06-Layer 3 - IP Services

H3C Access Controllers Configuration Guides (R5228P01)

Contents

Configuring ARP
Overview
ARP message format
ARP operating mechanism
ARP table
Command and hardware compatibility
Configuring a static ARP entry
Setting the maximum number of dynamic ARP entries for a device
Setting the maximum number of dynamic ARP entries for an interface
Setting the aging timer for dynamic ARP entries
Enabling dynamic ARP entry check
Enabling ARP logging
Displaying and maintaining ARP
Configuring gratuitous ARP
Overview
Gratuitous ARP packet learning
Periodic sending of gratuitous ARP packets
Configuration procedure
Enabling IP conflict notification
Configuring proxy ARP
Enabling common proxy ARP
Enabling local proxy ARP
Displaying proxy ARP
Common proxy ARP configuration example
Network requirements
Configuration procedure
Verifying the configuration
Configuring ARP fast-reply
Overview
Configuration procedure
ARP fast-reply configuration example
Network requirements
Configuration procedure
Configuring IP addressing
Overview
IP address classes
Special IP addresses
Subnetting and masking
Assigning an IP address to an interface
Configuration guidelines
Configuration procedure
Displaying and maintaining IP addressing
DHCP overview
DHCP address allocation
Allocation mechanisms
IP address allocation process
IP address lease extension
DHCP message format
DHCP options
DHCP server's DHCP options
Custom DHCP options
Protocols and standards
Configuring the DHCP server
Overview
DHCP address pool
IP address allocation sequence
DHCP server configuration task list
Configuring an address pool on the DHCP server
Configuration task list
Creating a DHCP address pool
Specifying IP address ranges for a DHCP address pool
Specifying gateways for DHCP clients
Specifying a domain name suffix for DHCP clients
Specifying DNS servers for DHCP clients
Specifying WINS servers and NetBIOS node type for DHCP clients
Specifying BIMS server for DHCP clients
Specifying the configuration file for DHCP client auto-configuration
Specifying a server for DHCP clients
Configuring Option 184 parameters for DHCP clients
Customizing DHCP options
Configuring the DHCP user class whitelist
Enabling DHCP
Enabling the DHCP server on an interface
Applying an address pool on an interface
Configuring a DHCP policy for dynamic address assignment
Configuring IP address conflict detection
Enabling handling of Option 82
Configuring DHCP server compatibility
Configuring the DHCP server to broadcast all responses
Configure the DHCP server to ignore BOOTP requests
Configuring the DHCP server to send BOOTP responses in RFC 1048 format
Disabling Option 60 encapsulation in DHCP replies
Setting the DSCP value for DHCP packets sent by the DHCP server
Configuring DHCP binding auto backup
Configuring address pool usage alarming
Binding gateways to DHCP server's MAC address
Advertising subnets assigned to clients
Enabling client offline detection on the DHCP server
Enabling DHCP logging on the DHCP server
Displaying and maintaining the DHCP server
DHCP server configuration examples
Dynamic IP address assignment configuration example
DHCP user class configuration example
DHCP user class whitelist configuration example
Primary and secondary subnets configuration example
DHCP option customization configuration example
Troubleshooting DHCP server configuration
Failure to obtain a non-conflicting IP address
Configuring the DHCP relay agent
Overview
Operation
DHCP relay agent support for Option 82
DHCP relay agent configuration task list
Enabling DHCP
Enabling the DHCP relay agent on an interface
Specifying DHCP servers on a relay agent
Configuring the DHCP relay agent security features
Enabling the DHCP relay agent to record relay entries
Enabling periodic refresh of dynamic relay entries
Enabling DHCP starvation attack protection
Configuring the DHCP relay agent to release an IP address
Configuring Option 82
Setting the DSCP value for DHCP packets sent by the DHCP relay agent
Enabling DHCP server proxy on a DHCP relay agent
Configuring a DHCP relay address pool
Specifying a gateway address for DHCP clients
Enabling client offline detection on the DHCP relay agent
Configuring the DHCP smart relay feature
Displaying and maintaining the DHCP relay agent
DHCP relay agent configuration example
Network requirements
Configuration procedure
Verifying the configuration
Troubleshooting DHCP relay agent configuration
Failure of DHCP clients to obtain configuration parameters through the DHCP relay agent
Configuring the DHCP client
Enabling the DHCP client on an interface
Configuring a DHCP client ID for an interface
Enabling duplicated address detection
Setting the DSCP value for DHCP packets sent by the DHCP client
Displaying and maintaining the DHCP client
Configuring DHCP snooping
Overview
Application of trusted and untrusted ports
DHCP snooping support for Option 82
Command and hardware compatibility
DHCP snooping configuration task list
Configuring basic DHCP snooping
Configuring Option 82
Configuring DHCP snooping entry auto backup
Enabling DHCP starvation attack protection
Enabling DHCP-REQUEST attack protection
Setting the maximum number of DHCP snooping entries
Configuring DHCP packet rate limit
Configuring a DHCP packet blocking port
Enabling DHCP snooping logging
Displaying and maintaining DHCP snooping
DHCP snooping configuration examples
Basic DHCP snooping configuration example
Configuring the BOOTP client
BOOTP application
Obtaining an IP address dynamically
Protocols and standards
Configuring an interface to use BOOTP for IP address acquisition
Displaying and maintaining BOOTP client
Configuring DNS
Overview
Static domain name resolution
Dynamic domain name resolution
DNS proxy
DNS spoofing
DNS configuration task list
Configuring the IPv4 DNS client
Configuring static domain name resolution
Configuring dynamic domain name resolution
Configuring the IPv6 DNS client
Configuring static domain name resolution
Configuring dynamic domain name resolution
Configuring the DNS proxy
Configuring DNS spoofing
Specifying the source interface for DNS packets
Configuring the DNS trusted interface
Setting the DSCP value for outgoing DNS packets
Displaying and maintaining DNS
IPv4 DNS configuration examples
Static domain name resolution configuration example
Dynamic domain name resolution configuration example
DNS proxy configuration example
IPv6 DNS configuration examples
Static domain name resolution configuration example
Dynamic domain name resolution configuration example
DNS proxy configuration example
Troubleshooting IPv4 DNS configuration
Failure to resolve IPv4 addresses
Troubleshooting IPv6 DNS configuration
Failure to resolve IPv6 addresses
Configuring DDNS
Overview
DDNS application
Feature and hardware compatibility
DDNS client configuration task list
Configuring a DDNS policy
Configuration prerequisites
Configuration procedure
Applying the DDNS policy to an interface
Setting the DSCP value for outgoing DDNS packets
Displaying DDNS
Configuring NAT
Overview
Terminology
NAT types
NAT control
Command and hardware compatibility
NAT implementations
Static NAT
Dynamic NAT
NAT Server
NAT444
NAT entries
NAT session entry
EIM entry
NO-PAT entry
NAT444 entry
Using NAT with other features
NAT with DNS mapping
NAT with ALG
NAT configuration task list
Configuring static NAT
Configuration prerequisites
Configuring outbound one-to-one static NAT
Configuring outbound net-to-net static NAT
Configuring inbound one-to-one static NAT
Configuring inbound net-to-net static NAT
Configuring dynamic NAT
Configuration restrictions and guidelines
Configuration prerequisites
Configuring outbound dynamic NAT
Configuring inbound dynamic NAT
Configuring NAT Server
Configuring common NAT Server
Configuring load sharing NAT Server
Configuring ACL-based NAT Server
Configuring NAT444
Configuring static NAT444
Configuring dynamic NAT444
Enabling global mapping sharing for dynamic NAT444
Modifying the priority of a NAT rule
Modifying the priority of an outbound dynamic NAT rule
Modifying the priority of an inbound dynamic NAT rule
Modifying the priority of a one-to-one static inbound NAT rule
Modifying the priority of a one-to-one static outbound NAT rule
Modifying the priority of an ACL-based NAT server rule
Configuring NAT with DNS mapping
Configuring NAT hairpin
Configuring NAT with ALG
Configuring NAT logging
Configuring NAT session logging
Configuring NAT444 user logging
Configuring NAT444 alarm logging
Configuring port block usage threshold for dynamic NAT444
Enabling sending ICMP error messages for NAT failures
Displaying and maintaining NAT
NAT configuration examples
Outbound one-to-one static NAT configuration example
Outbound dynamic NAT configuration example
Configuring load sharing
Feature and hardware compatibility
Configuring per-packet or per-flow load sharing
Optimizing IP performance
Command and hardware compatibility
Enabling an interface to forward directed broadcasts destined for the directly connected network
Configuration procedure
Configuration example
Setting MTU for an interface
Setting TCP MSS for an interface
Configuring TCP path MTU discovery
Enabling TCP SYN Cookie
Setting the TCP buffer size
Setting TCP timers
Enabling sending ICMP error messages
Configuring rate limit for ICMP error messages
Specifying the source address for ICMP packets
Enabling IPv4 local fragment reassembly
Displaying and maintaining IP performance optimization
Configuring basic IPv6 settings
Overview
IPv6 features
IPv6 addresses
IPv6 ND protocol
IPv6 path MTU discovery
IPv6 transition technologies
Dual stack
Tunneling
Protocols and standards
Command and hardware compatibility
IPv6 basics configuration task list
Assigning IPv6 addresses to interfaces
Configuring an IPv6 global unicast address
Configuring an IPv6 link-local address
Configuring an IPv6 anycast address
Configuring IPv6 ND
Configuring a static neighbor entry
Setting the maximum number of dynamic neighbor entries
Setting the aging timer for ND entries in stale state
Minimizing link-local ND entries
Setting the hop limit
Configuring parameters for RA messages
Setting the maximum number of attempts to send an NS message for DAD
Enabling ND proxy
Configuring a customer-side port
Configuring path MTU discovery
Setting the interface MTU
Setting a static path MTU for an IPv6 address
Setting the aging time for dynamic path MTUs
Controlling sending ICMPv6 messages
Configuring the rate limit for ICMPv6 error messages
Enabling replying to multicast echo requests
Enabling sending ICMPv6 destination unreachable messages
Enabling sending ICMPv6 time exceeded messages
Enabling sending ICMPv6 redirect messages
Specifying the source address for ICMPv6 packets
Enabling IPv6 local fragment reassembly
Enabling a device to discard IPv6 packets that contain extension headers
Displaying and maintaining IPv6 basics
Basic IPv6 configuration example
Network requirements
Configuration procedure
Verifying the configuration
Troubleshooting IPv6 basics configuration
Symptom
Solution
DHCPv6 overview
DHCPv6 address/prefix assignment
Rapid assignment involving two messages
Assignment involving four messages
Address/prefix lease renewal
Stateless DHCPv6
Protocols and standards
Configuring the DHCPv6 server
Overview
IPv6 address assignment
IPv6 prefix assignment
Concepts
DHCPv6 address pool
IPv6 address/prefix allocation sequence
Configuration task list
Configuring IPv6 prefix assignment
Configuration guidelines
Configuration procedure
Configuring IPv6 address assignment
Configuration guidelines
Configuration procedure
Configuring network parameters assignment
Configuring network parameters in a DHCPv6 address pool
Configuring network parameters in a DHCPv6 option group
Configuring a DHCPv6 policy for IPv6 address and prefix assignment
Configuring the DHCPv6 server on an interface
Configuration guidelines
Configuration procedure
Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 server
Configuring DHCPv6 binding auto backup
Advertising subnets assigned to clients
Enabling DHCPv6 logging on the DHCPv6 server
Displaying and maintaining the DHCPv6 server
DHCPv6 server configuration examples
Dynamic IPv6 prefix assignment configuration example
Dynamic IPv6 address assignment configuration example
Configuring the DHCPv6 relay agent
Overview
DHCPv6 relay agent configuration task list
Enabling the DHCPv6 relay agent on an interface
Specifying DHCPv6 servers on the relay agent
Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 relay agent
Specifying a padding mode for the Interface-ID option
Configuring a DHCPv6 relay address pool
Specifying a gateway address for DHCPv6 clients
Displaying and maintaining the DHCPv6 relay agent
DHCPv6 relay agent configuration example
Network requirements
Configuration procedure
Verifying the configuration
Configuring the DHCPv6 client
Overview
Configuration restrictions and guidelines
DHCPv6 client configuration task list
Configuring IPv6 address acquisition
Configuring IPv6 prefix acquisition
Configuring IPv6 address and prefix acquisition
Configuring stateless DHCPv6
Configuring the DHCPv6 client DUID
Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 client
Displaying and maintaining DHCPv6 client
Configuring DHCPv6 snooping
Overview
Application of trusted and untrusted ports
Command and hardware compatibility
H3C implementation of Option 18 and Option 37
Option 18 for DHCPv6 snooping
DHCPv6 snooping support for Option 37
DHCPv6 snooping configuration task list
Configuring basic DHCPv6 snooping
Configuring Option 18 and Option 37
Configuring DHCPv6 snooping entry auto backup
Setting the maximum number of DHCPv6 snooping entries
Enabling DHCPv6-REQUEST check
Configuring DHCPv6 packet rate limit
Configuring a DHCPv6 packet blocking port
Enabling DHCPv6 snooping logging
Displaying and maintaining DHCPv6 snooping
DHCPv6 snooping configuration example
Network requirements
Configuration procedure
Verifying the configuration
Configuring GRE
Overview
GRE encapsulation format
GRE tunnel operating principle
GRE security mechanisms
GRE application scenarios
Protocols and standards
Configuring a GRE/IPv4 tunnel
Configuration guidelines
Configuration procedure
Configuring a GRE/IPv6 tunnel
Configuration guidelines
Configuration procedure
Displaying and maintaining GRE
GRE configuration examples
Configuring an IPv4 over IPv4 GRE tunnel
Configuring an IPv4 over IPv6 GRE tunnel
Troubleshooting GRE
Symptom
Analysis
Solution
Index

Configuring ARP

Overview

ARP resolves IP addresses into MAC addresses on Ethernet networks.

ARP message format

ARP uses two types of messages: ARP request and ARP reply. Figure 1 shows the format of ARP request/reply messages. Numbers in the figure refer to field lengths.

Figure 1 ARP message format (figure not reproduced; the fields are listed below)

·     Hardware type—Hardware address type. The value 1 represents Ethernet.

·     Protocol type—Type of the protocol address to be mapped. The hexadecimal value 0x0800 represents IP.

·     Hardware address length and protocol address length—Length, in bytes, of a hardware address and a protocol address. For an Ethernet address, the value of the hardware address length field is 6. For an IPv4 address, the value of the protocol address length field is 4.

·     OP—Operation code, which describes the type of ARP message. The value 1 represents an ARP request, and the value 2 represents an ARP reply.

·     Sender hardware address—Hardware address of the device sending the message.

·     Sender protocol address—Protocol address of the device sending the message.

·     Target hardware address—Hardware address of the device to which the message is being sent.

·     Target protocol address—Protocol address of the device to which the message is being sent.

ARP operating mechanism

As shown in Figure 2, Host A and Host B are on the same subnet. Host A sends a packet to Host B as follows:

1.     Host A looks through the ARP table for an ARP entry for Host B. If one entry is found, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame. Then Host A sends the frame to Host B.

2.     If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request. The payload of the ARP request contains the following information:

◦     Sender IP address and sender MAC address—Host A's IP address and MAC address.

◦     Target IP address—Host B's IP address.

◦     Target MAC address—An all-zero MAC address.

All hosts on this subnet can receive the broadcast request, but only the requested host (Host B) processes the request.

3.     Host B compares its own IP address with the target IP address in the ARP request. If they are the same, Host B operates as follows:

a.     Adds the sender IP address and sender MAC address into its ARP table.

b.     Encapsulates its MAC address into an ARP reply.

c.     Unicasts the ARP reply to Host A.

4.     After receiving the ARP reply, Host A operates as follows:

a.     Adds the MAC address of Host B into its ARP table.

b.     Encapsulates the MAC address into the packet and sends the packet to Host B.

Figure 2 ARP address resolution process (figure not reproduced; the steps are described above)

If Host A and Host B are on different subnets, Host A sends a packet to Host B as follows:

1.     Host A broadcasts an ARP request where the target IP address is the IP address of the gateway.

2.     The gateway responds with its MAC address in an ARP reply to Host A.

3.     Host A uses the gateway's MAC address to encapsulate the packet, and then sends the packet to the gateway.

4.     If the gateway has an ARP entry for Host B, it forwards the packet to Host B directly. If not, the gateway broadcasts an ARP request, in which the target IP address is the IP address of Host B.

5.     After the gateway gets the MAC address of Host B, it sends the packet to Host B.
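The ARP message format and the same-subnet resolution steps above, as an added Python example that is not part of the original guide: it encodes the 28-byte request Host A broadcasts (all-zero target MAC), lets the receiving host answer only when the target IP address is its own, and decodes the reply, rejecting messages whose hardware type, protocol type or lengths do not match Ethernet/IPv4 ARP. All addresses are constructed sample values.

```python
import struct
from ipaddress import IPv4Address
from typing import Optional

# Field values as described for the ARP message format.
HW_TYPE_ETHERNET = 1
PROTO_TYPE_IPV4 = 0x0800
HW_ADDR_LEN = 6
PROTO_ADDR_LEN = 4
OP_REQUEST = 1
OP_REPLY = 2
ZERO_MAC = "00:00:00:00:00:00"

# Network byte order: hardware type (2), protocol type (2), hardware address
# length (1), protocol address length (1), OP (2), sender MAC (6),
# sender IP (4), target MAC (6), target IP (4) = 28 bytes.
ARP_FORMAT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FORMAT)


def mac_to_bytes(mac: str) -> bytes:
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != HW_ADDR_LEN:
        raise ValueError(f"bad MAC address: {mac}")
    return raw


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Encode one ARP message (request or reply) as a 28-byte payload."""
    return struct.pack(ARP_FORMAT, HW_TYPE_ETHERNET, PROTO_TYPE_IPV4,
                       HW_ADDR_LEN, PROTO_ADDR_LEN, op,
                       mac_to_bytes(sender_mac), IPv4Address(sender_ip).packed,
                       mac_to_bytes(target_mac), IPv4Address(target_ip).packed)


def build_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    # Step 2 of the resolution process: Host A knows only Host B's IP address,
    # so the target MAC address is all zeros and the frame is broadcast.
    return build_arp(OP_REQUEST, sender_mac, sender_ip, ZERO_MAC, target_ip)


def parse_arp(payload: bytes) -> dict:
    """Decode an ARP payload, rejecting anything that is not Ethernet/IPv4 ARP."""
    if len(payload) < ARP_LEN:
        raise ValueError("truncated ARP message")
    (hw_type, proto_type, hw_len, proto_len, op,
     smac, sip, tmac, tip) = struct.unpack(ARP_FORMAT, payload[:ARP_LEN])
    if hw_type != HW_TYPE_ETHERNET or proto_type != PROTO_TYPE_IPV4:
        raise ValueError(f"unsupported hardware/protocol type {hw_type}/{proto_type:#06x}")
    if hw_len != HW_ADDR_LEN or proto_len != PROTO_ADDR_LEN:
        raise ValueError(f"unexpected address lengths {hw_len}/{proto_len}")
    if op not in (OP_REQUEST, OP_REPLY):
        raise ValueError(f"unknown OP {op}")
    return {
        "op": op,
        "sender_mac": bytes_to_mac(smac),
        "sender_ip": str(IPv4Address(sip)),
        "target_mac": bytes_to_mac(tmac),
        "target_ip": str(IPv4Address(tip)),
    }


def answer_request(request: bytes, own_ip: str, own_mac: str) -> Optional[bytes]:
    """Step 3: only the host whose IP address matches the target IP address replies."""
    req = parse_arp(request)
    if req["op"] != OP_REQUEST or req["target_ip"] != own_ip:
        return None  # not a request for this host: ignore it
    # The reply carries our MAC as sender hardware address and is unicast
    # back to the requester (its MAC and IP become the target fields).
    return build_arp(OP_REPLY, own_mac, own_ip, req["sender_mac"], req["sender_ip"])


if __name__ == "__main__":
    # Constructed sample: Host A 192.168.1.10 resolves Host B 192.168.1.20.
    request = build_request("00:00:5e:00:53:0a", "192.168.1.10", "192.168.1.20")
    print("request:", parse_arp(request))
    print("host C ignores it:", answer_request(request, "192.168.1.30", "00:00:5e:00:53:1e"))
    reply = answer_request(request, "192.168.1.20", "00:00:5e:00:53:14")
    print("reply:", parse_arp(reply))
```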

ARP table

An ARP table stores dynamic and static ARP entries.

Dynamic ARP entry

ARP automatically creates and updates dynamic entries. A dynamic ARP entry is removed when its aging timer expires or the output interface goes down. In addition, a dynamic ARP entry can be overwritten by a static ARP entry.

Static ARP entry

A static ARP entry is manually configured and maintained. It does not age out and cannot be overwritten by any dynamic ARP entry.

Static ARP entries protect communication between devices because attack packets cannot modify the IP-to-MAC mapping in a static ARP entry.

The device supports the following types of static ARP entries:

·     Long static ARP entry—It contains the IP address, MAC address, VLAN, and output interface.

A long static ARP entry is directly used for forwarding packets.

·     Short static ARP entry—It contains only the IP address and MAC address.

◦     If the output interface is a Layer 3 Ethernet interface, the short ARP entry can be directly used to forward packets.

◦     If the output interface is a VLAN interface, the device sends an ARP request whose target IP address is the IP address in the short entry. If the sender IP and MAC addresses in the received ARP reply match the short static ARP entry, the device performs the following operations:

-     Adds the interface that received the ARP reply to the short static ARP entry.

-     Uses the resolved short static ARP entry to forward IP packets.

To communicate with a host by using a fixed IP-to-MAC mapping, configure a short static ARP entry on the device. To communicate with a host by using a fixed IP-to-MAC mapping through an interface in a VLAN, configure a long static ARP entry on the device.

Command and hardware compatibility

The WX1800H series access controllers do not support the slot keyword or the slot-number argument.

Configuring a static ARP entry

A static ARP entry is effective when the device functions correctly. If a VLAN or VLAN interface is deleted, long static ARP entries in the VLAN are deleted, and resolved short static ARP entries in the VLAN become unresolved.

A resolved short static ARP entry becomes unresolved upon certain events. For example, it becomes unresolved when the resolved output interface goes down.

A long static ARP entry is ineffective in either of the following situations:

·     The IP address in the entry conflicts with a local IP address.

·     No local interface has an IP address in the same subnet as the IP address in the ARP entry.

To configure a static ARP entry:

1. Enter system view.
   Command: system-view

2. Configure a static ARP entry.
   Command (long static ARP entry): arp static ip-address mac-address [ vlan-id interface-type interface-number ]
   Command (short static ARP entry): arp static ip-address mac-address
   Remarks: By default, no static ARP entry is configured.

Setting the maximum number of dynamic ARP entries for a device

A device can dynamically learn ARP entries. To prevent a device from holding too many ARP entries, you can set the maximum number of dynamic ARP entries that the device can learn. When the maximum number is reached, the device stops learning ARP entries.

If you set a value lower than the number of existing dynamic ARP entries, the device does not remove the existing entries unless they are aged out.

To set the maximum number of dynamic ARP entries for a device:

1. Enter system view.
   Command: system-view

2. Set the maximum number of dynamic ARP entries for the device.
   Command: arp max-learning-number number slot slot-number
   Remarks: By default, the maximum number of dynamic ARP entries varies by device model. For more information, see Layer 3—IP Services Command Reference. To disable the device from learning dynamic ARP entries, set the number to 0.

Setting the maximum number of dynamic ARP entries for an interface

An interface can dynamically learn ARP entries. To prevent an interface from holding too many ARP entries, you can set the maximum number of dynamic ARP entries that the interface can learn. When the maximum number is reached, the interface stops learning ARP entries.

You can set limits for both a Layer 2 interface and the VLAN interface for a permitted VLAN on the Layer 2 interface. The Layer 2 interface learns an ARP entry only when neither limit is reached.

To set the maximum number of dynamic ARP entries for an interface:

1. Enter system view.
   Command: system-view

2. Enter interface view.
   Command: interface interface-type interface-number

3. Set the maximum number of dynamic ARP entries for the interface.
   Command: arp max-learning-num number
   Remarks: By default, the maximum number of dynamic ARP entries varies by device model. For more information, see Layer 3—IP Services Command Reference. To disable the interface from learning dynamic ARP entries, set the number to 0.

Setting the aging timer for dynamic ARP entries

Each dynamic ARP entry in the ARP table has a limited lifetime, called an aging timer. The aging timer of a dynamic ARP entry is reset each time the dynamic ARP entry is updated. A dynamic ARP entry that is not updated before its aging timer expires is deleted from the ARP table.

To set the aging timer for dynamic ARP entries:

1. Enter system view.
   Command: system-view

2. Set the aging timer for dynamic ARP entries.
   Command: arp timer aging aging-time
   Remarks: The default setting is 20 minutes.

Enabling dynamic ARP entry check

The dynamic ARP entry check feature prevents the device from supporting ARP entries that contain multicast MAC addresses. With the feature enabled, the device cannot learn dynamic ARP entries containing multicast MAC addresses, and you cannot manually add static ARP entries containing multicast MAC addresses.

When dynamic ARP entry check is disabled, ARP entries containing multicast MAC addresses are supported. The device can learn dynamic ARP entries containing multicast MAC addresses from ARP packets sourced from a unicast MAC address, and you can manually add static ARP entries containing multicast MAC addresses.

To enable dynamic ARP entry check:

1. Enter system view.
   Command: system-view

2. Enable dynamic ARP entry check.
   Command: arp check enable
   Remarks: By default, dynamic ARP entry check is enabled.
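The ARP table behaviour described from "ARP table" through "Enabling dynamic ARP entry check", as an added Python simulation that is not part of the original guide: static entries never age out and cannot be overwritten by dynamic learning, a static entry overwrites a dynamic one, each update resets the aging timer, a new dynamic entry is accepted only when neither the device-wide nor the per-interface learning limit is reached (lowering a limit never evicts existing entries), a dynamic entry disappears when its output interface goes down, and with dynamic ARP entry check enabled no entry with a multicast MAC is accepted. It collapses the guide's Layer 2 interface / VLAN interface pair of limits into one per-interface limit, and the class and method names are the example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_AGING_SECONDS = 20 * 60  # the guide's default aging timer is 20 minutes


def is_multicast_mac(mac: str) -> bool:
    # The I/G bit (least significant bit of the first octet) marks a group address.
    return bool(int(mac.split(":")[0], 16) & 0x01)


@dataclass
class ArpEntry:
    ip: str
    mac: str
    interface: str
    static: bool
    expires_at: Optional[float]  # None for static entries, which never age out


class ArpTable:
    def __init__(self, aging_seconds: float = DEFAULT_AGING_SECONDS,
                 max_dynamic: Optional[int] = None, check_enable: bool = True):
        self.aging = aging_seconds
        self.max_dynamic = max_dynamic          # device-wide limit, None = unlimited
        self.iface_limits: Dict[str, int] = {}  # per-interface limits
        self.check_enable = check_enable        # dynamic ARP entry check (multicast MACs)
        self.entries: Dict[str, ArpEntry] = {}

    def set_max_dynamic(self, n: Optional[int]) -> None:
        # Lowering the limit never evicts existing entries; they leave only by aging.
        self.max_dynamic = n

    def set_interface_limit(self, interface: str, n: int) -> None:
        self.iface_limits[interface] = n

    def dynamic_count(self, interface: Optional[str] = None) -> int:
        return sum(1 for e in self.entries.values()
                   if not e.static and (interface is None or e.interface == interface))

    def add_static(self, ip: str, mac: str, interface: str) -> None:
        if self.check_enable and is_multicast_mac(mac):
            raise ValueError("static ARP entry with a multicast MAC is not allowed")
        # A static entry replaces any dynamic entry for the same IP address.
        self.entries[ip] = ArpEntry(ip, mac, interface, True, None)

    def learn(self, ip: str, mac: str, interface: str, now: float) -> bool:
        """Learn or refresh a dynamic entry; False when the entry is not accepted."""
        if self.check_enable and is_multicast_mac(mac):
            return False
        current = self.entries.get(ip)
        if current is not None and current.static:
            return False  # a dynamic entry can never overwrite a static one
        if current is None:  # a brand-new entry must fit under both limits
            if self.max_dynamic is not None and self.dynamic_count() >= self.max_dynamic:
                return False
            limit = self.iface_limits.get(interface)
            if limit is not None and self.dynamic_count(interface) >= limit:
                return False
        # Creating or updating the entry resets its aging timer.
        self.entries[ip] = ArpEntry(ip, mac, interface, False, now + self.aging)
        return True

    def age(self, now: float) -> List[str]:
        """Remove dynamic entries whose aging timer has expired; return their IPs."""
        expired = [ip for ip, e in self.entries.items()
                   if not e.static and e.expires_at is not None and e.expires_at <= now]
        for ip in expired:
            del self.entries[ip]
        return expired

    def interface_down(self, interface: str) -> List[str]:
        """Output interface went down: its dynamic entries are removed, static ones stay."""
        gone = [ip for ip, e in self.entries.items()
                if not e.static and e.interface == interface]
        for ip in gone:
            del self.entries[ip]
        return gone

    def lookup(self, ip: str, now: float) -> Optional[str]:
        e = self.entries.get(ip)
        if e is None or (not e.static and e.expires_at is not None and e.expires_at <= now):
            return None
        return e.mac
```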

 

Enabling ARP logging

This feature enables a device to log ARP events when ARP cannot resolve IP addresses correctly. The device can log the following ARP events:

·     On a proxy ARP-disabled interface, the target IP address of a received ARP packet is not one of the following IP addresses:

◦     The IP address of the receiving interface.

◦     The public IP address after NAT.

·     The sender IP address of a received ARP reply conflicts with one of the following IP addresses:

◦     The IP address of the receiving interface.

◦     The public IP address after NAT.

The device sends ARP log messages to the information center. You can use the info-center source command to specify the log output rules for the information center. For more information about information center, see Network Management and Monitoring Configuration Guide.

To enable the ARP logging feature:

1. Enter system view.
   Command: system-view

2. Enable the ARP logging feature.
   Command: arp check log enable
   Remarks: By default, ARP logging is disabled.

Displaying and maintaining ARP

IMPORTANT:

Clearing ARP entries from the ARP table might cause communication failures. Make sure the entries to be cleared do not affect current communications.

Execute display commands in any view and reset commands in user view.

Task: Display ARP entries.
Command: display arp [ [ all | dynamic | static ] [ slot slot-number ] | vlan vlan-id | interface interface-type interface-number ] [ count | verbose ]

Task: Display the ARP entry for an IP address.
Command: display arp ip-address [ slot slot-number ] [ verbose ]

Task: Display the aging timer of dynamic ARP entries.
Command: display arp timer aging

Task: Clear ARP entries from the ARP table.
Command: reset arp { all | dynamic | interface interface-type interface-number | slot slot-number | static }


Configuring gratuitous ARP

Overview

In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device.

A device sends a gratuitous ARP packet for either of the following purposes:

·     Determine whether its IP address is already used by another device. If the IP address is already used, the device is informed of the conflict by an ARP reply.

·     Inform other devices of a MAC address change.

Gratuitous ARP packet learning

This feature enables a device to create or update ARP entries by using the sender IP and MAC addresses in received gratuitous ARP packets.

When this feature is disabled, the device uses received gratuitous ARP packets to update existing ARP entries only. ARP entries are not created based on the received gratuitous ARP packets, which saves ARP table space.

Periodic sending of gratuitous ARP packets

Enabling periodic sending of gratuitous ARP packets helps downstream devices update ARP entries or MAC entries in a timely manner.

This feature can implement the following functions:

·     Prevent gateway spoofing.

Gateway spoofing occurs when an attacker uses the gateway address to send gratuitous ARP packets to the hosts on a network. The traffic destined for the gateway from the hosts is sent to the attacker instead. As a result, the hosts cannot access the external network.

To prevent such gateway spoofing attacks, you can enable the gateway to send gratuitous ARP packets at intervals. Gratuitous ARP packets contain the primary IP address and manually configured secondary IP addresses of the gateway, so hosts can learn correct gateway information.

·     Prevent ARP entries from aging out.

If network traffic is heavy or if the host CPU usage is high, received ARP packets can be discarded or are not promptly processed. Eventually, the dynamic ARP entries on the receiving host age out. The traffic between the host and the corresponding devices is interrupted until the host re-creates the ARP entries.

To prevent this problem, you can enable the gateway to send gratuitous ARP packets periodically. Gratuitous ARP packets contain the primary IP address and manually configured secondary IP addresses of the gateway, so the receiving hosts can update ARP entries in a timely manner.

Configuration procedure

When you configure gratuitous ARP, follow these restrictions and guidelines:

·     You can enable periodic sending of gratuitous ARP packets on a maximum of 1024 interfaces.

·     Periodic sending of gratuitous ARP packets takes effect on an interface only when the following conditions are met:

◦     The data link layer state of the interface is up.

◦     The interface has an IP address.

·     If you change the sending interval for gratuitous ARP packets, the configuration takes effect at the next sending interval.

·     The sending interval for gratuitous ARP packets might be much longer than the specified sending interval in any of the following circumstances:

◦     This feature is enabled on multiple interfaces.

◦     Each interface is configured with multiple secondary IP addresses.

◦     A small sending interval is configured when the previous two conditions exist.

To configure gratuitous ARP:

1. Enter system view.
   Command: system-view

2. Enable learning of gratuitous ARP packets.
   Command: gratuitous-arp-learning enable
   Remarks: By default, learning of gratuitous ARP packets is enabled.

3. Enable the device to send gratuitous ARP packets upon receiving ARP requests whose sender IP address belongs to a different subnet.
   Command: gratuitous-arp-sending enable
   Remarks: By default, a device does not send gratuitous ARP packets upon receiving ARP requests whose sender IP address belongs to a different subnet.

4. Enter interface view.
   Command: interface interface-type interface-number

5. Enable periodic sending of gratuitous ARP packets.
   Command: arp send-gratuitous-arp [ interval milliseconds ]
   Remarks: By default, periodic sending of gratuitous ARP packets is disabled.

Enabling IP conflict notification

By default, if the sender IP address of an ARP packet is being used by the receiving device, the receiving device sends a gratuitous ARP request. It also displays an error message after it receives an ARP reply about the conflict.

You can use the arp ip-conflict log prompt command to enable the device to display an error message as soon as it detects the conflict, before it sends the gratuitous ARP request or reply used for conflict confirmation.

To enable IP conflict notification:

 

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable IP conflict notification. | arp ip-conflict log prompt | By default, IP conflict notification is disabled.
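
The two receiver-side behaviours described in this chapter (learning from gratuitous ARP packets, and flagging a conflict when another MAC address claims the device's own IP address) as an added Python model. This is example code written for this page, not H3C's implementation; the MAC and IP values are constructed.

```python
import struct

# Ethernet and ARP layouts (RFC 826 over Ethernet II); values below are constructed.
ETH_HDR = struct.Struct("!6s6sH")           # destination MAC, source MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_to_str(b):
    return ".".join(str(x) for x in b)


def build_gratuitous_arp(mac, ip):
    """Gratuitous ARP request as a gateway sends it periodically: sender and target protocol
    address are both the gateway's own IP, so every host on the segment refreshes its entry."""
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, 1, mac, ip_to_bytes(ip), b"\x00" * 6, ip_to_bytes(ip))
    return ETH_HDR.pack(BROADCAST, mac, ETHERTYPE_ARP) + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "sha": sha, "spa": ip_to_str(spa), "tha": tha, "tpa": ip_to_str(tpa)}


class ArpReceiver:
    """A host or gateway receiving ARP: keeps an ARP table, learns from gratuitous ARP only when
    learning is enabled, and logs an IP conflict when another MAC claims its own address."""

    def __init__(self, own_mac, own_ip, gratuitous_learning=True):
        self.own_mac = own_mac
        self.own_ip = own_ip
        self.gratuitous_learning = gratuitous_learning
        self.table = {}   # IP -> MAC
        self.log = []

    def process(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return "ignored"
        # IP conflict: the sender uses our IP address from a different MAC. Nothing is learned;
        # the device described in the guide would now confirm the conflict with a gratuitous ARP.
        if arp["spa"] == self.own_ip and arp["sha"] != self.own_mac:
            self.log.append("IP conflict: %s also used by %s" % (arp["spa"], arp["sha"].hex(":")))
            return "conflict"
        # Gratuitous ARP: sender and target IP are equal. Learned only when learning is enabled.
        if arp["spa"] == arp["tpa"]:
            if not self.gratuitous_learning:
                return "gratuitous-ignored"
            self.table[arp["spa"]] = arp["sha"]
            return "gratuitous-learned"
        # Ordinary request addressed to us, or any reply: learn the sender.
        if arp["oper"] == 2 or arp["tpa"] == self.own_ip:
            self.table[arp["spa"]] = arp["sha"]
            return "learned"
        return "not-for-us"


if __name__ == "__main__":
    gateway_mac, gateway_ip = bytes.fromhex("00aabbccddee"), "192.168.10.99"
    host = ArpReceiver(bytes.fromhex("001122334455"), "192.168.10.7")
    print(host.process(build_gratuitous_arp(gateway_mac, gateway_ip)), host.table)
    gateway = ArpReceiver(gateway_mac, gateway_ip)
    print(gateway.process(build_gratuitous_arp(bytes.fromhex("001122334455"), gateway_ip)), gateway.log)
```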

 


Configuring proxy ARP

Proxy ARP enables a device on one network to answer ARP requests for an IP address on another network. With proxy ARP, hosts on different broadcast domains can communicate with each other as they would on the same broadcast domain.

Proxy ARP includes common proxy ARP and local proxy ARP.

·     Common proxy ARP—Allows communication between hosts that connect to different Layer 3 interfaces and reside in different broadcast domains.

·     Local proxy ARP—Allows communication between hosts that connect to the same Layer 3 interface and reside in different broadcast domains.

Enabling common proxy ARP

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter interface view. | interface interface-type interface-number | The following interface types are supported: VLAN interface, Layer 3 Ethernet interface, and Layer 3 Ethernet subinterface.
3. Enable common proxy ARP. | proxy-arp enable | By default, common proxy ARP is disabled.

 

Enabling local proxy ARP

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter interface view. | interface interface-type interface-number | The following interface types are supported: VLAN interface, Layer 3 Ethernet interface, and Layer 3 Ethernet subinterface.
3. Enable local proxy ARP. | local-proxy-arp enable [ ip-range startIP to endIP ] | By default, local proxy ARP is disabled.

 

Displaying proxy ARP

Execute display commands in any view.

 

Task | Command
Display common proxy ARP status. | display proxy-arp [ interface interface-type interface-number ]
Display local proxy ARP status. | display local-proxy-arp [ interface interface-type interface-number ]

 

Common proxy ARP configuration example

Network requirements

As shown in Figure 3, Client 1 and Client 2 have the same IP prefix and mask, but they are located on different subnets separated by the switch. Client 1 belongs to VLAN 10, and Client 2 belongs to VLAN 20. No default gateway is configured on Client 1 and Client 2.

Configure common proxy ARP on the AC to enable communication between the two clients.

Figure 3 Network diagram

 

Configuration procedure

# Create VLAN 10 and VLAN 20.

<AC> system-view

[AC] vlan 10

[AC-vlan10] quit

[AC] vlan 20

[AC-vlan20] quit

# Configure the IP address of VLAN-interface 10.

[AC] interface vlan-interface 10

[AC-Vlan-interface10] ip address 192.168.10.99 255.255.255.0

# Enable common proxy ARP on VLAN-interface 10.

[AC-Vlan-interface10] proxy-arp enable

[AC-Vlan-interface10] quit

# Configure the IP address of VLAN-interface 20.

[AC] interface vlan-interface 20

[AC-Vlan-interface20] ip address 192.168.20.99 255.255.255.0

# Enable common proxy ARP on VLAN-interface 20.

[AC-Vlan-interface20] proxy-arp enable

Verifying the configuration

# Verify that Client 1 and Client 2 can ping each other.


Configuring ARP fast-reply

Overview

ARP fast-reply enables a device to directly answer ARP requests according to DHCP snooping entries. ARP fast-reply functions in a VLAN. For information about DHCP snooping, see "Configuring DHCP snooping."

If the target IP address of a received ARP request is the IP address of the VLAN interface, the device delivers the request to the ARP module. If not, the device takes the following steps to process the packet:

1.     Search the DHCP snooping table for a match by using the target IP address.

2.     If a match is found, whether the device returns a reply depends on the type of interface in the matching entry.

◦     If the interface is the Ethernet interface that received the ARP request, the device does not return any reply.

◦     If the interface is a wireless interface or an Ethernet interface other than the receiving interface, the device returns a reply according to the matching entry.

3.     If no matching DHCP snooping entry is found, the ARP request is forwarded to other interfaces except the receiving interface in the VLAN, or delivered to other modules.
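
The three-step decision above, as an added Python model (example code for this page, not H3C's implementation). The DHCP snooping entries, VLAN interface address and interface names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SnoopingEntry:
    """One DHCP snooping entry: client IP and MAC, plus the interface it was learned on."""
    ip: str
    mac: str
    interface: str       # constructed names such as "GE1/0/1" or "WLAN-BSS1/0/1"
    wireless: bool


@dataclass
class FastReplyVlan:
    vlan_id: int
    interface_ip: str                  # IP address of the VLAN interface
    entries: Dict[str, SnoopingEntry]  # DHCP snooping table keyed by client IP
    fast_reply: bool = True


def handle_arp_request(vlan: FastReplyVlan, target_ip: str, in_interface: str) -> Tuple[str, str]:
    """What the device does with one ARP request received in the VLAN.
    Returns (action, reply_mac): action is 'arp-module', 'reply', 'drop' or 'flood'."""
    if target_ip == vlan.interface_ip:
        return "arp-module", None        # request for the VLAN interface itself
    if not vlan.fast_reply:
        return "flood", None             # feature disabled: normal broadcast forwarding
    entry = vlan.entries.get(target_ip)  # step 1: look up the target IP in the snooping table
    if entry is None:
        return "flood", None             # step 3: no entry, forward to the other interfaces
    if not entry.wireless and entry.interface == in_interface:
        return "drop", None              # step 2: target sits behind the receiving Ethernet port
    return "reply", entry.mac            # step 2: wireless or other Ethernet interface, answer


def summarize(vlan: FastReplyVlan, requests: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count outcomes for a batch of (target_ip, receiving_interface) requests; the 'flood'
    count is the number of broadcasts the feature could not suppress."""
    counts = {"arp-module": 0, "reply": 0, "drop": 0, "flood": 0}
    for target_ip, in_interface in requests:
        counts[handle_arp_request(vlan, target_ip, in_interface)[0]] += 1
    return counts


if __name__ == "__main__":
    vlan2 = FastReplyVlan(2, "10.2.0.1", {
        "10.2.0.10": SnoopingEntry("10.2.0.10", "00:11:22:33:44:01", "GE1/0/1", False),
        "10.2.0.20": SnoopingEntry("10.2.0.20", "00:11:22:33:44:02", "WLAN-BSS1/0/1", True),
    })
    print(handle_arp_request(vlan2, "10.2.0.20", "GE1/0/1"))   # ('reply', '00:11:22:33:44:02')
```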

Configuration procedure

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter VLAN view. | vlan vlan-id | N/A
3. Enable ARP fast-reply. | arp fast-reply enable | By default, ARP fast-reply is disabled.

 

ARP fast-reply configuration example

Network requirements

As shown in Figure 4, all clients are in VLAN 2, and access the network through the switch. APs are connected to VLAN 2. They have obtained IP addresses through DHCP.

Enable ARP fast-reply for VLAN 2 so that, upon receiving an ARP request from a client, the AC directly returns an ARP reply instead of broadcasting the request to the other APs.

Figure 4 Network diagram

 

Configuration procedure

1.     Configure basic functions on the AC. For more information about the configuration, see WLAN Configuration Guide.

2.     Enable ARP fast-reply for VLAN 2 on the AC.

[AC] vlan 2

[AC-vlan2] arp fast-reply enable

[AC-vlan2] quit


Configuring IP addressing

The IP addresses in this chapter refer to IPv4 addresses unless otherwise specified.

This chapter describes IP addressing basics and manual IP address assignment for interfaces. Dynamic IP address assignment (BOOTP and DHCP) and PPP address negotiation are beyond the scope of this chapter.

Overview

This section describes the IP addressing basics.

IP addressing uses a 32-bit address to identify each host on an IPv4 network. To make addresses easier to read, they are written in dotted decimal notation, each address being four octets in length. For example, address 00001010000000010000000100000001 in binary is written as 10.1.1.1.

IP address classes

Each IP address breaks down into the following sections:

·     Net ID—Identifies a network. The first several bits of a net ID, known as the class field or class bits, identify the class of the IP address.

·     Host ID—Identifies a host on a network.

IP addresses are divided into five classes, as shown in Figure 5. The shaded areas represent the address class. The first three classes are most commonly used.

Figure 5 IP address classes

 

Table 1 IP address classes and ranges

Class | Address range | Remarks
A | 0.0.0.0 to 127.255.255.255 | The IP address 0.0.0.0 is used by a host at startup for temporary communication. This address is never a valid destination address. Addresses starting with 127 are reserved for loopback test. Packets destined to these addresses are processed locally as input packets rather than sent to the link.
B | 128.0.0.0 to 191.255.255.255 | N/A
C | 192.0.0.0 to 223.255.255.255 | N/A
D | 224.0.0.0 to 239.255.255.255 | Multicast addresses.
E | 240.0.0.0 to 255.255.255.255 | Reserved for future use, except for the broadcast address 255.255.255.255.

 

Special IP addresses

The following IP addresses are for special use and cannot be used as host IP addresses:

·     IP address with an all-zero net ID—Identifies a host on the local network. For example, IP address 0.0.0.16 indicates the host with a host ID of 16 on the local network.

·     IP address with an all-zero host ID—Identifies a network.

·     IP address with an all-one host ID—Identifies a directed broadcast address. For example, a packet with the destination address of 192.168.1.255 will be broadcast to all the hosts on the network 192.168.1.0.

Subnetting and masking

Subnetting divides a network into smaller networks called subnets by using some bits of the host ID to create a subnet ID.

Masking identifies the boundary between the host ID and the combination of net ID and subnet ID.

Each subnet mask comprises 32 bits that correspond to the bits in an IP address. In a subnet mask, consecutive ones represent the net ID and subnet ID, and consecutive zeros represent the host ID.

Before being subnetted, Class A, B, and C networks use these default masks (also called natural masks): 255.0.0.0, 255.255.0.0, and 255.255.255.0, respectively.

Figure 6 Subnetting a Class B network

 

Subnetting increases the number of addresses that cannot be assigned to hosts. Therefore, using subnets means accommodating fewer hosts.

For example, a Class B network without subnetting can accommodate 1022 more hosts than the same network subnetted into 512 subnets.

·     Without subnetting—65534 (2^16 – 2) hosts. (The two deducted addresses are the broadcast address, which has an all-one host ID, and the network address, which has an all-zero host ID.)

·     With subnetting—Using the first nine bits of the host ID for subnetting provides 512 (2^9) subnets. However, only seven bits remain available for the host ID. This allows 126 (2^7 – 2) hosts in each subnet, a total of 64512 (512 × 126) hosts.
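
The address classification, the special addresses and the Class B subnetting arithmetic above, worked in Python as an added example (not from the guide). The functions assume the natural mask of the address class whenever no prefix length is given.

```python
import ipaddress

# Natural (default) mask lengths of the three unicast classes.
NATURAL_PREFIX = {"A": 8, "B": 16, "C": 24}


def dotted_from_binary(bits):
    """Convert a 32-digit binary string to dotted decimal notation, one octet per 8 bits."""
    if len(bits) != 32 or set(bits) - {"0", "1"}:
        raise ValueError("expected 32 binary digits")
    return ".".join(str(int(bits[i:i + 8], 2)) for i in range(0, 32, 8))


def address_class(ip):
    """Class A to E from the first octet (the class bits at the start of the net ID)."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "D" if first < 240 else "E"


def describe(ip, prefix=None):
    """Name the special-use category of an address (Table 1 and the special addresses list),
    or return 'host' when the address may be assigned to a host."""
    addr = int(ipaddress.IPv4Address(ip))
    cls = address_class(ip)
    if addr == 0:
        return "startup-temporary"      # 0.0.0.0, never a valid destination
    if addr == 0xFFFFFFFF:
        return "limited-broadcast"      # 255.255.255.255
    if addr >> 24 == 127:
        return "loopback"
    if cls == "D":
        return "multicast"
    if cls == "E":
        return "reserved"
    if prefix is None:
        prefix = NATURAL_PREFIX[cls]    # assumption: natural mask unless told otherwise
    host_bits = 32 - prefix
    net_id, host_id = addr >> host_bits, addr & ((1 << host_bits) - 1)
    if net_id == 0:
        return "local-network-host"     # e.g. 0.0.0.16: host 16 on the local network
    if host_id == 0:
        return "network"
    if host_id == (1 << host_bits) - 1:
        return "directed-broadcast"     # e.g. 192.168.1.255 for 192.168.1.0/24
    return "host"


def subnet_capacity(cls, subnet_bits):
    """(subnets, hosts per subnet, total hosts) when subnet_bits of the host ID become a subnet ID.
    Two addresses per subnet are excluded: the network address and the directed broadcast."""
    host_bits = 32 - NATURAL_PREFIX[cls] - subnet_bits
    if host_bits < 2:
        raise ValueError("at least two host bits are needed for assignable addresses")
    subnets = 1 << subnet_bits
    hosts = (1 << host_bits) - 2
    return subnets, hosts, subnets * hosts


if __name__ == "__main__":
    print(dotted_from_binary("00001010000000010000000100000001"))   # 10.1.1.1
    print(subnet_capacity("B", 0), subnet_capacity("B", 9))         # (1, 65534, 65534) (512, 126, 64512)
```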

Assigning an IP address to an interface

An interface must have an IP address to communicate with other hosts. You can either manually assign an IP address to an interface, or configure the interface to obtain an IP address through BOOTP, DHCP, or PPP address negotiation. If you change the IP address assignment method, the new IP address will overwrite the previous address.

An interface can have one primary address and multiple secondary addresses.

Typically, you need to configure a primary IP address for an interface. If the interface connects to multiple subnets, configure primary and secondary IP addresses on the interface so the subnets can communicate with each other through the interface.

Configuration guidelines

Follow these guidelines when you assign an IP address to an interface:

·     An interface can have only one primary IP address. A newly configured primary IP address overwrites the previous one.

·     You cannot assign secondary IP addresses to an interface that obtains an IP address through BOOTP, DHCP, or PPP address negotiation.

·     The primary and secondary IP addresses assigned to the interface can be located on the same network segment. Different interfaces on your device must reside on different network segments.

Configuration procedure

To assign an IP address to an interface:

 

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter interface view. | interface interface-type interface-number | N/A
3. Assign an IP address to the interface. | ip address ip-address { mask | mask-length } [ sub ] | By default, no IP address is assigned to the interface.

 

Displaying and maintaining IP addressing

Execute display commands in any view.

 

Task | Command
Display IP configuration and statistics for the specified or all Layer 3 interfaces. | display ip interface [ interface-type interface-number ]
Display brief IP configuration for Layer 3 interfaces. | display ip interface [ interface-type [ interface-number ] ] brief [ description ]

 


DHCP overview

The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices.

Figure 7 shows a typical DHCP application scenario where the DHCP clients and the DHCP server reside on the same subnet. The DHCP clients can also obtain configuration parameters from a DHCP server on another subnet through a DHCP relay agent. For more information about the DHCP relay agent, see "Configuring the DHCP relay agent."

Figure 7 A typical DHCP application

 

DHCP address allocation

Allocation mechanisms

DHCP supports the following allocation mechanisms:

·     Static allocation—The network administrator assigns an IP address to a client, such as a WWW server, and DHCP conveys the assigned address to the client.

·     Automatic allocation—DHCP assigns a permanent IP address to a client.

·     Dynamic allocation—DHCP assigns an IP address to a client for a limited period of time, which is called a lease. Most DHCP clients obtain their addresses in this way.

IP address allocation process

Figure 8 IP address allocation process

 

As shown in Figure 8, a DHCP server assigns an IP address to a DHCP client in the following process:

1.     The client broadcasts a DHCP-DISCOVER message to locate a DHCP server.

2.     Each DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message. The sending mode of the DHCP-OFFER is determined by the flag field in the DHCP-DISCOVER message. For more information, see "DHCP message format."

3.     If the client receives multiple offers, it accepts the first offer it received and broadcasts a DHCP-REQUEST message to formally request the offered IP address. (IP addresses offered by other DHCP servers can be assigned to other clients.)

4.     All DHCP servers receive the DHCP-REQUEST message. However, only the server selected by the client performs one of the following operations:

◦     Returns a DHCP-ACK message to confirm that the IP address has been allocated to the client.

◦     Returns a DHCP-NAK message to deny the IP address allocation.

After receiving the DHCP-ACK message, the client verifies the following details before using the assigned IP address:

·     The assigned IP address is not in use. To verify this, the client broadcasts a gratuitous ARP packet. The assigned IP address is not in use if no response is received within the specified time.

·     The assigned IP address is not on the same subnet as any IP address in use on the client.

Otherwise, the client sends a DHCP-DECLINE message to the server to request an IP address again.

IP address lease extension

A dynamically assigned IP address has a lease. When the lease expires, the IP address is reclaimed by the DHCP server. To continue using the IP address, the client must extend the lease duration.

When about half of the lease duration elapses, the DHCP client unicasts a DHCP-REQUEST to the DHCP server to extend the lease. Depending on the availability of the IP address, the DHCP server returns one of the following messages:

·     A DHCP-ACK unicast confirming that the client's lease duration has been extended.

·     A DHCP-NAK unicast denying the request.

If the client receives no reply, it broadcasts another DHCP-REQUEST message for lease extension when about seven-eighths of the lease duration elapses. Again, depending on the availability of the IP address, the DHCP server returns either a DHCP-ACK unicast or a DHCP-NAK unicast.

DHCP message format

Figure 9 shows the DHCP message format. DHCP uses some of the fields in significantly different ways. The numbers in parentheses indicate the size of each field in bytes.

Figure 9 DHCP message format

 

·     op—Message type defined in options field. 1 = REQUEST, 2 = REPLY.

·     htype, hlen—Hardware address type and length of the DHCP client.

·     hops—Number of relay agents a request message traveled.

·     xid—Transaction ID, a random number chosen by the client to identify an IP address allocation.

·     secs—Filled in by the client, the number of seconds elapsed since the client began the address acquisition or renewal process. This field is reserved and set to 0.

·     flags—The leftmost bit is defined as the BROADCAST (B) flag. If this flag is set to 0, the DHCP server sends its reply by unicast. If this flag is set to 1, the DHCP server sends its reply by broadcast. The remaining bits of the flags field are reserved for future use.

·     ciaddr—Client IP address if the client has an IP address that is valid and usable. Otherwise, set to zero. (The client does not use this field to request an IP address to lease.)

·     yiaddr—Your IP address. It is an IP address assigned by the DHCP server to the DHCP client.

·     siaddr—Server IP address, from which the client obtained configuration parameters.

·     giaddr—Gateway IP address. It is the IP address of the first relay agent to which a request message travels.

·     chaddr—Client hardware address.

·     sname—Server host name, from which the client obtained configuration parameters.

·     file—Boot file (also called system software image) name and path information, defined by the server to the client.

·     options—Optional parameters field that is variable in length. Optional parameters include the message type, lease duration, subnet mask, domain name server IP address, and WINS IP address.

DHCP options

For compatibility with BOOTP, DHCP keeps the BOOTP message format and extends it through the options field. DHCP uses the options field to carry information for dynamic address allocation and to provide additional configuration information for clients.

Figure 10 DHCP option format

 

DHCP server's DHCP options

The following are DHCP server's DHCP options:

·     Option 3—Router option. It specifies the gateway address.

·     Option 6—DNS server option. It specifies the DNS server's IP address.

·     Option 33—Static route option. It specifies a list of classful static routes (the destination addresses in these static routes are classful) that a client should add into its routing table. If both Option 33 and Option 121 exist, Option 33 is ignored.

·     Option 51—IP address lease option.

·     Option 53—DHCP message type option. It identifies the type of the DHCP message.

·     Option 55—Parameter request list option. It is used by a DHCP client to request specified configuration parameters. The option includes values that correspond to the parameters requested by the client.

·     Option 60—Vendor class identifier option. A DHCP client uses this option to identify its vendor. A DHCP server uses this option to distinguish DHCP clients, and assigns IP addresses to them.

·     Option 66—TFTP server name option. It specifies a TFTP server to be assigned to the client.

·     Option 67—Boot file name option. It specifies the boot file name to be assigned to the client.

·     Option 121—Classless route option. It specifies a list of classless static routes (the destination addresses in these static routes are classless) that a client should add into its routing table. If both Option 33 and Option 121 exist, Option 33 is ignored.

·     Option 150—TFTP server IP address option. It specifies the TFTP server IP address to be assigned to the client.

For more information about DHCP options, see RFC 2132 and RFC 3442.

Custom DHCP options

Some options, such as Option 43, Option 82, and Option 184, have no standard definitions in RFC 2132.

Vendor-specific option (Option 43)

DHCP servers and clients use Option 43 to exchange vendor-specific configuration information.

The DHCP client can obtain the following information through Option 43:

·     ACS parameters, including the ACS URL, username, and password.

·     Service provider identifier, which the CPE acquires from the DHCP server and sends to the ACS for selecting vendor-specific configurations and parameters.

·     PXE server address, which is used to obtain the boot file or other control information from the PXE server.

·     AC address, which is used by an AP to obtain the boot file or other control information from the AC.

1.     Format of Option 43:

Figure 11 Option 43 format

 

Network configuration parameters are carried in different sub-options of Option 43 as shown in Figure 11.

◦     Sub-option type—The field value can be 0x01 (ACS parameter sub-option), 0x02 (service provider identifier sub-option), or 0x80 (PXE server address sub-option).

◦     Sub-option length—Excludes the sub-option type and sub-option length fields.

◦     Sub-option value—The value format varies by sub-option.

2.     Sub-option value field formats:

◦     ACS parameter sub-option value field—Includes the ACS URL, username, and password separated by spaces (0x20) as shown in Figure 12.

Figure 12 ACS parameter sub-option value field

◦     Service provider identifier sub-option value field—Includes the service provider identifier.

◦     PXE server address sub-option value field—Includes the PXE server type that can only be 0, the server number that indicates the number of PXE servers contained in the sub-option, and server IP addresses, as shown in Figure 13.

Figure 13 PXE server address sub-option value field

 

Relay agent option (Option 82)

Option 82 is the relay agent option. It records the location information about the DHCP client. When a DHCP relay agent receives a client's request, it adds Option 82 to the request and sends it to the server.

The administrator can use Option 82 to locate the DHCP client and further implement security control and accounting. The DHCP server can use Option 82 to provide individual configuration policies for the clients.

Option 82 can include a maximum of 255 sub-options and must include a minimum of one sub-option. Option 82 supports two sub-options: sub-option 1 (Circuit ID) and sub-option 2 (Remote ID). Option 82 has no standard definition. Its padding formats vary by vendor.

·     Circuit ID has the following padding modes:

◦     String padding mode—Includes a character string specified by the user.

◦     Normal padding mode—Includes the VLAN ID and interface number of the interface that receives the client's request.

◦     Verbose padding mode—Includes the access node identifier specified by the user, and the VLAN ID, interface number and interface type of the interface that receives the client's request.

·     Remote ID has the following padding modes:

◦     String padding mode—Includes a character string specified by the user.

◦     Normal padding mode—Includes the MAC address of the DHCP relay agent interface that receives the client's request.

◦     Sysname padding mode—Includes the device name of the device. To set the device name for the device, use the sysname command in system view.
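
A decoder for the DHCP message format, the server options (3, 6, 33, 51, 53, 121), the Option 43 sub-options and the Option 82 sub-options described in the preceding sections, as an added Python example (not from the guide or an H3C implementation). The sample DHCP-OFFER it builds is constructed for the demonstration; it is shown as having crossed one relay agent, so hops is 1 and giaddr carries the relay's address, and the relay's Option 82 is echoed back by the server as RFC 3046 requires.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# Fixed BOOTP/DHCP header (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr,
# giaddr, chaddr, sname, file): 236 bytes, followed by the magic cookie and the options.
FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE", 5: "ACK", 6: "NAK", 7: "RELEASE"}
SUB82 = {1: "circuit_id", 2: "remote_id"}

def _ip(b):
    return str(IPv4Address(bytes(b)))

def _tlv(data):
    """Yield (code, value) pairs from a type-length-value sequence (options or sub-options)."""
    i = 0
    while i < len(data):
        code = data[i]
        if code == 255:  # end option
            return
        if code == 0:    # pad option has no length byte
            i += 1
            continue
        length = data[i + 1]
        yield code, data[i + 2:i + 2 + length]
        i += 2 + length

def decode_classless_routes(value):
    """Option 121 (RFC 3442): prefix length, only the significant destination octets, then router."""
    routes, i = [], 0
    while i < len(value):
        plen = value[i]
        n = (plen + 7) // 8
        dest = bytes(value[i + 1:i + 1 + n]).ljust(4, b"\x00")
        routes.append((str(IPv4Network((dest, plen), strict=False)), _ip(value[i + 1 + n:i + 5 + n])))
        i += 5 + n
    return routes

def decode_option43(value):
    """Sub-options named in the text: 0x01 ACS parameters, 0x02 service provider ID, 0x80 PXE servers."""
    out = {}
    for sub, v in _tlv(value):
        if sub == 0x01:
            url, user, password = v.decode().split(" ", 2)  # fields separated by spaces (0x20)
            out["acs"] = {"url": url, "username": user, "password": password}
        elif sub == 0x02:
            out["service_provider"] = v.decode()
        elif sub == 0x80:  # v[0] is the PXE server type (always 0), v[1] the number of servers
            out["pxe_servers"] = [_ip(v[2 + 4 * k:6 + 4 * k]) for k in range(v[1])]
    return out

def parse_dhcp(msg):
    (op, _htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, sname, file) = FIXED.unpack_from(msg, 0)
    if msg[FIXED.size:FIXED.size + 4] != MAGIC:
        raise ValueError("not a DHCP message: magic cookie missing")
    info = {"op": {1: "REQUEST", 2: "REPLY"}.get(op, op), "hops": hops, "xid": xid, "secs": secs,
            "broadcast": bool(flags & 0x8000),  # leftmost bit of flags is the B flag
            "ciaddr": _ip(ciaddr), "yiaddr": _ip(yiaddr), "siaddr": _ip(siaddr), "giaddr": _ip(giaddr),
            "chaddr": chaddr[:hlen].hex(":"), "sname": sname.rstrip(b"\x00").decode(),
            "file": file.rstrip(b"\x00").decode(), "options": {}}
    opts = info["options"]
    for code, v in _tlv(msg[FIXED.size + 4:]):
        if code == 53:
            opts["message_type"] = MSG_TYPES.get(v[0], v[0])
        elif code == 51:
            opts["lease"] = struct.unpack("!I", v)[0]
        elif code in (3, 6):
            opts[{3: "routers", 6: "dns_servers"}[code]] = [_ip(v[k:k + 4]) for k in range(0, len(v), 4)]
        elif code == 33:
            opts["static_routes"] = [(_ip(v[k:k + 4]), _ip(v[k + 4:k + 8])) for k in range(0, len(v), 8)]
        elif code == 121:
            opts["classless_routes"] = decode_classless_routes(v)
        elif code == 43:
            opts["vendor"] = decode_option43(v)
        elif code == 82:
            opts["relay_agent"] = {SUB82.get(s, s): bytes(x) for s, x in _tlv(v)}
        else:
            opts[code] = bytes(v)
    if "classless_routes" in opts:  # the text's rule: Option 33 is ignored when Option 121 exists
        opts.pop("static_routes", None)
    return info

def _opt(code, value):
    return bytes([code, len(value)]) + value

def build_sample_offer():
    """Constructed DHCP-OFFER (addresses, ACS URL and credentials are made up for this example)."""
    def a(ip):
        return IPv4Address(ip).packed
    header = FIXED.pack(2, 1, 6, 1, 0x3903F326, 0, 0x8000, a("0.0.0.0"), a("192.168.10.50"),
                        a("192.168.10.99"), a("192.168.10.1"),
                        bytes.fromhex("001122334455").ljust(16, b"\x00"), b"", b"")
    options = (_opt(53, b"\x02") + _opt(51, struct.pack("!I", 86400)) + _opt(3, a("192.168.10.99"))
               + _opt(6, a("192.168.10.53")) + _opt(33, a("10.0.0.0") + a("192.168.10.2"))
               + _opt(121, b"\x18\x0a\x00\x00" + a("192.168.10.2") + b"\x00" + a("192.168.10.99"))
               + _opt(43, _opt(0x01, b"http://acs.example.com:7547 cpe01 secret")
                      + _opt(0x80, b"\x00\x01" + a("192.168.10.200")))
               + _opt(82, _opt(1, b"\x00\x0a\x00\x01") + _opt(2, bytes.fromhex("00aabbccddee")))
               + b"\xff")
    return header + MAGIC + options
```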

Option 184

Option 184 is a reserved option. You can define the parameters in the option as needed. The device supports Option 184 carrying voice related parameters, so a DHCP client with voice functions can get voice parameters from the DHCP server.

Option 184 has the following sub-options:

·     Sub-option 1—Specifies the IP address of the primary network calling processor. The primary processor acts as the network calling control source and provides program download services. For Option 184, you must define sub-option 1 to make other sub-options take effect.

·     Sub-option 2—Specifies the IP address of the backup network calling processor. DHCP clients contact the backup processor when the primary one is unreachable.

·     Sub-option 3—Specifies the voice VLAN ID and whether the DHCP client uses this VLAN as the voice VLAN.

·     Sub-option 4—Specifies the failover route that includes the IP address and the number of the target user. A SIP VoIP user uses this IP address and number to directly establish a connection to the target SIP user when both the primary and backup calling processors are unreachable.

Protocols and standards

·     RFC 2131, Dynamic Host Configuration Protocol

·     RFC 2132, DHCP Options and BOOTP Vendor Extensions

·     RFC 1542, Clarifications and Extensions for the Bootstrap Protocol

·     RFC 3046, DHCP Relay Agent Information Option

·     RFC 3442, The Classless Static Route Option for Dynamic Host Configuration Protocol (DHCP) version 4


Configuring the DHCP server

Overview

The DHCP server is well suited to networks where:

·     Manual configuration and centralized management are difficult to implement.

·     IP addresses are limited. For example, an ISP limits the number of concurrent online users, and users must acquire IP addresses dynamically.

·     Most hosts do not need fixed IP addresses.

DHCP address pool

Each DHCP address pool has a group of assignable IP addresses and network configuration parameters. The DHCP server selects IP addresses and other parameters from the address pool and assigns them to the DHCP clients.

Address assignment mechanisms

Configure the following address assignment mechanisms as needed:

·     Static address allocation—Manually bind the MAC address or ID of a client to an IP address in a DHCP address pool. When the client requests an IP address, the DHCP server assigns the IP address in the static binding to the client.

·     Dynamic address allocation—Specify IP address ranges in a DHCP address pool. Upon receiving a DHCP request, the DHCP server dynamically selects an IP address from the matching IP address range in the address pool.

You can specify IP address ranges in an address pool by using either of the following methods:

·     Method 1—Specify a primary subnet in an address pool and divide the subnet into multiple address ranges. These address ranges include a DHCP server's IP address range and IP address ranges for DHCP user classes.

Upon receiving a DHCP request, the DHCP server finds a user class matching the client and selects an IP address in the address range of the user class for the client. A user class can include multiple matching rules, and a client matches the user class as long as it matches any of the rules. In address pool view, you can specify different address ranges for different user classes.

The DHCP server selects an IP address for a client by performing the following steps:

a.     The DHCP server compares the client against DHCP user classes in the order they are configured.

b.     If the client matches a user class, the DHCP server selects an IP address from the address range of the user class.

c.     If the matching user class has no assignable addresses, the DHCP server compares the client against the next user class. If all the matching user classes have no assignable addresses, the DHCP server selects an IP address from the DHCP server's address range.

d.     If the DHCP client does not match any DHCP user class, the DHCP server selects an address in the IP address range specified by the address range command. If the address range has no assignable IP addresses or it is not configured, the address allocation fails.

 

 

NOTE:

All address ranges must belong to the primary subnet. If an address range does not reside on the primary subnet, DHCP cannot assign the addresses in the address range.

 

·     Method 2—Specify a primary subnet and multiple secondary subnets in an address pool.

The DHCP server selects an IP address from the primary subnet first. If there is no assignable IP address on the primary subnet, the DHCP server selects an IP address from secondary subnets in the order they are configured.

Principles for selecting an address pool

The DHCP server observes the following principles to select an address pool for a client:

1.     If there is an address pool where an IP address is statically bound to the MAC address or ID of the client, the DHCP server selects this address pool and assigns the statically bound IP address and other configuration parameters to the client.

2.     If the receiving interface has an address pool applied, the DHCP server selects an IP address and other configuration parameters from this address pool.

3.     If no static address pool is configured and no address pool is applied to the receiving interface, the DHCP server selects an address pool depending on the client location.

◦     Client on the same subnet as the server—The DHCP server compares the IP address of the receiving interface with the primary subnets of all address pools.

-     If a match is found, the server selects the address pool with the longest-matching primary subnet.

-     If no match is found, the DHCP server compares the IP address with the secondary subnets of all address pools. The server selects the address pool with the longest-matching secondary subnet.

◦     Client on a different subnet than the server—The DHCP server compares the IP address in the giaddr field of the DHCP request with the primary subnets of all address pools.

-     If a match is found, the server selects the address pool with the longest-matching primary subnet.

-     If no match is found, the DHCP server compares the IP address with the secondary subnets of all address pools. The server selects the address pool with the longest-matching secondary subnet.

For example, two address pools 1.1.1.0/24 and 1.1.1.0/25 are configured but not applied to any DHCP server's interfaces.

·     If the IP address of the receiving interface is 1.1.1.1/25, the DHCP server selects the address pool 1.1.1.0/25. If the address pool has no available IP addresses, the DHCP server will not select the other pool and the address allocation will fail.

·     If the IP address of the receiving interface is 1.1.1.130/25, the DHCP server selects the address pool 1.1.1.0/24.

To ensure correct address allocation, keep the IP addresses used for dynamic allocation on one of the subnets:

·     Clients on the same subnet as the server—Subnet where the DHCP server receiving interface resides.

·     Clients on a different subnet than the server—Subnet where the first DHCP relay interface that faces the clients resides.
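
The pool selection principles above (static binding, pool applied to the interface, longest match on primary then secondary subnets, keyed by the receiving interface address or by giaddr) and the Method 1 user-class range selection (steps a to d), as one added Python model. This is example code for this page, not H3C's implementation; pool names, client identifiers and addresses are constructed, and the 1.1.1.0/24 versus 1.1.1.0/25 case is the one the text walks through.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List


@dataclass
class Pool:
    """One DHCP address pool: primary subnet, secondary subnets, static bindings, Method 1
    address ranges per user class, and the server's own range for unclassified clients."""
    name: str
    primary: IPv4Network
    secondaries: List[IPv4Network] = field(default_factory=list)
    static: Dict[str, IPv4Address] = field(default_factory=dict)              # client ID -> address
    class_ranges: Dict[str, List[IPv4Address]] = field(default_factory=dict)  # user class -> free
    server_range: List[IPv4Address] = field(default_factory=list)

    def misplaced_addresses(self):
        """Addresses outside the primary subnet can never be assigned (the NOTE in the text)."""
        ranges = list(self.class_ranges.values()) + [self.server_range]
        return [a for r in ranges for a in r if a not in self.primary]


def _longest_match(addr, candidates):
    """candidates: (pool, subnet) pairs; return the pool whose matching subnet is longest."""
    best = None
    for pool, subnet in candidates:
        if addr in subnet and (best is None or subnet.prefixlen > best[1].prefixlen):
            best = (pool, subnet)
    return best[0] if best else None


def select_pool(pools, client_id, receiving_ip, giaddr="0.0.0.0", applied=None):
    """The three principles in order: static binding, pool applied to the receiving interface,
    then longest match on primary subnets, falling back to secondary subnets. None = no pool."""
    for pool in pools:
        if client_id in pool.static:
            return pool
    if applied is not None:
        return next(p for p in pools if p.name == applied)
    # A relayed request carries the first relay's address in giaddr; a request from the
    # server's own subnet is matched against the receiving interface's address instead.
    key = IPv4Address(giaddr if giaddr != "0.0.0.0" else receiving_ip)
    match = _longest_match(key, ((p, p.primary) for p in pools))
    if match is None:
        match = _longest_match(key, ((p, s) for p in pools for s in p.secondaries))
    return match


def allocate(pool, client, user_classes):
    """Method 1 range selection (steps a to d): user classes are tried in configuration order;
    a matching class with no free address falls through to the next class, and finally to the
    server's address range. Returns None when no address is assignable (allocation fails)."""
    for name, matches in user_classes:
        free = pool.class_ranges.get(name, [])
        if matches(client) and free:
            return free.pop(0)
    if pool.server_range:
        return pool.server_range.pop(0)
    return None


if __name__ == "__main__":
    pools = [Pool("pool24", IPv4Network("1.1.1.0/24")), Pool("pool25", IPv4Network("1.1.1.0/25"))]
    print(select_pool(pools, "00:11:22:33:44:55", "1.1.1.1").name)     # pool25
    print(select_pool(pools, "00:11:22:33:44:55", "1.1.1.130").name)   # pool24
```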

 

 

NOTE:

H3C recommends that you configure a minimum of one matching primary subnet in your network. Otherwise, the DHCP server selects only the first matching secondary subnet for address allocation. If the network has more DHCP clients than the assignable IP addresses in the secondary subnet, not all DHCP clients can obtain IP addresses.

 

IP address allocation sequence

The DHCP server selects an IP address for a client in the following sequence:

1.     IP address statically bound to the client's MAC address or ID.

2.     IP address that was ever assigned to the client.

3.     IP address designated by the Option 50 field in the DHCP-DISCOVER message sent by the client.

Option 50 is the Requested IP Address option. The client uses this option to specify the wanted IP address in a DHCP-DISCOVER message. The content of Option 50 is user defined.

4.     First assignable IP address found in the way discussed in "DHCP address pool."

5.     IP address that was in conflict or whose lease has expired. If no IP address is assignable, the server does not respond.

 

 

NOTE:

·     If a client moves to another subnet, the DHCP server selects an IP address in the address pool matching the new subnet. It does not assign the IP address that was once assigned to the client.

·     Conflicted IP addresses can be assigned to other DHCP clients only after the addresses are in conflict for an hour.

 

DHCP server configuration task list

Tasks at a glance

(Required.) Configuring an address pool on the DHCP server

(Required.) Enabling DHCP

(Required.) Enabling the DHCP server on an interface

(Optional.) Applying an address pool on an interface

(Optional.) Configuring a DHCP policy for dynamic address assignment

(Optional.) Configuring IP address conflict detection

(Optional.) Enabling handling of Option 82

(Optional.) Configuring DHCP server compatibility

(Optional.) Setting the DSCP value for DHCP packets sent by the DHCP server

(Optional.) Configuring DHCP binding auto backup

(Optional.) Configuring address pool usage alarming

(Optional.) Binding gateways to DHCP server's MAC address

(Optional.) Advertising subnets assigned to clients

(Optional.) Enabling client offline detection on the DHCP server

(Optional.) Enabling DHCP logging on the DHCP server

 

Configuring an address pool on the DHCP server

Configuration task list

Tasks at a glance

(Required.) Creating a DHCP address pool

Perform one or more of the following tasks:

·     Specifying IP address ranges for a DHCP address pool

·     Specifying gateways for DHCP clients

·     Specifying a domain name suffix for DHCP clients

·     Specifying DNS servers for DHCP clients

·     Specifying WINS servers and NetBIOS node type for DHCP clients

·     Specifying BIMS server for DHCP clients

·     Specifying the configuration file for DHCP client auto-configuration

·     Specifying a server for DHCP clients

·     Configuring Option 184 parameters for DHCP clients

·     Customizing DHCP options

·     Configuring the DHCP user class whitelist

 

Creating a DHCP address pool

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a DHCP address pool and enter its view.

dhcp server ip-pool pool-name

By default, no DHCP address pool exists.

 

Specifying IP address ranges for a DHCP address pool

You can configure both static and dynamic address allocation mechanisms in a DHCP address pool. For dynamic address allocation, you can specify either a primary subnet with multiple address ranges or a primary subnet with multiple secondary subnets for a DHCP address pool. You cannot configure both.

Specifying a primary subnet and multiple address ranges for a DHCP address pool

Some scenarios need to classify DHCP clients on the same subnet into different address groups. To meet this need, you can configure DHCP user classes and specify different address ranges for the classes. The clients matching a user class can then get the IP addresses of an address range. In addition, you can specify a DHCP server's address range for the clients that do not match any user class. If no DHCP server's address range is specified, such clients fail to obtain IP addresses.

If there is no need to classify clients, you do not need to configure DHCP user classes or their address ranges.

Follow these guidelines when you specify a primary subnet and multiple address ranges for a DHCP address pool:

·     If you use the network or address range command multiple times for the same address pool, the most recent configuration takes effect.

·     IP addresses specified by the forbidden-ip command are not assignable in the current address pool, but are assignable in other address pools. IP addresses specified by the dhcp server forbidden-ip command are not assignable in any address pool.

To specify a primary subnet and multiple address ranges for a DHCP address pool:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a DHCP user class and enter DHCP user class view.

dhcp class class-name

Required for client classification.

By default, no DHCP user class exists.

3.     Configure a match rule for the DHCP user class.

if-match rule rule-number { hardware-address hardware-address mask hardware-address-mask | option option-code [ ascii ascii-string [ offset offset | partial ] | hex hex-string [ mask mask | offset offset length length | partial ] ] | relay-agent gateway-address }

Required for client classification.

By default, no match rule is configured for a DHCP user class.

4.     Return to system view.

quit

N/A

5.     Create a DHCP address pool and enter its view.

dhcp server ip-pool pool-name

By default, no DHCP address pool exists.

6.     Specify the primary subnet for the address pool.

network network-address [ mask-length | mask mask ]

By default, no primary subnet is specified.

7.     (Optional.) Specify the DHCP server's address range.

address range start-ip-address end-ip-address

By default, no IP address range is specified.

8.     (Optional.) Specify an IP address range for a DHCP user class.

class class-name range start-ip-address end-ip-address

By default, no IP address range is specified for a user class.

The DHCP user class must already exist.

To specify address ranges for multiple DHCP user classes, repeat this step.

9.     (Optional.) Set the address lease duration.

expired { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited }

The default setting is 1 day.

10.     (Optional.) Exclude the specified IP addresses in the address pool from dynamic allocation.

forbidden-ip ip-address&<1-8>

By default, all the IP addresses in the DHCP address pool are assignable.

To exclude multiple address ranges from dynamic allocation, repeat this step.

11.     Return to system view.

quit

N/A

12.     (Optional.) Exclude the specified IP addresses from automatic allocation globally.

dhcp server forbidden-ip start-ip-address [ end-ip-address ]

By default, except for the IP address of the DHCP server interface, all IP addresses in address pools are assignable.

To exclude multiple IP address ranges, repeat this step.
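How the user-class steps above fit together, as an added Python example that is not H3C code: it models the if-match rule forms of step 3 (hardware-address with mask, option ascii/hex with offset, length, mask or partial, and relay-agent), classifies a request by the first class it matches, and allocates from that class's range (step 8), from the server's address range (step 7) when no class matches, skipping forbidden-ip and dhcp server forbidden-ip addresses. Rule semantics, the OR between a class's rules and the handling of a class without its own range are assumptions; the classes, MAC addresses and options are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

def _masked(data, mask):
    """Bitwise AND of two byte strings (the mask forms of hardware-address and hex)."""
    return bytes(a & b for a, b in zip(data, mask))

@dataclass
class Request:
    chaddr: bytes                                # client hardware address
    giaddr: str = "0.0.0.0"                      # relay agent address, 0.0.0.0 if none
    options: dict = field(default_factory=dict)  # option code -> raw option bytes

@dataclass
class Rule:
    kind: str              # "hardware-address", "option" or "relay-agent"
    value: bytes
    code: int = 0          # option code (kind == "option")
    mask: bytes = None     # hardware-address ... mask, or hex ... mask
    offset: int = None     # ascii/hex ... offset
    length: int = None     # hex ... offset ... length
    partial: bool = False  # match anywhere inside the option

    def matches(self, req):
        if self.kind == "hardware-address":
            return _masked(req.chaddr, self.mask) == _masked(self.value, self.mask)
        if self.kind == "relay-agent":
            return req.giaddr == self.value.decode()
        data = req.options.get(self.code)
        if data is None:
            return False
        if self.mask is not None:
            return _masked(data, self.mask) == _masked(self.value, self.mask)
        if self.offset is not None:
            end = self.offset + (self.length or len(self.value))
            return data[self.offset:end] == self.value
        if self.partial:
            return self.value in data
        return data == self.value

@dataclass
class Pool:
    network: ipaddress.IPv4Network
    server_range: tuple = None                        # address range start end
    class_ranges: list = field(default_factory=list)  # [(class name, (start, end))] in config order
    forbidden: set = field(default_factory=set)       # forbidden-ip (pool view)
    in_use: set = field(default_factory=set)

def classify(classes, req):
    """Name of the first class, in configuration order, with any rule the request matches (OR assumed)."""
    for name, rules in classes:
        if any(rule.matches(req) for rule in rules):
            return name
    return None

def allocate(pool, classes, req, global_forbidden=frozenset()):
    """Return (class name or None, address or None) for one request."""
    cls_name = classify(classes, req)
    # Unclassified clients get the server's own range; a class without a range is
    # treated the same way (assumption). No server range means such clients fail.
    rng = dict(pool.class_ranges).get(cls_name, pool.server_range)
    if rng is None:
        return cls_name, None
    addr, end = (ipaddress.ip_address(a) for a in rng)
    while addr <= end:
        if (addr in pool.network and addr not in pool.in_use
                and addr not in pool.forbidden and addr not in global_forbidden):
            pool.in_use.add(addr)
            return cls_name, str(addr)
        addr += 1
    return cls_name, None

def demo():
    """Constructed classes, pool and requests; returns the allocation decisions in order."""
    ip = ipaddress.ip_address
    classes = [
        ("phones", [Rule("option", b"H3C-Phone", code=60, partial=True)]),
        ("printers", [Rule("hardware-address", bytes.fromhex("00e0fc000000"),
                           mask=bytes.fromhex("ffffff000000"))]),   # OUI only
        ("relayed", [Rule("relay-agent", b"10.1.1.1")]),
    ]
    pool = Pool(ipaddress.ip_network("10.1.1.0/24"), server_range=("10.1.1.100", "10.1.1.199"),
                class_ranges=[("phones", ("10.1.1.10", "10.1.1.19")),
                              ("printers", ("10.1.1.20", "10.1.1.29")),
                              ("relayed", ("10.1.1.30", "10.1.1.39"))],
                forbidden={ip("10.1.1.10")})
    global_forbidden = {ip("10.1.1.100")}   # dhcp server forbidden-ip 10.1.1.100
    requests = [
        Request(bytes.fromhex("001122334455"), options={60: b"Vendor:H3C-Phone/1.0"}),
        Request(bytes.fromhex("00e0fc123456")),
        Request(bytes.fromhex("aabbccddeeff"), giaddr="10.1.1.1"),
        Request(bytes.fromhex("aabbccddee00"), options={60: b"udhcp 1.36"}),  # matches no class
        Request(bytes.fromhex("001122334466"), options={60: b"H3C-Phone"}),
    ]
    return [allocate(pool, classes, r, global_forbidden) for r in requests]
```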

 

Specifying a primary subnet and multiple secondary subnets for a DHCP address pool

If an address pool has a primary subnet and multiple secondary subnets, the server assigns IP addresses on a secondary subnet when the primary subnet has no assignable IP addresses.

Follow these guidelines when you specify a primary subnet and secondary subnets for a DHCP address pool:

·     You can specify only one primary subnet in each address pool. If you use the network command multiple times, the most recent configuration takes effect.

·     You can specify a maximum of 32 secondary subnets in each address pool.

·     IP addresses specified by the forbidden-ip command are not assignable in the current address pool, but are assignable in other address pools. IP addresses specified by the dhcp server forbidden-ip command are not assignable in any address pool.

To specify a primary subnet and secondary subnets for a DHCP address pool:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a DHCP address pool and enter its view.

dhcp server ip-pool pool-name

By default, no DHCP address pool exists.

3.     Specify the primary subnet.

network network-address [ mask-length | mask mask ]

By default, no primary subnet is specified.

4.     (Optional.) Specify a secondary subnet.

network network-address [ mask-length | mask mask ] secondary

By default, no secondary subnet is specified.

5.     (Optional.) Return to address pool view.

quit

N/A

6.     (Optional.) Set the address lease duration.

expired { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited }

The default setting is 1 day.

7.     (Optional.) Exclude the specified IP addresses from dynamic allocation.

forbidden-ip ip-address&<1-8>

By default, all the IP addresses in the DHCP address pool can be dynamically allocated.

To exclude multiple address ranges from the address pool, repeat this step.

8.     Return to system view.

quit

N/A

9.     (Optional.) Exclude the specified IP addresses from dynamic allocation globally.

dhcp server forbidden-ip start-ip-address [ end-ip-address ]

Except for the IP address of the DHCP server interface, IP addresses in all address pools are assignable by default.

To exclude multiple address ranges globally, repeat this step.

 

Configuring a static binding in a DHCP address pool

Some DHCP clients, such as a WWW server, need fixed IP addresses. To provide a fixed IP address for a client, you can statically bind the MAC address or ID of the client to an IP address in a DHCP address pool. When the client requests an IP address, the DHCP server assigns the IP address in the static binding to the client.

Follow these guidelines when you configure a static binding:

·     One IP address can be bound to only one client MAC or client ID. You cannot modify bindings that have been created. To change the binding for a DHCP client, you must delete the existing binding first.

·     The IP address of a static binding cannot be the address of the DHCP server interface. Otherwise, an IP address conflict occurs and the bound client cannot obtain an IP address correctly.

·     Multiple interfaces on the same device might all use DHCP to request a static IP address. In this case, use client IDs rather than the device's MAC address to identify the interfaces. Otherwise, IP address allocation will fail.

To configure a static binding:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a DHCP address pool and enter its view.

dhcp server ip-pool pool-name

By default, no DHCP address pool exists.

3.     Configure a static binding.

static-bind ip-address ip-address [ mask-length | mask mask ] { client-identifier client-identifier | hardware-address hardware-address [ ethernet | token-ring ] }

By default, no static binding is configured.

To add more static bindings, repeat this step.

4.     (Optional.) Set the lease duration for the IP address.

expired { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited }

The default setting is 1 day.

 

Specifying gateways for DHCP clients

DHCP clients send packets destined for other networks to a gateway. The DHCP server can assign the gateway address to the DHCP clients.

You can specify gateway addresses in each address pool on the DHCP server. A maximum of 64 gateways can be specified in DHCP address pool view or secondary subnet view.

The DHCP server assigns gateway addresses to clients on a secondary subnet in the following ways:

·     If gateways are specified in both address pool view and secondary subnet view, DHCP assigns those specified in the secondary subnet view.

·     If gateways are specified in address pool view but not in secondary subnet view, DHCP assigns those specified in address pool view.

To configure gateways in the DHCP address pool:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a DHCP address pool and enter its view.

dhcp server ip-pool pool-name

By default, no DHCP address pool exists.

3.     Specify gateways.

gateway-list ip-address&<1-64>

By default, no gateway is specified.

4.     (Optional.) Enter secondary subnet view.

network network-address [ mask-length | mask mask ] secondary

N/A

5.     (Optional.) Specify gateways.

gateway-list ip-address&<1-64>

By default, no gateway is specified.

 

Specifying a domain name suffix for DHCP clients

You can specify a domain name suffix in a DHCP address pool on the DHCP server. With this suffix assigned, the client only needs to input part of a domain name, and the system adds the domain name suffix for name resolution. For more information about DNS, see "Configuring DNS."

To configure a domain name suffix in the DHCP address pool:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a DHCP address pool and enter its view.

dhcp server ip-pool pool-name

By default, no DHCP address pool exists.

3.     Specify a domain name suffix.

domain-name domain-name

By default, no domain name is specified.

 

Specifying DNS servers for DHCP clients

To access hosts on the Internet through domain names, a DHCP client must contact a DNS server to resolve names. You can specify up to eight DNS servers in a DHCP address pool.

To specify DNS servers in a DHCP address pool:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a DHCP address pool and enter its view.

dhcp server ip-pool pool-name

By default, no DHCP address pool exists.

3.     Specify DNS servers.

dns-list ip-address&<1-8>

By default, no DNS server is specified.

 

Specifying WINS servers and NetBIOS node type for DHCP clients

A Microsoft DHCP client using NetBIOS protocol must contact a WINS server for name resolution. You can specify up to eight WINS servers for such clients in a DHCP address pool.

In addition, you must specify the NetBIOS node type that the clients use for name resolution. There are four NetBIOS node types:

·     b (broadcast)-node—A b-node client sends the destination name in a broadcast message. The destination returns its IP address to the client after receiving the message.

·     p (peer-to-peer)-node—A p-node client sends the destination name in a unicast message to the WINS server. The WINS server returns the destination IP address.

·     m (mixed)-node—An m-node client broadcasts the destination name. If it receives no response, it unicasts the destination name to the WINS server to get the destination IP address.

·     h (hybrid)-node—An h-node client unicasts the destination name to the WINS server. If it receives no response, it broadcasts the destination name to get the destination IP address.

To configure WINS servers and NetBIOS node type in a DHCP address pool:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a DHCP address pool and enter its view.

dhcp server ip-pool pool-name

By default, no DHCP address pool exists.

3.     Specify WINS servers.

nbns-list ip-address&<1-8>

This step is optional for b-node.

By default, no WINS server is specified.

4.     Specify the NetBIOS node type.

netbios-type { b-node | h-node | m-node | p-node }

By default, no NetBIOS node type is specified.

 

Specifying BIMS server for DHCP clients

Perform this task to provide the BIMS server IP address, port number, and shared key for the clients. The DHCP clients contact the BIMS server to get configuration files and perform software upgrade and backup.

To configure the BIMS server IP address, port number, and shared key in the DHCP address pool:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a DHCP address pool and enter its view.

dhcp server ip-pool pool-name

By default, no DHCP address pool exists.

3.     Specify the BIMS server IP address, port number, and shared key.

bims-server ip ip-address [ port port-number ] sharekey { cipher | simple } key

By default, no BIMS server information is specified.

 

Specifying the configuration file for DHCP client auto-configuration

Auto-configuration enables a device to obtain a set of configuration settings automatically from servers when the device starts up without a configuration file. It requires the cooperation of the DHCP server, HTTP server, DNS server, and TFTP server. For more information about auto-configuration, see Fundamentals Configuration Guide.

The DHCP client uses the obtained parameters to contact the TFTP server or the HTTP server to get the configuration file.

To specify the configuration file name in a DHCP address pool:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a DHCP address pool and enter its view.

dhcp server ip-pool pool-name

By default, no DHCP address pool exists.

3.     Specify the IP address or the name of a TFTP server.

·     Specify the IP address of the TFTP server:
tftp-server ip-address ip-address

·     Specify the name of the TFTP server:
tftp-server domain-name domain-name

You can specify both the IP address and name of the TFTP server.

By default, no TFTP server is specified.

4.     Specify the configuration file name.

bootfile-name bootfile-name

By default, no configuration file name is specified.

 

Specifying a server for DHCP clients

Some DHCP clients need to obtain configuration information from a server, such as a TFTP server. You can specify the IP address of that server. The DHCP server sends the server's IP address to DHCP clients along with other configuration information.

To specify the IP address of a server:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a DHCP address pool and enter its view.

dhcp server ip-pool pool-name

By default, no DHCP address pool exists.

3.     Specify the IP address of a server.

next-server ip-address

By default, no server is specified.

 

Configuring Option 184 parameters for DHCP clients

To assign calling parameters to DHCP clients with voice service, you must configure Option 184 on the DHCP server. For more information about Option 184, see "Option 184."

To configure Option 184 parameters in a DHCP address pool:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a DHCP address pool and enter its view.

dhcp server ip-pool pool-name

By default, no DHCP address pool exists.

3.     Specify the IP address of the primary network calling processor.

voice-config ncp-ip ip-address

By default, no primary network calling processor is specified.

After you configure this command, the other Option 184 parameters take effect.

4.     (Optional.) Specify the IP address for the backup server.

voice-config as-ip ip-address

By default, no backup network calling processor is specified.

5.     (Optional.) Configure the voice VLAN.

voice-config voice-vlan vlan-id { disable | enable }

By default, no voice VLAN is configured.

6.     (Optional.) Specify the failover IP address and dialer string.

voice-config fail-over ip-address dialer-string

By default, no failover IP address or dialer string is specified.

 

Customizing DHCP options

IMPORTANT:

Use caution when customizing DHCP options because the configuration might affect DHCP operation.

 

You can customize options for the following purposes:

·     Add newly released options.

·     Add options for which the vendor defines the contents, for example, Option 43.

·     Add options for which the CLI does not provide a dedicated configuration command. For example, you can use the option 4 ip-address 1.1.1.1 command to define the time server address 1.1.1.1 for DHCP clients.

·     Add all option values if the actual requirement exceeds the limit for a dedicated option configuration command. For example, the dns-list command can specify up to eight DNS servers. To specify more than eight DNS servers, you must use the option 6 command to define all DNS servers.

To customize a DHCP option in a DHCP address pool:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a DHCP address pool and enter its view.

dhcp server ip-pool pool-name

By default, no DHCP address pool exists.

3.     Customize a DHCP option.

option code { ascii ascii-string | hex hex-string | ip-address ip-address&<1-8> }

By default, no DHCP option is customized in a DHCP address pool.

DHCP options specified in DHCP option groups take precedence over those specified in DHCP address pools.

 

To customize a DHCP option in a DHCP option group:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a DHCP user class and enter DHCP user class view.

dhcp class class-name

By default, no DHCP user class exists.

3.     Configure a match rule for the DHCP user class.

if-match rule rule-number { hardware-address hardware-address mask hardware-address-mask | option option-code [ ascii ascii-string [ offset offset | partial ] | hex hex-string [ mask mask | offset offset length length | partial ] ] | relay-agent gateway-address }

By default, no match rule is configured for a DHCP user class.

4.     Return to system view.

quit

N/A

5.     Create a DHCP option group and enter DHCP option group view.

dhcp option group option-group-number

By default, no DHCP option group exists.

6.     Customize a DHCP option.

option code { ascii ascii-string | hex hex-string | ip-address ip-address&<1-8> }

By default, no DHCP option is customized in a DHCP option group.

DHCP options specified in DHCP option groups take precedence over those specified in DHCP address pools.

7.     Create a DHCP address pool and enter DHCP address pool view.

dhcp server ip-pool pool-name

By default, no DHCP address pool exists.

8.     Specify the DHCP option group for the DHCP user class.

class class-name option group option-group-number

By default, no DHCP option group is specified for a DHCP user class.

 

Table 2 DHCP server's DHCP options

Option | Option name | Corresponding command | Recommended option command parameters
3 | Router Option | gateway-list | ip-address
6 | Domain Name Server Option | dns-list | ip-address
15 | Domain Name | domain-name | ascii
44 | NetBIOS over TCP/IP Name Server Option | nbns-list | ip-address
46 | NetBIOS over TCP/IP Node Type Option | netbios-type | hex
66 | TFTP server name | tftp-server | ascii
67 | Boot file name | bootfile-name | ascii
43 | Vendor Specific Information | N/A | hex

 

Configuring the DHCP user class whitelist

The DHCP user class whitelist allows the DHCP server to process requests only from clients on the DHCP user class whitelist. The whitelist does not take effect on clients that request static IP addresses; the server always processes their requests.

To configure the DHCP user class whitelist:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a DHCP user class and enter DHCP user class view.

dhcp class class-name

By default, no DHCP user class exists.

3.     Configure a match rule for the DHCP user class.

if-match rule rule-number { hardware-address hardware-address mask hardware-address-mask | option option-code [ ascii ascii-string [ offset offset | partial ] | hex hex-string [ mask mask | offset offset length length | partial ] ] | relay-agent gateway-address }

By default, no match rule is configured for a DHCP user class.

4.     Return to system view.

quit

N/A

5.     Create a DHCP address pool and enter DHCP address pool view.

dhcp server ip-pool pool-name

By default, no DHCP address pool exists.

6.     Enable the DHCP user class whitelist.

verify class

By default, the DHCP user class whitelist is disabled.

7.     Add DHCP user classes to the DHCP user class whitelist.

valid class class-name&<1-8>

By default, no DHCP user class is on the DHCP user class whitelist.

 

Enabling DHCP

You must enable DHCP before any other DHCP configuration takes effect.

To enable DHCP:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable DHCP.

dhcp enable

By default, DHCP is disabled.

 

Enabling the DHCP server on an interface

Perform this task to enable the DHCP server on an interface. Upon receiving a DHCP request on the interface, the DHCP server assigns the client an IP address and other configuration parameters from a DHCP address pool.

To enable the DHCP server on an interface:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter interface view.

interface interface-type interface-number

N/A

3.     Enable the DHCP server on the interface.

dhcp select server

By default, the DHCP server on the interface is enabled.

 

Applying an address pool on an interface

Perform this task to apply a DHCP address pool on an interface.

Upon receiving a DHCP request from the interface, the DHCP server performs address allocation in the following ways:

·     If a static binding is found for the client, the server assigns the static IP address and configuration parameters from the address pool that contains the static binding.

·     If no static binding is found for the client, the server uses the address pool applied to the interface for address and configuration parameter allocation.

To apply an address pool on an interface:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter interface view.

interface interface-type interface-number

N/A

3.     Apply an address pool on the interface.

dhcp server apply ip-pool pool-name

By default, no address pool is applied on an interface.

If the applied address pool does not exist, the DHCP server fails to perform dynamic address allocation.

 

Configuring a DHCP policy for dynamic address assignment

In a DHCP policy, each DHCP user class has a bound DHCP address pool. Clients matching different user classes obtain IP addresses and other parameters from different address pools. The DHCP policy must be applied to the interface that acts as the DHCP server. When receiving a DHCP request, the DHCP server compares the packet against the user classes in the order that they are configured.

·     If a match is found and the bound address pool has assignable IP addresses, the server assigns an IP address and other parameters from the address pool. If the address pool does not have assignable IP addresses, the address assignment fails.

·     If no match is found, the server assigns an IP address and other parameters from the default DHCP address pool. If no default address pool is specified or the default address pool does not have assignable IP addresses, the address assignment fails.

For successful address assignment, make sure the applied DHCP policy and the bound address pools exist.

To configure a DHCP policy for dynamic address assignment:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create a DHCP user class and enter DHCP user class view.

dhcp class class-name

By default, no DHCP user class exists.

3.     Configure a match rule for the DHCP user class.

if-match rule rule-number { hardware-address hardware-address mask hardware-address-mask | option option-code [ ascii ascii-string [ offset offset | partial ] | hex hex-string [ mask mask | offset offset length length | partial ] ] | relay-agent gateway-address }

By default, no match rule is configured for a DHCP user class.

4.     Return to system view.

quit

N/A

5.     Create a DHCP policy and enter DHCP policy view.

dhcp policy policy-name

By default, no DHCP policy exists.

6.     Specify a DHCP address pool for a DHCP user class.

class class-name ip-pool pool-name

By default, no address pool is specified for a user class.

7.     Specify the default DHCP address pool.

default ip-pool pool-name

By default, no default address pool is specified.

8.     Return to system view.

quit

N/A

9.     Enter interface view.

interface interface-type interface-number

N/A

10.     Apply the DHCP policy to the interface.

dhcp apply-policy policy-name

By default, no DHCP policy is applied to an interface.

 

Configuring IP address conflict detection

Before assigning an IP address, the DHCP server pings that IP address.

·     If the server receives a response within the specified period, it selects and pings another IP address.

·     If it receives no response, the server continues to ping the IP address until a specific number of ping packets are sent. If still no response is received, the server assigns the IP address to the requesting client. The DHCP client uses gratuitous ARP to perform IP address conflict detection.

To configure IP address conflict detection:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     (Optional.) Set the maximum number of ping packets to be sent for conflict detection.

dhcp server ping packets number

The default setting is one.

The value 0 disables IP address conflict detection.

3.     (Optional.) Set the ping timeout time.

dhcp server ping timeout milliseconds

The default setting is 500 ms.

The value 0 disables IP address conflict detection.

 

Enabling handling of Option 82

Perform this task to enable the DHCP server to handle Option 82. Upon receiving a DHCP request that contains Option 82, the DHCP server adds Option 82 into the DHCP response.

If you disable the DHCP server from handling Option 82, it does not add Option 82 into the response message.

You must enable handling of Option 82 on both the DHCP server and the DHCP relay agent to ensure correct processing for Option 82. For information about enabling handling of Option 82 on the DHCP relay agent, see "Configuring Option 82."

To enable the DHCP server to handle Option 82:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable the server to handle Option 82.

dhcp server relay information enable

By default, handling of Option 82 is enabled.

 

Configuring DHCP server compatibility

Perform this task to enable the DHCP server to support DHCP clients that are not compliant with the RFCs.

Configuring the DHCP server to broadcast all responses

By default, the DHCP server broadcasts a response only when the broadcast flag in the DHCP request is set to 1. You can configure the DHCP server to ignore the broadcast flag and always broadcast a response. This feature is useful when some clients set the broadcast flag to 0 but do not accept unicast responses.

The DHCP server always unicasts a response in the following situations, regardless of whether this feature is configured or not:

·     The DHCP request is from a DHCP client that has an IP address (the ciaddr field is not 0).

·     The DHCP request is forwarded by a DHCP relay agent from a DHCP client (the giaddr field is not 0).

To configure the DHCP server to broadcast all responses:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable the DHCP server to broadcast all responses.

dhcp server always-broadcast

By default, the DHCP server reads the broadcast flag to decide whether to broadcast or unicast a response.

 

Configuring the DHCP server to ignore BOOTP requests

The lease duration of the IP addresses obtained by the BOOTP clients is unlimited. For some scenarios that do not allow unlimited leases, you can configure the DHCP server to ignore BOOTP requests.

To configure the DHCP server to ignore BOOTP requests:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Configure the DHCP server to ignore BOOTP requests.

dhcp server bootp ignore

By default, the DHCP server processes BOOTP requests.

 

Configuring the DHCP server to send BOOTP responses in RFC 1048 format

Not all BOOTP clients can send requests that are compatible with RFC 1048. By default, the DHCP server does not process the Vend field of RFC 1048-noncompliant requests but copies the Vend field unchanged into responses.

This feature enables the DHCP server to fill the Vend field in RFC 1048-compliant format in DHCP responses to RFC 1048-noncompliant requests sent by BOOTP clients.

This feature is effective for the BOOTP clients that request statically bound addresses.

To configure the DHCP server to send BOOTP responses in RFC 1048 format:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable the DHCP server to send BOOTP responses in RFC 1048 format to RFC 1048-noncompliant BOOTP requests for statically bound addresses.

dhcp server bootp reply-rfc-1048

By default, the DHCP server directly copies the Vend field of such requests into the responses.

 

Disabling Option 60 encapsulation in DHCP replies

If one or more DHCP clients cannot resolve Option 60, disable the DHCP server from encapsulating Option 60 in DHCP replies. If you do not disable the capability, the DHCP server encapsulates Option 60 in a DHCP reply in the following situations:

·     The received DHCP packet contains Option 60.

·     Option 60 is configured for the address pool.

To disable the DHCP server from encapsulating Option 60 in DHCP replies:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Disable the DHCP server from encapsulating Option 60 in DHCP replies.

dhcp server reply-exclude-option60

By default, the DHCP server can encapsulate Option 60 in DHCP replies.
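The three reply rules in this compatibility section, as an added Python example that is not H3C code: it parses the fixed RFC 2131 header and TLV options of a request, decides between unicast and broadcast (unicast whenever ciaddr or giaddr is non-zero, otherwise by the broadcast flag or dhcp server always-broadcast), echoes Option 82 only while dhcp server relay information enable is in effect, and drops Option 60 when dhcp server reply-exclude-option60 is set. That Option 82 is copied unchanged is an assumption; the packets and the Option 82 sub-option bytes are constructed.

```python
import struct
from dataclasses import dataclass, field

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BROADCAST_FLAG = 0x8000            # high bit of the flags field
ZERO_ADDR = b"\x00\x00\x00\x00"

@dataclass
class ServerConfig:
    always_broadcast: bool = False        # dhcp server always-broadcast
    relay_info_enable: bool = True        # dhcp server relay information enable (default)
    reply_exclude_option60: bool = False  # dhcp server reply-exclude-option60
    pool_options: dict = field(default_factory=dict)  # option code -> value set in the pool

def build_request(flags=0, ciaddr=ZERO_ADDR, giaddr=ZERO_ADDR, options=None):
    """Constructed DHCP request: 236-byte RFC 2131 header, magic cookie, TLV options, End."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234, 0, flags,
                         ciaddr, ZERO_ADDR, ZERO_ADDR, giaddr, b"\x00\x11\x22\x33\x44\x55", b"", b"")
    body = b"".join(bytes([code, len(val)]) + val for code, val in (options or {}).items())
    return header + MAGIC_COOKIE + body + b"\xff"

def parse_request(packet):
    """Pull out flags, ciaddr, giaddr and the option map (Pad and End handled)."""
    flags, ciaddr, giaddr = struct.unpack_from("!H4s8x4s", packet, 10)  # skips yiaddr/siaddr
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(packet) and packet[i] != 255:      # 255 = End
        if packet[i] == 0:                            # 0 = Pad, no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"flags": flags, "ciaddr": ciaddr, "giaddr": giaddr, "options": options}

def reply_delivery(req, cfg):
    """'unicast' or 'broadcast', following the rules of the section above."""
    if req["ciaddr"] != ZERO_ADDR:
        return "unicast"   # client already has an address
    if req["giaddr"] != ZERO_ADDR:
        return "unicast"   # relayed request: the reply goes to the relay agent
    if cfg.always_broadcast or req["flags"] & BROADCAST_FLAG:
        return "broadcast"
    return "unicast"

def reply_options(req, cfg):
    """Options placed in the reply: pool options, Option 82 if handling is on, Option 60 unless excluded."""
    out = dict(cfg.pool_options)
    if cfg.relay_info_enable and 82 in req["options"]:
        out[82] = req["options"][82]          # assumed: copied unchanged from the request
    if cfg.reply_exclude_option60:
        out.pop(60, None)
    elif 60 in req["options"] and 60 not in out:
        out[60] = req["options"][60]
    return out

def demo():
    """Constructed requests run through the decisions; returns name -> (delivery, option codes)."""
    cfg = ServerConfig(pool_options={3: bytes([10, 1, 1, 1])})   # gateway-list 10.1.1.1
    relayed = build_request(flags=BROADCAST_FLAG, giaddr=bytes([10, 1, 2, 1]),
                            options={82: b"\x01\x03abc", 60: b"MSFT 5.0"})
    strict = ServerConfig(relay_info_enable=False, reply_exclude_option60=True,
                          pool_options=cfg.pool_options)
    cases = [
        ("flag-set", build_request(flags=BROADCAST_FLAG), cfg),
        ("flag-clear", build_request(), cfg),
        ("always-broadcast", build_request(),
         ServerConfig(always_broadcast=True, pool_options=cfg.pool_options)),
        ("has-ciaddr", build_request(flags=BROADCAST_FLAG, ciaddr=bytes([10, 1, 1, 50])), cfg),
        ("relayed", relayed, cfg),
        ("relayed-strict", relayed, strict),   # Option 82 handling and Option 60 both off
    ]
    out = {}
    for name, packet, conf in cases:
        req = parse_request(packet)
        out[name] = (reply_delivery(req, conf), sorted(reply_options(req, conf)))
    return out
```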

 

Setting the DSCP value for DHCP packets sent by the DHCP server

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.

To set the DSCP value for DHCP packets sent by the DHCP server:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set the DSCP value for DHCP packets sent by the DHCP server.

dhcp dscp dscp-value

By default, the DSCP value in DHCP packets sent by the DHCP server is 56.

 

Configuring DHCP binding auto backup

The auto backup feature saves bindings to a backup file and allows the DHCP server to download the bindings from the backup file when it reboots. The bindings include the lease bindings and conflicted IP addresses. Without the backup, they do not survive a reboot of the DHCP server.

The DHCP server does not provide services during the download process. If a connection error occurs during the process and cannot be repaired in a short amount of time, you can terminate the download operation. Manual interruption allows the DHCP server to provide services without waiting for the connection to be repaired.

To configure DHCP binding auto backup:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Configure the DHCP server to back up the bindings to a file.
   Command: dhcp server database filename { filename | url url [ username username [ password { cipher | simple } key ] ] }
   Remarks: By default, the DHCP server does not back up the DHCP bindings. With this command executed, the DHCP server backs up its bindings immediately and runs auto backup.

3. (Optional.) Manually save the DHCP bindings to the backup file.
   Command: dhcp server database update now
   Remarks: N/A

4. (Optional.) Set the waiting time after a DHCP binding change for the DHCP server to update the backup file.
   Command: dhcp server database update interval seconds
   Remarks: The default waiting time is 300 seconds. If no DHCP binding changes, the backup file is not updated.

5. (Optional.) Terminate the download of DHCP bindings from the backup file.
   Command: dhcp server database update stop
   Remarks: N/A

 

Configuring address pool usage alarming

Perform this task to set the threshold for address pool usage alarming. When the threshold is exceeded, the system sends log messages to the information center. According to the log information, you can optimize the address pool configuration. For more information about the information center, see Network Management and Monitoring Configuration Guide.

To configure address pool usage alarming:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.

3. Set the threshold for address pool usage alarming.
   Command: ip-in-use threshold threshold-value
   Remarks: The default threshold is 100%.

 

Binding gateways to DHCP server's MAC address

This feature enables the DHCP server to assign different gateway IP addresses to DHCP clients. In addition, the DHCP server adds the gateway IP addresses and the server's MAC address to the address management module. The ARP module can then use the entries to reply to ARP requests from the clients.

As shown in Figure 14, the DHCP server is configured on the access device that provides access for clients of different service types, such as broadband, IPTV, and IP telephone. The clients of different types obtain IP addresses on different subnets. The access interface typically has no IP address configured, so for the clients to access the network you must bind the gateways to the server's MAC address when you specify gateways for the DHCP clients.

Figure 14 Network diagram

 

 

To bind the gateways to the DHCP server's MAC address:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.

3. Bind the gateways to the device's MAC address.
   Command: gateway-list ip-address&<1-64> export-route
   Remarks: By default, gateways are not bound to any MAC address.

 

Advertising subnets assigned to clients

This feature enables the route management module to advertise subnets assigned to DHCP clients. This feature achieves symmetric routing for traffic of the same host.

As shown in Figure 15, Router A and Router B act as both the DHCP server and the BRAS device. The BRAS devices send accounting packets to the RADIUS server. To enable the BRAS devices to collect correct accounting information for each RADIUS user, configure the DHCP server to advertise subnets assigned to clients. The upstream and downstream traffic of a RADIUS user will pass through the same BRAS device.

Figure 15 Network diagram

 

To configure the subnet advertisement feature:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP address pool exists.

3. Advertise subnets assigned to DHCP clients.
   Command: network network-address [ mask-length | mask mask ] export-route [ secondary ]
   Remarks: By default, the subnets assigned to DHCP clients are not advertised.

 

Enabling client offline detection on the DHCP server

The client offline detection feature reclaims an assigned IP address and deletes the binding entry when the ARP entry for the IP address ages out. The feature does not function if an ARP entry is manually deleted.

To enable client offline detection on the DHCP server:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

3. Enable client offline detection.
   Command: dhcp client-detect
   Remarks: By default, client offline detection is disabled on the DHCP server.

 

Enabling DHCP logging on the DHCP server

The DHCP logging feature enables the DHCP server to generate DHCP logs and send them to the information center. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

Disable this feature when the log generation affects the device performance or reduces the address allocation efficiency. For example, this situation might occur when a large number of clients frequently come online or go offline.

To enable DHCP logging on the DHCP server:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable DHCP logging.
   Command: dhcp log enable
   Remarks: By default, DHCP logging is disabled.

 

Displaying and maintaining the DHCP server

IMPORTANT:

A restart of the DHCP server or execution of the reset dhcp server ip-in-use command deletes all lease information. The DHCP server denies any DHCP request for lease extension, and the client must request an IP address again.

 

Execute display commands in any view and reset commands in user view.

 

Display information about IP address conflicts:
   display dhcp server conflict [ ip ip-address ]

Display information about DHCP binding auto backup:
   display dhcp server database

Display information about lease-expired IP addresses:
   display dhcp server expired [ ip ip-address | pool pool-name ]

Display information about assignable IP addresses:
   display dhcp server free-ip [ pool pool-name ]

Display information about assigned IP addresses:
   display dhcp server ip-in-use [ ip ip-address | pool pool-name ]

Display DHCP server statistics:
   display dhcp server statistics [ pool pool-name ]

Display information about DHCP address pools:
   display dhcp server pool [ pool-name ]

Clear information about IP address conflicts:
   reset dhcp server conflict [ ip ip-address ]

Clear information about lease-expired IP addresses:
   reset dhcp server expired [ ip ip-address | pool pool-name ]

Clear information about assigned IP addresses:
   reset dhcp server ip-in-use [ ip ip-address | pool pool-name ]

Clear DHCP server statistics:
   reset dhcp server statistics

 

DHCP server configuration examples

DHCP networking includes the following types:

·     The DHCP server and clients reside on the same subnet and exchange messages directly.

·     The DHCP server and clients are not on the same subnet and they communicate with each other through a DHCP relay agent.

The DHCP server configuration for the two types is identical.

Dynamic IP address assignment configuration example

Network requirements

As shown in Figure 16, the DHCP server (AC) assigns IP addresses to the AP and DHCP clients on subnet 10.1.1.0/24, which is subnetted into 10.1.1.0/25 and 10.1.1.128/25.

Configure DHCP server on the AC to assign IP addresses on subnet 10.1.1.0/25 to the AP and IP addresses on subnet 10.1.1.128/25 to DHCP clients.

Figure 16 Network diagram

 

Configuration procedure

1.     Configure VLANs and VLAN interfaces:

# Create VLAN 10 and VLAN 20.

<AC> system-view

[AC] vlan 10

[AC-vlan10] quit

[AC] vlan 20

[AC-vlan20] quit

# Add the interface connected to the AP to VLAN 10.

[AC] interface gigabitethernet 1/0/2

[AC-GigabitEthernet1/0/2] port link-type trunk

[AC-GigabitEthernet1/0/2] port trunk permit vlan 10

[AC-GigabitEthernet1/0/2] port trunk pvid vlan 10

[AC-GigabitEthernet1/0/2] quit

# Assign IP addresses to VLAN-interface 10 and VLAN-interface 20.

[AC] interface vlan-interface 10

[AC-Vlan-interface10] ip address 10.1.1.1 25

[AC-Vlan-interface10] quit

[AC] interface vlan-interface 20

[AC-Vlan-interface20] ip address 10.1.1.129 25

[AC-Vlan-interface20] quit

2.     Configure wireless services:

# Configure a service template and bind VLAN 20 to the service template.

[AC] wlan service-template service

[AC-wlan-st-service] ssid service

[AC-wlan-st-service] vlan 20

[AC-wlan-st-service] service-template enable

[AC-wlan-st-service] quit

# Configure the AP.

[AC] wlan ap ap1 model WA536

[AC-wlan-ap-ap1] serial-id 219801A1NQB117012935

[AC-wlan-ap-ap1] radio 1

[AC-wlan-ap-ap1-radio-1] service-template service

[AC-wlan-ap-ap1-radio-1] radio enable

[AC-wlan-ap-ap1-radio-1] return

3.     Configure the DHCP server:

# Enable DHCP.

[AC] dhcp enable

# Enable the DHCP server on VLAN-interface 10 and VLAN-interface 20.

[AC] interface vlan-interface 10

[AC-Vlan-interface10] dhcp select server

[AC-Vlan-interface10] quit

[AC] interface vlan-interface 20

[AC-Vlan-interface20] dhcp select server

[AC-Vlan-interface20] quit

# Configure DHCP address pool 1 to assign IP addresses to the AP on subnet 10.1.1.0/25.

[AC] dhcp server ip-pool 1

[AC-dhcp-pool-1] network 10.1.1.0 mask 255.255.255.128

[AC-dhcp-pool-1] quit

# Configure DHCP address pool 2 to assign IP addresses to DHCP clients on subnet 10.1.1.128/25.

[AC] dhcp server ip-pool 2

[AC-dhcp-pool-2] network 10.1.1.128 mask 255.255.255.128

[AC-dhcp-pool-2] quit

Verifying the configuration

# Verify that the AP on subnet 10.1.1.0/25 and the DHCP clients on subnet 10.1.1.128/25 can obtain correct IP addresses from the DHCP server. (Details not shown.)

# On the DHCP server, display the IP addresses assigned to the AP and DHCP clients.

[AC] display dhcp server ip-in-use

IP address       Client identifier/    Lease expiration      Type

                 Hardware address

10.1.1.3         0031-3865-392e-6262-  Jan 1 22:25:03 2015  Auto(C)

                 3363-2e30-3230-352d-

                 4745-302f-30

10.1.1.130       3030-3030-2e30-3030-  Jan 9 10:45:11 2015   Auto(C)

                 662e-3030-3033-2d45-

                 7568-6572-1e

10.1.1.131       3030-0020-fe02-3020-  Jan 9 10:45:11 2015   Auto(C)

                 7052-0201-2013-1e02

                 0201-9068-23

10.1.1.132       2020-1220-1102-3021-  Jan 9 10:45:11 2015   Auto(C)

                 7e52-0211-2025-3402

                 0201-9068-9a

10.1.1.133       2021-d012-0202-4221-  Jan 9 10:45:11 2015   Auto(C)

                 8852-0203-2022-55e0

                 3921-0104-31

DHCP user class configuration example

Network requirements

As shown in Figure 17, the DHCP relay agent (the switch) forwards DHCP packets between DHCP clients and the DHCP server (AC). Enable the switch to support Option 82 so that the switch can add Option 82 in the DHCP requests sent by the DHCP clients.

Configure the address allocation scheme as follows:

 

Assign IP addresses          To clients
10.10.1.2 to 10.10.1.10      The DHCP request contains Option 82.
10.10.1.11 to 10.10.1.26     The hardware address in the request is six bytes long and begins with aabb-aabb-aab.

 

For clients on subnet 10.10.1.0/24, the DNS server address is 10.10.1.20/24 and the gateway address is 10.10.1.254/24.

Figure 17 Network diagram

 

Configuration procedure

1.     Assign IP addresses to interfaces on DHCP server and DHCP relay agent. (Details not shown.)

2.     Configure basic settings on the AC. For more information, see WLAN Configuration Guide.

3.     Configure DHCP services:

# Enable DHCP and configure the DHCP server to handle Option 82.

<AC> system-view

[AC] dhcp enable

[AC] dhcp server relay information enable

# Enable DHCP server on VLAN-interface10.

[AC] interface vlan-interface 10

[AC-Vlan-interface10] dhcp select server

[AC-Vlan-interface10] quit

# Create DHCP user class tt and configure a match rule to match client requests with Option 82.

[AC] dhcp class tt

[AC-dhcp-class-tt] if-match rule 1 option 82

[AC-dhcp-class-tt] quit

# Create DHCP user class ss and configure a match rule to match DHCP requests in which the hardware address is six bytes long and begins with aabb-aabb-aab.

[AC] dhcp class ss

[AC-dhcp-class-ss] if-match rule 1 hardware-address aabb-aabb-aab0 mask ffff-ffff-fff0

[AC-dhcp-class-ss] quit

# Create DHCP address pool aa.

[AC] dhcp server ip-pool aa

# Specify the subnet for dynamic allocation.

[AC-dhcp-pool-aa] network 10.10.1.0 mask 255.255.255.0

# Specify the address range for dynamic allocation.

[AC-dhcp-pool-aa] address range 10.10.1.2 10.10.1.100

# Specify the address range for user class tt.

[AC-dhcp-pool-aa] class tt range 10.10.1.2 10.10.1.10

# Specify the address range for user class ss.

[AC-dhcp-pool-aa] class ss range 10.10.1.11 10.10.1.26

# Specify the gateway address and DNS server address.

[AC-dhcp-pool-aa] gateway-list 10.10.1.254

[AC-dhcp-pool-aa] dns-list 10.10.1.20

[AC-dhcp-pool-aa] quit

Verifying the configuration

# Verify that clients matching the user classes can obtain IP addresses in the specified ranges and all other configuration parameters from the DHCP server. (Details not shown.)

# Display the IP addresses assigned by the DHCP server.

[AC] display dhcp server ip-in-use

IP address       Client identifier/    Lease expiration      Type

                 Hardware address

10.10.1.2        0031-3865-392e-6262-  Jan 14 22:25:03 2015  Auto(C)

                 3363-2e30-3230-352d-

                 4745-302f-30

10.10.1.11       aabb-aabb-aab1        Jan 14 22:25:03 2015  Auto(C)

DHCP user class whitelist configuration example

Network requirements

As shown in Figure 18, configure the DHCP user class whitelist to allow the DHCP server to assign IP addresses to clients whose hardware addresses are six bytes long and begin with aabb-aabb.

Figure 18 Network diagram

 

Configuration procedure

1.     Assign IP addresses to the interfaces on the DHCP server. (Details not shown.)

2.     Configure basic settings on the AC. For more information, see WLAN Configuration Guide.

3.     Configure DHCP:

# Enable DHCP.

<AC> system-view

[AC] dhcp enable

# Enable DHCP server on VLAN-interface 2.

[AC] interface vlan-interface 2

[AC-Vlan-interface2] dhcp select server

[AC-Vlan-interface2] quit

# Create DHCP user class ss and configure a match rule to match DHCP requests in which the hardware address is six bytes long and begins with aabb-aabb.

[AC] dhcp class ss

[AC-dhcp-class-ss] if-match rule 1 hardware-address aabb-aabb-0000 mask ffff-ffff-0000

[AC-dhcp-class-ss] quit

# Create DHCP address pool aa.

[AC] dhcp server ip-pool aa

# Specify the subnet for dynamic allocation.

[AC-dhcp-pool-aa] network 10.1.1.0 mask 255.255.255.0

# Enable DHCP user class whitelist.

[AC-dhcp-pool-aa] verify class

# Add DHCP user class ss to the DHCP user class whitelist.

[AC-dhcp-pool-aa] valid class ss

[AC-dhcp-pool-aa] quit

Verifying the configuration

# Verify that clients matching the DHCP user class can obtain IP addresses on subnet 10.1.1.0/24 from the DHCP server. (Details not shown.)

# On the DHCP server, display the IP addresses assigned to the clients.

[AC] display dhcp server ip-in-use

IP address       Client identifier/    Lease expiration      Type

                 Hardware address

10.1.1.2         aabb-aabb-ab01        Jan 14 22:25:03 2015  Auto(C)
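The two preceding examples both select clients by a masked hardware-address rule (aabb-aabb-aab0 mask ffff-ffff-fff0, and aabb-aabb-0000 mask ffff-ffff-0000), and the first one additionally matches on the presence of Option 82 and maps each class to an address range. The following Python model, added here as an illustration and not code from the H3C guide or the device, shows how such rules evaluate: the mask selects which bits of the client's chaddr are compared, the first configured class that matches wins its range, and with the whitelist enabled a client that matches no valid class is refused. The Request and Pool types, the function names, and the fallback range used for the whitelist pool are assumptions for the example; the class names, masks and ranges are taken from the examples above.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


def mac_bytes(dotted: str) -> bytes:
    """Convert H3C dotted hex ('aabb-aabb-aab1') to six raw bytes."""
    raw = bytes.fromhex(dotted.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError("hardware address must be six bytes long")
    return raw


@dataclass
class Request:
    """Constructed stand-in for a DHCP request: chaddr plus the option codes present."""
    chaddr: str
    options: Set[int] = field(default_factory=set)


@dataclass
class UserClass:
    """One 'dhcp class' with an optional option rule and an optional hardware-address rule."""
    name: str
    require_option: Optional[int] = None   # 'if-match rule N option <code>'
    hw_value: Optional[bytes] = None       # 'if-match rule N hardware-address <value> mask <mask>'
    hw_mask: Optional[bytes] = None

    def matches(self, req: Request) -> bool:
        if self.require_option is not None and self.require_option not in req.options:
            return False
        if self.hw_mask is not None:
            hw = mac_bytes(req.chaddr)
            # Compare only the bits selected by the mask, byte by byte.
            if any((h & m) != (v & m) for h, m, v in zip(hw, self.hw_mask, self.hw_value)):
                return False
        return True


@dataclass
class Pool:
    """Address pool with per-class ranges (assumed evaluated in configuration order)
    and an optional class whitelist ('verify class' plus 'valid class' entries)."""
    default_range: Tuple[str, str]
    class_ranges: List[Tuple[UserClass, str, str]] = field(default_factory=list)
    valid_classes: Optional[List[UserClass]] = None   # None = whitelist not enabled


def is_allowed(pool: Pool, req: Request) -> bool:
    """Whitelist check: with the whitelist on, only clients matching a valid class are served."""
    if pool.valid_classes is None:
        return True
    return any(c.matches(req) for c in pool.valid_classes)


def select_range(pool: Pool, req: Request) -> Optional[Tuple[Optional[str], str, str]]:
    """Return (class name or None, first, last) for the request, or None if it is refused."""
    if not is_allowed(pool, req):
        return None
    for cls, first, last in pool.class_ranges:
        if cls.matches(req):
            return (cls.name, first, last)
    return (None, *pool.default_range)


# Classes and pool aa from the user class example.
CLASS_TT = UserClass("tt", require_option=82)
CLASS_SS = UserClass("ss", hw_value=mac_bytes("aabb-aabb-aab0"), hw_mask=mac_bytes("ffff-ffff-fff0"))
POOL_AA = Pool(("10.10.1.2", "10.10.1.100"),
               [(CLASS_TT, "10.10.1.2", "10.10.1.10"), (CLASS_SS, "10.10.1.11", "10.10.1.26")])

# Whitelist pool from the user class whitelist example; the fallback range is a constructed value.
CLASS_SS_WL = UserClass("ss", hw_value=mac_bytes("aabb-aabb-0000"), hw_mask=mac_bytes("ffff-ffff-0000"))
POOL_WL = Pool(("10.1.1.2", "10.1.1.254"), valid_classes=[CLASS_SS_WL])

if __name__ == "__main__":
    print(select_range(POOL_AA, Request("0011-2233-4455", {82})))   # tt range
    print(select_range(POOL_AA, Request("aabb-aabb-aab1")))         # ss range
    print(select_range(POOL_WL, Request("0011-2233-4455")))         # None: refused
```

Note that a client carrying Option 82 whose chaddr also matches class ss is placed in the tt range here because tt is listed first; if the device evaluates classes in a different order, the model's `class_ranges` order is the knob to change.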

Primary and secondary subnets configuration example

Network requirements

As shown in Figure 19, the DHCP server (AC) dynamically assigns IP addresses to clients in the LAN.

Configure two subnets in the address pool on the DHCP server: 10.1.1.0/24 as the primary subnet and 10.1.2.0/24 as the secondary subnet. The DHCP server selects IP addresses from the secondary subnet when the primary subnet has no assignable addresses.

The AC also assigns the following parameters:

·     The default gateway 10.1.1.254/24 to clients on subnet 10.1.1.0/24.

·     The default gateway 10.1.2.254/24 to clients on subnet 10.1.2.0/24.

Figure 19 Network diagram

 

Configuration procedure

# Configure basic settings on the AC. For more information, see WLAN Configuration Guide.

# Enable DHCP.

<AC> system-view

[AC] dhcp enable

# Configure the primary and secondary IP addresses of VLAN-interface 10.

[AC] interface vlan-interface 10

[AC-Vlan-interface10] ip address 10.1.1.1 24

[AC-Vlan-interface10] ip address 10.1.2.1 24 sub

# Enable the DHCP server on VLAN-interface 10.

[AC-Vlan-interface10] dhcp select server

[AC-Vlan-interface10] quit

# Create DHCP address pool aa.

[AC] dhcp server ip-pool aa

# Specify the primary subnet and the gateway for dynamic allocation.

[AC-dhcp-pool-aa] network 10.1.1.0 mask 255.255.255.0

[AC-dhcp-pool-aa] gateway-list 10.1.1.254

# Specify the secondary subnet and the gateway for dynamic allocation.

[AC-dhcp-pool-aa] network 10.1.2.0 mask 255.255.255.0 secondary

[AC-dhcp-pool-aa-secondary] gateway-list 10.1.2.254

[AC-dhcp-pool-aa-secondary] quit

[AC-dhcp-pool-aa] quit

Verifying the configuration

# Verify that the DHCP server assigns clients IP addresses and gateway address from the secondary subnet when no address is available from the primary subnet. (Details not shown.)

# Display the primary and secondary subnet IP addresses the DHCP server has assigned. The following is part of the command output.

[AC] display dhcp server ip-in-use

IP address       Client identifier/    Lease expiration      Type

                 Hardware address

10.1.1.2         0031-3865-392e-6262-  Jan 14 22:25:03 2015  Auto(C)

                 3363-2e30-3230-352d-

                 4745-302f-30

10.1.2.2         3030-3030-2e30-3030-  Jan 14 22:25:03 2015  Auto(C)

                 662e-3030-3033-2d45-

                 7568-6572-1e

DHCP option customization configuration example

Network requirements

As shown in Figure 20, the DHCP server (the device) assigns an IP address, the AC address, a gateway address, and a DNS server address to the AP. Configure the DHCP server as follows:

·     Create an address pool, specify the subnet 10.1.1.0/24, and configure the address lease duration as 10 days.

·     Specify the gateway address and the DNS server address as 10.1.1.1 and 20.1.1.1.

·     Configure Option 43. Specify the AC address as 10.1.1.3. The formats of Option 43 and the PXE server address sub-option are shown in Figure 11 and Figure 13. The value of Option 43 configured on the DHCP server in this example is 80 07 00 00 01 0A 01 01 03.

    - The number 80 is the value of the sub-option type.

    - The number 07 is the value of the sub-option length.

    - The numbers 00 00 are the value of the PXE server type.

    - The number 01 indicates the number of servers.

    - The numbers 0A 01 01 03 indicate that the IP address of the AC is 10.1.1.3.

·     To avoid address conflicts, exclude the IP addresses 10.1.1.1 and 10.1.1.3 of the gateway and the AC from dynamic allocation.
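The hex string 80 07 00 00 01 0A 01 01 03 is a type-length-value encoding, and getting the length byte and server count right by hand is where typos creep in. The following Python helper, added here as an illustration and not code from the H3C guide or the device, builds the Option 43 value from a list of AC addresses using the layout the bullets above describe (type 0x80, length, 2-byte PXE server type, 1-byte server count, 4 bytes per address) and parses it back, checking that the length and count agree with the data. It generalises the single-server case in the example to several servers; the function names are assumptions, and the parser decodes only the PXE server sub-option and skips other sub-option types.

```python
import ipaddress
import struct

PXE_SERVER_SUBOPT = 0x80  # sub-option type used in the example (decimal 128)


def build_option43(servers, server_type=0):
    """Return the Option 43 value bytes for the given list of AC/PXE server IPv4 addresses."""
    addrs = [ipaddress.IPv4Address(s) for s in servers]
    if not 1 <= len(addrs) <= 255:
        raise ValueError("server count must be between 1 and 255")
    body = struct.pack("!HB", server_type, len(addrs))      # 2-byte server type, 1-byte count
    body += b"".join(a.packed for a in addrs)               # 4 bytes per server
    if len(body) > 255:
        raise ValueError("sub-option payload exceeds 255 bytes")
    return bytes([PXE_SERVER_SUBOPT, len(body)]) + body     # type, length, value


def option43_hex(servers, server_type=0):
    """Hex string in the form the 'option 43 hex' command accepts."""
    return build_option43(servers, server_type).hex().upper()


def parse_option43(data):
    """Walk the TLV list in an Option 43 value and decode PXE server sub-options.

    Returns a list of (server_type, [ip, ...]) tuples. Unknown sub-option types are
    skipped. Raises ValueError if a length byte or the server count does not agree
    with the bytes actually present.
    """
    out = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option length runs past end of option")
        i += 2 + length
        if code != PXE_SERVER_SUBOPT:
            continue
        if length < 3:
            raise ValueError("PXE server sub-option too short")
        server_type, count = struct.unpack("!HB", value[:3])
        addr_bytes = value[3:]
        if len(addr_bytes) != 4 * count:
            raise ValueError("server count does not match the address bytes present")
        ips = [str(ipaddress.IPv4Address(addr_bytes[k:k + 4]))
               for k in range(0, len(addr_bytes), 4)]
        out.append((server_type, ips))
    return out


if __name__ == "__main__":
    value = option43_hex(["10.1.1.3"])
    print(value)                                   # 80070000010A010103
    print(parse_option43(bytes.fromhex(value)))    # [(0, ['10.1.1.3'])]
```

Running the parser over a value copied from a running configuration is a quick way to confirm that the AC address an AP will receive is the intended one.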

Figure 20 Network diagram

 

Configuration procedure

1.     Specify an IP address for GigabitEthernet 1/0/1 on the device.

<Device> system-view

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] ip address 10.1.1.2 24

[Device-GigabitEthernet1/0/1] quit

2.     Configure the DHCP server:

# Enable DHCP.

[Device] dhcp enable

# Enable the DHCP server on GigabitEthernet 1/0/1.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] dhcp select server

[Device-GigabitEthernet1/0/1] quit

# Exclude the gateway address and the AC address from dynamic allocation.

[Device] dhcp server forbidden-ip 10.1.1.1

[Device] dhcp server forbidden-ip 10.1.1.3

# Configure DHCP address pool 0 for dynamic allocation.

[Device] dhcp server ip-pool 0

# Specify the assignable subnet as 10.1.1.0/24 and the address lease duration as ten days.

[Device-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0

[Device-dhcp-pool-0] expired day 10

# Specify the gateway address as 10.1.1.1 and the DNS server address as 20.1.1.1.

[Device-dhcp-pool-0] gateway-list 10.1.1.1

[Device-dhcp-pool-0] dns-list 20.1.1.1

# Specify the AC address as 10.1.1.3.

[Device-dhcp-pool-0] option 43 hex 80070000010A010103

Verifying the configuration

# Verify that the AP can obtain an IP address and all other network parameters from the device. (Details not shown.)

# On the DHCP server, display the IP address assigned to the AP.

[Device] display dhcp server ip-in-use

Troubleshooting DHCP server configuration

Failure to obtain a non-conflicting IP address

Symptom

A client's IP address obtained from the DHCP server conflicts with another IP address.

Solution

Another host on the subnet might have the same IP address.

To resolve the problem:

1.     Disable the client's network adapter or disconnect the client's network cable. Ping the IP address of the client from another host to check whether there is a host using the same IP address.

2.     If a ping response is received, the IP address has been manually configured on a host. Execute the dhcp server forbidden-ip command on the DHCP server to exclude the IP address from dynamic allocation.

3.     Enable the network adapter or connect the network cable, release the IP address, and obtain another one on the client. For example, to release the IP address and obtain another one on a Windows XP DHCP client:

a.     In the Windows environment, execute the cmd command to open a command prompt (DOS) window.

b.     Enter ipconfig /release to relinquish the IP address.

c.     Enter ipconfig /renew to obtain another IP address.


Configuring the DHCP relay agent

Overview

The DHCP relay agent enables clients to get IP addresses from a DHCP server on another subnet. This feature avoids deploying a DHCP server on each subnet, which centralizes management and reduces investment. Figure 21 shows a typical application of the DHCP relay agent.

Figure 21 DHCP relay agent application

 

Operation

The DHCP server and client interact with each other in the same way regardless of whether the relay agent exists. For the interaction details, see "IP address allocation process." The following only describes steps related to the DHCP relay agent:

1.     After receiving a DHCP-DISCOVER or DHCP-REQUEST broadcast message from a DHCP client, the DHCP relay agent processes the message as follows:

a.     Fills the giaddr field of the message with its IP address.

b.     Unicasts the message to the designated DHCP server.

2.     Based on the giaddr field, the DHCP server returns an IP address and other configuration parameters in a response.

3.     The relay agent conveys the response to the client.

Figure 22 DHCP relay agent operation

 

DHCP relay agent support for Option 82

Option 82 records the location information about the DHCP client. It enables the administrator to perform the following tasks:

·     Locate the DHCP client for security and accounting purposes.

·     Assign IP addresses in a specific range to clients.

For more information about Option 82, see "Relay agent option (Option 82)."

If the DHCP relay agent supports Option 82, it handles DHCP requests by following the strategies described in Table 3.

If a response returned by the DHCP server contains Option 82, the DHCP relay agent removes the Option 82 before forwarding the response to the client.

Table 3 Handling strategies of the DHCP relay agent

If a DHCP request has...   Handling strategy   The DHCP relay agent...
Option 82                  Drop                Drops the message.
                           Keep                Forwards the message without changing Option 82.
                           Replace             Forwards the message after replacing the original Option 82 with the Option 82 padded according to the configured padding format, padding content, and code type.
No Option 82               N/A                 Forwards the message after adding Option 82 padded according to the configured padding format, padding content, and code type.
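The relay steps in "Operation" and the strategies in Table 3 combine into one small decision procedure on the client-to-server path, plus a stripping step on the way back. The following Python model, added here as an illustration and not code from the H3C guide or the device, shows both paths: giaddr is filled when it is still zero, a request carrying Option 82 is dropped, kept or replaced according to the configured strategy, a request without Option 82 gets one added, and Option 82 is removed from the server's reply before it reaches the client. Messages are represented by a small dataclass rather than the DHCP wire format, and the Circuit ID and Remote ID contents passed in are constructed placeholders, not the device's padding formats; the dataclass and function names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

OPT_RELAY_AGENT = 82      # Relay agent information option
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


@dataclass
class DhcpMessage:
    """Constructed stand-in for a DHCP message: operation, giaddr and a code -> value option map."""
    op: str                                  # "DISCOVER", "REQUEST", "OFFER", "ACK", ...
    giaddr: str = "0.0.0.0"
    options: Dict[int, bytes] = field(default_factory=dict)


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode the Circuit ID and Remote ID sub-options as a TLV list (RFC 3046 layout)."""
    for v in (circuit_id, remote_id):
        if len(v) > 255:
            raise ValueError("sub-option value exceeds 255 bytes")
    return (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)


def relay_client_to_server(msg: DhcpMessage, relay_ip: str, strategy: str = "replace",
                           circuit_id: bytes = b"", remote_id: bytes = b"") -> Optional[DhcpMessage]:
    """Return the message to unicast to the server, or None when the strategy drops it.

    strategy is one of "drop", "keep" or "replace", as in Table 3; "replace" is the default.
    """
    if strategy not in ("drop", "keep", "replace"):
        raise ValueError("unknown Option 82 strategy: %r" % strategy)
    out = DhcpMessage(msg.op, msg.giaddr, dict(msg.options))
    # Only the first relay hop fills giaddr; a non-zero giaddr is left alone (RFC 2131, 4.1).
    if out.giaddr == "0.0.0.0":
        out.giaddr = relay_ip
    if OPT_RELAY_AGENT in out.options:
        if strategy == "drop":
            return None
        if strategy == "keep":
            return out
    # "replace" on a tagged request, or any strategy on an untagged one: insert our Option 82.
    out.options[OPT_RELAY_AGENT] = build_option82(circuit_id, remote_id)
    return out


def relay_server_to_client(msg: DhcpMessage) -> DhcpMessage:
    """Strip Option 82 from the server's reply before forwarding it to the client."""
    out = DhcpMessage(msg.op, msg.giaddr, dict(msg.options))
    out.options.pop(OPT_RELAY_AGENT, None)
    return out


if __name__ == "__main__":
    discover = DhcpMessage("DISCOVER")
    fwd = relay_client_to_server(discover, "10.1.1.1", "replace", b"vlan10", b"\x00\x11\x22\x33\x44\x55")
    print(fwd.giaddr, fwd.options[OPT_RELAY_AGENT].hex())
    tagged = DhcpMessage("REQUEST", options={OPT_RELAY_AGENT: b"\x01\x01X"})
    print(relay_client_to_server(tagged, "10.1.1.1", "drop"))          # None
    offer = DhcpMessage("OFFER", "10.1.1.1", {OPT_RELAY_AGENT: b"\x01\x01X", 53: b"\x02"})
    print(relay_server_to_client(offer).options)                       # {53: b'\x02'}
```

The model makes the security consequence of the default visible: with "replace", whatever Option 82 a client inserts itself is overwritten by the relay agent's own circuit and remote identifiers, which is why the guide ties the padding settings to the replace strategy only.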

 

DHCP relay agent configuration task list

Tasks at a glance

(Required.) Enabling DHCP

(Required.) Enabling the DHCP relay agent on an interface

(Required.) Specifying DHCP servers on a relay agent

(Optional.) Configuring the DHCP relay agent security features

(Optional.) Configuring the DHCP relay agent to release an IP address

(Optional.) Configuring Option 82

(Optional.) Setting the DSCP value for DHCP packets sent by the DHCP relay agent

(Optional.) Enabling DHCP server proxy on a DHCP relay agent

(Optional.) Configuring a DHCP relay address pool

(Optional.) Specifying a gateway address for DHCP clients

(Optional.) Enabling client offline detection on the DHCP relay agent

(Optional.) Configuring the DHCP smart relay feature

 

Enabling DHCP

You must enable DHCP to validate other DHCP relay agent settings.

To enable DHCP:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable DHCP.
   Command: dhcp enable
   Remarks: By default, DHCP is disabled.

 

Enabling the DHCP relay agent on an interface

With the DHCP relay agent enabled, an interface forwards incoming DHCP requests to a DHCP server.

An IP address pool that contains the IP address of the DHCP relay interface must be configured on the DHCP server. Otherwise, the DHCP clients connected to the relay agent cannot obtain correct IP addresses.

To enable the DHCP relay agent on an interface:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

3. Enable the DHCP relay agent.
   Command: dhcp select relay
   Remarks: By default, when DHCP is enabled, an interface operates in the DHCP server mode.

 

Specifying DHCP servers on a relay agent

To improve availability, you can specify several DHCP servers on the DHCP relay agent. When the interface receives request messages from clients, the relay agent forwards them to all DHCP servers.

Follow these guidelines when you specify a DHCP server address on a relay agent:

·     The IP address of any specified DHCP server must not reside on the same subnet as the IP address of the relay interface. Otherwise, the clients might fail to obtain IP addresses.

·     You can specify a maximum of eight DHCP servers.

To specify a DHCP server address on a relay agent:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

3. Specify a DHCP server address on the relay agent.
   Command: dhcp relay server-address ip-address
   Remarks: By default, no DHCP server address is specified on the relay agent.

 

Configuring the DHCP relay agent security features

Enabling the DHCP relay agent to record relay entries

Perform this task to enable the DHCP relay agent to automatically record clients' IP-to-MAC bindings (relay entries) after they obtain IP addresses through DHCP.

Some security features use the relay entries to check incoming packets and block packets that do not match any entry. In this way, unauthorized hosts cannot access external networks through the relay agent. Examples of such security features are ARP address check, authorized ARP, and IP source guard.

To enable the DHCP relay agent to record relay entries:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable the relay agent to record relay entries.
   Command: dhcp relay client-information record
   Remarks: By default, the relay agent does not record relay entries.

 

 

NOTE:

The DHCP relay agent does not record IP-to-MAC bindings for DHCP clients running on synchronous/asynchronous serial interfaces.

 

Enabling periodic refresh of dynamic relay entries

A DHCP client unicasts a DHCP-RELEASE message to the DHCP server to release its IP address. The DHCP relay agent conveys the message to the DHCP server but does not remove the IP-to-MAC entry of the client.

With this feature, the DHCP relay agent uses the following information to periodically send a DHCP-REQUEST message to the DHCP server:

·     The IP address of a relay entry.

·     The MAC address of the DHCP relay interface.

The relay agent maintains the relay entries depending on what it receives from the DHCP server:

·     If the server returns a DHCP-ACK message or does not return any message within an interval, the DHCP relay agent removes the relay entry. In addition, upon receiving the DHCP-ACK message, the relay agent sends a DHCP-RELEASE message to release the IP address.

·     If the server returns a DHCP-NAK message, the relay agent keeps the relay entry.

To enable periodic refresh of dynamic relay entries:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable periodic refresh of dynamic relay entries.
   Command: dhcp relay client-information refresh enable
   Remarks: By default, periodic refresh of dynamic relay entries is enabled.

3. Set the refresh interval.
   Command: dhcp relay client-information refresh [ auto | interval interval ]
   Remarks: By default, the refresh interval is auto, which is calculated based on the total number of relay entries.

 

Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system resources. The following methods are available to relieve or prevent such attacks.

·     To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, you can use one of the following methods:

    - Limit the number of ARP entries that a Layer 3 interface can learn.

    - Set the MAC learning limit for a Layer 2 port, and disable unknown frame forwarding when the MAC learning limit is reached.

·     To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, you can enable MAC address check on the DHCP relay agent. The DHCP relay agent compares the chaddr field of a received DHCP request with the source MAC address in the frame header. If they are the same, the DHCP relay agent forwards the request to the DHCP server. If not, the relay agent discards the request.

Enable MAC address check only on the DHCP relay agent directly connected to the DHCP clients. A DHCP relay agent changes the source MAC address of DHCP packets before sending them.

A MAC address check entry has an aging time. When the aging time expires, both of the following occur:

·     The entry ages out.

·     The DHCP relay agent rechecks the validity of DHCP requests sent from the MAC address in the entry.
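The MAC address check described above is a per-source-MAC cache of a single comparison (frame source MAC against the DHCP chaddr field) that is re-evaluated once the entry ages out. The following Python model, added here as an illustration and not code from the H3C guide or the device, implements that behaviour over a constructed sequence of frames with a controllable clock so the aging step can be observed: a request whose chaddr does not match the frame's source MAC is refused, the verdict is held for the aging time, and after expiry the next request from that MAC is checked afresh. The 30-second default comes from the command table below; the class, the cache layout and the frame representation are assumptions.

```python
import time
from typing import Callable, Dict, List, Tuple

DEFAULT_AGING_SECONDS = 30.0   # default aging time of a MAC address check entry


class MacAddressCheck:
    """Relay-side chaddr vs. source-MAC check with aging entries, as the text describes."""

    def __init__(self, aging_time: float = DEFAULT_AGING_SECONDS,
                 clock: Callable[[], float] = time.monotonic):
        self.aging_time = aging_time
        self.clock = clock
        # source MAC -> (verdict, time the verdict was recorded)
        self.entries: Dict[bytes, Tuple[bool, float]] = {}

    def _expire(self, now: float) -> None:
        """Drop entries whose aging time has elapsed so their MACs are rechecked."""
        for mac, (_, recorded) in list(self.entries.items()):
            if now - recorded >= self.aging_time:
                del self.entries[mac]

    def should_forward(self, src_mac: bytes, chaddr: bytes) -> bool:
        """Return True if the request should be forwarded to the DHCP server."""
        now = self.clock()
        self._expire(now)
        if src_mac in self.entries:
            # Existing entry: the recorded verdict applies until the entry ages out.
            return self.entries[src_mac][0]
        valid = src_mac == chaddr      # the only check: frame source MAC equals chaddr
        self.entries[src_mac] = (valid, now)
        return valid


class FakeClock:
    """Manually advanced clock so the aging behaviour can be demonstrated without sleeping."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def run_demo() -> List[bool]:
    """Feed constructed frames through the check and return the forwarding decisions."""
    clk = FakeClock()
    check = MacAddressCheck(DEFAULT_AGING_SECONDS, clk)
    host_a = bytes.fromhex("001122334455")
    host_b = bytes.fromhex("aabbccddeeff")
    forged = bytes.fromhex("0a0b0c0d0e0f")
    decisions = []
    decisions.append(check.should_forward(host_a, host_a))   # t=0: consistent, forwarded
    decisions.append(check.should_forward(host_b, forged))   # t=0: chaddr mismatch, refused
    clk.t = 10.0
    decisions.append(check.should_forward(host_b, host_b))   # t=10: entry still valid, refused
    clk.t = 40.0
    decisions.append(check.should_forward(host_b, host_b))   # t=40: entry aged out, rechecked, forwarded
    return decisions


if __name__ == "__main__":
    print(run_demo())   # [True, False, False, True]
```

The demo also shows the operational trade-off of the aging time: a longer value holds a refusal longer, and a host whose first request was malformed waits that long before being rechecked.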

To enable MAC address check:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Set the aging time for MAC address check entries.
   Command: dhcp relay check mac-address aging-time time
   Remarks: The default aging time is 30 seconds. This command takes effect only after you execute the dhcp relay check mac-address command.

3. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

4. Enable MAC address check.
   Command: dhcp relay check mac-address
   Remarks: By default, MAC address check is disabled.

 

Configuring the DHCP relay agent to release an IP address

Configure the relay agent to release the IP address for a relay entry. The relay agent sends a DHCP-RELEASE message to the server and meanwhile deletes the relay entry. Upon receiving the DHCP-RELEASE message, the DHCP server releases the IP address.

To configure the DHCP relay agent to release an IP address:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Configure the DHCP relay agent to release an IP address.
   Command: dhcp relay release ip client-ip
   Remarks: This command can release only the IP addresses in the recorded relay entries.

 

Configuring Option 82

Follow these guidelines when you configure Option 82:

·     To support Option 82, you must perform related configuration on both the DHCP server and relay agent. For DHCP server Option 82 configuration, see "Enabling handling of Option 82."

·     If the handling strategy is replace, configure a padding mode and padding format for Option 82. If the handling strategy is keep or drop, you do not need to configure any padding mode or padding format for Option 82. The settings do not take effect even if you configure them.

·     The device name (sysname) must not include spaces if it is configured as the padding content for sub-option 1. Otherwise, the DHCP relay agent will fail to add or replace Option 82.

To configure Option 82:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

3. Enable the relay agent to handle Option 82.
   Command: dhcp relay information enable
   Remarks: By default, handling of Option 82 is disabled.

4. (Optional.) Configure the strategy for handling DHCP requests that contain Option 82.
   Command: dhcp relay information strategy { drop | keep | replace }
   Remarks: By default, the handling strategy is replace.

5. (Optional.) Configure the padding mode and padding format for the Circuit ID sub-option.
   Command: dhcp relay information circuit-id { bas | string circuit-id | { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] [ interface ] } [ format { ascii | hex } ] }
   Remarks: By default, the padding mode for the Circuit ID sub-option is normal, and the padding format is hex.

6. (Optional.) Configure the padding mode and padding format for the Remote ID sub-option.
   Command: dhcp relay information remote-id { { ap-mac | ap-mac-ssid | normal } [ format { ascii | hex } ] | ap-name | ap-name-ssid | string remote-id | sysname }
   Remarks: By default, the padding mode for the Remote ID sub-option is normal, and the padding format is hex.

 

Setting the DSCP value for DHCP packets sent by the DHCP relay agent

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.

To set the DSCP value for DHCP packets sent by the DHCP relay agent:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Set the DSCP value for DHCP packets sent by the DHCP relay agent.
   Command: dhcp dscp dscp-value
   Remarks: By default, the DSCP value in DHCP packets sent by the DHCP relay agent is 56.

 

Enabling DHCP server proxy on a DHCP relay agent

The DHCP server proxy feature isolates DHCP servers from DHCP clients and protects DHCP servers against attacks.

Upon receiving a response from the server, the DHCP server proxy replaces the server's IP address with the relay interface's IP address before sending the response to the client. As a result, the DHCP client sees the DHCP relay agent as its DHCP server.

To configure DHCP server proxy on a DHCP relay agent:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

3. Enable DHCP relay agent and DHCP server proxy on the interface.
   Command: dhcp select relay proxy
   Remarks: By default, the interface operates in DHCP server mode.

 

Configuring a DHCP relay address pool

This feature allows DHCP clients of the same type to obtain IP addresses and other configuration parameters from the DHCP servers specified in the matching relay address pool.

It applies to scenarios where the DHCP relay agent connects to clients of the same access type that are classified into different types by their locations, for example, an IPoE network. In this case, the relay interface typically has no IP address configured. You can use the gateway-list command to specify the gateway address for clients matching the same relay address pool and bind the gateway address to the device's MAC address.

Upon receiving a DHCP DISCOVER or REQUEST from a client that matches a relay address pool, the relay agent processes the packet as follows:

·     Fills the giaddr field of the packet with the specified gateway address.

·     Forwards the packet to all DHCP servers in the matching relay address pool.

The DHCP servers select an address pool according to the gateway address.

If PPPoE users are in the network, follow these restrictions and guidelines when you configure the relay address pool:

·     Enable the DHCP relay agent to record DHCP relay entries by using the dhcp relay client-information record command. When a PPPoE user goes offline, the DHCP relay agent can then find the matching relay entry and send a DHCP-RELEASE message to the DHCP server, so the DHCP server learns of the address release promptly.

·     The remote-server command also configures the device as a DHCP relay agent. You do not need to enable the DHCP relay agent by using the dhcp select relay command.

To configure a DHCP relay address pool:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a DHCP relay address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP relay address pool exists. This command is the same as the command for creating DHCP address pools on a DHCP server. However, the relay address pool names are not necessarily the same as the server address pool names.

3. Specify gateway addresses for the clients matching the relay address pool.
   Command: gateway-list ip-address&<1-64> [ export-route ]
   Remarks: By default, no gateway address is specified.

4. Specify DHCP servers for the relay address pool.
   Command: remote-server ip-address&<1-8>
   Remarks: By default, no DHCP server is specified for the relay address pool. You can specify a maximum of eight DHCP servers for one relay address pool for high availability. The relay agent forwards DHCP DISCOVER and REQUEST packets to all DHCP servers in the relay address pool.

 

Specifying a gateway address for DHCP clients

By default, the DHCP relay agent fills the giaddr field of DHCP DISCOVER and REQUEST packets with the primary IP address of the relay interface. You can specify a gateway address on the relay agent for DHCP clients. The DHCP relay agent uses the specified gateway address to fill the giaddr field of DHCP DISCOVER and REQUEST packets.

To specify a gateway address for DHCP clients:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

3. Specify a gateway address for DHCP clients.
   Command: dhcp relay gateway ip-address
   Remarks: By default, the DHCP relay agent uses the primary IP address of the relay interface as the clients' gateway address.

 

Enabling client offline detection on the DHCP relay agent

When an ARP entry ages out, the client offline detection feature deletes the relay entry for the IP address and sends a RELEASE message to the DHCP server. The feature does not function if an ARP entry is manually deleted.

To enable client offline detection on the DHCP relay agent:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable the relay agent to record relay entries.
   Command: dhcp relay client-information record
   Remarks: By default, the relay agent does not record relay entries. Without relay entries, client offline detection cannot function correctly.

3. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

4. Enable the DHCP relay agent.
   Command: dhcp select relay
   Remarks: By default, when DHCP is enabled, an interface operates in DHCP server mode.

5. Enable client offline detection.
   Command: dhcp client-detect
   Remarks: By default, client offline detection is disabled on the DHCP relay agent.

 

Configuring the DHCP smart relay feature

The DHCP smart relay feature allows the DHCP relay agent to pad the giaddr field with its secondary IP addresses when the DHCP server does not send back a DHCP-OFFER message.

The relay agent initially pads its primary IP address to the giaddr field before forwarding a request to the DHCP server. If no DHCP-OFFER is received, the relay agent allows the client to send a maximum of two requests to the DHCP server by using the primary IP address. If no DHCP-OFFER is returned after two retries, the relay agent switches to a secondary IP address. If the DHCP server still does not respond, the next secondary IP address is used. After the secondary IP addresses are all tried and the DHCP server does not respond, the relay agent repeats the process by starting from the primary IP address.

Without this feature, the relay agent only pads the primary IP address to the giaddr field of all requests.

On a relay agent where relay address pools and gateway addresses are configured, the smart relay feature starts the process from the first gateway address. For more information about the relay address pool configuration, see "Configuring a DHCP relay address pool."
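The following Python model is an added illustration of the giaddr rotation just described; it is not H3C code and not part of this guide. The address list is the relay interface's primary address followed by its secondary addresses (or, with relay address pools, the gateway-list addresses in order). The guide states two unanswered requests for the primary address but gives no count for the secondary addresses, so the model assumes the same count for every address, and it assumes that the process restarts from the primary address once a DHCP-OFFER arrives.

```python
from typing import List


class SmartRelay:
    """Chooses the giaddr for each DISCOVER/REQUEST the relay agent forwards.

    addresses: primary IP address first, then the secondary addresses (or the
    gateway-list addresses when relay address pools are used).
    attempts_per_address: assumption, see the lead-in; the guide gives two
    requests for the primary address and no count for secondary addresses."""

    def __init__(self, addresses: List[str], attempts_per_address: int = 2, enabled: bool = True):
        if not addresses:
            raise ValueError("at least the primary address is required")
        if attempts_per_address < 1:
            raise ValueError("attempts_per_address must be >= 1")
        self.addresses = list(addresses)
        self.attempts_per_address = attempts_per_address
        self.enabled = enabled
        self._index = 0        # position of the address currently padded into giaddr
        self._unanswered = 0   # requests sent with that address and still unanswered

    def giaddr_for_next_request(self) -> str:
        """Return the giaddr for the next request and account for that request."""
        if not self.enabled:
            # Without smart relay the primary address is padded into every request.
            return self.addresses[0]
        if self._unanswered >= self.attempts_per_address:
            # Retries at the current address are exhausted: move to the next one,
            # wrapping around to the primary address after the last secondary.
            self._index = (self._index + 1) % len(self.addresses)
            self._unanswered = 0
        self._unanswered += 1
        return self.addresses[self._index]

    def offer_received(self) -> None:
        """Assumption for this model: after a DHCP-OFFER arrives, subsequent
        requests start again from the primary address."""
        self._index = 0
        self._unanswered = 0


def giaddr_sequence(relay: SmartRelay, unanswered_requests: int) -> List[str]:
    """giaddr values used for n consecutive requests that receive no DHCP-OFFER."""
    return [relay.giaddr_for_next_request() for _ in range(unanswered_requests)]
```

With a primary address and two secondary addresses, eight unanswered requests cycle through primary, primary, first secondary, first secondary, second secondary, second secondary, and then back to the primary address; with the feature disabled every request carries the primary address.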

To configure the DHCP smart relay feature for a DHCP server's network:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

3. Enable the DHCP relay agent.
   Command: dhcp select relay
   Remarks: By default, an interface operates in DHCP server mode when DHCP is enabled.

4. Assign primary and secondary IP addresses to the DHCP relay agent.
   Command: ip address ip-address { mask-length | mask } [ sub ]
   Remarks: By default, the DHCP relay agent does not have any IP addresses.

5. Return to system view.
   Command: quit
   Remarks: N/A

6. Enable the DHCP smart relay feature.
   Command: dhcp smart-relay enable
   Remarks: By default, the DHCP smart relay feature is disabled.

 

To configure the DHCP smart relay feature for a network with relay address pools configured:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

3. Enable the DHCP relay agent.
   Command: dhcp select relay
   Remarks: By default, an interface operates in DHCP server mode when DHCP is enabled.

4. Return to system view.
   Command: quit
   Remarks: N/A

5. Create a DHCP relay address pool and enter its view.
   Command: dhcp server ip-pool pool-name
   Remarks: By default, no DHCP relay address pool exists. This command is the same as the command for creating DHCP address pools on a DHCP server. However, the relay address pool names are not necessarily the same as the server address pool names.

6. Specify gateway addresses for the clients matching the relay address pool.
   Command: gateway-list ip-address&<1-64> [ export-route ]
   Remarks: By default, the relay address pool does not have any gateway addresses.

7. Specify DHCP servers for the relay address pool.
   Command: remote-server ip-address&<1-8>
   Remarks: By default, the relay address pool does not have any DHCP server IP addresses. You can specify a maximum of eight DHCP servers for one relay address pool for high availability. The relay agent forwards DHCP-DISCOVER and DHCP-REQUEST packets to all DHCP servers in the relay address pool.

8. Return to system view.
   Command: quit
   Remarks: N/A

9. Enable the DHCP smart relay feature.
   Command: dhcp smart-relay enable
   Remarks: By default, the DHCP smart relay feature is disabled.

 

Displaying and maintaining the DHCP relay agent

Execute display commands in any view and reset commands in user view.

 

Task: Display information about DHCP servers on an interface.
   Command: display dhcp relay server-address [ interface interface-type interface-number ]

Task: Display Option 82 configuration information on the DHCP relay agent.
   Command: display dhcp relay information [ interface interface-type interface-number ]

Task: Display relay entries on the DHCP relay agent.
   Command: display dhcp relay client-information [ interface interface-type interface-number | ip ip-address ]

Task: Display packet statistics on the DHCP relay agent.
   Command: display dhcp relay statistics [ interface interface-type interface-number ]

Task: Display MAC address check entries on the DHCP relay agent.
   Command: display dhcp relay check mac-address

Task: Clear relay entries on the DHCP relay agent.
   Command: reset dhcp relay client-information [ interface interface-type interface-number | ip ip-address ]

Task: Clear packet statistics on the DHCP relay agent.
   Command: reset dhcp relay statistics [ interface interface-type interface-number ]

 

DHCP relay agent configuration example

Network requirements

As shown in Figure 23, configure the DHCP relay agent on the AC. The DHCP relay agent enables DHCP clients to obtain IP addresses and other configuration parameters from the DHCP server on another subnet.

The DHCP relay agent and server are on different subnets. Configure static or dynamic routing to make them reachable to each other.

Perform the configuration on the DHCP server to guarantee the client-server communication. For DHCP server configuration information, see "DHCP server configuration examples."

Figure 23 Network diagram

 

Configuration procedure

# Assign IP addresses to the interfaces. (Details not shown.)

# Configure basic settings on the AC. For more information, see WLAN Configuration Guide.

# Enable DHCP.

<AC> system-view

[AC] dhcp enable

# Enable the DHCP relay agent on VLAN-interface 10.

[AC] interface vlan-interface 10

[AC-Vlan-interface10] dhcp select relay

# Specify the IP address of the DHCP server on the relay agent.

[AC-Vlan-interface10] dhcp relay server-address 10.1.1.1

Verifying the configuration

# Verify that DHCP clients can obtain IP addresses and all other network parameters from the DHCP server through the DHCP relay agent. (Details not shown.)

# Display the statistics of DHCP packets forwarded by the DHCP relay agent.

[AC] display dhcp relay statistics

# Display relay entries if you have enabled relay entry recording on the DHCP relay agent.

[AC] display dhcp relay client-information

Troubleshooting DHCP relay agent configuration

Failure of DHCP clients to obtain configuration parameters through the DHCP relay agent

Symptom

DHCP clients cannot obtain configuration parameters through the DHCP relay agent.

Solution

Some problems might occur with the DHCP relay agent or server configuration.

To locate the problem, enable debugging and execute the display command on the DHCP relay agent to view the debugging information and interface state information.

Check that:

·     DHCP is enabled on the DHCP server and relay agent.

·     The DHCP server has an address pool on the same subnet as the DHCP clients.

·     The DHCP server and DHCP relay agent can reach each other.

·     The DHCP server address specified on the DHCP relay interface connected to the DHCP clients is correct.


Configuring the DHCP client

With DHCP client enabled, an interface uses DHCP to obtain configuration parameters from the DHCP server, for example, an IP address.

The DHCP client configuration is supported only on Layer 3 Ethernet interfaces (or subinterfaces), VLAN interfaces, and Layer 3 aggregate interfaces.

Enabling the DHCP client on an interface

Follow these guidelines when you enable the DHCP client on an interface:

·     On some device models, if the number of IP address request failures reaches the system-defined amount, the DHCP client-enabled interface uses a default IP address.

·     An interface can be configured to acquire an IP address in multiple ways. The new configuration overwrites the old.

·     Secondary IP addresses cannot be configured on an interface that is enabled with the DHCP client.

·     If the interface obtains an IP address on the same segment as another interface on the device, the interface does not use the assigned address. Instead, it requests a new IP address from the DHCP server.

To enable the DHCP client on an interface:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

3. Configure an interface to use DHCP for IP address acquisition.
   Command: ip address dhcp-alloc
   Remarks: By default, an interface does not use DHCP for IP address acquisition.

 

Configuring a DHCP client ID for an interface

The DHCP client ID is carried in DHCP Option 61. A DHCP server can assign IP addresses to clients based on the DHCP client ID.

Make sure the IDs for different DHCP clients are unique.

To configure a DHCP client ID for an interface:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

3. Configure a DHCP client ID for the interface.
   Command: dhcp client identifier { ascii string | hex string | mac interface-type interface-number }
   Remarks: By default, an interface generates the DHCP client ID based on its MAC address. If the interface has no MAC address, it uses the MAC address of the first Ethernet interface to generate its client ID.

4. Verify the client ID configuration.
   Command: display dhcp client [ verbose ] [ interface interface-type interface-number ]
   Remarks: See the notes on the client ID type value that follow.

A DHCP client ID consists of an ID type and a type value. Each ID type has a fixed type value. Check the client ID fields in the command output to verify which type of client ID is used:

·     If an ASCII string is used as the client ID, the type value is 00.

·     If a hex string is used as the client ID, the type value is the first two characters in the string.

·     If the MAC address of an interface is used as the client ID, the type value is 01.
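The following Python functions are an added illustration of how the three client ID modes map to the type values listed above; they are not H3C code and not part of this guide. The example assumes the standard Option 61 layout (option code 61, a length byte, then the client identifier whose first byte is the type), that an ASCII client ID is sent with a leading 00 type byte, and that a hex client ID is sent exactly as configured, so its first byte is the type value shown in the display output.

```python
OPTION_CLIENT_ID = 61
TYPE_ASCII = 0x00   # ASCII string client ID: shown as type value 00
TYPE_MAC = 0x01     # Ethernet hardware-address client ID: shown as type value 01


def _mac_bytes(mac: str) -> bytes:
    # Accepts H3C style "0001-0203-0405" as well as colon-separated notation.
    raw = bytes.fromhex(mac.replace("-", "").replace(":", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw


def build_client_id(mode: str, value: str) -> bytes:
    """Return the Option 61 TLV for the ascii, hex or mac client ID mode (assumed layout)."""
    if mode == "ascii":
        ident = bytes([TYPE_ASCII]) + value.encode("ascii")
    elif mode == "hex":
        ident = bytes.fromhex(value)       # sent as configured: first byte is the type
        if not ident:
            raise ValueError("hex client ID must not be empty")
    elif mode == "mac":
        ident = bytes([TYPE_MAC]) + _mac_bytes(value)
    else:
        raise ValueError(f"unknown client ID mode {mode!r}")
    if len(ident) > 255:
        raise ValueError("client ID too long for a single DHCP option")
    return bytes([OPTION_CLIENT_ID, len(ident)]) + ident


def parse_client_id(tlv: bytes):
    """Split an Option 61 TLV into (type value as two hex digits, identifier bytes).

    The length byte is validated so a truncated or oversized option is rejected
    rather than misread."""
    if len(tlv) < 3 or tlv[0] != OPTION_CLIENT_ID:
        raise ValueError("not a client ID option")
    length = tlv[1]
    if length < 1 or len(tlv) != 2 + length:
        raise ValueError("option length does not match payload")
    ident = tlv[2:]
    return f"{ident[0]:02x}", ident[1:]


def describe_client_id(tlv: bytes) -> str:
    """Name the configured mode from the type value, as an operator would when
    reading display dhcp client output."""
    type_value, rest = parse_client_id(tlv)
    if type_value == "00":
        return "ascii:" + rest.decode("ascii", errors="replace")
    if type_value == "01" and len(rest) == 6:
        hexmac = rest.hex()
        return "mac:" + "-".join(hexmac[i:i + 4] for i in range(0, 12, 4))
    return f"hex(type {type_value}):{rest.hex()}"
```

An ASCII ID decodes with type value 00, a MAC-based ID with 01, and a hex ID such as 0a1b2c with its own first two characters, 0a.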

 

Enabling duplicate address detection

A DHCP client detects IP address conflicts through ARP packets. An attacker can pose as the owner of the IP address and send an ARP reply; this spoofing attack makes the client unable to use the IP address assigned by the server. H3C recommends that you disable duplicate address detection when ARP attacks exist on the network.

To enable duplicate address detection:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable duplicate address detection.
   Command: dhcp client dad enable
   Remarks: By default, the duplicate address detection feature is enabled on an interface.

 

Setting the DSCP value for DHCP packets sent by the DHCP client

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.

To set the DSCP value for DHCP packets sent by the DHCP client:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Set the DSCP value for DHCP packets sent by the DHCP client.
   Command: dhcp client dscp dscp-value
   Remarks: By default, the DSCP value in DHCP packets sent by the DHCP client is 56.

 

Displaying and maintaining the DHCP client

Execute display commands in any view.

 

Task: Display DHCP client information.
   Command: display dhcp client [ verbose ] [ interface interface-type interface-number ]

 


Configuring DHCP snooping

Overview

DHCP snooping works between the DHCP client and server, or between the DHCP client and DHCP relay agent. It guarantees that DHCP clients obtain IP addresses from authorized DHCP servers. Also, it records IP-to-MAC bindings of DHCP clients (called DHCP snooping entries) for security purposes.

DHCP snooping does not work between the DHCP server and DHCP relay agent.

DHCP snooping defines trusted and untrusted ports to make sure clients obtain IP addresses only from authorized DHCP servers.

·     Trusted—A trusted port can forward DHCP messages correctly to make sure the clients get IP addresses from authorized DHCP servers.

·     Untrusted—An untrusted port discards received DHCP-ACK and DHCP-OFFER messages to prevent unauthorized servers from assigning IP addresses.

DHCP snooping reads DHCP-ACK messages received from trusted ports and DHCP-REQUEST messages to create DHCP snooping entries. A DHCP snooping entry includes the MAC and IP addresses of a client, the port that connects to the DHCP client, and the VLAN.

The following features need to use DHCP snooping entries:

·     ARP fast-reply—Uses DHCP snooping entries to reduce ARP broadcast traffic. For more information, see "Configuring ARP fast-reply."

·     ARP detection—Uses DHCP snooping entries to filter ARP packets from unauthorized clients. For more information, see Security Configuration Guide.

·     IP source guard—Uses DHCP snooping entries to filter illegal packets on a per-port basis. For more information, see Security Configuration Guide.

Application of trusted and untrusted ports

Configure ports facing the DHCP server as trusted ports, and configure other ports as untrusted ports.

As shown in Figure 24, configure the DHCP snooping device's port that is connected to the DHCP server as a trusted port. The trusted port forwards response messages from the DHCP server to the client. The untrusted port connected to the unauthorized DHCP server discards incoming DHCP response messages.

Figure 24 Trusted and untrusted ports

 

In a cascaded network as shown in Figure 25, configure the DHCP snooping devices' ports facing the DHCP server as trusted ports. To save system resources, you can enable only the untrusted ports directly connected to the DHCP clients to record DHCP snooping entries.

Figure 25 Trusted and untrusted ports in a cascaded network

 

DHCP snooping support for Option 82

Option 82 records the location information about the DHCP client so the administrator can locate the DHCP client for security and accounting purposes. For more information about Option 82, see "Relay agent option (Option 82)."

DHCP snooping uses the same strategies as the DHCP relay agent to handle Option 82 for DHCP request messages, as shown in Table 4. If a response returned by the DHCP server contains Option 82, DHCP snooping removes Option 82 before forwarding the response to the client. If the response contains no Option 82, DHCP snooping forwards it directly.

Table 4 Handling strategies

If a DHCP request has…   Handling strategy   DHCP snooping…
Option 82                Drop                Drops the message.
Option 82                Keep                Forwards the message without changing Option 82.
Option 82                Replace             Forwards the message after replacing the original Option 82 with the Option 82 padded according to the configured padding format, padding content, and code type.
No Option 82             N/A                 Forwards the message after adding the Option 82 padded according to the configured padding format, padding content, and code type.

 

Command and hardware compatibility

The WX1800H series access controllers do not support the slot keyword or the slot-number argument.

DHCP snooping configuration task list

The DHCP snooping configuration does not take effect on a Layer 2 Ethernet interface that is an aggregation member port. The configuration takes effect when the interface leaves the aggregation group.

 

Tasks at a glance

(Required.) Configuring basic DHCP snooping

(Optional.) Configuring Option 82

(Optional.) Configuring DHCP snooping entry auto backup

(Optional.) Enabling DHCP starvation attack protection

(Optional.) Enabling DHCP-REQUEST attack protection

(Optional.) Setting the maximum number of DHCP snooping entries

(Optional.) Configuring DHCP packet rate limit

(Optional.) Configuring a DHCP packet blocking port

(Optional.) Enabling DHCP snooping logging

 

Configuring basic DHCP snooping

Follow these guidelines when you configure basic DHCP snooping:

·     Specify the ports connected to authorized DHCP servers as trusted ports to make sure that DHCP clients can obtain valid IP addresses. The trusted ports and the ports connected to DHCP clients must be in the same VLAN.

·     You can specify the following interfaces as trusted ports: Layer 2 Ethernet interfaces, and Layer 2 aggregate interfaces. For more information about aggregate interfaces, see Layer 2—LAN Switching Configuration Guide.

·     The DHCP snooping configuration on a Layer 2 Ethernet interface that has been added to an aggregation group does not take effect unless the interface leaves the aggregation group.

To configure basic DHCP snooping:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enable DHCP snooping.
   Command: dhcp snooping enable
   Remarks: By default, DHCP snooping is disabled.

3. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: This interface must connect to the DHCP server.

4. Specify the port as a trusted port.
   Command: dhcp snooping trust
   Remarks: By default, all ports are untrusted ports after DHCP snooping is enabled.

5. Return to system view.
   Command: quit
   Remarks: N/A

6. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: This interface must connect to the DHCP client.

7. (Optional.) Enable the recording of DHCP snooping entries.
   Command: dhcp snooping binding record
   Remarks: By default, the recording of DHCP snooping entries is disabled.

 

Configuring Option 82

Follow these guidelines when you configure Option 82:

·     The Option 82 configuration on a Layer 2 Ethernet interface that has been added to an aggregation group does not take effect unless the interface leaves the aggregation group.

·     To support Option 82, you must configure Option 82 on both the DHCP server and the DHCP snooping device. For information about configuring Option 82 on the DHCP server, see "Enabling handling of Option 82."

·     If the handling strategy is replace, configure a padding mode and padding format for Option 82. If the handling strategy is keep or drop, you do not need to configure any padding mode or padding format for Option 82. The settings do not take effect even if you configure them.

·     If Option 82 contains the device name, the device name must contain no spaces. Otherwise, DHCP snooping drops the message. You can use the sysname command to specify the device name. For more information about this command, see Fundamentals Command Reference.

·     DHCP snooping uses "outer VLAN tag.inner VLAN tag" to fill the VLAN ID field of sub-option 1 in verbose padding format if either of the following conditions exists:

◦     DHCP snooping and QinQ work together.

◦     DHCP snooping receives a DHCP packet with two VLAN tags.

For example, if the outer VLAN tag is 10 and the inner VLAN tag is 20, the VLAN ID field is 000a.0014. The hexadecimal value a represents the outer VLAN tag 10, and the hexadecimal value 14 represents the inner VLAN tag 20.

·     The device name (sysname) must not include spaces if it is configured as the padding content for sub-option 1. Otherwise, the DHCP snooping device will fail to add or replace Option 82.
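The following Python example is an added illustration of the Option 82 handling strategies in Table 4 (the same drop, keep and replace strategies the relay agent applies) together with the VLAN ID field format described above; it is not H3C code and not part of this guide. The DHCP option area is modelled as the standard TLV list ending in 0xFF. The internal layout of the verbose Circuit ID sub-option used here, an ASCII string of the form node-identifier:vlan-field, is an assumption made for the example; only the VLAN field format (outer.inner as four hex digits each, for example 000a.0014) comes from the guide.

```python
from typing import List, Optional, Tuple

OPTION_RELAY_AGENT = 82
OPTION_END = 0xFF
OPTION_PAD = 0x00
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2
STRATEGIES = ("drop", "keep", "replace")


def vlan_id_field(outer_vlan: int, inner_vlan: Optional[int] = None) -> str:
    """Format the VLAN ID field: a single tag gives four hex digits; a double
    tag (QinQ) gives outer.inner, so VLAN 10 over VLAN 20 -> 000a.0014."""
    for vlan in (outer_vlan, inner_vlan):
        if vlan is not None and not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN ID out of range: {vlan}")
    if inner_vlan is None:
        return f"{outer_vlan:04x}"
    return f"{outer_vlan:04x}.{inner_vlan:04x}"


def parse_options(raw: bytes) -> List[Tuple[int, bytes]]:
    """Parse the TLV option area, rejecting truncated options instead of
    reading past the buffer."""
    opts, i = [], 0
    while i < len(raw):
        code = raw[i]
        if code == OPTION_END:
            return opts
        if code == OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option code without length byte")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts.append((code, value))
        i += 2 + length
    raise ValueError("option area missing END (0xFF)")


def encode_options(opts: List[Tuple[int, bytes]]) -> bytes:
    return b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPTION_END])


def build_option82(node_id: str, vlan_field: str, remote_id: bytes) -> bytes:
    """Pad Option 82 with a Circuit ID (assumed verbose layout) and a Remote ID."""
    circuit = f"{node_id}:{vlan_field}".encode("ascii")
    subopts = [(SUBOPT_CIRCUIT_ID, circuit), (SUBOPT_REMOTE_ID, remote_id)]
    return b"".join(bytes([s, len(v)]) + v for s, v in subopts)


def handle_request(raw_options: bytes, strategy: str, new_option82: bytes) -> Optional[bytes]:
    """Apply the handling strategy to a client request's option area.

    Returns the option area to forward, or None when the request is dropped."""
    if strategy not in STRATEGIES:
        raise ValueError(f"unknown strategy {strategy!r}")
    opts = parse_options(raw_options)
    if not any(code == OPTION_RELAY_AGENT for code, _ in opts):
        # Table 4, last row: no Option 82 present -> add the padded one, whatever the strategy.
        return encode_options(opts + [(OPTION_RELAY_AGENT, new_option82)])
    if strategy == "drop":
        return None
    if strategy == "keep":
        return encode_options(opts)
    # replace: substitute the padded Option 82 for the one the client sent
    return encode_options([(c, new_option82 if c == OPTION_RELAY_AGENT else v) for c, v in opts])


def strip_option82_from_reply(raw_options: bytes) -> bytes:
    """Server replies: Option 82 is removed before the reply goes to the client."""
    return encode_options([(c, v) for c, v in parse_options(raw_options) if c != OPTION_RELAY_AGENT])
```

A request without Option 82 gets the padded option added regardless of strategy; a request that already carries one is dropped, forwarded unchanged, or forwarded with the padded option substituted, and a server reply has the option stripped on the way back to the client.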

To configure DHCP snooping to support Option 82:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

3. Enable DHCP snooping to support Option 82.
   Command: dhcp snooping information enable
   Remarks: By default, DHCP snooping does not support Option 82.

4. (Optional.) Configure a handling strategy for DHCP requests that contain Option 82.
   Command: dhcp snooping information strategy { drop | keep | replace }
   Remarks: By default, the handling strategy is replace.

5. (Optional.) Configure the padding mode and padding format for the Circuit ID sub-option.
   Command: dhcp snooping information circuit-id { [ vlan vlan-id ] string circuit-id | { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] } [ format { ascii | hex } ] }
   Remarks: By default, the padding mode is normal and the padding format is hex for the Circuit ID sub-option.

6. (Optional.) Configure the padding mode and padding format for the Remote ID sub-option.
   Command: dhcp snooping information remote-id { normal [ format { ascii | hex } ] | [ vlan vlan-id ] string remote-id | sysname }
   Remarks: By default, the padding mode is normal and the padding format is hex for the Remote ID sub-option.

 

Configuring DHCP snooping entry auto backup

The auto backup feature saves DHCP snooping entries to a backup file and allows the DHCP snooping device to download the entries from the backup file at device reboot. Without the backup, the entries on the DHCP snooping device cannot survive a reboot. Auto backup lets security features that rely on DHCP snooping entries for user authentication (such as IP source guard) keep providing service after a reboot.

 

 

NOTE: If you disable DHCP snooping with the undo dhcp snooping enable command, the device deletes all DHCP snooping entries, including those stored in the backup file.

 

To save DHCP snooping entries:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Configure the DHCP snooping device to back up DHCP snooping entries to a file.
   Command: dhcp snooping binding database filename { filename | url url [ username username [ password { cipher | simple } string ] ] }
   Remarks: By default, the DHCP snooping device does not back up DHCP snooping entries. With this command executed, the DHCP snooping device backs up DHCP snooping entries immediately and runs auto backup. This command automatically creates the file if you specify a non-existent file.

3. (Optional.) Manually save DHCP snooping entries to the backup file.
   Command: dhcp snooping binding database update now
   Remarks: N/A

4. (Optional.) Set the waiting time after a DHCP snooping entry change for the DHCP snooping device to update the backup file.
   Command: dhcp snooping binding database update interval interval
   Remarks: The default waiting time is 300 seconds. When a DHCP snooping entry is learned, updated, or removed, the waiting period starts. The DHCP snooping device updates the backup file when the specified waiting period is reached. All entries changed during the period are saved to the backup file. If no DHCP snooping entry changes, the backup file is not updated.

 

Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests that contain identical or different sender MAC addresses in the chaddr field to a DHCP server. This attack exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system resources. For information about the fields of a DHCP packet, see "DHCP message format."

You can prevent DHCP starvation attacks in the following ways:

·     If the forged DHCP requests contain different sender MAC addresses, use the mac-address max-mac-count command to set the MAC learning limit on a Layer 2 port. For more information about the command, see Layer 2—LAN Switching Command Reference.

·     If the forged DHCP requests contain the same sender MAC address, perform this task to enable MAC address check for DHCP snooping. This feature compares the chaddr field of a received DHCP request with the source MAC address field in the frame header. If they are the same, the request is considered valid and forwarded to the DHCP server. If not, the request is discarded.
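The following Python example is an added illustration of the MAC address check as performed here by DHCP snooping and, with the aging cache, by the DHCP relay agent (see "Configuring the DHCP relay agent" above); it is not H3C code and not part of this guide. The frame builder produces a minimal constructed Ethernet/IPv4/UDP/BOOTP client request (IP checksum left zero, no DHCP options) so the check can be exercised offline. The cache semantics, a verdict kept per source MAC and reused until the entry ages out, after which the next request from that MAC is rechecked, are this example's reading of the relay agent description and are an assumption.

```python
import struct
import time
from typing import Dict, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
BOOTP_CLIENT_PORT, BOOTP_SERVER_PORT = 68, 67
BOOTP_HEADER_LEN = 236
CHADDR_OFFSET = 28   # chaddr starts at byte 28 of the BOOTP header


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace("-", "").replace(":", "").replace(".", ""))


def build_dhcp_request_frame(src_mac: str, chaddr: str, xid: int = 0x1234) -> bytes:
    """Constructed client DHCP request; chaddr may deliberately differ from the
    frame's source MAC to exercise the check."""
    # op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=6, hops, xid, secs, flags, 4 IP fields
    bootp = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    bootp += mac_bytes(chaddr).ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128  # chaddr, sname, file
    assert len(bootp) == BOOTP_HEADER_LEN
    udp = struct.pack("!HHHH", BOOTP_CLIENT_PORT, BOOTP_SERVER_PORT, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     b"\0\0\0\0", b"\xff\xff\xff\xff") + udp
    eth = b"\xff" * 6 + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip


def extract_macs(frame: bytes) -> Optional[Tuple[str, str]]:
    """Return (frame source MAC, chaddr) for a client-to-server DHCP request,
    or None when the frame is not one (or is malformed)."""
    if len(frame) < 14 + 20 + 8 + BOOTP_HEADER_LEN:
        return None
    src_mac = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or frame[14 + 9] != IPPROTO_UDP:
        return None
    udp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if (sport, dport) != (BOOTP_CLIENT_PORT, BOOTP_SERVER_PORT):
        return None
    bootp = frame[udp + 8:]
    if len(bootp) < BOOTP_HEADER_LEN or bootp[0] != 1:   # op 1 = BOOTREQUEST
        return None
    if bootp[1] != 1 or bootp[2] != 6:   # only Ethernet hardware addresses handled here
        return None
    chaddr = bootp[CHADDR_OFFSET:CHADDR_OFFSET + 6]
    return src_mac.hex(), chaddr.hex()


class MacAddressCheck:
    """Compares chaddr with the frame source MAC. aging_time > 0 models the
    relay agent's per-source-MAC entry cache (30 s by default); aging_time=0
    gives the stateless per-packet check DHCP snooping performs."""

    def __init__(self, aging_time: float = 30.0, clock=time.monotonic):
        self.aging_time = aging_time
        self.clock = clock
        self.entries: Dict[str, Tuple[bool, float]] = {}   # source MAC -> (valid, expiry time)

    def check(self, frame: bytes) -> Tuple[str, str]:
        """Return ('forward' | 'discard', reason)."""
        macs = extract_macs(frame)
        if macs is None:
            return "discard", "not a well-formed DHCP request"
        src_mac, chaddr = macs
        now = self.clock()
        cached = self.entries.get(src_mac)
        if cached is not None and cached[1] > now:
            valid = cached[0]                 # entry still within its aging time
        else:
            valid = src_mac == chaddr         # the actual MAC address check
            if self.aging_time > 0:
                self.entries[src_mac] = (valid, now + self.aging_time)
        if valid:
            return "forward", "chaddr matches the frame source MAC"
        return "discard", f"chaddr {chaddr} differs from source MAC {src_mac}"
```

A request whose chaddr matches the frame source MAC is forwarded, a mismatching one is discarded, and with the relay-agent cache the verdict for a source MAC is reused until its entry ages out, after which the next request from that MAC is rechecked.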

To enable MAC address check:

 

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

3. Enable MAC address check.
   Command: dhcp snooping check mac-address
   Remarks: By default, MAC address check is disabled.

 

Enabling DHCP-REQUEST attack protection

DHCP-REQUEST messages include DHCP lease renewal packets, DHCP-DECLINE packets, and DHCP-RELEASE packets. This feature protects the DHCP server against unauthorized clients that forge DHCP-REQUEST messages.

Attackers can forge DHCP lease renewal packets to renew leases for legitimate DHCP clients that no longer need the IP addresses. These forged messages prevent the DHCP server from releasing the IP addresses.

Attackers can also forge DHCP-DECLINE or DHCP-RELEASE packets to terminate leases for legitimate DHCP clients that still need the IP addresses.

To prevent such attacks, you can enable DHCP-REQUEST check. This feature uses DHCP snooping entries to check incoming DHCP-REQUEST messages.

·     If a matching entry is found for a message, this feature compares the entry with the message information.

◦     If they are consistent, the message is considered valid and forwarded to the DHCP server.

◦     If they are different, the message is considered forged and is discarded.

·     If no matching entry is found, the message is considered valid and forwarded to the DHCP server.
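The MAC address check and the DHCP-REQUEST check described above, modelled as an added Python example. This is not H3C code: the frame fields are reduced to what the checks read, and the binding table and sample traffic are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DhcpFrame:
    """Only the fields the two checks read (simplified, not a full DHCP parser)."""
    src_mac: str    # source MAC address in the Ethernet frame header
    chaddr: str     # client hardware address field in the DHCP payload
    msg_type: str   # DISCOVER, REQUEST, DECLINE or RELEASE
    client_ip: str  # IP address the message renews, declines or releases
    vlan: int       # VLAN the frame arrived in
    port: str       # untrusted port the frame arrived on


@dataclass(frozen=True)
class SnoopingEntry:
    """One DHCP snooping entry (IP-to-MAC binding) learned from a DHCP-ACK."""
    ip: str
    mac: str
    vlan: int
    port: str


# Constructed snooping table, keyed the way the guide's display/reset commands
# address entries: by IP address and VLAN.
BINDINGS: Dict[Tuple[str, int], SnoopingEntry] = {
    ("10.1.1.10", 100): SnoopingEntry("10.1.1.10", "00:11:22:33:44:55", 100, "GE1/0/2"),
    ("10.1.1.11", 100): SnoopingEntry("10.1.1.11", "00:11:22:33:44:66", 100, "GE1/0/3"),
}

REQUEST_MESSAGE_TYPES = {"REQUEST", "DECLINE", "RELEASE"}


def mac_address_check(frame: DhcpFrame) -> bool:
    """dhcp snooping check mac-address: chaddr must equal the frame's source MAC.

    Forged requests that vary chaddr while the frame keeps the sender's real
    source MAC fail this comparison.
    """
    return frame.chaddr.lower() == frame.src_mac.lower()


def request_message_check(frame: DhcpFrame, bindings: Dict[Tuple[str, int], SnoopingEntry]) -> bool:
    """dhcp snooping check request-message: compare the message with its entry.

    Matching entry with consistent MAC and port -> valid; matching entry with a
    different MAC or port -> forged; no entry at all -> valid (forwarded as-is).
    """
    if frame.msg_type not in REQUEST_MESSAGE_TYPES:
        return True
    entry = bindings.get((frame.client_ip, frame.vlan))
    if entry is None:
        return True
    return entry.mac.lower() == frame.chaddr.lower() and entry.port == frame.port


def filter_frame(frame: DhcpFrame, bindings: Dict[Tuple[str, int], SnoopingEntry], *,
                 check_mac: bool = True, check_request: bool = True) -> Tuple[str, str]:
    """Return ("forward" | "discard", reason) for one frame on an untrusted port."""
    if check_mac and not mac_address_check(frame):
        return "discard", "chaddr does not match frame source MAC"
    if check_request and not request_message_check(frame, bindings):
        return "discard", "DHCP-REQUEST does not match snooping entry"
    return "forward", "passed enabled checks"


# Constructed sample traffic (not captured data).
SAMPLE_FRAMES: List[DhcpFrame] = [
    # legitimate lease renewal from the bound host on its bound port
    DhcpFrame("00:11:22:33:44:55", "00:11:22:33:44:55", "REQUEST", "10.1.1.10", 100, "GE1/0/2"),
    # starvation-style DISCOVER: chaddr differs from the frame source MAC
    DhcpFrame("aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01", "DISCOVER", "0.0.0.0", 100, "GE1/0/5"),
    # RELEASE for a bound IP sent from a different MAC and port
    DhcpFrame("aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:02", "RELEASE", "10.1.1.11", 100, "GE1/0/5"),
    # REQUEST for an IP with no snooping entry: forwarded unchanged
    DhcpFrame("aa:bb:cc:dd:ee:03", "aa:bb:cc:dd:ee:03", "REQUEST", "10.1.1.50", 100, "GE1/0/6"),
]


def run_samples() -> List[str]:
    """Apply both checks to SAMPLE_FRAMES and return the decisions in order."""
    return [filter_frame(frame, BINDINGS)[0] for frame in SAMPLE_FRAMES]


if __name__ == "__main__":
    for frame, decision in zip(SAMPLE_FRAMES, run_samples()):
        print(f"{frame.msg_type:8} {frame.client_ip:10} {frame.port:8} {decision}")
```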

To enable DHCP-REQUEST check:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter interface view.

interface interface-type interface-number

N/A

3.     Enable DHCP-REQUEST check.

dhcp snooping check request-message

By default, DHCP-REQUEST check is disabled.

You can enable DHCP-REQUEST check only on Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces.

 

Setting the maximum number of DHCP snooping entries

Perform this task to prevent the system resources from being overused.

To set the maximum number of DHCP snooping entries:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter interface view.

interface interface-type interface-number

N/A

3.     Set the maximum number of DHCP snooping entries for the interface to learn.

dhcp snooping max-learning-num max-number

By default, the number of DHCP snooping entries for an interface to learn is unlimited.

 

Configuring DHCP packet rate limit

Perform this task to set the maximum rate at which an interface can receive DHCP packets. This feature discards DHCP packets that exceed the rate, to mitigate attacks that send large numbers of DHCP packets.

To configure DHCP packet rate limit:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter interface view.

interface interface-type interface-number

N/A

3.     Set the maximum rate at which the interface can receive DHCP packets.

dhcp snooping rate-limit rate

By default, incoming DHCP packets are not rate limited.

You can configure this command only on Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces.

The rate set on the Layer 2 aggregate interface applies to all members of the aggregate interface. If a member interface leaves the aggregation group, it uses the rate set in its Ethernet interface view.

 

Configuring a DHCP packet blocking port

Perform this task to configure a port as a DHCP packet blocking port. This blocking port drops all incoming DHCP requests.

To configure a DHCP packet blocking port:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter interface view.

interface interface-type interface-number

N/A

3.     Configure the port to block DHCP requests.

dhcp snooping deny

By default, the port does not block DHCP requests.

 

Enabling DHCP snooping logging

The DHCP snooping logging feature enables the DHCP snooping device to generate DHCP snooping logs and send them to the information center. For information about the log destination and output rule configuration in the information center, see Network Management and Monitoring Configuration Guide.

As a best practice, disable this feature if the log generation affects the device performance.

To enable DHCP snooping logging:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable DHCP snooping logging.

dhcp snooping log enable

By default, DHCP snooping logging is disabled.

 

Displaying and maintaining DHCP snooping

Execute display commands in any view, and reset commands in user view.

 

Task

Command

Remarks

Display DHCP snooping entries.

display dhcp snooping binding [ ip ip-address [ vlan vlan-id ] ]

Available in any view.

Display Option 82 configuration information on the DHCP snooping device.

display dhcp snooping information { all | interface interface-type interface-number }

Available in any view.

Display DHCP packet statistics on the DHCP snooping device.

display dhcp snooping packet statistics [ slot slot-number ]

Available in any view.

Display information about trusted ports.

display dhcp snooping trust

Available in any view.

Display information about the file that stores DHCP snooping entries.

display dhcp snooping binding database

Available in any view.

Clear DHCP snooping entries.

reset dhcp snooping binding { all | ip ip-address [ vlan vlan-id ] }

Available in user view.

Clear DHCP packet statistics on the DHCP snooping device.

reset dhcp snooping packet statistics [ slot slot-number ]

Available in user view.

 

DHCP snooping configuration examples

Basic DHCP snooping configuration example

Network requirements

As shown in Figure 26:

·     Configure the port GigabitEthernet 1/0/1 connected to the DHCP server as a trusted port.

·     Configure other ports as untrusted ports.

·     Enable DHCP snooping to record clients' IP-to-MAC bindings by reading the DHCP-REQUEST messages from clients and the DHCP-ACK messages received from the trusted port.

Figure 26 Network diagram

 

Configuration procedure

# Configure WLAN access on the AC. For more information about WLAN access configuration, see WLAN Configuration Guide. (Details not shown.)

# Enable DHCP snooping.

<AC> system-view

[AC] dhcp snooping enable

# Configure GigabitEthernet 1/0/1 as a trusted port.

[AC] interface gigabitethernet 1/0/1

[AC-GigabitEthernet1/0/1] dhcp snooping trust

[AC-GigabitEthernet1/0/1] quit

# Enable DHCP snooping to record clients' IP-to-MAC bindings on GigabitEthernet 1/0/2.

[AC] interface gigabitethernet 1/0/2

[AC-GigabitEthernet1/0/2] dhcp snooping binding record

[AC-GigabitEthernet1/0/2] quit

Verifying the configuration

# Verify that the DHCP client can obtain an IP address and other configuration parameters only from the DHCP server. (Details not shown.)

# Display the DHCP snooping entry recorded for the client.

[AC] display dhcp snooping binding


Configuring the BOOTP client

BOOTP client configuration applies only to Layer 3 Ethernet interfaces (including subinterfaces), Layer 3 aggregate interfaces, and VLAN interfaces.

BOOTP application

An interface that acts as a BOOTP client can use BOOTP to obtain information (such as IP address) from the BOOTP server.

To use BOOTP, an administrator must configure a BOOTP parameter file for each BOOTP client on the BOOTP server. The parameter file contains information such as MAC address and IP address of a BOOTP client. When a BOOTP client sends a request to the BOOTP server, the BOOTP server searches for the BOOTP parameter file and returns the corresponding configuration information.

BOOTP is usually used in relatively stable environments. In network environments that change frequently, DHCP is more suitable.

Because a DHCP server can interact with a BOOTP client, you can use the DHCP server to assign an IP address to the BOOTP client. You do not need to configure a BOOTP server.

Obtaining an IP address dynamically

A BOOTP client dynamically obtains an IP address from a BOOTP server as follows:

1.     The BOOTP client broadcasts a BOOTP request, which contains its own MAC address.

2.     Upon receiving the request, the BOOTP server searches the configuration file for the IP address and other information according to the BOOTP client's MAC address.

3.     The BOOTP server returns a BOOTP response to the BOOTP client.

4.     The BOOTP client obtains the IP address from the received response.

A DHCP server can take the place of the BOOTP server in this dynamic IP address acquisition process.

Protocols and standards

·     RFC 951, Bootstrap Protocol (BOOTP)

·     RFC 2132, DHCP Options and BOOTP Vendor Extensions

·     RFC 1542, Clarifications and Extensions for the Bootstrap Protocol

Configuring an interface to use BOOTP for IP address acquisition

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter interface view.

interface interface-type interface-number

N/A

3.     Configure an interface to use BOOTP for IP address acquisition.

ip address bootp-alloc

By default, an interface does not use BOOTP for IP address acquisition.

 

Displaying and maintaining BOOTP client

Execute the display command in any view.

 

Task

Command

Display BOOTP client information.

display bootp client [ interface interface-type interface-number ]

 


Configuring DNS

Overview

Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into IP addresses. The domain name-to-IP address mapping is called a DNS entry.

DNS services can be static or dynamic. After a user specifies a name, the device checks the static name resolution table for an IP address. If no IP address is available, it contacts the DNS server for dynamic name resolution, which takes more time than static name resolution. To improve efficiency, you can put frequently queried name-to-IP address mappings in the local static name resolution table.

Static domain name resolution

Static domain name resolution means manually creating mappings between domain names and IP addresses. For example, you can create a static DNS mapping for a device so that you can Telnet to the device by using the domain name.

Dynamic domain name resolution

Resolution process

1.     A user program sends a name query to the resolver of the DNS client.

2.     The DNS resolver looks up the local domain name cache for a match. If the resolver finds a match, it sends the corresponding IP address back. If not, it sends a query to the DNS server.

3.     The DNS server looks up the corresponding IP address of the domain name in its DNS database. If no match is found, the server sends a query to other DNS servers. This process continues until a result, whether successful or not, is returned.

4.     After receiving a response from the DNS server, the DNS client returns the resolution result to the user program.

Figure 27 shows the relationship between the user program, DNS client, and DNS server.

The DNS client includes the resolver and cache. The user program and DNS client can run on the same device or different devices. The DNS server and the DNS client usually run on different devices.

Figure 27 Dynamic domain name resolution

 

Dynamic domain name resolution allows the DNS client to store the latest DNS entries in the dynamic domain name cache. The DNS client does not need to send a request to the DNS server for a repeated query within the aging time. To make sure the entries from the DNS server are up to date, a DNS entry is removed when its aging timer expires. The DNS server determines how long a mapping is valid, and the DNS client obtains the aging information from DNS responses.

DNS suffixes

You can configure a domain name suffix list so that the resolver can use the list to supply the missing part of an incomplete name.

For example, you can configure com as the suffix for aabbcc.com. The user only needs to enter aabbcc to obtain the IP address of aabbcc.com. The resolver adds the suffix and delimiter before passing the name to the DNS server.

The name resolver handles the queries based on the domain names that the user enters:

·     If the user enters a domain name without a dot (.) (for example, aabbcc), the resolver considers the domain name as a host name. It adds a DNS suffix to the host name before performing the query operation. If no match is found for any host name and suffix combination, the resolver uses the user-entered domain name (for example, aabbcc) for the IP address query.

·     If the user enters a domain name with a dot (.) among the letters (for example, www.aabbcc), the resolver directly uses this domain name for the query operation. If the query fails, the resolver adds a DNS suffix for another query operation.

·     If the user enters a domain name with a dot (.) at the end (for example, aabbcc.com.), the resolver considers the domain name an FQDN and returns the successful or failed query result. The dot at the end of the domain name is considered a terminating symbol.

The device supports static and dynamic DNS client services.

If an alias is configured for a domain name on the DNS server, the device can resolve the alias into the IP address of the host.
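The suffix handling rules above, as an added Python example that is not H3C code. It also applies the suffix precedence this guide gives later under dynamic domain name resolution (manually configured suffixes before DHCP-obtained ones, earlier before later, 16 at most); the suffix lists, the name table and the lookup function are constructed assumptions.

```python
from typing import Callable, List, Optional, Tuple

MAX_SUFFIXES = 16  # the guide's limit on configured DNS suffixes


def build_suffix_list(manual: List[str], dhcp: List[str]) -> List[str]:
    """Order suffixes as the resolver uses them: manually configured first
    (in configuration order), then DHCP-obtained ones, duplicates removed.

    `dhcp` should hold only suffixes learned on the DNS trusted interface,
    since a rogue DHCP server could otherwise inject a suffix of its choosing.
    """
    ordered: List[str] = []
    for suffix in manual + dhcp:
        suffix = suffix.strip(".").lower()
        if suffix and suffix not in ordered:
            ordered.append(suffix)
    return ordered[:MAX_SUFFIXES]


def query_candidates(name: str, suffixes: List[str]) -> List[str]:
    """Return the names the resolver queries, in order, for what the user typed."""
    if name.endswith("."):
        # Trailing dot: treated as an FQDN and queried exactly once, as entered.
        return [name]
    if "." not in name:
        # No dot: a host name. Every suffix is tried first, the bare name last.
        return [f"{name}.{s}" for s in suffixes] + [name]
    # A dot inside the name: queried as entered first, then with each suffix.
    return [name] + [f"{name}.{s}" for s in suffixes]


def resolve(name: str, suffixes: List[str],
            lookup: Callable[[str], Optional[str]]) -> Optional[Tuple[str, str]]:
    """Try each candidate until lookup() returns an address; None if all fail."""
    for candidate in query_candidates(name, suffixes):
        address = lookup(candidate)
        if address is not None:
            return candidate, address
    return None


# Constructed name table standing in for the DNS server (not real data).
NAME_TABLE = {
    "aabbcc.com": "10.1.1.2",
    "www.aabbcc.example.net": "10.1.1.3",
    "bare": "10.1.1.4",
}


def table_lookup(fqdn: str) -> Optional[str]:
    """Lookup that ignores the terminating dot, as a DNS server would."""
    return NAME_TABLE.get(fqdn.rstrip(".").lower())


SUFFIXES = build_suffix_list(manual=["com"], dhcp=["example.net", "com"])

if __name__ == "__main__":
    for typed in ("aabbcc", "www.aabbcc", "aabbcc.com.", "bare", "nothere"):
        print(typed, query_candidates(typed, SUFFIXES), resolve(typed, SUFFIXES, table_lookup))
```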

DNS proxy

As shown in Figure 28, the DNS proxy performs the following operations:

·     Forwards the request from the DNS client to the designated DNS server.

·     Conveys the reply from the DNS server to the client.

The DNS proxy simplifies network management. When the DNS server address is changed, you can change the configuration only on the DNS proxy instead of on each DNS client.

Figure 28 DNS proxy application

 

A DNS proxy operates as follows:

1.     A DNS client treats the DNS proxy as the DNS server and sends a DNS request to the DNS proxy. The destination address of the request is the IP address of the DNS proxy.

2.     The DNS proxy searches the local static domain name resolution table and dynamic domain name resolution cache after receiving the request. If the requested information is found, the DNS proxy returns a DNS reply to the client.

3.     If the requested information is not found, the DNS proxy sends the request to the designated DNS server for domain name resolution.

4.     After receiving a reply from the DNS server, the DNS proxy records the IP address-to-domain name mapping and forwards the reply to the DNS client.

If no DNS server is designated or no route is available to the designated DNS server, the DNS proxy does not forward DNS requests.

DNS spoofing

DNS spoofing is used in dial-up networks, as shown in Figure 29.

·     The device connects to a PSTN/ISDN network through a dial-up interface. The device triggers the establishment of a dial-up connection only when packets are to be forwarded through the dial-up interface.

·     The device acts as a DNS proxy and is specified as a DNS server on the hosts. After the dial-up connection is established, the device dynamically obtains the DNS server address through DHCP or another autoconfiguration mechanism.

Figure 29 DNS spoofing application

 

The DNS proxy does not have the DNS server address or cannot reach the DNS server after startup. A host accesses the HTTP server in the following steps:

1.     The host sends a DNS request to the device to resolve the domain name of the HTTP server into an IP address.

2.     Upon receiving the request, the device searches the local static and dynamic DNS entries for a match. Because no match is found, the device spoofs the host by replying with a configured IP address. The device must have a route to the IP address with the dial-up interface as the output interface.

The IP address configured for DNS spoofing is not the actual IP address of the requested domain name. Therefore, the TTL field is set to 0 in the DNS reply. When the DNS client receives the reply, it creates a DNS entry and ages it out immediately.

3.     Upon receiving the reply, the host sends an HTTP request to the replied IP address.

4.     When forwarding the HTTP request through the dial-up interface, the device performs the following operations:

○     Establishes a dial-up connection with the network.

○     Dynamically obtains the DNS server address through DHCP or another autoconfiguration mechanism.

5.     Because the DNS entry ages out immediately upon creation, the host sends another DNS request to the device to resolve the HTTP server domain name.

6.     The device operates the same as a DNS proxy. For more information, see "DNS proxy."

7.     After obtaining the IP address of the HTTP server, the host can access the HTTP server.

Without DNS spoofing, the device forwards the DNS requests from the host to the DNS server if it cannot find a matching local DNS entry. However, the device cannot obtain the DNS server address, because no dial-up connection is established. Therefore, the device cannot forward or answer the requests from the client. DNS resolution fails, and the client cannot access the HTTP server.
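The DNS proxy lookup order and the DNS spoofing fallback described above, together with the server precedence rules this guide gives under "Configuring the DNS proxy", as an added Python example that is not H3C code. The upstream answers, server addresses, spoof address and static-entry TTL are constructed assumptions; only the "no DNS server designated" case of spoofing is modelled, not the missing-route case.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Upstream exchange: send(server, name, qtype) -> (address, ttl), or None on no reply.
SendFn = Callable[[str, str, str], Optional[Tuple[str, int]]]
STATIC_TTL = 60  # assumption: the guide does not state a TTL for static entries


@dataclass(frozen=True)
class DnsReply:
    name: str
    address: str
    ttl: int      # 0 on a spoofed reply so the client ages the entry out at once
    source: str   # "static", "cache", "server" or "spoof"


class DnsProxy:
    def __init__(self, spoof_v4: Optional[str] = None, spoof_v6: Optional[str] = None):
        self.static: Dict[Tuple[str, str], str] = {}               # (name, qtype) -> address
        self.cache: Dict[Tuple[str, str], Tuple[str, float]] = {}  # (name, qtype) -> (address, expiry)
        # Servers grouped by address family and origin; list order is configuration order.
        self._servers: Dict[Tuple[str, str], List[str]] = {
            (fam, src): [] for fam in ("v4", "v6") for src in ("manual", "dhcp")}
        self.spoof = {"A": spoof_v4, "AAAA": spoof_v6}

    def add_server(self, address: str, family: str, source: str = "manual") -> None:
        self._servers[(family, source)].append(address)

    def server_order(self, qtype: str) -> List[str]:
        """Manual before DHCP-obtained, earlier before later; IPv4 servers first
        for an A query and IPv6 servers first for an AAAA query."""
        v4 = self._servers[("v4", "manual")] + self._servers[("v4", "dhcp")]
        v6 = self._servers[("v6", "manual")] + self._servers[("v6", "dhcp")]
        return v4 + v6 if qtype == "A" else v6 + v4

    def resolve(self, name: str, qtype: str, send: SendFn, now: float) -> Optional[DnsReply]:
        key = (name.rstrip(".").lower(), qtype)
        if key in self.static:                                   # 1. static table
            return DnsReply(name, self.static[key], STATIC_TTL, "static")
        cached = self.cache.get(key)                             # 2. cache, unless aged out
        if cached is not None and cached[1] > now:
            return DnsReply(name, cached[0], int(cached[1] - now), "cache")
        servers = self.server_order(qtype)
        if not servers:                                          # 3. no server designated
            # With spoofing configured, answer with the configured address and TTL 0;
            # otherwise the request is not forwarded and gets no answer.
            address = self.spoof.get(qtype)
            return DnsReply(name, address, 0, "spoof") if address else None
        for server in servers:                                   # 4. forward by priority
            answer = send(server, name, qtype)
            if answer is None:
                continue                                         # no reply: next server
            address, ttl = answer
            self.cache[key] = (address, now + ttl)               # aging timer from server TTL
            return DnsReply(name, address, ttl, "server")
        return None


# Constructed upstream behaviour: only 2.1.1.2 knows host.com; other servers never reply.
UPSTREAM = {("2.1.1.2", "host.com", "A"): ("3.1.1.1", 300)}


def fake_send(server: str, name: str, qtype: str) -> Optional[Tuple[str, int]]:
    return UPSTREAM.get((server, name.rstrip(".").lower(), qtype))


def demo() -> Tuple[DnsProxy, List[Optional[DnsReply]]]:
    proxy = DnsProxy(spoof_v4="192.0.2.1")                       # constructed spoof address
    first = proxy.resolve("host.com", "A", fake_send, now=0.0)   # no server yet: spoofed
    proxy.add_server("2001:db8::53", "v6", source="dhcp")
    proxy.add_server("10.9.9.9", "v4", source="dhcp")
    proxy.add_server("4.1.1.1", "v4")                            # manual, configured first
    proxy.add_server("2.1.1.2", "v4")                            # manual, configured second
    second = proxy.resolve("host.com", "A", fake_send, now=1.0)    # 4.1.1.1 silent, 2.1.1.2 answers
    third = proxy.resolve("host.com", "A", fake_send, now=100.0)   # answered from cache
    fourth = proxy.resolve("host.com", "A", fake_send, now=400.0)  # cache aged out, re-queried
    return proxy, [first, second, third, fourth]


if __name__ == "__main__":
    proxy, replies = demo()
    print("A-query server order:", proxy.server_order("A"))
    for reply in replies:
        print(reply)
```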

DNS configuration task list

Tasks at a glance

Perform one of the following tasks:

·     Configuring the IPv4 DNS client

·     Configuring the IPv6 DNS client

(Optional.) Configuring the DNS proxy

(Optional.) Configuring DNS spoofing

(Optional.) Specifying the source interface for DNS packets

(Optional.) Configuring the DNS trusted interface

(Optional.) Setting the DSCP value for outgoing DNS packets

 

Configuring the IPv4 DNS client

Configuring static domain name resolution

Static domain name resolution allows applications such as Telnet to contact hosts by using host names instead of IPv4 addresses.

Follow these guidelines when you configure static domain name resolution:

·     Each host name maps to only one IPv4 address. The most recent configuration for a host name takes effect.

·     You can configure a maximum of 1024 IPv4 DNS entries.

To configure static domain name resolution:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Configure a mapping between a host name and an IPv4 address.

ip host host-name ip-address

By default, no mapping between a host name and an IPv4 address is configured.

 

Configuring dynamic domain name resolution

To use dynamic domain name resolution, configure DNS servers so that DNS queries can be sent to a correct server for resolution. A manually configured DNS server takes precedence over one dynamically obtained through DHCP, and a DNS server configured earlier takes precedence over one configured later. A name query is first sent to the DNS server that has the highest priority. If no reply is received, it is sent to the DNS server that has the second highest priority, and so on.

In addition, you can configure a DNS suffix that the system automatically adds to the provided domain name for resolution. A manually configured DNS suffix takes precedence over one dynamically obtained through DHCP, and a DNS suffix configured earlier takes precedence over one configured later. The DNS resolver first uses the suffix that has the highest priority. If the name resolution fails, the DNS resolver uses the suffix that has the second highest priority, and so on.

Configuration guidelines

Follow these guidelines when you configure dynamic domain name resolution:

·     You can specify a maximum of six DNS server IPv4 addresses.

·     You can specify a maximum of six DNS server IPv6 addresses.

An IPv4 name query is first sent to the DNS server IPv4 addresses. If no reply is received, it is sent to the DNS server IPv6 addresses.

·     You can specify a maximum of 16 DNS suffixes.

Configuration procedure

To configure dynamic domain name resolution:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Specify a DNS server.

·     Specify a DNS server IPv4 address:
dns server ip-address

·     Specify a DNS server IPv6 address:
ipv6 dns server ipv6-address [ interface-type interface-number ]

By default, no DNS server is specified.

You can specify both the IPv4 and IPv6 addresses.

3.     (Optional.) Configure a DNS suffix.

dns domain domain-name

By default, no DNS suffix is configured and only the provided domain name is resolved.

 

Configuring the IPv6 DNS client

Configuring static domain name resolution

Static domain name resolution allows applications such as Telnet to contact hosts by using host names instead of IPv6 addresses.

Follow these guidelines when you configure static domain name resolution:

·     Each host name maps to only one IPv6 address. The most recent configuration for a host name takes effect.

·     You can configure a maximum of 1024 IPv6 DNS entries.

To configure static domain name resolution:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Configure a mapping between a host name and an IPv6 address.

ipv6 host host-name ipv6-address

By default, no mapping between a host name and an IPv6 address is configured.

 

Configuring dynamic domain name resolution

To send DNS queries to a correct server for resolution, you must enable dynamic domain name resolution and configure DNS servers. A manually configured DNS server takes precedence over one dynamically obtained through DHCP, and a DNS server configured earlier takes precedence over one configured later. A name query is first sent to the DNS server that has the highest priority. If no reply is received, it is sent to the DNS server that has the second highest priority, and so on.

In addition, you can configure a DNS suffix that the system automatically adds to the provided domain name for resolution. A manually configured DNS suffix takes precedence over one dynamically obtained through DHCP, and a DNS suffix configured earlier takes precedence over one configured later. The DNS resolver first uses the suffix that has the highest priority. If the name resolution fails, the DNS resolver uses the suffix that has the second highest priority, and so on.

Configuration guidelines

Follow these guidelines when you configure dynamic domain name resolution:

·     You can specify a maximum of six DNS server IPv4 addresses.

·     You can specify a maximum of six DNS server IPv6 addresses.

An IPv6 name query is first sent to the IPv6 DNS servers. If no reply is received, it is sent to the IPv4 DNS servers.

·     You can specify a maximum of 16 DNS suffixes.

Configuration procedure

To configure dynamic domain name resolution:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Specify a DNS server.

·     Specify a DNS server IPv4 address:
dns server ip-address

·     Specify a DNS server IPv6 address:
ipv6 dns server ipv6-address [ interface-type interface-number ]

By default, no DNS server is specified.

You can specify both the IPv4 and IPv6 addresses.

3.     (Optional.) Configure a DNS suffix.

dns domain domain-name

By default, no DNS suffix is configured. Only the provided domain name is resolved.

 

Configuring the DNS proxy

You can specify multiple DNS servers. The DNS proxy forwards a request to the DNS server that has the highest priority. If no reply is received, it forwards the request to the DNS server that has the second highest priority, and so on.

A DNS proxy forwards an IPv4 name query first to IPv4 DNS servers. If no reply is received, it forwards the request to IPv6 DNS servers.

A DNS proxy forwards an IPv6 name query first to IPv6 DNS servers. If no reply is received, it forwards the request to IPv4 DNS servers.

To configure the DNS proxy:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable DNS proxy.

dns proxy enable

By default, DNS proxy is disabled.

3.     Specify a DNS server.

·     Specify a DNS server IPv4 address:
dns server ip-address

·     Specify a DNS server IPv6 address:
ipv6 dns server ipv6-address [ interface-type interface-number ]

By default, no DNS server is specified.

You can specify both the IPv4 and IPv6 DNS addresses.

 

Configuring DNS spoofing

DNS spoofing is effective only when:

·     The DNS proxy is enabled on the device.

·     No DNS server or route to any DNS server is specified on the device.

You can configure only one replied IPv4 address and one replied IPv6 address. If you use the command multiple times, the most recent configuration takes effect.

To configure DNS spoofing:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable DNS proxy.

dns proxy enable

By default, DNS proxy is disabled.

3.     Enable DNS spoofing and specify the IP address used to spoof DNS requests.

·     Specify an IPv4 address:
dns spoofing ip-address

·     Specify an IPv6 address:
ipv6 dns spoofing ipv6-address

By default, DNS spoofing is disabled.

You can specify both an IPv4 address and an IPv6 address.

 

Specifying the source interface for DNS packets

This task enables the device to always use the primary IP address of the specified source interface as the source IP address of outgoing DNS packets. This feature applies to scenarios in which the DNS server responds only to DNS requests sourced from a specific IP address. If no IP address is configured on the source interface, no DNS packets can be sent out.

When sending an IPv6 DNS request, the device follows the method defined in RFC 3484 to select an IPv6 address of the source interface.

You can configure only one source interface.

To specify the source interface for DNS packets:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Specify the source interface for DNS packets.

dns source-interface interface-type interface-number

By default, no source interface for DNS packets is specified.

If you execute the command multiple times, the most recent configuration takes effect.

 

Configuring the DNS trusted interface

This task enables the device to use only the DNS suffix and domain name server information obtained through the trusted interface, so that it obtains the correct resolved IP address. This feature protects the device against attackers that pose as a DHCP server to assign an incorrect DNS suffix and domain name server address.

To configure the DNS trusted interface:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Specify the DNS trusted interface.

dns trust-interface interface-type interface-number

By default, no DNS trusted interface is specified.

You can configure up to 128 DNS trusted interfaces.

 

Setting the DSCP value for outgoing DNS packets

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. A larger DSCP value represents a higher priority.

To set the DSCP value for outgoing DNS packets:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Set the DSCP value for outgoing DNS packets.

·     DSCP value for IPv4 DNS packets:
dns dscp dscp-value

·     DSCP value for IPv6 DNS packets:
ipv6 dns dscp dscp-value

By default, the DSCP value for outgoing DNS packets is 0.

The configuration is available on DNS clients and DNS proxy devices.

 

Displaying and maintaining DNS

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display the domain name resolution table.

display dns host [ ip | ipv6 ]

Display IPv4 DNS server information.

display dns server [ dynamic ]

Display IPv6 DNS server information.

display ipv6 dns server [ dynamic ]

Display DNS suffixes.

display dns domain [ dynamic ]

Clear information about the dynamic domain name cache.

reset dns host [ ip | ipv6 ]

 

IPv4 DNS configuration examples

Static domain name resolution configuration example

Network requirements

As shown in Figure 30, the host at 10.1.1.2 has the domain name host.com. Configure static IPv4 DNS on the AC so that the client can use the easy-to-remember domain name rather than the IP address to access the host.

Figure 30 Network diagram

 

Configuration procedure

# Configure WLAN access on the AC. For more information about WLAN access configuration, see WLAN Configuration Guide. (Details not shown.)

# Configure a mapping between the host name host.com and the IP address 10.1.1.2.

<AC> system-view

[AC] ip host host.com 10.1.1.2

# Verify that the AC can use static domain name resolution to resolve the domain name host.com into the IP address 10.1.1.2.

[AC] ping host.com

Ping host.com (10.1.1.2): 56 data bytes, press CTRL_C to break

56 bytes from 10.1.1.2: icmp_seq=0 ttl=255 time=1.000 ms

56 bytes from 10.1.1.2: icmp_seq=1 ttl=255 time=1.000 ms

56 bytes from 10.1.1.2: icmp_seq=2 ttl=255 time=1.000 ms

56 bytes from 10.1.1.2: icmp_seq=3 ttl=255 time=1.000 ms

56 bytes from 10.1.1.2: icmp_seq=4 ttl=255 time=2.000 ms

 

--- Ping statistics for host.com ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/1.200/2.000/0.400 ms

Dynamic domain name resolution configuration example

Network requirements

As shown in Figure 31, configure the DNS server to store the mapping between the host's domain name host and IPv4 address 3.1.1.1/16 in the com domain. Configure dynamic IPv4 DNS and the DNS suffix com on the AC so that the client can use the domain name host to access the host.

Figure 31 Network diagram

 

Configuration procedure

Before performing the following configuration, make sure the following requirements are met:

·     The AC and the host can reach each other.

·     The IP addresses of the interfaces are configured as shown in Figure 31.

1.     Configure WLAN access on the AC. For more information about WLAN access configuration, see WLAN Configuration Guide. (Details not shown.)

2.     Configure the DNS server:

The configuration might vary by DNS server. The following configuration is performed on a PC running Windows Server 2008 R2.

a.     Select Start > Programs > Administrative Tools > DNS.

The DNS server configuration page appears, as shown in Figure 32.

b.     Right-click Forward Lookup Zones, select New Zone, and then follow the wizard to create a new zone named com.

Figure 32 Creating a zone

 

c.     On the DNS server configuration page, right-click zone com and select New Host.

Figure 33 Adding a host

 

d.     On the page that appears, enter the host name host and the IP address 3.1.1.1.

e.     Click Add Host.

The mapping between the IP address and host name is created.

Figure 34 Adding a mapping between domain name and IP address

 

3.     Configure the DNS client:

# Specify the DNS server 2.1.1.2.

<AC> system-view

[AC] dns server 2.1.1.2

# Specify com as the name suffix.

[AC] dns domain com

Verifying the configuration

# Verify that the AC can use dynamic domain name resolution to resolve the domain name host.com into the IP address 3.1.1.1.

[AC] ping host

Ping host.com (3.1.1.1): 56 data bytes, press CTRL_C to break

56 bytes from 3.1.1.1: icmp_seq=0 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=1 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=2 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=3 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=4 ttl=255 time=2.000 ms

 

--- Ping statistics for host ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/1.200/2.000/0.400 ms

DNS proxy configuration example

Network requirements

As shown in Figure 35, configure the AC as the DNS proxy to forward DNS packets between DNS clients and the DNS server at 4.1.1.1.

Figure 35 Network diagram

 

Configuration procedure

Before performing the following configuration, make sure the following requirements are met:

·     The AC, the DNS server, and the host can reach one another.

·     The IP addresses of the interfaces are configured as shown in Figure 35.

1.     Configure WLAN access on the AC. For more information about WLAN access configuration, see WLAN Configuration Guide. (Details not shown.)

2.     Configure the DNS server:

The configuration might vary by DNS server. When a PC running Windows Server 2008 R2 acts as the DNS server, see "Dynamic domain name resolution configuration example" for configuration information.

3.     Configure the DNS proxy:

# Specify the DNS server 4.1.1.1.

<AC> system-view

[AC] dns server 4.1.1.1

# Enable DNS proxy.

[AC] dns proxy enable

4.     Configure DNS clients and specify the DNS server 2.1.1.2 for the clients. (Details not shown.)

Verifying the configuration

# Verify that DNS proxy on the AC functions.

C:\Users\ss> ping host.com

Ping host.com (3.1.1.1): 56 data bytes, press CTRL_C to break

56 bytes from 3.1.1.1: icmp_seq=0 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=1 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=2 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=3 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=4 ttl=255 time=2.000 ms

 

--- Ping statistics for host.com ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/1.200/2.000/0.400 ms

IPv6 DNS configuration examples

Static domain name resolution configuration example

Network requirements

As shown in Figure 36, the host at 1::2 has the domain name host.com. Configure static IPv6 DNS on the AC so that the client can use the easy-to-remember domain name rather than the IPv6 address to access the host.

Figure 36 Network diagram


Configuration procedure

# Configure WLAN access on the AC. For more information about WLAN access configuration, see WLAN Configuration Guide. (Details not shown.)

# Configure a mapping between the host name host.com and the IPv6 address 1::2.

<AC> system-view

[AC] ipv6 host host.com 1::2

# Verify that the AC can use static domain name resolution to resolve the domain name host.com into the IPv6 address 1::2.

[AC] ping ipv6 host.com

Ping6(56 data bytes) 1::1 --> 1::2, press CTRL_C to break

56 bytes from 1::2, icmp_seq=0 hlim=128 time=1.000 ms

56 bytes from 1::2, icmp_seq=1 hlim=128 time=0.000 ms

56 bytes from 1::2, icmp_seq=2 hlim=128 time=1.000 ms

56 bytes from 1::2, icmp_seq=3 hlim=128 time=1.000 ms

56 bytes from 1::2, icmp_seq=4 hlim=128 time=0.000 ms

 

--- Ping6 statistics for host.com ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/0.600/1.000/0.490 ms

Dynamic domain name resolution configuration example

Network requirements

As shown in Figure 37, configure the DNS server to store the mapping between the host's domain name host and IPv6 address 1::1/64 in the com domain. Configure dynamic IPv6 DNS and the DNS suffix com on the AC so that the client can use the domain name host to access the host.

Figure 37 Network diagram


Configuration procedure

Before performing the following configuration, make sure the following requirements are met:

·     The AC and the host can reach each other.

·     The IPv6 addresses of the interfaces are configured as shown in Figure 37.

1.     Configure WLAN access on the AC. For more information about WLAN access configuration, see WLAN Configuration Guide. (Details not shown.)

2.     Configure the DNS server:

The configuration might vary by DNS server. The following configuration is performed on a PC running Windows Server 2008 R2. Make sure the DNS server supports IPv6 DNS so that the server can process IPv6 DNS packets and its interfaces can forward IPv6 packets.

a.     Select Start > Programs > Administrative Tools > DNS.

The DNS server configuration page appears, as shown in Figure 38.

b.     Right-click Forward Lookup Zones, select New Zone, and then follow the wizard to create a new zone named com.

Figure 38 Creating a zone


c.     On the DNS server configuration page, right-click zone com and select New Host.

Figure 39 Adding a host


d.     On the page that appears, enter the host name host and the IPv6 address 1::1.

e.     Click Add Host.

The mapping between the IPv6 address and host name is created.

Figure 40 Adding a mapping between domain name and IPv6 address


3.     Configure the DNS client:

# Specify the DNS server 2::2.

<AC> system-view

[AC] ipv6 dns server 2::2

# Configure com as the DNS suffix.

[AC] dns domain com

Verifying the configuration

# Verify that the AC can use dynamic domain name resolution to resolve the domain name host.com into the IPv6 address 1::1.

[AC] ping ipv6 host

Ping6(56 data bytes) 3::1 --> 1::1, press CTRL_C to break

56 bytes from 1::1, icmp_seq=0 hlim=128 time=1.000 ms

56 bytes from 1::1, icmp_seq=1 hlim=128 time=0.000 ms

56 bytes from 1::1, icmp_seq=2 hlim=128 time=1.000 ms

56 bytes from 1::1, icmp_seq=3 hlim=128 time=1.000 ms

56 bytes from 1::1, icmp_seq=4 hlim=128 time=0.000 ms

 

--- Ping6 statistics for host ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/0.600/1.000/0.490 ms

DNS proxy configuration example

Network requirements

As shown in Figure 41, configure the AC as the DNS proxy to forward DNS packets between DNS clients and the DNS server at 4000::1.

Figure 41 Network diagram


Configuration procedure

Before performing the following configuration, make sure the following requirements are met:

·     The AC, the DNS server, and the host can reach one another.

·     The IPv6 addresses of the interfaces are configured as shown in Figure 41.

1.     Configure WLAN access on the AC. For more information about WLAN access configuration, see WLAN Configuration Guide. (Details not shown.)

2.     Configure the DNS server:

This configuration might vary by DNS server. When a PC running Windows Server 2008 R2 acts as the DNS server, see "Dynamic domain name resolution configuration example" for configuration information.

3.     Configure the DNS proxy:

# Specify the DNS server 4000::1.

<AC> system-view

[AC] ipv6 dns server 4000::1

# Enable DNS proxy.

[AC] dns proxy enable

4.     Configure DNS clients and specify the DNS server 2000::2 for the clients. (Details not shown.)

Verifying the configuration

# Verify that DNS proxy on the AC functions.

C:\Users\ss> ping host.com

Ping6(56 data bytes) 2000::1 --> 3000::1, press CTRL_C to break

56 bytes from 3000::1, icmp_seq=0 hlim=128 time=1.000 ms

56 bytes from 3000::1, icmp_seq=1 hlim=128 time=0.000 ms

56 bytes from 3000::1, icmp_seq=2 hlim=128 time=1.000 ms

56 bytes from 3000::1, icmp_seq=3 hlim=128 time=1.000 ms

56 bytes from 3000::1, icmp_seq=4 hlim=128 time=0.000 ms

 

--- Ping6 statistics for host.com ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/0.600/1.000/0.490 ms
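The two DNS proxy examples above (IPv4 and IPv6) both rely on the AC forwarding each client query to the configured server and relaying the matching reply. The following added example, which is not H3C code, models that forwarding path in Python with a constructed stand-in for the DNS server at 4.1.1.1 answering host.com with 3.1.1.1; the transaction ID and question-section check in reply_matches is the verification a proxy should perform before relaying any reply to a client.

```python
"""Model of the AC's DNS proxy (dns proxy enable): forward a client query to the configured
server and relay only a reply whose ID and question match. Added example, not H3C code."""

import socket
import struct
import threading

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a standard DNS query (RD set) for name; qtype 1 = A, 28 = AAAA."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def question_end(msg: bytes) -> int:
    """Offset just past the single question (QNAME + QTYPE + QCLASS); queries use no compression."""
    return 12 + msg[12:].index(b"\x00") + 1 + 4

def reply_matches(query: bytes, reply: bytes) -> bool:
    """Accept a reply only if its transaction ID and question equal those of the forwarded query."""
    end = question_end(query)
    return len(reply) >= end and reply[:2] == query[:2] and reply[12:end] == query[12:end]

def stub_server(sock: socket.socket, ipv4: bytes) -> None:
    """Constructed stand-in for the DNS server at 4.1.1.1: answers one query with an A record."""
    data, peer = sock.recvfrom(512)
    hdr = data[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)   # same ID; QR, RD, RA; 1 answer
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipv4   # name pointer to offset 12
    sock.sendto(hdr + data[12:question_end(data)] + rr, peer)

def proxy_resolve(query, server, timeout=2.0):
    """Per client query: forward to the configured server and relay the reply, or None on failure."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, server)
        try:
            reply, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return reply if reply_matches(query, reply) else None

def parse_a_record(reply: bytes) -> str:
    """IPv4 address of the single A answer (RDATA is the last 4 bytes of the stub's reply)."""
    return ".".join(str(b) for b in reply[-4:])

def demo() -> str:
    """Resolve host.com through the proxy logic against the local stub server (constructed data)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    threading.Thread(target=stub_server, args=(srv, bytes([3, 1, 1, 1])), daemon=True).start()
    reply = proxy_resolve(build_query("host.com"), srv.getsockname())
    srv.close()
    return parse_a_record(reply) if reply else ""
```

A reply whose ID or question differs from the forwarded query is dropped rather than relayed, which is the minimum a proxy needs so that an unsolicited response cannot be handed back to a client.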

Troubleshooting IPv4 DNS configuration

Failure to resolve IPv4 addresses

Symptom

After enabling dynamic domain name resolution, the user cannot get the correct IP address.

Solution

To resolve the problem:

1.     Use the display dns host ip command to verify that the specified domain name is in the cache.

2.     If the specified domain name does not exist, check that the DNS client can communicate with the DNS server.

3.     If the specified domain name is in the cache, but the IP address is incorrect, check that the DNS client has the correct IP address of the DNS server.

4.     Verify that the mapping between the domain name and IP address is correct on the DNS server.

Troubleshooting IPv6 DNS configuration

Failure to resolve IPv6 addresses

Symptom

After enabling dynamic domain name resolution, the user cannot get the correct IPv6 address.

Solution

To resolve the problem:

1.     Use the display dns host ipv6 command to verify that the specified domain name is in the cache.

2.     If the specified domain name does not exist, check that dynamic domain name resolution is enabled, and that the DNS client can communicate with the DNS server.

3.     If the specified domain name is in the cache, but the IPv6 address is incorrect, check that the DNS client has the correct IPv6 address of the DNS server.

4.     Verify that the mapping between the domain name and IPv6 address is correct on the DNS server.


Configuring DDNS

Overview

DNS provides only the static mappings between domain names and IP addresses. When the IP address of a node changes, your access to the node fails.

Dynamic Domain Name System (DDNS) can dynamically update the mappings between domain names and IP addresses for DNS servers.

DDNS is supported only by IPv4 DNS, and it is used to update the mappings between domain names and IPv4 addresses.

DDNS application

As shown in Figure 42, DDNS works on the client-server model.

·     DDNS client: A device that needs to update the mapping between its domain name and IP address dynamically on the DNS server when its IP address changes. An Internet user typically accesses an application layer server such as an HTTP server or an FTP server by using the server's domain name. When its IP address changes, the application layer server runs as a DDNS client. It sends a request to the DDNS server for updating the mapping between its domain name and its