04-Layer 3-IP Services Configuration Guide

HomeSupportConfigure & DeployConfiguration GuidesH3C S6850 & S9850 Switch Series Configuration Guides-Release 655x-6W10204-Layer 3-IP Services Configuration Guide
03-DHCP configuration
Title Size Download
03-DHCP configuration 811.28 KB

Contents

DHCP overview·· 1

DHCP network model 1

DHCP address allocation· 1

Allocation mechanisms· 1

IP address allocation process· 2

IP address lease extension· 2

DHCP message format 3

DHCP options· 4

Common DHCP options· 4

Custom DHCP options· 4

Vendor-specific option (Option 43) 5

Relay agent option (Option 82) 6

Option 184· 6

Protocols and standards· 7

Configuring the DHCP server 8

About DHCP server 8

DHCP address assignment mechanisms· 8

Principles for selecting an address pool 9

IP address allocation sequence· 10

DHCP server tasks at a glance· 10

Creating a DHCP user class· 11

Configuring an address pool on the DHCP server 11

DHCP address pool tasks at a glance· 11

Creating a DHCP address pool 12

Specifying a primary subnet and multiple address ranges in a DHCP address pool 12

Specifying a primary subnet and multiple secondary subnets in a DHCP address pool 13

Configuring a static binding in a DHCP address pool 14

Specifying gateways for DHCP clients· 15

Specifying a domain name suffix for DHCP clients· 16

Specifying DNS servers for DHCP clients· 16

Specifying WINS servers and NetBIOS node type for DHCP clients· 16

Specifying BIMS server for DHCP clients· 17

Specifying the configuration file for DHCP client automatic configuration· 17

Specifying a server for DHCP clients· 18

Configuring Option 184 parameters for DHCP clients· 18

Customizing DHCP options· 19

Applying a DHCP address pool to a VPN instance· 21

Configuring the DHCP user class whitelist 21

Applying an address pool to an interface· 22

Configuring a DHCP policy for dynamic assignment 22

Enabling DHCP· 23

Enabling the DHCP server on an interface· 23

Configuring IP address conflict detection· 24

Enabling handling of Option 82· 24

Configuring the DHCP server security features· 24

Restrictions and guidelines· 24

Configuring DHCP flood attack protection· 25

Configuring DHCP starvation attack protection· 25

Configuring DHCP server compatibility· 26

Configuring the DHCP server to always broadcast responses· 26

Enabling the DHCP server to return a DHCP-NAK message upon client notions of incorrect IP addresses  26

Configuring the DHCP server to ignore BOOTP requests· 27

Configuring the DHCP server to send BOOTP responses in RFC 1048 format 27

Setting the DSCP value for DHCP packets sent by the DHCP server 28

Configuring DHCP binding auto backup· 28

Enabling client offline detection on the DHCP server 29

Configuring address pool usage alarming· 29

Enabling DHCP logging on the DHCP server 29

Display and maintenance commands for DHCP server 30

DHCP server configuration examples· 31

Example: Configuring static IP address assignment 31

Example: Configuring dynamic IP address assignment 32

Example: Configuring DHCP user class· 34

Example: Configuring DHCP user class whitelist 36

Example: Configuring primary and secondary subnets· 37

Example: Customizing DHCP option· 38

Troubleshooting DHCP server configuration· 40

Failure to obtain a non-conflicting IP address· 40

Configuring the DHCP relay agent 41

About DHCP relay agent 41

DHCP relay agent operation· 41

DHCP relay agent support for Option 82· 42

DHCP relay agent support for MCE· 42

DHCP relay agent tasks at a glance· 42

Enabling DHCP· 43

Enabling the DHCP relay agent on an interface· 43

Specifying DHCP servers· 44

Specifying DHCP servers on a relay agent 44

Specifying DHCP servers in a DHCP relay address pool 44

Specifying the DHCP server selecting algorithm·· 45

Specifying a DHCP relay address pool for DHCP clients· 46

Configuring the DHCP relay agent security features· 47

Restrictions and guidelines for DHCP relay agent security feature configuration· 47

Enabling the DHCP relay agent to record relay entries· 48

Enabling periodic refresh of dynamic relay entries· 48

Configuring DHCP flood attack protection· 49

Enabling DHCP starvation attack protection· 49

Enabling DHCP server proxy on the DHCP relay agent 50

Enabling client offline detection on the DHCP relay agent 50

Configuring the DHCP relay agent to release an IP address· 51

Configuring DHCP relay agent support for Option 82· 51

Enabling Option 60 insertion into DHCP requests· 52

Setting the DSCP value for DHCP packets sent by the DHCP relay agent 53

Specifying the DHCP relay agent address for the giaddr field· 53

Manually specifying the DHCP relay agent address for the giaddr field· 53

Configuring smart relay to specify the DHCP relay agent address for the giaddr field· 54

Specifying the source IP address for relayed DHCP requests· 54

Discarding DHCP requests that are delivered from VXLAN tunnels· 55

Configuring DHCP relay agent support for forwarding DHCP replies based on MAC address table· 55

Display and maintenance commands for DHCP relay agent 56

DHCP relay agent configuration examples· 57

Example: Configuring basic DHCP relay agent 57

Example: Configuring Option 82· 58

Example: Configuring DHCP server selection· 58

Troubleshooting DHCP relay agent configuration· 60

Failure of DHCP clients to obtain configuration parameters through the DHCP relay agent 60

Configuring the DHCP client 61

About DHCP client 61

Restrictions and guidelines: DHCP client configuration· 61

DHCP client tasks at a glance· 61

Enabling the DHCP client on an interface· 61

Configuring a DHCP client ID for an interface· 62

Enabling duplicated address detection· 62

Setting the DSCP value for DHCP packets sent by the DHCP client 63

Display and maintenance commands for DHCP client 63

DHCP client configuration examples· 63

Example: Configuring DHCP client 63

Configuring DHCP snooping· 66

About DHCP snooping· 66

Application of trusted and untrusted ports· 66

DHCP snooping support for Option 82· 67

Restrictions and guidelines: DHCP snooping configuration· 68

DHCP snooping tasks at a glance· 68

Configuring basic DHCP snooping features· 69

Configuring basic DHCP snooping features in a common network· 69

Configuring basic DHCP snooping features in a VXLAN network· 70

Configuring DHCP snooping support for Option 82· 71

Configuring DHCP snooping entry auto backup· 73

Setting the maximum number of DHCP snooping entries· 73

Configuring DHCP packet rate limit 74

Configuring DHCP snooping security features· 74

Enabling DHCP starvation attack protection· 74

Enabling DHCP-REQUEST attack protection· 75

Configuring a DHCP packet blocking port 75

Enabling DHCP snooping logging· 76

Disabling DHCP snooping on an interface· 76

Display and maintenance commands for DHCP snooping· 76

DHCP snooping configuration examples· 77

Example: Configuring basic DHCP snooping features globally· 77

Example: Configuring basic DHCP snooping features for a VLAN· 78

Example: Configuring DHCP snooping support for Option 82· 79

Configuring the BOOTP client 81

About BOOTP client 81

BOOTP client application· 81

Obtaining an IP address dynamically· 81

Protocols and standards· 81

Configuring an interface to use BOOTP for IP address acquisition· 81

Display and maintenance commands for BOOTP client 82

BOOTP client configuration examples· 82

Example: Configuring BOOTP client 82


DHCP overview

DHCP network model

The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices.

Figure 1 shows a typical DHCP application scenario where the DHCP clients and the DHCP server reside on the same subnet. The DHCP clients can also obtain configuration parameters from a DHCP server on another subnet through a DHCP relay agent. For more information about the DHCP relay agent, see "Configuring the DHCP relay agent."

Figure 1 A typical DHCP application

DHCP address allocation

Allocation mechanisms

DHCP supports the following allocation mechanisms:

·     Static allocation—The network administrator assigns an IP address to a client, such as a WWW server, and DHCP conveys the assigned address to the client.

·     Automatic allocation—DHCP assigns a permanent IP address to a client.

·     Dynamic allocation—DHCP assigns an IP address to a client for a limited period of time, which is called a lease. Most DHCP clients obtain their addresses in this way.

IP address allocation process

Figure 2 IP address allocation process

As shown in Figure 2, a DHCP server assigns an IP address to a DHCP client in the following process:

1.     The client broadcasts a DHCP-DISCOVER message to locate a DHCP server.

2.     Each DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message. The sending mode of the DHCP-OFFER is determined by the flag field in the DHCP-DISCOVER message. For more information, see "DHCP message format."

3.     If the client receives multiple offers, it accepts the first received offer, and broadcasts it in a DHCP-REQUEST message to formally request the IP address. (IP addresses offered by other DHCP servers can be assigned to other clients.)

4.     All DHCP servers receive the DHCP-REQUEST message. However, only the server selected by the client does one of the following operations:

¡     Returns a DHCP-ACK message to confirm that the IP address has been allocated to the client.

¡     Returns a DHCP-NAK message to deny the IP address allocation.

After receiving the DHCP-ACK message, the client verifies the following details before using the assigned IP address:

·     The assigned IP address is not in use. To verify this, the client broadcasts a gratuitous ARP packet. The assigned IP address is not in use if no response is received within the specified time.

·     The assigned IP address is not on the same subnet as any IP address in use on the client.

Otherwise, the client sends a DHCP-DECLINE message to the server to request an IP address again.

IP address lease extension

A dynamically assigned IP address has a lease. When the lease expires, the IP address is reclaimed by the DHCP server. To continue using the IP address, the client must extend the lease duration.

When about half of the lease duration elapses, the DHCP client unicasts a DHCP-REQUEST to the DHCP server to extend the lease. Depending on the availability of the IP address, the DHCP server returns one of the following messages:

·     A DHCP-ACK unicast confirming that the client's lease duration has been extended.

·     A DHCP-NAK unicast denying the request.

If the client receives no reply, it broadcasts another DHCP-REQUEST message for lease extension when about seven-eighths of the lease duration elapses. Again, depending on the availability of the IP address, the DHCP server returns either a DHCP-ACK unicast or a DHCP-NAK unicast.

DHCP message format

Figure 3 shows the DHCP message format. DHCP uses some of the fields in significantly different ways. The numbers in parentheses indicate the size of each field in bytes.

Figure 3 DHCP message format

·     op—Message type defined in options field. 1 = REQUEST, 2 = REPLY

·     htype, hlen—Hardware address type and length of the DHCP client.

·     hops—Number of relay agents a request message traveled.

·     xid—Transaction ID, a random number chosen by the client to identify an IP address allocation.

·     secs—Filled in by the client, the number of seconds elapsed since the client began address acquisition or renewal process. This field is reserved and set to 0.

·     flags—The leftmost bit is defined as the BROADCAST (B) flag. If this flag is set to 0, the DHCP server sent a reply back by unicast. If this flag is set to 1, the DHCP server sent a reply back by broadcast. The remaining bits of the flags field are reserved for future use.

·     ciaddr—Client IP address if the client has an IP address that is valid and usable. Otherwise, set to zero. (The client does not use this field to request an IP address to lease.)

·     yiaddr—Your IP address. It is an IP address assigned by the DHCP server to the DHCP client.

·     siaddr—Server IP address, from which the client obtained configuration parameters.

·     giaddr—Gateway IP address. It is the IP address of the first relay agent to which a request message travels.

·     chaddr—Client hardware address.

·     sname—Server host name, from which the client obtained configuration parameters.

·     file—Boot file (also called system software image) name and path information, defined by the server to the client.

·     options—Optional parameters field that is variable in length. Optional parameters include the message type, lease duration, subnet mask, domain name server IP address, and WINS IP address.

DHCP options

DHCP extends the message format as an extension to BOOTP for compatibility. DHCP uses the options field to carry information for dynamic address allocation and provide additional configuration information for clients.

Figure 4 DHCP option format

Common DHCP options

The following are common DHCP options:

·     Option 3—Router option. It specifies the gateway address to be assigned to the clients.

·     Option 6—DNS server option. It specifies the DNS server IP address to be assigned to the clients.

·     Option 33—Static route option. It specifies a list of classful static routes (the destination addresses in these static routes are classful) that a client should add into its routing table. If both Option 33 and Option 121 exist, Option 33 is ignored.

·     Option 51—IP address lease option.

·     Option 53—DHCP message type option. It identifies the type of the DHCP message.

·     Option 55—Parameter request list option. It is used by a DHCP client to request specified configuration parameters. The option includes values that correspond to the parameters requested by the client.

·     Option 60—Vendor class identifier option. A DHCP client uses this option to identify its vendor. A DHCP server uses this option to distinguish DHCP clients, and assigns IP addresses to them.

·     Option 66—TFTP server name option. It specifies the TFTP server domain name to be assigned to the clients.

·     Option 67—Boot file name option. It specifies the boot file name to be assigned to the client.

·     Option 121—Classless route option. It specifies a list of classless static routes (the destination addresses in these static routes are classless) that a client should add into its routing table. If both Option 33 and Option 121 exist, Option 33 is ignored.

·     Option 150—TFTP server IP address option. It specifies the TFTP server IP address to be assigned to the clients.

For more information about DHCP options, see RFC 2132 and RFC 3442.

Custom DHCP options

Some options, such as Option 43, Option 82, and Option 184, have no standard definitions in RFC 2132.

Vendor-specific option (Option 43)

Option 43 function

DHCP servers and clients use Option 43 to exchange vendor-specific configuration information.

The DHCP client can obtain the following information through Option 43:

·     ACS parameters, including the ACS URL, username, and password.

·     Service provider identifier, which is acquired by the CPE from the DHCP server and sent to the ACS for selecting vender-specific configurations and parameters. For more information about CPE and ACS, see Network Management and Monitoring Configuration Guide.

·     PXE server address, which is used to obtain the boot file or other control information from the PXE server.

Option 43 format

Figure 5 Option 43 format

Network configuration parameters are carried in different sub-options of Option 43 as shown in Figure 5.

·     Sub-option type—The field value can be 0x01 (ACS parameter sub-option), 0x02 (service provider identifier sub-option), or 0x80 (PXE server address sub-option).

·     Sub-option length—Excludes the sub-option type and sub-option length fields.

·     Sub-option value—The value format varies by sub-option.

Sub-option value field format

·     ACS parameter sub-option value field—Includes the ACS URL, username, and password separated by spaces (hexadecimal number 20) as shown in Figure 6.

Figure 6 ACS parameter sub-option value field

·     Service provider identifier sub-option value field—Includes the service provider identifier.

·     PXE server address sub-option value field—Includes the PXE server type that can only be 0, the server number that indicates the number of PXE servers contained in the sub-option, and server IP addresses, as shown in Figure 7.

Figure 7 PXE server address sub-option value field

Relay agent option (Option 82)

Option 82 is the relay agent option. It records the location information about the DHCP client. When a DHCP relay agent or DHCP snooping device receives a client's request, it adds Option 82 to the request and sends it to the server.

The administrator can use Option 82 to locate the DHCP client and further implement security control and accounting. The DHCP server can use Option 82 to provide individual configuration policies for the clients.

Option 82 can include a maximum of 255 sub-options and must include a minimum of one sub-option. Option 82 supports the following sub-options: sub-option 1 (Circuit ID), sub-option 2 (Remote ID), sub-option 5 (Link Selection), and sub-option 9 (Vendor-Specific). Option 82 has no standard definition. Its padding formats vary by vendor.

·     Circuit ID has the following padding modes:

¡     String padding mode—Includes a character string specified by the user.

¡     Normal padding mode—Includes the VLAN ID and interface number of the interface that receives the client's request.

¡     Verbose padding mode—Includes the access node identifier specified by the user, and the VLAN ID, interface number and interface type of the interface that receives the client's request.

·     Remote ID has the following padding modes:

¡     String padding mode—Includes a character string specified by the user.

¡     Normal padding mode—Includes the MAC address of the DHCP relay agent interface or the MAC address of the DHCP snooping device that receives the client's request.

¡     Sysname padding mode—Includes the name of the device. To set the device name, use the sysname command in system view.

·     The Link Selection sub-option carries the IP address in the giaddr field or the IP address of a relay interface. If you use the dhcp relay source-address { ip-address | interface interface-type interface-number } command, you must enable the DHCP relay agent to support Option 82. This sub-option will then be included in Option 82.

·     The Vendor-Specific sub-option supports only the bas padding mode. The padding content includes the user-configured access node identifier and the VLAN ID, interface number, and interface type of the interface that receives the client's request. This sub-option is supported only on DHCP snooping devices.

Option 184

Option 184 is a reserved option. You can define the parameters in the option as needed. The device supports Option 184 carrying voice related parameters, so a DHCP client with voice functions can get voice parameters from the DHCP server.

Option 184 has the following sub-options:

·     Sub-option 1—Specifies the IP address of the primary network calling processor. The primary processor acts as the network calling control source and provides program download services. For Option 184, you must define sub-option 1 to make other sub-options take effect.

·     Sub-option 2—Specifies the IP address of the backup network calling processor. DHCP clients contact the backup processor when the primary one is unreachable.

·     Sub-option 3—Specifies the voice VLAN ID and the result whether the DHCP client takes this VLAN as the voice VLAN.

·     Sub-option 4—Specifies the failover route that includes the IP address and the number of the target user. A SIP VoIP user uses this IP address and number to directly establish a connection to the target SIP user when both the primary and backup calling processors are unreachable.

Protocols and standards

·     RFC 2131, Dynamic Host Configuration Protocol

·     RFC 2132, DHCP Options and BOOTP Vendor Extensions

·     RFC 1542, Clarifications and Extensions for the Bootstrap Protocol

·     RFC 3046, DHCP Relay Agent Information Option

·     RFC 3442, The Classless Static Route Option for Dynamic Host Configuration Protocol (DHCP) version 4

 


Configuring the DHCP server

About DHCP server

A DHCP server manages a pool of IP addresses and client configuration parameters. It selects an IP address and configuration parameters from the address pool and allocates them to a requesting DHCP client.

DHCP address assignment mechanisms

Configure the following address assignment mechanisms as needed:

·     Static address allocation—Manually bind the MAC address or ID of a client to an IP address in a DHCP address pool. When the client requests an IP address, the DHCP server assigns the IP address in the static binding to the client.

