With networks growing larger in size and more complicated in structure, a shortage of available IP addresses has become a common situation that network administrators have to face, and network configuration has become a demanding task for them. With the emergence of wireless networks and the use of laptops, hosts change position and IP addresses change frequently, which also calls for new technology. The Dynamic Host Configuration Protocol (DHCP) was developed against this background.
DHCP adopts a client/server model: DHCP clients send requests to DHCP servers for configuration parameters, and the DHCP servers return the corresponding configuration information, such as IP addresses, so that IP addresses are configured dynamically.
A typical DHCP application includes one DHCP server and multiple clients (such as PCs and laptops), as shown in Figure 1-1.

Figure 1-1 Typical DHCP application
Currently, DHCP provides the following three IP address assignment policies to meet the requirements of different clients:
• Manual assignment. The administrator statically binds IP addresses to a few clients with special uses (such as a WWW server). The DHCP server then assigns these fixed IP addresses to the clients.
• Automatic assignment. The DHCP server assigns IP addresses to DHCP clients. The IP addresses are occupied by the DHCP clients permanently.
• Dynamic assignment. The DHCP server assigns IP addresses to DHCP clients for a predetermined period of time. In this case, a DHCP client must apply for an IP address again when the period expires. This policy applies to most clients.
A DHCP client undergoes the following four phases to dynamically obtain an IP address from a DHCP server:
1) Discover: In this phase, the DHCP client tries to find a DHCP server by broadcasting a DHCP-DISCOVER packet.
2) Offer: In this phase, the DHCP server offers an IP address. After the DHCP server receives the DHCP-DISCOVER packet, it chooses an unassigned IP address according to the priority order of IP address assignment and then sends the IP address and other configuration information together in a DHCP-OFFER packet to the DHCP client. The sending mode (unicast or broadcast) is decided by the flag field in the DHCP-DISCOVER packet; refer to section 1.3 "DHCP Packet Format" for details.
3) Select: In this phase, the DHCP client selects an IP address. If more than one DHCP server sends DHCP-OFFER packets to the DHCP client, the DHCP client accepts only the DHCP-OFFER packet that arrives first, and then broadcasts a DHCP-REQUEST packet containing the assigned IP address carried in that DHCP-OFFER packet.
4) Acknowledge: In this phase, the DHCP servers acknowledge the IP address. Upon receiving the DHCP-REQUEST packet, only the selected DHCP server returns a DHCP-ACK packet to the DHCP client to confirm the assignment of the IP address, or returns a DHCP-NAK packet to refuse the assignment. When the client receives the DHCP-ACK packet, it broadcasts an ARP packet with the assigned IP address as the destination address to probe whether the address is already in use, and uses the IP address only if it receives no response within a specified period.
The IP addresses offered by other DHCP servers but not used by the DHCP client remain available to other clients.
After a DHCP server dynamically assigns an IP address to a DHCP client, the IP address remains valid only within a specified lease time and is reclaimed by the DHCP server when the lease expires. If the DHCP client wants to use the IP address for a longer time, it must renew the IP lease.
By default, a DHCP client renews its IP address lease automatically by unicasting a DHCP-REQUEST packet to the DHCP server when half of the lease time has elapsed. The DHCP server responds with a DHCP-ACK packet to notify the DHCP client of a new IP lease if the server can assign the same IP address to the client. Otherwise, the DHCP server responds with a DHCP-NAK packet to notify the DHCP client that the IP address will be reclaimed when the lease time expires.
If the DHCP client fails to renew its IP address lease when half of the lease time has elapsed, it tries again by broadcasting a DHCP-REQUEST packet to the DHCP servers when seven-eighths of the lease time has elapsed. The DHCP server performs the same operations as described above.
DHCP has eight types of packets. They have
the same format, but the values of some fields in the packets are different.
The DHCP packet format is based on that of the BOOTP packets. The following figure
describes the packet format (the number in the brackets indicates the field
length, in bytes):

Figure 1-2 DHCP packet format
The fields are described as follows:
• op: Operation type of the DHCP packet: 1 for request packets and 2 for response packets.
• htype, hlen: Hardware address type and hardware address length of the DHCP client.
• hops: Number of DHCP relays that the DHCP packet has passed through. Each DHCP relay that the DHCP request packet passes through increases the field value by 1.
• xid: Random number that the client selects when it initiates a request. The number is used to identify an address-requesting process.
• secs: Time elapsed since the DHCP client initiated the DHCP request.
• flags: The first bit is the broadcast response flag, which indicates whether the DHCP response packet is to be sent in unicast or broadcast mode. The other bits are reserved.
• ciaddr: IP address of the DHCP client.
• yiaddr: IP address that the DHCP server assigns to the client.
• siaddr: IP address of the DHCP server.
• giaddr: IP address of the first DHCP relay that the request packet passes through after the DHCP client sends it.
• chaddr: Hardware address of the DHCP client.
• sname: Name of the DHCP server.
• file: Path and name of the boot configuration file that the DHCP server specifies for the DHCP client.
• option: Optional variable-length fields, including the packet type, the valid lease time, the IP address of a DNS server, and the IP address of the WINS server.
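As an added example (not code from the page or from H3C), the following Python parser decodes a packet laid out as Figure 1-2 describes: the fixed header fields listed above, the magic cookie, and the option field from which the packet type (option 53) is read. The sample DHCP-DISCOVER packet is constructed here for the demonstration, and every option length is checked against the buffer so a truncated or malformed packet is rejected instead of being read past its end.

```python
import socket
import struct

HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"        # fixed 236-byte BOOTP/DHCP header
MAGIC = b"\x63\x82\x53\x63"                    # cookie that starts the option field (RFC 2132)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}   # the eight DHCP packet types

# Constructed sample (not a capture from the page): a DHCP-DISCOVER from MAC 00:11:22:33:44:55
# with the broadcast flag set, asking for options 1, 3 and 6.
SAMPLE_DISCOVER = (struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)  # op..flags
                   + b"\0" * 16                                      # ciaddr yiaddr siaddr giaddr
                   + bytes.fromhex("001122334455").ljust(16, b"\0")  # chaddr
                   + b"\0" * 192                                     # sname, file
                   + MAGIC + bytes([53, 1, 1, 55, 3, 1, 3, 6, 255])) # type, param list, end

def parse_dhcp(pkt: bytes) -> dict:
    """Decode one DHCP packet into its header fields and an {option code: value} map."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet (short header or missing magic cookie)")
    f = struct.unpack(HDR_FMT, pkt[:236])
    hlen = f[2]
    if hlen > 16:
        raise ValueError("hlen exceeds the 16-byte chaddr field")
    msg = {"op": f[0], "htype": f[1], "hlen": hlen, "hops": f[3], "xid": f[4], "secs": f[5],
           "broadcast": bool(f[6] & 0x8000),      # first bit of flags = broadcast response flag
           "ciaddr": socket.inet_ntoa(f[7]), "yiaddr": socket.inet_ntoa(f[8]),
           "siaddr": socket.inet_ntoa(f[9]), "giaddr": socket.inet_ntoa(f[10]),
           "chaddr": f[11][:hlen].hex(":"),
           "sname": f[12].split(b"\0", 1)[0].decode("ascii", "replace"),
           "file": f[13].split(b"\0", 1)[0].decode("ascii", "replace"),
           "options": {}}
    i = 240
    while i < len(pkt):                # walk TLV options; every length is checked against the buffer
        code = pkt[i]
        if code == 255:                # end option
            break
        if code == 0:                  # pad option has no length byte
            i += 1
            continue
        if i + 2 > len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("option %d runs past the end of the packet" % code)
        length = pkt[i + 1]
        msg["options"][code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    mtype = msg["options"].get(53)
    msg["type"] = MSG_TYPES.get(mtype[0], "UNKNOWN") if mtype else "BOOTP"
    return msg
```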
Protocol specifications related to DHCP
include:
• RFC2131: Dynamic Host Configuration Protocol
• RFC2132: DHCP Options and BOOTP Vendor Extensions
• RFC1542: Clarifications and Extensions for the Bootstrap Protocol
2.1 Introduction to DHCP Snooping
For the sake of security, the IP addresses used by online DHCP clients need to be tracked so that the administrator can verify the correspondence between the IP addresses the DHCP clients obtained from DHCP servers and the MAC addresses of the DHCP clients.
• Layer 3 switches can track DHCP client IP addresses through DHCP relay.
• Layer 2 switches can track DHCP client IP addresses through the DHCP snooping function, which listens to DHCP broadcast packets.
When an unauthorized DHCP server exists in the network, a DHCP client may obtain an illegal IP address. To ensure that DHCP clients obtain IP addresses from valid DHCP servers, you can use the DHCP snooping function to specify a port as a trusted port or an untrusted port.
• Trusted ports can be used to connect DHCP servers or ports of other switches. Untrusted ports can be used to connect DHCP clients or networks.
• Untrusted ports drop the DHCP-ACK and DHCP-OFFER packets received from DHCP servers. Trusted ports forward any received DHCP packets, so that DHCP clients can obtain IP addresses from valid DHCP servers.
Figure 2-1 illustrates a typical network diagram for DHCP snooping application, where Switch A is an S3100-52P series Ethernet switch.

Figure 2-1 Typical network diagram for DHCP snooping application
Figure 2-2 illustrates the interaction between a DHCP client and a DHCP server.

Figure 2-2 Interaction between a DHCP client and a DHCP server
DHCP snooping listens to the following two types of packets to retrieve the IP addresses the DHCP clients obtain from DHCP servers and the MAC addresses of the DHCP clients:
• DHCP-ACK packet
• DHCP-REQUEST packet
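The trusted/untrusted port rule and the IP-MAC binding table built from DHCP-REQUEST and DHCP-ACK packets can be modelled as below; this is an added example, not switch code from the page or from H3C. It reuses the port roles of Figure 2-1 (Ethernet1/0/1 as the trusted uplink, Ethernet1/0/2 carrying clients) and assumes one extra port, Ethernet1/0/3, behind which an unauthorized server answers; the MAC and IP addresses are constructed, and the messages are already decoded into dictionaries.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # messages that only a DHCP server originates

@dataclass
class DhcpSnooper:
    trusted: set = field(default_factory=set)     # ports configured with "dhcp-snooping trust"
    pending: dict = field(default_factory=dict)   # xid -> (client MAC, client port) seen in REQUESTs
    bindings: dict = field(default_factory=dict)  # client MAC -> (IP, port), as "display dhcp-snooping" shows
    dropped: list = field(default_factory=list)   # (port, message type) of packets the filter discarded

    def handle(self, port: str, msg: dict) -> bool:
        """Apply snooping to one DHCP message received on 'port'; True = forwarded, False = dropped."""
        mtype = msg["type"]
        # Untrusted ports drop server replies, so an unauthorized server cannot answer clients.
        if mtype in SERVER_MSGS and port not in self.trusted:
            self.dropped.append((port, mtype))
            return False
        if mtype == "REQUEST":
            # Remember which client (MAC) asked on which port; the matching ACK completes the entry.
            self.pending[msg["xid"]] = (msg["chaddr"], port)
        elif mtype == "ACK" and msg["xid"] in self.pending:
            mac, client_port = self.pending.pop(msg["xid"])
            if mac == msg["chaddr"]:
                self.bindings[mac] = (msg["yiaddr"], client_port)
        return True

def demo() -> DhcpSnooper:
    """Constructed traffic on Switch A: a client request, a bogus offer and a bogus ACK on the
    untrusted Ethernet1/0/3 (assumed port), and the real ACK arriving on the trusted uplink."""
    s = DhcpSnooper(trusted={"Ethernet1/0/1"})
    client = "00:11:22:33:44:55"   # constructed client MAC
    s.handle("Ethernet1/0/2", {"type": "REQUEST", "xid": 0x1A2B, "chaddr": client, "yiaddr": "0.0.0.0"})
    s.handle("Ethernet1/0/3", {"type": "OFFER", "xid": 0x1A2B, "chaddr": client, "yiaddr": "10.1.1.99"})
    s.handle("Ethernet1/0/1", {"type": "ACK", "xid": 0x1A2B, "chaddr": client, "yiaddr": "10.1.1.20"})
    s.handle("Ethernet1/0/3", {"type": "ACK", "xid": 0x1A2B, "chaddr": client, "yiaddr": "10.1.1.99"})
    return s
```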
Table 2-1 Configure the DHCP snooping function

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enable the DHCP snooping function | dhcp-snooping | Required. By default, the DHCP snooping function is disabled. |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Set the port connected to a DHCP server to a trusted port | dhcp-snooping trust | Optional. By default, all ports of a switch are untrusted ports. |
When you need to
enable DHCP snooping on the switches in a fabric state, configure the fabric ports
on all devices to be trusted ports to ensure that the users connected to each
device can obtain IP addresses.
After the above configurations, you can
verify the configurations by executing the display command in any view.
Table 2-2 Display DHCP snooping

| Operation | Command | Description |
|---|---|---|
| Display the user IP-MAC address mapping entries recorded by the DHCP snooping function | display dhcp-snooping [ unit unit-id ] | You can execute the display command in any view |
| Display the (enabled/disabled) state of the DHCP snooping function and the trusted ports | display dhcp-snooping trust | You can execute the display command in any view |
I. Network requirements
As shown in Figure 2-1, the Ethernet1/0/1 port of Switch A (S3100-52P) is connected to Switch B (acting as a DHCP relay). A network segment containing some DHCP clients is connected to the Ethernet1/0/2 port of Switch A.
• Enable the DHCP snooping function on Switch A.
• Set the Ethernet1/0/1 port of Switch A to a trusted port.
II. Configuration procedure
# Enter system view.
<H3C> system-view
# Enable the DHCP snooping function.
[H3C] dhcp-snooping
# Enter Ethernet1/0/1 port view.
[H3C] interface Ethernet1/0/1
# Set the port to a trusted port.
[H3C-Ethernet1/0/1] dhcp-snooping trust
As the network scale expands and the
network complexity increases, the network configurations become more and more
complex accordingly. It is usually the case that the computer locations change
(such as the portable computers in wireless networks) or the number of the
computers exceeds that of the available IP addresses. The dynamic host
configuration protocol (DHCP) is developed to meet these requirements. DHCP
adopts the client/server model, where DHCP clients request DHCP servers
dynamically for configuration information, and the DHCP servers in turn return
corresponding configuration information based on policies.
A typical DHCP implementation usually
involves a DHCP server and multiple clients (such as PCs and portable
computers), as shown in Figure 3-1.

Figure 3-1 A typical DHCP implementation
The interactions between a DHCP client and
a DHCP server are shown in Figure 3-2.

Figure 3-2 The interaction between a DHCP client and a DHCP server
To obtain a valid IP address dynamically, a
DHCP client exchanges different information with the DHCP server in different
phases. Usually, the following three phases are involved.
1) The DHCP client accesses the network for the first time
When a DHCP client accesses a network for the first time, it goes through the following four phases to establish a connection with the DHCP server.
• Discovery. The DHCP client tries to discover a DHCP server by broadcasting DHCP-DISCOVER packets in the network. Only DHCP servers respond to packets of this type.
• Offering IP addresses. Upon receiving a DHCP-DISCOVER packet, each DHCP server selects a free IP address from an address pool and sends a DHCP-OFFER packet that carries the selected IP address and other configuration information to the DHCP client.
• Selecting the IP address to be used. The DHCP client accepts and processes only the DHCP-OFFER packet that arrives first (if multiple DHCP servers send DHCP-OFFER packets to it), and broadcasts a DHCP-REQUEST packet to every DHCP server. The packet contains the IP address carried in the DHCP-OFFER packet the DHCP client accepted.
• Acknowledgement. Upon receiving the DHCP-REQUEST packet, the DHCP server that owns the IP address carried in the DHCP-REQUEST sends a DHCP-ACK packet to the DHCP client. The packet contains the offered IP address and other configuration information. The DHCP client binds the TCP/IP protocol components to its MAC address after receiving the packet.
IP addresses offered by other DHCP servers (if any) through DHCP-OFFER packets but not selected by the DHCP client remain available for other clients.
2) The DHCP client accesses the network for the second and subsequent times
In this case, the DHCP client establishes a connection with the DHCP server through the following steps.
• After accessing the network successfully for the first time, the DHCP client can access the network again by broadcasting a DHCP-REQUEST packet that contains the IP address assigned to it last time, instead of a DHCP-DISCOVER packet.
• Upon receiving the DHCP-REQUEST packet, if the IP address the client applies for is available, the DHCP server that owns the IP address responds with a DHCP-ACK packet to let the DHCP client use the IP address again.
• If the IP address is not available (for example, it has been assigned to another DHCP client), the DHCP server responds with a DHCP-NAK packet, upon which the DHCP client requests a new IP address by sending a DHCP-DISCOVER packet once again.
3) The DHCP client extends the lease of an IP address
IP addresses assigned dynamically are valid only for a specified period of time, and the DHCP servers reclaim the assigned IP addresses when these periods expire. Therefore, a DHCP client needs to extend the lease period if it is to use a dynamically assigned IP address for longer than the lease allows.
By default, a DHCP client renews its IP address lease automatically by sending DHCP-REQUEST packets to the DHCP server when half of the lease period has elapsed. The DHCP server, in turn, responds with a DHCP-ACK packet to notify the DHCP client of the new lease if the IP address is still available. An S3100-52P switch operating as a DHCP client supports this automatic lease renewal process.
A BOOTP client can request an IP address from the server through BOOTP. It goes through the following two phases to apply for an IP address.
• Sending a BOOTP request packet to the server
• Processing the BOOTP response packet received from the server
To obtain an IP address through BOOTP, a
BOOTP client first sends a BOOTP request packet to the server. Upon receiving
the request packet, the server returns a BOOTP response packet. The BOOTP
client then retrieves the assigned IP address from the response packet.
The BOOTP packets are sent using user
datagram protocol (UDP). To ensure reliable packet transmission, a timer is
triggered when a BOOTP client sends a request packet to the server. If no
response packet is received from the server after the timer times out, the
client sends the request packet again. BOOTP request packets are sent every
five seconds and three times at most. A BOOTP client stops sending BOOTP
request packets if it fails to obtain an IP address after sending three
successive BOOTP request packets.
An S3100-52P Ethernet switch can operate as
a DHCP client or BOOTP client. In this case, the IP address of the management
VLAN interface is obtained through DHCP or BOOTP.
Before configuring the management VLAN, you
need to create the VLAN that is to act as the management VLAN. As VLAN 1 is the
default VLAN, there is no need to create it if you configure VLAN 1 to be the
management VLAN.
Table 3-1 Configure a DHCP/BOOTP client

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | Required |
| Configure a specified VLAN to be the management VLAN | management-vlan vlan-id | Required. By default, VLAN 1 operates as the management VLAN. |
| Create the management VLAN interface and enter VLAN interface view | interface vlan-interface vlan-id | Required |
| Configure the way in which the management VLAN interface obtains an IP address | ip address { bootp-alloc \| dhcp-alloc } | Required. By default, no IP address is assigned to the management VLAN interface. |
I. Network requirements
Switch A operates as a DHCP client and is to be managed remotely through Telnet. The following are required:
• Switch A obtains an IP address through DHCP.
• The route between Switch A and the remote console is reachable.
To achieve this, you need to perform the following configuration on the switch:
• Configure the management VLAN interface to obtain an IP address through DHCP.
• Configure a default route.
II. Configuration procedures
# Enter system view.
<H3C> system-view
# Create VLAN 10 and configure VLAN 10 to
be the management VLAN.
[H3C] vlan 10
[H3C-vlan10] quit
[H3C] management-vlan 10
# Create VLAN 10 interface and enter VLAN
interface view.
[H3C] interface vlan-interface 10
# Configure the management VLAN interface
to obtain an IP address through DHCP.
[H3C-Vlan-interface10] ip address dhcp-alloc
[H3C-Vlan-interface10] quit
# Configure the default route.
[H3C] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
Table 3-2 Display the information about a DHCP/BOOTP client

| Operation | Command | Description |
|---|---|---|
| Display the information about IP address assignment on the DHCP client | display dhcp client [ verbose ] | Optional. You can execute the display commands in any view. |
| Display the information about the BOOTP client | display bootp client [ interface vlan-interface vlan-id ] | Optional. You can execute the display commands in any view. |