HP 5500 Ei 5500 Si Switch Series Configuration Guide
Enabling DHCP-REQUEST message attack protection
Attackers can forge DHCP-REQUEST messages to renew the IP address leases of legitimate DHCP clients that no longer need those addresses. The forged messages keep the victim DHCP server renewing the leases instead of releasing the addresses, which exhausts the address pool.
To defend against such attacks, enable DHCP-REQUEST message check on DHCP snooping devices. With this feature enabled, a DHCP snooping device that receives a DHCP-REQUEST message looks up its local DHCP snooping entries for the entry that corresponds to the message. If an entry is found, the device compares the entry with the message. If they are consistent, the DHCP-REQUEST message is considered a valid lease renewal request and is forwarded to the DHCP server. If they are not consistent, the message is considered a forged lease renewal request and is discarded. If no corresponding entry is found, the message is considered valid and is forwarded to the DHCP server.
Note that the last rule means the check only protects bindings the snooping device has already learned: a forged renewal for a client that has no snooping entry is still forwarded.
Enable DHCP-REQUEST message check only on Layer 2 Ethernet ports and Layer 2 aggregate interfaces.
To enable DHCP-REQUEST message check:

Step 1. Enter system view.
        Command: system-view
Step 2. Enter interface view.
        Command: interface interface-type interface-number
Step 3. Enable DHCP-REQUEST message check.
        Command: dhcp-snooping check request-message
        Remarks: Disabled by default.
     
Configuring DHCP packet rate limit
Configuration guidelines
•   You can configure DHCP packet rate limit only on Layer 2 Ethernet ports and Layer 2 aggregate interfaces.
•   If a Layer 2 Ethernet port belongs to an aggregation group, it uses the DHCP packet maximum rate configured on the corresponding Layer 2 aggregate interface.
•   To identify DHCP packets from unauthorized DHCP servers, DHCP snooping delivers all incoming DHCP packets to the CPU. If a malicious user sends a large number of DHCP requests to the DHCP snooping device, the CPU of the device is overloaded, and the device may even crash. To solve this problem, configure DHCP packet rate limit on the relevant interfaces. Because the limit is the maximum rate of incoming DHCP packets on the interface, it also bounds how much DHCP traffic an attacker on that port can push through the other snooping checks.
Configuration procedure
To configure DHCP packet rate limit:

Step 1. Enter system view.
        Command: system-view
Step 2. Enter Layer 2 Ethernet port view or Layer 2 aggregate interface view.
        Command: interface interface-type interface-number
Step 3. Configure the maximum rate of incoming DHCP packets.
        Command: dhcp-snooping rate-limit rate
        Remarks: Not configured by default.
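The following Python model is an added example, not Comware code and not part of this guide. It implements the two decisions described in this section and the previous one on constructed traffic: the DHCP-REQUEST message check against the snooping entry table, and the per-port rate limit on incoming DHCP packets. The fields compared (MAC, IP, VLAN, ingress port), the MAC-keyed lookup and the one-second rate window are assumptions made for the illustration; the real device compares whatever its snooping entry holds.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """A DHCP snooping entry learned from a DHCP-ACK seen on a trusted port."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass(frozen=True)
class DhcpRequest:
    """The parts of an incoming DHCP-REQUEST the check compares (assumed set)."""
    mac: str    # chaddr
    ip: str     # address the client wants to renew
    vlan: int   # VLAN the frame arrived in
    port: str   # Layer 2 port the frame arrived on


class SnoopingDevice:
    """Untrusted-port handling of a DHCP snooping device (simplified model)."""

    WINDOW_MS = 1000  # assumed: the rate limit is counted per second

    def __init__(self, rate_limit_pps=None):
        self.bindings = {}          # mac -> Binding (keying by MAC is an assumption)
        self.rate_limit_pps = rate_limit_pps
        self._arrivals = {}         # port -> deque of arrival times in ms

    def learn(self, binding):
        self.bindings[binding.mac] = binding

    def rate_limit_allows(self, port, now_ms):
        """Per-port sliding window; every incoming DHCP packet counts, valid or not."""
        if self.rate_limit_pps is None:
            return True
        q = self._arrivals.setdefault(port, deque())
        while q and now_ms - q[0] >= self.WINDOW_MS:
            q.popleft()
        if len(q) >= self.rate_limit_pps:
            return False
        q.append(now_ms)
        return True

    def check_request(self, req):
        """The documented DHCP-REQUEST check. Returns 'forward' or 'drop'."""
        entry = self.bindings.get(req.mac)
        if entry is None:
            return "forward"            # no entry: the message is treated as valid
        consistent = (entry.ip == req.ip
                      and entry.vlan == req.vlan
                      and entry.port == req.port)
        return "forward" if consistent else "drop"

    def handle(self, req, now_ms):
        """Rate limit first (it counts all DHCP packets), then the request check."""
        if not self.rate_limit_allows(req.port, now_ms):
            return "drop:rate-limit"
        return self.check_request(req)


def demo():
    """Constructed traffic: a real renewal, a forged one, then a flood."""
    dev = SnoopingDevice(rate_limit_pps=3)
    dev.learn(Binding("00:11:22:33:44:55", "10.0.0.10", 1, "GE1/0/2"))
    results = []
    # Legitimate renewal from the client's own port
    results.append(dev.handle(DhcpRequest("00:11:22:33:44:55", "10.0.0.10", 1, "GE1/0/2"), 0))
    # Forged renewal: same MAC and IP as the victim, but sent from another port
    results.append(dev.handle(DhcpRequest("00:11:22:33:44:55", "10.0.0.10", 1, "GE1/0/3"), 100))
    # Flood of requests with unknown MACs on GE1/0/3: the check forwards them
    # (no entry), the rate limit stops them once three packets fill the window
    for i in range(4):
        req = DhcpRequest(f"de:ad:be:ef:00:{i:02x}", "10.0.0.99", 1, "GE1/0/3")
        results.append(dev.handle(req, 200 + i * 10))
    return results
```

The flood in demo() is the case the guideline above warns about: each forged request has no snooping entry, so the REQUEST check alone lets it through, and only the rate limit protects the CPU.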
     
Displaying and maintaining DHCP snooping

Display DHCP snooping entries.
    Command: display dhcp-snooping [ ip ip-address ] [ | { begin | exclude | include } regular-expression ]
    Available in any view.
Display Option 82 configuration information on the DHCP snooping device.
    Command: display dhcp-snooping information { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
    Available in any view.
Display DHCP packet statistics on the DHCP snooping device.
    Command: display dhcp-snooping packet statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
    Available in any view.
Display information about trusted ports.
    Command: display dhcp-snooping trust [ | { begin | exclude | include } regular-expression ]
    Available in any view.
Display the DHCP snooping entry file information.
    Command: display dhcp-snooping binding database [ | { begin | exclude | include } regular-expression ]
    Available in any view.
Clear DHCP snooping entries.
    Command: reset dhcp-snooping { all | ip ip-address }
    Available in user view.
Clear DHCP packet statistics on the DHCP snooping device.
    Command: reset dhcp-snooping packet statistics [ slot slot-number ]
    Available in user view.
     
DHCP snooping configuration examples
DHCP snooping configuration example
Network requirements
As shown in Figure 38, Switch B is connected to a DHCP server through GigabitEthernet 1/0/1, and to two DHCP clients through GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3. GigabitEthernet 1/0/1 forwards DHCP server responses while the other two do not.
Switch B records clients' IP-to-MAC address bindings from DHCP-REQUEST messages and from DHCP-ACK messages received on trusted ports.
Figure 38 Network diagram
Configuration procedure
# Enable DHCP snooping.
<SwitchB> system-view
[SwitchB] dhcp-snooping
# Specify GigabitEthernet 1/0/1 as trusted.
[SwitchB] interface GigabitEthernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] dhcp-snooping trust
[SwitchB-GigabitEthernet1/0/1] quit
DHCP snooping Option 82 support configuration example
Network requirements
As shown in Figure 38, enable DHCP snooping and Option 82 support on Switch B.
•   Configure the handling strategy for DHCP requests containing Option 82 as replace.
•   On GigabitEthernet 1/0/2, configure the padding content for the circuit ID sub-option as company001 and for the remote ID sub-option as device001.
•   On GigabitEthernet 1/0/3, configure the padding format as verbose, the access node identifier as sysname, and the code type as ascii for Option 82.
•   Switch B forwards DHCP requests to the DHCP server (Switch A) after replacing Option 82 in the requests, so that the DHCP clients can obtain IP addresses.
Configuration procedure
# Enable DHCP snooping.
<SwitchB> system-view
[SwitchB] dhcp-snooping
# Specify GigabitEthernet 1/0/1 as trusted.
[SwitchB] interface GigabitEthernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] dhcp-snooping trust
[SwitchB-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 to support Option 82.
[SwitchB] interface GigabitEthernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] dhcp-snooping information enable
[SwitchB-GigabitEthernet1/0/2] dhcp-snooping information strategy replace
[SwitchB-GigabitEthernet1/0/2] dhcp-snooping information circuit-id string company001
[SwitchB-GigabitEthernet1/0/2] dhcp-snooping information remote-id string device001
[SwitchB-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet 1/0/3 to support Option 82.
[SwitchB] interface GigabitEthernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] dhcp-snooping information enable
[SwitchB-GigabitEthernet1/0/3] dhcp-snooping information strategy replace
[SwitchB-GigabitEthernet1/0/3] dhcp-snooping information format verbose node-identifier sysname
[SwitchB-GigabitEthernet1/0/3] dhcp-snooping information circuit-id format-type ascii
[SwitchB-GigabitEthernet1/0/3] dhcp-snooping information remote-id format-type ascii
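To show what the replace strategy configured on GigabitEthernet 1/0/2 does to a request, the Python below is an added example, not HP code and not part of this guide. It encodes Option 82 as defined in RFC 3046 (option code 82, sub-option 1 = circuit ID, sub-option 2 = remote ID) with the ASCII strings company001 and device001 from the example, and discards any Option 82 the client inserted itself before adding the switch's own. This is why replace is the right strategy on untrusted ports: a client cannot influence the circuit ID and remote ID the DHCP server sees. The DHCP option list is constructed for the illustration; only the RFC 3046 byte layout is modelled, not Comware's verbose padding format.

```python
OPT_PAD, OPT_END, OPT_MSG_TYPE, OPT_RELAY_AGENT = 0, 255, 53, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def parse_tlv(data, dhcp_framing=True):
    """Parse code/length/value triples. With dhcp_framing, code 0 is a pad byte
    and code 255 ends the list (DHCP options field after the magic cookie).
    Sub-options inside Option 82 use the same shape but have no pad/end codes."""
    items, i = [], 0
    while i < len(data):
        code = data[i]
        if dhcp_framing and code == OPT_PAD:
            i += 1
            continue
        if dhcp_framing and code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        items.append((code, bytes(value)))
        i += 2 + length
    return items


def build_tlv(items, dhcp_framing=True):
    """Serialize (code, value) pairs; append the End option for a DHCP options field."""
    out = bytearray()
    for code, value in items:
        if len(value) > 255:
            raise ValueError("option value too long")
        out += bytes([code, len(value)]) + value
    if dhcp_framing:
        out.append(OPT_END)
    return bytes(out)


def build_option82(circuit_id, remote_id):
    """Option 82 payload with ASCII circuit ID and remote ID sub-options."""
    return build_tlv([(SUB_CIRCUIT_ID, circuit_id.encode("ascii")),
                      (SUB_REMOTE_ID, remote_id.encode("ascii"))],
                     dhcp_framing=False)


def apply_replace_strategy(options, circuit_id, remote_id):
    """'replace': drop every Option 82 already in the request, then add ours."""
    kept = [(c, v) for c, v in parse_tlv(options) if c != OPT_RELAY_AGENT]
    kept.append((OPT_RELAY_AGENT, build_option82(circuit_id, remote_id)))
    return build_tlv(kept)


def read_option82(options):
    """Return {sub-option code: value}; require exactly one Option 82."""
    found = [v for c, v in parse_tlv(options) if c == OPT_RELAY_AGENT]
    if len(found) != 1:
        raise ValueError(f"expected exactly one Option 82, found {len(found)}")
    return dict(parse_tlv(found[0], dhcp_framing=False))


# Constructed DHCP-REQUEST option list from a client that injected its own
# Option 82 to claim a different circuit (the spoofing attempt replace defeats).
CLIENT_OPTIONS = build_tlv([
    (OPT_MSG_TYPE, b"\x03"),                                   # DHCPREQUEST
    (OPT_RELAY_AGENT, build_option82("uplink-room", "rogue")),
])
```

Calling apply_replace_strategy(CLIENT_OPTIONS, "company001", "device001") yields an option list whose only Option 82 carries the switch's values, with the message type option untouched.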
    Configuring BOOTP client 
    Overview 
    BOOTP application 
    After you specify an interface of a device as a BOOTP client, the interface can use BOOTP to get 
    information (such as IP address) from the BOOTP server. 
    To use BOOTP, an administrator must configure a BOOTP parameter file for each BOOTP client on the 
    BOOTP server. The parameter file contains information such as MAC address and IP address of a 
    BOOTP client. When a BOOTP client sends a request to the BOOTP server, the BOOTP server searches 
    for the BOOTP parameter file and returns the corresponding configuration information. 
    BOOTP is usually used in relatively stable environments. In network environments that change frequently, 
    DHCP is more suitable. 
    Because a DHCP server can interact with a BOOTP client, you can use the DHCP server to configure an 
    IP address for the BOOTP client, without any BOOTP server. 
Obtaining an IP address dynamically
A BOOTP client dynamically obtains an IP address from a BOOTP server in the following steps:
1.  The BOOTP client broadcasts a BOOTP request, which contains its own MAC address.
2.  The BOOTP server receives the request and searches the configuration file for the corresponding IP address and other information according to the MAC address of the BOOTP client. The BOOTP server then returns a BOOTP response to the BOOTP client.
3.  The BOOTP client obtains the IP address from the received response.
A DHCP server can take the place of the BOOTP server in the dynamic IP address acquisition described above.
    Protocols and standards 
    •   RFC 951, Bootstrap Protocol (BOOTP)  
    •   RFC 2132,  DHCP Options and BOOTP Vendor Extensions  
    •   RFC 1542,  Clarifications and Extensions  for the Bootstrap Protocol 
Configuration restrictions
•   BOOTP client configuration only applies to Layer 3 Ethernet ports, Layer 3 aggregate interfaces and VLAN interfaces.
•   If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay agent, the BOOTP server cannot be a Windows Server 2000 or Windows Server 2003.
•   You cannot configure an interface of an aggregation group as a BOOTP client.
Configuring an interface to dynamically obtain an IP address through BOOTP

Step 1. Enter system view.
        Command: system-view
Step 2. Enter interface view.
        Command: interface interface-type interface-number
Step 3. Configure an interface to dynamically obtain an IP address through BOOTP.
        Command: ip address bootp-alloc
        Remarks: By default, an interface does not use BOOTP to obtain an IP address.
     
Displaying and maintaining BOOTP client configuration

Display BOOTP client information.
    Command: display bootp client [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
    Available in any view.
     
BOOTP client configuration example
Network requirements
As shown in Figure 30, Switch B's port belonging to VLAN 1 is connected to the LAN. VLAN-interface 1 obtains an IP address from the DHCP server by using BOOTP.
Configuration procedure
The following describes only the configuration on Switch B serving as a client.
# Configure VLAN-interface 1 to dynamically obtain an IP address from the DHCP server.
<SwitchB> system-view
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ip address bootp-alloc
# Use the display bootp client command to view the IP address assigned to the BOOTP client.
To make the BOOTP client obtain an IP address from the DHCP server, you must perform additional configuration on the DHCP server. For more information, see Configuring DHCP server.
Configuring IPv4 DNS
Overview
Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into corresponding IP addresses. With DNS, you can use easy-to-remember domain names in some applications and let the DNS server translate them into the correct IP addresses.
DNS services can be static or dynamic. After a user specifies a name, the device checks the local static name resolution table for an IP address. If no IP address is available, it contacts the DNS server for dynamic name resolution, which takes more time than static name resolution. To improve efficiency, you can put frequently queried name-to-IP address mappings in the local static name resolution table.
Static domain name resolution
Static domain name resolution means setting up mappings between domain names and IP addresses. The IP addresses of the corresponding domain names can be found in the static domain resolution table when you use applications such as Telnet.
Dynamic domain name resolution
1.  A user program sends a name query to the resolver of the DNS client.
2.  The DNS resolver looks up the local domain name cache for a match. If the resolver finds a match, it sends the corresponding IP address back. If not, it sends a query to the DNS server.
3.  The DNS server looks up the corresponding IP address of the domain name in its DNS database. If no match is found, the server sends a query to a higher level DNS server. This process continues until a result, whether successful or not, is returned.
4.  After receiving a response from the DNS server, the DNS client returns the resolution result to the application.
Figure 39 Dynamic domain name resolution (user program, DNS client consisting of resolver and cache, and DNS server; requests and responses flow between the user program and the resolver and between the resolver and the DNS server; the resolver saves to and reads from the cache)

Figure 39 shows the relationship between the user program, DNS client, and DNS server.
The DNS client is made up of the resolver and cache. The user program and DNS client can run on the same device or on different devices, but the DNS server and the DNS client usually run on different devices.
Dynamic domain name resolution allows the DNS client to store the latest mappings between domain names and IP addresses in the dynamic domain name cache. The DNS client does not need to send a request to the DNS server when the same name is queried again. Aged mappings are removed from the cache after some time, and the latest entries are then requested from the DNS server again. The DNS server decides how long a mapping is valid, and the DNS client takes the aging information (the TTL) from the DNS messages.
DNS suffixes
The DNS client holds a list of suffixes which the user sets. The resolver can use the list to supply the missing part of incomplete names.
For example, a user can configure com as the suffix for aabbcc.com. The user only needs to type aabbcc to obtain the IP address of aabbcc.com because the resolver adds the suffix and delimiter before passing the name to the DNS server.
•   If there is no dot (.) in the domain name (for example, aabbcc), the resolver considers this a host name and adds a DNS suffix before the query. If no match is found after all the configured suffixes are used, the original domain name (for example, aabbcc) is used for the query.
•   If there is a dot (.) in the domain name (for example, www.aabbcc), the resolver directly uses this domain name for the query. If the query fails, the resolver adds a DNS suffix for another query.
•   If the dot (.) is at the end of the domain name (for example, aabbcc.com.), the resolver considers it a Fully Qualified Domain Name (FQDN) and returns the query result, successful or failed. The dot (.) is considered a terminating symbol.
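The three suffix rules above define a query order. The Python below is an added example, not Comware code and not part of this guide: query_candidates() produces the sequence of names the resolver tries, and resolve() walks that sequence against a constructed lookup (a static table plus a stand-in for the DNS server). The suffix lists, names and addresses are made up for the illustration.

```python
def query_candidates(name, suffixes):
    """Names the resolver tries, in order, for the three cases described above."""
    if name.endswith("."):
        return [name]                                  # FQDN: sent as-is, no retry
    if "." not in name:                                # host name: suffixes first
        return [f"{name}.{s}" for s in suffixes] + [name]
    return [name] + [f"{name}.{s}" for s in suffixes]  # dotted name: as-is first


def resolve(name, suffixes, lookup):
    """Try each candidate until `lookup` returns an address.
    Returns (queried_name, ip, names_tried); ip is None if every attempt failed."""
    tried = []
    for candidate in query_candidates(name, suffixes):
        tried.append(candidate)
        ip = lookup(candidate)
        if ip is not None:
            return candidate, ip, tried
    return None, None, tried


# Constructed data: the device's static table and what the DNS server would answer.
STATIC_TABLE = {"aabbcc.com": "192.0.2.10"}
SERVER_ZONES = {"www.aabbcc.com": "192.0.2.20", "intranet.corp.example": "192.0.2.30"}


def lookup(name):
    """Static table first, then the (simulated) DNS server; trailing dot ignored."""
    key = name.rstrip(".")
    return STATIC_TABLE.get(key) or SERVER_ZONES.get(key)
```

Every failed candidate in names_tried is a query that actually left the device, so a suffix list turns a typo such as www.aabbcc into a lookup of that literal name at the configured server before any suffix is applied. Keep the suffix list short and point the client at a server you trust with those names.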
The device supports static and dynamic DNS client services.

  NOTE:
If an alias is configured for a domain name on the DNS server, the device can resolve the alias into the IP address of the host.
     
DNS proxy
A DNS proxy forwards DNS requests and replies between DNS clients and a DNS server.
As shown in Figure 40, a DNS client sends a DNS request to the DNS proxy, which forwards the request to the designated DNS server, and conveys the reply from the DNS server to the client.
The DNS proxy simplifies network management. When the DNS server address is changed, you only need to change the configuration on the DNS proxy instead of on each DNS client.
Figure 40 DNS proxy networking application
A DNS proxy operates as follows:
1.  A DNS client considers the DNS proxy as the DNS server, and sends a DNS request to the DNS proxy. The destination address of the request is the IP address of the DNS proxy.
2.  After receiving the request, the DNS proxy searches the local static domain name resolution table and the dynamic domain name resolution table. If the requested information is found, the DNS proxy returns a DNS reply to the client.
3.  If the requested information is not found, the DNS proxy sends the request to the designated DNS server for domain name resolution.
4.  After receiving a reply from the DNS server, the DNS proxy records the IP address-to-domain name mapping and forwards the reply to the DNS client.
With no DNS server or route to a DNS server specified, the DNS proxy neither forwards DNS requests nor answers requests from the DNS clients.
DNS spoofing
DNS spoofing is applied to the dial-up network, as shown in Figure 41.
•   The device connects to the PSTN/ISDN network through a dial-up interface and triggers the establishment of a dial-up connection only when packets are to be forwarded through the dial-up interface.
•   The device serves as a DNS proxy and is specified as the DNS server on the hosts. After the dial-up connection is established through the dial-up interface, the device dynamically obtains the DNS server address through DHCP or other autoconfiguration mechanisms.
Figure 41 Application of DNS spoofing

Without DNS spoofing enabled, the device forwards the DNS requests received from the hosts to the DNS server if it cannot find a match in the local domain name resolution table. However, without a dial-up connection established, the device cannot obtain the DNS server address, so it can neither forward nor answer the requests from the clients. The domain name cannot be resolved, and no traffic triggers the establishment of a dial-up connection.
DNS spoofing solves this problem. DNS spoofing enables the device to reply to the DNS client with a configured IP address when the device has no DNS server address or no route to a DNS server. Subsequent packets sent by the DNS client then trigger the establishment of a dial-up connection with the network.
In the network of Figure 41, a host accesses the HTTP server in the following steps:
1.  The host sends a DNS request to the device to resolve the domain name of the HTTP server into an IP address.
2.  Upon receiving the request, the device searches the local static and dynamic DNS entries for a match. If no match is found and the device does not know the DNS server address, the device spoofs the host by replying with the configured IP address. The TTL of the DNS reply is 0. The device must have a route to that IP address with the dial-up interface as the outgoing interface.
3.  Upon receiving the reply, the host sends an HTTP request to the IP address in the reply.
4.  When forwarding the HTTP request through the dial-up interface, the device establishes a dial-up connection with the network and dynamically obtains the DNS server address through DHCP or other autoconfiguration mechanisms.
5.  When the DNS reply ages out, the host sends a DNS request to the device again.
6.  The device then operates in the same way as a DNS proxy. For more information, see "A DNS proxy operates as follows" above.
7.  After obtaining the IP address of the HTTP server, the host can access the HTTP server.
Because the IP address configured with DNS spoofing is not the actual IP address of the requested domain name, the TTL of the DNS reply is set to 0 to prevent the DNS client from caching an incorrect domain name-to-IP address mapping.
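The proxy and spoofing behaviour described in the two sections above, as an added Python model (not Comware code and not part of this guide): DnsProxy.answer() follows the four proxy steps (static table, dynamic cache, upstream server, record and forward) and falls back to the configured spoof address with TTL 0 when no DNS server is known; DnsClient shows why the TTL matters, since a host caches an answer only for its TTL. The addresses, the STATIC_TTL value, the lambda standing in for the learned DNS server and the timeline in dialup_scenario() are all constructed for the illustration.

```python
STATIC_TTL = 3600   # assumed TTL the proxy uses for answers from its static table


class DnsProxy:
    """DNS proxy with the spoofing fallback described above (simplified model)."""

    def __init__(self, static=None, spoof_ip=None):
        self.static = dict(static or {})   # name -> ip (static resolution table)
        self.cache = {}                    # name -> (ip, expires_at) (dynamic table)
        self.spoof_ip = spoof_ip           # address returned while no server is known
        self.upstream = None               # callable name -> (ip, ttl) once a server is known

    def set_upstream(self, query_fn):
        """Called once the dial-up link is up and a DNS server address was learned."""
        self.upstream = query_fn

    def answer(self, name, now):
        """Returns (ip, ttl, source) or None when the proxy cannot answer at all."""
        if name in self.static:                               # step 2: static table
            return self.static[name], STATIC_TTL, "static"
        hit = self.cache.get(name)
        if hit and hit[1] > now:                              # step 2: dynamic table
            return hit[0], hit[1] - now, "cache"
        if self.upstream is None:
            if self.spoof_ip is None:
                return None                                   # no server, no spoofing: no reply
            return self.spoof_ip, 0, "spoof"                  # TTL 0: the client must not keep it
        ip, ttl = self.upstream(name)                         # step 3: ask the DNS server
        self.cache[name] = (ip, now + ttl)                    # step 4: record, then forward
        return ip, ttl, "upstream"


class DnsClient:
    """Host resolver: stores an answer only for its TTL (TTL 0 is never stored)."""

    def __init__(self, proxy):
        self.proxy = proxy
        self.cache = {}

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0], "client-cache"
        reply = self.proxy.answer(name, now)
        if reply is None:
            return None, "no-answer"
        ip, ttl, source = reply
        if ttl > 0:
            self.cache[name] = (ip, now + ttl)
        return ip, source


def dialup_scenario():
    """Constructed walk-through of steps 1 to 7 above; returns each query's result."""
    proxy = DnsProxy(spoof_ip="198.51.100.1")   # route to this address uses the dial-up interface
    host = DnsClient(proxy)
    steps = []
    steps.append(host.resolve("www.example.test", 0))     # link down: spoofed answer, TTL 0
    # The host's HTTP packet toward 198.51.100.1 brings the link up and the proxy
    # learns a DNS server; simulated by a fixed answer with a 300 s TTL.
    proxy.set_upstream(lambda name: ("203.0.113.80", 300))
    steps.append(host.resolve("www.example.test", 5))     # step 5/6: real answer via the server
    steps.append(host.resolve("www.example.test", 100))   # within TTL: host's own cache
    other_host = DnsClient(proxy)
    steps.append(other_host.resolve("www.example.test", 100))  # proxy answers from its cache
    return steps
```

The spoofed answer is a deliberately wrong mapping, and TTL 0 is the only thing that stops it from persisting. A host resolver or application that caches answers regardless of TTL keeps sending traffic for that name to the spoof address, so enable DNS spoofing only where the hosts honour TTL.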
Configuring the IPv4 DNS client
Configuring static domain name resolution
Configuring static domain name resolution refers to specifying the mappings between host names and IPv4 addresses. Static domain name resolution allows applications such as Telnet to contact hosts by using host names instead of IPv4 addresses.
Follow these guidelines when you configure static domain name resolution:
•   The IPv4 address you last assign to a host name overwrites the previous one, if any.
•   You can create up to 50 static mappings between domain names and IPv4 addresses.
To configure static domain name resolution:

Step 1. Enter system view.
        Command: system-view
Step 2. Configure a mapping between a host name and an IPv4 address.
        Command: ip host hostname ip-address
        Remarks: Not configured by default.
     
Configuring dynamic domain name resolution
To send DNS queries to the correct server for resolution, dynamic domain name resolution must be enabled and a DNS server must be configured.
In addition, you can configure a DNS suffix that the system automatically adds to the provided domain name for resolution.