·     Dynamic address allocation—Specify IP address ranges in a DHCP address pool. Upon receiving a DHCP request, the DHCP server dynamically selects an IP address from the matching IP address range in the address pool.

You can specify IP address ranges in an address pool by using either of the following methods:

·     Method 1A primary subnet being divided into multiple address ranges in an address pool

·     Method 2A primary subnet and multiple secondary subnets in an address pool

A primary subnet being divided into multiple address ranges in an address pool

An address range includes a common IP address range and IP address ranges for DHCP user classes.

Upon receiving a DHCP request, the DHCP server finds a user class matching the client and selects an IP address in the address range of the user class for the client. A user class can include multiple matching rules, and a client matches the user class as long as it matches any of the rules. In address pool view, you can specify different address ranges for different user classes.

The DHCP server selects an IP address for a client by performing the following steps:

1.     DHCP server compares the client against DHCP user classes in the order they are configured.

2.     If the client matches a user class, the DHCP server selects an IP address from the address range of the user class.

3.     If the matching user class has no assignable addresses, the DHCP server compares the client against the next user class. If all the matching user classes have no assignable addresses, the DHCP server selects an IP address from the common address range.

4.     If the DHCP client does not match any DHCP user class, the DHCP server selects an address in the IP address range specified by the address range command. If the address range has no assignable IP addresses or it is not configured, the address allocation fails.

 

 

NOTE:

All address ranges must belong to the primary subnet. If an address range does not reside on the primary subnet, DHCP cannot assign the addresses in the address range.

A primary subnet and multiple secondary subnets in an address pool

The DHCP server selects an IP address from the primary subnet first. If there is no assignable IP address on the primary subnet, the DHCP server selects an IP address from secondary subnets in the order they are configured.

Principles for selecting an address pool

The DHCP server observes the following principles to select an address pool for a client:

1.     If there is an address pool where an IP address is statically bound to the MAC address or ID of the client, the DHCP server selects this address pool and assigns the statically bound IP address and other configuration parameters to the client.

2.     If the receiving interface has an address pool applied, the DHCP server selects an IP address and other configuration parameters from this address pool.

3.     If the receiving interface has a DHCP policy and the DHCP client matches a user class, the DHCP server selects the address pool that is bound to the matching user class. If no matching user class is found, the server assigns an IP address and other parameters from the default DHCP address pool. If no default address pool is specified or the default address pool does not have assignable IP addresses, the address assignment fails.

4.     If the above conditions are not met, the DHCP server selects an address pool depending on the client location.

¡     Client on the same subnet as the server—The DHCP server compares the IP address of the receiving interface with the primary subnets of all address pools.

-     If a match is found, the server selects the address pool with the longest-matching primary subnet.

-     If no match is found, the DHCP server compares the IP address with the secondary subnets of all address pools. The server selects the address pool with the longest-matching secondary subnet.

¡     Client on a different subnet than the server—The DHCP server compares the IP address in the giaddr field of the DHCP request with the primary subnets of all address pools.

-     If a match is found, the server selects the address pool with the longest-matching primary subnet.

-     If no match is found, the DHCP server compares the IP address with the secondary subnets of all address pools. The server selects the address pool with the longest-matching secondary subnet.

For example, two address pools 1.1.1.0/24 and 1.1.1.0/25 are configured but not applied to any DHCP server's interfaces.

·     If the IP address of the receiving interface is 1.1.1.1/25, the DHCP server selects the address pool 1.1.1.0/25. If the address pool has no available IP addresses, the DHCP server will not select the other pool and the address allocation will fail.

·     If the IP address of the receiving interface is 1.1.1.130/25, the DHCP server selects the address pool 1.1.1.0/24.

To ensure correct address allocation, keep the IP addresses used for dynamic allocation on one of the subnets:

·     Clients on the same subnet as the server—Subnet where the DHCP server receiving interface resides.

·     Clients on a different subnet than the serverSubnet where the first DHCP relay interface that faces the clients resides.

 

 

NOTE:

As a best practice, configure a minimum of one matching primary subnet in your network. Otherwise, the DHCP server selects only the first matching secondary subnet for address allocation. If the network has more DHCP clients than the assignable IP addresses in the secondary subnet, not all DHCP clients can obtain IP addresses.

IP address allocation sequence

The DHCP server selects an IP address for a client in the following sequence:

1.     IP address statically bound to the client's MAC address or ID.

2.     IP address that was ever assigned to the client.

3.     IP address designated by the Option 50 field in the DHCP-DISCOVER message sent by the client.

Option 50 is the Requested IP Address option. The client uses this option to specify the wanted IP address in a DHCP-DISCOVER message. The content of Option 50 is user defined.

4.     First assignable IP address found in the way discussed in "DHCP address assignment mechanisms" and "Principles for selecting an address pool."

5.     IP address that was a conflict or passed its lease duration. If no IP address is assignable, the server does not respond.

 

 

NOTE:

·     If a client moves to another subnet, the DHCP server selects an IP address in the address pool matching the new subnet. It does not assign the IP address that was once assigned to the client.

·     Conflicted IP addresses can be assigned to other DHCP clients only after the addresses are in conflict for an hour.

DHCP server tasks at a glance

To configure the DHCP server, perform the following tasks:

1.     (Optional.) Creating a DHCP user class

2.     Configuring an address pool on the DHCP server

3.     (Optional.) Modifying the address pool selection method on the DHCP server

¡     Applying an address pool to an interface

¡     Configuring a DHCP policy for dynamic assignment

4.     Enabling DHCP

5.     Enabling the DHCP server on an interface

6.     (Optional.) Configuring advanced DHCP features

¡     Configuring IP address conflict detection

¡     Enabling handling of Option 82

¡     Configuring the DHCP server security features

¡     Configuring DHCP server compatibility

¡     Setting the DSCP value for DHCP packets sent by the DHCP server

¡     Configuring DHCP binding auto backup

¡     Enabling client offline detection on the DHCP server

7.     (Optional.) Configuring SNMP notification and logging

¡     Configuring address pool usage alarming

¡     Enabling DHCP logging on the DHCP server

Creating a DHCP user class

About DHCP user class

The DHCP server classifies DHCP users into different user classes according to the hardware address, option information, or the giaddr field in the received DHCP requests. The server allocates IP addresses and configuration parameters to DHCP clients in different user classes.

Procedure

1.     Enter system view.

system-view

2.     Create a DHCP user class and enter DHCP user class view.

dhcp class class-name

3.     Configure a match rule for the DHCP user class.

if-match rule rule-number { hardware-address hardware-address mask hardware-address-mask | option option-code [ ascii ascii-string [ offset offset | partial ] | hex hex-string [ mask mask | offset offset length length | partial ] ] | relay-agent gateway-address }

By default, no match rule is configured for a DHCP user class.

Configuring an address pool on the DHCP server

DHCP address pool tasks at a glance

To configure a DHCP address pool, perform the following tasks:

1.     Creating a DHCP address pool

2.     Specifying IP address ranges in a DHCP address pool

In one DHCP address pool, the two dynamic allocation methods cannot be both configured, but static and dynamic address allocations can be both implemented.

¡     Specifying a primary subnet and multiple address ranges in a DHCP address pool

¡     Specifying a primary subnet and multiple secondary subnets in a DHCP address pool

¡     Configuring a static binding in a DHCP address pool

3.     Specifying other configuration parameters to be assigned to DHCP clients

¡     Specifying gateways for DHCP clients

¡     Specifying a domain name suffix for DHCP clients

¡     Specifying DNS servers for DHCP clients

¡     Specifying WINS servers and NetBIOS node type for DHCP clients

¡     Specifying BIMS server for DHCP clients

¡     Specifying the configuration file for DHCP client automatic configuration

¡     Specifying a server for DHCP clients

¡     Configuring Option 184 parameters for DHCP clients

¡     Customizing DHCP options

4.     (Optional.) Applying a DHCP address pool to a VPN instance

5.     (Optional.) Configuring the DHCP user class whitelist

Creating a DHCP address pool

1.     Enter system view.

system-view

2.     Create a DHCP address pool and enter its view.

dhcp server ip-pool pool-name

Specifying a primary subnet and multiple address ranges in a DHCP address pool

About a primary subnet and multiple address ranges in a DHCP address pool

Some scenarios need to classify DHCP clients on the same subnet into different address groups. To meet this need, you can configure DHCP user classes and specify different address ranges for the classes. The clients matching a user class can then get the IP addresses of an address range. In addition, you can specify a common address range for the clients that do not match any user class. If no common address range is specified, such clients fail to obtain IP addresses.

If there is no need to classify clients, you do not need to configure DHCP user classes or their address ranges.

Restrictions and guidelines

·     If you execute the network or address range command multiple times for the same address pool, the most recent configuration takes effect.

·     If you execute the forbidden-ip command multiple times, you exclude multiple address ranges from dynamic allocation.

·     IP addresses specified by the forbidden-ip command are not assignable in the current address pool, but are assignable in other address pools. IP addresses specified by the dhcp server forbidden-ip command are not assignable in any address pool.

·     You can use class range to modify an existing address range, and the new address range can include IP addresses that are being used by clients. Upon receiving a lease extension request for such an IP address, the DHCP server allocates a new IP address to the requesting client. But the original lease continues aging in the address pool, and will be released when the lease duration is reached. To release such lease without waiting for its timeout, execute the reset dhcp server ip-in-use command.

Procedure

1.     Enter system view.

system-view

2.     Enter DHCP address pool view.

dhcp server ip-pool pool-name

3.     Specify the primary subnet in the address pool.

network network-address [ mask-length | mask mask ]

By default, no primary subnet is specified.

4.     (Optional.) Specify the common address range.

address range start-ip-address end-ip-address

By default, no IP address range is specified.

5.     (Optional.) Specify an IP address range for a DHCP user class.

class class-name range start-ip-address end-ip-address

By default, no IP address range is specified for a user class.

The DHCP user class must already be created by using the dhcp class command.

6.     (Optional.) Set the address lease duration.

expired { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited }

The default setting is 1 day.

7.     (Optional.) Exclude the specified IP addresses in the address pool from dynamic allocation.

forbidden-ip ip-address&<1-8>

By default, all IP addresses in the DHCP address pool are assignable.

8.     (Optional.) Exclude the specified IP addresses from automatic allocation in system view.

a.     Return to system view.

quit

b.     Exclude the specified IP addresses from automatic allocation globally.

dhcp server forbidden-ip start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ]

By default, except for the IP address of the DHCP server interface, IP addresses in all address pools are assignable.

Specifying a primary subnet and multiple secondary subnets in a DHCP address pool

About a primary subnet and multiple secondary subnets in a DHCP address pool

If an address pool has a primary subnet and multiple secondary subnets, the server assigns IP addresses on a secondary subnet when the primary subnet has no assignable IP addresses.

Restrictions and guidelines

IP addresses specified by the forbidden-ip command are not assignable in the current address pool, but are assignable in other address pools. IP addresses specified by the dhcp server forbidden-ip command are not assignable in any address pool.

Specifying a primary subnet and multiple secondary subnets

1.     Enter system view.

system-view

2.     Enter DHCP address pool view.

dhcp server ip-pool pool-name

3.     Specify the primary subnet.

network network-address [ mask-length | mask mask ]

By default, no primary subnet is specified.

You can specify only one primary subnet in each address pool. If you execute the network command multiple times, the most recent configuration takes effect.

4.     (Optional.) Specify a secondary subnet.

network network-address [ mask-length | mask mask ] secondary

By default, no secondary subnet is specified.

You can specify a maximum of 32 secondary subnets in one address pool.

5.     (Optional.) Return to address pool view.

quit

Setting the lease duration for dynamically allocation IP addresses

1.     Enter system view.

system-view

2.     Enter DHCP address pool view.

dhcp server ip-pool pool-name

3.     Set the address lease duration.

expired { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited }

The default setting is 1 day.

Excluding IP addresses from dynamic allocation

1.     Enter system view.

system-view

2.     Enter DHCP address pool view.

dhcp server ip-pool pool-name

3.     Exclude the specified IP addresses from dynamic allocation.

forbidden-ip ip-address&<1-8>

By default, all IP addresses in the DHCP address pool are assignable.

To exclude multiple address ranges from the address pool, repeat this step.

4.     (Optional.) Exclude the specified IP addresses from dynamic allocation in system view.

a.     Return to system view.

quit

b.     Exclude the specified IP addresses from dynamic allocation globally.

dhcp server forbidden-ip start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ]

By default, except for the IP address of the DHCP server interface, IP addresses in all address pools are assignable.

To exclude multiple address ranges globally, repeat this step.

Configuring a static binding in a DHCP address pool

About static binding in a DHCP address pool

Some DHCP clients, such as a WWW server, need fixed IP addresses. To provide a fixed IP address for a client, you can statically bind the MAC address or ID of the client to an IP address in a DHCP address pool. When the client requests an IP address, the DHCP server assigns the IP address in the static binding to the client.

Restrictions and guidelines

·     The IP address of a static binding cannot be the address of the DHCP server interface. Otherwise, an IP address conflict occurs and the bound client cannot obtain an IP address correctly.

·     Multiple interfaces on the same device might all use DHCP to request a static IP address. In this case, use client IDs rather than the device's MAC address to identify the interfaces. Otherwise, IP address allocation will fail.

Procedure

1.     Enter system view.

system-view

2.     Enter DHCP address pool view.

dhcp server ip-pool pool-name

3.     Configure a static binding.

static-bind ip-address ip-address [ mask-length | mask mask ] { client-identifier client-identifier | hardware-address hardware-address [ ethernet | token-ring ] }

By default, no static binding is configured.

One IP address can be bound to only one client MAC or client ID. You cannot modify bindings that have been created. To change the binding for a DHCP client, you must delete the existing binding first.

4.     (Optional.) Set the lease duration for the IP address.

expired { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited }

By default, the lease duration is 1 day.

Specifying gateways for DHCP clients

About gateways for DHCP clients

DHCP clients send packets destined for other networks to a gateway. The DHCP server can assign the gateway address to the DHCP clients.

Restrictions and guidelines

You can specify gateway addresses in each address pool on the DHCP server. A maximum of 64 gateways can be specified in DHCP address pool view or secondary subnet view.

The DHCP server assigns gateway addresses to clients on a secondary subnet in the following ways:

·     If gateways are specified in both address pool view and secondary subnet view, DHCP assigns those specified in the secondary subnet view.

·     If gateways are specified in address pool view but not in secondary subnet view, DHCP assigns those specified in address pool view.

Procedure

1.     Enter system view.

system-view

2.     Enter DHCP address pool view.

dhcp server ip-pool pool-name

3.     Specify gateways.

gateway-list ip-address&<1-64>

By default, no gateway is specified.

4.     (Optional.) Specify gateways in secondary subnet view.

a.     Enter secondary subnet view.

network network-address [ mask-length | mask mask ] secondary

b.     Specify gateways.

gateway-list ip-address&<1-64>

By default, no gateway is specified.

Specifying a domain name suffix for DHCP clients

About domain name suffix for DHCP clients

You can specify a domain name suffix in a DHCP address pool on the DHCP server. With this suffix assigned, the client only needs to input part of a domain name, and the system adds the domain name suffix for name resolution. For more information about DNS, see "Configuring DNS."

Procedure

1.     Enter system view.

system-view

2.     Enter DHCP address pool view.

dhcp server ip-pool pool-name

3.     Specify a domain name suffix.

domain-name domain-name

By default, no domain name is specified.

Specifying DNS servers for DHCP clients

About DNS servers for DHCP clients

To access hosts on the Internet through domain names, a DHCP client must contact a DNS server to resolve names. You can specify up to eight DNS servers in a DHCP address pool.

Procedure

1.     Enter system view.

system-view

2.     Enter DHCP address pool view.

dhcp server ip-pool pool-name

3.     Specify DNS servers.

dns-list ip-address&<1-8>

By default, no DNS server is specified.

Specifying WINS servers and NetBIOS node type for DHCP clients

About WINS servers and NetBIOS node type for DHCP clients

A Microsoft DHCP client using NetBIOS protocol must contact a WINS server for name resolution.

In addition, you must specify one of the following NetBIOS node types to approach name resolution:

·     b (broadcast)-node—A b-node client sends the destination name in a broadcast message. The destination returns its IP address to the client after receiving the message.

·     p (peer-to-peer)-node—A p-node client sends the destination name in a unicast message to the WINS server. The WINS server returns the destination IP address.

·     m (mixed)-node—An m-node client broadcasts the destination name. If it receives no response, it unicasts the destination name to the WINS server to get the destination IP address.

·     h (hybrid)-node—An h-node client unicasts the destination name to the WINS server. If it receives no response, it broadcasts the destination name to get the destination IP address.

Procedure

1.     Enter system view.

system-view

2.     Enter DHCP address pool view.

dhcp server ip-pool pool-name

By default, no DHCP address pool exists.

3.     Specify WINS servers.

nbns-list ip-address&<1-8>

By default, no WINS server is specified.

This step is optional for b-node. You can specify a maximum of eight WINS servers for such clients in one DHCP address pool.

4.     Specify the NetBIOS node type.

netbios-type { b-node | h-node | m-node | p-node }

By default, no NetBIOS node type is specified.

Specifying BIMS server for DHCP clients

About BIMS server for DHCP clients

Perform this task to provide the BIMS server IP address, port number, and shared key for the clients. The DHCP clients contact the BIMS server to get configuration files and perform software upgrade and backup.

Procedure

1.     Enter system view.

system-view

2.     Enter DHCP address pool view.

dhcp server ip-pool pool-name

3.     Specify the BIMS server IP address, port number, and shared key.

bims-server ip ip-address [ port port-number ] sharekey { cipher | simple } string

By default, no BIMS server information is specified.

Specifying the configuration file for DHCP client automatic configuration

About configuration file for DHCP client automatic configuration

Automatic configuration enables a device to automatically obtain a set of configuration settings at startup. The server-based automatic configuration requires the cooperation of the DHCP server and file server (TFTP or HTTP server). The device uses the obtained parameters to contact the file server to get the configuration file. For more information about automatic configuration, see Fundamentals Configuration Guide.

