H3C S7500 Series Operation Manual(Release 3100 Series)-(V1.04)

23-DHCP Configuration

Table of Contents

Chapter 1 DHCP Overview
1.1 Introduction to DHCP
1.2 DHCP IP Address Assignment
1.2.1 IP Address Assignment Policy
1.2.2 Obtaining IP Addresses Dynamically
1.2.3 Updating IP Address Lease
1.3 DHCP Packet Format
1.4 DHCP Packet Processing Modes
1.5 Protocols and Standards

Chapter 2 DHCP Server Configuration
2.1 Introduction to DHCP Server
2.1.1 Usage of DHCP Server
2.1.2 DHCP Address Pool
2.1.3 DHCP IP Address Preferences
2.2 Global Address Pool-Based DHCP Server Configuration
2.2.1 Configuration Task List
2.2.2 Enabling DHCP
2.2.3 Configuring Global Address Pool Mode on Interface(s)
2.2.4 Configuring How to Assign IP Addresses in a Global Address Pool
2.2.5 Configuring DNS Services for the DHCP Server
2.2.6 Configuring NetBIOS Services for the DHCP Server
2.2.7 Customizing DHCP Service
2.2.8 Configuring Gateway Addresses for DHCP Clients
2.3 Interface Address Pool-Based DHCP Server Configuration
2.3.1 Configuration Overview
2.3.2 Enabling DHCP
2.3.3 Configuring to Assign the IP Addresses of Interface Address Pools to DHCP Clients
2.3.4 Configuring to Assign IP Addresses of DHCP Address Pools to DHCP Clients
2.3.5 Configuring DNS Services for the DHCP Server
2.3.6 Configuring NetBIOS Services for DHCP Clients
2.3.7 Customizing DHCP Service
2.4 DHCP Security Configuration
2.4.1 Prerequisites
2.4.2 Configuring Private DHCP Server Detecting
2.4.3 Configuring IP Address Detecting
2.5 Displaying and Maintaining a DHCP Server
2.6 DHCP Server Configuration Example
2.7 Troubleshooting a DHCP Server

Chapter 3 DHCP Relay Agent Configuration
3.1 Introduction to DHCP Relay Agent
3.1.1 Usage of DHCP Relay Agent
3.1.2 DHCP Relay Agent Fundamentals
3.1.3 Option 82 Supporting
3.2 Configuring DHCP Relay Agent
3.2.1 DHCP Relay Agent Configuration Task List
3.2.2 Enabling DHCP
3.2.3 Configuring an Interface to Operate in DHCP Relay Agent Mode
3.2.4 Configuring DHCP Relay Agent Security
3.2.5 Configuring Option 82 Supporting
3.3 Displaying and Maintaining DHCP Relay Agent
3.4 DHCP Relay Agent Configuration Example
3.5 Troubleshooting DHCP Relay Agent

Chapter 4 DHCP Snooping Configuration
4.1 Configuring DHCP Snooping
4.1.1 Introduction to DHCP Snooping
4.1.2 Configuring DHCP Snooping
4.2 DHCP-Snooping Option 82
4.2.1 Overview of DHCP-Snooping Option 82
4.2.2 Enabling DHCP-Snooping Option 82
4.3 Displaying and Maintaining DHCP Snooping
4.4 DHCP Snooping Configuration Example

 


Chapter 1  DHCP Overview

When configuring DHCP, go to these sections for information you are interested in:

- Introduction to DHCP

- DHCP IP Address Assignment

- DHCP Packet Format

- DHCP Packet Processing Modes

- Protocols and Standards

1.1  Introduction to DHCP

As networks grow larger and more complex, available IP addresses become scarce and network configuration becomes a heavy burden for network administrators. The emergence of wireless networks and the use of laptops, with hosts changing position and IP addresses changing frequently, also call for a new technology. The Dynamic Host Configuration Protocol (DHCP) was developed against this background.

DHCP adopts a client/server model: DHCP clients send requests to DHCP servers for configuration parameters, and the DHCP servers return the corresponding configuration information, such as IP addresses, so that the clients are configured dynamically.

A typical DHCP application includes one DHCP server and multiple clients (such as PCs and laptops), as shown in Figure 1-1.

Figure 1-1 Typical DHCP application

1.2  DHCP IP Address Assignment

1.2.1  IP Address Assignment Policy

Currently, DHCP provides the following three IP address assignment policies to meet the requirements of different clients:

- Manual assignment. The administrator statically binds IP addresses to a few clients with special uses (such as a WWW server). The DHCP server then assigns these fixed IP addresses to the clients.

- Automatic assignment. The DHCP server assigns IP addresses to DHCP clients. The IP addresses are occupied by the DHCP clients permanently.

- Dynamic assignment. The DHCP server assigns IP addresses to DHCP clients for a predetermined period of time. In this case, a DHCP client must apply for an IP address again when the period expires. This policy applies to most clients.

1.2.2  Obtaining IP Addresses Dynamically

A DHCP client undergoes the following four phases to dynamically obtain an IP address from a DHCP server:

1) Discover: In this phase, the DHCP client tries to find a DHCP server by broadcasting a DHCP-DISCOVER packet.

2) Offer: In this phase, the DHCP server offers an IP address. Each DHCP server that receives the DHCP-DISCOVER packet chooses an unassigned IP address from the address pool based on the IP address assignment policy and then sends a DHCP-OFFER packet (which carries the IP address and other configuration information) to the DHCP client. The transmission mode depends on the flag field in the DHCP-DISCOVER packet. For details, see section DHCP Packet Format.

3) Select: In this phase, the DHCP client selects an IP address. If more than one DHCP server sends DHCP-OFFER packets to the DHCP client, the DHCP client accepts only the DHCP-OFFER packet that arrives first, and then broadcasts a DHCP-REQUEST packet containing the assigned IP address carried in the DHCP-OFFER packet.

4) Acknowledge: Upon receiving the DHCP-REQUEST packet, the DHCP server returns a DHCP-ACK packet to the DHCP client to confirm the assignment of the IP address to the client, or returns a DHCP-NAK packet to refuse the assignment of the IP address to the client. When the client receives the DHCP-ACK packet, it broadcasts an ARP packet with the assigned IP address as the destination address to check whether the assigned IP address is already in use, and uses the IP address only if it does not receive any response within a specified period.

Note:

The IP addresses offered by other DHCP servers (if any) are not used by the DHCP client and are still available to other clients.

 

1.2.3  Updating IP Address Lease

After a DHCP server dynamically assigns an IP address to a DHCP client, the IP address remains valid only within a specified lease time and is reclaimed by the DHCP server when the lease expires. If the DHCP client wants to use the IP address for a longer time, it must update the IP lease.

By default, a DHCP client updates its IP address lease automatically by unicasting a DHCP-REQUEST packet to the DHCP server when half of the lease time elapses. The DHCP server responds with a DHCP-ACK packet to notify the DHCP client of a new IP lease if the server can assign the same IP address to the client. Otherwise, the DHCP server responds with a DHCP-NAK packet to notify the DHCP client that the IP address will be reclaimed when the lease time expires.

If the DHCP client fails to update its IP address lease when half of the lease time elapses, it tries again by broadcasting a DHCP-REQUEST packet to the DHCP server when seven-eighths of the lease time elapses. The DHCP server handles this request in the same way as described above.

1.3  DHCP Packet Format

DHCP has eight types of packets. They have the same format, but the values of some fields in the packets are different. The DHCP packet format is based on that of the BOOTP packets. Figure 1-2 shows the packet format (the number in the brackets indicates the field length, in bytes):

Figure 1-2 Format of DHCP packets

The fields are described as follows:

- op: Operation type of the DHCP packet: 1 for request packets and 2 for response packets.

- htype, hlen: Hardware address type and length of the DHCP client.

- hops: Number of DHCP relay agents that a DHCP packet passes through. For each DHCP relay agent that the DHCP request packet passes through, the field value increases by 1.

- xid: Random number that the client selects when it initiates a request. The number is used to identify an address-requesting process.

- secs: Elapsed time after the DHCP client initiates a DHCP request.

- flags: The first bit is the broadcast response flag bit. It indicates whether the DHCP response packet is sent in unicast or broadcast mode. Other bits are reserved.

- ciaddr: IP address of a DHCP client.

- yiaddr: IP address that the DHCP server assigns to a client.

- siaddr: IP address of the DHCP server.

- giaddr: IP address of the first DHCP relay agent that the request packet passes through after the DHCP client sends it.

- chaddr: Hardware address of the DHCP client.

- sname: Name of the DHCP server.

- file: Name of the start configuration file that the DHCP server specifies for the DHCP client.

- option: Optional variable-length fields, including packet type, valid lease time, IP address of a DNS server, and IP address of the WINS server.
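The field layout above, as an added Python example (not taken from the H3C manual or the switch software): a bounds-checked parser for the fixed header and the option area, run against a constructed DHCP-DISCOVER. The magic cookie and option codes 53, 50 and 51 come from RFC 2131/2132; the MAC address, xid and requested address are made-up sample values.

```python
import ipaddress
import struct

# Fixed header, in the field order listed above (sizes in bytes): op(1) htype(1)
# hlen(1) hops(1) xid(4) secs(2) flags(2) ciaddr(4) yiaddr(4) siaddr(4)
# giaddr(4) chaddr(16) sname(64) file(128) = 236 bytes.
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = bytes([99, 130, 83, 99])  # RFC 2131: marks the start of options
BROADCAST_FLAG = 0x8000                  # first bit of the 16-bit flags field
MESSAGE_TYPES = {1: "DHCP-DISCOVER", 2: "DHCP-OFFER", 3: "DHCP-REQUEST",
                 4: "DHCP-DECLINE", 5: "DHCP-ACK", 6: "DHCP-NAK",
                 7: "DHCP-RELEASE", 8: "DHCP-INFORM"}


class MalformedPacket(ValueError):
    """Raised when a packet is truncated or internally inconsistent."""


def _ip(raw, what):
    if len(raw) != 4:
        raise MalformedPacket(f"{what} must be 4 bytes, got {len(raw)}")
    return str(ipaddress.IPv4Address(raw))


def parse_options(data):
    """Walk the code/length/value option area; never read past the buffer."""
    options, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:                     # pad option: single byte, no length
            i += 1
            continue
        if code == 255:                   # end option
            return options
        if i + 1 >= len(data):
            raise MalformedPacket(f"option {code} has no length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:          # declared length runs off the packet
            raise MalformedPacket(f"option {code} overruns the packet")
        options[code] = value
        i += 2 + length
    raise MalformedPacket("option area has no end option (255)")  # strict


def parse_dhcp(packet):
    """Decode one DHCP packet into a dict keyed by the field names above."""
    if len(packet) < HEADER.size + len(MAGIC_COOKIE):
        raise MalformedPacket("shorter than fixed header plus magic cookie")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr,
     giaddr, chaddr, sname, file) = HEADER.unpack_from(packet)
    if op not in (1, 2):
        raise MalformedPacket(f"op must be 1 or 2, got {op}")
    if hlen > len(chaddr):
        raise MalformedPacket("hlen is larger than the chaddr field")
    if packet[HEADER.size:HEADER.size + 4] != MAGIC_COOKIE:
        raise MalformedPacket("missing DHCP magic cookie")
    opts = parse_options(packet[HEADER.size + 4:])
    kind = opts.get(53, b"")              # option 53: DHCP message type
    if len(kind) != 1 or kind[0] not in MESSAGE_TYPES:
        raise MalformedPacket("missing or invalid message type (option 53)")
    return {
        "op": "request" if op == 1 else "response",
        "hops": hops,
        "xid": xid,
        "secs": secs,
        "broadcast": bool(flags & BROADCAST_FLAG),
        "ciaddr": _ip(ciaddr, "ciaddr"),
        "yiaddr": _ip(yiaddr, "yiaddr"),
        "siaddr": _ip(siaddr, "siaddr"),
        "giaddr": _ip(giaddr, "giaddr"),
        "chaddr": chaddr[:hlen].hex(":"),
        "message_type": MESSAGE_TYPES[kind[0]],
        "requested_ip": _ip(opts[50], "option 50") if 50 in opts else None,
        "lease_seconds": int.from_bytes(opts[51], "big") if 51 in opts else None,
    }


def build_sample_discover():
    """Constructed DHCP-DISCOVER (sample values, not captured traffic)."""
    header = HEADER.pack(1, 1, 6, 0, 0x3903F326, 0, BROADCAST_FLAG,
                         bytes(4), bytes(4), bytes(4), bytes(4),
                         bytes.fromhex("020000aabbcc"), b"", b"")
    # option 53 = DISCOVER, option 50 = requested address 10.1.1.5, then end
    options = bytes([53, 1, 1, 50, 4, 10, 1, 1, 5, 255])
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    for field, value in parse_dhcp(build_sample_discover()).items():
        print(f"{field:14} {value}")
```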

1.4  DHCP Packet Processing Modes

After the DHCP server is enabled on a device, the device processes the DHCP packet received from a DHCP client in one of the following three modes depending on your configuration:

- Global address pool: In response to the DHCP packets received from DHCP clients, the DHCP server picks IP addresses from its global address pools and assigns them to the DHCP clients.

- Interface address pool: In response to the DHCP packets received from DHCP clients, the DHCP server picks IP addresses from the interface address pools and assigns them to the DHCP clients. If there is no available IP address in the interface address pools, the DHCP server picks IP addresses from its global address pool that contains the interface address pool segment and assigns them to the DHCP clients.

- Trunk: DHCP packets received from DHCP clients are forwarded to an external DHCP server, which assigns IP addresses to the DHCP clients.

You can specify the mode to process DHCP packets. For the configuration of the first two modes, see DHCP Server Configuration. For the configuration of the trunk mode, see DHCP Relay Agent Configuration.

An interface can operate in only one mode at a time. If you configure a new mode on an interface, the new configuration overwrites the previous one.

1.5  Protocols and Standards

Protocol specifications related to DHCP include:

- RFC 2131: Dynamic Host Configuration Protocol

- RFC 2132: DHCP Options and BOOTP Vendor Extensions

- RFC 1542: Clarifications and Extensions for the Bootstrap Protocol

 


Chapter 2  DHCP Server Configuration

When configuring DHCP servers, go to these sections for information you are interested in:

- Introduction to DHCP Server

- Global Address Pool-Based DHCP Server Configuration

- Interface Address Pool-Based DHCP Server Configuration

- DHCP Security Configuration

- Displaying and Maintaining a DHCP Server

- DHCP Server Configuration Example

- Troubleshooting a DHCP Server

2.1  Introduction to DHCP Server

2.1.1  Usage of DHCP Server

Generally, DHCP servers are used in the following networks to assign IP addresses:

- Large networks, where manual configuration is a heavy workload and it is difficult to manage the whole network in a centralized way.

- Networks where the number of available IP addresses is less than that of the hosts. In this type of network, there are not enough IP addresses for every host to obtain a fixed IP address, and the number of on-line users is limited (such is the case in an ISP network). In these networks, a great number of hosts must dynamically obtain IP addresses through DHCP.

- Networks where only a few hosts need fixed IP addresses and most hosts do not need fixed IP addresses.

2.1.2  DHCP Address Pool

A DHCP address pool holds the IP addresses to be assigned to DHCP clients. When a DHCP server receives a DHCP request from a DHCP client, it selects an address pool depending on the configuration, picks an IP address from the pool and sends the IP address and other related parameters (such as the IP address of the DNS server, and the lease time of the IP address) to the DHCP client.

I. Types of address pools

The address pools of a DHCP server fall into two types: global address pool and interface address pool.

- A global address pool is created by executing the dhcp server ip-pool command in system view. It is valid on the current device.

- If an interface is configured with a valid unicast IP address, you can create an interface-based address pool for the interface by executing the dhcp select interface command in interface view. The IP addresses an interface address pool holds belong to the network segment the interface resides in and are available to the interface only.

II. The structure of an address pool

The address pools of a DHCP server are hierarchically organized in a tree-like structure. The root holds the IP addresses of the network segment, the branches hold the subnet IP addresses, and the leaves hold the IP addresses that are manually bound to specific clients. Address pools of the same level are sorted by their configuration precedence order. Such a structure enables configurations to be inherited. That is, the configurations of the network segment can be inherited by its subnets, whose configurations in turn can be inherited by their client addresses. So, for the parameters that are common to the whole network segment or some subnets (such as the domain name), you just need to configure them on the network segment or the corresponding subnets. Configuration inheritance works as follows:

1) A newly created child address pool inherits the configurations of its parent address pool.

2) For an existing parent-child address pool pair, when you perform a new configuration on the parent address pool:

- The child address pool inherits the new configuration if there is no corresponding configuration on the child address pool.

- The child address pool does not inherit the new configuration if there is already a corresponding configuration on the child address pool.

2.1.3  DHCP IP Address Preferences

Interfaces of the DHCP server can work in the global address pool mode or in the interface address pool mode. If the DHCP server works in the interface address pool mode, it picks IP addresses from the interface address pools and assigns them to the DHCP clients. If there is no available IP address in the interface address pools, the DHCP server picks IP addresses from its global address pool that contains the interface address pool segment and assigns them to the DHCP clients.

A DHCP server assigns IP addresses in interface address pools or global address pools to DHCP clients in the following sequence:

- IP addresses that are statically bound to the MAC addresses of DHCP clients.

- IP addresses that the DHCP clients have used before, that is, those in the assigned leases recorded by the DHCP server. If there is no record in the leases and the DHCP-DISCOVER packets sent by DHCP clients contain option 50 fields, the DHCP server assigns the IP address requested by option 50.

- The first IP address found among the available IP addresses in the DHCP address pool.

- If no IP address is available, the DHCP server queries lease-expired and conflicted IP addresses. If the DHCP server finds such IP addresses, it assigns them; otherwise the DHCP server does not assign IP addresses.
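An added Python model of the selection order listed above (illustrative only, not the switch's implementation). The pool states, the class and method names and all addresses are assumptions constructed for the example; it shows which rule decides each assignment and what a client gets once the pool is exhausted.

```python
import ipaddress


class AddressPool:
    """Toy model of the four-step selection order (state handling is assumed)."""

    def __init__(self, network, forbidden=(), static=None):
        self.hosts = [str(h) for h in ipaddress.ip_network(network).hosts()]
        self.forbidden = set(forbidden)   # excluded from dynamic assignment
        self.static = dict(static or {})  # MAC -> statically bound IP
        self.active = {}                  # IP -> MAC holding a live lease
        self.history = {}                 # MAC -> IP from its recorded lease
        self.expired = []                 # IPs whose lease has run out
        self.conflicted = []              # IPs found in use by another host

    def _assignable(self, ip, mac):
        """ip belongs to the pool and is not reserved or leased to someone else."""
        return (ip in self.hosts
                and ip not in self.forbidden
                and ip not in self.static.values()
                and self.active.get(ip, mac) == mac)

    def _free(self, ip, mac):
        """ip is assignable and has never been marked expired or conflicted."""
        return (self._assignable(ip, mac)
                and ip not in self.active
                and ip not in self.expired
                and ip not in self.conflicted)

    def _grant(self, mac, ip, reason):
        for bucket in (self.expired, self.conflicted):
            if ip in bucket:
                bucket.remove(ip)
        self.active[ip] = mac
        self.history[mac] = ip
        return ip, reason

    def expire(self, ip):
        """Lease on ip ran out: the address becomes reclaimable."""
        if self.active.pop(ip, None) is not None:
            self.expired.append(ip)

    def allocate(self, mac, requested_ip=None):
        """Return (ip, rule) for a DHCP-DISCOVER; requested_ip models option 50."""
        # 1) Address statically bound to the client's MAC address.
        if mac in self.static:
            return self._grant(mac, self.static[mac], "static binding")
        # 2) Address from the client's recorded lease; option 50 is honoured
        #    only when the server has no lease record for the client.
        previous = self.history.get(mac)
        if previous is not None:
            if self._assignable(previous, mac) and previous not in self.conflicted:
                return self._grant(mac, previous, "previous lease")
        elif requested_ip is not None and self._free(requested_ip, mac):
            return self._grant(mac, requested_ip, "option 50")
        # 3) First available address in the pool.
        for ip in self.hosts:
            if self._free(ip, mac):
                return self._grant(mac, ip, "first available")
        # 4) Nothing free: fall back to lease-expired, then conflicted addresses.
        for ip in self.expired + self.conflicted:
            if self._assignable(ip, mac):
                return self._grant(mac, ip, "reclaimed")
        return None, "no address available"


def demo():
    """Constructed scenario on a six-host pool; returns each decision in order."""
    pool = AddressPool("10.1.1.0/29", forbidden={"10.1.1.1"},
                       static={"02:00:00:00:00:aa": "10.1.1.2"})
    results = [
        pool.allocate("02:00:00:00:00:aa"),
        pool.allocate("02:00:00:00:00:01", requested_ip="10.1.1.5"),
        pool.allocate("02:00:00:00:00:02"),
    ]
    pool.expire("10.1.1.3")                       # client ...:02 lets its lease lapse
    results.append(pool.allocate("02:00:00:00:00:02"))
    results.append(pool.allocate("02:00:00:00:00:03"))
    results.append(pool.allocate("02:00:00:00:00:04"))
    results.append(pool.allocate("02:00:00:00:00:05"))   # pool is now exhausted
    pool.expire("10.1.1.5")
    results.append(pool.allocate("02:00:00:00:00:05"))   # served from expired leases
    return results


if __name__ == "__main__":
    for ip, rule in demo():
        print(f"{str(ip):10} {rule}")
```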

2.2  Global Address Pool-Based DHCP Server Configuration

2.2.1  Configuration Task List

Complete the following tasks to configure global address pool-based DHCP server:

| Task | Subtask | Remarks |
|---|---|---|
| Enabling DHCP | | Required |
| Configuring Global Address Pool Mode on Interface(s) | | Optional |
| Configuring How to Assign IP Addresses in a Global Address Pool | Configuring to assign IP addresses by static binding | One among these two options is required. Only one mode can be selected for the same global address pool. |
| | Configuring to assign IP addresses dynamically | |
| Configuring DNS Services for the DHCP Server | | Optional |
| Configuring NetBIOS Services for the DHCP Server | | Optional |
| Customizing DHCP Service | | Optional |
| Configuring Gateway Addresses for DHCP Clients | | Optional |

 

2.2.2  Enabling DHCP

You need to enable DHCP before performing other DHCP-related configurations, which take effect only after DHCP is enabled.

Follow these steps to enable DHCP:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enable DHCP | dhcp enable | Required. By default, DHCP is enabled. |

 

2.2.3  Configuring Global Address Pool Mode on Interface(s)

You can configure the global address pool mode on the specified or all interfaces of a DHCP server. After that, when the DHCP server receives DHCP packets from DHCP clients through these interfaces, it assigns IP addresses in the global address pool to the DHCP clients.

Follow these steps to configure the global address pool mode on interface(s):

| To do… | | Use the command… | Remarks |
|---|---|---|---|
| Enter system view | | system-view | |
| Configure the specified interface(s) or all interfaces to operate in global address pool mode | Configure the current interface | interface interface-type interface-number | Optional. By default, a DHCP server assigns the IP addresses of the global address pool to DHCP clients in response to DHCP packets received from DHCP clients. |
| | | dhcp select global | |
| | | quit | |
| | Configure multiple interfaces in system view | dhcp select global { interface interface-type interface-number [ to interface-type interface-number ] \| all } | |

 

2.2.4  Configuring How to Assign IP Addresses in a Global Address Pool

You can bind an IP address in a global address pool statically to a DHCP client or assign IP addresses in the pool dynamically to DHCP clients as needed. In the global address pool, you can bind an IP address statically to a DHCP client and assign other IP addresses in the pool dynamically to DHCP clients.

For dynamic IP address assignment, you need to specify the range of the IP addresses to be dynamically assigned. For static IP address binding, you can regard the IP address statically bound to a DHCP client as coming from a special DHCP address pool that contains only one IP address.

I. Configuring to assign IP addresses by static binding

Some DHCP clients, such as WWW servers, need fixed IP addresses. This can be achieved by binding IP addresses to the MAC addresses of these DHCP clients. When such a DHCP client applies for an IP address, the DHCP server searches for the IP address corresponding to the MAC address of the DHCP client and assigns the IP address to the DHCP client.

Currently, only one IP address in a global DHCP address pool can be statically bound to a MAC address.

Follow these steps to configure to assign IP addresses by static binding:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Create a DHCP address pool and enter DHCP address pool view | dhcp server ip-pool pool-name | Required. By default, no global DHCP address pool is created. |
| Configure an IP address to be statically bound | static-bind ip-address ip-address [ mask mask ] | Required. By default, no IP address is statically bound. |
| Configure a client MAC address to which an IP address is to be statically bound | static-bind mac-address mac-address | Required. By default, no MAC address to which an IP address is to be statically bound is configured. |

Note:

- The static-bind ip-address command and the static-bind mac-address command must be coupled.

- In the same global DHCP address pool, if the static-bind ip-address command or the static-bind mac-address command is executed repeatedly, the new configuration overwrites the previous one.

- The IP address to be statically bound cannot be an interface IP address of the DHCP server; otherwise static binding does not take effect.

- A client can permanently use the statically-bound IP address that it has obtained. The IP address is not limited by the lease time of the IP addresses in the address pool.

 

II. Configuring to assign IP addresses dynamically

IP addresses dynamically assigned to DHCP clients (including those that are permanently leased and those that are temporarily leased) belong to address segments that are specified in advance. Currently, an address pool can contain only one address segment, whose range is determined by the subnet mask.

To avoid IP address conflicts, the IP addresses to be dynamically assigned to DHCP clients are those that are not occupied by specific network devices (such as gateways and FTP servers).

The lease time can differ between address pools, but all IP addresses in the same address pool have the same lease time. Lease time is not inherited; that is, the lease time of a child address pool is not affected by the configuration of the parent address pool.

Follow these steps to configure to assign IP addresses dynamically:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Create a DHCP address pool and enter DHCP address pool view | dhcp server ip-pool pool-name | Required. By default, no DHCP address pool is created. |
| Set the IP address segment whose IP addresses are to be assigned dynamically | network ip-address [ mask mask ] | Required. By default, no IP address segment is set. That is, no IP address is available for being assigned. |
| Configure the lease time | expired { day day [ hour hour [ minute minute ] ] \| unlimited } | Optional. The default lease time is one day. |
| Return to system view | quit | |
| Specify the IP addresses that are not dynamically assigned | dhcp server forbidden-ip low-ip-address [ high-ip-address ] | Optional. By default, all IP addresses in a DHCP address pool are available for being dynamically assigned. |

Note:

- In the same DHCP global address pool, the network command can be executed repeatedly. In this case, the new configuration overwrites the previous one.

- The dhcp server forbidden-ip command can be executed repeatedly. That is, you can repeatedly configure IP addresses that are not dynamically assigned to DHCP clients.

 

2.2.5  Configuring DNS Services for the DHCP Server

If a host accesses the Internet through domain names, DNS is needed to translate the domain names into the corresponding IP addresses. To enable DHCP clients to access the Internet through domain names, a DHCP server is required to provide DNS server addresses while assigning IP addresses to DHCP clients. Currently, you can configure up to eight DNS server addresses for a DHCP address pool.

You can configure domain names to be used by DHCP clients for address pools. After you do this, the DHCP server also provides the domain names to the DHCP clients when it assigns IP addresses to them.

Follow these steps to configure DNS services for the DHCP server:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Create a DHCP address pool and enter DHCP address pool view | dhcp server ip-pool pool-name | Required. By default, no global DHCP address pool is created. |
| Configure a domain name for DHCP clients | domain-name domain-name | Required. By default, no domain name is configured for DHCP clients. |
| Configure DNS server addresses for DHCP clients | dns-list ip-address&<1-8> | Required. By default, no DNS server address is configured. |

 

2.2.6  Configuring NetBIOS Services for the DHCP Server

For Microsoft Windows-based DHCP clients that communicate through NetBIOS protocol, the host name-to-IP address translation is carried out by Windows internet naming service (WINS) servers. So you need to perform WINS-related configuration for most Windows-based hosts. Currently, you can configure up to eight WINS addresses for a DHCP address pool.

Host name-to-IP address mappings are needed for DHCP clients communicating through the NetBIOS protocol. According to how they establish the mapping, NetBIOS nodes fall into the following four categories:

- B-node. Nodes of this type establish their mappings through broadcasting (the character b stands for the word broadcast). The source node obtains the IP address of the destination node by sending a broadcast packet containing the host name of the destination node. After receiving the broadcast packet, the destination node returns its IP address to the source node.

- P-node. Nodes of this type establish their mappings by sending unicast packets to WINS servers (the character p stands for peer-to-peer). The source node sends a unicast packet to the WINS server. After receiving the unicast packet, the WINS server returns the IP address corresponding to the destination node name to the source node.

- M-node. Nodes of this type are p-nodes mixed with broadcasting features (the character m stands for the word mixed). That is, nodes of this type obtain mappings by sending broadcast packets first. If they fail to obtain mappings, they send unicast packets to the WINS server to obtain mappings.

- H-node. Nodes of this type are b-nodes mixed with peer-to-peer features (the character h stands for the word hybrid). That is, nodes of this type obtain mappings by sending unicast packets to WINS servers. If they fail to obtain mappings, they send broadcast packets to obtain mappings.

Follow these steps to configure NetBIOS services for the DHCP server:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Create a DHCP address pool and enter DHCP address pool view | dhcp server ip-pool pool-name | Required. By default, no global DHCP address pool is created. |
| Configure WINS server addresses for DHCP clients | nbns-list ip-address&<1-8> | Required. By default, no WINS server address is configured. |
| Configure DHCP clients to be of a specific NetBIOS node type | netbios-type { b-node \| h-node \| m-node \| p-node } | Optional. By default, no NetBIOS node type of the DHCP client is specified and a DHCP client uses an h-node. |

 

2.2.7  Customizing DHCP Service

As DHCP evolves, new options are continually being introduced. You can add the new options as properties of DHCP servers by performing the following configuration.

Follow these steps to customize DHCP service:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Create a DHCP address pool and enter DHCP address pool view | dhcp server ip-pool pool-name | Required. By default, no global DHCP address pool is created. |
| Configure customized options | option code { ascii ascii-string \| hex hex-string&<1-10> \| ip-address ip-address&<1-8> } | Required. By default, no customized option is configured. |

 

2.2.8  Configuring Gateway Addresses for DHCP Clients

Gateways are necessary for DHCP clients to access servers/hosts outside the current network segment. After you configure gateway addresses on a DHCP server, the DHCP server also provides the gateway addresses to DHCP clients when assigning IP addresses to them.

You can configure gateway addresses for address pools on a DHCP server. Currently, you can configure up to eight gateway addresses for a DHCP address pool.

Follow these steps to configure gateway addresses for DHCP clients:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Create a DHCP address pool and enter DHCP address pool view | dhcp server ip-pool pool-name | Required. By default, no global DHCP address pool is created. |
| Configure gateway addresses for DHCP clients | gateway-list ip-address&<1-8> | Required. By default, no gateway address is configured. |

 

2.3  Interface Address Pool-Based DHCP Server Configuration

 

Caution:

In the interface address pool mode, after the addresses in the interface address pool have been assigned, the DHCP server picks IP addresses from the global address pool containing the segment of the interface address pool and assigns them to the DHCP clients. As a result, the IP addresses obtained from global address pools and those obtained from interface address pools are not in the same network segment, so the clients cannot interoperate with each other.

In the interface address pool mode, if the IP addresses in the same address pool are required to be assigned to the clients on the same VLAN interface, the number of clients that obtain IP addresses automatically cannot exceed the number of the IP addresses that can be assigned in the interface address pool.

 

2.3.1  Configuration Overview

An interface address pool is created when the interface is assigned a valid unicast IP address and you execute the dhcp select interface command in interface view. The IP addresses contained in it belong to the network segment where the interface resides and are available to the interface only.

You can perform certain configurations for the DHCP address pool of a single interface or for those of multiple interfaces within a specified interface range. Configuring multiple interfaces at once reduces the configuration workload and is more convenient.

Complete the following tasks to configure interface address pool-based DHCP server:

| Task | Subtask | Remarks |
|---|---|---|
| Enabling DHCP | | Required |
| Configuring to Assign the IP Addresses of Interface Address Pools to DHCP Clients | | Required |
| Configuring to Assign IP Addresses of DHCP Address Pools to DHCP Clients | Configuring to assign IP addresses by static binding | One among these two options is required. These two options can be configured at the same time. |
| | Configuring to assign IP addresses dynamically | |
| Configuring DNS Services for the DHCP Server | | Optional |
| Configuring NetBIOS Services for DHCP Clients | | Optional |
| Customizing DHCP Service | | Optional |

 

2.3.2  Enabling DHCP

You need to enable DHCP before performing DHCP configurations. DHCP-related configurations are valid only when DHCP is enabled.

Follow these steps to enable DHCP:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enable DHCP | dhcp enable | Required. By default, DHCP is enabled. |

 

2.3.3  Configuring to Assign the IP Addresses of Interface Address Pools to DHCP Clients

If the DHCP server works in the interface address pool mode, it picks IP addresses from the interface address pools and assigns them to the DHCP clients. If there is no available IP address in the interface address pools, the DHCP server picks IP addresses from its global address pool that contains the interface address pool segment and assigns them to the DHCP clients.

Follow these steps to configure to assign the IP addresses of interface address pools to DHCP clients:

| To do… | | Use the command… | Remarks |
|---|---|---|---|
| Enter system view | | system-view | |
| Configure to assign the IP addresses of interface address pools to DHCP clients | Configure the current interface | interface interface-type interface-number | Required. By default, a DHCP server assigns the IP addresses of the global address pool to DHCP clients. |
| | | dhcp select interface | |
| | | quit | |
| | Configure multiple interfaces in system view | dhcp select interface { interface interface-type interface-number [ to interface-type interface-number ] \| all } | |

 

2.3.4  Configuring to Assign IP Addresses of DHCP Address Pools to DHCP Clients

You can assign IP addresses by static binding or assign IP addresses dynamically to DHCP clients as needed.

I. Configuring to assign IP addresses by static binding

Some DHCP clients, such as WWW servers, need fixed IP addresses. This is achieved by binding IP addresses to the MAC addresses of these DHCP clients. When such a DHCP client applies for an IP address, the DHCP server finds the IP address corresponding to the MAC address of the DHCP client, and then assigns the IP address to the DHCP client.

Follow these steps to configure to assign IP addresses by static binding:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter interface view | interface interface-type interface-number | |
| Configure static binding | dhcp server static-bind ip-address ip-address mac-address mac-address | Required. By default, static binding is not configured |

Note:

- The IP addresses statically bound in interface address pools and the interface IP addresses must be in the same segment.

- There is no limit to the number of IP addresses statically bound in an interface address pool, but the IP addresses statically bound in interface address pools and the interface IP addresses must be in the same segment.

- An IP address can be statically bound to only one MAC address. A MAC address can be bound with only one IP address statically.

- The IP address to be statically bound cannot be an interface IP address of the DHCP server; otherwise the static binding does not take effect.

II. Configuring to assign IP addresses dynamically

As an interface-based address pool is created after the interface is assigned a valid unicast IP address, the IP addresses contained in the address pool belong to the network segment where the interface resides and are available to the interface only. So specifying the range of the IP addresses to be dynamically assigned is unnecessary.

To avoid IP address conflicts, the IP addresses to be dynamically assigned to DHCP clients are those not occupied by specific network devices (such as gateways and FTP servers).

The lease time can differ between address pools, but all IP addresses in the same address pool have the same lease time. Lease time is not inherited; that is, the lease time of a child address pool is not affected by the configuration of the parent address pool.

Follow these steps to configure to assign IP addresses dynamically:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Configure the lease time: configure for the current interface | interface interface-type interface-number | Optional. The default lease time is one day |
| | dhcp server expired { day day [ hour hour [ minute minute ] ] \| unlimited } | |
| | quit | |
| Configure the lease time: configure multiple interfaces in system view | dhcp server expired { day day [ hour hour [ minute minute ] ] \| unlimited } { interface interface-type interface-number [ to interface-type interface-number ] \| all } | Optional. The default lease time is one day |
| Specify the IP addresses that are not dynamically assigned | dhcp server forbidden-ip low-ip-address [ high-ip-address ] | Optional. By default, all IP addresses in a DHCP address pool are available for being dynamically assigned. |

Note:

- The dhcp server forbidden-ip command can be executed repeatedly. That is, you can repeatedly configure IP addresses that are not dynamically assigned to DHCP clients.

- Use the dhcp server forbidden-ip command to configure the IP addresses that are not assigned dynamically in global address pools and interface address pools.

2.3.5  Configuring DNS Services for the DHCP Server

If a host accesses the Internet through domain names, DNS is needed to translate the domain names into the corresponding IP addresses. To enable DHCP clients to access the Internet through domain names, a DHCP server is required to provide DNS server addresses while assigning IP addresses to DHCP clients. Currently, you can configure up to eight DNS server addresses for a DHCP address pool.

On the DHCP server, you can configure domain names to be used by DHCP clients for address pools. After you do this, the DHCP server provides the domain names to the DHCP clients while the DHCP server assigns IP addresses to the DHCP clients.

Follow these steps to configure DNS services for the DHCP server:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Configure a domain name for DHCP clients: configure the current interface | interface interface-type interface-number | Required. By default, no domain name is configured for DHCP clients |
| | dhcp server domain-name domain-name | |
| | quit | |
| Configure a domain name for DHCP clients: configure multiple interfaces in system view | dhcp server domain-name domain-name { interface interface-type interface-number [ to interface-type interface-number ] \| all } | Required. By default, no domain name is configured for DHCP clients |
| Configure DNS server addresses for DHCP clients: configure the current interface | interface interface-type interface-number | Required. By default, no DNS server address is configured. |
| | dhcp server dns-list ip-address&<1-8> | |
| | quit | |
| Configure DNS server addresses for DHCP clients: configure multiple interfaces in system view | dhcp server dns-list ip-address&<1-8> { interface interface-type interface-number [ to interface-type interface-number ] \| all } | Required. By default, no DNS server address is configured. |

2.3.6  Configuring NetBIOS Services for DHCP Clients

For Microsoft Windows-based DHCP clients that communicate through NetBIOS protocol, the host name-to-IP address translation is carried out by WINS servers. So you need to perform WINS-related configuration for most Windows-based hosts. Currently, you can configure up to eight WINS addresses for a DHCP address pool.

Host name-to-IP address mappings are needed for DHCP clients communicating through the NetBIOS protocol. Depending on how the mapping is established, NetBIOS nodes fall into the following four categories:

- B-node. Nodes of this type establish their mappings through broadcasting (the character b stands for the word broadcast). The source node obtains the IP address of the destination node by sending a broadcast packet containing the host name of the destination node. After receiving the broadcast packet, the destination node returns its IP address to the source node.

- P-node. Nodes of this type establish their mappings by communicating with WINS servers (the character p stands for peer-to-peer). The source node sends a unicast packet to the WINS server. After receiving the unicast packet, the WINS server returns the IP address corresponding to the destination node name to the source node.

- M-node. Nodes of this type are p-nodes mixed with broadcasting features (the character m stands for the word mixed). That is, nodes of this type obtain mappings by sending broadcast packets first. If they fail to obtain mappings, they send unicast packets to the WINS server to obtain mappings.

- H-node. Nodes of this type are b-nodes mixed with peer-to-peer features (the character h stands for the word hybrid). That is, nodes of this type obtain mappings by sending unicast packets to WINS servers. If they fail to obtain mappings, they send broadcast packets to obtain mappings.

Follow these steps to configure NetBIOS services for the DHCP server:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Configure the WINS server address for DHCP clients: configure the current interface | interface interface-type interface-number | Required. By default, no WINS server address is configured |
| | dhcp server nbns-list ip-address&<1-8> | |
| | quit | |
| Configure the WINS server address for DHCP clients: configure multiple interfaces in system view | dhcp server nbns-list ip-address&<1-8> { interface interface-type interface-number [ to interface-type interface-number ] \| all } | Required. By default, no WINS server address is configured |
| Configure NetBIOS node types for DHCP clients: configure the current interface | interface interface-type interface-number | Required. By default, no NetBIOS node type is specified and a DHCP client uses an h-node. |
| | dhcp server netbios-type { b-node \| h-node \| m-node \| p-node } | |
| | quit | |
| Configure NetBIOS node types for DHCP clients: configure multiple interfaces in system view | dhcp server netbios-type { b-node \| h-node \| m-node \| p-node } { interface interface-type interface-number [ to interface-type interface-number ] \| all } | Required. By default, no NetBIOS node type is specified and a DHCP client uses an h-node. |

2.3.7  Customizing DHCP Service

With the evolution of DHCP, new options are constantly coming into being. You can add the new options as the properties of DHCP servers by performing the following configuration.

Follow these steps to customize DHCP service:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Configure customized options: configure the current interface | interface interface-type interface-number | Required. By default, no customized option is configured |
| | dhcp server option code { ascii ascii-string \| hex hex-string&<1-10> \| ip-address ip-address&<1-8> } | |
| | quit | |
| Configure customized options: configure multiple interfaces in system view | dhcp server option code { ascii ascii-string \| hex hex-string&<1-10> \| ip-address ip-address&<1-8> } { interface interface-type interface-number [ to interface-type interface-number ] \| all } | Required. By default, no customized option is configured |

2.4  DHCP Security Configuration

DHCP security configuration is needed to ensure the security of DHCP service.

2.4.1  Prerequisites

Before configuring DHCP security, you should first complete the DHCP server configuration (either global address pool-based or interface address pool-based DHCP server configuration).

2.4.2  Configuring Private DHCP Server Detecting

A private DHCP server on a network also answers IP address request packets and assigns IP addresses to DHCP clients. However, the IP addresses it assigns may conflict with those of other hosts. As a result, users cannot access the network normally. DHCP servers of this kind are known as private DHCP servers.

With the private DHCP server detecting function enabled, when a DHCP client sends the DHCP-REQUEST packet, the DHCP server tracks the information (such as the IP addresses and interfaces) of DHCP servers to enable the administrator to detect private DHCP servers in time and take proper measures.

Follow these steps to enable detection of a private DHCP server:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enable the private DHCP server detecting function | dhcp server detect | Required. By default, the private DHCP server detecting function is disabled |

2.4.3  Configuring IP Address Detecting

To avoid IP address conflicts caused by assigning the same IP address to multiple DHCP clients simultaneously, you can configure a DHCP server to detect an IP address before it assigns the address to a DHCP client.

IP address detecting is achieved by performing ping operations. To detect whether an IP address is currently in use, the DHCP server sends an ICMP packet with the IP address to be assigned as the destination and waits for a response. If the DHCP server receives no response within a specified time, it resends an ICMP packet. This procedure repeats until the DHCP server receives a response or the number of the sent ICMP packets reaches the specified maximum number. The DHCP server assigns the IP address to the DHCP client only when no response is received during the whole course, thus ensuring that an IP address is assigned to one DHCP client exclusively.

Follow these steps to configure IP address detecting:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Set the maximum number of ICMP packets a DHCP server sends in a ping test | dhcp server ping packets number | Optional. By default, a DHCP server performs the ping operation twice to test an IP address |
| Set the response timeout time of each ICMP packet | dhcp server ping timeout milliseconds | Optional. The default timeout time is 500 milliseconds |

2.5  Displaying and Maintaining a DHCP Server

| To do… | Use the command… | Remarks |
|---|---|---|
| Display the statistics on IP address conflicts | display dhcp server conflict { all \| ip ip-address } | Available in any view |
| Display lease expiration information | display dhcp server expired { ip ip-address \| pool [ pool-name ] \| interface [ interface-type interface-number ] \| all } | Available in any view |
| Display the free IP addresses | display dhcp server free-ip | Available in any view |
| Display information about address binding | display dhcp server ip-in-use { ip ip-address \| pool [ pool-name ] \| interface [ interface-type interface-number ] \| all } | Available in any view |
| Display the statistics on a DHCP server | display dhcp server statistics | Available in any view |
| Display information about DHCP address pool tree | display dhcp server tree { pool [ pool-name ] \| interface [ interface-type interface-number ] \| all } | Available in any view |
| Clear IP address conflict statistics | reset dhcp server conflict { all \| ip ip-address } | Available in user view |
| Clear dynamic address binding information | reset dhcp server ip-in-use { ip ip-address \| pool [ pool-name ] \| interface [ interface-type interface-number ] \| all } | Available in user view |
| Clear the statistics on a DHCP server | reset dhcp server statistics | Available in user view |

Note:

Executing the save command will not save the lease information on a DHCP server to the flash memory. Therefore, the configuration file contains no lease information after the DHCP server restarts or you clear the lease information by executing the reset dhcp server ip-in-use command. In this case, any lease-update requests will be denied, and the clients must apply for IP addresses again.

2.6  DHCP Server Configuration Example

Currently, DHCP networking can be implemented in two ways. One is to deploy the DHCP server and DHCP clients in the same network segment. This enables the clients to communicate with the server directly. The other is to deploy the DHCP server and DHCP clients in different network segments. In this case, IP address assigning is carried out through DHCP relay agent. Note that DHCP server configuration is the same in both scenarios.

I. Network requirements

The DHCP server assigns IP addresses dynamically to the DHCP clients on the same network segment. The network segment 10.1.1.0/24, to which the IP addresses of the address pool belong, is divided into two sub-network segments: 10.1.1.0/25 and 10.1.1.128/25. The switch operating as the DHCP server hosts two VLANs, whose interface IP addresses are 10.1.1.1/25 and 10.1.1.129/25 respectively.

The DHCP settings of the 10.1.1.0/25 network segment are as follows:

- Lease time: 10 days plus 12 hours

- Domain name: aabbcc.com

- DNS server: 10.1.1.2

- WINS server: none

- Gateway: 10.1.1.126

The DHCP settings of the 10.1.1.128/25 network segment are as follows:

- Lease time: 5 days

- Domain name: aabbcc.com

- DNS server: 10.1.1.2

- WINS server: 10.1.1.4

- Gateway: 10.1.1.254

If you use the inheriting relation of parent and child address pools, make sure that the number of the assigned IP addresses does not exceed the number of the IP addresses in the child address pool; otherwise extra IP addresses will be obtained from the parent address pool. The attributes (for example, gateway) also are based on the configuration of the parent address pool.

For example, in the network to which VLAN-interface 1 is connected, if multiple clients apply for IP addresses, the child address pool 10.1.1.0/25 assigns IP addresses first. When the IP addresses in the child address pool have been assigned, if other clients need IP addresses, the IP addresses will be assigned from the parent address pool 10.1.1.0/24 and the attributes will be based on the configuration of the parent address pool.

For this example, the number of clients applying for IP addresses from VLAN-interface 1 is recommended to be less than or equal to 122 and the number of clients applying for IP addresses from VLAN-interface 2 is recommended to be less than or equal to 124.
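The recommended limits of 122 and 124 clients can be reproduced from the pool definitions in this example. The following Python sketch is an added example, not part of the H3C manual; the function names are hypothetical, and it assumes that the VLAN interface address itself is never leased.

```python
import ipaddress

# Addresses excluded with `dhcp server forbidden-ip` in this configuration
# example (DNS server, WINS server and the two gateways). Each entry is a
# (low, high) pair; high is None when a single address is excluded.
FORBIDDEN = [
    ("10.1.1.2", None),
    ("10.1.1.4", None),
    ("10.1.1.126", None),
    ("10.1.1.254", None),
]


def dynamic_capacity(interface_cidr, forbidden):
    """Count the addresses a child pool can hand out dynamically.

    interface_cidr -- VLAN interface address with prefix, e.g. "10.1.1.1/25"
    forbidden      -- (low, high) pairs as given to `dhcp server forbidden-ip`
    """
    iface = ipaddress.ip_interface(interface_cidr)
    hosts = set(iface.network.hosts())
    # Assumption: the server's own interface address is not leased.
    excluded = {iface.ip}
    for low, high in forbidden:
        lo = ipaddress.ip_address(low)
        hi = ipaddress.ip_address(high) if high else lo
        if hi < lo:
            raise ValueError("forbidden range %s-%s is reversed" % (low, high))
        # Only forbidden addresses inside this subnet reduce its capacity.
        excluded.update(a for a in hosts if lo <= a <= hi)
    return len(hosts - excluded)


def overflow_report(interface_cidr, forbidden, clients):
    """Split an expected client count between the child and parent pool.

    Clients beyond the child pool's capacity are served from the parent
    pool and receive the parent pool's attributes (for example, no gateway
    in this configuration example).
    """
    capacity = dynamic_capacity(interface_cidr, forbidden)
    return {
        "capacity": capacity,
        "from_child_pool": min(clients, capacity),
        "from_parent_pool": max(0, clients - capacity),
    }


if __name__ == "__main__":
    print(dynamic_capacity("10.1.1.1/25", FORBIDDEN))      # VLAN-interface 1
    print(dynamic_capacity("10.1.1.129/25", FORBIDDEN))    # VLAN-interface 2
    print(overflow_report("10.1.1.1/25", FORBIDDEN, 130))
```
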

 

II. Network diagram

Figure 2-1 Network diagram for DHCP configuration

III. Configuration procedure

1) Configure a VLAN and add a port in this VLAN, and then configure the IP address of the VLAN interface (omitted).

2) Configure DHCP service.

# Enable DHCP.

<H3C> system-view

[H3C] dhcp enable

# Configure the IP addresses that are not dynamically assigned. (That is, the IP addresses of the DNS server, WINS server, and gateways.)

[H3C] dhcp server forbidden-ip 10.1.1.2

[H3C] dhcp server forbidden-ip 10.1.1.4

[H3C] dhcp server forbidden-ip 10.1.1.126

[H3C] dhcp server forbidden-ip 10.1.1.254

# Configure DHCP address pool 0, including address range and DNS server address.

[H3C] dhcp server ip-pool 0

[H3C-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0

[H3C-dhcp-pool-0] domain-name aabbcc.com

[H3C-dhcp-pool-0] dns-list 10.1.1.2

[H3C-dhcp-pool-0] quit

# Configure DHCP address pool 1, including address range, gateway, and lease time.

[H3C] dhcp server ip-pool 1

[H3C-dhcp-pool-1] network 10.1.1.0 mask 255.255.255.128

[H3C-dhcp-pool-1] gateway-list 10.1.1.126

[H3C-dhcp-pool-1] expired day 10 hour 12

[H3C-dhcp-pool-1] quit

# Configure DHCP address pool 2, including address range, gateway, WINS server address, and lease time.

[H3C] dhcp server ip-pool 2

[H3C-dhcp-pool-2] network 10.1.1.128 mask 255.255.255.128

[H3C-dhcp-pool-2] expired day 5

[H3C-dhcp-pool-2] nbns-list 10.1.1.4

[H3C-dhcp-pool-2] gateway-list 10.1.1.254

2.7  Troubleshooting a DHCP Server

I. Symptom

The IP address dynamically assigned by a DHCP server to a client conflicts with the IP address of another host.

II. Analysis

With DHCP enabled, IP address conflicts are usually caused by IP addresses that are manually configured on hosts.

III. Solution

- Disconnect the DHCP client from the network and then check whether there is a host using the conflicting IP address by performing a ping operation on another host on the network, with the conflicting IP address as the destination and a sufficiently long timeout.

- If you receive a response packet to the ping operation, the IP address is manually configured on a host. You can then disable the IP address from being dynamically assigned by using the dhcp server forbidden-ip command on the DHCP server.

- Attach the DHCP client to the network, release the dynamically assigned IP address and obtain an IP address again. For example, enter DOS by executing the cmd command in Windows XP, and then release the IP address by executing the ipconfig/release command. Then obtain an IP address again by executing the ipconfig/renew command.


Chapter 3  DHCP Relay Agent Configuration

When configuring DHCP relay agents, go to these sections for information you are interested in:

- Introduction to DHCP Relay Agent

- Configuring DHCP Relay Agent

- Displaying and Maintaining DHCP Relay Agent

- DHCP Relay Agent Configuration Example

- Troubleshooting DHCP Relay Agent

3.1  Introduction to DHCP Relay Agent

3.1.1  Usage of DHCP Relay Agent

Because packets are broadcast in the process of obtaining IP addresses, DHCP is only applicable when DHCP clients and DHCP servers are in the same network segment. That is, you need to deploy at least one DHCP server for each network segment, which is far from economical.

The DHCP relay agent is designed to address this problem. It enables DHCP clients in a subnet to communicate with the DHCP server in another subnet so that the DHCP clients can obtain IP addresses. In this case, the DHCP clients in multiple networks can use the same DHCP server, which can decrease your cost and provide a centralized administration.

3.1.2  DHCP Relay Agent Fundamentals

Figure 3-1 illustrates a typical DHCP relay agent application.

Figure 3-1 Typical DHCP relay agent application

DHCP relay agents can transparently transmit broadcast packets on DHCP clients or servers to the DHCP servers or clients in other network segments.

In the process of dynamic IP address assignment through the DHCP relay agent, the DHCP client and DHCP server interoperate with each other in a similar way as they do without the DHCP relay agent. The following sections only describe the forwarding process of the DHCP relay agent. For the interaction process of the packets, see Obtaining IP Addresses Dynamically.

1) The DHCP client broadcasts the DHCP-DISCOVER packet.

2) After receiving the packet, the network device providing the DHCP relay agent function unicasts the packet to the designated DHCP server based on the configuration.

3) The DHCP server assigns IP addresses and transmits the configuration information to the clients through the DHCP relay agent so that the clients can be configured dynamically. The transmission mode depends on the flag field in the DHCP-DISCOVER packet. For details, see section DHCP Packet Format.

3.1.3  Option 82 Supporting

I. Introduction to option 82 supporting

Option 82 is a relay agent information option in DHCP packets. When a request packet from a DHCP client travels through a DHCP relay agent on its way to the DHCP server, the DHCP relay agent adds option 82 into the request packet. Option 82 includes many sub-options, but the DHCP server supports only sub-option 1 and sub-option 2 at present. Sub-option 1 defines agent circuit ID (that is, Circuit ID) and sub-option 2 defines remote agent ID (that is, Remote ID).

Option 82 enables a DHCP server to track the address information of DHCP relay agents. Using this information together with other appropriate software, you can implement DHCP assignment limitation and accounting functions.

II. Primary terminologies

- Option: A length-variable field in DHCP packets, carrying information such as part of the lease information and packet type. It includes at least one option and at most 255 options.

- Option 82: Also known as relay agent information option. This option is a part of the Option field in DHCP packet. According to RFC3046, option 82 lies before option 255 and after the other options. Option 82 includes at least one sub-option and at most 255 sub-options. Currently, the commonly used sub-options in option 82 are sub-option 1 and sub-option 2.

- Sub-option 1: A sub-option of option 82. Sub-option 1 represents the agent circuit ID, namely Circuit ID. It holds the port number and VLAN-ID of the switch port connected to the DHCP client, and is usually configured on the DHCP relay agent. Generally, sub-option 1 and sub-option 2 must be used together to identify information about a DHCP source.

- Sub-option 2: A sub-option of option 82. Sub-option 2 represents the remote agent ID, namely Remote ID. It holds the MAC address of the DHCP relay agent, and is usually configured on the DHCP relay agent. Generally, sub-option 1 and sub-option 2 must be used together to identify information about a DHCP source.

III. Related specification

The specifications concerning option 82 supporting are as follows:

RFC2131 Dynamic Host Configuration Protocol

RFC3046 DHCP Relay Agent Information Option

IV. Mechanism of option 82 supporting on DHCP relay agent

The procedure for a DHCP client to obtain an IP address from a DHCP server through a DHCP relay agent is similar to that for the client to obtain an IP address from a DHCP server directly. The mechanism of option 82 supporting on the DHCP relay agent is as follows.

1) A DHCP client broadcasts a request packet when it initiates.

2) The DHCP relay agent on the local network receives the request packet, and then checks whether the packet contains option 82 and processes the packet accordingly.

3) If the packet contains option 82, the DHCP relay agent processes the packet depending on the configured policy (that is, discards the packet, replaces the original option 82 in the packet with its own, or leaves the original option 82 unchanged in the packet), and forwards the packet (if not discarded) to the DHCP server.

4) If the packet does not contain option 82, the DHCP relay agent adds option 82 to the packet and forwards the packet to the DHCP server. The forwarded packet contains the port number of the switch to which the DHCP client is connected, the VLAN to which the DHCP client belongs, and the MAC address of the DHCP relay agent.

5) Upon receiving the DHCP request packet forwarded by the DHCP relay agent, the DHCP server stores the information contained in the option field and sends a packet that contains DHCP configuration information and option 82 to the DHCP relay agent.

6) Upon receiving the packet returned from the DHCP server, the DHCP relay agent strips option 82 from the packet and forwards the packet with the DHCP configuration information to the DHCP client.

Note:

Request packets sent by a DHCP client fall into two categories: DHCP-DISCOVER packets and DHCP-REQUEST packets. As DHCP servers from different manufacturers process DHCP request packets in different ways (that is, some DHCP servers process option 82 in DHCP-DISCOVER packets, whereas the rest process option 82 in DHCP-REQUEST packets), a DHCP relay agent adds option 82 to both types of packets to accommodate DHCP servers of different manufacturers.
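The following Python sketch is an added example, not part of the H3C manual and not the switch's implementation. It works on the DHCP options field to show the option 82 handling in steps 2) to 6) above, plus a server check of the kind that private DHCP server detecting (section 2.4.2) applies to DHCP-REQUEST packets. The function names, the 4-byte Circuit ID layout, the sample MAC address and the address 10.110.0.99 are assumptions made for illustration; reading the chosen server from option 54 follows RFC 2131 and is not stated in this manual.

```python
import ipaddress

# DHCP option codes (RFC 2132) and option 82 sub-option codes (RFC 3046).
PAD, MSG_TYPE, SERVER_ID, RELAY_INFO, END = 0, 53, 54, 82, 255
CIRCUIT_ID, REMOTE_ID = 1, 2
DHCPREQUEST = 3


def tlv(data, framed=True):
    """Yield (code, value) pairs from a type-length-value byte string.

    framed=True walks a DHCP options field (pad = 0, end = 255);
    framed=False walks the sub-option list carried inside option 82.
    """
    i = 0
    while i < len(data):
        code = data[i]
        if framed and code == END:
            return
        if framed and code == PAD:
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option %d" % code)
        length = data[i + 1]
        yield code, data[i + 2:i + 2 + length]
        i += 2 + length


def encode(code, value):
    """Serialise one option or sub-option."""
    if len(value) > 255:
        raise ValueError("value too long for a one-byte length field")
    return bytes([code, len(value)]) + value


def make_option82(circuit_id, remote_id):
    """Build option 82 with sub-option 1 (Circuit ID) and 2 (Remote ID)."""
    return encode(RELAY_INFO,
                  encode(CIRCUIT_ID, circuit_id) + encode(REMOTE_ID, remote_id))


def relay_request(options, strategy, own82):
    """Return the options field to forward, or None if the packet is dropped."""
    if strategy not in ("drop", "keep", "replace"):
        raise ValueError("unknown strategy %r" % strategy)
    items = list(tlv(options))
    if any(code == RELAY_INFO for code, _ in items):
        if strategy == "drop":
            return None
        if strategy == "keep":
            # The server will see identifiers this relay did not set.
            return options
    kept = b"".join(encode(c, v) for c, v in items if c != RELAY_INFO)
    # Option 82 goes after the other options and before option 255.
    return kept + own82 + bytes([END])


def relay_reply(options):
    """Strip option 82 from a server reply before it reaches the client."""
    kept = b"".join(encode(c, v) for c, v in tlv(options) if c != RELAY_INFO)
    return kept + bytes([END])


def suboptions(options):
    """Return {sub-option code: value} from option 82, or {} when absent."""
    for code, value in tlv(options):
        if code == RELAY_INFO:
            return dict(tlv(value, framed=False))
    return {}


def unknown_server(options, authorised):
    """Return the server a DHCP-REQUEST names if it is not authorised."""
    opts = dict(tlv(options))
    if opts.get(MSG_TYPE) != bytes([DHCPREQUEST]):
        return None
    sid = opts.get(SERVER_ID)
    if sid is None or len(sid) != 4:
        return None  # lease renewals carry no server identifier
    server = ipaddress.ip_address(sid)
    allowed = {ipaddress.ip_address(a) for a in authorised}
    return None if server in allowed else server


# Constructed sample values: VLAN 2 and port 5 as two 16-bit fields
# (assumed layout), and a made-up relay agent MAC address.
CIRCUIT = (2).to_bytes(2, "big") + (5).to_bytes(2, "big")
REMOTE = bytes.fromhex("000fe2000001")
OWN82 = make_option82(CIRCUIT, REMOTE)


def request(server_ip, extra=b""):
    """Constructed DHCP-REQUEST options field naming server_ip in option 54."""
    return (encode(MSG_TYPE, bytes([DHCPREQUEST]))
            + encode(SERVER_ID, ipaddress.ip_address(server_ip).packed)
            + extra + bytes([END]))


if __name__ == "__main__":
    fwd = relay_request(request("202.38.1.2"), "replace", OWN82)
    print(suboptions(fwd))
    print(unknown_server(request("10.110.0.99"), ["202.38.1.2"]))
```

With the keep strategy, an option 82 that arrives in the client's packet reaches the server unchanged, so any server-side policy keyed on Circuit ID or Remote ID then depends on values the relay agent did not write.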

 

3.2  Configuring DHCP Relay Agent

3.2.1  DHCP Relay Agent Configuration Task List

Complete the following tasks to configure DHCP relay agent:

| Task | Remarks |
|---|---|
| Enabling DHCP | Required |
| Configuring an Interface to Operate in DHCP Relay Agent Mode | Required |
| Configuring DHCP Relay Agent Security | Optional |
| Configuring Option 82 Supporting | Optional |

3.2.2  Enabling DHCP

Make sure to enable DHCP before you perform other DHCP relay agent-related configurations, since other DHCP-related configurations cannot take effect with DHCP disabled.

Follow these steps to enable DHCP:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enable DHCP | dhcp enable | Required. By default, DHCP is enabled |

3.2.3  Configuring an Interface to Operate in DHCP Relay Agent Mode

When an interface operates in the relay mode, the interface forwards the DHCP packets received from DHCP clients to an external DHCP server, which assigns IP addresses to the DHCP clients.

To enhance reliability, you can set multiple DHCP servers on the same network. These DHCP servers form a DHCP server group. When the interface establishes mapping relationship with the DHCP server group, the interface forwards the DHCP packets to all servers in the server group.

Follow these steps to configure an interface to operate in DHCP relay agent mode:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Configure the DHCP server IP address(es) in a specified DHCP server group | dhcp-server groupNo ip ip-address&<1-8> | Required. By default, no DHCP server IP address is configured in a DHCP server group |
| Map an interface to a DHCP server group | interface interface-type interface-number | Required. By default, a VLAN interface is not mapped to any DHCP server group |
| | dhcp-server groupNo | |

Note:

- You can configure up to eight external DHCP IP addresses in a DHCP server group.

- You can map multiple VLAN interfaces to one DHCP server group. But one VLAN interface can be mapped to only one DHCP server group. If you execute the dhcp-server groupNo command repeatedly, the new configuration overwrites the previous one.

- The group number specified in the dhcp-server groupNo command in VLAN interface view must be configured in advance by using the dhcp-server groupNo ip ip-address&<1-8> command.

3.2.4  Configuring DHCP Relay Agent Security

I. Configuring address checking

When a DHCP client obtains an IP address from a DHCP server with the help of a DHCP relay agent, the DHCP relay agent creates an entry (dynamic entry) in the user address table to track the IP-MAC address binding information about the DHCP client. You can also configure user address entries manually (static entries) to bind an IP address and a MAC address statically.

The purpose of the address checking function on DHCP relay agent is to prevent unauthorized users from statically configuring IP addresses to access external networks. With this function enabled, a DHCP relay agent inhibits a user from accessing external networks if the IP address configured on the user end and the MAC address of the user end do not match any entries (including the entries dynamically tracked by the DHCP relay agent and the manually configured static entries) in the user address table on the DHCP relay agent.

Follow these steps to configure address checking:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Create a DHCP user address entry manually | dhcp-security static ip-address mac-address | Optional. By default, no DHCP user address entry is configured |
| Enter interface view | interface interface-type interface-number | |
| Enable the address checking function | address-check enable | Required. By default, the address checking function is disabled |

II. Configuring dynamic entries

Through this configuration task, you can validate or invalidate the dynamic IP-to-MAC mapping entries generated by the DHCP relay agent. DHCP client addresses are matched based on the dynamic entries generated by DHCP relay agent only after these entries are activated; otherwise, DHCP client addresses are matched based only on the security address entries statically configured.

Follow these steps to configure dynamic entries generated by DHCP relay agents:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter VLAN interface view | interface interface-type interface-number | |
| Validate the dynamic entries generated by the DHCP relay agent | address-check dhcp-relay enable | Optional. By default, the dynamic IP-to-MAC mapping entries generated by the DHCP relay agent are valid |

This configuration will take effect only after the address checking function of the DHCP relay agent on the VLAN interface is enabled.

III. Configuring whether to allow freely-connected clients to pass DHCP security check

A freely-connected client refers to the client whose IP address and MAC address are not in the DHCP security table. When the freely-connected client is not allowed to pass DHCP security check, you cannot access the network on this client even if the freely-connected client has a valid IP address.

Follow these steps to configure whether to allow freely-connected clients to pass DHCP security check:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter VLAN interface view | interface interface-type interface-number | |
| Forbid freely-connected clients to pass DHCP security check | address-check no-matched enable | Optional. Freely-connected clients are not allowed to pass DHCP security check |

This configuration will take effect only after the address checking function of the DHCP relay agent on the VLAN interface is enabled.

3.2.5  Configuring Option 82 Supporting

I. Prerequisites

Before configuring option 82 supporting on a DHCP relay agent, you need to:

- Configure network parameters and relay function of the DHCP relay agent.

- Perform assignment strategy-related configurations, such as network parameters of the DHCP server, address pool, and lease time.

- Make sure that the routes between the DHCP relay agent and the DHCP server are reachable.

II. Enabling option 82 supporting on a DHCP relay agent

The following operations need to be performed on a DHCP relay agent–enabled network device.

Follow these steps to enable option 82 supporting on a DHCP relay agent:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enable option 82 supporting on the DHCP relay agent | dhcp relay information enable | Required. By default, this function is disabled |
| Configure the strategy for the DHCP relay agent to process request packets containing option 82 | dhcp relay information strategy { drop \| keep \| replace } | Optional. By default, the replace policy is adopted |

To enable option 82, you need to perform the corresponding configuration on the DHCP server and the DHCP relay agent.

 

3.3  Displaying and Maintaining DHCP Relay Agent

| To do… | Use the command… | Remarks |
|---|---|---|
| Display the information about a specified DHCP server group | display dhcp-server groupNo | Available in any view |
| Display the information about the DHCP server group to which a specified VLAN interface is mapped | display dhcp-server interface vlan-interface vlan-id | Available in any view |
| Display the address information of all the users in the valid user address table of the DHCP server group | display dhcp-security [ ip-address \| dynamic \| static ] | Available in any view |
| Clear the statistics information of the specified DHCP server group | reset dhcp-server groupNo | Available in user view |

3.4  DHCP Relay Agent Configuration Example

I. Network requirements

The DHCP clients on the network segment 10.110.0.0/16 are connected to a port of VLAN 2. The IP address of the DHCP server is 202.38.1.2. DHCP packets between the DHCP clients and the DHCP server are forwarded by the DHCP relay agent, through which the DHCP clients can obtain IP addresses and related configuration information from the DHCP server.

II. Network diagram

Figure 3-2 Network diagram for DHCP relay agent

III. Configuration procedure

# Enter system view.

<H3C> system-view

# Enable DHCP.

[H3C] dhcp enable

# Create DHCP server group 1 and configure an IP address of 202.38.1.2 for it.

[H3C] dhcp-server 1 ip 202.38.1.2

# Map VLAN-interface 2 to DHCP server group 1.

[H3C] interface Vlan-interface 2

[H3C-Vlan-interface2] dhcp-server 1

# Configure an IP address for VLAN-interface 2, so that this interface is on the same network segment with the DHCP clients.

[H3C-Vlan-interface2] ip address 10.110.1.1 255.255.0.0

 

Note:

You need to perform corresponding configurations on the DHCP server to enable the DHCP clients to obtain IP addresses from the DHCP server. The DHCP server configurations vary with different DHCP server devices, so the configurations are omitted.

3.5  Troubleshooting DHCP Relay Agent

I. Symptom

A client fails to obtain configuration information through a DHCP relay agent.

II. Analysis

This problem may be caused by improper DHCP relay agent configuration. When a DHCP relay agent operates improperly, you can locate the problem by enabling debugging and checking the debugging output and the interface state, which you can display by executing the corresponding display command.

III. Solution

• Check if DHCP is enabled on the DHCP server and the DHCP relay agent.

• Check if an address pool that is on the same network segment with the DHCP clients is configured on the DHCP server.

• Check if a reachable route is configured between the DHCP relay agent and the DHCP server.

• Check the DHCP relay agent-enabled network devices. Check if the correct DHCP server group is configured on the interface connecting the network segment where the DHCP client resides. Check if the IP address of the DHCP server group is correct.


Chapter 4  DHCP Snooping Configuration

When configuring DHCP snooping, go to these sections for information you are interested in:

• Configuring DHCP Snooping

• DHCP-Snooping Option 82

• Displaying and Maintaining DHCP Snooping

• DHCP Snooping Configuration Example

4.1  Configuring DHCP Snooping

4.1.1  Introduction to DHCP Snooping

For security, the administrator needs to track the IP addresses used by online DHCP clients in order to verify the mapping between the IP addresses that the DHCP clients obtained from DHCP servers and the MAC addresses of the DHCP clients.

• Layer 3 switches can track DHCP client IP addresses through a DHCP relay agent.

• Layer 2 switches can track DHCP client IP addresses through the DHCP snooping function, which listens to DHCP broadcast packets.

When an unauthorized DHCP server exists in the network, a DHCP client may obtain an illegal IP address. To ensure that the DHCP clients obtain IP addresses from valid DHCP servers, you can specify a port to be a trusted port or an untrusted port through the DHCP snooping function.

• Trusted ports can be used to connect DHCP servers or ports of other switches. Untrusted ports can be used to connect DHCP clients or networks.

• Trusted ports forward any received DHCP packet to ensure that DHCP clients can obtain IP addresses from valid DHCP servers. Untrusted ports drop all the received packets.

Figure 4-1 illustrates a typical network diagram for DHCP snooping application, where Switch A is an S7500 series switch.

Figure 4-1 Typical network diagram for DHCP snooping application

Figure 4-2 illustrates the interaction between a DHCP client and a DHCP server.

Figure 4-2 Interaction between a DHCP client and a DHCP server

DHCP snooping listens to the following two types of packets to retrieve the IP addresses the DHCP clients obtain from DHCP servers and the MAC addresses of the DHCP clients:

• DHCP-ACK packet

• DHCP-REQUEST packet
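
A model of the trusted/untrusted port rule and of the binding table built from DHCP-REQUEST and DHCP-ACK, added here as an example and not taken from H3C software. It assumes the drop rule applies to server replies (OFFER, ACK, NAK) arriving on untrusted ports; the Frame fields, the third port, and all addresses are constructed.

```python
from dataclasses import dataclass
SERVER_TYPES = {"OFFER", "ACK", "NAK"}  # message types only a DHCP server sends

@dataclass(frozen=True)
class Frame:
    port: str                  # ingress port on the snooping switch
    vlan: int
    msg_type: str              # DISCOVER / OFFER / REQUEST / ACK / NAK
    client_mac: str            # chaddr field
    your_ip: str = "0.0.0.0"   # yiaddr field, filled in by the server

class Snooper:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}   # client MAC -> (port, vlan) learned from DHCP-REQUEST
        self.bindings = {}  # client MAC -> (ip, port, vlan) confirmed by DHCP-ACK
        self.alerts = []    # server replies that arrived on untrusted ports

    def handle(self, f):
        """Return True if the frame is forwarded, False if it is dropped."""
        if f.msg_type in SERVER_TYPES and f.port not in self.trusted:
            self.alerts.append((f.port, f.msg_type, f.your_ip))
            return False
        if f.msg_type == "REQUEST":
            self.pending[f.client_mac] = (f.port, f.vlan)
        elif f.msg_type == "ACK" and f.client_mac in self.pending:
            port, vlan = self.pending.pop(f.client_mac)
            self.bindings[f.client_mac] = (f.your_ip, port, vlan)
        return True

# Constructed traffic: Ethernet2/0/1 is the trusted uplink, clients sit on
# Ethernet2/0/2, and an unauthorized server answers from Ethernet2/0/3.
MAC = "0011-2233-4455"
SAMPLE = [
    Frame("Ethernet2/0/2", 2, "DISCOVER", MAC),
    Frame("Ethernet2/0/3", 2, "OFFER", MAC, "192.168.0.50"),
    Frame("Ethernet2/0/1", 2, "OFFER", MAC, "10.110.1.20"),
    Frame("Ethernet2/0/2", 2, "REQUEST", MAC),
    Frame("Ethernet2/0/3", 2, "ACK", MAC, "192.168.0.50"),
    Frame("Ethernet2/0/1", 2, "ACK", MAC, "10.110.1.20"),
]

def replay(frames, trusted_ports=("Ethernet2/0/1",)):
    snooper = Snooper(trusted_ports)
    return snooper, [snooper.handle(f) for f in frames]

if __name__ == "__main__":
    snooper, verdicts = replay(SAMPLE)
    print(verdicts, snooper.bindings, snooper.alerts, sep="\n")
```

The alerts list is the part worth exporting to monitoring: every entry is a server reply seen on a port that should only carry client traffic.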

4.1.2  Configuring DHCP Snooping

Follow these steps to configure the DHCP snooping function:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enable the DHCP snooping function | dhcp-snooping | Required. By default, the DHCP snooping function is disabled |
| Enter Ethernet port view | interface interface-type interface-number | - |
| Set the port connected to a DHCP server to a trusted port | dhcp-snooping trust | Required. By default, all ports of a switch are untrusted ports |

Note:

• DHCP relay agent and DHCP snooping cannot be enabled at the same time. If you have enabled DHCP relay agent on the device, you will fail to enable DHCP snooping.

• The dhcp-snooping trust command and the dhcp-snooping command must be configured at the same time; otherwise DHCP packets may be dropped in actual networking.

4.2  DHCP-Snooping Option 82

4.2.1  Overview of DHCP-Snooping Option 82

I. Introduction to DHCP Option 82

For details of option 82, see Option 82 Supporting.

II. Working mechanism of DHCP-Snooping option 82

The process in which a DHCP client obtains an IP address from a DHCP server through DHCP-Snooping is the same as the process in which a DHCP client obtains an IP address from a DHCP server directly. The process includes four phases: IP lease request, IP lease offer, IP lease selection, and IP lease acknowledgement. This section only introduces the working mechanism of DHCP-Snooping option 82. The details are as follows:

1) When a DHCP client gets online, it broadcasts an IP address request message across the network.

2) After receiving the broadcast message, the DHCP-Snooping-enabled switch checks whether the message contains option 82 and processes it.

   • If the message contains option 82, the switch replaces the original option 82 in the message with its own option 82, and then broadcasts the request message.

   • If the request message does not contain option 82, the DHCP-Snooping-enabled switch inserts option 82 into the message, and then broadcasts this message.

3) By now, the request message contains the number of the switch port connected to the DHCP client, the VLAN to which the port belongs, and the MAC address of the DHCP-Snooping-enabled switch.

4) After receiving the DHCP request message broadcast by the DHCP-Snooping-enabled device, the DHCP server records the information carried by the options in the message, and then sends the message containing DHCP configuration information and option 82 information to the DHCP-Snooping-enabled device.

5) After receiving the returned message from the DHCP server, the DHCP-Snooping-enabled switch checks the option 82 field in the message.

   • If the option 82 field is inserted by the switch, the switch removes the option 82 field from the message, and then forwards the message containing the DHCP configuration information to the DHCP client.

   • If the option 82 field is not inserted by the switch, the switch obtains the VLAN information contained in this field and broadcasts the returned message in this VLAN.

Note:

There are two types of request messages from a DHCP client: DHCP_DISCOVER and DHCP_REQUEST. The DHCP servers of different vendors process the request messages differently. Some devices process the option 82 information in the DHCP_DISCOVER message, whereas other devices process the option 82 information in the DHCP_REQUEST message, so a DHCP-Snooping-enabled switch inserts option 82 into both messages.
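
The option 82 handling described in sections 3.2.5 and 4.2.1, as an added example that is not H3C code: the default replace strategy matches the DHCP-Snooping behaviour above, drop discards a request that already carries option 82, and keep forwards it unchanged. The sub-option byte layout, MY_MAC, and the rule that the switch recognizes its own option 82 by the remote ID are assumptions made for the example.

```python
import struct
OPT82, END, PAD = 82, 255, 0
MY_MAC = bytes.fromhex("000fe2000001")  # constructed MAC of this switch

def parse_options(raw):
    """Walk (code, length, value) options up to the END option."""
    opts, i = [], 0
    while i < len(raw) and raw[i] != END:
        if raw[i] == PAD:
            i += 1
            continue
        if i + 2 > len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError("truncated option")
        opts.append((raw[i], raw[i + 2:i + 2 + raw[i + 1]]))
        i += 2 + raw[i + 1]
    return opts

def build_options(opts):
    return b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([END])

def own_option82(vlan, port):
    """Sub-option 1 carries VLAN and port, sub-option 2 the switch MAC.
    The 2-byte VLAN + 2-byte port layout is assumed for this example."""
    circuit = struct.pack("!HH", vlan, port)
    return bytes([1, len(circuit)]) + circuit + bytes([2, len(MY_MAC)]) + MY_MAC

def process_request(raw, vlan, port, strategy="replace"):
    """Return the option bytes to forward, or None if the request is dropped."""
    opts = parse_options(raw)
    if any(c == OPT82 for c, _ in opts):
        if strategy == "drop":
            return None
        if strategy == "keep":
            return raw
    rest = [(c, v) for c, v in opts if c != OPT82]
    return build_options(rest + [(OPT82, own_option82(vlan, port))])

def process_reply(raw):
    """Strip option 82 from a server reply only if this switch inserted it."""
    opts = parse_options(raw)
    mine = any(c == OPT82 and dict(parse_options(v)).get(2) == MY_MAC
               for c, v in opts)
    if not mine:
        return raw, False  # foreign option 82 stays in the message
    return build_options([(c, v) for c, v in opts if c != OPT82]), True

# Constructed inputs: a DISCOVER without option 82, and one tagged upstream.
PLAIN = build_options([(53, b"\x01")])
FOREIGN = build_options([(53, b"\x01"), (82, b"\x02\x06" + bytes.fromhex("00aabbccddee"))])
```

With replace, whatever option 82 a client or downstream device supplied never reaches the DHCP server, so the server only ever sees port and VLAN data written by the switch itself.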

 

4.2.2  Enabling DHCP-Snooping Option 82

I. Configuration prerequisites

Before configuring DHCP-Snooping option 82, you need to:

• Configure network parameters of the DHCP-Snooping-enabled switch.

• Enable DHCP-Snooping.

• Configure network parameters of the DHCP server, address pool, and address lease time, and other address assignment policies.

II. Enabling DHCP-Snooping option 82

Follow these steps to enable DHCP-snooping option 82 on a DHCP-snooping-enabled network device:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enable DHCP-Snooping option 82 | dhcp-snooping information enable | Required. This function is disabled by default |

4.3  Displaying and Maintaining DHCP Snooping

| To do… | Use the command… | Remarks |
|---|---|---|
| Display the IP-MAC mappings recorded by the DHCP-Snooping-enabled switch | display dhcp-snooping | Available in any view |
| Display DHCP-Snooping status and trusted port information | display dhcp-snooping trust | Available in any view |
| Display the total number of DHCP-Snooping binding table entries | display dhcp-snooping count | Available in any view |
| Display the DHCP-Snooping binding table entries of the specified VLAN | display dhcp-snooping vlan { vlan-list \| all } | Available in any view |
| Clear the IP-MAC mappings recorded by the DHCP-Snooping-enabled switch | reset dhcp-snooping [ ip-address ] | Available in user view |

4.4  DHCP Snooping Configuration Example

I. Network requirements

As shown in Figure 4-3, the Ethernet 2/0/1 port of Switch A is connected to Switch B (acting as a DHCP relay agent). A network segment containing some DHCP clients is connected to the Ethernet 2/0/2 port of Switch A.

• The DHCP snooping function is enabled on Switch A.

• The DHCP-Snooping-enabled device supports option 82 and option 82 is enabled on the switch.

• The Ethernet 2/0/1 port of Switch A is a trusted port.

II. Network diagram

Figure 4-3 DHCP-Snooping configuration

III. Configuration procedure

Perform the following configuration on the DHCP-Snooping-enabled Switch A.

# Enter system view.

<H3C> system-view

# Enable the DHCP snooping function.

[H3C] dhcp-snooping

# Enable DHCP-Snooping option 82.

[H3C] dhcp-snooping information enable

# Enter Ethernet 2/0/1 port view.

[H3C] interface ethernet2/0/1

# Specify the port as a trusted port.

[H3C-Ethernet2/0/1] dhcp-snooping trust

 
