H3C S3600 Series Ethernet Switches Operation Manual-Release 1510(V1.04)

24-DHCP Operation

Table of Contents

Chapter 1 DHCP Overview
1.1 Introduction to DHCP
1.2 DHCP IP Address Assignment
1.2.1 IP Address Assignment Policy
1.2.2 Obtaining IP Addresses Dynamically
1.2.3 Updating IP Address Lease
1.3 DHCP Packet Format
1.4 DHCP Packet Processing Modes
1.5 Protocol Specification

Chapter 2 DHCP Server Configuration
2.1 Introduction to DHCP Server
2.1.1 Usage of DHCP Server
2.1.2 IRF Support
2.1.3 DHCP Address Pool
2.1.4 DHCP IP Address Preferences
2.2 Global Address Pool-Based DHCP Server Configuration
2.2.1 Configuration Overview
2.2.2 Enabling DHCP
2.2.3 Configuring Global Address Pool Mode on Interface(s)
2.2.4 Configuring How to Assign IP Addresses in a Global Address Pool
2.2.5 Configuring DNS Services for the DHCP Server
2.2.6 Configuring DHCP Server to Assign WINS Server Addresses
2.2.7 Customizing DHCP Service
2.2.8 Configuring Gateway Addresses for DHCP Clients
2.2.9 Configuring Connection Between a DHCP Global Address Pool and a BIMS Server
2.3 Interface Address Pool-based DHCP Server Configuration
2.3.1 Configuration Overview
2.3.2 Enabling DHCP
2.3.3 Configuring to Assign the IP Addresses of Interface Address Pools to DHCP Clients
2.3.4 Configuring the Mode to Assign IP Addresses to DHCP Clients
2.3.5 Configuring DNS Services for the DHCP Server
2.3.6 Configuring DHCP Servers to Assign WINS Server Addresses
2.3.7 Customizing DHCP Service
2.3.8 Configuring Connection Between the DHCP Interface Address Pool and the BIMS Server
2.4 DHCP Security Configuration
2.4.1 Prerequisites
2.4.2 Configuring Private DHCP Server Detecting
2.4.3 Configuring IP Address Detecting
2.5 Option 82 Supporting Configuration
2.5.1 Introduction to DHCP-Server Option 82
2.5.2 Configuration Prerequisites
2.5.3 Configuring the Option 82 Supporting Function
2.6 Option 184 Supporting Configuration
2.6.1 Introduction to Option 184
2.6.2 Prerequisites
2.6.3 Configuring the Option 184 Supporting Function
2.6.4 Configuration Example
2.7 Displaying and Debugging a DHCP Server
2.8 DHCP Server Configuration Example
2.9 Troubleshooting a DHCP Server

Chapter 3 DHCP Relay Configuration
3.1 Introduction to DHCP Relay
3.1.1 Usage of DHCP Relay
3.1.2 DHCP Relay Fundamentals
3.1.3 Option 82 Supporting
3.2 DHCP Relay Configuration
3.2.1 DHCP Relay Configuration Tasks
3.2.2 Enabling DHCP
3.2.3 Configuring an Interface to Operate in DHCP Relay Mode
3.2.4 Configuring DHCP Relay Security
3.2.5 Configuring Option 82 Supporting
3.3 Displaying and Debugging DHCP Relay
3.4 DHCP Relay Configuration Example
3.5 Troubleshooting DHCP Relay

Chapter 4 DHCP Snooping Configuration
4.1 Introduction to DHCP Snooping
4.2 DHCP Snooping Configuration
4.3 Displaying DHCP Snooping
4.4 Configuration Example

Chapter 5 DHCP Accounting Configuration
5.1 Introduction to DHCP Accounting
5.1.1 DHCP Accounting Fundamentals
5.2 DHCP Accounting Configuration
5.2.1 Prerequisites
5.2.2 Configuring DHCP Accounting
5.2.3 DHCP Accounting Configuration Example

 


Chapter 1  DHCP Overview

1.1  Introduction to DHCP

As networks grow larger and more complex, network administrators commonly face a shortage of available IP addresses, and network configuration becomes a demanding task. The emergence of wireless networks and the use of laptops, with hosts changing location and IP addresses changing frequently, also calls for new technology. The Dynamic Host Configuration Protocol (DHCP) was developed against this background.

DHCP adopts a client/server model: DHCP clients send requests to DHCP servers for configuration parameters, and the DHCP servers return the corresponding configuration information, such as IP addresses, so that IP addresses are configured dynamically.

A typical DHCP application includes one DHCP server and multiple clients (such as PCs and laptops), as shown in Figure 1-1.

Figure 1-1 Typical DHCP application

1.2  DHCP IP Address Assignment

1.2.1  IP Address Assignment Policy

Currently, DHCP provides the following three IP address assignment policies to meet the requirements of different clients:

• Manual assignment. The administrator statically binds IP addresses to a few clients with special uses (such as a WWW server). The DHCP server then assigns these fixed IP addresses to the clients.
• Automatic assignment. The DHCP server assigns IP addresses to DHCP clients. The DHCP clients occupy these IP addresses permanently.
• Dynamic assignment. The DHCP server assigns IP addresses to DHCP clients for a predetermined period of time. In this case, a DHCP client must apply for an IP address again when the period expires. This policy applies to most clients.

1.2.2  Obtaining IP Addresses Dynamically

A DHCP client goes through the following four phases to dynamically obtain an IP address from a DHCP server:

1) Discover: In this phase, the DHCP client tries to find a DHCP server by broadcasting a DHCP-DISCOVER packet.

2) Offer: In this phase, the DHCP server offers an IP address. After the DHCP server receives the DHCP-DISCOVER packet, it chooses an unassigned IP address according to the priority order of IP address assignment and then sends the IP address and other configuration information together in a DHCP-OFFER packet to the DHCP client. The sending mode is decided by the flags field in the DHCP-DISCOVER packet; refer to section 1.3 "DHCP Packet Format" for details.

3) Select: In this phase, the DHCP client selects an IP address. If more than one DHCP server sends DHCP-OFFER packets to the DHCP client, the DHCP client accepts only the DHCP-OFFER packet that arrives first, and then broadcasts a DHCP-REQUEST packet containing the assigned IP address carried in the DHCP-OFFER packet.

4) Acknowledge: In this phase, the DHCP servers acknowledge the IP address. Upon receiving the DHCP-REQUEST packet, only the selected DHCP server returns a DHCP-ACK packet to the DHCP client to confirm the assignment of the IP address to the client, or returns a DHCP-NAK packet to refuse the assignment of the IP address to the client. When the client receives the DHCP-ACK packet, it broadcasts an ARP packet with the assigned IP address as the destination address to detect the assigned IP address, and uses the IP address only if it does not receive any response within a specified period.

 

Note:

The IP addresses offered by other DHCP servers but not used by the DHCP client are still available to other clients.

 

1.2.3  Updating IP Address Lease

After a DHCP server dynamically assigns an IP address to a DHCP client, the IP address remains valid only within a specified lease time and is reclaimed by the DHCP server when the lease expires. If the DHCP client wants to use the IP address for a longer time, it must update the IP lease.

By default, a DHCP client updates its IP address lease automatically by unicasting a DHCP-REQUEST packet to the DHCP server when half of the lease time elapses. The DHCP server responds with a DHCP-ACK packet to notify the DHCP client of a new IP lease if the server can assign the same IP address to the client. Otherwise, the DHCP server responds with a DHCP-NAK packet to notify the DHCP client that the IP address will be reclaimed when the lease time expires.

If the DHCP client fails to update its IP address lease when half of the lease time elapses, it will update its IP address lease by broadcasting a DHCP-REQUEST packet to the DHCP servers again when seven-eighths of the lease time elapses. The DHCP server performs the same operations as those described above.

1.3  DHCP Packet Format

DHCP has eight types of packets. They have the same format, but the values of some fields in the packets are different. The DHCP packet format is based on that of the BOOTP packets. The following figure describes the packet format (the number in the brackets indicates the field length, in bytes):

Figure 1-2 DHCP packet format

The fields are described as follows:

• op: Operation types of DHCP packets, 1 for request packets and 2 for response packets.
• htype, hlen: Hardware address type and length of the DHCP client.
• hops: Number of DHCP relays which a DHCP packet passes. For each DHCP relay that the DHCP request packet passes, the field value increases by 1.
• xid: Random number that the client selects when it initiates a request. The number is used to identify an address-requesting process.
• secs: Elapsed time after the DHCP client initiates a DHCP request.
• flags: The first bit is the broadcast response flag bit. It is used to identify that the DHCP response packet is sent in the unicast or broadcast mode. Other bits are reserved.
• ciaddr: IP address of a DHCP client.
• yiaddr: IP address that the DHCP server assigns to a client.
• siaddr: IP address of the DHCP server.
• giaddr: IP address of the first DHCP relay that the request packet sent by the DHCP client passes.
• chaddr: Hardware address of the DHCP client.
• sname: Name of the DHCP server.
• file: Path and name of the boot configuration file that the DHCP server specifies for the DHCP client.
• option: Optional variable-length fields, including packet type, valid lease time, IP address of a DNS server, and IP address of the WINS server.
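The field layout above, as an added example that is not part of the H3C manual: a Python parser for the fixed header and the option field. Field lengths, the magic cookie and the option codes (53 message type, 51 lease time, 6 DNS servers, 44 WINS servers) follow RFC 2131 and RFC 2132; the function names are hypothetical and the sample packet is constructed.

```python
import ipaddress
import struct

# Fixed header in the order listed above (lengths in bytes, per RFC 2131):
# op(1) htype(1) hlen(1) hops(1) xid(4) secs(2) flags(2) ciaddr(4) yiaddr(4)
# siaddr(4) giaddr(4) chaddr(16) sname(64) file(128) = 236 bytes.
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = bytes([99, 130, 83, 99])  # precedes the variable-length options
BROADCAST_FLAG = 0x8000                  # first bit of the 16-bit flags field
MESSAGE_TYPES = {1: "DHCP-DISCOVER", 2: "DHCP-OFFER", 3: "DHCP-REQUEST",
                 4: "DHCP-DECLINE", 5: "DHCP-ACK", 6: "DHCP-NAK",
                 7: "DHCP-RELEASE", 8: "DHCP-INFORM"}


def parse_options(data):
    """Walk the code/length/value list and reject truncated options."""
    options, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:            # pad option, single byte
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 2 > len(data):
            raise ValueError("option %d has no length byte" % code)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d overruns the packet" % code)
        options[code] = value
        i += 2 + length
    return options


def _addresses(value):
    """Split an option value into dotted IPv4 addresses."""
    if len(value) % 4:
        raise ValueError("address list is not a multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(value[i:i + 4]))
            for i in range(0, len(value), 4)]


def _text(raw):
    """Decode a NUL-padded fixed-width text field (sname, file)."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_dhcp(packet):
    """Decode one DHCP packet into a dict keyed by the field names above."""
    if len(packet) < HEADER.size + len(MAGIC_COOKIE):
        raise ValueError("packet shorter than the fixed DHCP header")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr,
     giaddr, chaddr, sname, bootfile) = HEADER.unpack_from(packet)
    if op not in (1, 2):
        raise ValueError("op must be 1 (request) or 2 (response)")
    if hlen > 16:
        raise ValueError("hlen exceeds the 16-byte chaddr field")
    if packet[HEADER.size:HEADER.size + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options = parse_options(packet[HEADER.size + 4:])
    msg, lease = options.get(53), options.get(51)
    return {
        "op": "request" if op == 1 else "response",
        "htype": htype,
        "hops": hops,
        "xid": xid,
        "secs": secs,
        "broadcast_reply": bool(flags & BROADCAST_FLAG),
        "ciaddr": _addresses(ciaddr)[0],
        "yiaddr": _addresses(yiaddr)[0],
        "siaddr": _addresses(siaddr)[0],
        "giaddr": _addresses(giaddr)[0],
        "chaddr": ":".join("%02x" % b for b in chaddr[:hlen]),
        "sname": _text(sname),
        "file": _text(bootfile),
        "message_type": (MESSAGE_TYPES.get(msg[0], "unknown")
                         if msg and len(msg) == 1 else None),
        "lease_seconds": (struct.unpack("!I", lease)[0]
                          if lease and len(lease) == 4 else None),
        "dns_servers": _addresses(options.get(6, b"")),
        "wins_servers": _addresses(options.get(44, b"")),
    }


def build_sample_offer():
    """Constructed DHCP-OFFER that passed one relay; all values are made up."""
    def ip(text):
        return ipaddress.IPv4Address(text).packed
    header = HEADER.pack(2, 1, 6, 1, 0x3903F326, 0, BROADCAST_FLAG,
                         ip("0.0.0.0"), ip("10.1.1.5"), ip("10.1.1.1"),
                         ip("10.1.2.1"), bytes.fromhex("020000000001"),
                         b"", b"")
    options = (bytes([53, 1, 2]) + bytes([51, 4]) + struct.pack("!I", 86400)
               + bytes([6, 4]) + ip("10.1.1.2")
               + bytes([44, 4]) + ip("10.1.1.4") + bytes([255]))
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    for field, value in parse_dhcp(build_sample_offer()).items():
        print("%-16s %s" % (field, value))
```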

1.4  DHCP Packet Processing Modes

After DHCP is enabled on a device, the device processes the DHCP packets received from a DHCP client in one of the following three modes, depending on your configuration:

• Global address pool: In response to the DHCP packets received from DHCP clients, the DHCP server picks IP addresses from its global address pools and assigns them to the DHCP clients.
• Interface address pool: In response to the DHCP packets received from DHCP clients, the DHCP server picks IP addresses from the interface address pools and assigns them to the DHCP clients. If there is no available IP address in the interface address pools, the DHCP server picks IP addresses from its global address pool that contains the interface address pool segment and assigns them to the DHCP clients.
• Relay: DHCP packets received from DHCP clients are forwarded to an external DHCP server, which assigns IP addresses to the DHCP clients.

You can specify the mode in which DHCP packets are processed. For the configuration of the first two modes, see Chapter 2 DHCP Server Configuration. For the configuration of the relay mode, see Chapter 3 DHCP Relay Configuration.

An interface can operate in only one mode at a time. If you configure a new mode on an interface, the new configuration overwrites the previous one.

1.5  Protocol Specification

Protocol specifications related to DHCP include:

• RFC2131: Dynamic Host Configuration Protocol
• RFC2132: DHCP Options and BOOTP Vendor Extensions
• RFC1542: Clarifications and Extensions for the Bootstrap Protocol

 


Chapter 2  DHCP Server Configuration

 

The contents of this chapter are only applicable to the S3600-EI series among S3600 series switches.

 

2.1  Introduction to DHCP Server

2.1.1  Usage of DHCP Server

Generally, DHCP servers are used in the following networks to assign IP addresses:

• Large networks, where manual configuration imposes a heavy workload and makes it difficult to manage the whole network centrally.
• Networks where the number of available IP addresses is less than the number of hosts. In this type of network, there are not enough IP addresses for every host to obtain a fixed IP address, and the number of on-line users is limited (such is the case in an ISP network). In these networks, a great number of hosts must obtain IP addresses dynamically through DHCP.
• Networks where only a few hosts need fixed IP addresses and most hosts do not.

2.1.2  IRF Support

In an IRF (intelligent resilient framework) system, DHCP servers operate in a centralized way to fit the IRF environment.

• DHCP servers run (as tasks) on all the units (including the master unit and the slave units) in a Fabric system. However, only the one running on the master unit receives and sends packets and carries out all the functions of a DHCP server. Those running on the slave units operate only as backup tasks of the one running on the master unit.
• When a slave unit receives a DHCP-REQUEST packet, it redirects the packet to the DHCP server on the master unit, which returns a DHCP-ACK/DHCP-NAK packet to the DHCP client and at the same time backs up the related information to the slave units. In this way, when the current master unit fails, one of the slaves can become the master and operate as the DHCP server immediately.
• DHCP is a UDP-based protocol operating at the application layer. When a DHCP server in a fabric system runs on a Layer 2 network device, DHCP packets are directly forwarded by hardware instead of being delivered to the DHCP server or being redirected to the master unit by UDP HELPER. This idles the DHCP server. DHCP packets can be redirected to the DHCP server on the master unit by UDP HELPER only when the Layer 2 device is upgraded to a Layer 3 device.

 

Caution:

• When you merge two or more IRF systems into one IRF system, a new master unit is elected, and the new IRF system adopts new configurations accordingly. This may result in the existing system configurations (including the address pools configured for the DHCP servers) being lost. As the new IRF system cannot inherit the original DHCP server configurations, you need to perform DHCP server configurations for it.
• When an IRF system is split into multiple new IRF systems, some of the new IRF systems may be degraded to Layer 2 devices. For a new IRF system degraded to a Layer 2 device, although the original DHCP server still exists in the new system, it runs idle because it cannot receive any packets. When the IRF system is restored to a Layer 3 device by being merged into a new IRF system, it adopts the configurations of the new IRF system, and you need to perform DHCP server configurations if the new IRF system does not have DHCP server-related configurations.
• In an IRF system, the UDP HELPER function must be enabled on the DHCP servers that are in fabric state.

 

2.1.3  DHCP Address Pool

A DHCP address pool holds the IP addresses to be assigned to DHCP clients. When a DHCP server receives a DHCP request from a DHCP client, it selects an address pool depending on the configuration, picks an IP address from the pool and sends the IP address and other related parameters (such as the IP address of the DNS server, and the lease time of the IP address) to the DHCP client.

I. Types of address pool

The address pools of a DHCP server fall into two types: global address pool and interface address pool.

• A global address pool is created by executing the dhcp server ip-pool command in system view. It is valid on the current device.
• If an interface is configured with a valid unicast IP address, you can create an interface-based address pool for the interface by executing the dhcp select interface command in interface view. The IP addresses an interface address pool holds belong to the network segment the interface resides in and are available to the interface only.

II. The structure of an address pool

The address pools of a DHCP server are hierarchically organized in a tree-like structure. The root holds the IP address of the natural network segment, the branches hold the subnet IP addresses, and the leaves hold the IP addresses that are manually bound to specific clients. Address pools of the same level are sorted by their configuration precedence order. Such a structure enables configurations to be inherited. That is, the configurations of the natural network segment can be inherited by its subnets, whose configurations in turn can be inherited by their client addresses. So, for the parameters that are common to the whole network segment or to some subnets (such as the domain name), you only need to configure them on the network segment or the corresponding subnets. The details of configuration inheritance are as follows:

1) A newly created child address pool inherits the configurations of its parent address pool.

2) For an existing parent-child address pool pair, when you perform a new configuration on the parent address pool:

• The child address pool inherits the new configuration if there is no corresponding configuration on the child address pool.
• The child address pool does not inherit the new configuration if there is already a corresponding configuration on the child address pool.

2.1.4  DHCP IP Address Preferences

Interfaces of the DHCP server can work in the global address pool mode or in the interface address pool mode. If the DHCP server works in the interface address pool mode, it picks IP addresses from the interface address pools and assigns them to the DHCP clients. If there is no available IP address in the interface address pools, the DHCP server picks IP addresses from its global address pool that contains the interface address pool segment and assigns them to the DHCP clients.

A DHCP server assigns IP addresses in interface address pools or global address pools to DHCP clients in the following sequence:

• IP addresses that are statically bound to the MAC addresses of DHCP clients or to client IDs.
• IP addresses that were previously used by the DHCP clients, that is, those in the assigned leases recorded by the DHCP server. If there is no record in the leases and the DHCP-DISCOVER packets sent by DHCP clients contain option 50 fields, the DHCP server assigns the IP address requested by option 50.
• The first IP address found among the available IP addresses in the DHCP address pool.
• If no IP address is available, the DHCP server queries lease-expired and conflicted IP addresses. If the DHCP server finds such IP addresses, it assigns them; otherwise the DHCP server does not assign an IP address.
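The assignment sequence above, modelled as an added Python example (not H3C code). The class and method names are hypothetical, and the checks that a remembered or requested address must lie inside the pool and be unassigned are assumptions the manual does not spell out; the model also applies the rule from section 2.2.4 that a statically bound address is still assigned when it is listed as forbidden.

```python
import ipaddress


class PoolModel:
    """Simplified model of one DHCP address pool (hypothetical names)."""

    def __init__(self, network, forbidden=(), static_bindings=None):
        self.hosts = list(ipaddress.ip_network(network).hosts())
        self.forbidden = {ipaddress.ip_address(a) for a in forbidden}
        # MAC address or client ID -> statically bound address
        self.static = {key: ipaddress.ip_address(addr)
                       for key, addr in (static_bindings or {}).items()}
        self.active = {}      # address -> client holding the lease
        self.history = {}     # client -> address recorded in its last lease
        self.expired = []     # addresses whose lease ran out, oldest first
        self.conflicted = []  # addresses found in use by another host

    def _assignable(self, addr, allow_reclaim=False):
        if addr not in self.hosts or addr in self.forbidden:
            return False
        if addr in self.active or addr in self.static.values():
            return False
        if not allow_reclaim and (addr in self.expired
                                  or addr in self.conflicted):
            return False
        return True

    def _lease(self, client, addr, reason):
        self.active[addr] = client
        self.history[client] = addr
        for queue in (self.expired, self.conflicted):
            if addr in queue:
                queue.remove(addr)
        return str(addr), reason

    def expire(self, client):
        """Lease timeout; statically bound addresses are permanent."""
        for addr, holder in list(self.active.items()):
            if holder == client and addr not in self.static.values():
                del self.active[addr]
                self.expired.append(addr)

    def allocate(self, client, requested=None):
        """Return (address, reason), or None when nothing can be assigned."""
        # 1) Static binding: wins even if the address is forbidden.
        if client in self.static:
            return self._lease(client, self.static[client], "static")
        # 2) Address from the client's recorded lease; option 50 is
        #    consulted only when there is no such record.
        previous = self.history.get(client)
        if previous is not None:
            if (previous not in self.conflicted
                    and self._assignable(previous, allow_reclaim=True)):
                return self._lease(client, previous, "previous-lease")
        elif requested is not None:
            wanted = ipaddress.ip_address(requested)
            if self._assignable(wanted):
                return self._lease(client, wanted, "option-50")
        # 3) First available address in the pool.
        for addr in self.hosts:
            if self._assignable(addr):
                return self._lease(client, addr, "first-free")
        # 4) Only now look at lease-expired and conflicted addresses.
        for addr in self.expired + self.conflicted:
            if self._assignable(addr, allow_reclaim=True):
                return self._lease(client, addr, "reclaimed")
        return None


def run_constructed_scenario():
    """Constructed /29 pool: .1 and .2 forbidden, .2 statically bound."""
    pool = PoolModel("192.168.10.0/29",
                     forbidden=["192.168.10.1", "192.168.10.2"],
                     static_bindings={"02:00:00:00:00:aa": "192.168.10.2"})
    results = [pool.allocate("02:00:00:00:00:aa"),
               pool.allocate("client-b", requested="192.168.10.5"),
               pool.allocate("client-c")]
    pool.expire("client-b")
    results.append(pool.allocate("client-b", requested="192.168.10.6"))
    results.append(pool.allocate("client-d"))
    results.append(pool.allocate("client-e"))
    results.append(pool.allocate("client-f"))   # pool exhausted
    pool.expire("client-c")
    results.append(pool.allocate("client-f"))   # reclaims the expired lease
    return results


if __name__ == "__main__":
    for outcome in run_constructed_scenario():
        print(outcome)
```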

2.2  Global Address Pool-Based DHCP Server Configuration

2.2.1  Configuration Overview

Table 2-1 Configure global address pool-based DHCP server

| Configuration task | Description | Related section |
| --- | --- | --- |
| Enable DHCP | Required | 2.2.2 Enabling DHCP |
| Configure global address pool mode on interface(s) | Optional | 2.2.3 Configuring Global Address Pool Mode on Interface(s) |
| Configure the interface(s) to operate in global address pool mode: configure to bind IP address statically to a DHCP client | One of the two options is required. Only one mode can be selected for the same global address pool. | 2.2.4 Configuring How to Assign IP Addresses in a Global Address Pool |
| Configure the interface(s) to operate in global address pool mode: configure to assign IP addresses dynamically | One of the two options is required. Only one mode can be selected for the same global address pool. | 2.2.4 Configuring How to Assign IP Addresses in a Global Address Pool |
| Configure DNS services for the DHCP server | Optional | 2.2.5 Configuring DNS Services for the DHCP Server |
| Configure NetBIOS services for the DHCP server | Optional | 2.2.6 Configuring DHCP Server to Assign WINS Server Addresses |
| Customize DHCP service | Optional | 2.2.7 Customizing DHCP Service |
| Configure the gateway IP address for DHCP clients | Optional | 2.2.8 Configuring Gateway Addresses for DHCP Clients |
| Configure the connection between the DHCP global address pool and the BIMS server | Optional | 2.2.9 Configuring Connection Between a DHCP Global Address Pool and a BIMS Server |

 

2.2.2  Enabling DHCP

You need to enable DHCP before performing other DHCP-related configurations, which take effect only after DHCP is enabled.

Table 2-2 Enable DHCP

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Enable DHCP | dhcp enable | Required. By default, DHCP is enabled. |

 

Note:

To improve security and prevent malicious attacks on unused sockets, S3600 Ethernet switches provide the following functions:

• UDP 67 and UDP 68 ports used by DHCP are enabled only when DHCP is enabled.
• UDP 67 and UDP 68 ports are disabled when DHCP is disabled.

The corresponding implementation is as follows:

• After DHCP is enabled by executing the dhcp enable command, if the DHCP server and DHCP relay functions are not configured, UDP 67 and UDP 68 ports are kept disabled; if the DHCP server / DHCP relay function is configured, UDP 67 and UDP 68 ports are enabled.
• After DHCP is disabled by executing the undo dhcp enable command, even if the DHCP server and DHCP relay functions are configured, UDP 67 and UDP 68 ports will be disabled.

 

2.2.3  Configuring Global Address Pool Mode on Interface(s)

You can configure the global address pool mode on the specified or all interfaces of a DHCP server. After that, when the DHCP server receives DHCP packets from DHCP clients through these interfaces, it assigns IP addresses in the global address pool to the DHCP clients.

Table 2-3 Configure the global address pool mode on interface(s)

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Configure the specified interface(s) or all the interfaces to operate in global address pool mode: configure the current interface | interface interface-type interface-number | Optional. By default, the interface operates in global address pool mode. |
| | dhcp select global | |
| | quit | |
| Configure the specified interface(s) or all the interfaces to operate in global address pool mode: configure multiple interfaces simultaneously in system view | dhcp select global { interface interface-type interface-number [ to interface-type interface-number ] \| all } | Optional. By default, the interface operates in global address pool mode. |

 

2.2.4  Configuring How to Assign IP Addresses in a Global Address Pool

You can bind an IP address in a global address pool statically to a DHCP client, or assign the IP addresses in the pool dynamically to DHCP clients, as needed. In a global address pool, you can only bind one IP address statically to a DHCP client and assign other IP addresses in the pool dynamically to DHCP clients.

For dynamic IP address assignment, you need to specify the range of the IP addresses to be dynamically assigned. For static IP address binding, you can regard the IP address statically bound to a DHCP client as coming from a special DHCP address pool that contains only one IP address.

I. Configuring to assign IP addresses by static binding

Some DHCP clients, such as WWW servers, need fixed IP addresses. This can be achieved by binding IP addresses to the MAC addresses of these DHCP clients. When such a DHCP client applies for an IP address, the DHCP server searches for the IP address corresponding to the MAC address of the DHCP client and assigns the IP address to the DHCP client.

When some DHCP clients send DHCP-DISCOVER packets to the DHCP server to apply for IP addresses, they construct client IDs and add them in the DHCP-DISCOVER packets. The DHCP server finds the corresponding IP addresses based on the client IDs and assigns them to the DHCP clients.

Currently, only one IP address in a global DHCP address pool can be statically bound to a MAC address or a client ID.

Table 2-4 Configure to assign IP addresses by static binding

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Create a DHCP address pool and enter DHCP address pool view | dhcp server ip-pool pool-name | Required. By default, no global DHCP address pool is created. |
| Configure an IP address to be statically bound | static-bind ip-address ip-address [ mask mask ] | Required. By default, no IP address is statically bound. |
| Bind an IP address to the MAC address of a DHCP client or a client ID statically: configure the MAC address to which the IP address is to be statically bound | static-bind mac-address mac-address | One of these two options is required. By default, no MAC address or client ID to which an IP address is to be statically bound is configured. |
| Bind an IP address to the MAC address of a DHCP client or a client ID statically: configure the client ID to which the IP address is to be statically bound | static-bind client-identifier client-identifier | One of these two options is required. By default, no MAC address or client ID to which an IP address is to be statically bound is configured. |

 

Note:

• The static-bind ip-address command and the static-bind mac-address command or the static-bind client-identifier command must be coupled.
• In the same global DHCP address pool, if you configure the static-bind client-identifier command after configuring the static-bind mac-address command, the new configuration overwrites the previous one, and vice versa.
• In the same global DHCP address pool, if the static-bind ip-address command, the static-bind mac-address command, or the static-bind client-identifier command is executed repeatedly, the new configuration overwrites the previous one.
• The IP address to be statically bound cannot be an interface IP address of the DHCP server; otherwise static binding does not take effect.
• A client can permanently use the statically-bound IP address that it has obtained. The IP address is not limited by the lease time of the IP addresses in the address pool.

 

Note:

To improve security and prevent malicious attacks on unused sockets, S3600 Ethernet switches provide the following functions:

• UDP 67 and UDP 68 ports used by DHCP are enabled only when DHCP is enabled.
• UDP 67 and UDP 68 ports are disabled when DHCP is disabled.

The corresponding implementation is as follows:

• After a DHCP address pool is created by executing the dhcp server ip-pool command, the UDP 67 and UDP 68 ports used by DHCP are enabled.
• After a DHCP address pool is deleted by executing the undo dhcp server ip-pool command and all other DHCP functions are disabled, UDP 67 and UDP 68 ports used by DHCP are disabled accordingly.

 

II. Configuring to assign IP addresses dynamically

IP addresses dynamically assigned to DHCP clients (including those that are permanently leased and those that are temporarily leased) belong to address segments that are specified in advance. Currently, an address pool can contain only one address segment, whose range is determined by the subnet mask.

To avoid IP address conflicts, the IP addresses to be dynamically assigned to DHCP clients are those that are not occupied by specific network devices (such as gateways and FTP servers).

The lease time can differ between address pools, but all the IP addresses of the same address pool have the same lease time. Lease time is not inherited; that is, the lease time of a child address pool is not affected by the configuration of the parent address pool.

Table 2-5 Configure to assign IP addresses dynamically

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Create a DHCP address pool and enter DHCP address pool view | dhcp server ip-pool pool-name | Required. By default, no global DHCP address pool is created. |
| Set the IP address segment whose IP addresses are to be assigned dynamically | network ip-address [ mask mask ] | Required. By default, no IP address segment is set. That is, no IP address is available for being assigned. |
| Configure the lease time | expired { day day [ hour hour [ minute minute ] ] \| unlimited } | Optional. The default lease time is one day. |
| Return to system view | quit | - |
| Specify the IP addresses that are not dynamically assigned | dhcp server forbidden-ip low-ip-address [ high-ip-address ] | Optional. By default, all IP addresses in a DHCP address pool are available for being dynamically assigned. |

 

Note:

• In the same DHCP global address pool, the network command can be executed repeatedly. In this case, the new configuration overwrites the previous one.
• The dhcp server forbidden-ip command can be executed repeatedly. That is, you can configure multiple IP addresses that are not dynamically assigned to DHCP clients.
• If an IP address that is not to be automatically assigned has been configured as a statically-bound IP address, the DHCP server still assigns this IP address to the client whose MAC address has been bound.

 

2.2.5  Configuring DNS Services for the DHCP Server

If a host accesses the Internet through domain names, DNS (domain name system) is needed to translate the domain names into the corresponding IP addresses. To enable DHCP clients to access the Internet through domain names, a DHCP server is required to provide DNS server addresses while assigning IP addresses to DHCP clients. Currently, you can configure up to eight DNS server addresses for a DHCP address pool.

On a DHCP server, you can configure domain names to be used by DHCP clients for address pools. After you do this, the DHCP server provides the domain names together with the assigned IP addresses to the DHCP clients.

Table 2-6 Configure DNS services for the DHCP server

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Create a DHCP address pool and enter DHCP address pool view | dhcp server ip-pool pool-name | Required. By default, no global DHCP address pool is created. |
| Configure a domain name for DHCP clients | domain-name domain-name | Required. By default, no domain name is configured for DHCP clients. |
| Configure DNS server addresses for DHCP clients | dns-list ip-address&<1-8> | Required. By default, no DNS server address is configured. |

 

2.2.6  Configuring DHCP Server to Assign WINS Server Addresses

For Microsoft Windows-based DHCP clients that communicate through NetBIOS protocol, the host name-to-IP address translation is carried out by Windows internet naming service (WINS) servers. So you need to perform WINS-related configuration for most Windows-based hosts. Currently, you can configure up to eight WINS addresses for a DHCP address pool.

Host name-to-IP address mappings are needed for DHCP clients communicating through the NetBIOS protocol. According to the way the mapping is established, NetBIOS nodes fall into the following four categories:

• B-node. Nodes of this type establish their mappings through broadcasting (the character b stands for the word broadcast). The source node obtains the IP address of the destination node by sending a broadcast packet containing the host name of the destination node. After receiving the broadcast packet, the destination node returns its IP address to the source node.
• P-node. Nodes of this type establish their mappings by sending unicast packets to WINS servers (the character p stands for peer-to-peer). The source node sends the unicast packet to the WINS server. After receiving the unicast packet, the WINS server returns the IP address corresponding to the destination node name to the source node.
• M-node. Nodes of this type are p-nodes mixed with broadcasting features (the character m stands for the word mixed). That is, nodes of this type obtain mappings by sending broadcast packets first. If they fail to obtain mappings, they send unicast packets to the WINS server to obtain mappings.
• H-node. Nodes of this type are b-nodes mixed with peer-to-peer features (the character h stands for the word hybrid). That is, nodes of this type obtain mappings by sending unicast packets to WINS servers first. If they fail to obtain mappings, they send broadcast packets to obtain mappings.

Table 2-7 Configure DHCP server to assign WINS server addresses

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Create a DHCP address pool and enter DHCP address pool view | dhcp server ip-pool pool-name | Required. By default, no global DHCP address pool is created. |
| Configure WINS server addresses for DHCP clients | nbns-list ip-address&<1-8> | Required. By default, no WINS server address is configured. |
| Configure DHCP clients to be of a specific NetBIOS node type | netbios-type { b-node \| h-node \| m-node \| p-node } | Optional. By default, no NetBIOS node type of the DHCP client is specified and a DHCP client uses an h-node. |

 

2.2.7  Customizing DHCP Service

With the evolution of DHCP, new options are constantly coming into being. You can add the new options as the properties of DHCP servers by performing the following configuration.

Table 2-8 Customize DHCP service

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Create a DHCP address pool and enter DHCP address pool view | dhcp server ip-pool pool-name | Required. By default, no global DHCP address pool is created. |
| Configure customized options | option code { ascii ascii-string \| hex hex-string&<1-10> \| ip-address ip-address&<1-8> } | Required. By default, no customized option is configured. |

2.2.8  Configuring Gateway Addresses for DHCP Clients

Gateways are necessary for DHCP clients to access servers/hosts outside the current network segment. After you configure gateway addresses on a DHCP server, the DHCP server provides the gateway addresses to DHCP clients as well while assigning IP addresses to them.

You can configure gateway addresses for address pools on a DHCP server. Currently, you can configure up to eight gateway addresses for a DHCP address pool.

Table 2-9 Configure gateway addresses for DHCP clients

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Create a DHCP address pool and enter DHCP address pool view | dhcp server ip-pool pool-name | Required. By default, no global DHCP address pool is created. |
| Configure gateway addresses for DHCP clients | gateway-list ip-address&<1-8> | Required. By default, no gateway address is configured. |

2.2.9  Configuring Connection Between a DHCP Global Address Pool and a BIMS Server

Branch intelligent management system (BIMS) is network management software provided by H3C Technologies Co., Ltd. With BIMS you can manage and monitor, in a unified and effective way, network devices that obtain IP addresses dynamically.

After configuring the connection between the DHCP global address pool and the BIMS server, you can enable the BIMS server to manage the devices that have obtained IP addresses from the global address pool.

Table 2-10 Configure connection between a DHCP global address pool and a BIMS server

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Create a DHCP address pool and enter DHCP address pool view | dhcp server ip-pool pool-name | Required. By default, no DHCP global address pool is created. |
| Configure the connection between the DHCP global address pool and the BIMS server | bims-server ip ip-address [ port port-number ] sharekey key | Required. By default, no connection between the DHCP global address pool and the BIMS server is configured. |

2.3  Interface Address Pool-based DHCP Server Configuration

 

  Caution:

In the interface address pool mode, after the addresses in the interface address pool have been assigned, the DHCP server picks IP addresses from the global interface address pool containing the segment of the interface address pool and assigns them to the DHCP clients. As a result, the IP addresses obtained from global address pools and those obtained from interface address pools are not in the same network segment, so the clients cannot interoperate with each other.

Therefore, in the interface address pool mode, if the IP addresses in the same address pool are required to be assigned to the clients on the same VLAN interface, the number of clients that obtain IP addresses automatically cannot exceed the number of the IP addresses that can be assigned in the interface address pool.

 

2.3.1  Configuration Overview

An interface address pool is created when the interface is assigned a valid unicast IP address and you execute the dhcp select interface command in interface view. The IP addresses contained in it belong to the network segment where the interface resides and are available to the interface only.

You can perform certain configurations for the DHCP address pool of one interface or for those of multiple interfaces within specified interface ranges. Configuring multiple interfaces at a time reduces the configuration workload and is more convenient.

Table 2-11 Overview of interface address pool-based DHCP server configuration

| Configuration task | Description | Related section |
| --- | --- | --- |
| Enable DHCP | Required | 2.3.2 Enabling DHCP |
| Configure to assign the IP addresses of the local interface-based address pools to DHCP clients | Required | 2.3.3 Configuring to Assign the IP Addresses of Interface Address Pools to DHCP Clients |
| Configure to assign IP addresses of DHCP interface address pool to DHCP clients: configure to bind IP address statically to DHCP clients | You must choose at least one of the two options. The two options can be configured at the same time. | 2.3.4 Configuring the Mode to Assign IP Addresses to DHCP Clients |
| Configure to assign IP addresses of DHCP interface address pool to DHCP clients: configure to assign IP addresses dynamically | | |
| Configure DNS service for the DHCP server | Optional | 2.3.5 Configuring DNS Services for the DHCP Server |
| Configure NetBIOS service for the DHCP server | Optional | 2.3.6 Configuring DHCP Servers |
| Customize DHCP service | Optional | 2.3.7 Customizing DHCP Service |
| Configure the connection between the DHCP interface address pool and the BIMS server | Optional | 2.3.8 Configuring Connection Between the DHCP Interface Address Pool and the BIMS Server |

2.3.2  Enabling DHCP

You need to enable DHCP before performing DHCP configurations. DHCP-related configurations are valid only when DHCP is enabled.

Table 2-12 Enable DHCP

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Enable DHCP | dhcp enable | Required. By default, DHCP is enabled |

2.3.3  Configuring to Assign the IP Addresses of Interface Address Pools to DHCP Clients

If the DHCP server works in the interface address pool mode, it picks IP addresses from the interface address pools and assigns them to the DHCP clients. If there is no available IP address in the interface address pools, the DHCP server picks IP addresses from its global address pool that contains the interface address pool segment and assigns them to the DHCP clients.

Table 2-13 Configure to assign the IP addresses of interface address pools to DHCP clients

| Operation | Method | Command | Description |
| --- | --- | --- | --- |
| Enter system view | | system-view | - |
| Configure to assign the IP addresses of interface address pools to DHCP clients | Configure the current interface | interface interface-type interface-number | Required. By default, a DHCP server assigns the IP addresses of the global address pool to DHCP clients. |
| | | dhcp select interface | |
| | | quit | |
| | Configure multiple interfaces in system view | dhcp select interface { interface interface-type interface-number [ to interface-type interface-number ] \| all } | |

Note:

To improve security and prevent malicious attacks on unused sockets, S3600 Ethernet switches provide the following functions:

• UDP ports 67 and 68, which are used by DHCP, are enabled only when DHCP is enabled.

• UDP ports 67 and 68 are disabled when DHCP is disabled.

The corresponding implementation is as follows:

• After a DHCP interface address pool is created by executing the dhcp select interface command, UDP ports 67 and 68 used by DHCP are enabled.

• After a DHCP interface address pool is deleted by executing the undo dhcp select interface command and all other DHCP functions are disabled, UDP ports 67 and 68 used by DHCP are disabled accordingly.

2.3.4  Configuring the Mode to Assign IP Addresses to DHCP Clients

IP addresses of an interface address pool can be statically bound to DHCP clients or dynamically allocated to DHCP clients.

I. Configuring to assign IP addresses by static binding

Some DHCP clients, such as WWW servers, need fixed IP addresses. This is achieved by binding IP addresses to the MAC addresses of these DHCP clients. When such a DHCP client applies for an IP address, the DHCP server finds the IP address corresponding to the MAC address of the DHCP client, and then assigns the IP address to the DHCP client.

When some DHCP clients send DHCP-DISCOVER packets to the DHCP server to apply for IP addresses, they construct client IDs and add them in the DHCP-DISCOVER packets. The DHCP server finds the corresponding IP addresses based on the client IDs and assigns them to the DHCP clients.

Table 2-14 Configure to assign IP addresses by static binding

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Enter interface view | interface interface-type interface-number | - |
| Configure static binding | dhcp server static-bind ip-address ip-address { client-identifier client-identifier \| mac-address mac-address } | Required. By default, static binding is not configured |

Note:

• The IP addresses statically bound in interface address pools and the interface IP addresses must be in the same segment.

• There is no limit to the number of IP addresses statically bound in an interface address pool, but the IP addresses statically bound in interface address pools and the interface IP addresses must be in the same segment.

• An IP address can be statically bound to only one MAC address or one client ID. A MAC address or client ID can be bound with only one IP address statically.

• The IP address to be statically bound cannot be an interface IP address of the DHCP server; otherwise the static binding does not take effect.
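An added example (not part of the original manual and not H3C code): an offline checker that applies the binding rules in the note above to a planned configuration before it is entered on the switch. The sample configuration, MAC addresses and client ID are constructed, and checking uniqueness per interface address pool is an assumption.

```python
import ipaddress
import re

ADDR_RE = re.compile(r"^ip address (\S+) (\S+)$")
BIND_RE = re.compile(
    r"^dhcp server static-bind ip-address (\S+) "
    r"(client-identifier|mac-address) (\S+)$"
)


def parse_config(text):
    """Collect the interface address and static bindings of each interface."""
    pools, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line[len("interface "):].strip()
            pools.setdefault(current, {"addr": None, "binds": []})
        elif line in ("quit", "#"):
            current = None
        elif current is not None:
            m = ADDR_RE.match(line)
            if m:
                pools[current]["addr"] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")
                continue
            m = BIND_RE.match(line)
            if m:
                ip = ipaddress.IPv4Address(m[1])
                pools[current]["binds"].append((ip, (m[2], m[3].lower())))
    return pools


def lint_static_binds(text):
    """Return (interface, ip, reason) for every binding that breaks a rule."""
    pools = parse_config(text)
    # Every interface address configured on the server is off limits.
    server_ips = {p["addr"].ip for p in pools.values() if p["addr"]}
    problems = []
    for name, pool in pools.items():
        by_ip, by_client = {}, {}
        for ip, client in pool["binds"]:
            if pool["addr"] is None:
                problems.append((name, str(ip), "interface has no IP address"))
            elif ip not in pool["addr"].network:
                problems.append((name, str(ip), "not in the interface segment"))
            if ip in server_ips:
                problems.append(
                    (name, str(ip), "is an interface IP address of the DHCP server"))
            # One IP address <-> one MAC address or client ID, in both directions.
            if by_ip.setdefault(ip, client) != client:
                problems.append((name, str(ip), "already bound to another client"))
            if by_client.setdefault(client, ip) != ip:
                problems.append(
                    (name, str(ip), "client already bound to another IP address"))
    return problems


# Constructed sample: one valid binding followed by four rule violations.
SAMPLE_CONFIG = """
interface Vlan-interface2
 ip address 10.1.1.1 255.255.255.0
 dhcp select interface
 dhcp server static-bind ip-address 10.1.1.10 mac-address 0200-0000-0001
 dhcp server static-bind ip-address 10.1.2.20 mac-address 0200-0000-0002
 dhcp server static-bind ip-address 10.1.1.1 mac-address 0200-0000-0003
 dhcp server static-bind ip-address 10.1.1.10 client-identifier aabb-ccdd
 dhcp server static-bind ip-address 10.1.1.30 mac-address 0200-0000-0001
quit
"""

if __name__ == "__main__":
    for interface, ip, reason in lint_static_binds(SAMPLE_CONFIG):
        print(f"{interface}: {ip} {reason}")
```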

 

II. Configuring to assign IP addresses dynamically

As an interface-based address pool is created after the interface is assigned a valid unicast IP address, the IP addresses contained in the address pool belong to the network segment where the interface resides and are available to the interface only. So specifying the range of the IP addresses to be dynamically assigned is unnecessary.

To avoid IP address conflicts, the IP addresses to be dynamically assigned to DHCP clients are those not occupied by specific network devices (such as gateways and FTP servers).

The lease time can differ between address pools, but all IP addresses in the same address pool have the same lease time. Lease time is not inherited, that is to say, the lease time of a child address pool is not affected by the configuration of the parent address pool.

Table 2-15 Configure to assign IP addresses dynamically

| Operation | Method | Command | Description |
| --- | --- | --- | --- |
| Enter system view | | system-view | - |
| Configure the lease time | Configure for the current interface | interface interface-type interface-number | Optional. The default lease time is one day |
| | | dhcp server expired { day day [ hour hour [ minute minute ] ] \| unlimited } | |
| | | quit | |
| | Configure multiple interfaces in system view | dhcp server expired { day day [ hour hour [ minute minute ] ] \| unlimited } { interface interface-type interface-number [ to interface-type interface-number ] \| all } | |
| Specify the IP addresses that are not dynamically assigned | | dhcp server forbidden-ip low-ip-address [ high-ip-address ] | Optional. By default, all IP addresses in a DHCP address pool are available for being dynamically assigned. |

Note:

• The dhcp server forbidden-ip command can be executed repeatedly. That is, you can configure multiple IP addresses that are not dynamically assigned to DHCP clients.

• Use the dhcp server forbidden-ip command to configure the IP addresses that are not assigned dynamically in global address pools and interface address pools.

• If an IP address that is not to be automatically assigned has been configured as a statically-bound IP address, the DHCP server still assigns this IP address to the client whose MAC address has been bound.

2.3.5  Configuring DNS Services for the DHCP Server

If a host accesses the Internet through domain names, DNS is needed to translate the domain names into the corresponding IP addresses. To enable DHCP clients to access the Internet through domain names, a DHCP server is required to provide DNS server addresses while assigning IP addresses to DHCP clients. Currently, you can configure up to eight DNS server addresses for a DHCP interface address pool.

On the DHCP server, you can configure domain names to be used by DHCP clients for address pools. After you do this, the DHCP server provides the domain names to the DHCP clients while the DHCP server assigns IP addresses to the DHCP clients.

Table 2-16 Configure DNS services for the DHCP server

| Operation | Method | Command | Description |
| --- | --- | --- | --- |
| Enter system view | | system-view | - |
| Configure a domain name for DHCP clients | Configure the current interface | interface interface-type interface-number | Required. By default, no domain name is configured for DHCP clients. |
| | | dhcp server domain-name domain-name | |
| | | quit | |
| | Configure multiple interfaces in system view | dhcp server domain-name domain-name { interface interface-type interface-number [ to interface-type interface-number ] \| all } | |
| Configure DNS server addresses for DHCP clients | Configure the current interface | interface interface-type interface-number | Required. By default, no DNS server address is configured. |
| | | dhcp server dns-list ip-address&<1-8> | |
| | | quit | |
| | Configure multiple interfaces in system view | dhcp server dns-list ip-address&<1-8> { interface interface-type interface-number [ to interface-type interface-number ] \| all } | |

2.3.6  Configuring DHCP Servers to Assign WINS Server Addresses

For Microsoft Windows-based DHCP clients that communicate through NetBIOS protocol, the host name-to-IP address translation is carried out by WINS servers. So you need to perform WINS-related configuration for most Windows-based hosts. Currently, you can configure up to eight WINS addresses for a DHCP address pool.

Host name-to-IP address mappings are needed for DHCP clients communicating through the NetBIOS protocol. According to the way to establish the mapping, NetBIOS nodes fall into the following four categories:

• B-node. Nodes of this type establish their mappings through broadcasting (the character b stands for the word broadcast). The source node obtains the IP address of the destination node by sending a broadcast packet containing the host name of the destination node. After receiving the broadcast packet, the destination node returns its IP address to the source node.

• P-node. Nodes of this type establish their mappings by communicating with WINS servers (the character p stands for peer-to-peer). The source node sends a unicast packet to the WINS server. After receiving the unicast packet, the WINS server returns the IP address corresponding to the destination node name to the source node.

• M-node. Nodes of this type are p-nodes mixed with broadcasting features (the character m stands for the word mixed). That is, nodes of this type obtain mappings by sending broadcast packets first. If they fail to obtain mappings, they send unicast packets to the WINS server to obtain mappings.

• H-node. Nodes of this type are b-nodes mixed with peer-to-peer features (the character h stands for the word hybrid). That is, nodes of this type obtain mappings by sending unicast packets to WINS servers first. If they fail to obtain mappings, they send broadcast packets to obtain mappings.

Table 2-17 Configure DHCP servers to assign WINS server addresses

| Operation | Method | Command | Description |
| --- | --- | --- | --- |
| Enter system view | | system-view | - |
| Configure WINS server addresses for DHCP clients | Configure the current interface | interface interface-type interface-number | Required. By default, no WINS server address is configured |
| | | dhcp server nbns-list ip-address&<1-8> | |
| | | quit | |
| | Configure multiple interfaces in system view | dhcp server nbns-list ip-address&<1-8> { interface interface-type interface-number [ to interface-type interface-number ] \| all } | |
| Configure NetBIOS node types for DHCP clients | Configure the current interface | interface interface-type interface-number | Required. By default, no NetBIOS node type is specified and a DHCP client uses an h-node. |
| | | dhcp server netbios-type { b-node \| h-node \| m-node \| p-node } | |
| | | quit | |
| | Configure multiple interfaces in system view | dhcp server netbios-type { b-node \| h-node \| m-node \| p-node } { interface interface-type interface-number [ to interface-type interface-number ] \| all } | |

2.3.7  Customizing DHCP Service

With the evolution of DHCP, new options are constantly coming into being. You can add the new options as the properties of DHCP servers by performing the following configuration.

Table 2-18 Customize DHCP service

| Operation | Method | Command | Description |
| --- | --- | --- | --- |
| Enter system view | | system-view | - |
| Configure customized options | Configure the current interface | interface interface-type interface-number | Required. By default, no customized option is configured. |
| | | dhcp server option code { ascii ascii-string \| hex hex-string&<1-10> \| ip-address ip-address&<1-8> } | |
| | | quit | |
| | Configure multiple interfaces in system view | dhcp server option code { ascii ascii-string \| hex hex-string&<1-10> \| ip-address ip-address&<1-8> } { interface interface-type interface-number [ to interface-type interface-number ] \| all } | |

2.3.8  Configuring Connection Between the DHCP Interface Address Pool and the BIMS Server

After configuring the connection between the DHCP interface address pool and the BIMS server, you can enable the BIMS server to manage the devices that have obtained IP addresses from the interface address pool.

Table 2-19 Configure connection between the DHCP interface address pool and the BIMS server

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Configure connection between the DHCP interface address pool and the BIMS server | dhcp server bims-server ip ip-address [ port port-number ] sharekey key { interface interface-type interface-number [ to interface-type interface-number ] \| all } | Required. By default, no connection between the DHCP interface address pool and the BIMS server is configured. |

2.4  DHCP Security Configuration

DHCP security configuration is needed to ensure the security of DHCP service.

2.4.1  Prerequisites

Before configuring DHCP security, you should first complete the DHCP server configuration (either global address pool-based or interface address pool-based DHCP server configuration).

2.4.2  Configuring Private DHCP Server Detecting

A private DHCP server on a network also answers IP address request packets and assigns IP addresses to DHCP clients. However, the IP addresses it assigns may conflict with those of other hosts. As a result, users cannot access the network normally. DHCP servers of this kind are known as private DHCP servers.

With the private DHCP server detecting function enabled, when a DHCP client sends a DHCP-REQUEST packet, the DHCP server records information (such as the IP address and interface) about the DHCP server that assigned the IP address to the client, so that the administrator can detect private DHCP servers in time and take proper measures.

Table 2-20 Enable detection of a private DHCP server

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Enable the private DHCP server detecting function | dhcp server detect | Required. By default, the private DHCP server detecting function is disabled. |
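An added example (not from the original manual and not H3C's implementation): the same detection idea applied offline to captured DHCP-REQUEST messages. It assumes the server chosen by the client is read from the server identifier option (option 54, RFC 2132); the allowlist, interface names, MAC addresses and packets are constructed sample values.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"     # precedes the options field (RFC 2131)
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_SERVER_ID = 53, 54   # RFC 2132 option codes
DHCPREQUEST = 3


def parse_options(packet):
    """Return {code: value} for the options of a BOOTP/DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def find_private_servers(requests, authorized):
    """requests: iterable of (ingress interface, raw DHCP message).

    Reports every DHCP-REQUEST whose server identifier is not an
    authorized server, with the client MAC and the ingress interface.
    """
    findings = []
    for interface, packet in requests:
        try:
            options = parse_options(packet)
        except ValueError:
            continue                      # malformed message: nothing to learn
        if options.get(OPT_MSG_TYPE) != bytes([DHCPREQUEST]):
            continue
        server_id = options.get(OPT_SERVER_ID)
        if server_id is None or len(server_id) != 4:
            continue                      # renewals carry no server identifier
        server = ipaddress.IPv4Address(server_id)
        if server not in authorized:
            hlen = min(packet[2], 16)
            mac = ":".join(f"{b:02x}" for b in packet[28:28 + hlen])
            findings.append({"server": str(server), "client_mac": mac,
                             "interface": interface})
    return findings


def build_request(mac, server_id=None, xid=0x1234):
    """Construct a minimal DHCP-REQUEST for the sample data below."""
    header = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)
    header += bytes(16)                   # ciaddr, yiaddr, siaddr, giaddr
    header += bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header += bytes(192)                  # sname and file fields
    options = bytes([OPT_MSG_TYPE, 1, DHCPREQUEST])
    if server_id:
        options += bytes([OPT_SERVER_ID, 4])
        options += ipaddress.IPv4Address(server_id).packed
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


# Constructed sample: 10.1.1.1 is the only authorized server.
AUTHORIZED = {ipaddress.IPv4Address("10.1.1.1")}
SAMPLE_REQUESTS = [
    ("Ethernet1/0/1", build_request("02:00:00:00:00:01", "10.1.1.1")),
    ("Ethernet1/0/2", build_request("02:00:00:00:00:02", "192.168.0.1")),
    ("Ethernet1/0/3", build_request("02:00:00:00:00:03")),  # renewal
    ("Ethernet1/0/4", b"\x01" * 100),                       # malformed
]

if __name__ == "__main__":
    for finding in find_private_servers(SAMPLE_REQUESTS, AUTHORIZED):
        print(finding)
```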

 

2.4.3  Configuring IP Address Detecting

To avoid IP address conflicts caused by assigning the same IP address to multiple DHCP clients simultaneously, you can configure a DHCP server to detect an IP address before it assigns the address to a DHCP client.

IP address detecting is achieved by performing ping operations. To detect whether an IP address is currently in use, the DHCP server sends an ICMP packet with the IP address to be assigned as the destination and waits for a ping response. If the DHCP server receives no response within a specified time, it resends an ICMP packet. This procedure repeats until the DHCP server receives a response or the number of the ping operations reaches the specified maximum number. The DHCP server assigns the IP address to the DHCP client only when no response is received during the whole course, thus ensuring that an IP address is assigned to one DHCP client exclusively.

Table 2-21 Configure IP address detecting

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Set the maximum number of ping operations performed by a DHCP server | dhcp server ping packets number | Optional. By default, a DHCP server performs the ping operation twice to test an IP address. |
| Set the response timeout time of each ping operation | dhcp server ping timeout milliseconds | Optional. The default timeout time is 500 milliseconds. |

2.5  Option 82 Supporting Configuration

2.5.1  Introduction to DHCP-Server Option 82

If a DHCP server supports option 82, after the DHCP server receives packets containing option 82 forwarded by the DHCP relay, the DHCP server processes the packets normally and assigns IP addresses for the clients.

If a DHCP server does not support option 82, after the DHCP server receives packets containing option 82 forwarded by the DHCP relay, the DHCP server does not process the packets.

For details of option 82, see section 3.1.3 "Option 82 Supporting".

2.5.2  Configuration Prerequisites

Before enabling option 82 for the DHCP server, you need to configure the DHCP server based on global address pools or interface address pools.

2.5.3  Configuring the Option 82 Supporting Function

Table 2-22 Enable the DHCP server to support option 82

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Enable the DHCP server to support option 82 | dhcp server relay information enable | Required. By default, the DHCP server supports option 82 |

Note:

To enable option 82 normally, you need to perform corresponding configuration on both the DHCP server and the DHCP relay. For the configuration of the DHCP relay, see section 3.1.3 "Option 82 Supporting".

2.6  Option 184 Supporting Configuration

2.6.1  Introduction to Option 184

Option 184 is an RFC reserved option, and the information it carries can be customized. H3C defines four proprietary sub-options for this option, enabling the DHCP server to put the information required by a DHCP client in the response packet to the client.

I. Basic concept

The four sub-options of option 184 mainly carry information about voice. The following lists the sub-options and the carried information:

• Option: An option in a DHCP message. It may be a variable-length field. It contains some lease information and message types. The option field contains at least one and up to 255 options.

• Sub-option 1: IP address of the network call processor (NCP-IP).

• Sub-option 2: IP address of the alternate server (AS-IP).

• Sub-option 3: Voice VLAN configuration.

• Sub-option 4: Fail-over call routing.

II. Meanings of the sub-options for option 184

Table 2-23 Meanings of the sub-options for option 184

| Sub-option | Feature | Function | Note |
| --- | --- | --- | --- |
| NCP-IP (sub-option 1) | The NCP-IP sub-option carries the IP address of the network call processor (NCP). | The IP address of the NCP server carried by sub-option 1 of option 184 is intended for identifying the server serving as the network call controller and the server used for application downloading. | When used in option 184, this sub-option must be the first sub-option, that is, sub-option 1 |
| AS-IP (sub-option 2) | The AS-IP sub-option carries the IP address of the alternate server (AS). | The alternate NCP server identified by sub-option 2 of option 184 acts as the backup of the NCP server. The NCP server specified by this option is used only when the IP address carried by the NCP-IP sub-option is unreachable or invalid. | The AS-IP sub-option takes effect only when sub-option 1 (that is, the NCP-IP sub-option) is defined |
| Voice VLAN Configuration (sub-option 3) | The voice VLAN configuration sub-option carries the ID of the voice VLAN and the flag indicating whether the voice VLAN identification function is enabled. | The sub-option 3 of option 184 comprises two parts. One part carries the flag indicating whether the voice VLAN identification function is enabled. The other part carries the ID of the voice VLAN. | A flag value of 0 indicates that the voice VLAN identification function is not enabled, in which case the information carried by the VLAN ID part will be neglected. A flag value of 1 indicates that the voice VLAN identification function is enabled. |
| Fail-Over Call Routing (sub-option 4) | The fail-over call routing sub-option carries the IP address for fail-over call routing and the associated dial number. The IP address for fail-over call routing and the dial number in sub-option 4 of option 184 refer to the IP address and dial number of the session initiation protocol (SIP) peer. | When the NCP server is unreachable, a SIP user can use the configured IP address and dial number of the peer to establish a connection and communicate with the peer SIP user. | - |

Note:

For the configurations specifying to add sub-option 2, sub-option 3, and sub-option 4 in the response packets to take effect, you must configure the DHCP server to add sub-option 1.

III. Mechanism of using option 184 on DHCP server

The DHCP server encapsulates the information for option 184 to carry in the response packets sent to the DHCP clients. Supposing that the DHCP clients are on the same segment as the DHCP server, the mechanism of option 184 supporting on DHCP server is as follows:

1) A DHCP client sends the DHCP server a request packet carrying option 55, which indicates that the client requests the configuration parameters of option 184.

2) The DHCP server checks the request list in option 55 carried by the request packet, and then adds the sub-options of option 184 to the Options field of the response packet to be sent to the DHCP client.

Note:

The DHCP server adds option 184 to the response packet sent to the client only when the DHCP client specifies in option 55 of the request packet that it requires option 184.

2.6.2  Prerequisites

The following are required before you configure the option 184 supporting function.

• The network parameters, address pools, and lease time are configured.

• The DHCP server and the DHCP clients can communicate properly with each other.

• Before configuring option 184, you must configure an IP address for the interface on which option 184 is to be enabled.

2.6.3  Configuring the Option 184 Supporting Function

You can configure the sub-options of option 184 in system view, interface view, and DHCP global address pool view. Note that an interface-based address pool is needed for the first two methods.

I. Configuring the option 184 supporting function in system view

Table 2-24 Configure the option 184 supporting function in system view

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Configure the interface to operate in DHCP server mode and assign the IP addresses of a specified interface-based address pool to DHCP clients | dhcp select interface { all \| interface interface-type interface-number [ to interface-type interface-number ] } | Required |
| Configure the NCP-IP sub-option | dhcp server voice-config ncp-ip ip-address { all \| interface interface-type interface-number [ to interface-type interface-number ] } | Required |
| Configure the AS-IP sub-option | dhcp server voice-config as-ip ip-address { all \| interface interface-type interface-number [ to interface-type interface-number ] } | Optional |
| Configure the voice VLAN configuration sub-option | dhcp server voice-config voice-vlan vlan-id { enable \| disable } { all \| interface interface-type interface-number [ to interface-type interface-number ] } | |
| Configure the Fail-over call routing sub-option | dhcp server voice-config fail-over ip-address dialer-string { all \| interface interface-type interface-number [ to interface-type interface-number ] } | |

Note:

• Perform the operations listed in Table 2-24 in system view if you specify to assign IP addresses of an interface-based address pool to DHCP clients.

• This method allows you to configure the option 184 supporting function for multiple interfaces.

II. Configuring the option 184 supporting function in interface view

Table 2-25 Configure the option 184 supporting function in interface view

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Enter interface view | interface interface-type interface-number | - |
| Configure an IP address for the interface | ip address ip-address net-mask | - |
| Configure the interface to operate in DHCP server mode and assign the IP addresses of an interface-based address pool to DHCP clients | dhcp select interface | Required |
| Configure the NCP-IP sub-option | dhcp server voice-config ncp-ip ip-address | Required |
| Configure the AS-IP sub-option | dhcp server voice-config as-ip ip-address | Optional |
| Configure the voice VLAN configuration sub-option | dhcp server voice-config voice-vlan vlan-id { enable \| disable } | Optional |
| Configure the Fail-over call routing sub-option | dhcp server voice-config fail-over ip-address dialer-string | Optional |

Note:

• Perform the operations listed in Table 2-25 in interface view if you specify to assign IP addresses of an interface-based address pool to DHCP clients.

• This method allows you to configure the option 184 supporting function for a specific interface.

III. Configuring the option 184 supporting function in global DHCP address pool view

Table 2-26 Configure the option 184 supporting function in global DHCP address pool view

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | - |
| Configure the interface to operate in DHCP server mode and assign the IP addresses of a global address pool to DHCP clients | dhcp select global { all \| interface interface-type interface-number [ to interface-type interface-number ] } | Required |
| Enter DHCP address pool view | dhcp server ip-pool pool-name | - |
| Configure the IP address range from which IP addresses are dynamically assigned | network ip-address [ mask netmask ] | - |
| Configure the NCP-IP sub-option | voice-config ncp-ip ip-address | Required |
| Configure the AS-IP sub-option | voice-config as-ip ip-address | Optional |
| Configure the voice VLAN configuration sub-option | voice-config voice-vlan vlan-id { enable \| disable } | Optional |
| Configure the Fail-over call routing sub-option | voice-config fail-over ip-address dialer-string | Optional |

Note:

Perform the operations listed in Table 2-26 in global address pool view if you specify to assign IP addresses of a global DHCP address pool to DHCP clients.

2.6.4  Configuration Example

I. Network requirements

A 3COM VCX device operating as a DHCP client requests all sub-options of option 184 from the DHCP server. An H3C series switch operates as the DHCP server. The option 184 supporting function is configured for a global DHCP address pool. The sub-options of option 184 are as follows:

• NCP-IP: 3.3.3.3

• AS-IP: 2.2.2.2

• Voice VLAN configuration: voice VLAN: enabled; voice VLAN ID: 3

• Fail-over routing: IP address: 1.1.1.1; dialer string: 99*

II. Network diagram

Figure 2-1 Network diagram for option 184 supporting configuration

III. Configuration procedure

1) Configure the DHCP client.

Configure the 3COM VCX device to operate as a DHCP client and to request all sub-options of option 184. (Configuration process omitted)

2) Configure the DHCP server.

# Enter system view.

<H3C> system-view

[H3C]

# Add Ethernet1/0/1 to VLAN 2 and configure the IP address of VLAN 2 interface to be 10.1.1.1/24.

[H3C] vlan 2

[H3C-vlan2] port Ethernet 1/0/1

[H3C-vlan2] quit

[H3C] interface Vlan-interface 2

[H3C-Vlan-interface2] ip address 10.1.1.1 255.255.255.0

[H3C-Vlan-interface2] quit

# Configure VLAN 2 interface to operate in the DHCP server mode.

[H3C] dhcp select global interface Vlan-interface 2

# Enter DHCP address pool view.

[H3C] dhcp server ip-pool 123

# Configure sub-options of option 184 in global DHCP address pool view.

[H3C-dhcp-pool-123] network 10.1.1.1 mask 255.255.255.0

[H3C-dhcp-pool-123] voice-config ncp-ip 3.3.3.3

[H3C-dhcp-pool-123] voice-config as-ip 2.2.2.2

[H3C-dhcp-pool-123] voice-config voice-vlan 3 enable

[H3C-dhcp-pool-123] voice-config fail-over 1.1.1.1 99*

2.7  Displaying and Debugging a DHCP Server

You can verify your DHCP-related configuration by executing the display command in any view.

To clear the information about DHCP servers, execute the reset command in user view.

Table 2-27 Display and debug a DHCP server

| Operation | Command | Description |
|---|---|---|
| Display the statistics on IP address conflicts | display dhcp server conflict { all \| ip ip-address } | The display command can be executed in any view |
| Display lease expiration information | display dhcp server expired { ip ip-address \| pool [ pool-name ] \| interface [ interface-type interface-number ] \| all } | The display command can be executed in any view |
| Display the free IP addresses | display dhcp server free-ip | The display command can be executed in any view |
| Display information about address binding | display dhcp server ip-in-use { ip ip-address \| pool [ pool-name ] \| interface [ interface-type interface-number ] \| all } | The display command can be executed in any view |
| Display the statistics on a DHCP server | display dhcp server statistics | The display command can be executed in any view |
| Display information about DHCP address pool tree | display dhcp server tree { pool [ pool-name ] \| interface [ interface-type interface-number ] \| all } | The display command can be executed in any view |
| Clear IP address conflict statistics | reset dhcp server conflict { all \| ip ip-address } | The reset command can be executed in user view |
| Clear dynamic address binding information | reset dhcp server ip-in-use { ip ip-address \| pool [ pool-name ] \| interface [ interface-type interface-number ] \| all } | The reset command can be executed in user view |
| Clear the statistics on a DHCP server | reset dhcp server statistics | The reset command can be executed in user view |

 

Note:

Executing the save command will not save the lease information on a DHCP server to the flash memory. Therefore, the configuration file contains no lease information after the DHCP server restarts or you clear the lease information by executing the reset dhcp server ip-in-use command. In this case, any lease-update requests will be denied, and the clients must apply for IP addresses again.

 

2.8  DHCP Server Configuration Example

Currently, DHCP networking can be implemented in two ways. One is to deploy the DHCP server and DHCP clients in the same network segment. This enables the clients to communicate with the server directly. The other is to deploy the DHCP server and DHCP clients in different network segments. In this case, IP address assigning is carried out through DHCP relay. Note that DHCP server configuration is the same in both scenarios.

I. Network requirements

The DHCP server assigns IP addresses dynamically to the DHCP clients on the same network segment. The network segment 10.1.1.0/24, to which the IP addresses of the address pool belong, is divided into two sub-network segments: 10.1.1.0/25 and 10.1.1.128/25. The switch operating as the DHCP server holds two VLANs, whose interface IP addresses are 10.1.1.1/25 and 10.1.1.129/25 respectively.

The DHCP settings of the 10.1.1.0/25 network segment are as follows:

- Lease time: 10 days plus 12 hours
- Domain name: aabbcc.com
- DNS server: 10.1.1.2
- WINS server: none
- Gateway: 10.1.1.126

The DHCP settings of the 10.1.1.128/25 network segment are as follows:

- Lease time: 5 days
- Domain name: aabbcc.com
- DNS server: 10.1.1.2
- WINS server: 10.1.1.4
- Gateway: 10.1.1.254

 

If you use the inheritance relationship between parent and child address pools, make sure that the number of assigned IP addresses does not exceed the number of IP addresses in the child address pool; otherwise, the extra IP addresses are obtained from the parent address pool, and their attributes (for example, the gateway) are also based on the configuration of the parent address pool.

For example, in the network to which VLAN-interface1 is connected, if multiple clients apply for IP addresses, the child address pool 10.1.1.0/25 assigns IP addresses first. When the IP addresses in the child address pool have been assigned, if other clients need IP addresses, the IP addresses will be assigned from the parent address pool 10.1.1.0/24 and the attributes will be based on the configuration of the parent address pool.

For this example, the number of clients applying for IP addresses from VLAN-interface1 is recommended to be less than or equal to 122 and the number of clients applying for IP addresses from VLAN-interface2 is recommended to be less than or equal to 124.

 

II. Network diagram

Figure 2-2 Network diagram for DHCP configuration

III. Configuration procedure

1) Configure a VLAN and add a port to this VLAN, and then configure the IP address of the VLAN interface (omitted).

2) Configure DHCP service.

# Enable DHCP.

<H3C> system-view

[H3C] dhcp enable

# Configure the IP addresses that are not dynamically assigned. (That is, the IP addresses of the DNS server, WINS server, and gateways.)

[H3C] dhcp server forbidden-ip 10.1.1.2

[H3C] dhcp server forbidden-ip 10.1.1.4

[H3C] dhcp server forbidden-ip 10.1.1.126

[H3C] dhcp server forbidden-ip 10.1.1.254

# Configure DHCP address pool 0, including address range and DNS server address.

[H3C] dhcp server ip-pool 0

[H3C-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0

[H3C-dhcp-pool-0] domain-name aabbcc.com

[H3C-dhcp-pool-0] dns-list 10.1.1.2

[H3C-dhcp-pool-0] quit

# Configure DHCP address pool 1, including address range, gateway, and lease time.

[H3C] dhcp server ip-pool 1

[H3C-dhcp-pool-1] network 10.1.1.0 mask 255.255.255.128

[H3C-dhcp-pool-1] gateway-list 10.1.1.126

[H3C-dhcp-pool-1] expired day 10 hour 12

[H3C-dhcp-pool-1] quit

# Configure DHCP address pool 2, including address range, gateway, WINS server address, and lease time.

[H3C] dhcp server ip-pool 2

[H3C-dhcp-pool-2] network 10.1.1.128 mask 255.255.255.128

[H3C-dhcp-pool-2] expired day 5

[H3C-dhcp-pool-2] nbns-list 10.1.1.4

[H3C-dhcp-pool-2] gateway-list 10.1.1.254

2.9  Troubleshooting a DHCP Server

I. Symptom

The IP address dynamically assigned by a DHCP server to a client conflicts with the IP address of another host.

II. Analysis

With DHCP enabled, IP address conflicts are usually caused by IP addresses that are manually configured on hosts.

III. Solution

- Disconnect the DHCP client from the network, and then check whether a host is using the conflicting IP address by pinging that address from another host on the network with a sufficiently long timeout.

- If you receive a response to the ping, the IP address is manually configured on a host. You can then exclude the IP address from dynamic assignment by using the dhcp server forbidden-ip command on the DHCP server.

- Attach the DHCP client to the network, release the dynamically assigned IP address, and obtain an IP address again. For example, enter DOS by executing the cmd command in Windows XP, and then release the IP address by executing the ipconfig/release command. Then obtain an IP address again by executing the ipconfig/renew command.

 


Chapter 3  DHCP Relay Configuration

3.1  Introduction to DHCP Relay

3.1.1  Usage of DHCP Relay

Because packets are broadcast in the process of obtaining IP addresses, DHCP by itself is applicable only when DHCP clients and DHCP servers are in the same network segment. That is, you need to deploy at least one DHCP server for each network segment, which is far from economical.

DHCP Relay is designed to address this problem. It enables DHCP clients in a subnet to communicate with the DHCP server in another subnet so that the DHCP clients can obtain IP addresses. In this case, the DHCP clients in multiple networks can use the same DHCP server, which can decrease your cost and provide a centralized administration.

3.1.2  DHCP Relay Fundamentals

Figure 3-1 illustrates a typical DHCP relay application.

Figure 3-1 Typical DHCP relay application

DHCP relays can transparently transmit broadcast packets of DHCP clients or servers to the DHCP servers or clients in other network segments.

In the process of dynamic IP address assignment through the DHCP relay, the DHCP client and DHCP server interoperate in much the same way as they do without the DHCP relay. The following describes only the forwarding process of the DHCP relay. For the interaction process of the packets, see section 1.2.2 "Obtaining IP Addresses Dynamically".

1) The DHCP client broadcasts the DHCP-DISCOVER packet.

2) After receiving the packet, the network device providing the DHCP relay function unicasts the packet to the designated DHCP server based on the configuration.

3) The DHCP server assigns IP addresses and sends the configuration information to the clients through the DHCP relay so that the clients can be configured dynamically (the sending mode is decided by the flag field in the DHCP-DISCOVER packet; refer to section 1.3 "DHCP Packet Format" for details).

3.1.3  Option 82 Supporting

I. Introduction to option 82 supporting

Option 82 is a relay agent information option in DHCP packets. When a request packet from a DHCP client travels through a DHCP relay on its way to the DHCP server, the DHCP relay adds option 82 into the request packet. Option 82 includes many sub-options, but the DHCP server supports only sub-option 1 and sub-option 2 at present. Sub-option 1 defines agent circuit ID (that is, Circuit ID) and sub-option 2 defines remote agent ID (that is, Remote ID).

Option 82 enables a DHCP server to track the address information of DHCP clients and DHCP relays. With this information and other suitable software, you can implement DHCP assignment limitation and accounting functions.

II. Primary terminologies

- Option: A length-variable field in DHCP packets, carrying information such as part of the lease information and packet type. It includes at least one option and at most 255 options.

- Option 82: Also known as relay agent information option. This option is a part of the Option field in a DHCP packet. According to RFC3046, option 82 lies before option 255 and after the other options. Option 82 includes at least one sub-option and at most 255 sub-options. Currently, the commonly used sub-options in option 82 are sub-option 1, sub-option 2, and sub-option 5.

- Sub-option 1: A sub-option of option 82. Sub-option 1 represents the agent circuit ID, namely Circuit ID. It holds the port number and VLAN-ID of the switch port connected to the DHCP client, and is usually configured on the DHCP relay. Generally, sub-option 1 and sub-option 2 must be used together to identify information about a DHCP source.

- Sub-option 2: A sub-option of option 82. Sub-option 2 represents the remote agent ID, namely Remote ID. This option is usually configured on the DHCP relay, and carries the MAC address of the DHCP relay in the packet to be sent. Generally, sub-option 1 and sub-option 2 must be used together to identify information about a DHCP source.

III. Related specification

The specifications concerning option 82 supporting are as follows:

RFC2131 Dynamic Host Configuration Protocol

RFC3046 DHCP Relay Agent Information Option

IV. Mechanism of option 82 supporting on DHCP relay

The procedure for a DHCP client to obtain an IP address from a DHCP server through a DHCP relay is similar to that for the client to obtain an IP address from a DHCP server directly. The mechanism of option 82 supporting on a DHCP relay is as follows.

1) A DHCP client broadcasts a request packet when it starts up.

2) If a DHCP server exists in the local network, it assigns an IP address to the DHCP client directly; otherwise the DHCP relay on the local network receives and processes the request packet. The DHCP relay checks whether the packet contains option 82 and processes the packet accordingly.

3) If the packet contains option 82, the DHCP relay processes the packet depending on the configured strategy (that is, discards the packet, replaces the original option 82 in the packet with its own, or leaves the original option 82 unchanged in the packet), and forwards the packet (if not discarded) to the DHCP server.

4) If the packet does not contain option 82, the DHCP relay adds option 82 to the packet and forwards the packet to the DHCP server. The forwarded packet contains the port number of the switch to which the DHCP client is connected, the VLAN to which the port belongs, and the MAC address of the DHCP relay.

5) Upon receiving the DHCP request packet forwarded by the DHCP relay, the DHCP server stores the information contained in the option field and sends a packet that contains DHCP configuration information and option 82 to the DHCP relay.

6) Upon receiving the packet returned from the DHCP server, the DHCP relay strips option 82 from the packet and forwards the packet with the DHCP configuration information to the DHCP client.

 

Note:

Request packets sent by a DHCP client fall into two categories: DHCP-DISCOVER packets and DHCP-REQUEST packets. As DHCP servers from different manufacturers process DHCP request packets in different ways (that is, some DHCP servers process option 82 in DHCP-DISCOVER packets, whereas the rest process option 82 in DHCP-REQUEST packets), a DHCP relay adds option 82 to both types of packets to accommodate DHCP servers of different manufacturers.
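
The relay-side handling in steps 2) to 6) can be traced with a short model of the options field. This Python code is an added example, not H3C code; the option 82 byte layout (circuit ID as a 16-bit VLAN ID plus a 16-bit port number, remote ID as the relay's 6-byte MAC address), the function names and the sample values are assumptions made for illustration.

```python
import struct

PAD, END, RELAY_INFO = 0, 255, 82      # DHCP option codes (RFC 2132, RFC 3046)
CIRCUIT_ID, REMOTE_ID = 1, 2           # option 82 sub-option codes


def walk_tlv(data, top_level=True):
    """Yield (code, value) pairs from a code/length/value byte string.

    At the top level, Pad (0) is skipped and End (255) stops the walk;
    inside option 82 every entry is a plain sub-option.
    """
    i = 0
    while i < len(data):
        code = data[i]
        if top_level and code == END:
            return
        if top_level and code == PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated header for code %d" % code)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated value for code %d" % code)
        yield code, value
        i += 2 + length


def encode_options(pairs):
    """Serialise (code, value) pairs and terminate with the End option."""
    out = bytearray()
    for code, value in pairs:
        out += bytes([code, len(value)]) + value
    return bytes(out) + bytes([END])


def build_option82(vlan_id, port, relay_mac):
    """Option 82 payload. ASSUMED layout: circuit ID = VLAN ID and port as
    two 16-bit integers, remote ID = the relay's 6-byte MAC address."""
    circuit = struct.pack("!HH", vlan_id, port)
    return (bytes([CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([REMOTE_ID, len(relay_mac)]) + relay_mac)


def relay_request(options, strategy, vlan_id, port, relay_mac):
    """Options the relay forwards to the server, or None if it discards."""
    pairs = list(walk_tlv(options))
    if any(code == RELAY_INFO for code, _ in pairs):
        if strategy == "drop":
            return None                      # discard the request
        if strategy == "keep":
            return options                   # forward the original untouched
        if strategy != "replace":
            raise ValueError("unknown strategy %r" % strategy)
        pairs = [(c, v) for c, v in pairs if c != RELAY_INFO]
    # No option 82 present, or "replace": append the relay's own option 82
    # as the last option before End.
    pairs.append((RELAY_INFO, build_option82(vlan_id, port, relay_mac)))
    return encode_options(pairs)


def relay_reply(options):
    """Strip option 82 from a server reply before it goes to the client."""
    return encode_options([(c, v) for c, v in walk_tlv(options)
                           if c != RELAY_INFO])


def option82_of(options):
    """Decoded {sub-option code: value} of option 82, or None if absent."""
    for code, value in walk_tlv(options):
        if code == RELAY_INFO:
            return dict(walk_tlv(value, top_level=False))
    return None


# Constructed sample data (not captured traffic).
RELAY_MAC = bytes.fromhex("020000000001")
DISCOVER = encode_options([(53, b"\x01"), (55, b"\x01\x03\x06")])
# A request that already carries an option 82 when it reaches the relay.
PRETAGGED = encode_options([(53, b"\x01"),
                            (RELAY_INFO, build_option82(999, 48, bytes(6)))])

if __name__ == "__main__":
    for name, opts in (("plain", DISCOVER), ("pre-tagged", PRETAGGED)):
        for strategy in ("drop", "keep", "replace"):
            out = relay_request(opts, strategy, 2, 1, RELAY_MAC)
            print(name, strategy, None if out is None else option82_of(out))
```

With the replace strategy the server only ever sees the circuit ID and remote ID written by the relay itself, whereas keep forwards whatever option 82 content the request already carried.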

 

3.2  DHCP Relay Configuration

 

Note:

If a switch belongs to a fabric, you need to enable the UDP-helper function on it before configuring it to be a DHCP relay.

 

3.2.1  DHCP Relay Configuration Tasks

Table 3-1 DHCP relay configuration tasks

| Configuration task | Remarks | Section |
|---|---|---|
| Enable DHCP | Required | 3.2.2 Enabling DHCP |
| Configure an interface to operate in DHCP relay mode | Required | 3.2.3 Configuring an Interface to Operate in DHCP Relay Mode |
| Configure DHCP relay security | Optional | 3.2.4 Configuring DHCP Relay Security |
| Configure option 82 supporting | Optional | 3.2.5 Configuring Option 82 Supporting |

 

3.2.2  Enabling DHCP

Make sure to enable DHCP before you perform other DHCP relay-related configurations, since other DHCP-related configurations cannot take effect with DHCP disabled.

Table 3-2 Enable DHCP

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enable DHCP | dhcp enable | Required. By default, DHCP is enabled |

 

3.2.3  Configuring an Interface to Operate in DHCP Relay Mode

When an interface operates in the relay mode, the interface forwards the DHCP packets received from DHCP clients to an external DHCP server, which assigns IP addresses to the DHCP clients.

To enhance reliability, you can set multiple DHCP servers on the same network. These DHCP servers form a DHCP server group. When the interface establishes mapping relationship with the DHCP server group, the interface forwards the DHCP packets to all servers in the server group.

Table 3-3 Configure an interface to operate in DHCP relay mode

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Configure the DHCP server IP address(es) in a specified DHCP server group | dhcp-server groupNo ip ip-address&<1-8> | Required. By default, no DHCP server IP address is configured in a DHCP server group. |
| Map an interface to a DHCP server group | interface interface-type interface-number | Required. By default, a VLAN interface is not mapped to any DHCP server group. |
| Map an interface to a DHCP server group | dhcp-server groupNo | Required. By default, a VLAN interface is not mapped to any DHCP server group. |

 

Note:

To improve security and prevent malicious attacks on unused sockets, S3600 Ethernet switches provide the following functions:

- UDP 67 and UDP 68 ports used by DHCP are enabled only when DHCP is enabled.
- UDP 67 and UDP 68 ports are disabled when DHCP is disabled.

The corresponding implementation is as follows:

- When a VLAN interface is mapped to a DHCP server group with the dhcp-server command, the DHCP relay agent is enabled. At the same time, UDP 67 and UDP 68 ports used by DHCP are enabled.
- When the mapping between a VLAN interface and a DHCP server group is removed with the undo dhcp-server command, DHCP services are disabled. At the same time, UDP 67 and UDP 68 ports are disabled.

 

Note:

- You can configure up to eight external DHCP server IP addresses in a DHCP server group.
- You can map multiple VLAN interfaces to one DHCP server group, but one VLAN interface can be mapped to only one DHCP server group.
- If you execute the dhcp-server groupNo command repeatedly, the new configuration overwrites the previous one.
- Before you specify a group number with the dhcp-server groupNo command in VLAN interface view, you need to configure that group number by using the dhcp-server groupNo ip ip-address&<1-8> command.

 

3.2.4  Configuring DHCP Relay Security

I. Configuring address checking

When a DHCP client obtains an IP address from a DHCP server with the help of a DHCP relay, the DHCP relay creates an entry (dynamic entry) in the user address table to track the IP-MAC address binding information about the DHCP client. You can also configure user address entries manually (static entries) to bind an IP address and a MAC address statically.

The purpose of the address checking function on DHCP relay is to prevent unauthorized users from statically configuring IP addresses to access external networks. With this function enabled, a DHCP relay inhibits a user from accessing external networks if the IP address configured on the user end and the MAC address of the user end do not match any entries (including the entries dynamically tracked by the DHCP relay and the manually configured static entries) in the user address table on the DHCP relay.

Table 3-4 Configure address checking

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Create a DHCP user address entry manually | dhcp-security static ip-address mac-address | Optional. By default, no DHCP user address entry is configured. (Only S3600-EI series switches among S3600 series switches support this configuration.) |
| Enter interface view | interface interface-type interface-number | - |
| Enable the address checking function | address-check enable | Required. By default, the address checking function is disabled. (Only S3600-EI series switches among S3600 series switches support this configuration.) |

 

II. Configuring DHCP relay handshake

When the DHCP client obtains an IP address from the DHCP server through the DHCP relay, the DHCP relay records the binding relationship of the IP address and the MAC address. After the DHCP relay handshake function is enabled, the DHCP relay periodically sends the DHCP server a handshake packet (a DHCP-REQUEST packet) that carries the IP address recorded in the binding and its own bridge MAC address.

- If the DHCP server returns the DHCP-ACK packet, it indicates that the IP address can be assigned. The DHCP relay ages the corresponding entry in the user address table.
- If the DHCP server returns the DHCP-NAK packet, it indicates that the lease of the IP address is not expired. The DHCP relay does not age the corresponding entry.

After the DHCP relay handshake function is disabled, the DHCP relay does not send the handshake packet (the DHCP-REQUEST packet) periodically to the DHCP server.

- When the DHCP client releases this IP address, the client unicasts the DHCP-RELEASE packet to the DHCP server.
- The DHCP relay does not process this packet, so the user address entries of the DHCP relay cannot be updated in real time.

Table 3-5 Enable/disable DHCP relay handshake

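| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enable DHCP relay handshake | dhcp relay hand enable | By default, the DHCP relay handshake function is enabled. (Only S3600-EI series switches among S3600 series switches support this configuration.) |
| Disable DHCP relay handshake | dhcp relay hand disable | By default, the DHCP relay handshake function is enabled. (Only S3600-EI series switches among S3600 series switches support this configuration.) |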

 

III. Configuring the dynamic user address entry updating function

When a DHCP client obtains an IP address from a DHCP server with the help of a DHCP relay, the DHCP relay creates an entry (dynamic entry) in the user address table to track the binding information about the IP address and MAC address of the DHCP client. However, a DHCP relay does not process DHCP-RELEASE packets, which DHCP clients unicast to DHCP servers when they release IP addresses, so the user address entries maintained by the DHCP relay cannot be updated in time. The dynamic user address entry updating function is developed to resolve this problem.

The dynamic user address entry updating function works as follows: at regular intervals, the DHCP relay sends a DHCP-REQUEST packet that carries the IP address assigned to a DHCP client and its own bridge MAC address to the corresponding DHCP server. If the DHCP server answers with a DHCP-ACK packet, the IP address is available (it can be assigned again) and the DHCP relay ages the corresponding entry in the user address table. If the DHCP server answers with a DHCP-NAK packet, the IP address is still in use (the lease is not expired) and the DHCP relay leaves the corresponding user address entry unchanged.

Table 3-6 Configure the dynamic user address entry updating function

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enable DHCP relay handshake | dhcp relay hand enable | Required |
| Set the interval at which the DHCP relay dynamically updates the user address entries | dhcp-security tracker { interval \| auto } | Optional. Only S3600-EI series switches among S3600 series switches support this configuration. |
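
The address checking function (I) and the handshake-driven entry updating (II and III) both act on the same user address table, which the following model makes concrete. This Python code is an added example, not the switch's implementation; the class and function names, the MAC and host addresses, and the rule that static entries are neither overwritten nor aged are assumptions made for illustration.

```python
import ipaddress


def norm_mac(mac):
    """Canonical 12-hex-digit MAC from 0200-0000-000a or 02:00:00:00:00:0a."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits


class UserAddressTable:
    """IP-to-MAC bindings held by the DHCP relay."""

    def __init__(self):
        self._entries = {}          # ip -> (mac, "static" | "dynamic")

    def add_static(self, ip, mac):
        """Manually configured entry (dhcp-security static)."""
        self._entries[ipaddress.ip_address(ip)] = (norm_mac(mac), "static")

    def learn(self, ip, mac):
        """Dynamic entry created when a client obtains `ip` via the relay."""
        key = ipaddress.ip_address(ip)
        # Assumption: a manually configured entry is never overwritten.
        if self._entries.get(key, ("", ""))[1] != "static":
            self._entries[key] = (norm_mac(mac), "dynamic")

    def permits(self, ip, mac):
        """Address check: allow traffic only if (ip, mac) matches an entry."""
        entry = self._entries.get(ipaddress.ip_address(ip))
        return entry is not None and entry[0] == norm_mac(mac)

    def handshake(self, ip, server_reply):
        """Apply the server's answer to the relay's periodic DHCP-REQUEST.

        ACK: the address can be assigned again, so the dynamic entry is aged.
        NAK: the lease has not expired, so the entry is kept.
        Returns True if an entry was removed.
        """
        if server_reply not in ("ACK", "NAK"):
            raise ValueError("unexpected reply %r" % server_reply)
        key = ipaddress.ip_address(ip)
        entry = self._entries.get(key)
        if entry is None or entry[1] != "dynamic":
            return False
        if server_reply == "ACK":
            del self._entries[key]
            return True
        return False


def scenario(handshake_enabled):
    """Constructed walk-through; returns [(step, permitted)]."""
    table = UserAddressTable()
    table.add_static("10.110.1.5", "0200-0000-0005")
    table.learn("10.110.1.10", "0200-0000-000a")        # lease via the relay
    results = [
        ("leased client", table.permits("10.110.1.10", "02:00:00:00:00:0a")),
        ("static entry", table.permits("10.110.1.5", "0200-0000-0005")),
        ("self-assigned IP", table.permits("10.110.1.99", "0200-0000-0063")),
        ("leased IP, other MAC", table.permits("10.110.1.10", "0200-0000-0063")),
    ]
    # The client now releases 10.110.1.10 by unicast to the server. The relay
    # does not process DHCP-RELEASE, so only the handshake can age the entry.
    if handshake_enabled:
        table.handshake("10.110.1.10", "ACK")           # server: address is free
    results.append(("after release",
                    table.permits("10.110.1.10", "0200-0000-000a")))
    return results


if __name__ == "__main__":
    for enabled in (True, False):
        print("handshake enabled:", enabled)
        for step, ok in scenario(enabled):
            print("  %-22s %s" % (step, "permit" if ok else "block"))
```

With the handshake disabled, the released address stays bound to the old MAC address in the table, which is the stale-entry condition the text describes.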

 

IV. Configuring private DHCP server detection function

If there is an unauthorized DHCP server in the network, when a client applies for an IP address, the unauthorized DHCP server interacts with the DHCP client. As a result, the DHCP client obtains an incorrect IP address. Such an unauthorized DHCP server is called a private DHCP server.

After the private DHCP server detection function is enabled on a DHCP relay, when a DHCP client sends the DHCP-REQUEST packet, the DHCP relay can obtain from the packet the information (such as the IP address and interface receiving the packet) of the DHCP server that assigns an IP address to the client. As a result, the administrator can find and deal with the private DHCP server.

Table 3-7 Configure private DHCP server detection function

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enable private DHCP server detection function | dhcp-server detect | Required. By default, the private DHCP server detection function is disabled |

 

3.2.5  Configuring Option 82 Supporting

I. Prerequisites

Before configuring option 82 supporting on a DHCP relay, you need to:

- Configure network parameters and relay function of the DHCP relay device.
- Perform assignment strategy-related configurations, such as network parameters of the DHCP server, address pool, and lease time.
- Make sure that the routes between the DHCP relay and the DHCP server are reachable.

II. Enabling option 82 supporting on a DHCP relay

The following operations need to be performed on a DHCP relay–enabled network device.

Table 3-8 Enable option 82 supporting on a DHCP relay

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enable option 82 supporting on the DHCP relay | dhcp relay information enable | Required. By default, this function is disabled |
| Configure the strategy for the DHCP relay to process request packets containing option 82 | dhcp relay information strategy { drop \| keep \| replace } | Optional. By default, the replace strategy is adopted |

 

- By default, with the option 82 supporting function enabled on the DHCP relay, the DHCP relay adopts the replace strategy to process the request packets containing option 82. However, if another strategy was configured earlier, enabling option 82 supporting on the DHCP relay does not change the configured strategy.

- To enable option 82, you need to perform the corresponding configuration on the DHCP server and the DHCP relay.

 

3.3  Displaying and Debugging DHCP Relay

After the preceding configurations, you can execute the display command in any view to verify the configurations. You can also execute the reset command to clear the statistics information about the specified DHCP server group.

Table 3-9 Display DHCP relay information

| Operation | Command | Description |
|---|---|---|
| Display the information about a specified DHCP server group | display dhcp-server groupNo | The display command can be executed in any view |
| Display the information about the DHCP server group to which a specified VLAN interface is mapped | display dhcp-server interface Vlan-interface vlan-id | The display command can be executed in any view |
| Display the address information of all the users in the valid user address table of the DHCP server group | display dhcp-security [ ip-address \| dynamic \| static \| tracker ] | The display command can be executed in any view |
| Clear the statistics information of the specified DHCP server group | reset dhcp-server groupNo | The reset command must be executed in user view |

 

3.4  DHCP Relay Configuration Example

I. Network requirements

The DHCP clients on the network segment 10.110.0.0/16 are connected to a port of VLAN 2. The IP address of the DHCP server is 202.38.1.2. DHCP packets between the DHCP clients and the DHCP server are forwarded by the DHCP relay, through which the DHCP clients can obtain IP addresses and related configuration information from the DHCP server.

II. Network diagram

Figure 3-2 Network diagram for DHCP relay

III. Configuration procedure

# Enter system view.

<H3C> system-view

# Enable DHCP.

[H3C] dhcp enable

# Create DHCP server group 1 and configure an IP address of 202.38.1.2 for it.

[H3C] dhcp-server 1 ip 202.38.1.2

# Map VLAN-interface2 to DHCP server group 1.

[H3C] interface Vlan-interface 2

[H3C-Vlan-interface2] dhcp-server 1

# Configure an IP address for VLAN-interface2. The IP address of the interface should be on the same network segment as the DHCP clients.

[H3C-Vlan-interface2] ip address 10.110.1.1 255.255.0.0

 

Note:

You need to perform corresponding configurations on the DHCP server to enable the DHCP clients to obtain IP addresses from the DHCP server. The DHCP server configurations vary with different DHCP server devices, so the configurations are omitted.

 

3.5  Troubleshooting DHCP Relay

I. Symptom

A client fails to obtain configuration information through a DHCP relay.

II. Analysis

This problem may be caused by improper DHCP relay configuration. When a DHCP relay operates improperly, you can locate the problem by enabling debugging and checking the debugging information and the interface state (you can display the information by executing the corresponding display command).

III. Solution

- Check if DHCP is enabled on the DHCP server and the DHCP relay.

- Check if an address pool that is on the same network segment as the DHCP clients is configured on the DHCP server.

- Check if a reachable route is configured between the DHCP relay and the DHCP server.

- Check the DHCP relay-enabled network devices. Check if the correct DHCP server group is configured on the interface connecting the network segment where the DHCP client resides. Check if the IP address of the DHCP server group is correct.

 


Chapter 4  DHCP Snooping Configuration

 

Note:

After DHCP-Snooping is enabled on an S3600 Ethernet switch, clients connected with this switch cannot obtain IP addresses dynamically through BOOTP.

 

4.1  Introduction to DHCP Snooping

For the sake of security, the IP addresses used by online DHCP clients need to be tracked for the administrator to verify the corresponding relationship between the IP addresses the DHCP clients obtained from DHCP servers and the MAC addresses of the DHCP clients.

- Layer 3 switches can track DHCP client IP addresses through DHCP relay.

- Layer 2 switches can track DHCP client IP addresses through the DHCP snooping function, which listens to DHCP broadcast packets.

When an unauthorized DHCP server exists in the network, a DHCP client may obtain an illegal IP address. To ensure that the DHCP clients obtain IP addresses from valid DHCP servers, you can use the DHCP snooping function to specify a port as a trusted port or an untrusted port.

- Trusted ports can be used to connect DHCP servers or ports of other switches. Untrusted ports can be used to connect DHCP clients or networks.

- Untrusted ports drop the DHCP-ACK and DHCP-OFFER packets received from DHCP servers. Trusted ports forward any received DHCP packets to ensure that DHCP clients can obtain IP addresses from valid DHCP servers.

Figure 4-1 illustrates a typical network diagram for DHCP snooping application, where Switch A is an S3600 series Ethernet switch.

Figure 4-1 Typical network diagram for DHCP snooping application

Figure 4-2 illustrates the interaction between a DHCP client and a DHCP server.

Figure 4-2 Interaction between a DHCP client and a DHCP server

DHCP snooping listens to the following two types of packets to retrieve the IP addresses the DHCP clients obtain from DHCP servers and the MAC addresses of the DHCP clients:

- DHCP-ACK packet
- DHCP-REQUEST packet
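
The trusted/untrusted port rule and the binding record described above can be replayed over a short message trace. This Python code is an added example, not the switch's implementation; the class name, the rule that a binding is recorded when a DHCP-ACK on a trusted port answers an earlier DHCP-REQUEST, the port Ethernet1/0/3 and all addresses are assumptions, and the trace is constructed.

```python
from collections import namedtuple

# ip: the requested address in a REQUEST, the assigned address in OFFER/ACK.
Msg = namedtuple("Msg", "port type client_mac ip")

SERVER_REPLIES = {"OFFER", "ACK"}


class SnoopingSwitch:
    """Layer 2 switch with DHCP snooping enabled."""

    def __init__(self, trusted_ports=()):
        self.trusted = set(trusted_ports)   # every other port is untrusted
        self._pending = {}                  # client MAC -> port of its REQUEST
        self.bindings = {}                  # client MAC -> (ip, client port)
        self.dropped = []

    def handle(self, msg):
        """Return True if the message is forwarded, False if dropped."""
        if msg.type in SERVER_REPLIES and msg.port not in self.trusted:
            self.dropped.append(msg)        # server reply on an untrusted port
            return False
        if msg.type == "REQUEST":
            self._pending[msg.client_mac] = msg.port
        elif msg.type == "ACK" and msg.client_mac in self._pending:
            port = self._pending.pop(msg.client_mac)
            self.bindings[msg.client_mac] = (msg.ip, port)
        return True


CLIENT = "0200-0000-000a"
UPLINK = "Ethernet1/0/1"    # towards Switch B, the DHCP relay
ACCESS = "Ethernet1/0/2"    # DHCP clients
OTHER = "Ethernet1/0/3"     # constructed port with an unauthorized server

# Constructed trace of one address acquisition.
TRACE = [
    Msg(ACCESS, "DISCOVER", CLIENT, None),
    Msg(OTHER, "OFFER", CLIENT, "192.168.0.50"),
    Msg(UPLINK, "OFFER", CLIENT, "10.110.1.10"),
    Msg(ACCESS, "REQUEST", CLIENT, "10.110.1.10"),
    Msg(OTHER, "ACK", CLIENT, "192.168.0.50"),
    Msg(UPLINK, "ACK", CLIENT, "10.110.1.10"),
]


def replay(trusted_ports):
    """Run TRACE through a switch; return (forwarded flags, bindings, drops)."""
    switch = SnoopingSwitch(trusted_ports)
    forwarded = [switch.handle(m) for m in TRACE]
    return forwarded, switch.bindings, len(switch.dropped)


if __name__ == "__main__":
    print("uplink trusted:  ", replay({UPLINK}))
    print("no trusted ports:", replay(set()))
```

The second replay shows the failure mode of enabling snooping without marking the uplink as trusted: the valid server's replies are dropped as well, so the client obtains no address and no binding is recorded.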

4.2  DHCP Snooping Configuration

Table 4-1 Configure the DHCP snooping function

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enable the DHCP snooping function | dhcp-snooping | Required. By default, the DHCP snooping function is disabled. |
| Enter Ethernet port view | interface interface-type interface-number | - |
| Set the port connected to a DHCP server to a trusted port | dhcp-snooping trust | Optional. By default, all ports of a switch are untrusted ports. |

 

Note:

When you need to enable DHCP snooping on the switches in a fabric state, configure the fabric ports on all devices to be trusted ports to ensure that the users connected to each device can obtain IP addresses.

 

4.3  Displaying DHCP Snooping

After the above configurations, you can verify the configurations by executing the display command in any view.

Table 4-2 Display DHCP snooping

| Operation | Command | Description |
|---|---|---|
| Display the user IP-MAC address mapping entries recorded by the DHCP snooping function | display dhcp-snooping [ unit unit-id ] | You can execute the display command in any view |
| Display the (enabled/disabled) state of the DHCP snooping function and the trusted ports | display dhcp-snooping trust | You can execute the display command in any view |

 

4.4  Configuration Example

I. Network requirements

As shown in Figure 4-1, the Ethernet1/0/1 port of Switch A (an S3600 series switch) is connected to Switch B (acting as a DHCP relay). A network segment containing some DHCP clients is connected to the Ethernet1/0/2 port of Switch A.

- Enable the DHCP snooping function on Switch A.
- Set the Ethernet1/0/1 port of Switch A to a trusted port.

II. Configuration procedure

# Enter system view.

<H3C> system-view

# Enable the DHCP snooping function.

[H3C] dhcp-snooping

# Enter Ethernet1/0/1 port view.

[H3C] interface Ethernet1/0/1

# Set the port to a trusted port.

[H3C-Ethernet1/0/1] dhcp-snooping trust

 


Chapter 5  DHCP Accounting Configuration

5.1  Introduction to DHCP Accounting

DHCP accounting allows a DHCP server to notify the RADIUS server of the start/end of accounting when it assigns/releases a lease. The cooperation of DHCP server and RADIUS server implements the network accounting function and ensures network security at the same time.

5.1.1  DHCP Accounting Fundamentals

After you complete AAA and RADIUS configuration on a switch with the DHCP server function enabled, the DHCP server acts as a RADIUS client. For the authentication process of the DHCP server acting as a RADIUS client, refer to the "Introduction to RADIUS" section of the "Security" part in this manual. The following describes only the accounting interaction between DHCP server and RADIUS server.

  • After sending a DHCP-ACK packet with the IP configuration parameters to the DHCP client, the DHCP server sends an Accounting START packet to a specified RADIUS server. The RADIUS server processes the packet, makes a record, and sends a response to the DHCP server.

  • When a lease is released for some reason, the DHCP server sends an Accounting STOP packet to the RADIUS server. The RADIUS server processes the packet, stops the recording for the DHCP client, and sends a response to the DHCP server. A lease can be released for reasons such as lease expiration, a release request received from the DHCP client, a manual release operation, or an address pool removal operation.

  • If the RADIUS server of the specified domain is unreachable, the DHCP server sends up to three Accounting START packets (including the first sending attempt) at regular intervals. If the three packets bring no response from the RADIUS server, the DHCP server does not send Accounting START packets any more.
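
Because the DHCP server stops sending Accounting START packets after three unanswered attempts, a lease can be in use with no accounting record on the RADIUS server. The following added example (not from the manual) replays accounting records and reconciles them with the current lease list to surface such gaps. The record layout, the identification of a client by its leased address and all sample data are constructed assumptions.

```python
# Added example: reconcile DHCP leases with RADIUS accounting records.
# All data is constructed; identifying a client by its leased IP address in
# the accounting record is an assumption of this sketch.

LEASES = {"10.1.1.2", "10.1.1.3", "10.1.1.5"}  # addresses currently leased

# (sequence number, status, leased address) as recorded by the RADIUS server
ACCOUNTING = [
    (1, "Start", "10.1.1.2"),
    (2, "Start", "10.1.1.2"),  # retransmitted START for the same lease
    (3, "Start", "10.1.1.4"),
    (4, "Start", "10.1.1.5"),
    (5, "Stop", "10.1.1.5"),   # lease released ...
    (6, "Start", "10.1.1.5"),  # ... and the address assigned again
]


def open_sessions(records):
    """Replay records in order; return addresses with a START and no later STOP."""
    active = set()
    for _, status, ip in sorted(records):
        if status == "Start":
            active.add(ip)      # repeated STARTs collapse into one session
        elif status == "Stop":
            active.discard(ip)  # a STOP with no recorded START is ignored
    return active


def reconcile(leases, records):
    """Return (leases with no open session, open sessions with no lease)."""
    active = open_sessions(records)
    return sorted(leases - active), sorted(active - leases)


if __name__ == "__main__":
    unaccounted, orphaned = reconcile(LEASES, ACCOUNTING)
    print("leased without accounting record:", unaccounted)
    print("accounting session without lease:", orphaned)
```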

5.2  DHCP Accounting Configuration

5.2.1  Prerequisites

Before configuring DHCP accounting, make sure that:

  • The DHCP server is configured and operates properly. Address pools and lease time are configured.

  • DHCP clients are configured and DHCP service is enabled.

  • The network operates properly.

5.2.2  Configuring DHCP Accounting

Table 5-1 Configure DHCP accounting

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | - |
| Enter address pool view | dhcp server ip-pool pool-name | Required |
| Enable DHCP accounting | accounting domain domain-name | Required. The domain identified by the domain-name argument can be created by using the domain command. |

 

5.2.3  DHCP Accounting Configuration Example

I. Network requirements

  • The DHCP server connects to a DHCP client and a RADIUS server through its Ethernet1/0/2 and Ethernet1/0/1 ports respectively.

  • Ethernet1/0/2 belongs to VLAN 2; Ethernet1/0/1 belongs to VLAN 3.

  • The IP address of VLAN 2 interface is 10.1.1.1/24, and that of VLAN 3 interface is 10.1.2.1/24.

  • The IP address of the RADIUS server is 10.1.2.2/24.

  • DHCP accounting is enabled on the DHCP server.

  • The IP addresses of the global DHCP address pool belong to the network segment 10.1.1.0/24. The DHCP server operates as a RADIUS client and adopts AAA for authentication.

II. Network diagram

Figure 5-1 Network diagram for DHCP accounting configuration

III. Configuration procedure

# Enter system view.

<H3C> system-view

# Create VLAN 2.

[H3C] vlan 2

[H3C-vlan2] quit

# Create VLAN 3.

[H3C] vlan 3

[H3C-vlan3] quit

# Enter Ethernet1/0/2 port view and add the port to VLAN 2.

[H3C] interface Ethernet 1/0/2

[H3C-Ethernet1/0/2] port access vlan 2

[H3C-Ethernet1/0/2] quit

# Enter Ethernet1/0/1 port view and add the port to VLAN 3.

[H3C] interface Ethernet 1/0/1

[H3C-Ethernet1/0/1] port access vlan 3

[H3C-Ethernet1/0/1] quit

# Enter VLAN 2 interface view and assign the IP address 10.1.1.1/24 to the VLAN interface.

[H3C] interface Vlan-interface 2

[H3C-Vlan-interface2] ip address 10.1.1.1 24

[H3C-Vlan-interface2] quit

# Enter VLAN 3 interface view and assign the IP address 10.1.2.1/24 to the VLAN interface.

[H3C] interface Vlan-interface 3

[H3C-Vlan-interface3] ip address 10.1.2.1 24

[H3C-Vlan-interface3] quit

# Create a domain and a RADIUS scheme. Associate the domain with the RADIUS scheme.

[H3C] radius scheme 123

[H3C-radius-123] primary authentication 10.1.2.2

[H3C-radius-123] primary accounting 10.1.2.2

[H3C-radius-123] quit

[H3C] domain 123

[H3C-isp-123] scheme radius-scheme 123

[H3C-isp-123] quit

# Create an address pool on the DHCP server.

[H3C] dhcp server ip-pool test

[H3C-dhcp-pool-test] network 10.1.1.0 mask 255.255.255.0

# Enable DHCP accounting.

[H3C-dhcp-pool-test] accounting domain 123

 