Specifying the configuration file on a TFTP file server

1.     Enter system view.

system-view

2.     Enter DHCP address pool view.

dhcp server ip-pool pool-name

By default, no DHCP address pool exists.

3.     Specify the IP address or the name of a TFTP server.

¡     Specify the IP address of the TFTP server.

tftp-server ip-address ip-address

By default, no TFTP server IP address is specified.

¡     Specify the name of the TFTP server.

tftp-server domain-name domain-name

By default, no TFTP server name is specified.

4.     Specify the configuration file name.

bootfile-name bootfile-name

By default, no configuration file name is specified.

Specifying the URL of the configuration file on an HTTP file server

1.     Enter system view.

system-view

2.     Enter DHCP address pool view.

dhcp server ip-pool pool-name

3.     Specify the URL of the configuration file.

bootfile-name url

By default, no configuration file URL is specified.

Specifying a server for DHCP clients

About a server for DHCP clients

Some DHCP clients need to obtain configuration information from a server, such as a TFTP server. You can specify the IP address of that server. The DHCP server sends the server's IP address to DHCP clients along with other configuration information.

Procedure

1.     Enter system view.

system-view

2.     Enter DHCP address pool view.

dhcp server ip-pool pool-name

3.     Specify the IP address of a server.

next-server ip-address

By default, no server is specified.

Configuring Option 184 parameters for DHCP clients

About Option 184 parameters for DHCP clients

To assign calling parameters to DHCP clients with voice service, you must configure Option 184 on the DHCP server. For more information about Option 184, see "Option 184."

Procedure

1.     Enter system view.

system-view

2.     Enter DHCP address pool view.

dhcp server ip-pool pool-name

3.     Specify the IP address of the primary network calling processor.

voice-config ncp-ip ip-address

By default, no primary network calling processor is specified.

After you configure this command, the other Option 184 parameters take effect.

4.     (Optional.) Specify the IP address of the backup server.

voice-config as-ip ip-address

By default, no backup network calling processor is specified.

5.     (Optional.) Configure the voice VLAN.

voice-config voice-vlan vlan-id { disable | enable }

By default, no voice VLAN is configured.

6.     (Optional.) Specify the failover IP address and dialer string.

voice-config fail-over ip-address dialer-string

By default, no failover IP address or dialer string is specified.

Customizing DHCP options

DHCP option customization applications

You can customize DHCP options for the following purposes:

·     Add newly released options.

·     Add options for which the vendor defines the contents, for example, Option 43.

·     Add options for which the CLI does not provide a dedicated configuration command. For example, you can use the option 4 ip-address 1.1.1.1 command to define the time server address 1.1.1.1 for DHCP clients.

·     Add all option values if the actual requirement exceeds the limit for a dedicated option configuration command. For example, the dns-list command can specify up to eight DNS servers. To specify more than eight DNS servers, you must use the option 6 command to define all DNS servers.

Common DHCP options

Table 1 lists common DHCP options and their parameters.

Table 1 Common DHCP options

Option

Option name

Corresponding command

Recommended parameter in the option command

3

Router Option

gateway-list

ip-address

6

Domain Name Server Option

dns-list

ip-address

15

Domain Name

domain-name

ascii

44

NetBIOS over TCP/IP Name Server Option

nbns-list

ip-address

46

NetBIOS over TCP/IP Node Type Option

netbios-type

hex

66

TFTP server name

tftp-server

ascii

67

Boot file name

bootfile-name

ascii

43

Vendor Specific Information

N/A

hex

Restrictions and guidelines

Use caution when customizing DHCP options because the configuration might affect DHCP operation.

You can customize a DHCP option in a DHCP address pool

You can customize a DHCP option in a DHCP option group, and specify the option group for a user class in an address pool. A DHCP client in the user class will obtain the option configuration.

Customizing a DHCP option in a DHCP address pool

1.     Enter system view.

system-view

2.     Enter DHCP address pool view.

dhcp server ip-pool pool-name

3.     Customize a DHCP option.

option code { ascii ascii-string | hex hex-string | ip-address ip-address&<1-8> }

By default, no DHCP option is customized in a DHCP address pool.

DHCP options specified in DHCP option groups take precedence over those specified in DHCP address pools.

Customizing a DHCP option in a DHCP option group

1.     Enter system view.

system-view

2.     Create a DHCP option group and enter DHCP option group view.

dhcp option-group option-group-number

3.     Customize a DHCP option.

option code { ascii ascii-string | hex hex-string | ip-address ip-address&<1-8> }

By default, no DHCP option is customized in a DHCP option group.

If multiple DHCP option groups have the same option, the server selects the option in the DHCP option group first matching the user class.

4.     Return to system view.

quit

5.     Enter DHCP address pool view.

dhcp server ip-pool pool-name

6.     Specify the DHCP option group for the DHCP user class.

class class-name option-group option-group-number

By default, no DHCP option group is specified for a DHCP user class.

Applying a DHCP address pool to a VPN instance

About applying a DHCP address pool to a VPN instance

If a DHCP address pool is applied to a VPN instance, the DHCP server assigns IP addresses in this address pool to clients in the VPN instance. Addresses in this address pool will not be assigned to clients on the public network.

The DHCP server can obtain the VPN instance to which a DHCP client belongs from the following information:

·     The client's VPN information stored in authentication modules.

·     The VPN information of the DHCP server's interface that receives DHCP packets from the client.

If both VPN instances can be obtained, the VPN information from authentication modules takes priority over the VPN information of the receiving interface.

An MCE acting as the DHCP server can assign IP addresses not only to clients on public networks, but also to clients on private networks. The IP address ranges of public and private networks or those of private networks on the DHCP server cannot overlap. For more information about MCE, see MPLS Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enter DHCP address pool view.

dhcp server ip-pool pool-name

3.     Apply the address pool to a VPN instance.

vpn-instance vpn-instance-name

By default, the address pool is not applied to any VPN instance.

Configuring the DHCP user class whitelist

About DHCP user class whitelist

The DHCP user class whitelist allows the DHCP server to process requests only from clients on the DHCP user class whitelist.

Restrictions and guidelines

The whitelist does not take effect on clients who request static IP addresses, and the server always processes their requests.

Procedure

1.     Enter system view.

system-view

2.     Enter DHCP address pool view.

dhcp server ip-pool pool-name

3.     Enable the DHCP user class whitelist.

verify class

By default, the DHCP user class whitelist is disabled.

4.     Add DHCP user classes to the DHCP user class whitelist.

valid class class-name&<1-8>

By default, no DHCP user class is on the DHCP user class whitelist.

Applying an address pool to an interface

About applying an address pool to an interface

Perform this task to apply a DHCP address pool to an interface.

Upon receiving a DHCP request from the interface, the DHCP server performs address allocation in the following ways:

·     If a static binding is found for the client, the server assigns the static IP address and configuration parameters from the address pool that contains the static binding.

·     If no static binding is found for the client, the server uses the address pool applied to the interface for address and configuration parameter allocation.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Apply an address pool to the interface.

dhcp server apply ip-pool pool-name

By default, no address pool is applied to an interface.

If the applied address pool does not exist, the DHCP server fails to perform dynamic address allocation.

Configuring a DHCP policy for dynamic assignment

About a DHCP policy for dynamic assignment

In a DHCP policy, each DHCP user class has a bound DHCP address pool. Clients matching different user classes obtain IP addresses and other parameters from different address pools. The DHCP policy must be applied to the interface that acts as the DHCP server. When receiving a DHCP request, the DHCP server compares the packet against the user classes in the order that they are configured.

·     If a matching user class is found and the bound address pool has assignable IP addresses, the server assigns an IP address and other parameters from the address pool. If the address pool does not have assignable IP addresses, the address assignment fails.

·     If no match is found, the server assigns an IP address and other parameters from the default DHCP address pool. If no default address pool is specified or the default address pool does not have assignable IP addresses, the address assignment fails.

For successful address assignment, make sure the applied DHCP policy and the bound address pools exist.

Restrictions and guidelines

A DHCP policy take effect only after it is applied to an interface.

Procedure

1.     Enter system view.

system-view

2.     Create a DHCP policy and enter DHCP policy view.

dhcp policy policy-name

3.     Specify a DHCP address pool for a DHCP user class.

class class-name ip-pool pool-name

By default, no address pool is specified for a user class.

4.     Specify the default DHCP address pool.

default ip-pool pool-name

By default, no default address pool is specified.

5.     Return to system view.

quit

6.     Enter interface view.

interface interface-type interface-number

7.     Apply the DHCP policy to the interface.

dhcp apply-policy policy-name

By default, no DHCP policy is applied to an interface.

Enabling DHCP

Restrictions and guideline

You must enable DHCP to make other DHCP configurations take effect.

Procedure

1.     Enter system view.

system-view

2.     Enable DHCP.

dhcp enable

By default, DHCP is disabled.

Enabling the DHCP server on an interface

About enabling the DHCP server on an interface

Perform this task to enable the DHCP server on an interface. Upon receiving a DHCP request on the interface, the DHCP server assigns the client an IP address and other configuration parameters from a DHCP address pool.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable the DHCP server on the interface.

dhcp select server

By default, the DHCP server is enabled on the interface.

Configuring IP address conflict detection

About IP address conflict detection

Before assigning an IP address, the DHCP server pings that IP address.

·     If the server receives a response within the specified period, it selects and pings another IP address.

·     If it receives no response, the server continues to ping the IP address until the maximum number of ping packets are sent. If still no response is received, the server assigns the IP address to the requesting client. The DHCP client uses gratuitous ARP to perform IP address conflict detection.

Procedure

1.     Enter system view.

system-view

2.     (Optional.) Set the maximum number of ping packets to be sent for conflict detection.

dhcp server ping packets number

The default setting is one.

To disable IP address conflict detection, set the value to 0.

3.     (Optional.) Set the ping timeout time.

dhcp server ping timeout milliseconds

The default setting is 500 ms.

To disable IP address conflict detection, set the value to 0.

Enabling handling of Option 82

About handling of Option 82

Perform this task to enable the DHCP server to handle Option 82. Upon receiving a DHCP request that contains Option 82, the DHCP server adds Option 82 into the DHCP response.

If you disable the DHCP to handle Option 82, it does not add Option 82 into the response message.

You must enable handling of Option 82 on both the DHCP server and the DHCP relay agent to ensure correct processing for Option 82. For information about enabling handling of Option 82 on the DHCP relay agent, see "Configuring DHCP relay agent support for Option 82."

Procedure

1.     Enter system view.

system-view

2.     Enable the server to handle Option 82.

dhcp server relay information enable

By default, handling of Option 82 is enabled.

Configuring the DHCP server security features

Restrictions and guidelines

The DHCP server security features are not applicable if a DHCP relay agent exists in the network. This is because the MAC address of the DHCP relay agent is encapsulated as the source MAC address in the DHCP request received by the DHCP server. In this case, you must configure the DHCP relay agent security features. For more information, see "Configuring the DHCP relay agent security features."

Configuring DHCP flood attack protection

About DHCP flood attack protection

The DHCP flood attack protection enables the DHCP server to detect DHCP flood attacks according to the DHCP packet rate threshold on a per-MAC basis.

When the DHCP server receives a DHCP packet from a client (MAC address), it creates a DHCP flood attack entry in check state. If the number of DHCP packets from the same MAC address reaches the upper limit in the detection duration, the server determines that the client is launching a DHCP flood attack. The DHCP flood attack entry changes to the restrain state, and the DHCP server discards the DHCP packets from that client. When the aging time of the entry is reached, the DHCP server deletes the entry. If a DHCP packet from the MAC address arrives later, the DHCP server will create a flood attack entry and count the number of incoming DHCP packets for that client again.

Configuring DHCP flood attack protection in a common network

1.     Enter system view.

system-view

2.     (Optional.) Set the DHCP packet rate threshold for DHCP flood attack detection.

dhcp flood-protection threshold packet-number milliseconds

By default, the device allows a maximum of 6 DHCP packets per 5000 milliseconds from each DHCP client.

3.     (Optional.) Set the DHCP flood attack entry aging time.

dhcp flood-protection aging-time time

The default setting is 300 seconds.

4.     Enter interface view.

interface interface-type interface-number

5.     Enable DHCP flood attack protection.

dhcp flood-protection enable

By default, DHCP flood attack protection is disabled.

Configuring DHCP starvation attack protection

About DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system resources. For information about the fields in the DHCP messages, see "DHCP message format."

The following methods are available to relieve or prevent such attacks.

·     To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, perform the following configuration on an interface:

¡     Execute the mac-address max-mac-count command to set the MAC learning limit. For more information about this command, see Layer 2—LAN Switching Command Reference.

¡     Disable unknown frame forwarding when the MAC learning limit is reached.

·     To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, you can enable MAC address check on the DHCP server. The DHCP server compares the chaddr field of a received DHCP request with the source MAC address in the frame header. If they are the same, the DHCP server verifies this request as legal and processes it. If they are not the same, the server discards the DHCP request.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable MAC address check.

dhcp server check mac-address

By default, MAC address check is disabled.

Configuring DHCP server compatibility

Perform this task to enable the DHCP server to support DHCP clients that are incompliant with RFC.

Configuring the DHCP server to always broadcast responses

About configuring the DHCP server to always broadcast responses

By default, the DHCP server broadcasts a response only when the broadcast flag in the DHCP request is set to 1. You can configure the DHCP server to ignore the broadcast flag and always broadcast a response. This feature is useful when some clients set the broadcast flag to 0 but do not accept unicast responses.

The DHCP server always unicasts a response in the following situations, regardless of whether this feature is configured or not:

·     The DHCP request is from a DHCP client that has an IP address (the ciaddr field is not 0).

·     The DHCP request is forwarded by a DHCP relay agent from a DHCP client (the giaddr field is not 0).

Procedure

1.     Enter system view.

system-view

2.     Enable the DHCP server to always broadcast all responses.

dhcp server always-broadcast

By default, the DHCP server reads the broadcast flag to decide whether to broadcast or unicast a response.

Enabling the DHCP server to return a DHCP-NAK message upon client notions of incorrect IP addresses

About returning a DHCP-NAK message upon client notions of incorrect IP addresses

A DHCP client can send a DHCP-REQUEST message directly or upon receiving a DHCP-OFFER message. Upon receiving the request, the DHCP server will check if the client notion of its IP address is correct. If the requested IP address is different from the allocated one or has no matching lease record, the DHCP server remains silent by default. After the allocated IP address lease for the client expires, the DHCP server will make response to request from the client.

This feature enables the DHCP server to return DHCP-NAK messages if the client notions of their IP addresses are incorrect. After receiving the DHCP-NAK message, the DHCP client will request an IP address again.

Procedure

1.     Enter system view.

system-view

2.     Enable the DHCP server to return a DHCP-NAK message if the client notions of their IP addresses are incorrect.

dhcp server request-ip-address check

The DHCP server does not return a DHCP-NAK message if the client notions of their IP addresses are incorrect.

Configuring the DHCP server to ignore BOOTP requests

About configuring the DHCP server to ignore BOOTP requests

The lease duration of the IP addresses obtained by the BOOTP clients is unlimited. For some scenarios that do not allow unlimited leases, you can configure the DHCP server to ignore BOOTP requests.

Procedure

1.     Enter system view.

system-view

2.     Configure the DHCP server to ignore BOOTP requests.

dhcp server bootp ignore

By default, the DHCP server processes BOOTP requests.

Configuring the DHCP server to send BOOTP responses in RFC 1048 format

About configuring the DHCP server to send BOOTP responses in RFC 1048 format

Not all BOOTP clients can send requests that are compatible with RFC 1048. By default, the DHCP server does not process the Vend field of RFC 1048-incompliant requests but copies the Vend field into responses.

This feature enables the DHCP server to fill the Vend field in RFC 1048-compliant format in DHCP responses to RFC 1048-incompliant requests sent by BOOTP clients.

Restrictions and guidelines

This feature is effective for the BOOTP clients that request statically bound addresses.

Procedure

1.     Enter system view.

system-view

2.     Enable the DHCP server to send BOOTP responses in RFC 1048 format to the RFC 1048-incompliant BOOTP requests.

dhcp server bootp reply-rfc-1048

By default, the DHCP server directly copies the Vend field of such requests into the responses.

Setting the DSCP value for DHCP packets sent by the DHCP server

About DSCP value for DHCP packets

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.

Procedure

1.     Enter system view.

system-view

2.     Set the DSCP value for DHCP packets sent by the DHCP server.

dhcp dscp dscp-value

By default, the DSCP value in DHCP packets sent by the DHCP server is 56.

Configuring DHCP binding auto backup

About DHCP binding auto backup

The auto backup feature saves bindings to a backup file and allows the DHCP server to download the bindings from the backup file at the server reboot. The bindings include the lease bindings and conflicted IP addresses. They cannot survive a reboot on the DHCP server.

The DHCP server does not provide services during the download process. If a connection error occurs during the process and cannot be repaired in a short amount of time, you can terminate the download operation. Manual interruption allows the DHCP server to provide services without waiting for the connection to be repaired.

Procedure

1.     Enter system view.

system-view

2.     Configure the DHCP server to back up the bindings to a file.

dhcp server database filename { filename | url url [ username username [ password { cipher | simple } string ] ] }

By default, the DHCP server does not back up the DHCP bindings.

With this command executed, the DHCP server backs up its bindings immediately and runs auto backup.

3.     (Optional.) Manually save the DHCP bindings to the backup file.

dhcp server database update now

4.     (Optional.) Set the waiting time after a DHCP binding change for the DHCP server to update the backup file.

dhcp server database update interval interval

By default, the DHCP server waits 300 seconds to update the backup file after a DHCP binding change. If no DHCP binding changes, the backup file is not updated.

5.     (Optional.) Terminate the download of DHCP bindings from the backup file.

dhcp server database update stop

This command only triggers one termination.

Enabling client offline detection on the DHCP server

About client offline detection on the DHCP server

The client offline detection feature reclaims an assigned IP address and deletes the binding entry when the ARP entry for the IP address ages out.

Restrictions and guidelines

The feature does not function if an ARP entry is manually deleted.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable client offline detection.

dhcp client-detect

By default, client offline detection is disabled on the DHCP server.

