04-DHCP Configuration
Enabling the DHCP Client on an Interface
Displaying and Maintaining the DHCP Client
DHCP Client Configuration Example
Application Environment of Trusted Ports
DHCP Snooping Support for Option 82
Configuring DHCP Snooping Basic Functions
Configuring DHCP Snooping to Support Option 82
Displaying and Maintaining DHCP Snooping
DHCP Snooping Configuration Examples
DHCP Snooping Configuration Example
DHCP Snooping Option 82 Support Configuration Example
Obtaining an IP Address Dynamically
Configuring an Interface to Dynamically Obtain an IP Address Through BOOTP
Displaying and Maintaining BOOTP Client Configuration
BOOTP Client Configuration Example
This document is organized as follows:
When configuring the DHCP client, go to these sections for information you are interested in:
l Enabling the DHCP Client on an Interface
l Displaying and Maintaining the DHCP Client
l DHCP Client Configuration Example
When multiple VLAN interfaces with the same MAC address use DHCP for IP address acquisition via a relay agent, the DHCP server cannot be a Windows 2000 Server or Windows 2003 Server.
With the DHCP client enabled, an interface will use DHCP to obtain configuration parameters such as an IP address from the DHCP server.
Follow these steps to enable the DHCP client on an interface:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter interface view | interface interface-type interface-number | —
Enable the DHCP client on the interface | ip address dhcp-alloc [ client-identifier mac interface-type interface-number ] | Required. Disabled by default.
l An interface can be configured to acquire an IP address in multiple ways, but these ways are mutually exclusive: the latest configuration overwrites the previous one.
l After the DHCP client is enabled on an interface, no secondary IP address can be configured for the interface.
l If the IP address assigned by the DHCP server is on the same network segment as the IP address of another interface on the device, the DHCP client will not request an IP address from the DHCP server. To recover, delete the conflicting IP address and then either bring the interface up again (execute shutdown followed by undo shutdown) or re-enable the DHCP client on the interface (execute undo ip address dhcp-alloc followed by ip address dhcp-alloc).
To do… | Use the command… | Remarks
Display DHCP client configuration information | display dhcp client [ verbose ] [ interface interface-type interface-number ] | Available in any view
As shown in Figure 1-1, on a LAN, Switch A contacts the DHCP server via VLAN-interface 1 to obtain an IP address.
Figure 1-1 DHCP network diagram
The following is the configuration on Switch A shown in Figure 1-1.
# Enable the DHCP client on VLAN-interface 1.
<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address dhcp-alloc
When configuring DHCP snooping, go to these sections for information you are interested in:
l Configuring DHCP Snooping Basic Functions
l Configuring DHCP Snooping to Support Option 82
l Displaying and Maintaining DHCP Snooping
l DHCP Snooping Configuration Examples
A DHCP snooping device works only when it sits between the DHCP client and the DHCP server, or between the DHCP client and the DHCP relay agent. It does not work when placed between the DHCP relay agent and the DHCP server.
As a DHCP security feature, DHCP snooping implements the following:
1) Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers only
2) Recording the IP-to-MAC mappings of DHCP clients
If an unauthorized DHCP server is present on the network, DHCP clients may obtain invalid IP addresses and network configuration parameters and lose connectivity to other network devices. With DHCP snooping, the ports of a device can be configured as trusted or untrusted, so that clients obtain IP addresses from authorized DHCP servers only.
l Trusted: A trusted port forwards DHCP messages normally.
l Untrusted: An untrusted port discards the DHCP-ACK or DHCP-OFFER messages from any DHCP server.
You should configure ports that connect to authorized DHCP servers or other DHCP snooping devices as trusted, and other ports as untrusted. With such configurations, DHCP clients obtain IP addresses from authorized DHCP servers only, while unauthorized DHCP servers cannot assign IP addresses to DHCP clients.
DHCP snooping inspects the DHCP-REQUEST messages sent by clients and the DHCP-ACK messages received from trusted ports to record DHCP snooping entries. Each entry contains the MAC address of a client, the IP address the client obtained, the port that connects to the client, and the VLAN to which that port belongs. Using these entries, DHCP snooping supports the following:
l ARP detection: Whether ARP packets are sent from an authorized client is determined based on DHCP snooping entries. This feature prevents ARP attacks from unauthorized clients. For details, refer to ARP Configuration in the IP Services Volume.
l IP Source Guard: IP Source Guard uses dynamic binding entries generated by DHCP snooping to filter packets on a per-port basis, and thus prevents unauthorized packets from traveling through. For details, refer to IP Source Guard Configuration in the Security Volume.
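The two behaviours described above (dropping server messages that arrive on untrusted ports, and building IP-to-MAC bindings from REQUEST/ACK pairs) together with the IP Source Guard check that consumes the bindings, modelled in Python. This is an added example, not Comware code or the switch's internal implementation; the port names, MAC addresses, IP addresses and the sequence of messages are constructed for the demonstration, and the no-user-binding behaviour on trusted ports follows the description in this chapter.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# DHCP message types (RFC 2132, option 53)
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {OFFER, ACK, NAK}   # only a DHCP server originates these


@dataclass
class DhcpMsg:
    port: str          # ingress port, e.g. "GE1/0/2"
    vlan: int
    msg_type: int
    chaddr: str        # client MAC address
    yiaddr: str = ""   # address offered/assigned by the server (OFFER/ACK only)


@dataclass
class Binding:
    mac: str
    ip: str
    port: str          # port that connects to the client
    vlan: int


class Snooper:
    """One DHCP snooping device: trusted/untrusted ports, a binding table,
    and the source check that IP Source Guard performs against that table."""

    def __init__(self) -> None:
        # port -> True if the trusted port records bindings, False if it was
        # configured with no-user-binding; a port missing here is untrusted
        self.trusted: Dict[str, bool] = {}
        self.bindings: Dict[str, Binding] = {}            # client MAC -> binding
        self._pending: Dict[str, Tuple[str, int]] = {}    # MAC -> (port, vlan) seen in REQUEST

    def trust(self, port: str, no_user_binding: bool = False) -> None:
        self.trusted[port] = not no_user_binding

    def handle(self, msg: DhcpMsg) -> str:
        """Decide 'forward' or 'drop' for one DHCP message and update state."""
        if msg.msg_type in SERVER_MESSAGES and msg.port not in self.trusted:
            return "drop"   # server reply on an untrusted port: rogue server
        if msg.msg_type == REQUEST:
            # Untrusted (client-facing) ports always record; trusted ports record
            # unless configured with no-user-binding (cascaded snooping switches).
            if self.trusted.get(msg.port, True):
                self._pending[msg.chaddr] = (msg.port, msg.vlan)
        elif msg.msg_type == ACK and msg.chaddr in self._pending:
            # ACK from a trusted port completes the REQUEST/ACK pair: commit the binding
            port, vlan = self._pending.pop(msg.chaddr)
            self.bindings[msg.chaddr] = Binding(msg.chaddr, msg.yiaddr, port, vlan)
        return "forward"

    def source_allowed(self, port: str, vlan: int, mac: str, ip: str) -> bool:
        """IP Source Guard check: the packet's (port, vlan, mac, ip) must match a binding."""
        b = self.bindings.get(mac)
        return b is not None and (b.port, b.vlan, b.ip) == (port, vlan, ip)


def run_demo() -> Tuple[List[str], Snooper]:
    """Replay constructed sample traffic through the model (not a real capture)."""
    s = Snooper()
    s.trust("GE1/0/1")                        # uplink to the authorized DHCP server
    s.trust("GE1/0/4", no_user_binding=True)  # uplink to a downstream snooping switch
    mac_a, mac_b = "00:aa:aa:aa:aa:01", "00:bb:bb:bb:bb:02"
    traffic = [
        DhcpMsg("GE1/0/3", 1, OFFER, mac_a, "10.1.1.200"),   # rogue server on a client port
        DhcpMsg("GE1/0/2", 1, DISCOVER, mac_a),
        DhcpMsg("GE1/0/1", 1, OFFER, mac_a, "10.1.1.5"),     # authorized server
        DhcpMsg("GE1/0/2", 1, REQUEST, mac_a),
        DhcpMsg("GE1/0/1", 1, ACK, mac_a, "10.1.1.5"),
        DhcpMsg("GE1/0/4", 1, REQUEST, mac_b),               # relayed by the downstream switch
        DhcpMsg("GE1/0/1", 1, ACK, mac_b, "10.1.1.6"),
    ]
    decisions = [s.handle(m) for m in traffic]
    return decisions, s


if __name__ == "__main__":
    decisions, s = run_demo()
    print(decisions)   # ['drop', 'forward', 'forward', 'forward', 'forward', 'forward', 'forward']
    print(s.bindings)  # only mac_a is bound; mac_b arrived on a no-user-binding port
    print(s.source_allowed("GE1/0/2", 1, "00:aa:aa:aa:aa:01", "10.1.1.5"))  # True
```

The rogue OFFER on GE1/0/3 is dropped before any client sees it, and the binding for the second client is deliberately absent because its REQUEST came in on the no-user-binding trusted port; a packet from that client would therefore fail the source check on this switch, which is the expected division of labour in a cascaded deployment (the downstream switch holds that binding).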
Figure 2-1 Configure trusted and untrusted ports
As shown in Figure 2-1, a DHCP snooping device’s port that is connected to an authorized DHCP server should be configured as a trusted port to forward reply messages from the DHCP server, so that the DHCP client can obtain an IP address from the authorized DHCP server.
In a cascaded network involving multiple DHCP snooping devices, the ports connected to other DHCP snooping devices should be configured as trusted ports.
To save system resources, a trusted port that connects to another DHCP snooping device (and so is only indirectly connected to DHCP clients) can be configured not to record clients' IP-to-MAC bindings from the DHCP requests it receives (the no-user-binding keyword of the dhcp-snooping trust command).
Figure 2-2 Configure trusted ports in a cascaded network
Table 2-1 describes roles of the ports shown in Figure 2-2.
Device | Untrusted port | Trusted port disabled from recording binding entries | Trusted port enabled to record binding entries
Switch A | GigabitEthernet 1/0/1 | GigabitEthernet 1/0/3 | GigabitEthernet 1/0/2
Switch B | GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 | GigabitEthernet 1/0/1 | GigabitEthernet 1/0/2
Switch C | GigabitEthernet 1/0/1 | GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 | GigabitEthernet 1/0/2
Option 82 records the location information of the DHCP client. The administrator can locate the DHCP client to further implement security control and accounting.
With Option 82 support enabled, the DHCP snooping device handles a client's request according to whether the request already carries Option 82, the configured handling strategy, and the configured padding format. The handling rules are described in the table below.
If a reply returned by the DHCP server contains Option 82, the DHCP snooping device removes the Option 82 before forwarding the reply to the client. If the reply contains no Option 82, the DHCP snooping device forwards it unchanged.
If a client's requesting message has… | Handling strategy | Padding format | The DHCP snooping device will…
Option 82 | Drop | Any | Drop the message.
Option 82 | Keep | Any | Forward the message without changing Option 82.
Option 82 | Replace | normal | Forward the message after replacing the original Option 82 with Option 82 padded in normal format.
Option 82 | Replace | verbose | Forward the message after replacing the original Option 82 with Option 82 padded in verbose format.
Option 82 | Replace | user-defined | Forward the message after replacing the original Option 82 with the user-defined Option 82.
No Option 82 | — | normal | Forward the message after adding Option 82 padded in normal format.
No Option 82 | — | verbose | Forward the message after adding Option 82 padded in verbose format.
No Option 82 | — | user-defined | Forward the message after adding the user-defined Option 82.
The handling strategy and padding format for Option 82 on the DHCP snooping device are the same as those on the relay agent.
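The handling table above and the reply-path stripping rule, worked through on real option bytes. This is an added example and not Comware code: it parses the DHCP options field (RFC 2132 TLVs after the magic cookie), applies drop / keep / replace to a client request, inserts Option 82 (RFC 3046 sub-option 1 = circuit ID, sub-option 2 = remote ID) when the request has none, and strips Option 82 from a server reply. The vendor-specific normal and verbose padding layouts are not modelled; the padding content is taken from user-defined strings, here the company001/device001 values used later in this chapter's example. The sample request and reply are constructed, not captured.

```python
from typing import List, Optional, Tuple

MAGIC = b"\x63\x82\x53\x63"                    # DHCP magic cookie (RFC 2132)
OPT_PAD, OPT_END, OPT_MSG_TYPE, OPT_AGENT_INFO = 0, 255, 53, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2           # Option 82 sub-options (RFC 3046)

Options = List[Tuple[int, bytes]]


def parse_options(data: bytes) -> Options:
    """Parse the DHCP options field (cookie + TLVs) into (code, value) pairs.
    Raises ValueError on a missing cookie or a truncated option."""
    if data[:4] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts: Options = []
    i = 4
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts.append((code, value))
        i += 2 + length
    return opts


def build_options(opts: Options) -> bytes:
    """Serialise (code, value) pairs back into cookie + TLVs + END."""
    out = bytearray(MAGIC)
    for code, value in opts:
        if len(value) > 255:
            raise ValueError("option too long")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode sub-option 1 (circuit ID) and sub-option 2 (remote ID)."""
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def handle_client_request(data: bytes, strategy: str,
                          circuit_id: bytes, remote_id: bytes) -> Optional[bytes]:
    """Apply the handling table to a client request travelling towards the
    server. Returns the options field to forward, or None to drop it."""
    opts = parse_options(data)
    new82 = build_option82(circuit_id, remote_id)
    if any(code == OPT_AGENT_INFO for code, _ in opts):
        if strategy == "drop":
            return None
        if strategy == "keep":
            return data
        if strategy != "replace":
            raise ValueError("strategy must be drop, keep or replace")
        opts = [(c, new82 if c == OPT_AGENT_INFO else v) for c, v in opts]
    else:
        opts.append((OPT_AGENT_INFO, new82))   # no Option 82: add ours regardless of strategy
    return build_options(opts)


def handle_server_reply(data: bytes) -> bytes:
    """Strip Option 82 from a server reply before it is forwarded to the client."""
    return build_options([(c, v) for c, v in parse_options(data) if c != OPT_AGENT_INFO])


if __name__ == "__main__":
    # Constructed DHCPREQUEST options (message type 3 plus a client identifier), not a capture.
    req = build_options([(OPT_MSG_TYPE, b"\x03"), (61, b"\x01" + bytes.fromhex("00aaaaaaaa01"))])
    fwd = handle_client_request(req, "replace", b"company001", b"device001")
    print(dict(parse_options(fwd))[OPT_AGENT_INFO])   # b'\x01\ncompany001\x02\tdevice001'
```

The parser rejects truncated options rather than reading past the buffer, which matters on a device that relays untrusted client traffic; and a request without Option 82 is tagged under every strategy, which is why the table shows "—" in the strategy column for that case.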
Follow these steps to configure DHCP snooping basic functions:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable DHCP snooping | dhcp-snooping | Required. Disabled by default.
Enter Ethernet interface view | interface interface-type interface-number | —
Specify the port as trusted | dhcp-snooping trust [ no-user-binding ] | Required. Untrusted by default.
l You need to specify the ports connected to the authorized DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client must be in the same VLAN.
l You can specify Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces as trusted ports. For details about aggregate interfaces, refer to Link Aggregation Configuration in the Access Volume.
l If a Layer 2 Ethernet interface is added to an aggregation group, the DHCP snooping configuration of the interface will not take effect. After the interface quits the aggregation group, the configuration will be effective.
You need to enable the DHCP snooping function before configuring DHCP snooping to support Option 82.
Follow these steps to configure DHCP snooping to support Option 82:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter interface view | interface interface-type interface-number | —
Enable DHCP snooping to support Option 82 | dhcp-snooping information enable | Required. Disabled by default.
Configure the handling strategy for requesting messages containing Option 82 | dhcp-snooping information strategy { drop | keep | replace } | Optional. replace by default.
Configure non-user-defined Option 82: padding format | dhcp-snooping information format { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] } | Optional. normal by default.
Configure non-user-defined Option 82: code type for the circuit ID sub-option | dhcp-snooping information circuit-id format-type { ascii | hex } | Optional. By default, the code type depends on the padding format of Option 82; each field has its own code type. Applies to non-user-defined Option 82 only.
Configure non-user-defined Option 82: code type for the remote ID sub-option | dhcp-snooping information remote-id format-type { ascii | hex } | Optional. hex by default. Applies to non-user-defined Option 82 only.
Configure user-defined Option 82: padding content for the circuit ID sub-option | dhcp-snooping information [ vlan vlan-id ] circuit-id string circuit-id | Optional. By default, the padding content depends on the padding format of Option 82.
Configure user-defined Option 82: padding content for the remote ID sub-option | dhcp-snooping information [ vlan vlan-id ] remote-id string { remote-id | sysname } | Optional. By default, the padding content depends on the padding format of Option 82.
l You can enable DHCP snooping to support Option 82 on Layer 2 Ethernet interfaces and Layer 2 aggregation interfaces only.
l If the handling strategy of the DHCP-snooping-enabled device is configured as replace, you need to configure a padding format for Option 82. If the handling strategy is keep or drop, you need not configure any padding format.
l If the Option 82 is padded with the device name (sysname) of a node, the device name must contain no spaces. Otherwise, the DHCP-snooping-enabled device will drop the message.
To do… | Use the command… | Remarks
Display DHCP snooping entries | display dhcp-snooping [ ip ip-address ] | Available in any view
Display Option 82 configuration information on the DHCP snooping device | display dhcp-snooping information { all | interface interface-type interface-number } | Available in any view
Display DHCP packet statistics on the DHCP snooping device | display dhcp-snooping packet statistics | Available in any view
Display information about trusted ports | display dhcp-snooping trust | Available in any view
Clear DHCP snooping entries | reset dhcp-snooping { all | ip ip-address } | Available in user view
Clear DHCP packet statistics on the DHCP snooping device | reset dhcp-snooping packet statistics | Available in user view
As shown in Figure 2-3, Switch A is connected to a DHCP server through GigabitEthernet1/0/1, and to two DHCP clients through GigabitEthernet1/0/2 and GigabitEthernet1/0/3. GigabitEthernet1/0/1 forwards DHCP server responses while the other two do not.
Switch A records each client's IP-to-MAC binding from the client's DHCP-REQUEST message and the corresponding DHCP-ACK message received on the trusted port.
Figure 2-3 Network diagram for DHCP snooping configuration
# Enable DHCP snooping.
<SwitchA> system-view
[SwitchA] dhcp-snooping
# Specify GigabitEthernet1/0/1 as trusted.
[SwitchA] interface GigabitEthernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] dhcp-snooping trust
[SwitchA-GigabitEthernet1/0/1] quit
l As shown in Figure 2-3, enable DHCP snooping and Option 82 support on Switch A.
l Configure the handling strategy for DHCP requests containing Option 82 as replace.
l On GigabitEthernet1/0/2, configure the padding content for the circuit ID sub-option as company001 and for the remote ID sub-option as device001.
l On GigabitEthernet1/0/3, configure the padding format as verbose, access node identifier as sysname, and code type as ascii for Option 82.
l Switch A forwards DHCP requests to the DHCP server after replacing Option 82 in the requests, so that the DHCP clients can obtain IP addresses.
# Enable DHCP snooping.
<SwitchA> system-view
[SwitchA] dhcp-snooping
# Specify GigabitEthernet1/0/1 as trusted.
[SwitchA] interface GigabitEthernet1/0/1
[SwitchA-GigabitEthernet1/0/1] dhcp-snooping trust
[SwitchA-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet1/0/2 to support Option 82.
[SwitchA] interface GigabitEthernet1/0/2
[SwitchA-GigabitEthernet1/0/2] dhcp-snooping information enable
[SwitchA-GigabitEthernet1/0/2] dhcp-snooping information strategy replace
[SwitchA-GigabitEthernet1/0/2] dhcp-snooping information circuit-id string company001
[SwitchA-GigabitEthernet1/0/2] dhcp-snooping information remote-id string device001
[SwitchA-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet1/0/3 to support Option 82.
[SwitchA] interface GigabitEthernet1/0/3
[SwitchA-GigabitEthernet1/0/3] dhcp-snooping information enable
[SwitchA-GigabitEthernet1/0/3] dhcp-snooping information strategy replace
[SwitchA-GigabitEthernet1/0/3] dhcp-snooping information format verbose node-identifier sysname
[SwitchA-GigabitEthernet1/0/3] dhcp-snooping information circuit-id format-type ascii
[SwitchA-GigabitEthernet1/0/3] dhcp-snooping information remote-id format-type ascii
While configuring a BOOTP client, go to these sections for information you are interested in:
l Introduction to BOOTP Client
l Configuring an Interface to Dynamically Obtain an IP Address Through BOOTP
l Displaying and Maintaining BOOTP Client Configuration
If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay agent, the BOOTP server cannot be a Windows 2000 Server or Windows 2003 Server.
This section covers these topics:
l Obtaining an IP Address Dynamically
After you specify an interface of a device as a BOOTP client, the interface can use BOOTP to get information (such as IP address) from the BOOTP server, which simplifies your configuration.
Before using BOOTP, an administrator needs to configure a BOOTP parameter file for each BOOTP client on the BOOTP server. The parameter file contains information such as MAC address and IP address of a BOOTP client. When a BOOTP client originates a request to the BOOTP server, the BOOTP server will search for the BOOTP parameter file and return the corresponding configuration information.
Because you need to configure a parameter file for each client on the BOOTP server, BOOTP usually runs under a relatively stable environment. If the network changes frequently, DHCP is more suitable.
Because a DHCP server can interact with a BOOTP client, you can use the DHCP server to configure an IP address for the BOOTP client, without any BOOTP server.
A DHCP server can take the place of the BOOTP server in the following dynamic IP address acquisition.
A BOOTP client dynamically obtains an IP address from a BOOTP server in the following steps:
1) The BOOTP client broadcasts a BOOTP request, which contains its own MAC address.
2) The BOOTP server receives the request and searches the configuration file for the corresponding IP address and other information according to the MAC address of the BOOTP client. The BOOTP server then returns a BOOTP response to the BOOTP client.
3) The BOOTP client obtains the IP address from the received response.
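The three-step exchange above with both sides' messages on the wire, as an added example that is not part of the original manual or of any BOOTP implementation. It packs and unpacks the fixed-format BOOTP message of RFC 951 (300 bytes: op, htype, hlen, hops, xid, secs, flags, four address fields, chaddr, sname, file, vend), and stands in for the server's per-client parameter files with a constructed dictionary keyed by MAC address; the MAC and IP addresses and the transaction ID are made up for the demonstration. The client accepts a reply only if it is a BOOTREPLY whose xid matches the request it sent, and the server stays silent for a MAC it has no entry for, which is the behaviour the steps describe.

```python
import socket
import struct
from typing import Dict, Optional

# Fixed-format BOOTP message (RFC 951): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128), vend(64) = 300 bytes
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s64s"
BOOTREQUEST, BOOTREPLY = 1, 2
HTYPE_ETHERNET, HLEN_ETHERNET = 1, 6
ZERO4 = b"\x00" * 4


def build_request(mac: bytes, xid: int) -> bytes:
    """Step 1, client side: a request that carries only the client's MAC in chaddr."""
    if len(mac) != HLEN_ETHERNET:
        raise ValueError("expected a 6-byte MAC address")
    return struct.pack(BOOTP_FMT, BOOTREQUEST, HTYPE_ETHERNET, HLEN_ETHERNET, 0, xid, 0, 0,
                       ZERO4, ZERO4, ZERO4, ZERO4, mac.ljust(16, b"\x00"),
                       b"\x00" * 64, b"\x00" * 128, b"\x00" * 64)


def server_handle(request: bytes, params: Dict[bytes, Dict[str, str]],
                  server_ip: str) -> Optional[bytes]:
    """Step 2, server side: look the client's MAC up in the per-client parameter
    table (the 'parameter file') and answer, or stay silent if there is no entry."""
    (op, htype, hlen, hops, xid, secs, flags,
     ciaddr, _yiaddr, _siaddr, giaddr, chaddr,
     _sname, _file, _vend) = struct.unpack(BOOTP_FMT, request)
    if op != BOOTREQUEST or htype != HTYPE_ETHERNET or hlen != HLEN_ETHERNET:
        return None
    entry = params.get(chaddr[:hlen])
    if entry is None:
        return None                       # unknown client: no parameter file, no reply
    return struct.pack(BOOTP_FMT, BOOTREPLY, htype, hlen, hops, xid, secs, flags,
                       ciaddr, socket.inet_aton(entry["ip"]), socket.inet_aton(server_ip), giaddr,
                       chaddr, entry.get("sname", "").encode()[:64].ljust(64, b"\x00"),
                       entry.get("file", "").encode()[:128].ljust(128, b"\x00"), b"\x00" * 64)


def client_parse_reply(reply: bytes, xid: int) -> Optional[str]:
    """Step 3, client side: accept only a BOOTREPLY whose xid matches our request;
    return the assigned address (yiaddr) as dotted text."""
    fields = struct.unpack(BOOTP_FMT, reply)
    if fields[0] != BOOTREPLY or fields[4] != xid:
        return None
    return socket.inet_ntoa(fields[8])


if __name__ == "__main__":
    # Constructed parameter table keyed by MAC, standing in for the server's parameter files.
    params = {bytes.fromhex("00aaaaaaaa01"): {"ip": "10.1.1.5", "sname": "bootp1", "file": "boot.bin"}}
    req = build_request(bytes.fromhex("00aaaaaaaa01"), 0x1234)
    rep = server_handle(req, params, "10.1.1.1")
    print(client_parse_reply(rep, 0x1234))   # 10.1.1.5
```

Because the server answers purely on the MAC in chaddr, anyone who can spoof that MAC on the segment receives the same parameters; BOOTP has no client authentication, which is one reason the DHCP snooping trust model earlier in this document applies to BOOTP traffic crossing the same ports.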
Some protocols and standards related to BOOTP include:
l RFC 951: Bootstrap Protocol (BOOTP)
l RFC 2132: DHCP Options and BOOTP Vendor Extensions
l RFC 1542: Clarifications and Extensions for the Bootstrap Protocol
Follow these steps to configure an interface to dynamically obtain an IP address:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter interface view | interface interface-type interface-number | —
Configure an interface to dynamically obtain an IP address through BOOTP | ip address bootp-alloc | Required. By default, an interface does not use BOOTP to obtain an IP address.
To do… | Use the command… | Remarks
Display BOOTP client information | display bootp client [ interface interface-type interface-number ] | Available in any view
As shown in Figure 3-1, Switch A's port belonging to VLAN 1 is connected to the LAN. VLAN-interface 1 obtains an IP address from the DHCP server by using BOOTP.
Figure 3-1 BOOTP network diagram
The following describes only the configuration on Switch A serving as a client.
# Configure VLAN-interface 1 to dynamically obtain an IP address from the DHCP server.
<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address bootp-alloc