primary subnet in your network. Otherwise, the DHCP server selects only the first matching secondary subnet for address allocation. If the network has more DHCP clients than the assignable IP addresses in the secondary subnet, not all DHCP clients can obtain IP addresses.
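The following Python program is an added example, not part of this guide or the device software. It implements steps 1, 2 and 4 of the pool selection principles above (step 3, the DHCP policy with user classes, is left out) and reproduces the 1.1.1.0/24 and 1.1.1.0/25 example: longest match on the primary subnets of all pools first, then on their secondary subnets, keyed on the giaddr field for relayed requests and on the receiving interface address otherwise. The pools are constructed for the example.

```python
"""Address pool selection as described in 'Principles for selecting an
address pool'. Added example, not part of the guide or the device software;
the pools reproduce the 1.1.1.0/24 and 1.1.1.0/25 example, the rest of the
data is constructed. Step 3 (DHCP policy with user classes) is not modelled.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass
class Pool:
    name: str
    primary: Optional[IPv4Network] = None                          # network ...
    secondaries: List[IPv4Network] = field(default_factory=list)   # network ... secondary
    static_bindings: Dict[str, IPv4Address] = field(default_factory=dict)  # client MAC/ID -> address


def longest_match(addr: IPv4Address,
                  candidates: List[Tuple[Pool, IPv4Network]]) -> Optional[Pool]:
    """Among (pool, subnet) pairs whose subnet contains addr, pick the longest prefix."""
    best, best_len = None, -1
    for pool, net in candidates:
        if addr in net and net.prefixlen > best_len:
            best, best_len = pool, net.prefixlen
    return best


def select_pool(pools: List[Pool], client_id: str, receiving_if: IPv4Address,
                giaddr: IPv4Address, applied: Optional[Pool] = None) -> Optional[Pool]:
    """Return the pool the server would draw from, or None if no pool matches."""
    # 1. A pool holding a static binding for this client wins outright.
    for pool in pools:
        if client_id in pool.static_bindings:
            return pool
    # 2. A pool applied to the receiving interface is used as-is.
    if applied is not None:
        return applied
    # 4. Match on location. A relayed request carries the first relay's address
    #    in giaddr; a request from the local subnet is matched on the interface.
    key = giaddr if int(giaddr) != 0 else receiving_if
    pool = longest_match(key, [(p, p.primary) for p in pools if p.primary is not None])
    if pool is not None:
        return pool   # chosen even if it has no free address: the server does not fall back
    return longest_match(key, [(p, s) for p in pools for s in p.secondaries])


def build_sample_pools() -> List[Pool]:
    """Constructed pools: the guide's 1.1.1.0/24 and /25 pair plus two more."""
    return [
        Pool("pool24", IPv4Network("1.1.1.0/24")),
        Pool("pool25", IPv4Network("1.1.1.0/25")),
        Pool("branch", IPv4Network("172.16.0.0/24"),
             secondaries=[IPv4Network("10.1.0.0/24")]),
        Pool("printers", IPv4Network("192.168.99.0/24"),
             static_bindings={"00:11:22:33:44:55": IPv4Address("192.168.99.10")}),
    ]
```

Because the match is on giaddr for relayed requests, a host that can reach the server directly and forge a nonzero giaddr can request an address from any pool. This is one reason to accept relayed requests only from the relay agents' own addresses and to keep the server off untrusted segments.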
IP address allocation sequence
The DHCP server selects an IP address for a client in the following sequence:
1. IP address statically bound to the client's MAC address or ID.
2. IP address that was ever assigned to the client.
3. IP address designated by Option 50 in the DHCP-DISCOVER message sent by the client.
Option 50 is the Requested IP Address option defined in RFC 2132. A client uses this option in a DHCP-DISCOVER message to ask for a specific IP address, typically the address it held previously.
4. First assignable IP address found in the way discussed in "DHCP address assignment mechanisms" and "Principles for selecting an address pool."
5. IP address that was a conflict or passed its lease duration. If no IP address is assignable, the server does not respond.
DHCP server tasks at a glance
To configure the DHCP server, perform the following tasks:
1. (Optional.) Creating a DHCP user class
2. Configuring an address pool on the DHCP server
3. (Optional.) Modifying the address pool selection method on the DHCP server
¡ Applying an address pool to an interface
¡ Configuring a DHCP policy for dynamic assignment
4. Enabling the DHCP server on an interface
5. (Optional.) Configuring advanced DHCP features
¡ Configuring IP address conflict detection
¡ Enabling handling of Option 82
¡ Configuring the DHCP server security features
¡ Configuring DHCP server compatibility
¡ Setting the DSCP value for DHCP packets sent by the DHCP server
¡ Configuring DHCP binding auto backup
¡ Enabling client offline detection on the DHCP server
6. (Optional.) Configuring SNMP notification and logging
¡ Configuring address pool usage alarming
¡ Enabling DHCP logging on the DHCP server
Creating a DHCP user class
About DHCP user class
The DHCP server classifies DHCP users into different user classes according to the hardware address, option information, or the giaddr field in the received DHCP requests. The server allocates IP addresses and configuration parameters to DHCP clients in different user classes.
Procedure
1. Enter system view.
system-view
2. Create a DHCP user class and enter DHCP user class view.
dhcp class class-name
3. Configure a match rule for the DHCP user class.
if-match rule rule-number { hardware-address hardware-address mask hardware-address-mask | option option-code [ ascii ascii-string [ offset offset | partial ] | hex hex-string [ mask mask | offset offset length length | partial ] ] | relay-agent gateway-address }
By default, no match rule is configured for a DHCP user class.
Configuring an address pool on the DHCP server
DHCP address pool tasks at a glance
To configure a DHCP address pool, perform the following tasks:
1. Creating a DHCP address pool
2. Specifying IP address ranges in a DHCP address pool
In one DHCP address pool, you cannot configure both dynamic allocation methods, but you can configure static and dynamic address allocation together.
¡ Specifying a primary subnet and multiple address ranges in a DHCP address pool
¡ Specifying a primary subnet and multiple secondary subnets in a DHCP address pool
¡ Configuring a static binding in a DHCP address pool
3. Specifying other configuration parameters to be assigned to DHCP clients
¡ Specifying gateways for DHCP clients
¡ Specifying a domain name suffix for DHCP clients
¡ Specifying DNS servers for DHCP clients
¡ Specifying WINS servers and NetBIOS node type for DHCP clients
¡ Specifying BIMS server for DHCP clients
¡ Specifying the configuration file for DHCP client automatic configuration
¡ Specifying a server for DHCP clients
¡ Configuring Option 184 parameters for DHCP clients
4. (Optional.) Applying a DHCP address pool to a VPN instance
5. (Optional.) Configuring the DHCP user class whitelist
Creating a DHCP address pool
1. Enter system view.
system-view
2. Create a DHCP address pool and enter its view.
dhcp server ip-pool pool-name
Specifying a primary subnet and multiple address ranges in a DHCP address pool
About a primary subnet and multiple address ranges in a DHCP address pool
Some scenarios need to classify DHCP clients on the same subnet into different address groups. To meet this need, you can configure DHCP user classes and specify different address ranges for the classes. The clients matching a user class can then get the IP addresses of an address range. In addition, you can specify a common address range for the clients that do not match any user class. If no common address range is specified, such clients fail to obtain IP addresses.
If there is no need to classify clients, you do not need to configure DHCP user classes or their address ranges.
Restrictions and guidelines
· If you execute the network or address range command multiple times for the same address pool, the most recent configuration takes effect.
· If you execute the forbidden-ip command multiple times, you exclude multiple address ranges from dynamic allocation.
· IP addresses specified by the forbidden-ip command are not assignable in the current address pool, but are assignable in other address pools. IP addresses specified by the dhcp server forbidden-ip command are not assignable in any address pool.
· You can use the class range command to modify an existing address range, and the new address range can include IP addresses that are being used by clients. Upon receiving a lease extension request for such an IP address, the DHCP server allocates a new IP address to the requesting client. The original lease, however, continues aging in the address pool and is released only when its lease duration is reached. To release such a lease without waiting for it to time out, execute the reset dhcp server ip-in-use command.
Procedure
1. Enter system view.
system-view
2. Enter DHCP address pool view.
dhcp server ip-pool pool-name
3. Specify the primary subnet in the address pool.
network network-address [ mask-length | mask mask ]
By default, no primary subnet is specified.
4. (Optional.) Specify the common address range.
address range start-ip-address end-ip-address
By default, no IP address range is specified.
5. (Optional.) Specify an IP address range for a DHCP user class.
class class-name range start-ip-address end-ip-address
By default, no IP address range is specified for a user class.
The DHCP user class must already be created by using the dhcp class command.
6. (Optional.) Set the address lease duration.
expired { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited }
The default setting is 1 day.
7. (Optional.) Exclude the specified IP addresses in the address pool from dynamic allocation.
forbidden-ip ip-address&<1-8>
By default, all IP addresses in the DHCP address pool are assignable.
8. (Optional.) Exclude the specified IP addresses from automatic allocation in system view.
a. Return to system view.
quit
b. Exclude the specified IP addresses from automatic allocation globally.
dhcp server forbidden-ip start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ]
By default, except for the IP address of the DHCP server interface, IP addresses in all address pools are assignable.
Specifying a primary subnet and multiple secondary subnets in a DHCP address pool
About a primary subnet and multiple secondary subnets in a DHCP address pool
If an address pool has a primary subnet and multiple secondary subnets, the server assigns IP addresses on a secondary subnet when the primary subnet has no assignable IP addresses.
Restrictions and guidelines
IP addresses specified by the forbidden-ip command are not assignable in the current address pool, but are assignable in other address pools. IP addresses specified by the dhcp server forbidden-ip command are not assignable in any address pool.
Specifying a primary subnet and multiple secondary subnets
1. Enter system view.
system-view
2. Enter DHCP address pool view.
dhcp server ip-pool pool-name
3. Specify the primary subnet.
network network-address [ mask-length | mask mask ]
By default, no primary subnet is specified.
You can specify only one primary subnet in each address pool. If you execute the network command multiple times, the most recent configuration takes effect.
4. (Optional.) Specify a secondary subnet.
network network-address [ mask-length | mask mask ] secondary
By default, no secondary subnet is specified.
You can specify a maximum of 32 secondary subnets in one address pool.
5. (Optional.) Return to address pool view.
quit
Setting the lease duration for dynamically allocated IP addresses
1. Enter system view.
system-view
2. Enter DHCP address pool view.
dhcp server ip-pool pool-name
3. Set the address lease duration.
expired { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited }
The default setting is 1 day.
Excluding IP addresses from dynamic allocation
1. Enter system view.
system-view
2. Enter DHCP address pool view.
dhcp server ip-pool pool-name
3. Exclude the specified IP addresses from dynamic allocation.
forbidden-ip ip-address&<1-8>
By default, all IP addresses in the DHCP address pool are assignable.
To exclude multiple address ranges from the address pool, repeat this step.
4. (Optional.) Exclude the specified IP addresses from dynamic allocation in system view.
a. Return to system view.
quit
b. Exclude the specified IP addresses from dynamic allocation globally.
dhcp server forbidden-ip start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ]
By default, except for the IP address of the DHCP server interface, IP addresses in all address pools are assignable.
To exclude multiple address ranges globally, repeat this step.
Configuring a static binding in a DHCP address pool
About static binding in a DHCP address pool
Some DHCP clients, such as a WWW server, need fixed IP addresses. To provide a fixed IP address for a client, you can statically bind the MAC address or ID of the client to an IP address in a DHCP address pool. When the client requests an IP address, the DHCP server assigns the IP address in the static binding to the client.
Restrictions and guidelines
· The IP address of a static binding cannot be the address of the DHCP server interface. Otherwise, an IP address conflict occurs and the bound client cannot obtain an IP address correctly.
· Multiple interfaces on the same device might all use DHCP to request a static IP address. In this case, use client IDs rather than the device's MAC address to identify the interfaces. Otherwise, IP address allocation will fail.
Procedure
1. Enter system view.
system-view
2. Enter DHCP address pool view.
dhcp server ip-pool pool-name
3. Configure a static binding.
static-bind ip-address ip-address [ mask-length | mask mask ] { client-identifier client-identifier | hardware-address hardware-address [ ethernet | token-ring ] }
By default, no static binding is configured.
One IP address can be bound to only one client MAC or client ID. You cannot modify bindings that have been created. To change the binding for a DHCP client, you must delete the existing binding first.
4. (Optional.) Set the lease duration for the IP address.
expired { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited }
By default, the lease duration is 1 day.
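The allocation rules above (static bindings first, then the primary subnet, then secondary subnets; forbidden-ip applying to one pool, dhcp server forbidden-ip and the server interface address applying everywhere) as an added example that models them in Python. This is illustrative code, not the device firmware; pool names, MACs, client IDs and subnets are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

IPv4 = ipaddress.IPv4Address


@dataclass
class Pool:
    """One DHCP address pool (dhcp server ip-pool view)."""
    name: str
    primary: ipaddress.IPv4Network                                          # network ...
    secondaries: List[ipaddress.IPv4Network] = field(default_factory=list)  # network ... secondary
    forbidden: Set[IPv4] = field(default_factory=set)                       # forbidden-ip: this pool only
    static_by_mac: Dict[str, IPv4] = field(default_factory=dict)            # static-bind ... hardware-address
    static_by_client_id: Dict[str, IPv4] = field(default_factory=dict)      # static-bind ... client-identifier


@dataclass
class Server:
    """Server-wide state: interface address, global exclusions, active leases."""
    interface_ip: IPv4
    global_forbidden: Set[IPv4] = field(default_factory=set)  # dhcp server forbidden-ip: every pool
    leases: Dict[IPv4, str] = field(default_factory=dict)     # assigned address -> client key

    def assignable(self, pool: Pool, ip: IPv4) -> bool:
        return (ip != self.interface_ip            # the server's own address is never handed out
                and ip not in self.global_forbidden
                and ip not in pool.forbidden
                and ip not in self.leases)

    def allocate(self, pool: Pool, mac: str, client_id: Optional[str] = None) -> Optional[IPv4]:
        """Return the address assigned to the client, or None if the pool has none to give."""
        key = client_id or mac
        # 1. Static bindings take precedence. The client ID is checked first so that
        #    several interfaces of one device (same MAC) can be told apart.
        static = None
        if client_id is not None:
            static = pool.static_by_client_id.get(client_id)
        if static is None:
            static = pool.static_by_mac.get(mac)
        if static is not None:
            if static == self.interface_ip:
                return None   # binding conflicts with the server interface: cannot be served
            self.leases[static] = key
            return static
        # 2. Dynamic allocation: walk the primary subnet first, then each secondary
        #    subnet in configuration order, skipping excluded and leased addresses.
        for subnet in [pool.primary] + pool.secondaries:
            for host in subnet.hosts():
                if self.assignable(pool, host):
                    self.leases[host] = key
                    return host
        return None


def run_scenario() -> Dict[str, Optional[IPv4]]:
    """Constructed topology: server interface 10.1.1.1, two pools sharing the same subnets."""
    server = Server(interface_ip=IPv4("10.1.1.1"),
                    global_forbidden={IPv4("10.1.2.1")})
    p1 = Pool("p1", ipaddress.IPv4Network("10.1.1.0/30"),
              secondaries=[ipaddress.IPv4Network("10.1.2.0/29")],
              forbidden={IPv4("10.1.1.2")},
              static_by_mac={"00-11-22-33-44-55": IPv4("10.1.2.6")},
              static_by_client_id={"cid-wan": IPv4("10.1.2.5")})
    p2 = Pool("p2", ipaddress.IPv4Network("10.1.1.0/30"),
              secondaries=[ipaddress.IPv4Network("10.1.2.0/29")])
    return {
        "static_mac": server.allocate(p1, "00-11-22-33-44-55"),
        "static_cid": server.allocate(p1, "00-11-22-33-44-55", client_id="cid-wan"),
        "p1_dynamic": server.allocate(p1, "00-aa-bb-cc-dd-01"),  # primary has nothing free in p1
        "p2_dynamic": server.allocate(p2, "00-aa-bb-cc-dd-02"),  # 10.1.1.2 is forbidden only in p1
        "p2_second": server.allocate(p2, "00-aa-bb-cc-dd-03"),   # falls through to the secondary subnet
    }
```

Note that 10.1.2.1 is excluded in both pools because it is forbidden globally, while 10.1.1.2 is excluded only in p1.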
Specifying gateways for DHCP clients
About gateways for DHCP clients
DHCP clients send packets destined for other networks to a gateway. The DHCP server can assign the gateway address to the DHCP clients.
Restrictions and guidelines
You can specify gateway addresses in each address pool on the DHCP server. A maximum of 64 gateways can be specified in DHCP address pool view or secondary subnet view.
The DHCP server assigns gateway addresses to clients on a secondary subnet in the following ways:
· If gateways are specified in both address pool view and secondary subnet view, the DHCP server assigns those specified in secondary subnet view.
· If gateways are specified in address pool view but not in secondary subnet view, the DHCP server assigns those specified in address pool view.
Procedure
1. Enter system view.
system-view
2. Enter DHCP address pool view.
dhcp server ip-pool pool-name
3. Specify gateways.
gateway-list ip-address&<1-64>
By default, no gateway is specified.
4. (Optional.) Specify gateways in secondary subnet view.
a. Enter secondary subnet view.
network network-address [ mask-length | mask mask ] secondary
b. Specify gateways.
gateway-list ip-address&<1-64>
By default, no gateway is specified.
Specifying a domain name suffix for DHCP clients
About domain name suffix for DHCP clients
You can specify a domain name suffix in a DHCP address pool on the DHCP server. With this suffix assigned, the client only needs to input part of a domain name, and the system adds the domain name suffix for name resolution. For more information about DNS, see "Configuring DNS."
Procedure
1. Enter system view.
system-view
2. Enter DHCP address pool view.
dhcp server ip-pool pool-name
3. Specify a domain name suffix.
domain-name domain-name
By default, no domain name is specified.
Specifying DNS servers for DHCP clients
About DNS servers for DHCP clients
To access hosts on the Internet through domain names, a DHCP client must contact a DNS server to resolve names. You can specify up to eight DNS servers in a DHCP address pool.
Procedure
1. Enter system view.
system-view
2. Enter DHCP address pool view.
dhcp server ip-pool pool-name
3. Specify DNS servers.
dns-list ip-address&<1-8>
By default, no DNS server is specified.
Specifying WINS servers and NetBIOS node type for DHCP clients
About WINS servers and NetBIOS node type for DHCP clients
A Microsoft DHCP client using NetBIOS protocol must contact a WINS server for name resolution.
In addition, you must specify one of the following NetBIOS node types for name resolution:
· b (broadcast)-node—A b-node client sends the destination name in a broadcast message. The destination returns its IP address to the client after receiving the message.
· p (peer-to-peer)-node—A p-node client sends the destination name in a unicast message to the WINS server. The WINS server returns the destination IP address.
· m (mixed)-node—An m-node client broadcasts the destination name. If it receives no response, it unicasts the destination name to the WINS server to get the destination IP address.
· h (hybrid)-node—An h-node client unicasts the destination name to the WINS server. If it receives no response, it broadcasts the destination name to get the destination IP address.
Procedure
1. Enter system view.
system-view
2. Enter DHCP address pool view.
dhcp server ip-pool pool-name
By default, no DHCP address pool exists.
3. Specify WINS servers.
nbns-list ip-address&<1-8>
By default, no WINS server is specified.
This step is optional for b-node. You can specify a maximum of eight WINS servers for such clients in one DHCP address pool.
4. Specify the NetBIOS node type.
netbios-type { b-node | h-node | m-node | p-node }
By default, no NetBIOS node type is specified.
Specifying BIMS server for DHCP clients
About BIMS server for DHCP clients
Perform this task to provide the BIMS server IP address, port number, and shared key for the clients. The DHCP clients contact the BIMS server to get configuration files and perform software upgrade and backup.
Procedure
1. Enter system view.
system-view
2. Enter DHCP address pool view.
dhcp server ip-pool pool-name
3. Specify the BIMS server IP address, port number, and shared key.
bims-server ip ip-address [ port port-number ] sharekey { cipher | simple } string
By default, no BIMS server information is specified.
Specifying the configuration file for DHCP client automatic configuration
About configuration file for DHCP client automatic configuration
Automatic configuration enables a device to automatically obtain a set of configuration settings at startup. The server-based automatic configuration requires the cooperation of the DHCP server and file server (TFTP or HTTP server). The device uses the obtained parameters to contact the file server to get the configuration file. For more information about automatic configuration, see Fundamentals Configuration Guide.
Specifying the configuration file on a TFTP file server
1. Enter system view.
system-view
2. Enter DHCP address pool view.
dhcp server ip-pool pool-name
By default, no DHCP address pool exists.
3. Specify the IP address or the name of a TFTP server.
○ Specify the IP address of the TFTP server.
tftp-server ip-address ip-address
By default, no TFTP server IP address is specified.
○ Specify the name of the TFTP server.
tftp-server domain-name domain-name
By default, no TFTP server name is specified.
4. Specify the configuration file name.
bootfile-name bootfile-name
By default, no configuration file name is specified.
Specifying the URL of the configuration file on an HTTP file server
1. Enter system view.
system-view
2. Enter DHCP address pool view.
dhcp server ip-pool pool-name
3. Specify the URL of the configuration file.
bootfile-name url
By default, no configuration file URL is specified.
Specifying a server for DHCP clients
About a server for DHCP clients
Some DHCP clients need to obtain configuration information from a server, such as a TFTP server. You can specify the IP address of that server. The DHCP server sends the server's IP address to DHCP clients along with other configuration information.
Procedure
1. Enter system view.
system-view
2. Enter DHCP address pool view.
dhcp server ip-pool pool-name
3. Specify the IP address of a server.
next-server ip-address
By default, no server is specified.
Configuring Option 184 parameters for DHCP clients
About Option 184 parameters for DHCP clients
To assign calling parameters to DHCP clients with voice service, you must configure Option 184 on the DHCP server. For more information about Option 184, see "Option 184."
Procedure
1. Enter system view.
system-view
2. Enter DHCP address pool view.
dhcp server ip-pool pool-name
3. Specify the IP address of the primary network calling processor.
voice-config ncp-ip ip-address
By default, no primary network calling processor is specified.
After you configure this command, the other Option 184 parameters take effect.
4. (Optional.) Specify the IP address of the backup server.
voice-config as-ip ip-address
By default, no backup network calling processor is specified.
5. (Optional.) Configure the voice VLAN.
voice-config voice-vlan vlan-id { disable | enable }
By default, no voice VLAN is configured.
6. (Optional.) Specify the failover IP address and dialer string.
voice-config fail-over ip-address dialer-string
By default, no failover IP address or dialer string is specified.
Customizing DHCP options
DHCP option customization applications
You can customize DHCP options for the following purposes:
· Add newly released options.
· Add options for which the vendor defines the contents, for example, Option 43.
· Add options for which the CLI does not provide a dedicated configuration command. For example, you can use the option 4 ip-address 1.1.1.1 command to define the time server address 1.1.1.1 for DHCP clients.
· Add all option values if the actual requirement exceeds the limit for a dedicated option configuration command. For example, the dns-list command can specify up to eight DNS servers. To specify more than eight DNS servers, you must use the option 6 command to define all DNS servers.
Common DHCP options
Table 1 lists common DHCP options and their parameters.
Option | Option name | Corresponding command | Recommended parameter in the option command |
---|---|---|---|
3 | Router Option | gateway-list | ip-address |
6 | Domain Name Server Option | dns-list | ip-address |
15 | Domain Name | domain-name | ascii |
44 | NetBIOS over TCP/IP Name Server Option | nbns-list | ip-address |
46 | NetBIOS over TCP/IP Node Type Option | netbios-type | hex |
66 | TFTP server name | tftp-server | ascii |
67 | Boot file name | bootfile-name | ascii |
43 | Vendor Specific Information | N/A | hex |
Restrictions and guidelines
Use caution when customizing DHCP options because the configuration might affect DHCP operation.
· You can customize a DHCP option in a DHCP address pool.
· You can customize a DHCP option in a DHCP option group, and specify the option group for a user class in an address pool. A DHCP client in the user class will obtain the option configuration.
Customizing a DHCP option in a DHCP address pool
1. Enter system view.
system-view
2. Enter DHCP address pool view.
dhcp server ip-pool pool-name
3. Customize a DHCP option.
option code { ascii ascii-string | hex hex-string | ip-address ip-address&<1-8> }
By default, no DHCP option is customized in a DHCP address pool.
DHCP options specified in DHCP option groups take precedence over those specified in DHCP address pools.
Customizing a DHCP option in a DHCP option group
1. Enter system view.
system-view
2. Create a DHCP option group and enter DHCP option group view.
dhcp option-group option-group-number
3. Customize a DHCP option.
option code { ascii ascii-string | hex hex-string | ip-address ip-address&<1-8> }
By default, no DHCP option is customized in a DHCP option group.
If multiple DHCP option groups have the same option, the server selects the option in the DHCP option group first matching the user class.
4. Return to system view.
quit
5. Enter DHCP address pool view.
dhcp server ip-pool pool-name
6. Specify the DHCP option group for the DHCP user class.
class class-name option-group option-group-number
By default, no DHCP option group is specified for a DHCP user class.
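An added Python example, not device code, that encodes the options from Table 1 with the three parameter types of the option command (ip-address, ascii, hex) and applies the precedence rules of this section: option-group options override pool options, and among option groups bound to matching user classes the one configured first wins. The pool contents, class names and addresses are constructed; it also shows an Option 6 carrying nine DNS servers, more than dns-list accepts.

```python
import ipaddress
from typing import Dict, Sequence, Set, Tuple

# Option 46 node-type codes (RFC 2132 section 8.7); this is why Table 1 recommends hex for netbios-type.
NETBIOS_NODE_TYPE = {"b-node": 0x01, "p-node": 0x02, "m-node": 0x04, "h-node": 0x08}


def encode_option(code: int, kind: str, value) -> bytes:
    """Encode one option as code/length/payload, using the parameter types of the option command:
    ip-address (a list of dotted-quad strings), ascii (a string) or hex (a hex string)."""
    if kind == "ip-address":
        payload = b"".join(ipaddress.IPv4Address(v).packed for v in value)
    elif kind == "ascii":
        payload = value.encode("ascii")
    elif kind == "hex":
        payload = bytes.fromhex(value)
    else:
        raise ValueError("unknown parameter type %r" % kind)
    if not 1 <= len(payload) <= 255:
        raise ValueError("option %d payload must be 1..255 bytes, got %d" % (code, len(payload)))
    return bytes([code, len(payload)]) + payload


def effective_options(pool_options: Dict[int, bytes],
                      class_groups: Sequence[Tuple[str, Dict[int, bytes]]],
                      matched_classes: Set[str]) -> Dict[int, bytes]:
    """Merge pool options with option-group options.

    Option groups win over the pool; when several groups bound to matching
    classes carry the same option, the group of the class configured first wins.
    """
    result = dict(pool_options)
    taken: Set[int] = set()
    for class_name, group in class_groups:          # configuration order
        if class_name not in matched_classes:
            continue
        for code, encoded in group.items():
            if code not in taken:
                result[code] = encoded
                taken.add(code)
    return result


def build_options_field(options: Dict[int, bytes]) -> bytes:
    """Concatenate the encoded options in ascending code order and terminate with the End option (255)."""
    return b"".join(options[code] for code in sorted(options)) + b"\xff"


def decode_options(field: bytes) -> Dict[int, bytes]:
    """Parse a DHCP options field back into {code: payload}; stops at End (255) and skips Pad (0)."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(field):
        code = field[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = field[i + 1]
        out[code] = field[i + 2:i + 2 + length]
        i += 2 + length
    return out


def run_scenario() -> Dict[int, bytes]:
    """Constructed configuration: a pool with dedicated-command options plus two
    user-class option groups, the first of which overrides Option 6."""
    pool = {
        3: encode_option(3, "ip-address", ["10.1.1.1"]),                     # gateway-list
        6: encode_option(6, "ip-address", ["10.1.1.53", "10.1.1.54"]),       # dns-list
        15: encode_option(15, "ascii", "example.com"),                       # domain-name
        46: encode_option(46, "hex", "%02x" % NETBIOS_NODE_TYPE["h-node"]),  # netbios-type h-node
    }
    nine_dns = ["10.9.0.%d" % n for n in range(1, 10)]
    groups = [
        ("voip", {6: encode_option(6, "ip-address", nine_dns),              # option 6 ip-address ...
                  67: encode_option(67, "ascii", "phone.cfg")}),            # option 67 ascii ...
        ("lan", {6: encode_option(6, "ip-address", ["10.2.0.53"])}),        # loses: configured later
    ]
    merged = effective_options(pool, groups, matched_classes={"voip", "lan"})
    return decode_options(build_options_field(merged))
```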
Applying a DHCP address pool to a VPN instance
About applying a DHCP address pool to a VPN instance
If a DHCP address pool is applied to a VPN instance, the DHCP server assigns IP addresses in this address pool to clients in the VPN instance. Addresses in this address pool will not be assigned to clients on the public network.
The DHCP server can obtain the VPN instance to which a DHCP client belongs from the following information:
· The client's VPN information stored in authentication modules.
· The VPN information of the DHCP server's interface that receives DHCP packets from the client.
If both VPN instances can be obtained, the VPN information from authentication modules takes priority over the VPN information of the receiving interface.
An MCE acting as the DHCP server can assign IP addresses not only to clients on public networks, but also to clients on private networks. The IP address ranges of public and private networks or those of private networks on the DHCP server cannot overlap. For more information about MCE, see MPLS Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter DHCP address pool view.
dhcp server ip-pool pool-name
3. Apply the address pool to a VPN instance.
vpn-instance vpn-instance-name
By default, the address pool is not applied to any VPN instance.
Configuring the DHCP user class whitelist
About DHCP user class whitelist
The DHCP user class whitelist allows the DHCP server to process requests only from clients on the DHCP user class whitelist.
Restrictions and guidelines
The whitelist does not take effect on clients that request static IP addresses; the server always processes their requests.
Procedure
1. Enter system view.
system-view
2. Enter DHCP address pool view.
dhcp server ip-pool pool-name
3. Enable the DHCP user class whitelist.
verify class
By default, the DHCP user class whitelist is disabled.
4. Add DHCP user classes to the DHCP user class whitelist.
valid class class-name&<1-8>
By default, no DHCP user class is on the DHCP user class whitelist.
Applying an address pool to an interface
About applying an address pool to an interface
Perform this task to apply a DHCP address pool to an interface.
Upon receiving a DHCP request from the interface, the DHCP server performs address allocation in the following ways:
· If a static binding is found for the client, the server assigns the static IP address and configuration parameters from the address pool that contains the static binding.
· If no static binding is found for the client, the server uses the address pool applied to the interface for address and configuration parameter allocation.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Apply an address pool to the interface.
dhcp server apply ip-pool pool-name
By default, no address pool is applied to an interface.
If the applied address pool does not exist, the DHCP server fails to perform dynamic address allocation.
Configuring a DHCP policy for dynamic assignment
About a DHCP policy for dynamic assignment
In a DHCP policy, each DHCP user class has a bound DHCP address pool. Clients matching different user classes obtain IP addresses and other parameters from different address pools. The DHCP policy must be applied to the interface that acts as the DHCP server. When receiving a DHCP request, the DHCP server compares the packet against the user classes in the order that they are configured.
· If a matching user class is found and the bound address pool has assignable IP addresses, the server assigns an IP address and other parameters from the address pool. If the address pool does not have assignable IP addresses, the address assignment fails.
· If no match is found, the server assigns an IP address and other parameters from the default DHCP address pool. If no default address pool is specified or the default address pool does not have assignable IP addresses, the address assignment fails.
For successful address assignment, make sure the applied DHCP policy and the bound address pools exist.
Restrictions and guidelines
A DHCP policy takes effect only after it is applied to an interface.
Procedure
1. Enter system view.
system-view
2. Create a DHCP policy and enter DHCP policy view.
dhcp policy policy-name
3. Specify a DHCP address pool for a DHCP user class.
class class-name ip-pool pool-name
By default, no address pool is specified for a user class.
4. Specify the default DHCP address pool.
default ip-pool pool-name
By default, no default address pool is specified.
5. Return to system view.
quit
6. Enter interface view.
interface interface-type interface-number
7. Apply the DHCP policy to the interface.
dhcp apply-policy policy-name
By default, no DHCP policy is applied to an interface.
Enabling DHCP
Restrictions and guidelines
You must enable DHCP to make other DHCP configurations take effect.
Procedure
1. Enter system view.
system-view
2. Enable DHCP.
dhcp enable
By default, DHCP is disabled.
Enabling the DHCP server on an interface
About enabling the DHCP server on an interface
Perform this task to enable the DHCP server on an interface. Upon receiving a DHCP request on the interface, the DHCP server assigns the client an IP address and other configuration parameters from a DHCP address pool.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable the DHCP server on the interface.
dhcp select server
By default, the DHCP server is enabled on the interface.
Configuring IP address conflict detection
About IP address conflict detection
Before assigning an IP address, the DHCP server pings that IP address.
· If the server receives a response within the specified period, it selects and pings another IP address.
· If it receives no response, the server continues to ping the IP address until the maximum number of ping packets are sent. If still no response is received, the server assigns the IP address to the requesting client. The DHCP client uses gratuitous ARP to perform IP address conflict detection.
Procedure
1. Enter system view.
system-view
2. (Optional.) Set the maximum number of ping packets to be sent for conflict detection.
dhcp server ping packets number
The default setting is one.
To disable IP address conflict detection, set the value to 0.
3. (Optional.) Set the ping timeout time.
dhcp server ping timeout milliseconds
The default setting is 500 ms.
To disable IP address conflict detection, set the value to 0.
Enabling handling of Option 82
About handling of Option 82
Perform this task to enable the DHCP server to handle Option 82. Upon receiving a DHCP request that contains Option 82, the DHCP server adds Option 82 into the DHCP response.
If you disable Option 82 handling on the DHCP server, the server does not add Option 82 to the response message.
You must enable handling of Option 82 on both the DHCP server and the DHCP relay agent to ensure correct processing for Option 82. For information about enabling handling of Option 82 on the DHCP relay agent, see "Configuring DHCP relay agent support for Option 82."
Procedure
1. Enter system view.
system-view
2. Enable the server to handle Option 82.
dhcp server relay information enable
By default, handling of Option 82 is enabled.
Configuring the DHCP server security features
Restrictions and guidelines
The DHCP server security features are not applicable if a DHCP relay agent exists in the network. This is because the MAC address of the DHCP relay agent is encapsulated as the source MAC address in the DHCP request received by the DHCP server. In this case, you must configure the DHCP relay agent security features. For more information, see "Configuring the DHCP relay agent security features."
Configuring DHCP flood attack protection
About DHCP flood attack protection
The DHCP flood attack protection enables the DHCP server to detect DHCP flood attacks according to the DHCP packet rate threshold on a per-MAC basis.
When the DHCP server receives a DHCP packet from a client (MAC address), it creates a DHCP flood attack entry in check state. If the number of DHCP packets from the same MAC address reaches the upper limit in the detection duration, the server determines that the client is launching a DHCP flood attack. The DHCP flood attack entry changes to the restrain state, and the DHCP server discards the DHCP packets from that client. When the aging time of the entry is reached, the DHCP server deletes the entry. If a DHCP packet from the MAC address arrives later, the DHCP server will create a flood attack entry and count the number of incoming DHCP packets for that client again.
Configuring DHCP flood attack protection in a common network
1. Enter system view.
system-view
2. (Optional.) Set the DHCP packet rate threshold for DHCP flood attack detection.
dhcp flood-protection threshold packet-number milliseconds
By default, the device allows a maximum of 6 DHCP packets per 5000 milliseconds from each DHCP client.
3. (Optional.) Set the DHCP flood attack entry aging time.
dhcp flood-protection aging-time time
The default setting is 300 seconds.
4. Enter interface view.
interface interface-type interface-number
5. Enable DHCP flood attack protection.
dhcp flood-protection enable
By default, DHCP flood attack protection is disabled.
Configuring DHCP starvation attack protection
About DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system resources. For information about the fields in the DHCP messages, see "DHCP message format."
The following methods are available to relieve or prevent such attacks.
· To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, perform the following configuration on an interface:
○ Execute the mac-address max-mac-count command to set the MAC learning limit. For more information about this command, see Layer 2—LAN Switching Command Reference.
○ Disable unknown frame forwarding when the MAC learning limit is reached.
· To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, you can enable MAC address check on the DHCP server. The DHCP server compares the chaddr field of a received DHCP request with the source MAC address in the frame header. If they are the same, the DHCP server verifies this request as legal and processes it. If they are not the same, the server discards the DHCP request.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable MAC address check.
dhcp server check mac-address
By default, MAC address check is disabled.
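The two server-side protections of this section, the MAC address check (chaddr must match the frame's source MAC) and the per-MAC flood-protection entry that moves from check state to restrain state and is later aged out, as an added Python model run over constructed frames. This is example code, not the device implementation; the frames, MACs, timestamps and the assumption that the aging time counts from entry creation are the example's own.

```python
import struct
from dataclasses import dataclass
from typing import Dict

ETH_LEN, IP_LEN, UDP_LEN = 14, 20, 8   # fixed header sizes in the constructed frames
CHADDR_OFFSET = 28                     # chaddr follows op,htype,hlen,hops,xid,secs,flags,ciaddr,yiaddr,siaddr,giaddr


def build_frame(src_mac: bytes, chaddr: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP/DHCP request with only the fields this example inspects filled in."""
    eth = b"\xff" * 6 + src_mac + b"\x08\x00"
    dhcp = struct.pack("!BBBBIHH4s4s4s4s16s",
                       1, 1, 6, 0,             # BOOTREQUEST, Ethernet, hlen 6, hops 0
                       0x3903F326, 0, 0x8000,  # xid, secs, broadcast flag set
                       bytes(4), bytes(4), bytes(4), bytes(4),
                       chaddr.ljust(16, b"\0"))
    return eth + bytes(IP_LEN) + bytes(UDP_LEN) + dhcp


def mac_check_passes(frame: bytes) -> bool:
    """dhcp server check mac-address: accept only when chaddr equals the frame's source MAC."""
    src_mac = frame[6:12]
    dhcp = frame[ETH_LEN + IP_LEN + UDP_LEN:]
    hlen = dhcp[2]
    return dhcp[CHADDR_OFFSET:CHADDR_OFFSET + hlen] == src_mac


@dataclass
class FloodEntry:
    created_ms: int
    window_start_ms: int
    count: int
    state: str = "check"   # "check" or "restrain"


class FloodProtection:
    """Per-MAC flood-protection entries with this section's defaults:
    6 packets per 5000 ms, entry aging time 300 s."""

    def __init__(self, threshold: int = 6, window_ms: int = 5000, aging_s: int = 300):
        self.threshold, self.window_ms, self.aging_ms = threshold, window_ms, aging_s * 1000
        self.entries: Dict[bytes, FloodEntry] = {}

    def accept(self, src_mac: bytes, now_ms: int) -> bool:
        """Return True when the packet is processed, False when it is discarded."""
        entry = self.entries.get(src_mac)
        # Assumption of this model: the aging time counts from entry creation.
        if entry is not None and now_ms - entry.created_ms >= self.aging_ms:
            del self.entries[src_mac]
            entry = None
        if entry is None:
            self.entries[src_mac] = FloodEntry(now_ms, now_ms, 1)
            return True
        if entry.state == "restrain":
            return False
        if now_ms - entry.window_start_ms >= self.window_ms:
            entry.window_start_ms, entry.count = now_ms, 1   # fresh detection window
            return True
        entry.count += 1
        if entry.count > self.threshold:          # the (threshold + 1)th packet in a window trips it
            entry.state = "restrain"
            return False
        return True


def run_scenario() -> Dict[str, object]:
    """Constructed traffic: one honest client, one whose chaddr differs from its
    source MAC, and one MAC that sends eight packets within one second."""
    honest = bytes.fromhex("001122334455")
    other = bytes.fromhex("00aabbccddee")
    results: Dict[str, object] = {
        "mac_check_honest": mac_check_passes(build_frame(honest, honest)),
        "mac_check_mismatch": mac_check_passes(build_frame(other, bytes.fromhex("00deadbeef01"))),
    }
    fp = FloodProtection()
    results["burst"] = [fp.accept(honest, t) for t in range(0, 800, 100)]  # 8 packets in 0.7 s
    results["other_client"] = fp.accept(other, 500)      # separate entry, unaffected
    results["after_aging"] = fp.accept(honest, 300_000)  # entry aged out, counting restarts
    return results
```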
Configuring DHCP server compatibility
Perform this task to enable the DHCP server to support DHCP clients that are not compliant with the RFCs.
Configuring the DHCP server to always broadcast responses
About configuring the DHCP server to always broadcast responses
By default, the DHCP server broadcasts a response only when the broadcast flag in the DHCP request is set to 1. You can configure the DHCP server to ignore the broadcast flag and always broadcast a response. This feature is useful when some clients set the broadcast flag to 0 but do not accept unicast responses.
The DHCP server always unicasts a response in the following situations, regardless of whether this feature is configured or not:
· The DHCP request is from a DHCP client that has an IP address (the ciaddr field is not 0).
· The DHCP request is forwarded by a DHCP relay agent from a DHCP client (the giaddr field is not 0).
Procedure
1. Enter system view.
system-view
2. Enable the DHCP server to always broadcast all responses.
dhcp server always-broadcast
By default, the DHCP server reads the broadcast flag to decide whether to broadcast or unicast a response.
Enabling the DHCP server to return a DHCP-NAK message when a client's notion of its IP address is incorrect
About returning a DHCP-NAK message when a client's notion of its IP address is incorrect
A DHCP client can send a DHCP-REQUEST message directly or upon receiving a DHCP-OFFER message. Upon receiving the request, the DHCP server checks whether the client's notion of its IP address is correct. If the requested IP address differs from the allocated one or has no matching lease record, the DHCP server remains silent by default. Only after the lease allocated to the client expires does the DHCP server respond to requests from that client.
This feature enables the DHCP server to return a DHCP-NAK message when a client's notion of its IP address is incorrect. After receiving the DHCP-NAK message, the DHCP client requests an IP address again.
Procedure
1. Enter system view.
system-view
2. Enable the DHCP server to return a DHCP-NAK message when a client's notion of its IP address is incorrect.
dhcp server request-ip-address check
By default, the DHCP server does not return a DHCP-NAK message when a client's notion of its IP address is incorrect.
Configuring the DHCP server to ignore BOOTP requests
About configuring the DHCP server to ignore BOOTP requests
The lease duration of the IP addresses obtained by the BOOTP clients is unlimited. For some scenarios that do not allow unlimited leases, you can configure the DHCP server to ignore BOOTP requests.
Procedure
1. Enter system view.
system-view
2. Configure the DHCP server to ignore BOOTP requests.
dhcp server bootp ignore
By default, the DHCP server processes BOOTP requests.
Configuring the DHCP server to send BOOTP responses in RFC 1048 format
About configuring the DHCP server to send BOOTP responses in RFC 1048 format
Not all BOOTP clients can send requests that are compatible with RFC 1048. By default, the DHCP server does not process the Vend field of RFC 1048-incompliant requests but copies the Vend field into responses.
This feature enables the DHCP server to fill the Vend field in RFC 1048-compliant format in DHCP responses to RFC 1048-incompliant requests sent by BOOTP clients.
Restrictions and guidelines
This feature is effective for the BOOTP clients that request statically bound addresses.
Procedure
1. Enter system view.
system-view
2. Enable the DHCP server to send BOOTP responses in RFC 1048 format to the RFC 1048-incompliant BOOTP requests.
dhcp server bootp reply-rfc-1048
By default, the DHCP server directly copies the Vend field of such requests into the responses.
Setting the DSCP value for DHCP packets sent by the DHCP server
About DSCP value for DHCP packets
The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.
Procedure
1. Enter system view.
system-view
2. Set the DSCP value for DHCP packets sent by the DHCP server.
dhcp dscp dscp-value
By default, the DSCP value in DHCP packets sent by the DHCP server is 56.
Configuring DHCP binding auto backup
About DHCP binding auto backup
The auto backup feature saves bindings to a backup file and allows the DHCP server to download the bindings from the backup file at the server reboot. The bindings include the lease bindings and conflicted IP addresses. Without the backup file, these bindings do not survive a reboot of the DHCP server.
The DHCP server does not provide services during the download process. If a connection error occurs during the process and cannot be repaired in a short amount of time, you can terminate the download operation. Manual interruption allows the DHCP server to provide services without waiting for the connection to be repaired.
Procedure
1. Enter system view.
system-view
2. Configure the DHCP server to back up the bindings to a file.
dhcp server database filename { filename | url url [ username username [ password { cipher | simple } string ] ] }
By default, the DHCP server does not back up the DHCP bindings.
With this command executed, the DHCP server backs up its bindings immediately and runs auto backup.
3. (Optional.) Manually save the DHCP bindings to the backup file.
dhcp server database update now
4. (Optional.) Set the waiting time after a DHCP binding change for the DHCP server to update the backup file.
dhcp server database update interval interval
By default, the DHCP server waits 300 seconds to update the backup file after a DHCP binding change. If no DHCP binding changes, the backup file is not updated.
5. (Optional.) Terminate the download of DHCP bindings from the backup file.
dhcp server database update stop
This command only triggers one termination.
Enabling client offline detection on the DHCP server
About client offline detection on the DHCP server
The client offline detection feature reclaims an assigned IP address and deletes the binding entry when the ARP entry for the IP address ages out.
Restrictions and guidelines
The feature does not function if an ARP entry is manually deleted.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable client offline detection.
dhcp client-detect
By default, client offline detection is disabled on the DHCP server.
Configuring address pool usage alarming
About address pool usage alarming
Perform this task to set the threshold for address pool usage alarming. When the threshold is exceeded, the system sends notifications to the SNMP module. For DHCP notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter DHCP address pool view.
dhcp server ip-pool pool-name
3. (Optional.) Set the threshold for address pool usage alarming.
ip-in-use threshold threshold-value
The default threshold is 100%.
Enabling DHCP logging on the DHCP server
About DHCP logging on the DHCP server
The DHCP logging feature enables the DHCP server to generate DHCP logs and send them to the information center. The information helps administrators locate and solve problems. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.
Restrictions and guidelines
As a best practice, disable this feature if the log generation affects the device performance or reduces the address allocation efficiency. For example, this situation might occur when a large number of clients frequently come online or go offline.
Procedure
1. Enter system view.
system-view
2. Enable DHCP logging.
dhcp log enable
By default, DHCP logging is disabled.
Display and maintenance commands for DHCP server
IMPORTANT: A restart of the DHCP server or execution of the reset dhcp server ip-in-use command deletes all lease information. The DHCP server denies any DHCP request for lease extension, and the client must request an IP address again.
Execute display commands in any view and reset commands in user view.
Task | Command
Display information about IP address conflicts. | display dhcp server conflict [ ip ip-address ] [ vpn-instance vpn-instance-name ]
Display information about DHCP binding auto backup. | display dhcp server database
Display information about lease-expired IP addresses. | display dhcp server expired [ [ ip ip-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]
Display information about assignable IP addresses. | display dhcp server free-ip [ pool pool-name | vpn-instance vpn-instance-name ]
Display information about assigned IP addresses. | display dhcp server ip-in-use [ [ ip ip-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]
Display information about DHCP address pools. | display dhcp server pool [ pool-name | vpn-instance vpn-instance-name ]
Display DHCP server statistics. | display dhcp server statistics [ pool pool-name | vpn-instance vpn-instance-name ]
Clear information about IP address conflicts. | reset dhcp server conflict [ ip ip-address ] [ vpn-instance vpn-instance-name ]
Clear information about lease-expired IP addresses. | reset dhcp server expired [ [ ip ip-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]
Clear information about assigned IP addresses. | reset dhcp server ip-in-use [ [ ip ip-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]
Clear DHCP server statistics. | reset dhcp server statistics [ vpn-instance vpn-instance-name ]
DHCP server configuration examples
Example: Configuring static IP address assignment
Network configuration
As shown in Figure 8, Switch B (DHCP client) and Switch C (BOOTP client) obtain the IP address, DNS server address, and gateway address from Switch A (DHCP server).
The client ID of VLAN-interface 2 on Switch B is 0030-3030-662e-6532-3030-2e30-3030-322d-4574-6865-726e-6574.
The MAC address of VLAN-interface 2 on Switch C is 000f-e200-01c0.
Procedure
1. Specify an IP address for VLAN-interface 2 on Switch A.
<SwitchA> system-view
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 10.1.1.1 25
[SwitchA-Vlan-interface2] quit
2. Configure the DHCP server:
# Create DHCP address pool 0.
[SwitchA] dhcp server ip-pool 0
# Configure a static binding for Switch B.
[SwitchA-dhcp-pool-0] static-bind ip-address 10.1.1.5 25 client-identifier 0030-3030-662e-6532-3030-2e30-3030-322d-4574-6865-726e-6574
# Configure a static binding for Switch C.
[SwitchA-dhcp-pool-0] static-bind ip-address 10.1.1.6 25 hardware-address 000f-e200-01c0
# Specify the DNS server address and the gateway address.
[SwitchA-dhcp-pool-0] dns-list 10.1.1.2
[SwitchA-dhcp-pool-0] gateway-list 10.1.1.126
[SwitchA-dhcp-pool-0] quit
[SwitchA]
# Enable DHCP.
[SwitchA] dhcp enable
# Enable the DHCP server on VLAN-interface 2.
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] dhcp select server
[SwitchA-Vlan-interface2] quit
Verifying the configuration
# Verify that Switch B can obtain IP address 10.1.1.5 and all other network parameters from Switch A. (Details not shown.)
# Verify that Switch C can obtain IP address 10.1.1.6 and all other network parameters from Switch A. (Details not shown.)
# On the DHCP server, display the IP addresses assigned to the clients.
[SwitchA] display dhcp server ip-in-use
IP address Client-identifier/ Lease expiration Type
Hardware address
10.1.1.5 0030-3030-662e-6532- Jan 21 14:27:27 2014 Static(C)
3030-2e30-3030-322d-
4574-6865-726e-6574
10.1.1.6 000f-e200-01c0 Unlimited Static(C)
Example: Configuring dynamic IP address assignment
Network configuration
As shown in Figure 9, the DHCP server (Switch A) assigns IP addresses to clients on subnet 10.1.1.0/24, which is subnetted into 10.1.1.0/25 and 10.1.1.128/25.
Configure the DHCP server on Switch A to implement the following assignment scheme.
Table 2 Assignment scheme
DHCP clients | IP address | Lease | Other configuration parameters
Clients connected to VLAN-interface 10 | IP addresses on subnet 10.1.1.0/25 | 10 days and 12 hours | · Gateway: 10.1.1.126/25 · DNS server: 10.1.1.2/25 · Domain name: aabbcc.com · WINS server: 10.1.1.4/25
Clients connected to VLAN-interface 20 | IP addresses on subnet 10.1.1.128/25 | Five days | · Gateway: 10.1.1.254/25 · DNS server: 10.1.1.2/25 · Domain name: aabbcc.com
Procedure
1. Specify IP addresses for the VLAN interfaces. (Details not shown.)
2. Configure the DHCP server:
# Exclude the DNS server address, WINS server address, and gateway addresses from dynamic allocation.
<SwitchA> system-view
[SwitchA] dhcp server forbidden-ip 10.1.1.2
[SwitchA] dhcp server forbidden-ip 10.1.1.4
[SwitchA] dhcp server forbidden-ip 10.1.1.126
[SwitchA] dhcp server forbidden-ip 10.1.1.254
# Configure DHCP address pool 1 to assign IP addresses and other configuration parameters to clients on subnet 10.1.1.0/25.
[SwitchA] dhcp server ip-pool 1
[SwitchA-dhcp-pool-1] network 10.1.1.0 mask 255.255.255.128
[SwitchA-dhcp-pool-1] expired day 10 hour 12
[SwitchA-dhcp-pool-1] domain-name aabbcc.com
[SwitchA-dhcp-pool-1] dns-list 10.1.1.2
[SwitchA-dhcp-pool-1] gateway-list 10.1.1.126
[SwitchA-dhcp-pool-1] nbns-list 10.1.1.4
[SwitchA-dhcp-pool-1] quit
# Configure DHCP address pool 2 to assign IP addresses and other configuration parameters to clients on subnet 10.1.1.128/25.
[SwitchA] dhcp server ip-pool 2
[SwitchA-dhcp-pool-2] network 10.1.1.128 mask 255.255.255.128
[SwitchA-dhcp-pool-2] expired day 5
[SwitchA-dhcp-pool-2] domain-name aabbcc.com
[SwitchA-dhcp-pool-2] dns-list 10.1.1.2
[SwitchA-dhcp-pool-2] gateway-list 10.1.1.254
[SwitchA-dhcp-pool-2] quit
# Enable DHCP.
[SwitchA] dhcp enable
# Enable the DHCP server on VLAN-interface 10 and VLAN-interface 20.
[SwitchA] interface vlan-interface 10
[SwitchA-Vlan-interface10] dhcp select server
[SwitchA-Vlan-interface10] quit
[SwitchA] interface vlan-interface 20
[SwitchA-Vlan-interface20] dhcp select server
[SwitchA-Vlan-interface20] quit
Verifying the configuration
# Verify that clients on subnets 10.1.1.0/25 and 10.1.1.128/25 can obtain correct IP addresses and all other network parameters from Switch A. (Details not shown.)
# On the DHCP server, display the IP addresses assigned to the clients.
[SwitchA] display dhcp server ip-in-use
IP address Client-identifier/ Lease expiration Type
Hardware address
10.1.1.3 0031-3865-392e-6262- Jan 14 22:25:03 2015 Auto(C)
3363-2e30-3230-352d-
4745-302f-30
10.1.1.5 0031-fe65-4203-7e02- Jan 14 22:25:03 2015 Auto(C)
3063-5b30-3230-4702-
620e-712f-5e
10.1.1.130 3030-3030-2e30-3030- Jan 9 10:45:11 2015 Auto(C)
662e-3030-3033-2d45-
7568-6572-1e
10.1.1.131 3030-0020-fe02-3020- Jan 9 10:45:11 2015 Auto(C)
7052-0201-2013-1e02
0201-9068-23
10.1.1.132 2020-1220-1102-3021- Jan 9 10:45:11 2015 Auto(C)
7e52-0211-2025-3402
0201-9068-9a
10.1.1.133 2021-d012-0202-4221- Jan 9 10:45:11 2015 Auto(C)
8852-0203-2022-55e0
3921-0104-31
Example: Configuring DHCP user class
Network configuration
As shown in Figure 10, the DHCP relay agent (Switch A) forwards DHCP packets between DHCP clients and the DHCP server (Switch B). Enable Switch A to support Option 82 so that it can add Option 82 to the DHCP requests sent by the DHCP clients.
Configure the address allocation scheme as follows:
Assign IP addresses | To clients
10.10.1.2 to 10.10.1.10 | The DHCP request contains Option 82.
10.10.1.11 to 10.10.1.26 | The hardware address in the request is six bytes long and begins with aabb-aabb-aab.
For clients on subnet 10.10.1.0/24, the DNS server address is 10.10.1.20/24 and the gateway address is 10.10.1.254/24.
Procedure
1. Specify IP addresses for interfaces on the DHCP server and the DHCP relay agent. (Details not shown.)
2. Configure DHCP services:
# Create DHCP user class tt and configure a match rule to match client requests with Option 82.
<SwitchB> system-view
[SwitchB] dhcp class tt
[SwitchB-dhcp-class-tt] if-match rule 1 option 82
[SwitchB-dhcp-class-tt] quit
# Create DHCP user class ss and configure a match rule to match DHCP requests in which the hardware address is six bytes long and begins with aabb-aabb-aab.
[SwitchB] dhcp class ss
[SwitchB-dhcp-class-ss] if-match rule 1 hardware-address aabb-aabb-aab0 mask ffff-ffff-fff0
[SwitchB-dhcp-class-ss] quit
# Create DHCP address pool aa.
[SwitchB] dhcp server ip-pool aa
# Specify the subnet for dynamic allocation.
[SwitchB-dhcp-pool-aa] network 10.10.1.0 mask 255.255.255.0
# Specify the address range for dynamic allocation.
[SwitchB-dhcp-pool-aa] address range 10.10.1.2 10.10.1.100
# Specify the address range for user class tt.
[SwitchB-dhcp-pool-aa] class tt range 10.10.1.2 10.10.1.10
# Specify the address range for user class ss.
[SwitchB-dhcp-pool-aa] class ss range 10.10.1.11 10.10.1.26
# Specify the gateway address and the DNS server address.
[SwitchB-dhcp-pool-aa] gateway-list 10.10.1.254
[SwitchB-dhcp-pool-aa] dns-list 10.10.1.20
[SwitchB-dhcp-pool-aa] quit
# Enable DHCP and configure the DHCP server to handle Option 82.
[SwitchB] dhcp enable
[SwitchB] dhcp server relay information enable
# Enable DHCP server on VLAN-interface 10.
[SwitchB] interface vlan-interface 10
[SwitchB-Vlan-interface10] dhcp select server
[SwitchB-Vlan-interface10] quit
Verifying the configuration
# Verify that clients matching the user classes can obtain IP addresses in the specified ranges and all other configuration parameters from the DHCP server. (Details not shown.)
# Display the IP addresses assigned by the DHCP server.
[SwitchB] display dhcp server ip-in-use
IP address Client-identifier/ Lease expiration Type
Hardware address
10.10.1.2 0031-3865-392e-6262- Jan 14 22:25:03 2015 Auto(C)
3363-2e30-3230-352d-
4745-302f-30
10.10.1.11 aabb-aabb-aab1 Jan 14 22:25:03 2015 Auto(C)
Example: Configuring DHCP user class whitelist
Network configuration
As shown in Figure 11, configure the DHCP user class whitelist to allow the DHCP server to assign IP addresses to clients whose hardware addresses are six bytes long and begin with aabb-aabb.
Procedure
1. Specify IP addresses for the interfaces on the DHCP server. (Details not shown.)
2. Configure DHCP:
# Create DHCP user class ss and configure a match rule to match DHCP requests in which the hardware address is six bytes long and begins with aabb-aabb.
<SwitchB> system-view
[SwitchB] dhcp class ss
[SwitchB-dhcp-class-ss] if-match rule 1 hardware-address aabb-aabb-0000 mask ffff-ffff-0000
[SwitchB-dhcp-class-ss] quit
# Create DHCP address pool aa.
[SwitchB] dhcp server ip-pool aa
# Specify the subnet for dynamic allocation.
[SwitchB-dhcp-pool-aa] network 10.1.1.0 mask 255.255.255.0
# Enable the DHCP user class whitelist.
[SwitchB-dhcp-pool-aa] verify class
# Add DHCP user class ss to the DHCP user class whitelist.
[SwitchB-dhcp-pool-aa] valid class ss
[SwitchB-dhcp-pool-aa] quit
# Enable DHCP.
[SwitchB] dhcp enable
# Enable DHCP server on VLAN-interface 2.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] dhcp select server
[SwitchB-Vlan-interface2] quit
Verifying the configuration
# Verify that clients matching the DHCP user class can obtain IP addresses on subnet 10.1.1.0/24 from the DHCP server. (Details not shown.)
# On the DHCP server, display the IP addresses assigned to the clients.
[SwitchB] display dhcp server ip-in-use
IP address Client-identifier/ Lease expiration Type
Hardware address
10.1.1.2 aabb-aabb-ab01 Jan 14 22:25:03 2015 Auto(C)
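The two examples above (user class ranges, and the user class whitelist) are modelled below in Python as an added example; this is not code from the configuration guide or the device. The request dictionaries and the address ranges are constructed here, and one behaviour is an assumption labelled in the code: a client that matches no class falls back to the pool's general range outside the class ranges.

```python
import ipaddress


def parse_hw(dotted):
    """Convert an H3C-style dotted hex address such as 'aabb-aabb-aab0' to bytes."""
    return bytes.fromhex(dotted.replace("-", ""))


class HwAddressRule:
    """Models 'if-match rule N hardware-address VALUE mask MASK': the request must carry
    a six-byte hardware address whose masked bits equal the masked VALUE."""

    def __init__(self, value, mask):
        self.value, self.mask = parse_hw(value), parse_hw(mask)

    def matches(self, request):
        hw = request.get("hardware_address", b"")
        if len(hw) != 6 or len(self.value) != 6 or len(self.mask) != 6:
            return False
        return all((h & m) == (v & m) for h, v, m in zip(hw, self.value, self.mask))


class OptionRule:
    """Models 'if-match rule N option CODE': the request must carry that option."""

    def __init__(self, code):
        self.code = code

    def matches(self, request):
        return self.code in request.get("options", {})


class Pool:
    """A DHCP address pool with per-class address ranges and the optional class whitelist."""

    def __init__(self, general_range):
        self.general = self._range(general_range)  # 'address range LOW HIGH'
        self.classes = []            # (name, rules, reserved addresses) in configuration order
        self.verify_class = False    # 'verify class'
        self.valid_classes = set()   # 'valid class NAME'
        self.assigned = set()

    @staticmethod
    def _range(bounds):
        low, high = (int(ipaddress.ip_address(a)) for a in bounds)
        return [ipaddress.ip_address(i) for i in range(low, high + 1)]

    def add_class(self, name, rules, addr_range=None):
        """'class NAME range LOW HIGH', or a class used only for the whitelist (no range)."""
        self.classes.append((name, rules, self._range(addr_range) if addr_range else []))

    def matched_classes(self, request):
        return [name for name, rules, _ in self.classes if any(r.matches(request) for r in rules)]

    def allocate(self, request):
        """Return the address assigned to the request as a string, or None if it is refused."""
        matched = self.matched_classes(request)
        if self.verify_class and not (set(matched) & self.valid_classes):
            return None  # whitelist enabled and the client matches no whitelisted class
        candidates = [a for name, _, addrs in self.classes if name in matched for a in addrs]
        reserved = {a for _, _, addrs in self.classes for a in addrs}
        # Assumption: unmatched clients fall back to the general range outside class ranges.
        candidates += [a for a in self.general if a not in reserved]
        for addr in candidates:
            if addr not in self.assigned:
                self.assigned.add(addr)
                return str(addr)
        return None


def user_class_scenario():
    """Pool aa from the user class example, fed three constructed requests."""
    pool = Pool(("10.10.1.2", "10.10.1.100"))
    pool.add_class("tt", [OptionRule(82)], ("10.10.1.2", "10.10.1.10"))
    pool.add_class("ss", [HwAddressRule("aabb-aabb-aab0", "ffff-ffff-fff0")],
                   ("10.10.1.11", "10.10.1.26"))
    relayed = {"hardware_address": parse_hw("0011-2233-4455"), "options": {82: b"circuit"}}
    direct = {"hardware_address": parse_hw("aabb-aabb-aab1"), "options": {}}
    other = {"hardware_address": parse_hw("0011-2233-4466"), "options": {}}
    return pool.allocate(relayed), pool.allocate(direct), pool.allocate(other)


def whitelist_scenario():
    """Pool aa from the whitelist example: only class ss clients are served."""
    pool = Pool(("10.1.1.2", "10.1.1.254"))  # constructed general range for 10.1.1.0/24
    pool.add_class("ss", [HwAddressRule("aabb-aabb-0000", "ffff-ffff-0000")])
    pool.verify_class = True
    pool.valid_classes.add("ss")
    allowed = {"hardware_address": parse_hw("aabb-aabb-ab01"), "options": {}}
    rejected = {"hardware_address": parse_hw("0011-2233-4455"), "options": {}}
    return pool.allocate(allowed), pool.allocate(rejected)
```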
Example: Configuring primary and secondary subnets
Network configuration
As shown in Figure 12, the DHCP server (Switch A) dynamically assigns IP addresses to clients in the LAN.
Configure two subnets in the address pool on the DHCP server: 10.1.1.0/24 as the primary subnet and 10.1.2.0/24 as the secondary subnet. The DHCP server selects IP addresses from the secondary subnet when the primary subnet has no assignable addresses.
Switch A assigns the following parameters:
· The default gateway 10.1.1.254/24 to clients on subnet 10.1.1.0/24.
· The default gateway 10.1.2.254/24 to clients on subnet 10.1.2.0/24.
Procedure
# Create DHCP address pool aa.
<SwitchA> system-view
[SwitchA] dhcp server ip-pool aa
# Specify the primary subnet and the gateway address for dynamic allocation.
[SwitchA-dhcp-pool-aa] network 10.1.1.0 mask 255.255.255.0
[SwitchA-dhcp-pool-aa] gateway-list 10.1.1.254
# Specify the secondary subnet and the gateway address for dynamic allocation.
[SwitchA-dhcp-pool-aa] network 10.1.2.0 mask 255.255.255.0 secondary
[SwitchA-dhcp-pool-aa-secondary] gateway-list 10.1.2.254
[SwitchA-dhcp-pool-aa-secondary] quit
[SwitchA-dhcp-pool-aa] quit
# Enable DHCP.
[SwitchA] dhcp enable
# Configure the primary and secondary IP addresses of VLAN-interface 10.
[SwitchA] interface vlan-interface 10
[SwitchA-Vlan-interface10] ip address 10.1.1.1 24
[SwitchA-Vlan-interface10] ip address 10.1.2.1 24 sub
# Enable the DHCP server on VLAN-interface 10.
[SwitchA-Vlan-interface10] dhcp select server
[SwitchA-Vlan-interface10] quit
Verifying the configuration
# Verify that the DHCP server assigns IP addresses and the gateway address from the secondary subnet to clients when no address is available in the primary subnet. (Details not shown.)
# Display the primary and secondary subnet IP addresses the DHCP server has assigned. The following is part of the command output.
[SwitchA] display dhcp server ip-in-use
IP address Client-identifier/ Lease expiration Type
Hardware address
10.1.1.2 0031-3865-392e-6262- Jan 14 22:25:03 2015 Auto(C)
3363-2e30-3230-352d-
4745-302f-30
10.1.2.2 3030-3030-2e30-3030- Jan 14 22:25:03 2015 Auto(C)
662e-3030-3033-2d45-
7568-6572-1e
Example: Customizing DHCP option
Network configuration
As shown in Figure 13, DHCP clients obtain IP addresses and PXE server addresses from the DHCP server (Switch A). The subnet for address allocation is 10.1.1.0/24.
Configure the address allocation scheme as follows:
Assign PXE addresses | To clients
2.3.4.5 and 3.3.3.3 | The hardware address in the request is six bytes long and begins with aabb-aabb.
1.2.3.4 and 2.2.2.2 | Other clients.
The DHCP server assigns PXE server addresses to DHCP clients through Option 43, a customized option. The format of Option 43 and that of the PXE server address sub-option are shown in Figure 5 and Figure 7. For example, the value of Option 43 configured in the DHCP address pool is 80 0B 00 00 02 01 02 03 04 02 02 02 02.
· The number 80 is the value of the sub-option type.
· The number 0B is the value of the sub-option length.
· The numbers 00 00 are the value of the PXE server type.
· The number 02 indicates the number of servers.
· The numbers 01 02 03 04 02 02 02 02 indicate that the PXE server addresses are 1.2.3.4 and 2.2.2.2.
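The Option 43 layout just described (sub-option type 80, length, two-byte PXE server type, server count, one IPv4 address per server) can be built and checked with the following Python, added here as an example rather than taken from the configuration guide. It reproduces the two hex values used in this example and rejects a value whose length byte does not agree with the payload.

```python
import ipaddress

PXE_SUBOPTION_TYPE = 0x80  # sub-option type used for PXE server addresses in this example


def encode_pxe_option43(servers, server_type=0):
    """Return the hex string for 'option 43 hex ...' that carries the given PXE servers."""
    if not 1 <= len(servers) <= 255:
        raise ValueError("server count must be between 1 and 255")
    body = server_type.to_bytes(2, "big") + bytes([len(servers)])
    for server in servers:
        body += ipaddress.IPv4Address(server).packed
    # The length byte covers the server type, the count and the address list.
    return (bytes([PXE_SUBOPTION_TYPE, len(body)]) + body).hex().upper()


def decode_pxe_option43(hex_value):
    """Parse the hex string back into (server_type, [addresses]); raise on malformed input."""
    data = bytes.fromhex(hex_value)
    if len(data) < 2 or data[0] != PXE_SUBOPTION_TYPE:
        raise ValueError("not a PXE server sub-option")
    length = data[1]
    body = data[2:2 + length]
    if len(body) != length or len(data) != 2 + length:
        raise ValueError("length byte does not match the payload size")
    server_type = int.from_bytes(body[0:2], "big")
    count = body[2]
    addrs = body[3:]
    if len(addrs) != 4 * count:
        raise ValueError("server count does not match the address list")
    servers = [str(ipaddress.IPv4Address(addrs[i:i + 4])) for i in range(0, len(addrs), 4)]
    return server_type, servers
```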
Procedure
1. Specify IP addresses for the interfaces. (Details not shown.)
2. Configure the DHCP server:
# Create DHCP user class ss and configure a match rule to match DHCP requests in which the hardware address is six bytes long and begins with aabb-aabb.
<SwitchA> system-view
[SwitchA] dhcp class ss
[SwitchA-dhcp-class-ss] if-match rule 1 hardware-address aabb-aabb-0000 mask ffff-ffff-0000
[SwitchA-dhcp-class-ss] quit
# Create DHCP option group 1 and customize Option 43.
[SwitchA] dhcp option-group 1
[SwitchA-dhcp-option-group-1] option 43 hex 800B0000020203040503030303
# Enable the DHCP server on VLAN-interface 2.
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] dhcp select server
[SwitchA-Vlan-interface2] quit
# Create DHCP address pool 0.
[SwitchA] dhcp server ip-pool 0
# Specify the subnet for dynamic address allocation.
[SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
# Customize Option 43.
[SwitchA-dhcp-pool-0] option 43 hex 800B0000020102030402020202
# Associate DHCP user class ss with option group 1.
[SwitchA-dhcp-pool-0] class ss option-group 1
[SwitchA-dhcp-pool-0] quit
# Enable DHCP.
[SwitchA] dhcp enable
Verifying the configuration
# Verify that Switch B can obtain an IP address on subnet 10.1.1.0/24 and the corresponding PXE server addresses from Switch A. (Details not shown.)
# On the DHCP server, display the IP addresses assigned to the clients.
[SwitchA] display dhcp server ip-in-use
IP address Client-identifier/ Lease expiration Type
Hardware address
10.1.1.2 aabb-aabb-ab01 Jan 14 22:25:03 2015 Auto(C)
Troubleshooting DHCP server configuration
Failure to obtain a non-conflicting IP address
Symptom
A client's IP address obtained from the DHCP server conflicts with an IP address of another host.
Solution
Another host on the subnet might have the same IP address.
To resolve the problem:
1. Disable the client's network adapter or disconnect the client's network cable. Ping the IP address of the client from another host to check whether there is a host using the same IP address.
2. If a ping response is received, the IP address has been manually configured on a host. Execute the dhcp server forbidden-ip command on the DHCP server to exclude the IP address from dynamic allocation.
3. Enable the network adapter or connect the network cable, release the IP address, and obtain another one on the client. For example, to release the IP address and obtain another one on a Windows XP DHCP client:
a. In the Windows environment, execute the cmd command to enter the DOS environment.
b. Enter ipconfig /release to relinquish the IP address.
c. Enter ipconfig /renew to obtain another IP address.
Configuring the DHCP relay agent
About DHCP relay agent
The DHCP relay agent enables clients to get IP addresses and configuration parameters from a DHCP server on another subnet.
Figure 14 shows a typical application of the DHCP relay agent.
Figure 14 DHCP relay agent application
DHCP relay agent operation
The DHCP server and client interact with each other in the same way regardless of whether the relay agent exists. For the interaction details, see "IP address allocation process." The following only describes steps related to the DHCP relay agent:
1. After receiving a DHCP-DISCOVER or DHCP-REQUEST broadcast message from a DHCP client, the DHCP relay agent processes the message as follows:
a. Fills the giaddr field of the message with its IP address.
b. Unicasts the message to the designated DHCP server.
2. Based on the giaddr field, the DHCP server returns an IP address and other configuration parameters in a response.
3. The relay agent conveys the response to the client.
Figure 15 DHCP relay agent operation
DHCP relay agent support for Option 82
Option 82 records the location information about the DHCP client. It enables the administrator to perform the following tasks:
· Locate the DHCP client for security and accounting purposes.
· Assign IP addresses in a specific range to clients.
For more information about Option 82, see "Relay agent option (Option 82)."
If the DHCP relay agent supports Option 82, it handles DHCP requests by following the strategies described in Table 3.
If a response returned by the DHCP server contains Option 82, the DHCP relay agent removes the Option 82 before forwarding the response to the client.
Table 3 Handling strategies of the DHCP relay agent
If a DHCP request has… | Handling strategy | The DHCP relay agent…
Option 82 | Drop | Drops the message.
Option 82 | Keep | Forwards the message without changing Option 82.
Option 82 | Replace | Forwards the message after replacing the original Option 82 with the Option 82 padded according to the configured padding format, padding content, and code type.
No Option 82 | N/A | Forwards the message after adding Option 82 padded according to the configured padding format, padding content, and code type.
DHCP relay agent support for MCE
An MCE device acting as the DHCP relay agent can forward DHCP packets between a DHCP server and clients on either a public network or a private network. For more information about MCE, see MPLS Configuration Guide.
DHCP relay agent tasks at a glance
To configure a DHCP relay agent, perform the following tasks:
1. Enabling DHCP
2. Enabling the DHCP relay agent on an interface
3. Specifying DHCP servers
4. (Optional.) Configuring advanced features:
◦ Specifying a DHCP relay address pool for DHCP clients
◦ Configuring the DHCP relay agent security features
◦ Configuring the DHCP relay agent to release an IP address
◦ Configuring DHCP relay agent support for Option 82
◦ Enabling Option 60 insertion into DHCP requests
◦ Setting the DSCP value for DHCP packets sent by the DHCP relay agent
◦ Specifying the DHCP relay agent address for the giaddr field
◦ Specifying the source IP address for relayed DHCP requests
◦ Discarding DHCP requests that are delivered from VXLAN tunnels
◦ Configuring DHCP relay agent support for forwarding DHCP replies based on MAC address table
Enabling DHCP
Restrictions and guidelines
You must enable DHCP to make other DHCP relay agent settings take effect.
Procedure
1. Enter system view.
system-view
2. Enable DHCP.
dhcp enable
By default, DHCP is disabled.
Enabling the DHCP relay agent on an interface
About enabling the DHCP relay agent on an interface
With the DHCP relay agent enabled, an interface forwards incoming DHCP requests to a DHCP server.
An IP address pool that contains the IP address of the DHCP relay interface must be configured on the DHCP server. Otherwise, the DHCP clients connected to the relay agent cannot obtain correct IP addresses.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable the DHCP relay agent.
dhcp select relay
By default, when DHCP is enabled, an interface operates in the DHCP server mode.
Specifying DHCP servers
Specifying DHCP servers on a relay agent
About specifying DHCP servers on a relay agent
To improve availability, you can specify several DHCP servers on the DHCP relay agent. When the interface receives request messages from clients, the relay agent forwards them to all DHCP servers.
Restrictions and guidelines
The IP address of any specified DHCP server must not reside on the same subnet as the IP address of the relay interface. Otherwise, the clients might fail to obtain IP addresses.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Specify a DHCP server address on the relay agent.
dhcp relay server-address ip-address [ class class-name ] [ public | vpn-instance vpn-instance-name ]
By default, no DHCP server address is specified on the relay agent.
To specify multiple DHCP server addresses, repeat this step. You can specify a maximum of eight DHCP servers.
Specifying DHCP servers in a DHCP relay address pool
About specifying DHCP servers in a DHCP relay address pool
DHCP address pools created on a DHCP relay agent are called DHCP relay address pools. You can create a relay address pool and specify DHCP servers in this address pool. This feature allows DHCP clients of the same type to obtain IP addresses and other configuration parameters from the DHCP servers specified in the matching DHCP relay address pool.
This feature applies to scenarios where the DHCP relay agent connects to clients that share the same access type but are classified into different types by their locations. In this case, the relay interface typically has no IP address configured. You can use the gateway-list command to specify gateway addresses for clients matching the same DHCP relay address pool and bind the gateway addresses to the device's MAC address.
Upon receiving a DHCP DISCOVER or REQUEST from a client that matches a DHCP relay address pool, the relay agent processes the packet as follows:
· Fills the giaddr field of the packet with a specified gateway address.
· Forwards the packet to all DHCP servers in the matching DHCP relay address pool.
The DHCP servers select a DHCP relay address pool according to the gateway address.
Procedure
1. Enter system view.
system-view
2. Create a DHCP relay address pool and enter its view.
dhcp server ip-pool pool-name
3. Specify gateways in the DHCP relay address pool.
gateway-list ip-address&<1-64>
By default, no gateway address is specified.
4. Specify DHCP servers in the DHCP relay address pool.
remote-server ip-address&<1-8> [ public | vpn-instance vpn-instance-name ]
By default, no DHCP server is specified in the DHCP relay address pool.
You can specify a maximum of eight DHCP servers in one DHCP relay address pool for high availability.
Specifying the DHCP server selecting algorithm
About DHCP server selecting algorithm
The DHCP relay agent supports the polling and master-backup DHCP server selecting algorithms.
By default, the DHCP relay agent uses the polling algorithm. It forwards DHCP requests to all DHCP servers, and each DHCP client selects the DHCP server whose reply it receives first.
If the DHCP relay agent uses the master-backup algorithm, it forwards DHCP requests to the master DHCP server first. If the master DHCP server is not available, the relay agent forwards the subsequent DHCP requests to a backup DHCP server. If the backup DHCP server is not available, the relay agent selects the next backup DHCP server, and so on. If no backup DHCP server is available, it repeats the process starting from the master DHCP server.
The master DHCP server is determined in one of the following ways:
· In a common network where multiple DHCP server addresses are specified on the DHCP relay interface, the first specified DHCP server is the master. The other DHCP servers are backup.
· In a network where DHCP relay address pools are configured on the DHCP relay agent, the first specified DHCP server in a DHCP relay address pool is the master. The other DHCP servers in the DHCP relay address pool are backup.
DHCP server selection supports the following functions:
· DHCP server response timeout time—The DHCP relay agent determines that a DHCP server is not available if it does not receive any response from the server within the DHCP server response timeout time. The DHCP server response timeout time is configurable and the default is 30 seconds.
· DHCP server switchback—If the DHCP relay agent selects a backup DHCP server, it does not switch back to the master DHCP server by default. You can configure the DHCP relay agent to switch back to the master DHCP server after a delay. If the master DHCP server is available, the DHCP relay agent forwards DHCP requests to the master DHCP server. If the master DHCP server is not available, the DHCP relay agent still uses the backup DHCP server.
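The master-backup selection, response timeout and switchback behaviour described above are modelled in the following Python, added here as an example and not taken from the configuration guide or the device. Two assumptions are labelled in the code: a server is judged unavailable when a request sent to it gets no reply within the response timeout, and the switchback delay is counted from the moment the relay agent left the master (or last found it still unavailable).

```python
class MasterBackupSelector:
    """Chooses the DHCP server a relayed request is forwarded to under master-backup."""

    def __init__(self, servers, timeout=30, switch_delay=None):
        self.servers = list(servers)   # first entry is the master, the rest are backups
        self.timeout = timeout         # DHCP server response timeout (default 30 s)
        self.switch_delay = switch_delay  # None: never switch back, the default
        self.current = 0               # index of the server currently in use
        self.switched_at = None        # assumption: time the relay agent left the master
        self.probing_master = False    # a switchback attempt is in progress
        self.sent_at = None            # time of the still-unanswered request, if any

    def target(self, now):
        """Return the server to which a request sent at time 'now' is forwarded."""
        if self.sent_at is not None and now - self.sent_at >= self.timeout:
            self.on_timeout(now)       # assumption: no reply within the timeout = unavailable
        if (self.current != 0 and self.switch_delay is not None and not self.probing_master
                and now - self.switched_at >= self.switch_delay):
            self.probing_master = True  # delay elapsed: try the master again
        self.sent_at = now
        return self.servers[0 if self.probing_master else self.current]

    def on_reply(self, server):
        """The named server answered the outstanding request, so it is available."""
        self.sent_at = None
        if self.probing_master and server == self.servers[0]:
            self.current, self.switched_at, self.probing_master = 0, None, False

    def on_timeout(self, now):
        """The outstanding request got no reply: move to the next backup, or keep the backup
        if this was a switchback probe of the master."""
        self.sent_at = None
        if self.probing_master:
            self.probing_master = False
            self.switched_at = now     # master still down; restart the switchback delay
            return
        self.current = (self.current + 1) % len(self.servers)  # wraps around to the master
        if self.current == 1:
            self.switched_at = now
        elif self.current == 0:
            self.switched_at = None


def failover_scenario():
    """Constructed timeline: master A stops answering, B takes over, A recovers later."""
    sel = MasterBackupSelector(["A", "B", "C"], timeout=30, switch_delay=60)
    seen = [sel.target(0)]             # A, no reply within 30 s
    sel.on_timeout(30)
    seen.append(sel.target(30)); sel.on_reply("B")
    seen.append(sel.target(50)); sel.on_reply("B")
    seen.append(sel.target(100))       # 70 s on the backup: probe the master
    sel.on_timeout(130)                # A still silent, stay on B
    seen.append(sel.target(131)); sel.on_reply("B")
    seen.append(sel.target(200))       # probe the master again
    sel.on_reply("A")                  # A is back: switch to the master
    seen.append(sel.target(201))
    return seen
```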
Specifying the DHCP server selecting algorithm in interface view
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Specify the DHCP server selecting algorithm.
dhcp relay server-address algorithm { master-backup | polling }
By default, the polling algorithm is used. The DHCP relay agent forwards DHCP requests to all DHCP servers.
4. (Optional.) Set the DHCP server response timeout time for DHCP server switchover.
dhcp relay dhcp-server timeout time
By default, the DHCP server response timeout time is 30 seconds.
5. (Optional.) Enable the switchback to the master DHCP server and set the delay time.
dhcp relay master-server switch-delay delay-time
By default, the DHCP relay agent does not switch back to the master DHCP server.
Specifying the DHCP server selecting algorithm in DHCP relay address pool view
1. Enter system view.
system-view
2. Enter DHCP relay address pool view.
dhcp server ip-pool pool-name
3. Specify the DHCP server selecting algorithm.
dhcp relay server-address algorithm { master-backup | polling }
By default, the polling algorithm is used. The DHCP relay agent forwards DHCP requests to all DHCP servers.
4. (Optional.) Set the DHCP server response timeout time for DHCP server switchover.
dhcp-server timeout time
By default, the DHCP server response timeout time is 30 seconds.
5. (Optional.) Enable the switchback to the master DHCP server and set the delay time.
master-server switch-delay delay-time
By default, the DHCP relay agent does not switch back to the master DHCP server.
Specifying a DHCP relay address pool for DHCP clients
About specifying a DHCP relay address pool for DHCP clients
After you configure multiple DHCP relay address pools on a DHCP relay agent, you can specify these pools on an interface. To match DHCP clients based on options, you can define option settings when you specify the relay address pools.
If you specify multiple DHCP relay address pools on an interface, the relay agent selects a DHCP relay address pool for a DHCP client as follows:
1. Compares option values in the DHCP request in descending order against option values in DHCP relay address pools.
◦ If a match (other than 60) is found, the matching process stops and the relay agent selects that matching relay address pool.
◦ If the matching option value is 60, the relay agent continues to compare the Option 60 content in the request and the Option 60 string in the relay address pool:
- If the Option 60 content matches the string, the relay address pool is selected.
- If the Option 60 content does not match the string, the relay address pool is not selected. If another relay address pool is specified to match Option 60 but has no Option 60 string defined, the relay agent selects that relay address pool.
2. If still no DHCP relay address pool is matched, the relay agent selects the DHCP relay address pool with no options specified.
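The pool selection order above, including the Option 60 special case, is modelled in the following Python, added here as an example and not taken from the configuration guide. Assumptions, labelled in the code: "descending order" is read as option codes compared from highest to lowest, and a pool's Option 60 text is compared with the whole Option 60 string carried in the request.

```python
class RelayPoolBinding:
    """One 'dhcp relay pool NAME [ option { 60 [ TEXT ] | CODE } ]' line on an interface."""

    def __init__(self, name, option=None, option_text=None):
        self.name, self.option, self.option_text = name, option, option_text


def select_relay_pool(request_options, bindings):
    """Return the name of the relay address pool chosen for a request, or None.

    request_options maps option code -> raw option value (bytes)."""
    for code in sorted(request_options, reverse=True):  # assumption: highest code first
        candidates = [b for b in bindings if b.option == code]
        if not candidates:
            continue
        if code != 60:
            return candidates[0].name                   # a match other than 60 ends the search
        vendor_class = request_options[60].decode("ascii", "replace")
        for b in candidates:
            if b.option_text is not None and b.option_text == vendor_class:
                return b.name                           # Option 60 content matches the string
        for b in candidates:
            if b.option_text is None:
                return b.name                           # pool matching Option 60 with no string
    for b in bindings:                                  # step 2: the pool with no option
        if b.option is None:
            return b.name
    return None


# Constructed interface configuration: a default pool, two Option 60 pools, one Option 82 pool.
BINDINGS = [
    RelayPoolBinding("default"),
    RelayPoolBinding("voip", option=60, option_text="VoIP-Phone"),
    RelayPoolBinding("any60", option=60),
    RelayPoolBinding("relayed", option=82),
]
```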
Restrictions and guidelines
If you specify DHCP servers by using both of the following methods on an interface, only the DHCP relay address pool setting takes effect.
· Specify DHCP relay address pools by using the dhcp relay pool command.
· Specify DHCP servers directly on an interface by using the dhcp relay server-address command.
When you specify a DHCP relay address pool on an interface to define the DHCP servers, make sure the remote-server command is configured in the DHCP relay address pool. Otherwise, the relay agent drops DHCP requests. The DHCP requests are not forwarded to any DHCP server even if the dhcp relay server-address command is configured.
Procedure
1. Enter system view.
system-view
2. Create a DHCP relay address pool and enter its view.
dhcp server ip-pool pool-name
By default, no DHCP relay address pools exist.
3. Specify DHCP servers in the DHCP relay address pool.
remote-server ip-address&<1-8> [ public | vpn-instance vpn-instance-name ]
By default, no DHCP server is specified in the DHCP relay address pool.
4. Specify gateway addresses for the clients matching the DHCP relay address pool.
gateway-list ip-address&<1-64>
By default, no gateway address is specified.
5. Specify the DHCP server selecting algorithm.
remote-server algorithm { master-backup | polling }
By default, the polling algorithm is used. The DHCP relay agent forwards DHCP requests to all DHCP servers at the same time.
6. Return to system view.
quit
7. Enter interface view.
interface interface-type interface-number
8. Specify a DHCP relay address pool for DHCP clients.
dhcp relay pool pool-name [ option { 60 [ option-text ] | code } ]
By default, no DHCP relay address pool is specified for DHCP clients.
Configuring the DHCP relay agent security features
Restrictions and guidelines for DHCP relay agent security feature configuration
If the DHCP relay agent is an EVPN distributed gateway, it cannot receive replies from the DHCP server when recording relay entries and periodic refresh of dynamic relay entries are enabled. As a result, the relay agent cannot record dynamic relay entries or might delete them mistakenly. If the relay agent must record and refresh relay entries, enable the DHCP server proxy on the relay agent. When DHCP requests pass through the DHCP server proxy, it records or refreshes the client's IP-to-MAC bindings.
Enabling the DHCP relay agent to record relay entries
About enabling the DHCP relay agent to record relay entries
Perform this task to enable the DHCP relay agent to automatically record clients' IP-to-MAC bindings (relay entries) after they obtain IP addresses through DHCP.
Some security features use the relay entries to check incoming packets and block packets that do not match any entry. In this way, illegal hosts are not able to access external networks through the relay agent. Examples of the security features are ARP address check, authorized ARP, and IP source guard.
Restrictions and guidelines
The DHCP relay agent does not record IP-to-MAC bindings for DHCP clients running on synchronous/asynchronous serial interfaces.
Procedure
1. Enter system view.
system-view
2. Enable the relay agent to record relay entries.
dhcp relay client-information record
By default, the relay agent does not record relay entries.
Enabling periodic refresh of dynamic relay entries
About enabling periodic refresh of dynamic relay entries
A DHCP client unicasts a DHCP-RELEASE message to the DHCP server to release its IP address. The DHCP relay agent conveys the message to the DHCP server and does not remove the IP-to-MAC entry of the client.
With this feature, the DHCP relay agent uses the IP address of a relay entry to periodically send a DHCP-REQUEST message to the DHCP server.
The relay agent maintains the relay entries depending on what it receives from the DHCP server:
· If the server returns a DHCP-ACK message or does not return any message within an interval, the DHCP relay agent removes the relay entry. In addition, upon receiving the DHCP-ACK message, the relay agent sends a DHCP-RELEASE message to release the IP address.
· If the server returns a DHCP-NAK message, the relay agent keeps the relay entry.
Procedure
1. Enter system view.
system-view
2. Enable periodic refresh of dynamic relay entries.
dhcp relay client-information refresh enable
By default, periodic refresh of dynamic relay entries is enabled.
3. (Optional.) Set the refresh interval.
dhcp relay client-information refresh [ auto | interval interval ]
By default, the refresh interval is auto, which is calculated based on the number of total relay entries.
Configuring DHCP flood attack protection
About DHCP flood attack protection
The DHCP flood attack protection enables the DHCP relay agent to detect DHCP flood attacks according to the DHCP packet rate threshold on a per-MAC basis.
When the DHCP relay agent receives a DHCP packet from a client (MAC address), it creates a DHCP flood attack entry in check state. If the number of DHCP packets from the same MAC address reaches the upper limit in the detection duration, the relay agent determines that the client is launching a DHCP flood attack. The DHCP flood attack entry changes to the restrain state, and the DHCP relay agent discards the DHCP packets from that client. When the aging time of the entry is reached, the DHCP relay agent deletes the entry. If a DHCP packet from the MAC address arrives later, the DHCP relay agent will create a flood attack entry and count the number of incoming DHCP packets for that client again.
Configuring DHCP flood attack protection in a common network
1. Enter system view.
system-view
2. (Optional) Set the DHCP packet rate threshold for DHCP flood attack detection.
dhcp flood-protection threshold packet-number milliseconds
By default, the device allows a maximum of 6 DHCP packets per 5000 milliseconds from each DHCP client.
3. (Optional) Set the DHCP flood attack entry aging time.
dhcp flood-protection aging-time time
The default setting is 300 seconds.
4. Enter interface view.
interface interface-type interface-number
5. Enable DHCP flood attack protection.
dhcp flood-protection enable
By default, DHCP flood attack protection is disabled.
Enabling DHCP starvation attack protection
About DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system resources. The following methods are available to relieve or prevent such attacks.
· To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, you can use one of the following methods:
¡ Limit the number of ARP entries that a Layer 3 interface can learn.
¡ Set the MAC learning limit for a Layer 2 port, and disable unknown frame forwarding when the MAC learning limit is reached.
· To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, you can enable MAC address check on the DHCP relay agent. The DHCP relay agent compares the chaddr field of a received DHCP request with the source MAC address in the frame header. If they are the same, the DHCP relay agent forwards the request to the DHCP server. If not, the relay agent discards the request.
Enable MAC address check only on the DHCP relay agent directly connected to the DHCP clients. A DHCP relay agent changes the source MAC address of DHCP packets before sending them.
A MAC address check entry has an aging time. When the aging time expires, both of the following occur:
· The entry ages out.
· The DHCP relay agent rechecks the validity of DHCP requests sent from the MAC address in the entry.
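To make the MAC address check concrete, the following Python block is an added example (not code from this guide or from the device) that builds a minimal RFC 2131 request, extracts the chaddr field, and compares it with the Ethernet source MAC the way the relay agent does. It keeps a per-MAC check entry that caches the verdict until the 30-second aging time expires, which is how the page describes the recheck behaviour; the entry layout and the use of an injected clock are assumptions, and all packets are constructed test input.

```python
import struct
import time


def mac_to_bytes(mac):
    """Convert "aabb-ccdd-eeff", "aabb.ccdd.eeff" or "aa:bb:cc:dd:ee:ff" to 6 bytes."""
    return bytes.fromhex(mac.replace("-", "").replace(":", "").replace(".", ""))


def build_dhcp_request(chaddr, xid=0x12345678):
    """Construct a minimal BOOTP/DHCP request: the RFC 2131 fixed header,
    the magic cookie and a DHCPDISCOVER message-type option. Test input only."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1,            # op = BOOTREQUEST
        1,            # htype = Ethernet
        6,            # hlen
        0,            # hops
        xid,
        0,            # secs
        0x8000,       # flags: broadcast
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        mac_to_bytes(chaddr).ljust(16, b"\0"),        # chaddr, padded to 16 bytes
        b"\0" * 64,   # sname
        b"\0" * 128,  # file
    )
    return header + b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff"


def chaddr_of(dhcp_payload):
    """Return the hlen significant bytes of the chaddr field (offset 28)."""
    hlen = dhcp_payload[2]
    return dhcp_payload[28:28 + hlen]


class MacAddressCheck:
    """Relay-side check: forward only if the frame source MAC equals chaddr.

    A check entry per source MAC caches the verdict until it ages out
    (default 30 s, as on the page); after that the request is rechecked.
    """

    def __init__(self, aging_s=30):
        self.aging_s = aging_s
        self.entries = {}  # source MAC bytes -> (verdict, expiry)

    def check(self, src_mac, dhcp_payload, now=None):
        now = time.monotonic() if now is None else now
        src = mac_to_bytes(src_mac)
        cached = self.entries.get(src)
        if cached and cached[1] > now:
            return cached[0]
        # Entry absent or aged out: compare chaddr with the frame source MAC.
        verdict = "forward" if chaddr_of(dhcp_payload) == src else "drop"
        self.entries[src] = (verdict, now + self.aging_s)
        return verdict


def demo():
    """Constructed scenario: a legitimate client and a forged request."""
    mc = MacAddressCheck(aging_s=30)
    client, other = "000c-29d3-8659", "00aa-00bb-00cc"
    results = {}
    # Legitimate client: chaddr equals the frame source MAC.
    results["legit"] = mc.check(client, build_dhcp_request(client), now=0)
    # Forged request: frame sent from one MAC, chaddr claims another.
    results["spoofed"] = mc.check(other, build_dhcp_request("0000-0000-0001"), now=1)
    # Same source MAC, now consistent, but its drop entry has not aged out.
    results["spoofed_cached"] = mc.check(other, build_dhcp_request(other), now=2)
    # After the aging time the entry is gone and the request is rechecked.
    results["after_aging"] = mc.check(other, build_dhcp_request(other), now=40)
    return results
```

As the page notes, this comparison is only meaningful on the relay agent directly connected to the clients: an upstream relay rewrites the source MAC, so every request it forwards would fail the check.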
Procedure
1. Enter system view.
system-view
2. Set the aging time for MAC address check entries.
dhcp relay check mac-address aging-time time
The default aging time is 30 seconds.
This command takes effect only after you execute the dhcp relay check mac-address command.
3. Enter the interface view.
interface interface-type interface-number
4. Enable MAC address check.
dhcp relay check mac-address
By default, MAC address check is disabled.
Enabling DHCP server proxy on the DHCP relay agent
About enabling DHCP server proxy on the DHCP relay agent
The DHCP server proxy feature isolates DHCP servers from DHCP clients and protects DHCP servers against attacks.
Upon receiving a response from the server, the DHCP server proxy replaces the server's IP address with the IP address of the relay interface before sending the response to the client. The DHCP client therefore sees the DHCP relay agent as its DHCP server.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable DHCP relay agent and DHCP server proxy on the interface.
dhcp select relay proxy
By default, the interface operates in DHCP server mode after DHCP is enabled.
Enabling client offline detection on the DHCP relay agent
About client offline detection on the DHCP relay agent
The client offline detection on the DHCP relay agent detects the user online status based on the ARP entry aging. When an ARP entry ages out, the DHCP client offline detection feature deletes the relay entry for the IP address and sends a RELEASE message to the DHCP server.
If DHCP relay agent and DHCP snooping are configured on the same device, the DHCP snooping module deletes its DHCP snooping entries after it obtains the RELEASE messages from the relay agent module.
Restrictions and guidelines
The feature does not function if an ARP entry is manually deleted.
Procedure
1. Enter system view.
system-view
2. Enable the relay agent to record relay entries.
dhcp relay client-information record
By default, the relay agent does not record relay entries.
Without relay entries, client offline detection cannot function correctly.
3. Enter interface view.
interface interface-type interface-number
4. Enable the DHCP relay agent.
dhcp select relay
By default, when DHCP is enabled, an interface operates in the DHCP server mode.
5. Enable client offline detection.
dhcp client-detect
By default, client offline detection is disabled on the DHCP relay agent.
Configuring the DHCP relay agent to release an IP address
About configuring the DHCP relay agent to release an IP address
Configure the relay agent to release the IP address for a relay entry. The relay agent sends a DHCP-RELEASE message to the server and meanwhile deletes the relay entry. Upon receiving the DHCP-RELEASE message, the DHCP server releases the IP address.
This command can release only the IP addresses in the recorded relay entries.
Procedure
1. Enter system view.
system-view
2. Configure the DHCP relay agent to release an IP address.
dhcp relay release ip ip-address [ vpn-instance vpn-instance-name ]
Configuring DHCP relay agent support for Option 82
To support Option 82, you must perform related configuration on both the DHCP server and relay agent. For DHCP server Option 82 configuration, see "Enabling handling of Option 82."
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable the relay agent to handle Option 82.
dhcp relay information enable
By default, handling of Option 82 is disabled.
4. (Optional.) Configure the strategy for handling DHCP requests that contain Option 82.
dhcp relay information strategy { drop | keep | replace }
By default, the handling strategy is replace.
If the handling strategy is replace, configure a padding mode and a padding format for Option 82. If the handling strategy is keep or drop, you do not need to configure a padding mode or padding format for Option 82.
5. (Optional.) Configure the padding mode and padding format for the Circuit ID sub-option.
dhcp relay information circuit-id { bas | string circuit-id | vxlan-port | { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] [ interface ] } [ format { ascii | hex } ] }
By default, the padding mode for Circuit ID sub-option is normal, and the padding format is hex.
The device name (sysname) must not include spaces if it is configured as the padding content for sub-option 1. Otherwise, the DHCP relay agent will fail to add or replace Option 82.
6. (Optional.) Configure the padding mode and padding format for the Remote ID sub-option.
dhcp relay information remote-id { normal [ format { ascii | hex } ] | string remote-id | sysname }
By default, the padding mode for the Remote ID sub-option is normal, and the padding format is hex.
Enabling Option 60 insertion into DHCP requests
About enabling Option 60 insertion into DHCP requests
Option 60 records vendor class identifier information of DHCP clients. It allows the clients to obtain IP addresses from different address ranges. After receiving a DHCP request with Option 60 encapsulated, the DHCP server follows the procedure to assign an IP address:
1. Uses Option 60 to determine a user class for the client.
2. Selects an IP address from the address range that matches the user class and assigns the address to the client.
After you enable Option 60 insertion on the DHCP relay agent, the relay agent first examines whether the received DHCP request contains Option 60.
· If the request does not contain Option 60, the relay agent inserts the option string into the request before forwarding the request to the DHCP server.
· If the request contains Option 60, the relay agent forwards the request to the DHCP server without processing this option.
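The Option 82 handling strategies (drop, keep, replace) and the Option 60 insertion rule above both operate on the DHCP options area. The following Python block is an added example serving both sections; it is not code from this guide or from the device. It contains a small TLV parser and serialiser for the options area, an Option 82 encoder for the Circuit ID and Remote ID sub-options in ascii or hex padding format, and a relay step that applies the configured strategy and inserts Option 60 only when the request lacks it. It assumes, as standard relay behaviour, that a request without Option 82 simply gets the relay's own Option 82 added; the request contents and the vendor class string are constructed.

```python
OPTION_PAD, OPTION_END = 0, 255
OPTION_VENDOR_CLASS = 60      # Option 60, vendor class identifier
OPTION_RELAY_AGENT = 82       # Option 82, relay agent information
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def parse_options(data):
    """Parse the options area (after the magic cookie) into (code, value) pairs.
    Raises ValueError on a truncated option rather than reading past the end."""
    opts, i = [], 0
    while i < len(data):
        code = data[i]
        if code == OPTION_PAD:
            i += 1
            continue
        if code == OPTION_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts.append((code, value))
        i += 2 + length
    return opts


def build_options(opts):
    """Serialise (code, value) pairs into an options area ending with 255."""
    out = bytearray()
    for code, value in opts:
        if len(value) > 255:
            raise ValueError("option %d too long" % code)
        out += bytes([code, len(value)]) + value
    out.append(OPTION_END)
    return bytes(out)


def build_option82(circuit_id, remote_id, fmt="ascii"):
    """Encode Option 82 with Circuit ID (sub-option 1) and Remote ID (sub-option 2).
    fmt="ascii" pads the strings as text; fmt="hex" takes hex strings."""
    def enc(s):
        return s.encode("ascii") if fmt == "ascii" else bytes.fromhex(s)
    cid, rid = enc(circuit_id), enc(remote_id)
    return (bytes([SUB_CIRCUIT_ID, len(cid)]) + cid
            + bytes([SUB_REMOTE_ID, len(rid)]) + rid)


def relay_process_request(options_area, strategy, option82, option60_text=None):
    """Apply the relay's Option 82 strategy and optional Option 60 insertion.
    Returns the rewritten options area, or None when the request is dropped."""
    if strategy not in ("drop", "keep", "replace"):
        raise ValueError("unknown strategy %r" % strategy)
    opts = parse_options(options_area)
    if any(c == OPTION_RELAY_AGENT for c, _ in opts):
        if strategy == "drop":
            return None
        if strategy == "replace":
            opts = [(c, v) for c, v in opts if c != OPTION_RELAY_AGENT]
            opts.append((OPTION_RELAY_AGENT, option82))
        # "keep": the client's Option 82 is forwarded unchanged.
    else:
        # Assumption: a request without Option 82 gets the relay's own copy.
        opts.append((OPTION_RELAY_AGENT, option82))
    if option60_text is not None and not any(c == OPTION_VENDOR_CLASS for c, _ in opts):
        # Option 60 is inserted only when the request does not carry one.
        opts.append((OPTION_VENDOR_CLASS, option60_text.encode("ascii")))
    return build_options(opts)


def demo():
    """Constructed requests: one without Option 82, one carrying a client-supplied Option 82."""
    o82 = build_option82("company001", "device001")
    client_mac = bytes.fromhex("000c29d38659")
    plain = build_options([(53, b"\x01"), (61, b"\x01" + client_mac)])
    with82 = build_options([(53, b"\x01"), (82, b"\x01\x03xxx")])
    return {
        "added": parse_options(relay_process_request(plain, "replace", o82, "acme-ip-phone")),
        "replaced": parse_options(relay_process_request(with82, "replace", o82)),
        "kept": parse_options(relay_process_request(with82, "keep", o82)),
        "dropped": relay_process_request(with82, "drop", o82),
    }
```

The strategy choice is a trust decision: "keep" accepts whatever Option 82 a client or downstream device supplied, "replace" overwrites it with the relay's own view of where the request arrived, and "drop" refuses such requests altogether.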
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable Option 60 insertion into DHCP requests on the DHCP relay agent.
dhcp relay insert option60 option-text
By default, the DHCP relay agent does not insert Option 60 into DHCP requests.
Setting the DSCP value for DHCP packets sent by the DHCP relay agent
About the DSCP value for DHCP packets sent by the DHCP relay agent
The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.
Procedure
1. Enter system view.
system-view
2. Set the DSCP value for DHCP packets sent by the DHCP relay agent.
dhcp dscp dscp-value
By default, the DSCP value in DHCP packets sent by the DHCP relay agent is 56.
Specifying the DHCP relay agent address for the giaddr field
Manually specifying the DHCP relay agent address for the giaddr field
About manually specifying the DHCP relay agent address for the giaddr field
This task allows you to specify the IP address that is encapsulated in the giaddr field of relayed DHCP requests. If you do not specify a DHCP relay agent address, the primary IP address of the DHCP relay interface is encapsulated in the giaddr field.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Specify the DHCP relay agent address to be encapsulated in relayed DHCP requests.
dhcp relay gateway ip-address
By default, the primary IP address of the DHCP relay interface is encapsulated in the relayed DHCP requests.
Configuring smart relay to specify the DHCP relay agent address for the giaddr field
About smart relay
By default, the relay agent only encapsulates the primary IP address in the giaddr field of all requests before relaying them to the DHCP server. The DHCP server then selects an IP address on the same subnet as the address in the giaddr field. If no assignable addresses on that subnet are available, the DHCP server does not assign any IP address. The DHCP smart relay feature allows the DHCP relay agent to encapsulate secondary IP addresses when the DHCP server does not send back a DHCP-OFFER message.
The relay agent initially encapsulates its primary IP address to the giaddr field before forwarding a request to the DHCP server. If no DHCP-OFFER is received, the relay agent allows the client to send a maximum of two requests to the DHCP server by using the primary IP address. If no DHCP-OFFER is returned after two retries, the relay agent switches to a secondary IP address. If the DHCP server still does not respond, the next secondary IP address is used. After the secondary IP addresses are all tried and the DHCP server does not respond, the relay agent repeats the process by starting from the primary IP address.
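The giaddr rotation described above can be traced with a short simulation. The following Python block is an added example, not code from this guide or from the device: a relay that cycles through its primary and secondary addresses against a simulated server that only holds a pool for one of the relay's subnets. The page states two unanswered requests for the primary address; using the same count for each secondary address, and returning to the primary address once an offer arrives, are assumptions. All addresses are constructed.

```python
import ipaddress


class SmartRelay:
    """giaddr selection for relayed requests, with and without smart relay."""

    def __init__(self, primary, secondaries, attempts=2, smart_relay=True):
        self.addresses = [primary] + list(secondaries)
        self.attempts = attempts          # unanswered requests per address (assumed 2 for all)
        self.smart_relay = smart_relay
        self.index = 0                    # 0 is the primary address
        self.unanswered = 0

    def giaddr_for_request(self):
        """Address that the next relayed request will carry in giaddr."""
        return self.addresses[self.index]

    def relay_discover(self, server):
        """Relay one request. server is a callable giaddr -> True if it answers
        with a DHCP-OFFER. Returns (giaddr used, offer received)."""
        giaddr = self.addresses[self.index]
        offered = server(giaddr)
        if offered:
            # Assumption: once an offer arrives, start again from the primary.
            self.index, self.unanswered = 0, 0
            return giaddr, True
        if not self.smart_relay:
            return giaddr, False          # default behaviour: always the primary
        self.unanswered += 1
        if self.unanswered >= self.attempts:
            # Two unanswered requests: move to the next address, wrapping to primary.
            self.unanswered = 0
            self.index = (self.index + 1) % len(self.addresses)
        return giaddr, False


def make_server(pools):
    """Simulated DHCP server that offers only when giaddr lies in one of its pools."""
    nets = [ipaddress.ip_network(p) for p in pools]

    def server(giaddr):
        return any(ipaddress.ip_address(giaddr) in n for n in nets)
    return server


def demo(smart_relay=True, max_requests=6):
    """Relay interface with primary 10.1.1.1 and secondaries 10.1.2.1, 10.1.3.1;
    the server has an address pool only for 10.1.3.0/24 (constructed values)."""
    relay = SmartRelay("10.1.1.1", ["10.1.2.1", "10.1.3.1"], smart_relay=smart_relay)
    server = make_server(["10.1.3.0/24"])
    tried, offered = [], False
    for _ in range(max_requests):
        giaddr, offered = relay.relay_discover(server)
        tried.append(giaddr)
        if offered:
            break
    return tried, offered
```

With smart relay enabled the client is served on the fifth request; with the default behaviour the relay keeps presenting the primary address and the client never obtains a lease from that server.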
Procedure
1. Enter system view.
system-view
2. Enable the DHCP smart relay feature.
dhcp smart-relay enable
By default, the DHCP smart relay feature is disabled.
Specifying the source IP address for relayed DHCP requests
About specifying the source IP address for relayed DHCP requests
This task is required if multiple relay interfaces share the same IP address or if a relay interface does not have routes to DHCP servers. You can specify an IP address or the IP address of another interface, typically the loopback interface, on the DHCP relay agent as the source IP address for DHCP requests. The relay interface inserts the source IP address in the source IP address field as well as the giaddr field in DHCP requests.
If multiple relay interfaces share the same IP address, you must also configure the relay interface to support Option 82. Upon receiving a DHCP request, the relay interface inserts the subnet information in sub-option 5 in Option 82. The DHCP server assigns an IP address according to sub-option 5. The DHCP relay agent looks up the output interface in the MAC address table to forward the DHCP reply.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Specify the source IP address for DHCP requests.
dhcp relay source-address { ip-address | interface interface-type interface-number }
By default, the DHCP relay agent uses the primary IP address of the interface that connects to the DHCP server as the source IP address for relayed DHCP requests. If this interface does not have an IP address, the DHCP relay agent uses an IP address that shares the same subnet with the DHCP server.
You can specify only one source IP address for DHCP requests on an interface.
Discarding DHCP requests that are delivered from VXLAN tunnels
About discarding DHCP requests that are delivered from VXLAN tunnels
In a VXLAN network, the DHCP relay agent feature can be configured on the VSI interface of a VTEP.
When the DHCP relay agent receives a DHCP request from an AC mapped to the VSI interface, the relay agent forwards this request to the DHCP servers and broadcasts it to other VTEPs. If those VTEPs also function as DHCP relay agents, each of them forwards the DHCP request to the DHCP servers it connects to. To prevent a DHCP server from receiving the same DHCP request from different VTEPs, configure this command on the VSI interface of the VTEPs that are not directly connected to DHCP clients.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface vsi-interface vsi-number
3. Configure the DHCP relay agent to discard the DHCP requests that are delivered from VXLAN tunnels.
dhcp relay request-from-tunnel discard
By default, the DHCP relay agent can forward the DHCP requests that are delivered from VXLAN tunnels.
If you configure this command on a device that acts as both the distributed and centralized VXLAN IP gateways, make sure the gateways do not use the same VSI interface to provide the gateway services.
Configuring DHCP relay agent support for forwarding DHCP replies based on MAC address table
About configuring DHCP relay agent support for forwarding DHCP replies based on MAC address table
In a distributed EVPN gateway network, VSI interfaces of all distributed EVPN gateways have the same IP address, and the DHCP relay agent is enabled on EVPN gateways. When a DHCP client sends a request to its connected EVPN gateway, the gateway records the request forwarding information for the client before relaying the request to the DHCP server. The request forwarding information contains the MAC address of the DHCP client and output interface of the request packet. If the reply for this request is received by another EVPN gateway, the reply is discarded by default because it does not have the matching request forwarding information on the gateway. As a result, the client cannot obtain the IP address.
To solve this problem, configure the support for forwarding replies based on MAC address table on the relay agent connected to the DHCP server. This feature allows the relay agent to look up the MAC address table for the output interface for the reply if the agent does not have the request forwarding information. This feature ensures that DHCP clients receive DHCP reply packets.
If the broadcast keyword is specified, the DHCP relay agent broadcasts the DHCP reply. When the DHCP relay agent connecting to the requesting DHCP client receives the reply, it sends the reply to its CPU before forwarding the reply to the DHCP client. If recording relay entries is enabled on this relay agent, a relay entry is generated for the DHCP client.
If the broadcast keyword is not specified, the DHCP relay agent connecting to the requesting client forwards the reply directly based on the MAC address instead of delivering it to the CPU. In this case, the DHCP relay agent cannot recognize the packet as a DHCP reply, so no relay entry is generated for the client even if relay entry recording is enabled.
Procedure
1. Enter system view.
system-view
2. Configure the DHCP relay agent to perform a MAC address table lookup for a DHCP reply if the agent does not have the request forwarding information for the reply.
dhcp relay mac-forward enable [ broadcast ]
By default, the DHCP relay agent discards a DHCP reply if the relay agent does not have the request forwarding information for the reply.
Display and maintenance commands for DHCP relay agent
Execute display commands in any view and reset commands in user view.
Task | Command
---|---
Display MAC address check entries on the DHCP relay agent. | display dhcp relay check mac-address
Display relay entries on the DHCP relay agent. | display dhcp relay client-information [ interface interface-type interface-number | ip ip-address [ vpn-instance vpn-instance-name ] ]
Display Option 82 configuration information on the DHCP relay agent. | display dhcp relay information [ interface interface-type interface-number ]
Display information about DHCP servers on an interface. | display dhcp relay server-address [ interface interface-type interface-number ]
Display packet statistics on the DHCP relay agent. | display dhcp relay statistics [ interface interface-type interface-number ]
Clear relay entries on the DHCP relay agent. | reset dhcp relay client-information [ interface interface-type interface-number | ip ip-address [ vpn-instance vpn-instance-name ] ]
Clear packet statistics on the DHCP relay agent. | reset dhcp relay statistics [ interface interface-type interface-number ]
DHCP relay agent configuration examples
Example: Configuring basic DHCP relay agent
Network configuration
As shown in Figure 16, configure the DHCP relay agent on Switch A. The DHCP relay agent enables DHCP clients to obtain IP addresses and other configuration parameters from the DHCP server on another subnet.
The DHCP relay agent and server are on different subnets. Configure static or dynamic routing to make them reachable to each other.
Perform the configuration on the DHCP server to guarantee the client-server communication. For DHCP server configuration information, see "DHCP server configuration examples."
Procedure
# Specify IP addresses for the interfaces. (Details not shown.)
# Enable DHCP.
<SwitchA> system-view
[SwitchA] dhcp enable
# Enable the DHCP relay agent on VLAN-interface 10.
[SwitchA] interface vlan-interface 10
[SwitchA-Vlan-interface10] dhcp select relay
# Specify the IP address of the DHCP server on the relay agent.
[SwitchA-Vlan-interface10] dhcp relay server-address 10.1.1.1
Verifying the configuration
# Verify that DHCP clients can obtain IP addresses and all other network parameters from the DHCP server through the DHCP relay agent. (Details not shown.)
# Display the statistics of DHCP packets forwarded by the DHCP relay agent.
[SwitchA] display dhcp relay statistics
# Display relay entries if you have enabled relay entry recording on the DHCP relay agent.
[SwitchA] display dhcp relay client-information
Example: Configuring Option 82
Network configuration
As shown in Figure 16, the DHCP relay agent (Switch A) replaces Option 82 in DHCP requests before forwarding them to the DHCP server (Switch B).
· The Circuit ID sub-option is company001.
· The Remote ID sub-option is device001.
To use Option 82, you must also enable the DHCP server to handle Option 82.
Procedure
# Specify IP addresses for the interfaces. (Details not shown.)
# Enable DHCP.
<SwitchA> system-view
[SwitchA] dhcp enable
# Enable the DHCP relay agent on VLAN-interface 10.
[SwitchA] interface vlan-interface 10
[SwitchA-Vlan-interface10] dhcp select relay
# Specify the IP address of the DHCP server.
[SwitchA-Vlan-interface10] dhcp relay server-address 10.1.1.1
# Configure the handling strategies and padding content of Option 82.
[SwitchA-Vlan-interface10] dhcp relay information enable
[SwitchA-Vlan-interface10] dhcp relay information strategy replace
[SwitchA-Vlan-interface10] dhcp relay information circuit-id string company001
[SwitchA-Vlan-interface10] dhcp relay information remote-id string device001
Example: Configuring DHCP server selection
Network configuration
As shown in Figure 17, the DHCP client and the DHCP servers are in different subnets. DHCP server 1 and DHCP server 2 both have a DHCP address pool that contains IP addresses in subnet 22.22.22.0/24, but neither has DHCP enabled.
Configure the DHCP relay agent for the DHCP client to obtain an IP address in subnet 22.22.22.0/24 and other configuration parameters from a DHCP server. The DHCP relay agent is connected to the DHCP client through VLAN-interface 2, to DHCP server 1 through VLAN-interface 3, and to DHCP server 2 through VLAN-interface 4.
Procedure
1. Assign IP addresses to interfaces on the switches. (Details not shown.)
2. Configure Switch B and Switch C as DHCP servers. (Details not shown.)
3. Configure the DHCP relay agent on Switch A:
# Enable DHCP.
<SwitchA> system-view
[SwitchA] dhcp enable
# Enable the DHCP relay agent on VLAN-interface 2.
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] dhcp select relay
# Specify the IP addresses of the DHCP servers.
[SwitchA-Vlan-interface2] dhcp relay server-address 1.1.1.1
[SwitchA-Vlan-interface2] dhcp relay server-address 2.2.2.2
# Specify the DHCP server selecting algorithm as master-backup.
[SwitchA-Vlan-interface2] dhcp relay server-address algorithm master-backup
# Configure the DHCP relay agent to switch back to the master DHCP server 3 minutes after it switches to the backup DHCP server.
[SwitchA-Vlan-interface2] dhcp relay master-server switch-delay 3
Verifying the configuration
# Verify that the DHCP client cannot obtain an IP address and that the following log is output in about 30 seconds.
DHCPR/3/DHCPR_SERVERCHANGE:
Switched to the server at 2.2.2.2 because the current server did not respond.
# Enable DHCP on the DHCP server at 1.1.1.1. (Details not shown.)
# Verify that the DHCP client cannot obtain an IP address and that the following log is output in about 3 minutes.
DHCPR/3/DHCPR_SWITCHMASTER:
Switched to the master DHCP server at 1.1.1.1.
# Verify that the DHCP client obtains an IP address. (Details not shown.)
Troubleshooting DHCP relay agent configuration
Failure of DHCP clients to obtain configuration parameters through the DHCP relay agent
Symptom
DHCP clients cannot obtain configuration parameters through the DHCP relay agent.
Solution
Some problems might occur with the DHCP relay agent or server configuration.
To locate the problem, enable debugging and execute the display command on the DHCP relay agent to view the debugging information and interface state information.
Check that:
· DHCP is enabled on the DHCP server and relay agent.
· The DHCP server has an address pool on the same subnet as the DHCP clients.
· The DHCP server and DHCP relay agent can reach each other.
· The DHCP server address specified on the DHCP relay interface connected to the DHCP clients is correct.
Configuring the DHCP client
About DHCP client
With DHCP client enabled, an interface uses DHCP to obtain configuration parameters from the DHCP server, for example, an IP address.
Restrictions and guidelines: DHCP client configuration
The DHCP client configuration is supported only on Layer 3 Ethernet interfaces (or subinterfaces), VLAN interfaces, and Layer 3 aggregate interfaces.
DHCP client tasks at a glance
To configure a DHCP client, perform the following tasks:
1. Enabling the DHCP client on an interface
2. Configuring a DHCP client ID for an interface
Perform this task if the DHCP client uses the client ID to obtain IP addresses.
3. (Optional.) Enabling duplicated address detection
4. (Optional.) Setting the DSCP value for DHCP packets sent by the DHCP client
Enabling the DHCP client on an interface
Restrictions and guidelines
· If the number of IP address request failures reaches the system-defined amount, the DHCP client-enabled interface uses a default IP address.
· An interface can be configured to acquire an IP address in multiple ways. The new configuration overwrites the old.
· Secondary IP addresses cannot be configured on an interface that is enabled with the DHCP client.
· If the interface obtains an IP address on the same segment as another interface on the device, the interface does not use the assigned address. Instead, it requests a new IP address from the DHCP server.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure an interface to use DHCP for IP address acquisition.
ip address dhcp-alloc
By default, an interface does not use DHCP for IP address acquisition.
Configuring a DHCP client ID for an interface
About DHCP client ID
A DHCP client ID is added to the DHCP option 61 to uniquely identify a DHCP client. A DHCP server can assign IP addresses to clients based on their DHCP client IDs.
DHCP client ID includes an ID type and a type value. Each ID type has a fixed type value. You can specify a DHCP client ID by using one of the following methods:
· Use an ASCII string as the client ID. If an ASCII string is used, the type value is 00.
· Use a hexadecimal number as the client ID. If a hexadecimal number is used, the type value is the first two characters in the number.
· Use the MAC address of an interface to generate a client ID. If this method is used, the type value is 01.
The type value of a DHCP client ID can be displayed by the display dhcp server ip-in-use or display dhcp client command.
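The three client ID methods differ only in the leading type byte of Option 61. The following Python block is an added example, not code from this guide or from the device: it encodes the Option 61 value for each method, decodes it back into the type value and displayed value, and formats the bytes in the four-digit groups used by the "Client ID (with type) hex" field of display dhcp client verbose. Fed the ASCII string 000c.29d3.8659-Eth0/0/2 it produces exactly the hex shown in the DHCP client configuration example later in this section; the string itself is a constructed input.

```python
def client_id_option(kind, value):
    """Build the Option 61 value for one of the three client ID methods:
    ascii -> type 00 + text; mac -> type 01 + 6-byte MAC;
    hex -> raw bytes whose first byte is the type value."""
    if kind == "ascii":
        return b"\x00" + value.encode("ascii")
    if kind == "mac":
        raw = bytes.fromhex(value.replace("-", "").replace(".", "").replace(":", ""))
        if len(raw) != 6:
            raise ValueError("MAC address must be 6 bytes")
        return b"\x01" + raw
    if kind == "hex":
        raw = bytes.fromhex(value)
        if len(raw) < 2:
            raise ValueError("hex client ID needs a type byte and a value")
        return raw
    raise ValueError("unknown client ID kind %r" % kind)


def describe_client_id(opt61):
    """Decode an Option 61 value into (type name, type value, displayed value)."""
    if not opt61:
        raise ValueError("empty client ID")
    t, body = opt61[0], opt61[1:]
    if t == 0:
        return ("ascii", "00", body.decode("ascii", "replace"))
    if t == 1 and len(body) == 6:
        h = body.hex()
        return ("mac", "01", "%s-%s-%s" % (h[0:4], h[4:8], h[8:12]))
    return ("hex", "%02x" % t, body.hex())


def format_hex_groups(data):
    """Render bytes as dash-separated groups of two bytes (0030-3030-...)."""
    h = data.hex()
    return "-".join(h[i:i + 4] for i in range(0, len(h), 4))
```

Because the server keys bindings on this value, two interfaces that generate the same client ID (for example, from the same MAC address) will compete for one lease, which is why the page insists that each client ID be unique.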
Restrictions and guidelines
Make sure the ID for each DHCP client is unique.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure a DHCP client ID for the interface.
dhcp client identifier { ascii ascii-string | hex hex-string | mac interface-type interface-number }
By default, an interface generates the DHCP client ID based on its MAC address. If the interface has no MAC address, it uses the MAC address of the first Ethernet interface to generate its client ID.
Enabling duplicated address detection
About duplicated address detection
The DHCP client detects IP address conflicts through ARP packets. An attacker can pose as the owner of the IP address and send an ARP reply; this spoofing makes the client unable to use the IP address assigned by the server. As a best practice, disable duplicate address detection when ARP attacks exist on the network.
Procedure
1. Enter system view.
system-view
2. Enable duplicate address detection.
dhcp client dad enable
By default, the duplicate address detection feature is enabled on an interface.
Setting the DSCP value for DHCP packets sent by the DHCP client
About setting the DSCP value for DHCP packets sent by the DHCP client
The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.
Procedure
1. Enter system view.
system-view
2. Set the DSCP value for DHCP packets sent by the DHCP client.
dhcp client dscp dscp-value
By default, the DSCP value in DHCP packets sent by the DHCP client is 56.
Display and maintenance commands for DHCP client
Execute display command in any view.
Task | Command
---|---
Display DHCP client information. | display dhcp client [ verbose ] [ interface interface-type interface-number ]
DHCP client configuration examples
Example: Configuring DHCP client
Network configuration
As shown in Figure 19, on a LAN, Switch B contacts the DHCP server through VLAN-interface 2 to obtain an IP address, a DNS server address, and static route information. The DHCP client's IP address resides on subnet 10.1.1.0/24. The DNS server address is 20.1.1.1. The next hop of the static route to subnet 20.1.1.0/24 is 10.1.1.2.
The DHCP server uses Option 121 to assign static route information to DHCP clients. Figure 18 shows the Option 121 format. The destination descriptor field contains the following parts: subnet mask length and destination network address, both in hexadecimal notation. In this example, the destination descriptor is 18 14 01 01 (the subnet mask length is 24 and the network address is 20.1.1.0 in dotted decimal notation). The next hop address is 0A 01 01 02 (10.1.1.2 in dotted decimal notation).
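The Option 121 encoding above follows RFC 3442: each route is a prefix length, only the significant octets of the destination network, and a four-byte next hop. The following Python block is an added example (not code from this guide or from the device) that encodes a list of routes into the value the option 121 hex command takes and decodes such a value back, including the default route, which has no significant octets at all. The route values other than the page's 20.1.1.0/24 via 10.1.1.2 are constructed.

```python
import ipaddress


def encode_option121(routes):
    """Encode classless static routes (RFC 3442) as the Option 121 value.
    routes: iterable of (destination CIDR, next hop). A destination with host
    bits set is rejected, since the descriptor cannot represent it."""
    out = bytearray()
    for dest, nexthop in routes:
        net = ipaddress.ip_network(dest, strict=True)
        significant = (net.prefixlen + 7) // 8       # octets needed for the prefix
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.ip_address(nexthop).packed
    return bytes(out)


def decode_option121(data):
    """Decode an Option 121 value into a list of (destination CIDR, next hop).
    Raises ValueError on a malformed or truncated value."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError("bad prefix length %d" % plen)
        significant = (plen + 7) // 8
        i += 1
        if i + significant + 4 > len(data):
            raise ValueError("truncated route at offset %d" % i)
        dest = data[i:i + significant].ljust(4, b"\0")   # missing octets are zero
        i += significant
        nexthop = data[i:i + 4]
        i += 4
        net = ipaddress.ip_network((bytes(dest), plen))  # strict: host bits must be zero
        routes.append((str(net), str(ipaddress.ip_address(bytes(nexthop)))))
    return routes


def as_cli_hex(value):
    """Format the value as the space-separated hex the option 121 hex command takes."""
    return " ".join("%02X" % b for b in value)
```

Encoding the page's route gives 18 14 01 01 0A 01 01 02, the same string used in the option 121 hex command of the procedure that follows.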
Procedure
1. Configure Switch A:
# Specify an IP address for VLAN-interface 2.
<SwitchA> system-view
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 10.1.1.1 24
[SwitchA-Vlan-interface2] quit
# Exclude an IP address from dynamic allocation.
[SwitchA] dhcp server forbidden-ip 10.1.1.2
# Configure DHCP address pool 0. Specify the subnet, lease duration, DNS server address, and a static route to subnet 20.1.1.0/24.
[SwitchA] dhcp server ip-pool 0
[SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
[SwitchA-dhcp-pool-0] expired day 10
[SwitchA-dhcp-pool-0] dns-list 20.1.1.1
[SwitchA-dhcp-pool-0] option 121 hex 18 14 01 01 0A 01 01 02
[SwitchA-dhcp-pool-0] quit
# Enable DHCP.
[SwitchA] dhcp enable
2. Configure Switch B:
# Configure VLAN-interface 2 to use DHCP for IP address acquisition.
<SwitchB> system-view
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address dhcp-alloc
[SwitchB-Vlan-interface2] quit
Verifying the configuration
# Display the IP address and other network parameters assigned to Switch B.
[SwitchB-Vlan-interface2] display dhcp client verbose
Vlan-interface2 DHCP client information:
Current state: BOUND
Allocated IP: 10.1.1.3 255.255.255.0
Allocated lease: 864000 seconds, T1: 331858 seconds, T2: 756000 seconds
Lease from May 21 19:00:29 2012 to May 31 19:00:29 2012
DHCP server: 10.1.1.1
Transaction ID: 0xcde72232
Classless static routes:
Destination: 20.1.1.0, Mask: 255.255.255.0, NextHop: 10.1.1.2
DNS servers: 20.1.1.1
Client ID type: acsii(type value=00)
Client ID value: 000c.29d3.8659-Vlan2
Client ID (with type) hex: 0030-3030-632e-3239-
6433-2e38-3635-392d-
4574-6830-2f30-2f32
T1 will timeout in 3 days 19 hours 48 minutes 43 seconds
# Display the route information on Switch B. The output shows that a static route to subnet 20.1.1.0/24 is added to the routing table.
[SwitchB] display ip routing-table
Destinations : 11 Routes : 11
Destination/Mask Proto Pre Cost NextHop Interface
10.1.1.0/24 Direct 0 0 10.1.1.3 Vlan2
10.1.1.3/32 Direct 0 0 127.0.0.1 InLoop0
20.1.1.0/24 Static 70 0 10.1.1.2 Vlan2
10.1.1.255/32 Direct 0 0 10.1.1.3 Vlan2
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
127.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
224.0.0.0/4 Direct 0 0 0.0.0.0 NULL0
224.0.0.0/24 Direct 0 0 0.0.0.0 NULL0
255.255.255.255/32 Direct 0 0 127.0.0.1 InLoop0
Configuring DHCP snooping
About DHCP snooping
DHCP snooping is a security feature for DHCP.
DHCP snooping works between the DHCP client and server, or between the DHCP client and DHCP relay agent. It guarantees that DHCP clients obtain IP addresses from authorized DHCP servers. Also, it records IP-to-MAC bindings of DHCP clients (called DHCP snooping entries) for security purposes.
DHCP snooping defines trusted and untrusted ports to make sure clients obtain IP addresses only from authorized DHCP servers.
· Trusted—A trusted port can forward DHCP messages correctly to make sure the clients get IP addresses from authorized DHCP servers.
· Untrusted—An untrusted port discards received DHCP-ACK and DHCP-OFFER messages to prevent unauthorized servers from assigning IP addresses.
DHCP snooping reads DHCP-ACK messages received from trusted ports and DHCP-REQUEST messages to create DHCP snooping entries. A DHCP snooping entry includes the MAC and IP addresses of a client, the port that connects to the DHCP client, and the VLAN.
The following features need to use DHCP snooping entries:
· ARP fast-reply—Uses DHCP snooping entries to reduce ARP broadcast traffic. For more information, see "Configuring ARP fast-reply."
· ARP attack detection—Uses DHCP snooping entries to filter ARP packets from unauthorized clients. For more information, see Security Configuration Guide.
· MAC-forced forwarding (MFF)—Auto-mode MFF performs the following tasks:
¡ Intercepts ARP requests from clients.
¡ Uses DHCP snooping entries to find the gateway address.
¡ Returns the gateway MAC address to the clients.
This feature forces the client to send all traffic to the gateway so that the gateway can monitor client traffic to prevent malicious attacks among clients. For more information, see Security Configuration Guide.
· IP source guard—Uses DHCP snooping entries to filter illegal packets on a per-port basis. For more information, see Security Configuration Guide.
· VLAN mapping—Uses DHCP snooping entries to replace service provider VLAN in packets with customer VLAN before sending the packets to clients. For more information, see Layer 2—LAN Switching Configuration Guide.
Application of trusted and untrusted ports
Configure ports facing the DHCP server as trusted ports, and configure other ports as untrusted ports.
As shown in Figure 20, configure the DHCP snooping device's port that is connected to the DHCP server as a trusted port. The trusted port forwards response messages from the DHCP server to the client. The untrusted port connected to the unauthorized DHCP server discards incoming DHCP response messages.
Figure 20 Trusted and untrusted ports
In a cascaded network as shown in Figure 21, configure the DHCP snooping devices' ports facing the DHCP server as trusted ports. To save system resources, you can enable only the untrusted ports directly connected to the DHCP clients to record DHCP snooping entries.
Figure 21 Trusted and untrusted ports in a cascaded network
DHCP snooping support for Option 82
Option 82 records the location information about the DHCP client so the administrator can locate the DHCP client for security and accounting purposes. For more information about Option 82, see "Relay agent option (Option 82)."
Sub-option 9 (Vendor-Specific) in Option 82 is supported only on DHCP snooping devices. Each DHCP snooping device with the append Option 82 handling strategy adds the following information to the sub-option in the received DHCP request:
· Node identifier of the current DHCP snooping device.
· Information about the client-side interface.
· VLAN of the DHCP client.
After the management device receives the DHCP request, it can determine the network topology that the request has travelled and locate the DHCP client.
DHCP snooping uses the same strategies as the DHCP relay agent to handle Option 82 for DHCP request messages, as shown in Table 4. If a response returned by the DHCP server contains Option 82, DHCP snooping removes Option 82 before forwarding the response to the client. If the response contains no Option 82, DHCP snooping forwards it directly.
If a DHCP request has… | Handling strategy | DHCP snooping… |
---|---|---|
Option 82 | Append | Forwards the message after padding the Vendor-Specific sub-option with the content specified in the dhcp snooping information vendor-specific command. Forwards the message without changing Option 82 if the dhcp snooping information vendor-specific command is not configured. |
Option 82 | Drop | Drops the message. |
Option 82 | Keep | Forwards the message without changing Option 82. |
Option 82 | Replace | Forwards the message after replacing the original Option 82 with the Option 82 padded according to the configured padding format, padding content, and code type. |
No Option 82 | N/A | Forwards the message after adding the Option 82 padded according to the configured padding format, padding content, and code type. |
Restrictions and guidelines: DHCP snooping configuration
· The DHCP snooping configuration does not take effect on a Layer 2 Ethernet interface that is an aggregation member port. The configuration takes effect when the interface leaves the aggregation group.
· Specify the ports connected to authorized DHCP servers as trusted ports to make sure that DHCP clients can obtain valid IP addresses. The trusted ports and the ports connected to DHCP clients must be in the same VLAN.
· You can specify the following interfaces as trusted ports: Layer 2 Ethernet interfaces, Layer 2 aggregate interfaces, Layer 3 Ethernet interfaces, and Layer 3 aggregate interfaces. For more information about aggregate interfaces, see Ethernet link aggregation in Layer 2—LAN Switching Configuration Guide.
· In a VXLAN network, an Ethernet service instance uses the DHCP snooping configuration (except the trusted port configuration) of the Layer 2 Ethernet interface where the Ethernet service instance is on. For more information about Ethernet service instances, see VXLAN Configuration Guide.
DHCP snooping tasks at a glance
To configure DHCP snooping, perform the following tasks:
1. Configuring basic DHCP snooping features
2. (Optional.) Configuring DHCP snooping support for Option 82
3. (Optional.) Configuring DHCP snooping entry auto backup
4. (Optional.) Setting the maximum number of DHCP snooping entries
5. (Optional.) Configuring DHCP packet rate limit
6. (Optional.) Configuring DHCP snooping security features
7. (Optional.) Enabling DHCP snooping logging
8. (Optional.) Disabling DHCP snooping on an interface
Configuring basic DHCP snooping features
Configuring basic DHCP snooping features in a common network
About basic DHCP snooping features in a common network
Basic DHCP snooping features refer to the following:
· Enabling DHCP snooping.
· Configuring DHCP snooping trusted ports.
· Enabling recording client information in DHCP snooping entries.
If you enable DHCP snooping globally, DHCP snooping is enabled on all interfaces on the device.
You can also enable DHCP snooping for specific VLANs. After enabling DHCP snooping for a VLAN, you can configure the other basic DHCP snooping features in the VLAN.
Restrictions and guidelines
If the basic DHCP snooping features are configured globally, you can only use the undo form of the global configuration commands to disable the settings globally. The VLAN-specific configuration commands cannot disable the settings.
If the basic DHCP snooping features are configured in a VLAN, you can only use the undo form of the VLAN-specific configuration commands to disable the settings in the VLAN. The global configuration command cannot disable the settings.
Configuring basic DHCP snooping features globally
1. Enter system view.
system-view
2. Enable DHCP snooping globally.
dhcp snooping enable
By default, DHCP snooping is disabled globally.
3. Enter interface view.
interface interface-type interface-number
This interface must connect to the DHCP server.
4. Specify the port as a trusted port.
dhcp snooping trust
By default, all ports are untrusted ports after DHCP snooping is enabled.
5. (Optional.) Enable the recording of DHCP snooping entries.
a. Return to system view.
quit
b. Enter interface view.
interface interface-type interface-number
This interface must connect to the DHCP client.
c. Enable the recording of DHCP snooping entries.
dhcp snooping binding record
By default, the recording of DHCP snooping entries is disabled.
Configuring basic DHCP snooping features for VLANs
1. Enter system view.
system-view
2. Enable DHCP snooping for VLANs.
dhcp snooping enable vlan vlan-id-list
By default, DHCP snooping is disabled for all VLANs.
3. Enter VLAN view.
vlan vlan-id
Make sure DHCP snooping is enabled for the VLAN.
4. Configure an interface in the VLAN as a trusted port.
dhcp snooping trust interface interface-type interface-number
By default, all interfaces in the VLAN are untrusted ports.
5. (Optional.) Enable recording of client information in DHCP snooping entries.
dhcp snooping binding record
By default, recording of client information in DHCP snooping entries is disabled.
Configuring basic DHCP snooping features in a VXLAN network
About basic DHCP snooping features in a VXLAN network
In a VXLAN network, you can configure the following interfaces as DHCP snooping trusted interfaces:
· ACs that are mapped to a VSI.
· VXLAN tunnel interfaces that are assigned to a VSI.
When the VTEP with DHCP snooping configured receives a DHCP request, the VTEP forwards this request through the trusted ACs or VXLAN tunnel interfaces.
Restrictions and guidelines
If the DHCP server is in the local site, configure the AC that connects to the DHCP server as trusted. If the DHCP server is in a remote site, configure the VXLAN tunnel interface as trusted.
Configuring basic DHCP snooping features in a VXLAN network (DHCP server at the local site)
1. Enter system view.
system-view
2. Enable DHCP snooping globally.
dhcp snooping enable
By default, DHCP snooping is disabled globally.
3. Enter interface view.
interface interface-type interface-number
4. Enter Ethernet service instance view.
service-instance instance-id
5. Configure the AC as the DHCP snooping trusted interface.
dhcp snooping trust
By default, all ports are untrusted after DHCP snooping is enabled.
6. (Optional.) Enable recording of client information in DHCP snooping entries on the ACs mapped to the VSI and VXLAN tunnel interfaces assigned to the VSI.
a. Exit to interface view.
quit
b. Exit to the system view.
quit
c. Enter VSI view.
vsi vsi-name
d. Enable recording of client information in DHCP snooping entries on the ACs mapped to the VSI and VXLAN tunnel interfaces assigned to the VSI.
dhcp snooping binding record
By default, the recording of DHCP snooping entries is disabled.
Configuring basic DHCP snooping features in a VXLAN network (DHCP server at a remote site)
1. Enter system view.
system-view
2. Enable DHCP snooping globally.
dhcp snooping enable
By default, DHCP snooping is disabled globally.
3. Enter VSI view.
vsi vsi-name
4. Configure the VXLAN tunnel interfaces as DHCP snooping trusted interfaces.
dhcp snooping trust tunnel
By default, all ports are untrusted after DHCP snooping is enabled.
This command sets all VXLAN tunnel interfaces in the VSI as DHCP snooping trusted interfaces.
5. (Optional.) Enable recording of client information in DHCP snooping entries on the ACs mapped to the VSI and VXLAN tunnel interfaces assigned to the VSI.
dhcp snooping binding record
By default, the recording of DHCP snooping entries is disabled.
Configuring DHCP snooping support for Option 82
Restrictions and guidelines
· The Option 82 configuration on a Layer 2 Ethernet interface that has been added to an aggregation group does not take effect unless the interface leaves the aggregation group.
· To support Option 82, you must configure Option 82 on both the DHCP server and the DHCP snooping device. For information about configuring Option 82 on the DHCP server, see "Enabling handling of Option 82."
· If Option 82 contains the device name, the device name must contain no spaces. Otherwise, DHCP snooping drops the message. You can use the sysname command to specify the device name. For more information about this command, see Fundamentals Command Reference.
· DHCP snooping uses "outer VLAN tag.inner VLAN tag" to fill the VLAN ID field of sub-option 1 in verbose padding format if either of the following conditions exists:
¡ DHCP snooping and QinQ work together.
¡ DHCP snooping receives a DHCP packet with two VLAN tags.
For example, if the outer VLAN tag is 10 and the inner VLAN tag is 20, the VLAN ID field is 000a.0014. The hexadecimal digit a represents the outer VLAN tag 10, and the hexadecimal digit 14 represents the inner VLAN tag 20.
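The handling-strategy table in "DHCP snooping support for Option 82" and the double-tag VLAN ID field described just above, modelled as an added example that is not code from the guide or the switch. Options are held as a dict of option code to value bytes, and the Option 82 value is its RFC 3046 sub-option TLV list (1 = Circuit ID, 2 = Remote ID, 9 = Vendor-Specific). The normal and verbose padding layouts of the Circuit ID and Remote ID are not defined on the page, so the sub-option contents used here are constructed strings; only the "000a.0014" rendering of outer VLAN 10 and inner VLAN 20 is taken from the text.

```python
"""Model of the Option 82 handling-strategy table and of the double-tag
VLAN field DHCP snooping uses for QinQ traffic.

Added example, not code from the guide or the switch. Options are a dict
of option code -> value bytes; the option 82 value is its RFC 3046
sub-option TLV list (1 = Circuit ID, 2 = Remote ID, 9 = Vendor-Specific).
The 'normal'/'verbose' padding layouts are not defined on the page, so
the Circuit ID and Remote ID contents used with this code are constructed.
"""
import struct

OPTION_82 = 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID, SUB_VENDOR_SPECIFIC = 1, 2, 9
STRATEGIES = ("append", "drop", "keep", "replace")


def qinq_vlan_field(outer, inner):
    """Outer and inner VLAN IDs as two big-endian 16-bit values."""
    return struct.pack("!HH", outer, inner)


def dotted_hex(data):
    """Render bytes in the 4-digit dotted form the text uses (000a.0014)."""
    h = data.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def build_option82(subs):
    """Serialise {sub-option code: value} into the option 82 value bytes."""
    body = b""
    for code, value in sorted(subs.items()):
        if len(value) > 255:
            raise ValueError("sub-option value too long")
        body += bytes([code, len(value)]) + value
    return body


def parse_option82(value):
    """Parse the sub-option TLVs back into a dict; reject malformed input."""
    subs, i = {}, 0
    while i + 2 <= len(value):
        code, length = value[i], value[i + 1]
        if i + 2 + length > len(value):
            raise ValueError("truncated option 82 sub-option")
        subs[code] = value[i + 2:i + 2 + length]
        i += 2 + length
    if i != len(value):
        raise ValueError("dangling byte in option 82")
    return subs


def handle_request(options, strategy, local82, vendor_specific=None):
    """Apply the handling strategy to a client->server message.

    Returns ("forward", new_options) or ("drop", options). local82 is the
    option 82 value this device would pad; vendor_specific models the
    content of 'dhcp snooping information vendor-specific' (None when
    that command is not configured).
    """
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown strategy {strategy}")
    if OPTION_82 not in options:            # no Option 82: always add ours
        return "forward", {**options, OPTION_82: local82}
    if strategy == "drop":
        return "drop", options
    if strategy == "keep":
        return "forward", options
    if strategy == "replace":
        return "forward", {**options, OPTION_82: local82}
    # append: only the Vendor-Specific sub-option is touched, and only
    # when padding content for it is configured.
    if vendor_specific is None:
        return "forward", options
    subs = parse_option82(options[OPTION_82])
    subs[SUB_VENDOR_SPECIFIC] = vendor_specific
    return "forward", {**options, OPTION_82: build_option82(subs)}


def handle_reply(options):
    """Server->client: Option 82 is removed before forwarding to the client."""
    return {code: value for code, value in options.items() if code != OPTION_82}
```

The default strategy on the page is replace, which is also the safest choice on a client-facing port: a client that sends its own Option 82 cannot then choose the location information the server or accounting system records for it, whereas keep would pass such a forged value upstream.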
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable DHCP snooping to support Option 82.
dhcp snooping information enable
By default, DHCP snooping does not support Option 82.
4. (Optional.) Configure a handling strategy for DHCP requests that contain Option 82.
dhcp snooping information strategy { append | drop | keep | replace }
By default, the handling strategy is replace.
If the handling strategy is append or replace, configure a padding mode and padding format for Option 82. If the handling strategy is keep or drop, you do not need to configure any padding mode or padding format for Option 82.
5. (Optional.) Configure the padding mode and padding format for the Circuit ID sub-option.
dhcp snooping information circuit-id { [ vlan vlan-id ] string circuit-id | { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] } [ format { ascii | hex } ] }
By default, the padding mode is normal and the padding format is hex for the Circuit ID sub-option.
If the device name (sysname) is configured as the padding content for sub-option 1, make sure the device name does not include spaces. Otherwise, the DHCP snooping device will fail to add or replace Option 82.
6. (Optional.) Configure the padding mode and padding format for the Remote ID sub-option.
dhcp snooping information remote-id { normal [ format { ascii | hex } ] | [ vlan vlan-id ] string remote-id | sysname }
By default, the padding mode is normal and the padding format is hex for the Remote ID sub-option.
7. (Optional.) Configure the padding mode for the Vendor-Specific sub-option.
dhcp snooping information vendor-specific [ vlan vlan-id ] bas [ node-identifier { mac | sysname | user-defined string } ]
By default, the device does not pad the Vendor-Specific sub-option.
Configuring DHCP snooping entry auto backup
About DHCP snooping entry auto backup
The auto backup feature saves DHCP snooping entries to a backup file, and allows the DHCP snooping device to download the entries from the backup file at device reboot. The entries on the DHCP snooping device cannot survive a reboot. The auto backup helps the security features provide services if these features (such as IP source guard) must use DHCP snooping entries for user authentication.
Restrictions and guidelines
If you disable DHCP snooping with the undo dhcp snooping enable command, the device deletes all DHCP snooping entries, but entries stored in the backup file still exist. They are deleted next time the device updates the backup file.
Procedure
1. Enter system view.
system-view
2. Configure the DHCP snooping device to back up DHCP snooping entries to a file.
dhcp snooping binding database filename { filename | url url [ username username [ password { cipher | simple } string ] ] }
By default, the DHCP snooping device does not back up DHCP snooping entries.
With this command executed, the DHCP snooping device backs up DHCP snooping entries immediately and runs auto backup.
This command automatically creates the file if you specify a non-existent file.
3. (Optional.) Manually save DHCP snooping entries to the backup file.
dhcp snooping binding database update now
4. (Optional.) Set the waiting time after a DHCP snooping entry change for the DHCP snooping device to update the backup file.
dhcp snooping binding database update interval interval
By default, the DHCP snooping device waits 300 seconds to update the backup file after a DHCP snooping entry change. If no DHCP snooping entry changes, the backup file is not updated.
Setting the maximum number of DHCP snooping entries
About setting the maximum number of DHCP snooping entries
Perform this task to prevent the system resources from being overused.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Set the maximum number of DHCP snooping entries for the interface to learn.
dhcp snooping max-learning-num max-number
By default, the number of DHCP snooping entries for an interface to learn is unlimited.
Configuring DHCP packet rate limit
About DHCP packet rate limit
Perform this task to set the maximum rate at which an interface can receive DHCP packets. This feature discards DHCP packets that exceed the rate, to protect against attacks that send a large number of DHCP packets.
Restrictions and guidelines
The rate set on the Layer 2 aggregate interface applies to all members of the aggregate interface. If a member interface leaves the aggregation group, it uses the rate set in its Ethernet interface view.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable DHCP snooping packet rate limit on an interface and set the limit value.
dhcp snooping rate-limit rate
By default, the DHCP snooping packet rate limit is disabled on an interface.
Configuring DHCP snooping security features
Enabling DHCP starvation attack protection
About DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests that contain identical or different sender MAC addresses in the chaddr field to a DHCP server. This attack exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system resources. For information about the fields of a DHCP packet, see "DHCP message format."
You can prevent DHCP starvation attacks in the following ways:
· If the forged DHCP requests contain different sender MAC addresses, use the mac-address max-mac-count command to set the MAC learning limit on a Layer 2 port. For more information about the command, see Layer 2—LAN Switching Command Reference.
· If the forged DHCP requests contain the same sender MAC address, perform this task to enable MAC address check for DHCP snooping. This feature compares the chaddr field of a received DHCP request with the source MAC address field in the frame header. If they are the same, the request is considered valid and forwarded to the DHCP server. If not, the request is discarded.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable MAC address check.
dhcp snooping check mac-address
By default, MAC address check is disabled.
Enabling DHCP-REQUEST attack protection
About DHCP-REQUEST attack protection
DHCP-REQUEST messages include DHCP lease renewal packets, DHCP-DECLINE packets, and DHCP-RELEASE packets. This feature prevents the unauthorized clients that forge the DHCP-REQUEST messages from attacking the DHCP server.
Attackers can forge DHCP lease renewal packets to renew leases for legitimate DHCP clients that no longer need the IP addresses. These forged messages prevent the victim DHCP server from releasing the IP addresses.
Attackers can also forge DHCP-DECLINE or DHCP-RELEASE packets to terminate leases for legitimate DHCP clients that still need the IP addresses.
To prevent such attacks, you can enable DHCP-REQUEST check. This feature uses DHCP snooping entries to check incoming DHCP-REQUEST messages.
· If a matching entry is found for a message, this feature compares the entry with the message information.
¡ If they are consistent, the message is considered as valid and forwarded to the DHCP server.
¡ If they are different, the message is considered as a forged message and is discarded.
· If no matching entry is found, the message is considered valid and forwarded to the DHCP server.
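The decisions described in "About DHCP snooping" (trusted and untrusted ports, entry recording) together with the MAC address check and the DHCP-REQUEST check described above, modelled as an added example that is not code from the guide or the switch. It runs a constructed sequence of frames on the Figure 22 topology (authorised server on XGE1/0/1, client on XGE1/0/2, unauthorised server on XGE1/0/3) and returns the forward/drop verdict for each one and the resulting snooping entry; port names, MAC addresses and IP addresses are the example's own.

```python
"""Model of the DHCP snooping decisions described in 'About DHCP snooping'
and in the MAC address check and DHCP-REQUEST check sections.

Added example, not code from the guide or the switch. On constructed
frames it applies: server replies (OFFER/ACK) dropped on untrusted ports,
entries learned from a REQUEST plus a trusted-port ACK, chaddr compared
with the frame source MAC, and REQUEST/DECLINE/RELEASE compared with the
recorded entry. Port names, MACs and addresses are the example's own.
"""
from dataclasses import dataclass, field

# DHCP message types (RFC 2132 option 53 values).
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MESSAGES = {OFFER, ACK}                   # dropped on untrusted ports
REQUEST_CHECKED = {REQUEST, DECLINE, RELEASE}    # subject to DHCP-REQUEST check


@dataclass
class Frame:
    """One DHCP message plus the Layer 2 context the snooping device sees."""
    in_port: str
    vlan: int
    src_mac: str        # Ethernet source address of the frame
    chaddr: str         # client hardware address in the DHCP header
    msg_type: int
    client_ip: str = "0.0.0.0"   # ciaddr / requested address (client -> server)
    yiaddr: str = "0.0.0.0"      # address assigned (server -> client)


@dataclass
class Port:
    trusted: bool = False          # dhcp snooping trust
    record: bool = False           # dhcp snooping binding record
    check_mac: bool = False        # dhcp snooping check mac-address
    check_request: bool = False    # dhcp snooping check request-message


@dataclass
class Snooper:
    ports: dict
    bindings: dict = field(default_factory=dict)   # (mac, vlan) -> entry
    pending: dict = field(default_factory=dict)    # (mac, vlan) -> client port

    def handle(self, f):
        """Return 'forward' or 'drop:<reason>' for one frame."""
        port = self.ports[f.in_port]
        key = (f.chaddr.lower(), f.vlan)

        # Server replies are accepted only on trusted ports; an ACK there
        # completes the entry for a client whose REQUEST was recorded.
        if f.msg_type in SERVER_MESSAGES:
            if not port.trusted:
                return "drop:server-message-on-untrusted-port"
            if f.msg_type == ACK and key in self.pending:
                client_port = self.pending.pop(key)
                self.bindings[key] = {"ip": f.yiaddr, "port": client_port, "vlan": f.vlan}
            return "forward"

        # MAC address check: chaddr must equal the frame's source MAC.
        if port.check_mac and f.chaddr.lower() != f.src_mac.lower():
            return "drop:chaddr-mismatch"

        # DHCP-REQUEST check: a message that contradicts an existing entry
        # (different address or ingress port) is treated as forged; with no
        # entry the message is forwarded, as the text states.
        if port.check_request and f.msg_type in REQUEST_CHECKED:
            entry = self.bindings.get(key)
            if entry and (entry["ip"], entry["port"]) != (f.client_ip, f.in_port):
                return "drop:request-conflicts-with-binding"

        if port.record:                 # remember which port the client is on
            self.pending[key] = f.in_port
        return "forward"


def run_scenario():
    """Constructed scenario on the Figure 22 topology: authorised server on
    XGE1/0/1, client on XGE1/0/2, unauthorised server on XGE1/0/3."""
    snoop = Snooper(ports={
        "XGE1/0/1": Port(trusted=True),
        "XGE1/0/2": Port(record=True, check_mac=True, check_request=True),
        "XGE1/0/3": Port(check_request=True),
    })
    client = "00:0c:29:00:00:01"
    events = [
        Frame("XGE1/0/2", 100, client, client, REQUEST),                                  # legitimate request
        Frame("XGE1/0/3", 100, "00:0c:29:00:00:99", client, OFFER, yiaddr="10.1.1.200"),  # rogue server reply
        Frame("XGE1/0/1", 100, "00:0c:29:00:00:aa", client, ACK, yiaddr="10.1.1.3"),      # authorised ACK
        Frame("XGE1/0/3", 100, client, client, RELEASE, client_ip="10.1.1.3"),            # forged release
        Frame("XGE1/0/2", 100, client, "00:0c:29:00:00:77", DISCOVER),                    # chaddr != source MAC
        Frame("XGE1/0/2", 100, client, client, REQUEST, client_ip="10.1.1.3"),            # legitimate renewal
    ]
    return [snoop.handle(f) for f in events], snoop.bindings
```

The forged RELEASE in the scenario is caught only because an entry for the client already exists; a RELEASE for a client the device never recorded is forwarded, which is why the text says entry recording belongs on the ports that face clients.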
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable DHCP-REQUEST check.
dhcp snooping check request-message
By default, DHCP-REQUEST check is disabled.
Configuring a DHCP packet blocking port
About DHCP packet blocking port
Perform this task to configure a port as a DHCP packet blocking port. This blocking port drops all incoming DHCP requests.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the port to block DHCP requests.
dhcp snooping deny
By default, the port does not block DHCP requests.
CAUTION: To avoid IP address acquisition failure, configure a port to block DHCP packets only if no DHCP clients are attached to it.
Enabling DHCP snooping logging
About DHCP snooping logging
The DHCP snooping logging feature enables the DHCP snooping device to generate DHCP snooping logs and send them to the information center. The information helps administrators locate and solve problems. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.
Restrictions and guidelines
As a best practice, disable this feature if the log generation affects the device performance.
Procedure
1. Enter system view.
system-view
2. Enable DHCP snooping logging.
dhcp snooping log enable
By default, DHCP snooping logging is disabled.
Disabling DHCP snooping on an interface
About disabling DHCP snooping on an interface
This feature allows you to narrow down the interface range where DHCP snooping takes effect. For example, to enable DHCP snooping globally except for a specific interface, you can enable DHCP snooping globally and disable DHCP snooping on the target interface.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Disable DHCP snooping on the interface.
dhcp snooping disable
By default:
¡ If you enable DHCP snooping globally or for a VLAN, DHCP snooping is enabled on all interfaces on the device or on all interfaces in the VLAN.
¡ If you do not enable DHCP snooping globally or for a VLAN, DHCP snooping is disabled on all interfaces on the device or on all interfaces in the VLAN.
Display and maintenance commands for DHCP snooping
Execute display commands in any view, and reset commands in user view.
Task | Command |
---|---|
Display DHCP snooping entries. | display dhcp snooping binding [ ip ip-address [ vlan vlan-id ] ] [ verbose ] |
Display information about the file that stores DHCP snooping entries. | display dhcp snooping binding database |
Display Option 82 configuration information on the DHCP snooping device. | display dhcp snooping information { all \| interface interface-type interface-number } |
Display DHCP packet statistics on the DHCP snooping device. | display dhcp snooping packet statistics [ slot slot-number ] |
Display information about trusted ports. | display dhcp snooping trust |
Clear DHCP snooping entries. | reset dhcp snooping binding { all \| ip ip-address [ vlan vlan-id ] } |
Clear DHCP packet statistics on the DHCP snooping device. | reset dhcp snooping packet statistics [ slot slot-number ] |
DHCP snooping configuration examples
Example: Configuring basic DHCP snooping features globally
Network configuration
As shown in Figure 22, Switch B is connected to the authorized DHCP server through Twenty-FiveGigE 1/0/1, to the unauthorized DHCP server through Twenty-FiveGigE 1/0/3, and to the DHCP client through Twenty-FiveGigE 1/0/2.
Configure only the port connected to the authorized DHCP server to forward the responses from the DHCP server. Enable the DHCP snooping device to record clients' IP-to-MAC bindings by reading DHCP-ACK messages received from the trusted port and the DHCP-REQUEST messages.
Procedure
# Enable DHCP snooping globally.
<SwitchB> system-view
[SwitchB] dhcp snooping enable
# Configure Twenty-FiveGigE 1/0/1 as a trusted port.
[SwitchB] interface twenty-fivegige 1/0/1
[SwitchB-Twenty-FiveGigE1/0/1] dhcp snooping trust
[SwitchB-Twenty-FiveGigE1/0/1] quit
# Enable recording clients' IP-to-MAC bindings on Twenty-FiveGigE 1/0/2.
[SwitchB] interface twenty-fivegige 1/0/2
[SwitchB-Twenty-FiveGigE1/0/2] dhcp snooping binding record
[SwitchB-Twenty-FiveGigE1/0/2] quit
Verifying the configuration
# Verify that the DHCP client can obtain an IP address and other configuration parameters only from the authorized DHCP server. (Details not shown.)
# Display the DHCP snooping entry recorded for the client.
[SwitchB] display dhcp snooping binding
Example: Configuring basic DHCP snooping features for a VLAN
Network configuration
As shown in Figure 23, Switch B is connected to the authorized DHCP server through Twenty-FiveGigE 1/0/1, to the unauthorized DHCP server through Twenty-FiveGigE 1/0/3, and to the DHCP client through Twenty-FiveGigE 1/0/2.
Configure only the port in VLAN 100 connected to the authorized DHCP server to forward the responses from the DHCP server. Enable the port in VLAN 100 to record clients' IP-to-MAC bindings by reading DHCP-ACK messages received from the trusted port and the DHCP-REQUEST messages.
Procedure
# Assign Twenty-FiveGigE 1/0/1, Twenty-FiveGigE 1/0/2, and Twenty-FiveGigE 1/0/3 to VLAN 100.
<SwitchB> system-view
[SwitchB] vlan 100
[SwitchB-vlan100] port twenty-fivegige 1/0/1 to twenty-fivegige 1/0/3
[SwitchB-vlan100] quit
# Enable DHCP snooping for VLAN 100.
[SwitchB] dhcp snooping enable vlan 100
# Configure Twenty-FiveGigE 1/0/1 as DHCP snooping trusted port.
[SwitchB] vlan 100
[SwitchB-vlan100] dhcp snooping trust twenty-fivegige 1/0/1
# Enable recording clients' IP-to-MAC bindings in VLAN 100.
[SwitchB-vlan100] dhcp snooping binding record
[SwitchB-vlan100] quit
Verifying the configuration
# Verify that the DHCP client can obtain an IP address and other configuration parameters only from the authorized DHCP server. (Details not shown.)
# Display the DHCP snooping entry recorded for the client.
[SwitchB] display dhcp snooping binding
Example: Configuring DHCP snooping support for Option 82
Network configuration
As shown in Figure 24, enable DHCP snooping and configure Option 82 on Switch B as follows:
· Configure the handling strategy for DHCP requests that contain Option 82 as replace.
· On Twenty-FiveGigE 1/0/2, configure the padding content for the Circuit ID sub-option as company001 and for the Remote ID sub-option as device001.
· On Twenty-FiveGigE 1/0/3, configure the padding mode for the Circuit ID sub-option as verbose, access node identifier as sysname, and padding format as ascii. Configure the padding content for the Remote ID sub-option as device001.
Procedure
# Enable DHCP snooping.
<SwitchB> system-view
[SwitchB] dhcp snooping enable
# Configure Twenty-FiveGigE 1/0/1 as a trusted port.
[SwitchB] interface twenty-fivegige 1/0/1
[SwitchB-Twenty-FiveGigE1/0/1] dhcp snooping trust
[SwitchB-Twenty-FiveGigE1/0/1] quit
# Configure Option 82 on Twenty-FiveGigE 1/0/2.
[SwitchB] interface twenty-fivegige 1/0/2
[SwitchB-Twenty-FiveGigE1/0/2] dhcp snooping information enable
[SwitchB-Twenty-FiveGigE1/0/2] dhcp snooping information strategy replace
[SwitchB-Twenty-FiveGigE1/0/2] dhcp snooping information circuit-id string company001
[SwitchB-Twenty-FiveGigE1/0/2] dhcp snooping information remote-id string device001
[SwitchB-Twenty-FiveGigE1/0/2] quit
# Configure Option 82 on Twenty-FiveGigE 1/0/3.
[SwitchB] interface twenty-fivegige 1/0/3
[SwitchB-Twenty-FiveGigE1/0/3] dhcp snooping information enable
[SwitchB-Twenty-FiveGigE1/0/3] dhcp snooping information strategy replace
[SwitchB-Twenty-FiveGigE1/0/3] dhcp snooping information circuit-id verbose node-identifier sysname format ascii
[SwitchB-Twenty-FiveGigE1/0/3] dhcp snooping information remote-id string device001
Verifying the configuration
# Display Option 82 configuration information on Twenty-FiveGigE 1/0/2 and Twenty-FiveGigE 1/0/3 on the DHCP snooping device.
[SwitchB] display dhcp snooping information
Configuring the BOOTP client
About BOOTP client
BOOTP client application
An interface that acts as a BOOTP client can use BOOTP to obtain information (such as IP address) from the BOOTP server.
To use BOOTP, an administrator must configure a BOOTP parameter file for each BOOTP client on the BOOTP server. The parameter file contains information such as MAC address and IP address of a BOOTP client. When a BOOTP client sends a request to the BOOTP server, the BOOTP server searches for the BOOTP parameter file and returns the corresponding configuration information.
BOOTP is usually used in relatively stable environments. In network environments that change frequently, DHCP is more suitable.
Because a DHCP server can interact with a BOOTP client, you can use the DHCP server to assign an IP address to the BOOTP client. You do not need to configure a BOOTP server.
Obtaining an IP address dynamically
A BOOTP client dynamically obtains an IP address from a BOOTP server as follows:
1. The BOOTP client broadcasts a BOOTP request, which contains its own MAC address.
2. Upon receiving the request, the BOOTP server searches the configuration file for the IP address and other information according to the BOOTP client's MAC address.
3. The BOOTP server returns a BOOTP response to the BOOTP client.
4. The BOOTP client obtains the IP address from the received response.
A DHCP server can take the place of the BOOTP server in the preceding dynamic IP address acquisition process.
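The four-step exchange above carried out on the RFC 951 wire format, as an added example that is not code from the guide or the switch. Both sides are modelled: the client builds a BOOTREQUEST with its MAC address in chaddr, the server looks the MAC up in a parameter table (a constructed in-memory stand-in for the per-client parameter file) and answers with a BOOTREPLY or stays silent for an unknown client, and the client matches the transaction ID and takes its address from yiaddr. The MAC addresses, addresses and file name are constructed.

```python
"""The four-step BOOTP exchange on the RFC 951 wire format.

Added example, not code from the guide or the switch. Both sides are
modelled; PARAM_FILE is a constructed in-memory stand-in for the server's
per-client parameter file.
"""
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
HTYPE_ETHERNET, HLEN_ETHERNET = 1, 6
# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file vend
FMT = "!BBBBIHH4s4s4s4s16s64s128s64s"          # fixed 300-byte layout
FIELDS = ("op", "htype", "hlen", "hops", "xid", "secs", "flags", "ciaddr",
          "yiaddr", "siaddr", "giaddr", "chaddr", "sname", "file", "vend")
ZERO4 = b"\0" * 4

# Constructed parameter table: client MAC -> assigned address and boot file.
PARAM_FILE = {
    "00:0c:29:aa:bb:01": {"ip": "10.1.1.5", "file": "switchb.cfg"},
}


def build_message(**fields):
    """Pack a BOOTP message; unspecified fields are zero or empty."""
    msg = {"op": BOOTREQUEST, "htype": HTYPE_ETHERNET, "hlen": HLEN_ETHERNET,
           "hops": 0, "xid": 0, "secs": 0, "flags": 0, "ciaddr": ZERO4,
           "yiaddr": ZERO4, "siaddr": ZERO4, "giaddr": ZERO4,
           "chaddr": b"\0" * 16, "sname": b"", "file": b"", "vend": b""}
    msg.update(fields)
    return struct.pack(FMT, *(msg[name] for name in FIELDS))


def parse_message(data):
    """Unpack a BOOTP message into a dict; reject anything but 300 bytes."""
    if len(data) != struct.calcsize(FMT):
        raise ValueError("BOOTP message must be exactly 300 bytes")
    return dict(zip(FIELDS, struct.unpack(FMT, data)))


def client_request(mac, xid):
    """Step 1: the client broadcasts a BOOTREQUEST carrying its own MAC."""
    hw = bytes.fromhex(mac.replace(":", ""))
    return build_message(xid=xid, chaddr=hw.ljust(16, b"\0"))


def server_reply(request, param_file, server_ip):
    """Steps 2 and 3: look chaddr up in the parameter file and answer.

    Returns None (no reply) for a non-request or an unknown client.
    """
    req = parse_message(request)
    if req["op"] != BOOTREQUEST or req["htype"] != HTYPE_ETHERNET:
        return None
    mac = req["chaddr"][:req["hlen"]].hex(":")
    entry = param_file.get(mac)
    if entry is None:
        return None
    return build_message(op=BOOTREPLY, xid=req["xid"], chaddr=req["chaddr"],
                         yiaddr=ipaddress.IPv4Address(entry["ip"]).packed,
                         siaddr=ipaddress.IPv4Address(server_ip).packed,
                         file=entry["file"].encode())


def client_accept(reply, xid):
    """Step 4: the client matches the transaction ID and reads yiaddr."""
    rep = parse_message(reply)
    if rep["op"] != BOOTREPLY or rep["xid"] != xid:
        return None
    return str(ipaddress.IPv4Address(rep["yiaddr"]))


def run_exchange(mac, xid=0x1234, server_ip="10.1.1.1"):
    """Drive the whole exchange; returns the address the client obtained."""
    request = client_request(mac, xid)
    reply = server_reply(request, PARAM_FILE, server_ip)
    return None if reply is None else client_accept(reply, xid)
```

Because the server answers purely on the MAC address in chaddr, BOOTP offers no authentication of either side; the DHCP snooping features earlier in this chapter are what keep an unauthorised responder on the LAN from answering these broadcasts.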
Protocols and standards
· RFC 951, Bootstrap Protocol (BOOTP)
· RFC 2132, DHCP Options and BOOTP Vendor Extensions
· RFC 1542, Clarifications and Extensions for the Bootstrap Protocol
Configuring an interface to use BOOTP for IP address acquisition
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
BOOTP client configuration applies only to Layer 3 Ethernet interfaces (including subinterfaces), Layer 3 aggregate interfaces, and VLAN interfaces.
3. Configure an interface to use BOOTP for IP address acquisition.
ip address bootp-alloc
By default, an interface does not use BOOTP for IP address acquisition.
Display and maintenance commands for BOOTP client
Execute display command in any view.
Task | Command |
---|---|
Display BOOTP client information. | display bootp client [ interface interface-type interface-number ] |
BOOTP client configuration examples
Example: Configuring BOOTP client
Network configuration
As shown in Figure 9, Switch B's port belonging to VLAN 10 is connected to the LAN. VLAN-interface 10 obtains an IP address from the DHCP server by using BOOTP.
To make the BOOTP client obtain an IP address from the DHCP server, you must perform configuration on the DHCP server. For more information, see "DHCP server configuration examples."
Procedure
The following describes the configuration on Switch B, which acts as a client.
# Configure VLAN-interface 10 to dynamically obtain an IP address from the DHCP server.
<SwitchB> system-view
[SwitchB] interface vlan-interface 10
[SwitchB-Vlan-interface10] ip address bootp-alloc
Verifying the configuration
# Display the IP address assigned to the BOOTP client.
[SwitchB] display bootp client