Configuring address pool usage alarming

About address pool usage alarming

Perform this task to set the threshold for address pool usage alarming. When the threshold is exceeded, the system sends notifications to the SNMP module. For DHCP notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enter DHCP address pool view.

dhcp server ip-pool pool-name

3.     (Optional.) Set the threshold for address pool usage alarming.

ip-in-use threshold threshold-value

The default threshold is 100%.

Enabling DHCP logging on the DHCP server

About DHCP logging on the DHCP server

The DHCP logging feature enables the DHCP server to generate DHCP logs and send them to the information center. The information helps administrators locate and solve problems. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

Restrictions and guidelines

As a best practice, disable this feature if the log generation affects the device performance or reduces the address allocation efficiency. For example, this situation might occur when a large number of clients frequently come online or go offline.

Procedure

1.     Enter system view.

system-view

2.     Enable DHCP logging.

dhcp log enable

By default, DHCP logging is disabled.

Display and maintenance commands for DHCP server

IMPORTANT

IMPORTANT:

A restart of the DHCP server or execution of the reset dhcp server ip-in-use command deletes all lease information. The DHCP server denies any DHCP request for lease extension, and the client must request an IP address again.

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display information about IP address conflicts.

display dhcp server conflict [ ip ip-address ] [ vpn-instance vpn-instance-name ]

Display information about DHCP binding auto backup.

display dhcp server database

Display information about lease-expired IP addresses.

display dhcp server expired [ [ ip ip-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]

Display information about assignable IP addresses.

display dhcp server free-ip [ pool pool-name | vpn-instance vpn-instance-name ]

Display information about assigned IP addresses.

display dhcp server ip-in-use [ [ ip ip-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]

Display information about DHCP address pools.

display dhcp server pool [ pool-name | vpn-instance vpn-instance-name ]

Display DHCP server statistics.

display dhcp server statistics [ pool pool-name | vpn-instance vpn-instance-name ]

Clear information about IP address conflicts.

reset dhcp server conflict [ ip ip-address ] [ vpn-instance vpn-instance-name ]

Clear information about lease-expired IP addresses.

reset dhcp server expired [ [ ip ip-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]

Clear information about assigned IP addresses.

reset dhcp server ip-in-use [ [ ip ip-address ] [ vpn-instance vpn-instance-name ] | pool pool-name ]

Clear DHCP server statistics.

reset dhcp server statistics [ vpn-instance vpn-instance-name ]

DHCP server configuration examples

Example: Configuring static IP address assignment

Network configuration

As shown in Figure 8, Switch B (DHCP client) and Switch C (BOOTP client) obtain the IP address, DNS server address, and gateway address from Switch A (DHCP server).

The client ID of VLAN-interface 2 on Switch B is 0030-3030-662e-6532-3030-2e30-3030-322d-4574-6865-726e-6574.

The MAC address of VLAN-interface 2 on Switch C is 000f-e200-01c0.

Figure 8 Network diagram

Procedure

1.     Specify an IP address for VLAN-interface 2 on Switch A.

<SwitchA> system-view

[SwitchA] interface vlan-interface 2

[SwitchA-Vlan-interface2] ip address 10.1.1.1 25

[SwitchA-Vlan-interface2] quit

2.     Configure the DHCP server:

# Create DHCP address pool 0.

[SwitchA] dhcp server ip-pool 0

# Configure a static binding for Switch B.

[SwitchA-dhcp-pool-0] static-bind ip-address 10.1.1.5 25 client-identifier 0030-3030-662e-6532-3030-2e30-3030-322d-4574-6865-726e-6574

# Configure a static binding for Switch C.

[SwitchA-dhcp-pool-0] static-bind ip-address 10.1.1.6 25 hardware-address 000f-e200-01c0

# Specify the DNS server address and the gateway address.

[SwitchA-dhcp-pool-0] dns-list 10.1.1.2

[SwitchA-dhcp-pool-0] gateway-list 10.1.1.126

[SwitchA-dhcp-pool-0] quit

[SwitchA]

# Enable DHCP.

[SwitchA] dhcp enable

# Enable the DHCP server on VLAN-interface 2.

[SwitchA] interface vlan-interface 2

[SwitchA-Vlan-interface2] dhcp select server

[SwitchA-Vlan-interface2] quit

Verifying the configuration

# Verify that Switch B can obtain IP address 10.1.1.5 and all other network parameters from Switch A. (Details not shown.)

# Verify that Switch C can obtain IP address 10.1.1.6 and all other network parameters from Switch A. (Details not shown.)

# On the DHCP server, display the IP addresses assigned to the clients.

[SwitchA] display dhcp server ip-in-use

IP address       Client-identifier/    Lease expiration      Type

                 Hardware address

10.1.1.5         0030-3030-662e-6532-  Jan 21 14:27:27 2014  Static(C)

                 3030-2e30-3030-322d-

                 4574-6865-726e-6574

10.1.1.6         000f-e200-01c0        Unlimited             Static(C)

Example: Configuring dynamic IP address assignment

Network configuration

As shown in Figure 9, the DHCP server (Switch A) assigns IP addresses to clients on subnet 10.1.1.0/24, which is subnetted into 10.1.1.0/25 and 10.1.1.128/25.

Configure DHCP server on Switch A to implement the following assignment scheme.

Table 2 Assignment scheme

DHCP clients

IP address

Lease

Other configuration parameters

Clients connected to VLAN-interface 10

IP addresses on subnet 10.1.1.0/25

10 days and 12 hours

·     Gateway: 10.1.1.126/25

·     DNS server: 10.1.1.2/25

·     Domain name: aabbcc.com

·     WINS server: 10.1.1.4/25

Clients connected to VLAN-interface 20

IP addresses on subnet 10.1.1.128/25

Five days

·     Gateway: 10.1.1.254/25

·     DNS server: 10.1.1.2/25

·     Domain name: aabbcc.com

Figure 9 Network diagram

Procedure

1.     Specify IP addresses for the VLAN interfaces. (Details not shown.)

2.     Configure the DHCP server:

# Exclude the DNS server address, WINS server address, and gateway addresses from dynamic allocation.

<SwitchA> system-view

[SwitchA] dhcp server forbidden-ip 10.1.1.2

[SwitchA] dhcp server forbidden-ip 10.1.1.4

[SwitchA] dhcp server forbidden-ip 10.1.1.126

[SwitchA] dhcp server forbidden-ip 10.1.1.254

# Configure DHCP address pool 1 to assign IP addresses and other configuration parameters to clients on subnet 10.1.1.0/25.

[SwitchA] dhcp server ip-pool 1

[SwitchA-dhcp-pool-1] network 10.1.1.0 mask 255.255.255.128

[SwitchA-dhcp-pool-1] expired day 10 hour 12

[SwitchA-dhcp-pool-1] domain-name aabbcc.com

[SwitchA-dhcp-pool-1] dns-list 10.1.1.2

[SwitchA-dhcp-pool-1] gateway-list 10.1.1.126

[SwitchA-dhcp-pool-1] nbns-list 10.1.1.4

[SwitchA-dhcp-pool-1] quit

# Configure DHCP address pool 2 to assign IP addresses and other configuration parameters to clients on subnet 10.1.1.128/25.

[SwitchA] dhcp server ip-pool 2

[SwitchA-dhcp-pool-2] network 10.1.1.128 mask 255.255.255.128

[SwitchA-dhcp-pool-2] expired day 5

[SwitchA-dhcp-pool-2] domain-name aabbcc.com

[SwitchA-dhcp-pool-2] dns-list 10.1.1.2

[SwitchA-dhcp-pool-2] gateway-list 10.1.1.254

[SwitchA-dhcp-pool-2] quit

# Enable DHCP.

[SwitchA] dhcp enable

# Enable the DHCP server on VLAN-interface 10 and VLAN-interface 20.

[SwitchA] interface vlan-interface 10

[SwitchA-Vlan-interface10] dhcp select server

[SwitchA-Vlan-interface10] quit

[SwitchA] interface vlan-interface 20

[SwitchA-Vlan-interface20] dhcp select server

[SwitchA-Vlan-interface20] quit

Verifying the configuration

# Verify that clients on subnets 10.1.1.0/25 and 10.1.1.128/25 can obtain correct IP addresses and all other network parameters from Switch A. (Details not shown.)

# On the DHCP server, display the IP addresses assigned to the clients.

[SwitchA] display dhcp server ip-in-use

IP address       Client-identifier/    Lease expiration      Type

                 Hardware address

10.1.1.3         0031-3865-392e-6262-  Jan 14 22:25:03 2015  Auto(C)

                 3363-2e30-3230-352d-

                 4745-302f-30

10.1.1.5         0031-fe65-4203-7e02-  Jan 14 22:25:03 2015  Auto(C)

                 3063-5b30-3230-4702-

                 620e-712f-5e

10.1.1.130       3030-3030-2e30-3030-  Jan 9 10:45:11 2015   Auto(C)

                 662e-3030-3033-2d45-

                 7568-6572-1e

10.1.1.131       3030-0020-fe02-3020-  Jan 9 10:45:11 2015   Auto(C)

                 7052-0201-2013-1e02

                 0201-9068-23

10.1.1.132       2020-1220-1102-3021-  Jan 9 10:45:11 2015   Auto(C)

                 7e52-0211-2025-3402

                 0201-9068-9a

10.1.1.133       2021-d012-0202-4221-  Jan 9 10:45:11 2015   Auto(C)

                 8852-0203-2022-55e0

                 3921-0104-31

Example: Configuring DHCP user class

Network requirement

As shown in Figure 10, the DHCP relay agent (Switch A) forwards DHCP packets between DHCP clients and the DHCP server (Switch B). Enable switch A to support Option 82 so that switch A can add Option 82 in the DHCP requests sent by the DHCP clients.

Configure the address allocation scheme as follows:

 

Assign IP addresses

To clients

10.10.1.2 to 10.10.1.10

The DHCP request contains Option 82.

10.10.1.11 to 10.10.1.26

The hardware address in the request is six bytes long and begins with aabb-aabb-aab.

For clients on subnet 10.10.1.0/24, the DNS server address is 10.10.1.20/24 and the gateway address is 10.10.1.254/24.

Figure 10 Network diagram

Procedure

1.     Specify IP addresses for interfaces on the DHCP server and the DHCP relay agent. (Details not shown.)

2.     Configure DHCP services:

# Create DHCP user class tt and configure a match rule to match client requests with Option 82.

<SwitchB> system-view

[SwitchB] dhcp class tt

[SwitchB-dhcp-class-tt] if-match rule 1 option 82

[SwitchB-dhcp-class-tt] quit

# Create DHCP user class ss and configure a match rule to match DHCP requests in which the hardware address is six bytes long and begins with aabb-aabb-aab.

[SwitchB] dhcp class ss

[SwitchB-dhcp-class-ss] if-match rule 1 hardware-address aabb-aabb-aab0 mask ffff-ffff-fff0

[SwitchB-dhcp-class-ss] quit

# Create DHCP address pool aa.

[SwitchB] dhcp server ip-pool aa

# Specify the subnet for dynamic allocation.

[SwitchB-dhcp-pool-aa] network 10.10.1.0 mask 255.255.255.0

# Specify the address range for dynamic allocation.

[SwitchB-dhcp-pool-aa] address range 10.10.1.2 10.10.1.100

# Specify the address range for user class tt.

[SwitchB-dhcp-pool-aa] class tt range 10.10.1.2 10.10.1.10

# Specify the address range for user class ss.

[SwitchB-dhcp-pool-aa] class ss range 10.10.1.11 10.10.1.26

# Specify the gateway address and the DNS server address.

[SwitchB-dhcp-pool-aa] gateway-list 10.10.1.254

[SwitchB-dhcp-pool-aa] dns-list 10.10.1.20

[SwitchB-dhcp-pool-aa] quit

# Enable DHCP and configure the DHCP server to handle Option 82.

[SwitchB] dhcp enable

[SwitchB] dhcp server relay information enable

# Enable DHCP server on VLAN-interface 10.

[SwitchB] interface vlan-interface 10

[SwitchB-Vlan-interface10] dhcp select server

[SwitchB-Vlan-interface10] quit

Verifying the configuration

# Verify that clients matching the user classes can obtain IP addresses in the specified ranges and all other configuration parameters from the DHCP server. (Details not shown.)

# Display the IP address assigned by the DHCP server.

[SwitchB] display dhcp server ip-in-use

IP address       Client-identifier/    Lease expiration      Type

                 Hardware address

10.10.1.2        0031-3865-392e-6262-  Jan 14 22:25:03 2015  Auto(C)

                 3363-2e30-3230-352d-

                 4745-302f-30

10.10.1.11       aabb-aabb-aab1        Jan 14 22:25:03 2015  Auto(C)

Example: Configuring DHCP user class whitelist

Network configuration

As shown in Figure 11, configure the DHCP user class whitelist to allow the DHCP server to assign IP addresses to clients whose hardware addresses are six bytes long and begin with aabb-aabb.

Figure 11 Network diagram

Procedure

1.     Specify IP addresses for the interfaces on the DHCP server. (Details not shown.)

2.     Configure DHCP:

# Create DHCP user class ss and configure a match rule to match DHCP requests in which the hardware address is six bytes long and begins with aabb-aabb.

<SwitchB> system-view

[SwitchB] dhcp class ss

[SwitchB-dhcp-class-ss] if-match rule 1 hardware-address aabb-aabb-0000 mask ffff-ffff-0000

[SwitchB-dhcp-class-ss] quit

# Create DHCP address pool aa.

[SwitchB] dhcp server ip-pool aa

# Specify the subnet for dynamic allocation.

[SwitchB-dhcp-pool-aa] network 10.1.1.0 mask 255.255.255.0

# Enable the DHCP user class whitelist.

[SwitchB-dhcp-pool-aa] verify class

# Add DHCP user class ss to the DHCP user class whitelist.

[SwitchB-dhcp-pool-aa] valid class ss

[SwitchB-dhcp-pool-aa] quit

# Enable DHCP.

[SwitchB] dhcp enable

# Enable DHCP server on VLAN-interface 2.

[SwitchB] interface vlan-interface 2

[SwitchB-Vlan-interface2] dhcp select server

[SwitchB-Vlan-interface2] quit

Verifying the configuration

# Verify that clients matching the DHCP user class can obtain IP addresses on subnet 10.1.1.0/24 from the DHCP server. (Details not shown.)

# On the DHCP server, display the IP addresses assigned to the clients.

[SwitchB] display dhcp server ip-in-use

IP address       Client-identifier/    Lease expiration      Type

                 Hardware address

10.1.1.2         aabb-aabb-ab01        Jan 14 22:25:03 2015  Auto(C)

Example: Configuring primary and secondary subnets

Network configuration

As shown in Figure 12, the DHCP server (Switch A) dynamically assigns IP addresses to clients in the LAN.

Configure two subnets in the address pool on the DHCP server: 10.1.1.0/24 as the primary subnet and 10.1.2.0/24 as the secondary subnet. The DHCP server selects IP addresses from the secondary subnet when the primary subnet has no assignable addresses.

Switch A assigns the following parameters:

·     The default gateway 10.1.1.254/24 to clients on subnet 10.1.1.0/24.

·     The default gateway 10.1.2.254/24 to clients on subnet 10.1.2.0/24.

Figure 12 Network diagram

 

Procedure

# Create DHCP address pool aa.

<SwitchA> system-view

[SwitchA] dhcp server ip-pool aa

# Specify the primary subnet and the gateway address for dynamic allocation.

[SwitchA-dhcp-pool-aa] network 10.1.1.0 mask 255.255.255.0

[SwitchA-dhcp-pool-aa] gateway-list 10.1.1.254

# Specify the secondary subnet and the gateway address for dynamic allocation.

[SwitchA-dhcp-pool-aa] network 10.1.2.0 mask 255.255.255.0 secondary

[SwitchA-dhcp-pool-aa-secondary] gateway-list 10.1.2.254

[SwitchA-dhcp-pool-aa-secondary] quit

[SwitchA-dhcp-pool-aa] quit

# Enable DHCP.

[SwitchA] dhcp enable

# Configure the primary and secondary IP addresses of VLAN-interface 10.

[SwitchA] interface vlan-interface 10

[SwitchA-Vlan-interface10] ip address 10.1.1.1 24

[SwitchA-Vlan-interface10] ip address 10.1.2.1 24 sub

# Enable the DHCP server on VLAN-interface 10.

[SwitchA-Vlan-interface10] dhcp select server

[SwitchA-Vlan-interface10] quit

Verifying the configuration

# Verify that the DHCP server assigns clients IP addresses and gateway address from the secondary subnet when no address is available from the primary subnet. (Details not shown.)

# Display the primary and secondary subnet IP addresses the DHCP server has assigned. The following is part of the command output.

[SwitchA] display dhcp server ip-in-use

IP address       Client-identifier/    Lease expiration      Type

                 Hardware address

10.1.1.2         0031-3865-392e-6262-  Jan 14 22:25:03 2015  Auto(C)

                 3363-2e30-3230-352d-

                 4745-302f-30

10.1.2.2         3030-3030-2e30-3030-  Jan 14 22:25:03 2015  Auto(C)

                 662e-3030-3033-2d45-

                 7568-6572-1e

Example: Customizing DHCP option

Network configuration

As shown in Figure 13, DHCP clients obtain IP addresses and PXE server addresses from the DHCP server (Switch A). The subnet for address allocation is 10.1.1.0/24.

Configure the address allocation scheme as follows:

 

Assign PXE addresses

To clients

2.3.4.5 and 3.3.3.3

The hardware address in the request is six bytes long and begins with aabb-aabb.

1.2.3.4 and 2.2.2.2.

Other clients.

The DHCP server assigns PXE server addresses to DHCP clients through Option 43, a customized option. The format of Option 43 and that of the PXE server address sub-option are shown in Figure 5 and Figure 7. For example, the value of Option 43 configured in the DHCP address pool is 80 0B 00 00 02 01 02 03 04 02 02 02 02.

·     The number 80 is the value of the sub-option type.

·     The number 0B is the value of the sub-option length.

·     The numbers 00 00 are the value of the PXE server type.

·     The number 02 indicates the number of servers.

·     The numbers 01 02 03 04 02 02 02 02 indicate that the PXE server addresses are 1.2.3.4 and 2.2.2.2.

