HP 5500 Ei 5500 Si Switch Series Configuration Guide
Displaying and maintaining the DHCP client

Task: Display specified configuration information.
Command: display dhcp client [ verbose ] [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

DHCP client configuration example

Network requirements

As shown in Figure 35, on a LAN, Switch B contacts the DHCP server via VLAN-interface 2 to obtain an IP address, DNS server address, and static route information. The IP address resides on network 10.1.1.0/24. The DNS server address is 20.1.1.1. The next hop of the static route to network 20.1.1.0/24 is 10.1.1.2.

The DHCP server uses Option 121 to assign static route information to DHCP clients. The destination descriptor field comprises two parts, subnet mask length and destination network address. In this example, the value of the destination descriptor field takes 18 14 01 01, a hexadecimal number indicating that the subnet mask length is 24 and the destination network address is 20.1.1.0. The value of the next hop address field takes 0A 01 01 02, a hexadecimal number indicating that the next hop is 10.1.1.2.

Figure 35 Network diagram

Configuration procedure

1. Configure Switch A:

# Specify the IP address of VLAN-interface 2.
system-view
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 10.1.1.1 24
[SwitchA-Vlan-interface2] quit

# Enable the DHCP service.
[SwitchA] dhcp enable

# Exclude an IP address from automatic allocation.
[SwitchA] dhcp server forbidden-ip 10.1.1.2
# Configure DHCP address pool 0 and specify the subnet, lease duration, DNS server address, and a static route to subnet 20.1.1.0/24.
[SwitchA] dhcp server ip-pool 0
[SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
[SwitchA-dhcp-pool-0] expired day 10
[SwitchA-dhcp-pool-0] dns-list 20.1.1.1
[SwitchA-dhcp-pool-0] option 121 hex 18 14 01 01 0A 01 01 02

2. Configure Switch B:

# Enable the DHCP client on VLAN-interface 2.
system-view
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address dhcp-alloc

Verifying the configuration

# Use the display dhcp client command to view the IP address and other network parameters assigned to Switch B.
[SwitchB-Vlan-interface2] display dhcp client verbose
Vlan-interface2 DHCP client information:
 Current machine state: BOUND
 Allocated IP: 10.1.1.3 255.255.255.0
 Allocated lease: 864000 seconds, T1: 432000 seconds, T2: 756000 seconds
 Lease from 2009.02.20 11:06:35 to 2009.03.02 11:06:35
 DHCP server: 10.1.1.1
 Transaction ID: 0x410090f0
 Classless static route:
   Destination: 20.1.1.0, Mask: 255.255.255.0, NextHop: 10.1.1.2
 DNS server: 20.1.1.1
 Client ID: 3030-3066-2e65-3230-302e-3030-3032-2d45-7468-6572-6e65-7430-2f30
 T1 will timeout in 4 days 23 hours 59 minutes 50 seconds.

# Use the display ip routing-table command to view the route information on Switch B. A static route to network 20.1.1.0/24 is added to the routing table.
[SwitchB-Vlan-interface2] display ip routing-table
Routing Tables: Public
        Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost  NextHop      Interface
10.1.1.0/24         Direct  0    0     10.1.1.3     Vlan2
10.1.1.3/32         Direct  0    0     127.0.0.1    InLoop0
20.1.1.0/24         Static  70   0     10.1.1.2     Vlan2
127.0.0.0/8         Direct  0    0     127.0.0.1    InLoop0
127.0.0.1/32        Direct  0    0     127.0.0.1    InLoop0
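As an added illustration (this is not code from the guide or from HP), the Option 121 encoding described above carried through in Python: it builds the hex string that the option 121 hex command takes from a list of destination/next-hop pairs and decodes such a payload back, generalising to any prefix length (only the significant destination octets are sent, so a default route carries none). The function names are this example's own.

```python
# Added example, not the switch's code: RFC 3442 classless static route
# (DHCP Option 121) encoder/decoder in the form the example pool uses.
import ipaddress

def encode_option121(routes):
    """Build the Option 121 payload for a list of (destination CIDR, next hop).
    Each route is: 1 octet prefix length, ceil(len/8) significant octets of
    the destination network, then the 4-octet next hop address."""
    out = bytearray()
    for cidr, nexthop in routes:
        net = ipaddress.IPv4Network(cidr)        # strict: host bits must be 0
        nsig = (net.prefixlen + 7) // 8          # a /24 sends 3 octets, a /0 none
        out.append(net.prefixlen)
        out += net.network_address.packed[:nsig]
        out += ipaddress.IPv4Address(nexthop).packed
    return bytes(out)

def decode_option121(payload):
    """Parse an Option 121 payload into [(destination CIDR, next hop)].
    Raises ValueError on a malformed or truncated entry instead of guessing."""
    routes = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError("prefix length %d out of range" % plen)
        nsig = (plen + 7) // 8
        if i + 1 + nsig + 4 > len(payload):
            raise ValueError("truncated route entry at offset %d" % i)
        # Pad the omitted low-order destination octets back with zeros.
        dest = payload[i + 1:i + 1 + nsig] + b"\x00" * (4 - nsig)
        nexthop = payload[i + 1 + nsig:i + 5 + nsig]
        routes.append((str(ipaddress.IPv4Network((dest, plen))),
                       str(ipaddress.IPv4Address(nexthop))))
        i += 5 + nsig
    return routes

def to_cli_hex(payload):
    """Format the payload the way the 'option 121 hex ...' command takes it."""
    return " ".join("%02X" % b for b in payload)

def from_cli_hex(text):
    """Inverse of to_cli_hex: whitespace-separated hex octets to bytes."""
    return bytes.fromhex(text)

if __name__ == "__main__":
    payload = encode_option121([("20.1.1.0/24", "10.1.1.2")])
    print(to_cli_hex(payload))        # the value used in the pool above
    print(decode_option121(payload))
```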
Configuring DHCP snooping

The DHCP snooping-enabled device must be either between the DHCP client and relay agent, or between the DHCP client and server. It does not work if it is between the DHCP relay agent and DHCP server.

DHCP snooping functions

DHCP snooping can:
1. Ensure that DHCP clients obtain IP addresses from authorized DHCP servers.
2. Record IP-to-MAC mappings of DHCP clients.

Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers

With DHCP snooping, the ports of a switch can be configured as trusted or untrusted to make sure that clients obtain IP addresses only from authorized DHCP servers.
• Trusted—A trusted port forwards DHCP messages normally to ensure the clients get IP addresses from an authorized DHCP server.
• Untrusted—An untrusted port discards received DHCP-ACK and DHCP-OFFER messages to avoid IP address allocation from any unauthorized server.

Configure ports that connect to authorized DHCP servers or other DHCP snooping devices as trusted, and configure other ports as untrusted.

Recording IP-to-MAC mappings of DHCP clients

DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to record DHCP snooping entries. A DHCP snooping entry includes the MAC and IP addresses of the client, the port that connects to the DHCP client, and the VLAN of the port. Using DHCP snooping entries, DHCP snooping can implement the following functions:
• ARP detection—Whether ARP packets are sent from an authorized client is determined based on DHCP snooping entries. This feature prevents ARP attacks from unauthorized clients. For more information, see the Security Configuration Guide.
• IP source guard—IP source guard uses dynamic binding entries generated by DHCP snooping to filter packets on a per-port basis. This prevents unauthorized packets from traveling through. For more information, see the Security Configuration Guide.
• VLAN mapping—The device replaces service provider VLANs (SVLANs) in packets with customer VLANs (CVLANs) by searching corresponding DHCP snooping entries for DHCP client information including IP addresses, MAC addresses, and CVLANs, before sending the packets to clients. For more information, see Layer 2—LAN Switching Configuration Guide.
Application environment of trusted ports

Configuring a trusted port connected to a DHCP server

As shown in Figure 36, the DHCP snooping device port that is connected to an authorized DHCP server should be configured as a trusted port. The trusted port forwards reply messages from the authorized DHCP server to the client, but the untrusted port does not forward reply messages from the unauthorized DHCP server. This ensures that the DHCP client obtains an IP address from the authorized DHCP server.

Figure 36 Configuring trusted and untrusted ports

Configuring trusted ports in a cascaded network

In a cascaded network involving multiple DHCP snooping devices, the ports connected to other DHCP snooping devices should be configured as trusted ports. To save system resources, you can disable the trusted ports, which are indirectly connected to DHCP clients, from recording client IP-to-MAC bindings upon receiving DHCP requests.
Figure 37 Configuring trusted ports in a cascaded network

Table 4 Roles of ports

Device    Untrusted port                                   Trusted port disabled from recording binding entries   Trusted port enabled to record binding entries
Switch A  GigabitEthernet 1/0/1                            GigabitEthernet 1/0/3                                  GigabitEthernet 1/0/2
Switch B  GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4  GigabitEthernet 1/0/1                                  GigabitEthernet 1/0/2
Switch C  GigabitEthernet 1/0/1                            GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4        GigabitEthernet 1/0/2

DHCP snooping support for Option 82

Option 82 records the location information of the DHCP client so the administrator can locate the DHCP client for security control and accounting purposes. For more information, see Configuring DHCP relay agent.

If DHCP snooping supports Option 82, it handles a client's request according to the contents defined in Option 82, if any. The handling strategies are described in Table 5. If a reply returned by the DHCP server contains Option 82, the DHCP snooping device removes the Option 82 before forwarding the reply to the client. If the reply contains no Option 82, the DHCP snooping device forwards it directly.

Table 5 Handling strategies of DHCP snooping

If a client's requesting message has…  Handling strategy  Padding format  The DHCP snooping device will…
Option 82                               Drop               N/A             Drop the message.
Option 82                               Keep               Random          Forward the message without changing Option 82.
Option 82                               Replace            normal          Forward the message after replacing the original Option 82 with the Option 82 padded in normal format.
Option 82                               Replace            verbose         Forward the message after replacing the original Option 82 with the Option 82 padded in verbose format.
Option 82                               Replace            user-defined    Forward the message after replacing the original Option 82 with the user-defined Option 82.
Option 82                               Append             normal          Forward the message without changing Option 82.
Option 82                               Append             verbose         Forward the message without changing Option 82.
Option 82                               Append             private         Forward the message after adding sub-option 9 to Option 82, or adding content to the sub-option 9 that Option 82 contains.
Option 82                               Append             standard        Forward the message without changing Option 82.
Option 82                               Append             user-defined    Forward the message without changing Option 82.
no Option 82                            N/A                normal          Forward the message after adding the Option 82 padded in normal format.
no Option 82                            N/A                private         Forward the message after adding the Option 82 padded in private format.
no Option 82                            N/A                standard        Forward the message after adding the Option 82 padded in standard format.
no Option 82                            N/A                verbose         Forward the message after adding the Option 82 padded in verbose format.
no Option 82                            N/A                user-defined    Forward the message after adding the user-defined Option 82.

The handling strategy and padding format for Option 82 on the DHCP snooping device are the same as those on the relay agent.

DHCP snooping configuration task list

Task                                                  Remarks
Configuring DHCP snooping basic functions             Required
Configuring DHCP snooping to support Option 82        Optional
Configuring DHCP snooping entries backup              Optional
Enabling DHCP starvation attack protection            Optional
Enabling DHCP-REQUEST message attack protection       Optional
Configuring DHCP packet rate limit                    Optional

Configuring DHCP snooping basic functions

Configuration guidelines

Follow these guidelines when configuring DHCP snooping basic functions:
• You must specify the ports connected to the authorized DHCP servers as trusted to make sure that DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client must be in the same VLAN.
• You can specify Layer 2 Ethernet ports and Layer 2 aggregate interfaces as trusted ports. For more information about aggregate interfaces, see the Layer 2—LAN Switching Configuration Guide.
• If a Layer 2 Ethernet port is added to an aggregation group, the DHCP snooping configuration of the interface will not take effect. After the interface quits the aggregation group, the configuration will be effective.
• DHCP snooping can work with basic QinQ or flexible QinQ. When receiving a packet without any VLAN tag from the DHCP client to the DHCP server, the DHCP snooping device adds a VLAN tag to the packet. If the packet has one VLAN tag, the device adds another VLAN tag to the packet and records the two VLAN tags in a DHCP snooping entry. The newly added VLAN tag is the outer tag. If the packet has two VLAN tags, the device directly forwards the packet to the DHCP server without adding any tag.
• If you need to add a new VLAN tag and at the same time modify the original VLAN tag of the packet, DHCP snooping cannot work with flexible QinQ.

Configuration procedure

To configure DHCP snooping basic functions:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable DHCP snooping.
   Command: dhcp-snooping
   Remarks: Disabled by default.
3. Enter Ethernet interface view.
   Command: interface interface-type interface-number
   Remarks: The interface connects to the DHCP server.
4. Specify the port as a trusted port that records the IP-to-MAC bindings of clients.
   Command: dhcp-snooping trust
   Remarks: After DHCP snooping is enabled, a port is an untrusted port by default.
5. Return to system view.
   Command: quit
   Remarks: N/A
6. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: The interface indirectly connects to the DHCP client.
7. Specify the port as a trusted port that does not record the IP-to-MAC bindings of clients.
   Command: dhcp-snooping trust no-user-binding
   Remarks: Optional. After DHCP snooping is enabled, a port is an untrusted port by default.
Configuring DHCP snooping to support Option 82

Configuration guidelines

Follow these guidelines when configuring DHCP snooping to support Option 82:
• You can only enable DHCP snooping to support Option 82 on Layer 2 Ethernet ports and Layer 2 aggregate interfaces.
• If a Layer 2 Ethernet port is added to an aggregation group, enabling DHCP snooping to support Option 82 on the interface will not take effect. After the interface quits the aggregation group, the configuration will be effective.
• Option 82 support requires configuration on both the DHCP server and the device enabled with DHCP snooping. See Configuring DHCP server for DHCP server configuration of this kind.
• If the handling strategy of the DHCP-snooping-enabled device is configured as replace, you need to configure a padding format for Option 82. If the handling strategy is keep or drop, you need not configure any padding format.
• If the Option 82 is padded with the device name, the device name must contain no spaces. Otherwise, the DHCP-snooping device will drop the message. You can use the sysname command to specify the device name. For more information about this command, see the Fundamentals Command Reference.
• If DHCP snooping and QinQ work together, or the DHCP snooping device receives a DHCP packet with two VLAN tags, and the normal or verbose padding format is adopted for Option 82, DHCP snooping fills the VLAN ID field of sub-option 1 with outer VLAN tag.inner VLAN tag. For example, if the outer VLAN tag is 10 (a in hexadecimal) and the inner VLAN tag is 20 (14 in hexadecimal), the VLAN ID is 000a.0014.

Configuration procedure

To configure DHCP snooping to support Option 82:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable DHCP snooping to support Option 82.
   Command: dhcp-snooping information enable
   Remarks: Disabled by default.
4. Configure the handling strategy for requests containing Option 82.
   Command: dhcp-snooping information strategy { append | drop | keep | replace }
   Remarks: Optional. replace by default.
5. Configure Option 82 in the non-user-defined padding format.
   Commands:
   • Configure the padding format for Option 82:
     dhcp-snooping information format { normal | private | standard | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] }
   • Configure the code type for the circuit ID sub-option:
     dhcp-snooping information circuit-id format-type { ascii | hex }
   • Configure the code type for the remote ID sub-option:
     dhcp-snooping information remote-id format-type { ascii | hex }
   • Enable sub-option 9:
     dhcp-snooping information [ vlan vlan-id ] sub-option sub-option-code
   Remarks: Optional. By default,
   • The padding format for Option 82 is normal.
   • The code type for the circuit ID sub-option depends on the padding format of Option 82. Each field has its own code type.
   • The code type for the remote ID sub-option is hex.
   • Sub-option 9 is not enabled.
   Hex configuration applies to the private padding format only. The code type configuration for the circuit ID sub-option and remote ID sub-option applies to non-user-defined Option 82 only. For sub-option 9, when the append strategy is adopted, the sysname and the primary IP address of the Loopback0 interface are padded. When some other strategy is adopted, only the sysname is padded.
6. Configure user-defined Option 82.
   Commands:
   • Configure the padding content for the circuit ID sub-option:
     dhcp-snooping information [ vlan vlan-id ] circuit-id string circuit-id
   • Configure the padding content for the remote ID sub-option:
     dhcp-snooping information [ vlan vlan-id ] remote-id string { remote-id | sysname }
   • Configure the padding content for sub-option 9:
     dhcp-snooping information [ vlan vlan-id ] sub-option sub-option-code [ string user-string & ]
   Remarks: Optional. By default,
   • The padding content for the circuit ID sub-option depends on the padding format of Option 82.
   • The padding content for the remote ID sub-option depends on the padding format of Option 82.
   • Sub-option 9 is not padded.

Configuring DHCP snooping entries backup

DHCP snooping entries cannot survive a reboot. If the DHCP snooping device is rebooted, security modules (such as IP source guard) that use DHCP snooping entries to authenticate users will reject requests from clients until new entries are learned.

The DHCP snooping entries backup feature enables you to store DHCP snooping entries in a file. When the DHCP snooping device reboots, it reads DHCP snooping entries from this file.

After DHCP snooping is disabled with the undo dhcp-snooping command, the device will delete all DHCP snooping entries, including those stored in the file.
To configure DHCP snooping entries backup:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Specify the name of the file for storing DHCP snooping entries.
   Command: dhcp-snooping binding database filename filename
   Remarks: Not specified by default. DHCP snooping entries are stored immediately after this command is used and then updated at the interval set by the dhcp-snooping binding database update interval command.
3. Back up DHCP snooping entries to the file.
   Command: dhcp-snooping binding database update now
   Remarks: Optional. DHCP snooping entries will be stored to the file each time this command is used.
4. Set the interval at which the DHCP snooping entry file is refreshed.
   Command: dhcp-snooping binding database update interval minutes
   Remarks: Optional. By default, the file is not refreshed periodically.

Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server may also fail to work because of exhaustion of system resources.

You can protect against starvation attacks in the following ways:
• To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, you can limit the number of MAC addresses that a Layer 2 port can learn.
• To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, enable MAC address check on the DHCP snooping device. With this function enabled, the DHCP snooping device compares the chaddr field of a received DHCP request with the source MAC address field of the frame. If they are the same, the request is considered valid and forwarded to the DHCP server; if not, the request is discarded.

Enable MAC address check only on Layer 2 Ethernet ports and Layer 2 aggregate interfaces.

To enable MAC address check:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable MAC address check.
   Command: dhcp-snooping check mac-address
   Remarks: Disabled by default.
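As an added illustration that is not part of the guide or of HP's implementation, a Python model of two checks described in this chapter: the untrusted-port rule from "DHCP snooping functions" (DHCP-OFFER and DHCP-ACK received on untrusted ports are discarded, and IP-to-MAC entries are recorded from trusted ports) and the MAC address check used for starvation attack protection. The build_dhcp, parse_dhcp and snoop functions and the sample messages are constructed here; the ingress port's trust state and the frame's source MAC are passed in, since the switch takes them from the port and the Ethernet header.

```python
# Added example, not the switch's code: a model of DHCP snooping decisions
# applied to the DHCP payload (the bytes after the UDP header).
MAGIC = b"\x63\x82\x53\x63"                    # DHCP magic cookie at offset 236
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5     # option 53 message types

def build_dhcp(op, chaddr, msg_type, yiaddr=b"\x00" * 4):
    """Construct a minimal BOOTP/DHCP payload (sample data, not a capture)."""
    hdr = bytes([op, 1, 6, 0]) + b"\x00" * 12 + yiaddr + b"\x00" * 8
    hdr += chaddr + b"\x00" * (16 - len(chaddr))   # 16-octet chaddr field
    hdr += b"\x00" * 192                           # sname (64) + file (128)
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])

def parse_dhcp(payload):
    """Return (chaddr, yiaddr, message type); raise ValueError if malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    hlen = min(payload[2], 16)
    chaddr, yiaddr = payload[28:28 + hlen], payload[16:20]
    msg_type, i = None, 240
    while i < len(payload) and payload[i] != 255:  # walk TLV options to End
        if payload[i] == 0:                        # Pad option has no length
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            msg_type = payload[i + 2]
        i += 2 + length
    return chaddr, yiaddr, msg_type

def snoop(port_trusted, src_mac, payload, bindings, mac_check=True):
    """Decide "forward" or "drop: <reason>" for one DHCP message and, for an
    ACK from a trusted port, record the client's IP-to-MAC snooping entry
    (the real entry also holds the port and VLAN; omitted here)."""
    chaddr, yiaddr, msg_type = parse_dhcp(payload)
    # Server replies arriving on an untrusted port can only come from an
    # unauthorized server: never forward them.
    if not port_trusted and msg_type in (OFFER, ACK):
        return "drop: server reply on untrusted port"
    # MAC address check (starvation protection): the chaddr of a client
    # request must equal the frame's source MAC.
    if mac_check and msg_type in (DISCOVER, REQUEST) and chaddr != src_mac:
        return "drop: chaddr does not match frame source MAC"
    if port_trusted and msg_type == ACK:
        ip = ".".join(str(b) for b in yiaddr)
        bindings[ip] = "-".join("%02x" % b for b in chaddr)
    return "forward"
```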