19-DHCP Snooping Configuration
When configuring DHCP snooping, go to these sections for information you are interested in:
- Configuring DHCP Snooping on the OLT
- Configuring DHCP Snooping to Support Option 82
- Configuring DHCP Snooping on the ONU
- Displaying and Maintaining DHCP Snooping
- OLT's Support for DHCP Snooping Configuration Examples
A DHCP snooping device works only when it sits between the DHCP client and the DHCP relay agent, or between the DHCP client and the DHCP server. It does not work when placed between the DHCP relay agent and the DHCP server.
As a DHCP security feature, DHCP snooping can implement the following:
1) Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers only
2) Recording the IP-to-MAC mappings of DHCP clients
If there is an unauthorized DHCP server on a network, DHCP clients may obtain invalid IP addresses and network configuration parameters and then be unable to communicate normally with other network devices. With DHCP snooping, the ports of a device can be configured as trusted or untrusted, ensuring that clients obtain IP addresses from authorized DHCP servers only.
- Trusted: A trusted port forwards DHCP messages normally.
- Untrusted: An untrusted port discards the DHCP-ACK or DHCP-OFFER messages from any DHCP server.
You should configure ports that connect to authorized DHCP servers or other DHCP snooping devices as trusted, and other ports as untrusted. With such configurations, DHCP clients obtain IP addresses from authorized DHCP servers only, while unauthorized DHCP servers cannot assign IP addresses to DHCP clients.
Figure 1-1 Configure trusted and untrusted ports
As shown in Figure 1-1, a DHCP snooping device’s port that is connected to an authorized DHCP server should be configured as a trusted port to forward reply messages from the DHCP server, so that the DHCP client can obtain an IP address from the authorized DHCP server.
DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to record DHCP snooping entries, including MAC addresses of clients, IP addresses obtained by the clients, ports that connect to DHCP clients, and VLANs to which the ports belong.
Option 82 records the location information of the DHCP client. The administrator can locate the DHCP client to further implement security control and accounting.
If DHCP snooping supports Option 82, it will handle a client’s request according to the contents defined in Option 82, if any. The handling strategies are described in the table below.
If a reply returned by the DHCP server contains Option 82, the DHCP snooping device will remove the Option 82 before forwarding the reply to the client. If the reply contains no Option 82, the DHCP snooping device forwards it directly.
If a client's requesting message has… | Handling strategy | Padding format | The DHCP snooping device will…
Option 82 | Drop | Random | Drop the message.
Option 82 | Keep | Random | Forward the message without changing Option 82.
Option 82 | Replace | normal | Forward the message after replacing the original Option 82 with the Option 82 padded in normal format.
Option 82 | Replace | verbose | Forward the message after replacing the original Option 82 with the Option 82 padded in verbose format.
Option 82 | Replace | user-defined | Forward the message after replacing the original Option 82 with the user-defined Option 82.
No Option 82 | — | normal | Forward the message after adding the Option 82 padded in normal format.
No Option 82 | — | verbose | Forward the message after adding the Option 82 padded in verbose format.
No Option 82 | — | user-defined | Forward the message after adding the user-defined Option 82.
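The trusted/untrusted port rule, the Option 82 handling strategies in the table above and the binding table, as an added Python model that is not part of this configuration guide. It assumes a DHCP message is a dict holding chaddr, yiaddr and the raw options field, and the "normal" padding content (VLAN and UNI number in the circuit ID, device MAC in the remote ID) is an assumption modelled on the ONU description later in this chapter.

```python
MSG_TYPE, RELAY_INFO, END = 53, 82, 255   # DHCP option codes (message type, relay agent info, end)
OFFER, REQUEST, ACK = 2, 3, 5             # DHCP message types used below

def parse_options(blob):
    """Decode a DHCP options field into an ordered list of (code, value)."""
    opts, i = [], 0
    while i < len(blob) and blob[i] != END:
        code, length = blob[i], blob[i + 1]
        opts.append((code, blob[i + 2:i + 2 + length]))
        i += 2 + length
    return opts

def build_options(opts):
    return b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([END])

def option82(circuit_id, remote_id):
    """Option 82 body: sub-option 1 = circuit ID, sub-option 2 = remote ID."""
    return bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id

def normal_padding(port):
    # Assumed "normal" content, modelled on the ONU description in the guide:
    # circuit ID = VLAN and UNI number, remote ID = device MAC address.
    return option82(b"%d:%d" % (port["vlan"], port["uni"]), port["mac"])

class SnoopingDevice:
    def __init__(self, strategy="replace", user_defined=None):
        self.strategy, self.user_defined = strategy, user_defined   # user_defined: Option 82 body or None
        self.pending = {}    # chaddr -> (port, vlan) learned from DHCP-REQUEST
        self.bindings = {}   # chaddr -> (ip, port, vlan) completed by DHCP-ACK

    def handle(self, msg, port):
        """Return the message to forward (options possibly rewritten), or None if dropped."""
        opts = parse_options(msg["options"])
        mtype = next(v[0] for c, v in opts if c == MSG_TYPE)
        others = [(c, v) for c, v in opts if c != RELAY_INFO]
        if mtype in (OFFER, ACK):                   # reply from a DHCP server
            if not port["trusted"]:
                return None                         # untrusted port: discard server replies
            if mtype == ACK and msg["chaddr"] in self.pending:
                self.bindings[msg["chaddr"]] = (msg["yiaddr"],) + self.pending[msg["chaddr"]]
            return dict(msg, options=build_options(others))  # remove Option 82 before forwarding
        if mtype == REQUEST:                        # remember the client's port and VLAN
            self.pending[msg["chaddr"]] = (port["name"], port["vlan"])
        has82 = len(others) != len(opts)
        if has82 and self.strategy == "drop":
            return None
        if has82 and self.strategy == "keep":
            return msg
        new82 = self.user_defined or normal_padding(port)   # replace, or add when absent
        return dict(msg, options=build_options(others + [(RELAY_INFO, new82)]))
```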
Follow these steps to configure DHCP snooping basic functions:
1) Enter system view: system-view
2) Enable DHCP snooping: dhcp-snooping (required; disabled by default)
3) Enter Ethernet interface or Layer 2 aggregate interface view: interface interface-type interface-number
4) Specify the port as trusted: dhcp-snooping trust [ no-user-binding ] (required; untrusted by default)
- You need to specify the ports connected to the authorized DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client must be in the same VLAN.
- You can specify Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces as trusted ports. For details about aggregate interfaces, refer to Link Aggregation Configuration.
- If a Layer 2 Ethernet port is added to an aggregation group, DHCP snooping configured on that interface does not take effect. After the interface leaves the aggregation group, DHCP snooping takes effect again.
- Do not add an untrusted Layer 2 Ethernet port to an aggregation group.
- Configuring both DHCP snooping and selective QinQ on the switch is not recommended, because it may cause DHCP snooping to malfunction.
You need to enable the DHCP snooping function before configuring DHCP snooping to support Option 82.
Follow these steps to configure DHCP snooping to support Option 82:
1) Enter system view: system-view
2) Enter Ethernet interface or ONU port view: interface interface-type interface-number
3) Enable DHCP snooping to support Option 82: dhcp-snooping information enable (required; disabled by default)
4) Configure the handling strategy for requesting messages containing Option 82: dhcp-snooping information strategy { drop | keep | replace } (optional; replace by default)
5) Configure non-user-defined Option 82 (all optional):
- Configure the padding format for Option 82: dhcp-snooping information format { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] }. normal by default. The padding format for Option 82 on an ONU port is normal only.
- Configure the code type for the circuit ID sub-option: dhcp-snooping information circuit-id format-type { ascii | hex }. By default, the code type depends on the padding format of Option 82, and each field has its own code type. This code type configuration applies to non-user-defined Option 82 only.
- Configure the code type for the remote ID sub-option: dhcp-snooping information remote-id format-type { ascii | hex }. hex by default. The code type configuration applies to non-user-defined Option 82 only.
6) Configure user-defined Option 82 (all optional):
- Configure the padding content for the circuit ID sub-option: dhcp-snooping information [ vlan vlan-id ] circuit-id string circuit-id. By default, the padding content depends on the padding format of Option 82.
- Configure the padding content for the remote ID sub-option: dhcp-snooping information [ vlan vlan-id ] remote-id string { remote-id | sysname }. By default, the padding content depends on the padding format of Option 82.
- You can enable DHCP snooping to support Option 82 on Layer 2 Ethernet interfaces or ONU ports only.
- To support Option 82, the related configuration must be performed on both the DHCP server and the device enabled with DHCP snooping.
- If the handling strategy of the DHCP-snooping-enabled device is configured as replace, you need to configure a padding format for Option 82. If the handling strategy is keep or drop, no padding format needs to be configured.
- If Option 82 is padded with the device name (sysname) of a node, the device name must contain no spaces. Otherwise, the DHCP-snooping-enabled device drops the message.
You can use an OLT to remotely enable DHCP snooping on an ONU through extended OAM packets.
After DHCP snooping is enabled on an ONU, a DHCP snooping table will be generated on the ONU to record the IP address and user MAC address information that the DHCP client obtains from the DHCP server, with each record being an entry in the DHCP snooping table.
Follow these steps to enable DHCP snooping on an ONU:
1) Enter system view: system-view
2) Enter ONU port view: interface onu interface-number
3) Enable DHCP snooping on the ONU: onu-protocol dhcp-snooping enable (optional; disabled by default)
With DHCP snooping Option 82 enabled on an ONU:
- For DHCP request messages that carry Option 82, the ONU replaces the Option 82 with its local one before broadcasting the request.
- For DHCP request messages without Option 82, the ONU adds an Option 82 (containing the ONU MAC address, the number of the UNI connected to the DHCP client, and the VLAN to which the UNI belongs) when the DHCP client connected to the ONU sends a request to the DHCP server. This allows the DHCP server to record the DHCP client addresses.
Follow these steps to enable DHCP snooping Option82 on an ONU:
1) Enter system view: system-view
2) Enter ONU port view: interface onu interface-number
3) Enable DHCP snooping Option 82 on the ONU: onu-protocol dhcp-snooping information enable (optional; disabled by default)
- Display DHCP snooping entries: display dhcp-snooping [ ip ip-address ] (available in any view)
- Display Option 82 configuration information on the DHCP snooping device: display dhcp-snooping information { all | interface interface-type interface-number } (available in any view)
- Display DHCP packet statistics on the DHCP snooping device: display dhcp-snooping packet statistics (available in any view)
- Display information about trusted ports: display dhcp-snooping trust (available in any view)
- Clear DHCP snooping entries: reset dhcp-snooping { all | ip ip-address } (available in user view)
- Display information about DHCP snooping Option 82 support on the ONU: display onu-protocol [ dhcp-snooping information ] (available in ONU port view; the ONU must be online for its information to be displayed)
- Clear DHCP packet statistics on the DHCP snooping device: reset dhcp-snooping packet statistics (available in user view)
As shown in Figure 1-2, an OLT is connected to the DHCP server through GigabitEthernet 1/1/1, and to two ONUs through OLT 1/0/1 and an optical splitter. A DHCP client is attached to each ONU. GigabitEthernet 1/1/1 forwards DHCP server responses while OLT 1/0/1 does not.
The OLT records clients' IP-to-MAC address bindings from the DHCP-REQUEST messages and the DHCP-ACK messages received on trusted ports.
Figure 1-2 Network diagram for DHCP snooping configuration
Before performing the following operations, complete the basic configurations of the EPON OLT and the ONU, and ensure that the ONU is registered normally. For detailed configurations, refer to EPON-OLT Configuration.
- Configure the OLT
# Enable DHCP snooping.
<SwitchB> system-view
[SwitchB] dhcp-snooping
# Specify GigabitEthernet 1/1/1 as trusted.
[SwitchB] interface gigabitethernet 1/1/1
[SwitchB-GigabitEthernet1/1/1] dhcp-snooping trust
[SwitchB-GigabitEthernet1/1/1] quit
# Display the IP-to-MAC bindings recorded by the OLT.
<Sysname> display dhcp-snooping
DHCP Snooping is enabled.
The client binding table for all untrusted ports.
Type : D--Dynamic , S--Static
Type IP Address MAC Address Lease VLAN Interface
==== =============== ============== ============ ==== =================
D 192.168.0.44 000d-56f5-759c 85480 1 Onu1/0/1:1
D 192.168.0.11 000f-34c5-2b22 85480 1 Onu1/0/1:2
--- 2 dhcp-snooping item(s) found ---
- As shown in Figure 1-2, enable DHCP snooping and Option 82 support on the OLT.
- Configure the handling strategy for DHCP requests containing Option 82 as replace.
- On ONU 1/0/1:1, configure the padding content for the circuit ID sub-option as company001 and for the remote ID sub-option as device001.
- On ONU 1/0/1:2, configure the access node identifier as sysname, and the code type as ascii for Option 82.
- The OLT forwards DHCP requests to the DHCP server (Switch A) after replacing Option 82 in the requests, so that the DHCP clients can obtain IP addresses.
Before performing the following operations, complete the basic configurations of the EPON OLT and the ONU, and ensure that the ONU is registered normally. For detailed configurations, refer to EPON-OLT Configuration.
# Enable DHCP snooping.
<SwitchB> system-view
[SwitchB] dhcp-snooping
# Configure ONU 1/0/1:1 to support Option 82.
[Sysname] interface onu 1/0/1:1
[Sysname-Onu1/0/1:1] dhcp-snooping information enable
[Sysname-Onu1/0/1:1] dhcp-snooping information strategy replace
[Sysname-Onu1/0/1:1] dhcp-snooping information circuit-id string company001
[Sysname-Onu1/0/1:1] dhcp-snooping information remote-id string device001
[Sysname-Onu1/0/1:1] quit
# Configure ONU 1/0/1:2 to support Option 82.
[Sysname] interface onu 1/0/1:2
[Sysname-Onu1/0/1:2] dhcp-snooping information enable
[Sysname-Onu1/0/1:2] dhcp-snooping information strategy replace
[Sysname-Onu1/0/1:2] dhcp-snooping information format verbose node-identifier sysname
[Sysname-Onu1/0/1:2] dhcp-snooping information circuit-id format-type ascii
[Sysname-Onu1/0/1:2] dhcp-snooping information remote-id format-type ascii