Figure 13 Network diagram

Procedure

1.     Specify IP addresses for the interfaces. (Details not shown.)

2.     Configure the DHCP server:

# Create DHCP user class ss and configure a match rule to match DHCP requests in which the hardware address is six bytes long and begins with aabb-aabb.

<SwitchA> system-view

[SwitchA] dhcp class ss

[SwitchA-dhcp-class-ss] if-match rule 1 hardware-address aabb-aabb-0000 mask ffff-ffff-0000

[SwitchA-dhcp-class-ss] quit

# Create DHCP option group 1 and customize Option 43.

[SwitchA] dhcp option-group 1

[SwitchA-dhcp-option-group-1] option 43 hex 800B0000020203040503030303

# Enable the DHCP server on VLAN-interface 2.

[SwitchA] interface vlan-interface 2

[SwitchA-Vlan-interface2] dhcp select server

[SwitchA-Vlan-interface2] quit

# Create DHCP address pool 0.

[SwitchA] dhcp server ip-pool 0

# Specify the subnet for dynamic address allocation.

[SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0

# Customize Option 43.

[SwitchA-dhcp-pool-0] option 43 hex 800B0000020102030402020202

# Associate DHCP user class ss with option group 1.

[SwitchA-dhcp-pool-0] class ss option-group 1

[SwitchA-dhcp-pool-0] quit

# Enable DHCP.

[SwitchA] dhcp enable

Verifying the configuration

# Verify that Switch B can obtain an IP address on subnet 10.1.1.0/24 and the corresponding PXE server addresses from Switch A. (Details not shown.)

# On the DHCP server, display the IP addresses assigned to the clients.

[SwitchA] display dhcp server ip-in-use

IP address       Client-identifier/    Lease expiration      Type

                 Hardware address

10.1.1.2         aabb-aabb-ab01        Jan 14 22:25:03 2015  Auto(C)

Troubleshooting DHCP server configuration

Failure to obtain a non-conflicting IP address

Symptom

A client's IP address obtained from the DHCP server conflicts with an IP address of another host.

Solution

Another host on the subnet might have the same IP address.

To resolve the problem:

1.     Disable the client's network adapter or disconnect the client's network cable. Ping the IP address of the client from another host to check whether there is a host using the same IP address.

2.     If a ping response is received, the IP address has been manually configured on a host. Execute the dhcp server forbidden-ip command on the DHCP server to exclude the IP address from dynamic allocation.

3.     Enable the network adapter or connect the network cable, release the IP address, and obtain another one on the client. For example, to release the IP address and obtain another one on a Windows XP DHCP client:

a.     In Windows environment, execute the cmd command to enter the DOS environment.

b.     Enter ipconfig /release to relinquish the IP address.

c.     Enter ipconfig /renew to obtain another IP address.


Configuring the DHCP relay agent

About DHCP relay agent

The DHCP relay agent enables clients to get IP addresses and configuration parameters from a DHCP server on another subnet.

Figure 14 shows a typical application of the DHCP relay agent.

Figure 14 DHCP relay agent application

DHCP relay agent operation

The DHCP server and client interact with each other in the same way regardless of whether the relay agent exists. For the interaction details, see "IP address allocation process." The following only describes steps related to the DHCP relay agent:

1.     After receiving a DHCP-DISCOVER or DHCP-REQUEST broadcast message from a DHCP client, the DHCP relay agent processes the message as follows:

a.     Fills the giaddr field of the message with its IP address.

b.     Unicasts the message to the designated DHCP server.

2.     Based on the giaddr field, the DHCP server returns an IP address and other configuration parameters in a response.

3.     The relay agent conveys the response to the client.

Figure 15 DHCP relay agent operation

DHCP relay agent support for Option 82

Option 82 records the location information about the DHCP client. It enables the administrator to perform the following tasks:

·     Locate the DHCP client for security and accounting purposes.

·     Assign IP addresses in a specific range to clients.

For more information about Option 82, see "Relay agent option (Option 82)."

If the DHCP relay agent supports Option 82, it handles DHCP requests by following the strategies described in Table 3.

If a response returned by the DHCP server contains Option 82, the DHCP relay agent removes the Option 82 before forwarding the response to the client.

Table 3 Handling strategies of the DHCP relay agent

If a DHCP request has…

Handling strategy

The DHCP relay agent…

Option 82

Drop

Drops the message.

Keep

Forwards the message without changing Option 82.

Replace

Forwards the message after replacing the original Option 82 with the Option 82 padded according to the configured padding format, padding content, and code type.

No Option 82

N/A

Forwards the message after adding Option 82 padded according to the configured padding format, padding content, and code type.

DHCP relay agent support for MCE

An MCE device acting as the DHCP relay agent can forward DHCP packets between a DHCP server and clients on either a public network or a private network. For more information about MCE, see MPLS Configuration Guide.

DHCP relay agent tasks at a glance

To configure a DHCP relay agent, perform the following tasks:

1.     Enabling DHCP

2.     Enabling the DHCP relay agent on an interface

3.     Specifying DHCP servers

4.     (Optional.) Configuring advanced features:

¡     Specifying a DHCP relay address pool for DHCP clients

¡     Configuring the DHCP relay agent security features

¡     Configuring the DHCP relay agent to release an IP address

¡     Configuring DHCP relay agent support for Option 82

¡     Enabling Option 60 insertion into DHCP requests

¡     Setting the DSCP value for DHCP packets sent by the DHCP relay agent

¡     Specifying the DHCP relay agent address for the giaddr field

¡     Specifying the source IP address for relayed DHCP requests

¡     Discarding DHCP requests that are delivered from VXLAN tunnels

¡     Configuring DHCP relay agent support for forwarding DHCP replies based on MAC address table

Enabling DHCP

Restrictions and guidelines

You must enable DHCP to make other DHCP relay agent settings take effect.

Procedure

1.     Enter system view.

system-view

2.     Enable DHCP.

dhcp enable

By default, DHCP is disabled.

Enabling the DHCP relay agent on an interface

About enabling the DHCP relay agent on an interface

With the DHCP relay agent enabled, an interface forwards incoming DHCP requests to a DHCP server.

An IP address pool that contains the IP address of the DHCP relay interface must be configured on the DHCP server. Otherwise, the DHCP clients connected to the relay agent cannot obtain correct IP addresses.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable the DHCP relay agent.

dhcp select relay

By default, when DHCP is enabled, an interface operates in the DHCP server mode.

Specifying DHCP servers

Specifying DHCP servers on a relay agent

About specifying DHCP servers on a relay agent

To improve availability, you can specify several DHCP servers on the DHCP relay agent. When the interface receives request messages from clients, the relay agent forwards them to all DHCP servers.

Restrictions and guidelines

The IP address of any specified DHCP server must not reside on the same subnet as the IP address of the relay interface. Otherwise, the clients might fail to obtain IP addresses.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Specify a DHCP server address on the relay agent.

dhcp relay server-address ip-address [ class class-name ] [ public | vpn-instance vpn-instance-name ]

By default, no DHCP server address is specified on the relay agent.

To specify multiple DHCP server addresses, repeat this step. You can specify a maximum of eight DHCP servers.

Specifying DHCP servers in a DHCP relay address pool

About specifying DHCP servers in a DHCP relay address pool

DHCP address pools created on a DHCP relay agent are called DHCP relay address pools. You can create a relay address pool and specify DHCP servers in this address pool. This feature allows DHCP clients of the same type to obtain IP addresses and other configuration parameters from the DHCP servers specified in the matching DHCP relay address pool.

It applies to scenarios where the DHCP relay agent connects to clients of the same access type but classified into different types by their locations. In this case, the relay interface typically has no IP address configured. You can use the gateway-list command to specify gateway addresses for clients matching the same DHCP relay address pool and bind the gateway addresses to the device's MAC address.

Upon receiving a DHCP DISCOVER or REQUEST from a client that matches a DHCP relay address pool, the relay agent processes the packet as follows:

·     Fills the giaddr field of the packet with a specified gateway address.

·     Forwards the packet to all DHCP servers in the matching DHCP relay address pool.

The DHCP servers select a DHCP relay address pool according to the gateway address.

Procedure

1.     Enter system view.

system-view

2.     Create a DHCP relay address pool and enter its view.

dhcp server ip-pool pool-name

3.     Specify gateways in the DHCP relay address pool.

gateway-list ip-address&<1-64>

By default, no gateway address is specified.

4.     Specify DHCP servers in the DHCP relay address pool.

remote-server ip-address&<1-8> [ public | vpn-instance vpn-instance-name ]

By default, no DHCP server is specified in the DHCP relay address pool.

You can specify a maximum of eight DHCP servers in one DHCP relay address pool for high availability.

Specifying the DHCP server selecting algorithm

About DHCP server selecting algorithm

The DHCP relay agent supports the polling and master-backup DHCP server selecting algorithms.

By default, the DHCP relay agent uses the polling algorithm. It forwards DHCP requests to all DHCP servers. The DHCP clients select the DHCP server from which the first received DHCP reply comes.

If the DHCP relay agent uses the master-backup algorithm, it forwards DHCP requests to the master DHCP server first. If the master DHCP server is not available, the relay agent forwards the subsequent DHCP requests to a backup DHCP server. If the backup DHCP server is not available, the relay agent selects the next backup DHCP server, and so on. If no backup DHCP server is available, it repeats the process starting from the master DHCP server.

The master DHCP server is determined in one of the following ways:

·     In a common network where multiple DHCP server addresses are specified on the DHCP relay interface, the first specified DHCP server is the master. The other DHCP servers are backup.

·     In a network where DHCP relay address pools are configured on the DHCP relay agent, the first specified DHCP server in a DHCP relay address pool is the master. The other DHCP servers in the DHCP relay address pool are backup.

DHCP server selection supports the following functions:

·     DHCP server response timeout time—The DHCP relay agent determines that a DHCP server is not available if it does not receive any response from the server within the DHCP server response timeout time. The DHCP server response timeout time is configurable and the default is 30 seconds.

·     DHCP server switchback—If the DHCP relay agent selects a backup DHCP server, it does not switch back to the master DHCP server by default. You can configure the DHCP relay agent to switch back to the master DHCP server after a delay. If the master DHCP server is available, the DHCP relay agent forwards DHCP requests to the master DHCP server. If the master DHCP server is not available, the DHCP relay agent still uses the backup DHCP server.

Specifying the DHCP server selecting algorithm in interface view

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Specify the DHCP server selecting algorithm.

dhcp relay server-address algorithm { master-backup | polling }

By default, the polling algorithm is used. The DHCP relay agent forwards DHCP requests to all DHCP servers.

4.     (Optional.) Set the DHCP server response timeout time for DHCP server switchover.

dhcp relay dhcp-server timeout time

By default, the DHCP server response timeout time is 30 seconds.

5.     (Optional.) Enable the switchback to the master DHCP server and set the delay time.

dhcp relay master-server switch-delay delay-time

By default, the DHCP relay agent does not switch back to the master DHCP server.

Specifying the DHCP server selecting algorithm in DHCP relay address pool view

1.     Enter system view.

system-view

2.     Enter DHCP relay address pool view.

dhcp server ip-pool pool-name

3.     Specify the DHCP server selecting algorithm.

dhcp relay server-address algorithm { master-backup | polling }

By default, the polling algorithm is used. The DHCP relay agent forwards DHCP requests to all DHCP servers.

4.     (Optional.) Set the DHCP server response timeout time for DHCP server switchover.

dhcp-server timeout time

By default, the DHCP server response timeout time is 30 seconds.

5.     (Optional.) Enable the switchback to the master DHCP server and set the delay time.

master-server switch-delay delay-time

By default, the DHCP relay agent does not switch back to the master DHCP server.

Specifying a DHCP relay address pool for DHCP clients

About specifying a DHCP relay address pool for DHCP clients

After you configure multiple DHCP relay address pools on a DHCP relay agent, you can specify these pools on an interface. To match DHCP clients based on options, you can define option settings when you specify the relay address pools.

If you specify multiple DHCP relay address pools on an interface, the relay agent selects a DHCP relay address pool for a DHCP client as follows:

1.     Compares option values in the DHCP request in descending order against option values in DHCP relay address pools.

¡     If a match (other than 60) is found, the matching process stops and the relay agent selects that matching relay address pool.

¡     If the matching option value is 60, the relay agent continues to compare the Option 60 content in the request and the Option 60 string in the relay address pool:

-     If the Option 60 content matches the string, the relay address pool is selected.

-     If the Option 60 content does not match the string, the relay address pool is not selected. If another relay address pool is specified to match Option 60 but has no Option 60 string defined, the relay agent selects that relay address pool.

2.     If still no DHCP relay address pool is matched, the relay agent selects the DHCP relay address pool with no options specified.

Restrictions and guidelines

If you specify DHCP servers by configuring both of the following methods on an interface, the DHCP relay address pool setting takes effect.

·     Specify DHCP relay address pools by using the dhcp relay pool command.

·     Specify DHCP servers directly on an interface by using the dhcp relay server-address command.

When you specify a DHCP relay address pool on an interface to define the DHCP servers, make sure the remote-server command is configured in the DHCP relay address pool. Otherwise, the relay agent drops DHCP requests. The DHCP requests are not forwarded to any DHCP server even if the dhcp relay server-address command is configured.

Procedure

1.     Enter system view.

system-view

2.     Create a DHCP relay address pool and enter its view.

dhcp server ip-pool pool-name

By default, no DHCP relay address pools exist.

3.     Specify DHCP servers in the DHCP relay address pool.

remote-server ip-address&<1-8> [ public | vpn-instance vpn-instance-name ]

By default, no DHCP server is specified in the DHCP relay address pool.

4.     Specify gateway addresses for the clients matching the DHCP relay address pool.

gateway-list ip-address&<1-64>

By default, no gateway address is specified.

5.     Specify the DHCP server selecting algorithm.

remote-server algorithm { master-backup | polling }

By default, the polling algorithm is used. The DHCP relay agent forwards DHCP requests to all DHCP servers at the same time.

6.     Return to system view.

quit

7.     Enter interface view.

interface interface-type interface-number

8.     Specify a DHCP relay address pool for DHCP clients.

dhcp relay pool pool-name [ option { 60 [ option-text ] | code } ]

By default, no DHCP relay address pool is specified for DHCP clients.

Configuring the DHCP relay agent security features

Restrictions and guidelines for DHCP relay agent security feature configuration

If the DHCP relay agent is an EVPN distributed gateway, it cannot receive replies from the DHCP server when recording relay entries and periodic refresh of dynamic relay entries are enabled. As a result, the relay agent cannot record dynamic relay entries or might delete them mistakenly. If the relay agent must record and refresh relay entries, enable the DHCP server proxy on the relay agent. When DHCP requests pass through the DHCP server proxy, it records or refreshes the client's IP-to-MAC bindings.

Enabling the DHCP relay agent to record relay entries

About enabling the DHCP relay agent to record relay entries

Perform this task to enable the DHCP relay agent to automatically record clients' IP-to-MAC bindings (relay entries) after they obtain IP addresses through DHCP.

Some security features use the relay entries to check incoming packets and block packets that do not match any entry. In this way, illegal hosts are not able to access external networks through the relay agent. Examples of the security features are ARP address check, authorized ARP, and IP source guard.

Restrictions and guidelines

The DHCP relay agent does not record IP-to-MAC bindings for DHCP clients running on synchronous/asynchronous serial interfaces.

Procedure

1.     Enter system view.

system-view

2.     Enable the relay agent to record relay entries.

dhcp relay client-information record

By default, the relay agent does not record relay entries.

Enabling periodic refresh of dynamic relay entries

About enabling periodic refresh of dynamic relay entries

A DHCP client unicasts a DHCP-RELEASE message to the DHCP server to release its IP address. The DHCP relay agent conveys the message to the DHCP server and does not remove the IP-to-MAC entry of the client.

With this feature, the DHCP relay agent uses the IP address of a relay entry to periodically send a DHCP-REQUEST message to the DHCP server.

The relay agent maintains the relay entries depending on what it receives from the DHCP server:

·     If the server returns a DHCP-ACK message or does not return any message within an interval, the DHCP relay agent removes the relay entry. In addition, upon receiving the DHCP-ACK message, the relay agent sends a DHCP-RELEASE message to release the IP address.

·     If the server returns a DHCP-NAK message, the relay agent keeps the relay entry.

Procedure

1.     Enter system view.

system-view

2.     Enable periodic refresh of dynamic relay entries.

dhcp relay client-information refresh enable

By default, periodic refresh of dynamic relay entries is enabled.

3.     (Optional.) Set the refresh interval.

dhcp relay client-information refresh [ auto | interval interval ]

By default, the refresh interval is auto, which is calculated based on the number of total relay entries.

Configuring DHCP flood attack protection

About DHCP flood attack protection

The DHCP flood attack protection enables the DHCP relay agent to detect DHCP flood attacks according to the DHCP packet rate threshold on a per-MAC basis.

When the DHCP relay agent receives a DHCP packet from a client (MAC address), it creates a DHCP flood attack entry in check state. If the number of DHCP packets from the same MAC address reaches the upper limit in the detection duration, the relay agent determines that the client is launching a DHCP flood attack. The DHCP flood attack entry changes to the restrain state, and the DHCP relay agent discards the DHCP packets from that client. When the aging time of the entry is reached, the DHCP relay agent deletes the entry. If a DHCP packet from the MAC address arrives later, the DHCP relay agent will create a flood attack entry and count the number of incoming DHCP packets for that client again.

Configuring DHCP flood attack protection in a common network

1.     Enter system view.

system-view

2.     (Optional) Set the DHCP packet rate threshold for DHCP flood attack detection.

dhcp flood-protection threshold packet-number milliseconds

By default, the device allows a maximum of 6 DHCP packets per 5000 milliseconds from each DHCP client.

3.     (Optional) Set the DHCP flood attack entry aging time.

dhcp flood-protection aging-time time

The default setting is 300 seconds.

4.     Enter interface view.

interface interface-type interface-number

5.     Enable DHCP flood attack protection.

dhcp flood-protection enable

By default, DHCP flood attack protection is disabled.

Enabling DHCP starvation attack protection

About DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system resources. The following methods are available to relieve or prevent such attacks.

·     To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, you can use one of the following methods:

¡     Limit the number of ARP entries that a Layer 3 interface can learn.

¡     Set the MAC learning limit for a Layer 2 port, and disable unknown frame forwarding when the MAC learning limit is reached.

·     To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, you can enable MAC address check on the DHCP relay agent. The DHCP relay agent compares the chaddr field of a received DHCP request with the source MAC address in the frame header. If they are the same, the DHCP relay agent forwards the request to the DHCP server. If not, the relay agent discards the request.

Enable MAC address check only on the DHCP relay agent directly connected to the DHCP clients. A DHCP relay agent changes the source MAC address of DHCP packets before sending them.

A MAC address check entry has an aging time. When the aging time expires, both of the following occur:

·     The entry ages out.

·     The DHCP relay agent rechecks the validity of DHCP requests sent from the MAC address in the entry.

Procedure

1.     Enter system view.

system-view

2.     Set the aging time for MAC address check entries.

dhcp relay check mac-address aging-time time

The default aging time is 30 seconds.

This command takes effect only after you execute the dhcp relay check mac-address command.

3.     Enter the interface view.

interface interface-type interface-number

4.     Enable MAC address check.

dhcp relay check mac-address

By default, MAC address check is disabled.

Enabling DHCP server proxy on the DHCP relay agent

About enabling DHCP server proxy on the DHCP relay agent

The DHCP server proxy feature isolates DHCP servers from DHCP clients and protects DHCP servers against attacks.

Upon receiving a response from the server, the DHCP server proxy modifies the server's IP address as the relay interface's IP address before sending out the response. The DHCP client takes the DHCP relay agent as the DHCP server.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable DHCP relay agent and DHCP server proxy on the interface.

dhcp select relay proxy

By default, the interface operates in DHCP server mode after DHCP is enabled.

Enabling client offline detection on the DHCP relay agent

About client offline detection on the DHCP relay agent

The client offline detection on the DHCP relay agent detects the user online status based on the ARP entry aging. When an ARP entry ages out, the DHCP client offline detection feature deletes the relay entry for the IP address and sends a RELEASE message to the DHCP server.

If DHCP relay agent and DHCP snooping are configured on the same device, the DHCP snooping module deletes its DHCP snooping entries after it obtains the RELEASE messages from the relay agent module.

Restrictions and guidelines

The feature does not function if an ARP entry is manually deleted.

Procedure

1.     Enter system view.

system-view

2.     Enable the relay agent to record relay entries.

dhcp relay client-information record

By default, the relay agent does not record relay entries.

Without relay entries, client offline detection cannot function correctly.

3.     Enter interface view.

interface interface-type interface-number

4.     Enable the DHCP relay agent.

dhcp select relay

By default, when DHCP is enabled, an interface operates in the DHCP server mode.

5.     Enable client offline detection.

dhcp client-detect

By default, client offline detection is disabled on the DHCP relay agent.

Configuring the DHCP relay agent to release an IP address

About configuring the DHCP relay agent to release an IP address

Configure the relay agent to release the IP address for a relay entry. The relay agent sends a DHCP-RELEASE message to the server and meanwhile deletes the relay entry. Upon receiving the DHCP-RELEASE message, the DHCP server releases the IP address.

This command can release only the IP addresses in the recorded relay entries.

Procedure

1.     Enter system view.

system-view

2.     Configure the DHCP relay agent to release an IP address.

dhcp relay release ip ip-address [ vpn-instance vpn-instance-name ]

Configuring DHCP relay agent support for Option 82

To support Option 82, you must perform related configuration on both the DHCP server and relay agent. For DHCP server Option 82 configuration, see "Enabling handling of Option 82."

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable the relay agent to handle Option 82.

dhcp relay information enable

By default, handling of Option 82 is disabled.

4.     (Optional.) Configure the strategy for handling DHCP requests that contain Option 82.

dhcp relay information strategy { drop | keep | replace }

By default, the handling strategy is replace.

If the handling strategy is replace, configure a padding mode and a padding format for Option 82. If the handling strategy is keep or drop, you do not need to configure a padding mode or padding format for Option 82.

5.     (Optional.) Configure the padding mode and padding format for the Circuit ID sub-option.

dhcp relay information circuit-id { bas | string circuit-id | vxlan-port | { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] [ interface ] } [ format { ascii | hex } ] }

By default, the padding mode for Circuit ID sub-option is normal, and the padding format is hex.

The device name (sysname) must not include spaces if it is configured as the padding content for sub-option 1. Otherwise, the DHCP relay agent will fail to add or replace Option 82.

6.     (Optional.) Configure the padding mode and padding format for the Remote ID sub-option.

dhcp relay information remote-id { normal [ format { ascii | hex } ] | string remote-id | sysname }

By default, the padding mode for the Remote ID sub-option is normal, and the padding format is hex.

Enabling Option 60 insertion into DHCP requests

About enabling Option 60 insertion into DHCP requests

Option 60 records vendor class identifier information of DHCP clients. It allows the clients to obtain IP addresses from different address ranges. After receiving a DHCP request with Option 60 encapsulated, the DHCP server follows the procedure to assign an IP address:

1.     Uses Option 60 to determine a user class for the client.

2.     Selects an IP address from the address range that matches the user class and assigns the address to the client.

After you enable Option 60 insertion on the DHCP relay agent, the relay agent first examines whether the received DHCP request contains Option 60.

·     If the request does not contain Option 60, the relay agent inserts the option string into the request before forwarding the request to the DHCP server.

·     If the request contains Option 60, the relay agent forwards the request to the DHCP server without processing this option.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable Option 60 insertion into DHCP requests on the DHCP relay agent.

dhcp relay insert option60 option-text

By default, the DHCP relay agent does not insert Option 60 into DHCP requests.

Setting the DSCP value for DHCP packets sent by the DHCP relay agent

About the DSCP value for DHCP packets sent by the DHCP relay agent

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.

Procedure

1.     Enter system view.

system-view

2.     Set the DSCP value for DHCP packets sent by the DHCP relay agent.

dhcp dscp dscp-value

By default, the DSCP value in DHCP packets sent by the DHCP relay agent is 56.

Specifying the DHCP relay agent address for the giaddr field

Manually specifying the DHCP relay agent address for the giaddr field

About manually specifying the DHCP relay agent address for the giaddr field

This task allows you to specify the IP addresses to be encapsulated to the giaddr field of the DHCP requests. If you do not specify any DHCP relay agent address, the primary IP address of the DHCP relay interface is encapsulated to the giaddr field of DHCP requests.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Specify the DHCP relay agent address to be encapsulated in relayed DHCP requests.

dhcp relay gateway ip-address

By default, the primary IP address of the DHCP relay interface is encapsulated in the relayed DHCP requests.

Configuring smart relay to specify the DHCP relay agent address for the giaddr field

About smart relay

By default, the relay agent only encapsulates the primary IP address to the giaddr field of all requests before relaying them to the DHCP server. The DHCP server then selects an IP address on the same subnet as the address in the giaddr filed. If no assignable addresses on the subnet are available, the DHCP server does not assign any IP address. The DHCP smart relay feature is introduced to allow the DHCP relay agent to encapsulate secondary IP addresses when the DHCP server does not send back a DHCP-OFFER message.

The relay agent initially encapsulates its primary IP address to the giaddr field before forwarding a request to the DHCP server. If no DHCP-OFFER is received, the relay agent allows the client to send a maximum of two requests to the DHCP server by using the primary IP address. If no DHCP-OFFER is returned after two retries, the relay agent switches to a secondary IP address. If the DHCP server still does not respond, the next secondary IP address is used. After the secondary IP addresses are all tried and the DHCP server does not respond, the relay agent repeats the process by starting from the primary IP address.

Procedure

1.     Enter system view.

system-view

2.     Enable the DHCP smart relay feature.

dhcp smart-relay enable

By default, the DHCP smart relay feature is disabled.

Specifying the source IP address for relayed DHCP requests

About specifying the source IP address for relayed DHCP requests

This task is required if multiple relay interfaces share the same IP address or if a relay interface does not have routes to DHCP servers. You can specify an IP address or the IP address of another interface, typically the loopback interface, on the DHCP relay agent as the source IP address for DHCP requests. The relay interface inserts the source IP address in the source IP address field as well as the giaddr field in DHCP requests.

If multiple relay interfaces share the same IP address, you must also configure the relay interface to support Option 82. Upon receiving a DHCP request, the relay interface inserts the subnet information in sub-option 5 in Option 82. The DHCP server assigns an IP address according to sub-option 5. The DHCP relay agent looks up the output interface in the MAC address table to forward the DHCP reply.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Specify the source IP address for DHCP requests.

dhcp relay source-address { ip-address | interface interface-type interface-number }

By default, the DHCP relay agent uses the primary IP address of the interface that connects to the DHCP server as the source IP address for relayed DHCP requests. If this interface does not have an IP address, the DHCP relay agent uses an IP address that shares the same subnet with the DHCP server.

You can specify only one source IP address for DHCP requests on an interface.

Discarding DHCP requests that are delivered from VXLAN tunnels

About discarding DHCP requests that are delivered from VXLAN tunnels

In a VXLAN network, the DHCP relay agent feature can be configured on the VSI interface of a VTEP.

When the DHCP relay agent receives a DHCP request from an AC mapped to the VSI interface, the relay agent forwards this request to the DHCP servers and broadcasts this request to other VTEPs. If those VTEPs also function as the DHCP relay agents, each will forward the DHCP request to the DHCP servers they are connecting to. To prevent a DHCP server from receiving the same DHCP request from different VTEPs, you can configure this command on the VSI interface of the VTEPs that are not directly connecting to DHCP clients.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface vsi-interface vsi-number

3.     Configure the DHCP relay agent to discard the DHCP requests that are delivered from VXLAN tunnels.

dhcp relay request-from-tunnel discard

By default, the DHCP relay agent can forward the DHCP requests that are delivered from VXLAN tunnels.

If you configure this command on a device that acts as both the distributed and centralized VXLAN IP gateways, make sure the gateways do not use the same VSI interface to provide the gateway services.

Configuring DHCP relay agent support for forwarding DHCP replies based on MAC address table

About configuring DHCP relay agent support for forwarding DHCP replies based on MAC address table

In a distributed EVPN gateway network, VSI interfaces of all distributed EVPN gateways have the same IP address, and the DHCP relay agent is enabled on EVPN gateways. When a DHCP client sends a request to its connected EVPN gateway, the gateway records the request forwarding information for the client before relaying the request to the DHCP server. The request forwarding information contains the MAC address of the DHCP client and output interface of the request packet. If the reply for this request is received by another EVPN gateway, the reply is discarded by default because it does not have the matching request forwarding information on the gateway. As a result, the client cannot obtain the IP address.

To solve this problem, configure the support for forwarding replies based on MAC address table on the relay agent connected to the DHCP server. This feature allows the relay agent to look up the MAC address table for the output interface for the reply if the agent does not have the request forwarding information. This feature ensures that DHCP clients receive DHCP reply packets.

If the broadcast keyword is specified, the DHCP relay agent broadcasts the DHCP reply. When the DHCP relay agent connecting to the requesting DHCP client receives the reply, it sends the reply to its CPU before forwarding the reply to the DHCP client. If recording relay entries is enabled on this relay agent, a relay entry is generated for the DHCP client.

If the broadcast keyword is not specified, the DHCP relay agent connecting to the requesting client will directly forward the reply based on the MAC address instead of delivering it up to the CPU. In this case, the DHCP relay agent cannot be aware that the packet is a DHCP reply, thus no relay entry is generated for the client even if the recording of relay entries is enabled.

Procedure

 

1.     Enter system view.

system-view

2.     Configure the DHCP relay agent to perform a MAC address table lookup for a DHCP reply if the agent does not have the request forwarding information for the reply.

dhcp relay mac-forward enable [ broadcast ]

By default, the DHCP relay agent discards a DHCP reply if the relay agent does not have the request forwarding information for the reply.

Display and maintenance commands for DHCP relay agent

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display MAC address check entries on the DHCP relay agent.

display dhcp relay check mac-address

Display relay entries on the DHCP relay agent.

display dhcp relay client-information [ interface interface-type interface-number | ip ip-address [ vpn-instance vpn-instance-name ] ]

Display Option 82 configuration information on the DHCP relay agent.

display dhcp relay information [ interface interface-type interface-number ]

Display information about DHCP servers on an interface.

display dhcp relay server-address [ interface interface-type interface-number ]

Display packet statistics on the DHCP relay agent.

display dhcp relay statistics [ interface interface-type interface-number ]

Clear relay entries on the DHCP relay agent.

reset dhcp relay client-information [ interface interface-type interface-number | ip ip-address [ vpn-instance vpn-instance-name ] ]

Clear packet statistics on the DHCP relay agent.

reset dhcp relay statistics [ interface interface-type interface-number ]

DHCP relay agent configuration examples

Example: Configuring basic DHCP relay agent

Network configuration

As shown in Figure 16, configure the DHCP relay agent on Switch A. The DHCP relay agent enables DHCP clients to obtain IP addresses and other configuration parameters from the DHCP server on another subnet.

The DHCP relay agent and server are on different subnets. Configure static or dynamic routing to make them reachable to each other.

Perform the configuration on the DHCP server to guarantee the client-server communication. For DHCP server configuration information, see "DHCP server configuration examples."

Figure 16 Network diagram

Procedure

# Specify IP addresses for the interfaces. (Details not shown.)

# Enable DHCP.

<SwitchA> system-view

[SwitchA] dhcp enable

# Enable the DHCP relay agent on VLAN-interface 10.

[SwitchA] interface vlan-interface 10

[SwitchA-Vlan-interface10] dhcp select relay

# Specify the IP address of the DHCP server on the relay agent.

[SwitchA-Vlan-interface10] dhcp relay server-address 10.1.1.1

Verifying the configuration

# Verify that DHCP clients can obtain IP addresses and all other network parameters from the DHCP server through the DHCP relay agent. (Details not shown.)

# Display the statistics of DHCP packets forwarded by the DHCP relay agent.

[SwitchA] display dhcp relay statistics

# Display relay entries if you have enabled relay entry recording on the DHCP relay agent.

[SwitchA] display dhcp relay client-information

Example: Configuring Option 82

Network configuration

As shown in Figure 16, the DHCP relay agent (Switch A) replaces Option 82 in DHCP requests before forwarding them to the DHCP server (Switch B).

·     The Circuit ID sub-option is company001.

·     The Remote ID sub-option is device001.

To use Option 82, you must also enable the DHCP server to handle Option 82.

Procedure

# Specify IP addresses for the interfaces. (Details not shown.)

# Enable DHCP.

<SwitchA> system-view

[SwitchA] dhcp enable

# Enable the DHCP relay agent on VLAN-interface 10.

[SwitchA] interface vlan-interface 10

[SwitchA-Vlan-interface10] dhcp select relay

# Specify the IP address of the DHCP server.

[SwitchA-Vlan-interface10] dhcp relay server-address 10.1.1.1

# Configure the handling strategies and padding content of Option 82.

[SwitchA-Vlan-interface10] dhcp relay information enable

[SwitchA-Vlan-interface10] dhcp relay information strategy replace

[SwitchA-Vlan-interface10] dhcp relay information circuit-id string company001

[SwitchA-Vlan-interface10] dhcp relay information remote-id string device001

Example: Configuring DHCP server selection

Network configuration

As shown in Figure 17, the DHCP client and the DHCP servers are in different subnets. DHCP server 1 and DHCP server 2 both have a DHCP address pool that contains IP addresses in subnet 22.22.22.0/24, but neither has DHCP enabled.

Configure the DHCP relay agent for the DHCP client to obtain an IP address in subnet 22.22.22.0/24 and other configuration parameters from a DHCP server. The DHCP relay agent is connected to the DHCP client through VLAN-interface 2, to DHCP server 1 through VLAN-interface 3, and to DHCP server 2 through VLAN-interface 4.

Figure 17 Network diagram

Procedure

1.     Assign IP addresses to interfaces on the switches. (Details not shown.)

2.     Configure Switch B and Switch C as DHCP servers. (Details not shown.)

3.     Configure the DHCP relay agent on Switch A:

# Enable DHCP.

<SwitchA> system-view

[SwitchA] dhcp enable

# Enable the DHCP relay agent on VLAN-interface 2.

[SwitchA] interface vlan-interface 2

[SwitchA-Vlan-interface2] dhcp select relay

# Specify the IP addresses of the DHCP servers.

[SwitchA-Vlan-interface2] dhcp relay server-address 1.1.1.1

[SwitchA-Vlan-interface2] dhcp relay server-address 2.2.2.2

# Specify the DHCP server selecting algorithm as master-backup.

[SwitchA-Vlan-interface2] dhcp relay server-address algorithm master-backup

# Configure the DHCP relay agent to switch back to the master DHCP server 3 minutes after it switches to the backup DHCP server.

[SwitchA-Vlan-interface2] dhcp relay master-server switch-delay 3

Verifying the configuration

# Verify that the DHCP client cannot obtain an IP address and that the following log is output in about 30 seconds.

DHCPR/3/DHCPR_SERVERCHANGE:

 Switched to the server at 2.2.2.2 because the current server did not respond.

# Enable DHCP on the DHCP server at 1.1.1.1. (Details not shown.)

# Verify that the DHCP client cannot obtain an IP address and that the following log is output in about 3 minutes.

DHCPR/3/DHCPR_SWITCHMASTER:

 Switched to the master DHCP server at 1.1.1.1.

# Verify that the DHCP client obtains an IP address. (Details not shown.)

Troubleshooting DHCP relay agent configuration

Failure of DHCP clients to obtain configuration parameters through the DHCP relay agent

Symptom

DHCP clients cannot obtain configuration parameters through the DHCP relay agent.

Solution

Some problems might occur with the DHCP relay agent or server configuration.

To locate the problem, enable debugging and execute the display command on the DHCP relay agent to view the debugging information and interface state information.

Check that:

·     DHCP is enabled on the DHCP server and relay agent.

·     The DHCP server has an address pool on the same subnet as the DHCP clients.

·     The DHCP server and DHCP relay agent can reach each other.

·     The DHCP server address specified on the DHCP relay interface connected to the DHCP clients is correct.


Configuring the DHCP client

About DHCP client

With DHCP client enabled, an interface uses DHCP to obtain configuration parameters from the DHCP server, for example, an IP address.

Restrictions and guidelines: DHCP client configuration

The DHCP client configuration is supported only on Layer 3 Ethernet interfaces (or subinterfaces), VLAN interfaces, and Layer 3 aggregate interfaces.

DHCP client tasks at a glance

To configure a DHCP client, perform the following tasks:

1.     Enabling the DHCP client on an interface

2.     Configuring a DHCP client ID for an interface

Perform this task if the DHCP client uses the client ID to obtain IP addresses.

3.     (Optional.) Enabling duplicated address detection

4.     (Optional.) Setting the DSCP value for DHCP packets sent by the DHCP client

Enabling the DHCP client on an interface

Restrictions and guidelines

·     If the number of IP address request failures reaches the system-defined amount, the DHCP client-enabled interface uses a default IP address.

·     An interface can be configured to acquire an IP address in multiple ways. The new configuration overwrites the old.

·     Secondary IP addresses cannot be configured on an interface that is enabled with the DHCP client.

·     If the interface obtains an IP address on the same segment as another interface on the device, the interface does not use the assigned address. Instead, it requests a new IP address from the DHCP server.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure an interface to use DHCP for IP address acquisition.

ip address dhcp-alloc

By default, an interface does not use DHCP for IP address acquisition.

Configuring a DHCP client ID for an interface

About DHCP client ID

A DHCP client ID is added to the DHCP option 61 to uniquely identify a DHCP client. A DHCP server can assign IP addresses to clients based on their DHCP client IDs.

DHCP client ID includes an ID type and a type value. Each ID type has a fixed type value. You can specify a DHCP client ID by using one of the following methods:

·     Use an ASCII string as the client ID. If an ASCII string is used, the type value is 00.

·     Use a hexadecimal number as the client ID. If a hexadecimal number is used, the type value is the first two characters in the number.

·     Use the MAC address of an interface to generate a client ID. If this method is used, the type value is 01.

The type value of a DHCP client ID can be displayed by the display dhcp server ip-in-use or display dhcp client command.

Restrictions and guidelines

Make sure the ID for each DHCP client is unique.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure a DHCP client ID for the interface.

dhcp client identifier { ascii ascii-string | hex hex-string | mac interface-type interface-number }

By default, an interface generates the DHCP client ID based on its MAC address. If the interface has no MAC address, it uses the MAC address of the first Ethernet interface to generate its client ID.

Enabling duplicated address detection

About duplicated address detection

DHCP client detects IP address conflict through ARP packets. An attacker can act as the IP address owner to send an ARP reply. The spoofing attack makes the client unable to use the IP address assigned by the server. As a best practice, disable duplicate address detection when ARP attacks exist on the network.

Procedure

1.     Enter system view.

system-view

2.     Enable duplicate address detection.

dhcp client dad enable

By default, the duplicate address detection feature is enabled on an interface.

Setting the DSCP value for DHCP packets sent by the DHCP client

About setting the DSCP value for DHCP packets sent by the DHCP client

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.

Procedure

1.     Enter system view.

system-view

2.     Set the DSCP value for DHCP packets sent by the DHCP client.

dhcp client dscp dscp-value

By default, the DSCP value in DHCP packets sent by the DHCP client is 56.

Display and maintenance commands for DHCP client

Execute display command in any view.

 

Task

Command

Display DHCP client information.

display dhcp client [ verbose ] [ interface interface-type interface-number ]

DHCP client configuration examples

Example: Configuring DHCP client

Network configuration

As shown in Figure 19, on a LAN, Switch B contacts the DHCP server through VLAN-interface 2 to obtain an IP address, a DNS server address, and static route information. The DHCP client's IP address resides on subnet 10.1.1.0/24. The DNS server address is 20.1.1.1. The next hop of the static route to subnet 20.1.1.0/24 is 10.1.1.2.

The DHCP server uses Option 121 to assign static route information to DHCP clients. Figure 18 shows the Option 121 format. The destination descriptor field contains the following parts: subnet mask length and destination network address, both in hexadecimal notation. In this example, the destination descriptor is 18 14 01 01 (the subnet mask length is 24 and the network address is 20.1.1.0 in dotted decimal notation). The next hop address is 0A 01 01 02 (10.1.1.2 in dotted decimal notation).

Figure 18 Option 121 format

 

Figure 19 Network diagram

Procedure

1.     Configure Switch A:

# Specify an IP address for VLAN-interface 2.

<SwitchA> system-view

[SwitchA] interface vlan-interface 2

[SwitchA-Vlan-interface2] ip address 10.1.1.1 24

[SwitchA-Vlan-interface2] quit

# Exclude an IP address from dynamic allocation.

[SwitchA] dhcp server forbidden-ip 10.1.1.2

# Configure DHCP address pool 0. Specify the subnet, lease duration, DNS server address, and a static route to subnet 20.1.1.0/24.

[SwitchA] dhcp server ip-pool 0

[SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0

[SwitchA-dhcp-pool-0] expired day 10

[SwitchA-dhcp-pool-0] dns-list 20.1.1.1

[SwitchA-dhcp-pool-0] option 121 hex 18 14 01 01 0A 01 01 02

[SwitchA-dhcp-pool-0] quit

# Enable DHCP.

[SwitchA] dhcp enable

2.     Configure Switch B:

# Configure VLAN-interface 2 to use DHCP for IP address acquisition.

<SwitchB> system-view

[SwitchB] interface vlan-interface 2

[SwitchB-Vlan-interface2] ip address dhcp-alloc

[SwitchB-Vlan-interface2] quit

Verifying the configuration

# Display the IP address and other network parameters assigned to Switch B.

[SwitchB-Vlan-interface2] display dhcp client verbose

Vlan-interface2 DHCP client information:

 Current state: BOUND

 Allocated IP: 10.1.1.3 255.255.255.0

 Allocated lease: 864000 seconds, T1: 331858 seconds, T2: 756000 seconds

 Lease from May 21 19:00:29 2012   to   May 31 19:00:29 2012

 DHCP server: 10.1.1.1

 Transaction ID: 0xcde72232

 Classless static routes:

   Destination: 20.1.1.0, Mask: 255.255.255.0, NextHop: 10.1.1.2

 DNS servers: 20.1.1.1

 Client ID type: acsii(type value=00)

 Client ID value: 000c.29d3.8659-Vlan2

 Client ID (with type) hex: 0030-3030-632e-3239-

                            6433-2e38-3635-392d-

                            4574-6830-2f30-2f32

 T1 will timeout in 3 days 19 hours 48 minutes 43 seconds

# Display the route information on Switch B. The output shows that a static route to subnet 20.1.1.0/24 is added to the routing table.

[SwitchB] display ip routing-table

Destinations : 11        Routes : 11

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

10.1.1.0/24         Direct 0    0            10.1.1.3        Vlan2

10.1.1.3/32         Direct 0    0            127.0.0.1       InLoop0

20.1.1.0/24         Static 70   0            10.1.1.2        Vlan2

10.1.1.255/32       Direct 0    0            10.1.1.3        Vlan2

127.0.0.0/8         Direct 0    0            127.0.0.1       InLoop0

127.0.0.0/32        Direct 0    0            127.0.0.1       InLoop0

127.0.0.1/32        Direct 0    0            127.0.0.1       InLoop0

127.255.255.255/32  Direct 0    0            127.0.0.1       InLoop0

224.0.0.0/4         Direct 0    0            0.0.0.0         NULL0

224.0.0.0/24        Direct 0    0            0.0.0.0         NULL0

255.255.255.255/32  Direct 0    0            127.0.0.1       InLoop0

 


Configuring DHCP snooping

About DHCP snooping

DHCP snooping is a security feature for DHCP.

DHCP snooping works between the DHCP client and server, or between the DHCP client and DHCP relay agent. It guarantees that DHCP clients obtain IP addresses from authorized DHCP servers. Also, it records IP-to-MAC bindings of DHCP clients (called DHCP snooping entries) for security purposes.

DHCP snooping defines trusted and untrusted ports to make sure clients obtain IP addresses only from authorized DHCP servers.

·     Trusted—A trusted port can forward DHCP messages correctly to make sure the clients get IP addresses from authorized DHCP servers.

·     Untrusted—An untrusted port discards received DHCP-ACK and DHCP-OFFER messages to prevent unauthorized servers from assigning IP addresses.

DHCP snooping reads DHCP-ACK messages received from trusted ports and DHCP-REQUEST messages to create DHCP snooping entries. A DHCP snooping entry includes the MAC and IP addresses of a client, the port that connects to the DHCP client, and the VLAN.

The following features need to use DHCP snooping entries:

·     ARP fast-reply—Uses DHCP snooping entries to reduce ARP broadcast traffic. For more information, see "Configuring ARP fast-reply."

·     ARP attack detection—Uses DHCP snooping entries to filter ARP packets from unauthorized clients. For more information, see Security Configuration Guide.

·     MAC-forced forwarding (MFF)—Auto-mode MFF performs the following tasks:

¡     Intercepts ARP requests from clients.

¡     Uses DHCP snooping entries to find the gateway address.

¡     Returns the gateway MAC address to the clients.

This feature forces the client to send all traffic to the gateway so that the gateway can monitor client traffic to prevent malicious attacks among clients. For more information, see Security Configuration Guide.

·     IP source guard—Uses DHCP snooping entries to filter illegal packets on a per-port basis. For more information, see Security Configuration Guide.

·     VLAN mapping—Uses DHCP snooping entries to replace service provider VLAN in packets with customer VLAN before sending the packets to clients. For more information, see Layer 2—LAN Switching Configuration Guide.

Application of trusted and untrusted ports

Configure ports facing the DHCP server as trusted ports, and configure other ports as untrusted ports.

As shown in Figure 20, configure the DHCP snooping device's port that is connected to the DHCP server as a trusted port. The trusted port forwards response messages from the DHCP server to the client. The untrusted port connected to the unauthorized DHCP server discards incoming DHCP response messages.

Figure 20 Trusted and untrusted ports

In a cascaded network as shown in Figure 21, configure the DHCP snooping devices' ports facing the DHCP server as trusted ports. To save system resources, you can enable only the untrusted ports directly connected to the DHCP clients to record DHCP snooping entries.

Figure 21 Trusted and untrusted ports in a cascaded network

 

DHCP snooping support for Option 82

Option 82 records the location information about the DHCP client so the administrator can locate the DHCP client for security and accounting purposes. For more information about Option 82, see "Relay agent option (Option 82)."

Sub-option 9 (Vendor-Specific) in Option 82 is supported only on DHCP snooping devices. Each DHCP snooping device with the append Option 82 handling strategy adds the following information to the sub-option in the received DHCP request:

·     Node identifier of the current DHCP snooping device.

·     Information about the client-side interface.

·     VLAN of the DHCP client.

After the management device receives the DHCP request, it can determine the network topology that the request has travelled and locate the DHCP client.

DHCP snooping uses the same strategies as the DHCP relay agent to handle Option 82 for DHCP request messages, as shown in Table 4. If a response returned by the DHCP server contains Option 82, DHCP snooping removes Option 82 before forwarding the response to the client. If the response contains no Option 82, DHCP snooping forwards it directly.

Table 4 Handling strategies

If a DHCP request has…

Handling strategy

DHCP snooping…

Option 82

Append

·     Forwards the message after padding the Vendor-Specific sub-option with the content specified in the dhcp snooping information vendor-specific command.

·     Forwards the message without changing Option 82 if the dhcp snooping information vendor-specific command is not configured.

Drop

Drops the message.

Keep

Forwards the message without changing Option 82.

Replace

Forwards the message after replacing the original Option 82 with the Option 82 padded according to the configured padding format, padding content, and code type.

No Option 82

N/A

Forwards the message after adding the Option 82 padded according to the configured padding format, padding content, and code type.

Restrictions and guidelines: DHCP snooping configuration

·     The DHCP snooping configuration does not take effect on a Layer 2 Ethernet interface that is an aggregation member port. The configuration takes effect when the interface leaves the aggregation group.

·     Specify the ports connected to authorized DHCP servers as trusted ports to make sure that DHCP clients can obtain valid IP addresses. The trusted ports and the ports connected to DHCP clients must be in the same VLAN.

·     You can specify the following interfaces as trusted ports: Layer 2 Ethernet interfaces, Layer 2 aggregate interfaces, Layer 3 Ethernet interfaces, and Layer 3 aggregate interfaces. For more information about aggregate interfaces, see Ethernet link aggregation in Layer 2—LAN Switching Configuration Guide.

·     In a VXLAN network, an Ethernet service instance uses the DHCP snooping configuration (except the trusted port configuration) of the Layer 2 Ethernet interface where the Ethernet service instance is on. For more information about Ethernet service instances, see VXLAN Configuration Guide.

DHCP snooping tasks at a glance

To configure DHCP snooping, perform the following tasks:

1.     Configuring basic DHCP snooping features

2.     (Optional.) Configuring DHCP snooping support for Option 82

3.     (Optional.) Configuring DHCP snooping entry auto backup

4.     (Optional.) Setting the maximum number of DHCP snooping entries

5.     (Optional.) Configuring DHCP packet rate limit

6.     (Optional.) Configuring DHCP snooping security features

7.     (Optional.) Enabling DHCP snooping logging

8.     (Optional.) Disabling DHCP snooping on an interface

Configuring basic DHCP snooping features

Configuring basic DHCP snooping features in a common network

About basic DHCP snooping features in a common network

Basic DHCP snooping features refer to the following:

·     Enabling DHCP snooping.

·     Configuring DHCP snooping trusted ports.

·     Enabling recording client information in DHCP snooping entries.

If you enable DHCP snooping globally, DHCP snooping is enabled on all interfaces on the device.

You can also enable DHCP snooping for specific VLANs. After enabling DHCP snooping for a VLAN, you can configure the other basic DHCP snooping features in the VLAN.

Restrictions and guidelines

If the basic DHCP snooping features are configured globally, you can only use the undo form of the global configuration commands to disable the settings globally. The VLAN-specific configuration commands cannot disable the settings.

If the basic DHCP snooping features are configured in a VLAN, you can only use the undo form of the VLAN-specific configuration commands to disable the settings in the VLAN. The global configuration command cannot disable the settings.

Configuring basic DHCP snooping features globally

1.     Enter system view.

system-view

2.     Enable DHCP snooping globally.

dhcp snooping enable

By default, DHCP snooping is disabled globally.

3.     Enter interface view.

interface interface-type interface-number

This interface must connect to the DHCP server.

4.     Specify the port as a trusted port.

dhcp snooping trust

By default, all ports are untrusted ports after DHCP snooping is enabled.

5.     (Optional.) Enable the recording of DHCP snooping entries.

a.     Return to system view.

quit

b.     Enter interface view.

interface interface-type interface-number

This interface must connect to the DHCP client.

c.     Enable the recording of DHCP snooping entries.

dhcp snooping binding record

By default, the recording of DHCP snooping entries is disabled.

Configuring basic DHCP snooping features for VLANs

1.     Enter system view.

system-view

2.     Enable DHCP snooping for VLANs.

dhcp snooping enable vlan vlan-id-list

By default, DHCP snooping is disabled for all VLANs.

3.     Enter VLAN view

vlan vlan-id

Make sure DHCP snooping is enabled for the VLAN.

4.     Configure an interface in the VLAN as a trusted port.

dhcp snooping trust interface interface-type interface-number

By default, all interfaces in the VLAN are untrusted ports.

5.     (Optional.) Enable recording of client information in DHCP snooping entries.

dhcp snooping binding record

By default, recording of client information in DHCP snooping entries is disabled.

Configuring basic DHCP snooping features in a VXLAN network

About basic DHCP snooping features in a VXLAN network

In a VXLAN network, you can configure the following interfaces as DHCP snooping trusted interfaces:

·     ACs that are mapped to a VSI.

·     VXLAN tunnel interfaces that are assigned to a VSI.

When the VTEP with DHCP snooping configured receives a DHCP request, the VTEP forwards this request through the trusted ACs or VXLAN tunnel interfaces.

Restrictions and guidelines

If the DHCP server is in the local site, configure the AC that connects to the DHCP server as trusted. If the DHCP server is in a remote site, configure the VXLAN tunnel interface as trusted.

Configuring basic DHCP snooping features in a VXLAN network (DHCP server at the local site)

1.     Enter system view.

system-view

2.     Enable DHCP snooping globally.

dhcp snooping enable

3.     By default, DHCP snooping is disabled globally.

4.     Enter interface view.

interface interface-type interface-number

5.     Enter Ethernet service instance view.

service-instance instance-id

6.     Configure the AC as the DHCP snooping trusted interface.

dhcp snooping trust

By default, all ports are untrusted after DHCP snooping is enabled.

7.     (Optional.) Enable recording of client information in DHCP snooping entries on the ACs mapped to the VSI and VXLAN tunnel interfaces assigned to the VSI.

a.     Exit to interface view.

quit

b.     Exit to the system view.

quit

c.     Enter VSI view.

vsi vsi-name

d.     Enable recording of client information in DHCP snooping entries on the ACs mapped to the VSI and VXLAN tunnel interfaces assigned to the VSI.

dhcp snooping binding record

By default, the recording of DHCP snooping entries is disabled.

Configuring basic DHCP snooping features in a VXLAN network (DHCP server at a remote site)

1.     Enter system view.

system-view

2.     Enable DHCP snooping globally.

dhcp snooping enable

3.     By default, DHCP snooping is disabled globally.

4.     Enter VSI view.

vsi vsi-name

5.     Configure the VXLAN tunnel interfaces as the DHCP snooping trusted interface.

dhcp snooping trust tunnel

By default, all ports are untrusted after DHCP snooping is enabled.

This command sets all VXLAN tunnel interfaces in the VSI as DHCP snooping trusted interfaces.

6.     (Optional.) Enable recording of client information in DHCP snooping entries on the ACs mapped to the VSI and VXLAN tunnel interfaces assigned to the VSI.

dhcp snooping binding record

By default, the recording of DHCP snooping entries is disabled.

Configuring DHCP snooping support for Option 82

Restrictions and guidelines

·     The Option 82 configuration on a Layer 2 Ethernet interface that has been added to an aggregation group does not take effect unless the interface leaves the aggregation group.

·     To support Option 82, you must configure Option 82 on both the DHCP server and the DHCP snooping device. For information about configuring Option 82 on the DHCP server, see "Enabling handling of Option 82."

·     If Option 82 contains the device name, the device name must contain no spaces. Otherwise, DHCP snooping drops the message. You can use the sysname command to specify the device name. For more information about this command, see Fundamentals Command Reference.

·     DHCP snooping uses "outer VLAN tag.inner VLAN tag" to fill the VLAN ID field of sub-option 1 in verbose padding format if either of the following conditions exists:

¡     DHCP snooping and QinQ work together.

¡     DHCP snooping receives a DHCP packet with two VLAN tags.

For example, if the outer VLAN tag is 10 and the inner VLAN tag is 20, the VLAN ID field is 000a.0014. The hexadecimal digit a represents the outer VLAN tag 10, and the hexadecimal digit 14 represents the inner VLAN tag 20.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable DHCP snooping to support Option 82.

dhcp snooping information enable

By default, DHCP snooping does not support Option 82.

4.     (Optional.) Configure a handling strategy for DHCP requests that contain Option 82.

dhcp snooping information strategy { append | drop | keep | replace }

By default, the handling strategy is replace.

If the handling strategy is append or replace, configure a padding mode and padding format for Option 82. If the handling strategy is keep or drop, you do not need to configure any padding mode or padding format for Option 82.

5.     (Optional.) Configure the padding mode and padding format for the Circuit ID sub-option.

dhcp snooping information circuit-id { [ vlan vlan-id ] string circuit-id | { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] } [ format { ascii | hex } ] }

By default, the padding mode is normal and the padding format is hex for the Circuit ID sub-option.

If the device name (sysname) is configured as the padding content for sub-option 1, make sure the device name does not include spaces. Otherwise, the DHCP snooping device will fail to add or replace Option 82.

6.     (Optional.) Configure the padding mode and padding format for the Remote ID sub-option.

dhcp snooping information remote-id { normal [ format { ascii | hex } ] | [ vlan vlan-id ] string remote-id | sysname }

By default, the padding mode is normal and the padding format is hex for the Remote ID sub-option.

7.     (Optional.) Configure the padding mode for the Vendor-Specific sub-option.

dhcp snooping information vendor-specific [ vlan vlan-id ] bas [ node-identifier { mac | sysname | user-defined string } ]

By default, the device does not pad the Vendor-Specific sub-option.

Configuring DHCP snooping entry auto backup

About DHCP snooping entry auto backup

The auto backup feature saves DHCP snooping entries to a backup file, and allows the DHCP snooping device to download the entries from the backup file at device reboot. The entries on the DHCP snooping device cannot survive a reboot. The auto backup helps the security features provide services if these features (such as IP source guard) must use DHCP snooping entries for user authentication.

Restrictions and guidelines

If you disable DHCP snooping with the undo dhcp snooping enable command, the device deletes all DHCP snooping entries, but entries stored in the backup file still exist. They are deleted next time the device updates the backup file.

Procedure

1.     Enter system view.

system-view

2.     Configure the DHCP snooping device to back up DHCP snooping entries to a file.

dhcp snooping binding database filename { filename | url url [ username username [ password { cipher | simple } string ] ] }

By default, the DHCP snooping device does not back up DHCP snooping entries.

With this command executed, the DHCP snooping device backs up DHCP snooping entries immediately and runs auto backup.

This command automatically creates the file if you specify a non-existent file.

3.     (Optional.) Manually save DHCP snooping entries to the backup file.

dhcp snooping binding database update now

4.     (Optional.) Set the waiting time after a DHCP snooping entry change for the DHCP snooping device to update the backup file.

dhcp snooping binding database update interval interval

By default, the DHCP snooping device waits 300 seconds to update the backup file after a DHCP snooping entry change. If no DHCP snooping entry changes, the backup file is not updated.

Setting the maximum number of DHCP snooping entries

About setting the maximum number of DHCP snooping entries

Perform this task to prevent the system resources from being overused.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Set the maximum number of DHCP snooping entries for the interface to learn.

dhcp snooping max-learning-num max-number

By default, the number of DHCP snooping entries for an interface to learn is unlimited.

Configuring DHCP packet rate limit

About DHCP packet rate limit

Perform this task to set the maximum rate at which an interface can receive DHCP packets. This feature discards exceeding DHCP packets to prevent attacks that send large number of DHCP packets.

Restrictions and guidelines

The rate set on the Layer 2 aggregate interface applies to all members of the aggregate interface. If a member interface leaves the aggregation group, it uses the rate set in its Ethernet interface view.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable DHCP snooping packet rate limit on an interface and set the limit value.

dhcp snooping rate-limit rate

By default, the DHCP snooping packet rate limit is disabled on an interface.

Configuring DHCP snooping security features

Enabling DHCP starvation attack protection

About DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests that contain identical or different sender MAC addresses in the chaddr field to a DHCP server. This attack exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system resources. For information about the fields of DHCP packet, see "DHCP message format."

You can prevent DHCP starvation attacks in the following ways:

·     If the forged DHCP requests contain different sender MAC addresses, use the mac-address max-mac-count command to set the MAC learning limit on a Layer 2 port. For more information about the command, see Layer 2—LAN Switching Command Reference.

·     If the forged DHCP requests contain the same sender MAC address, perform this task to enable MAC address check for DHCP snooping. This feature compares the chaddr field of a received DHCP request with the source MAC address field in the frame header. If they are the same, the request is considered valid and forwarded to the DHCP server. If not, the request is discarded.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable MAC address check.

dhcp snooping check mac-address

By default, MAC address check is disabled.

Enabling DHCP-REQUEST attack protection

About DHCP-REQUEST attack protection

DHCP-REQUEST messages include DHCP lease renewal packets, DHCP-DECLINE packets, and DHCP-RELEASE packets. This feature prevents the unauthorized clients that forge the DHCP-REQUEST messages from attacking the DHCP server.

Attackers can forge DHCP lease renewal packets to renew leases for legitimate DHCP clients that no longer need the IP addresses. These forged messages disable the victim DHCP server from releasing the IP addresses.

Attackers can also forge DHCP-DECLINE or DHCP-RELEASE packets to terminate leases for legitimate DHCP clients that still need the IP addresses.

To prevent such attacks, you can enable DHCP-REQUEST check. This feature uses DHCP snooping entries to check incoming DHCP-REQUEST messages.

·     If a matching entry is found for a message, this feature compares the entry with the message information.

¡     If they are consistent, the message is considered as valid and forwarded to the DHCP server.

¡     If they are different, the message is considered as a forged message and is discarded.

·     If no matching entry is found, the message is considered valid and forwarded to the DHCP server.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable DHCP-REQUEST check.

dhcp snooping check request-message

By default, DHCP-REQUEST check is disabled.

Configuring a DHCP packet blocking port

About DHCP packet blocking port

Perform this task to configure a port as a DHCP packet blocking port. This blocking port drops all incoming DHCP requests.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the port to block DHCP requests.

dhcp snooping deny

By default, the port does not block DHCP requests.

 

CAUTION

CAUTION:

To avoid IP address acquisition failure, configure a port to block DHCP packets only if no DHCP clients are attached to it.

Enabling DHCP snooping logging

About DHCP snooping logging

The DHCP snooping logging feature enables the DHCP snooping device to generate DHCP snooping logs and send them to the information center. The information helps administrators locate and solve problems. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

Restrictions and guidelines

As a best practice, disable this feature if the log generation affects the device performance.

Procedure

1.     Enter system view.

system-view

2.     Enable DHCP snooping logging.

dhcp snooping log enable

By default, DHCP snooping logging is disabled.

Disabling DHCP snooping on an interface

About disabling DHCP snooping on an interface

This feature allows you to narrow down the interface range where DHCP snooping takes effect. For example, to enable DHCP snooping globally except for a specific interface, you can enable DHCP snooping globally and disable DHCP snooping on the target interface.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Disable DHCP snooping on the interface.

dhcp snooping disable

By default:

¡     If you enable DHCP snooping globally or for a VLAN, DHCP snooping is enabled on all interfaces on the device or on all interfaces in the VLAN.

¡     If you do not enable DHCP snooping globally or for a VLAN, DHCP snooping is disabled on all interfaces on the device or on all interfaces in the VLAN.

Display and maintenance commands for DHCP snooping

Execute display commands in any view, and reset commands in user view.

 

Task

Command

Display DHCP snooping entries.

display dhcp snooping binding [ ip ip-address [ vlan vlan-id ] ] [ verbose ]

Display information about the file that stores DHCP snooping entries.

display dhcp snooping binding database

Display Option 82 configuration information on the DHCP snooping device.

display dhcp snooping information { all | interface interface-type interface-number }

Display DHCP packet statistics on the DHCP snooping device.

display dhcp snooping packet statistics [ slot slot-number ]

Display information about trusted ports.

display dhcp snooping trust

Clear DHCP snooping entries.

reset dhcp snooping binding { all | ip ip-address [ vlan vlan-id ] }

Clear DHCP packet statistics on the DHCP snooping device.

reset dhcp snooping packet statistics [ slot slot-number ]

DHCP snooping configuration examples

Example: Configuring basic DHCP snooping features globally

Network configuration

As shown in Figure 22, Switch B is connected to the authorized DHCP server through Twenty-FiveGigE 1/0/1, to the unauthorized DHCP server through Twenty-FiveGigE 1/0/3, and to the DHCP client through Twenty-FiveGigE 1/0/2.

Configure only the port connected to the authorized DHCP server to forward the responses from the DHCP server. Enable the DHCP snooping device to record clients' IP-to-MAC bindings by reading DHCP-ACK messages received from the trusted port and the DHCP-REQUEST messages.

Figure 22 Network diagram

Procedure

# Enable DHCP snooping globally.

<SwitchB> system-view

[SwitchB] dhcp snooping enable

# Configure Twenty-FiveGigE 1/0/1 as a trusted port.

[SwitchB] interface twenty-fivegige 1/0/1

[SwitchB-Twenty-FiveGigE1/0/1] dhcp snooping trust

[SwitchB-Twenty-FiveGigE1/0/1] quit

# Enable recording clients' IP-to-MAC bindings on Twenty-FiveGigE 1/0/2.

[SwitchB] interface twenty-fivegige 1/0/2

[SwitchB-Twenty-FiveGigE1/0/2] dhcp snooping binding record

[SwitchB-Twenty-FiveGigE1/0/2] quit

Verifying the configuration

# Verify that the DHCP client can obtain an IP address and other configuration parameters only from the authorized DHCP server. (Details not shown.)

# Display the DHCP snooping entry recorded for the client.

[SwitchB] display dhcp snooping binding

Example: Configuring basic DHCP snooping features for a VLAN

Network configuration

As shown in Figure 23, Switch B is connected to the authorized DHCP server through Twenty-FiveGigE 1/0/1, to the unauthorized DHCP server through Twenty-FiveGigE 1/0/3, and to the DHCP client through Twenty-FiveGigE 1/0/2.

Configure only the port in VLAN 100 connected to the authorized DHCP server to forward the responses from the DHCP server. Enable the port in VLAN 100 to record clients' IP-to-MAC bindings by reading DHCP-ACK messages received from the trusted port and the DHCP-REQUEST messages.

Figure 23 Network diagram

Procedure

# Assign Twenty-FiveGigE 1/0/1, Twenty-FiveGigE 1/0/2, and Twenty-FiveGigE 1/0/3 to VLAN 100.

<SwitchB> system-view

[SwitchB] vlan 100

[SwitchB-vlan100] port twenty-fivegige 1/0/1 to twenty-fivegige 1/0/3

[SwitchB-vlan100] quit

# Enable DHCP snooping for VLAN 100.

[SwitchB] dhcp snooping enable vlan 100

# Configure Twenty-FiveGigE 1/0/1 as DHCP snooping trusted port.

[SwitchB] vlan 100

[SwitchB-vlan100] dhcp snooping trust twenty-fivegige 1/0/1

# Enable recording clients' IP-to-MAC bindings in VLAN 100.

[SwitchB-vlan100] dhcp snooping binding record

[SwitchB-vlan100] quit

Verifying the configuration

# Verify that the DHCP client can obtain an IP address and other configuration parameters only from the authorized DHCP server. (Details not shown.)

# Display the DHCP snooping entry recorded for the client.

[SwitchB] display dhcp snooping binding

Example: Configuring DHCP snooping support for Option 82

Network configuration

As shown in Figure 24, enable DHCP snooping and configure Option 82 on Switch B as follows:

·     Configure the handling strategy for DHCP requests that contain Option 82 as replace.

·     On Twenty-FiveGigE 1/0/2, configure the padding content for the Circuit ID sub-option as company001 and for the Remote ID sub-option as device001.

·     On Twenty-FiveGigE 1/0/3, configure the padding mode for the Circuit ID sub-option as verbose, access node identifier as sysname, and padding format as ascii. Configure the padding content for the Remote ID sub-option as device001.

Figure 24 Network diagram

Procedure

# Enable DHCP snooping.

<SwitchB> system-view

[SwitchB] dhcp snooping enable

# Configure Twenty-FiveGigE 1/0/1 as a trusted port.

[SwitchB] interface twenty-fivegige 1/0/1

[SwitchB-Twenty-FiveGigE1/0/1] dhcp snooping trust

[SwitchB-Twenty-FiveGigE1/0/1] quit

# Configure Option 82 on Twenty-FiveGigE 1/0/2.

[SwitchB] interface twenty-fivegige 1/0/2

[SwitchB-Twenty-FiveGigE1/0/2] dhcp snooping information enable

[SwitchB-Twenty-FiveGigE1/0/2] dhcp snooping information strategy replace

[SwitchB-Twenty-FiveGigE1/0/2] dhcp snooping information circuit-id string company001

[SwitchB-Twenty-FiveGigE1/0/2] dhcp snooping information remote-id string device001

[SwitchB-Twenty-FiveGigE1/0/2] quit

# Configure Option 82 on Twenty-FiveGigE 1/0/3.

[SwitchB] interface twenty-fivegige 1/0/3

[SwitchB-Twenty-FiveGigE1/0/3] dhcp snooping information enable

[SwitchB-Twenty-FiveGigE1/0/3] dhcp snooping information strategy replace

[SwitchB-Twenty-FiveGigE1/0/3] dhcp snooping information circuit-id verbose node-identifier sysname format ascii

[SwitchB-Twenty-FiveGigE1/0/3] dhcp snooping information remote-id string device001

Verifying the configuration

# Display Option 82 configuration information on Twenty-FiveGigE 1/0/2 and Twenty-FiveGigE 1/0/3 on the DHCP snooping device.

[SwitchB] display dhcp snooping information


Configuring the BOOTP client

About BOOTP client

BOOTP client application

An interface that acts as a BOOTP client can use BOOTP to obtain information (such as IP address) from the BOOTP server.

To use BOOTP, an administrator must configure a BOOTP parameter file for each BOOTP client on the BOOTP server. The parameter file contains information such as MAC address and IP address of a BOOTP client. When a BOOTP client sends a request to the BOOTP server, the BOOTP server searches for the BOOTP parameter file and returns the corresponding configuration information.

BOOTP is usually used in relatively stable environments. In network environments that change frequently, DHCP is more suitable.

Because a DHCP server can interact with a BOOTP client, you can use the DHCP server to assign an IP address to the BOOTP client. You do not need to configure a BOOTP server.

Obtaining an IP address dynamically

A BOOTP client dynamically obtains an IP address from a BOOTP server as follows:

1.     The BOOTP client broadcasts a BOOTP request, which contains its own MAC address.

2.     Upon receiving the request, the BOOTP server searches the configuration file for the IP address and other information according to the BOOTP client's MAC address.

3.     The BOOTP server returns a BOOTP response to the BOOTP client.

4.     The BOOTP client obtains the IP address from the received response.

A DHCP server can take the place of the BOOTP server in the following dynamic IP address acquisition.

Protocols and standards

·     RFC 951, Bootstrap Protocol (BOOTP)

·     RFC 2132, DHCP Options and BOOTP Vendor Extensions

·     RFC 1542, Clarifications and Extensions for the Bootstrap Protocol

Configuring an interface to use BOOTP for IP address acquisition

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

BOOTP client configuration applies only to Layer 3 Ethernet interfaces (including subinterfaces), Layer 3 aggregate interfaces, and VLAN interfaces.

3.     Configure an interface to use BOOTP for IP address acquisition.

ip address bootp-alloc

By default, an interface does not use BOOTP for IP address acquisition.

Display and maintenance commands for BOOTP client

Execute display command in any view.

 

Task

Command

Display BOOTP client information.

display bootp client [ interface interface-type interface-number ]

BOOTP client configuration examples

Example: Configuring BOOTP client

Network configuration

As shown in Figure 9, Switch B's port belonging to VLAN 10 is connected to the LAN. VLAN-interface 10 obtains an IP address from the DHCP server by using BOOTP.

To make the BOOTP client obtain an IP address from the DHCP server, you must perform configuration on the DHCP server. For more information, see "DHCP server configuration examples."

Procedure

The following describes the configuration on Switch B, which acts as a client.

# Configure VLAN-interface 10 to dynamically obtain an IP address from the DHCP server.

<SwitchB> system-view

[SwitchB] interface vlan-interface 10

[SwitchB-Vlan-interface10] ip address bootp-alloc

Verifying the configuration

# Display the IP address assigned to the BOOTP client.

[SwitchB] display bootp client

  • Cloud & AI
  • InterConnect
  • Intelligent Computing
  • Security
  • SMB Products
  • Intelligent Terminal Products
  • Product Support Services
  • Technical Service Solutions
All Services
  • Resource Center
  • Policy
  • Online Help
All Support
  • Become A Partner
  • Partner Policy & Program
  • Global Learning
  • Partner Sales Resources
  • Partner Business Management
  • Service Business
All Partners
  • Profile
  • News & Events
  • Online Exhibition Center
  • Contact Us
All About Us
新华三官网