DHCP

i
Table of Contents
1 DHCP Client Configuration1-1
Introduction to DHCP Client1-1
Enabling the DHCP Client on an Interface 1-1
Displaying and Maintaining the DHCP Client 1-2
DHCP Client Configuration Example1-2
2 DHCP Snooping Configuration 2-1
DHCP Snooping Overview2-1
Functions of DHCP Snooping2-1
Application Environment of Trusted Ports2-2
DHCP Snooping Support for Option 822-3
Configuring DHCP Snooping Basic Functions2-4
Configuring DHCP Snooping to Support Option 822-5
Prerequisites2-5
Configuring DHCP Snooping to Support Option 822-5
Displaying and Maintaining DHCP Snooping2-6
DHCP Snooping Configuration Examples 2-7
DHCP Snooping Configuration Example2-7
DHCP Snooping Option 82 Support Configuration Example2-7
3 BOOTP Client Configuration 3-1
Introduction to BOOTP Client 3-1
BOOTP Application3-1
Obtaining an IP Address Dynamically3-2
Protocols and Standards3-2
Configuring an Interface to Dynamically Obtain an IP Address Through BOOTP3-2
Displaying and Maintaining BOOTP Client Configuration3-2
BOOTP Client Configuration Example3-3

1-1
This document is organized as follows:
DHCP Client Configuration
DHCP Snooping Configuration
BOOTP Client Configuration
1 DHCP Client Configuration
When configuring the DHCP client, go to these sections for information you are interested in:
Introduction to DHCP Client
Enabling the DHCP Client on an Interface
Displaying and Maintaining the DHCP Client
DHCP Client Configuration Example

When multiple VLAN interfaces with the same MAC address use DHCP for IP address acquisition via a
relay agent, the DHCP server cannot be a Windows 2000 Server or Windows 2003 Server.

Introduction to DHCP Client
With the DHCP client enabled, an interface will use DHCP to obtain configuration parameters such as
an IP address from the DHCP server.
Enabling the DHCP Client on an Interface
Follow these steps to enable the DHCP client on an interface:
To do Use the command Remarks
Enter system view system-view
Enter interface view
interface interface-type
interface-number

Enable the DHCP client on the
interface
ip address dhcp-alloc
[ client-identifier mac interface-type
interface-number ]
Required
Disabled by default.

1-2

An interface can be configured to acquire an IP address in multiple ways, but these ways are
mutually exclusive. The latest configuration will overwrite the previous one.
After the DHCP client is enabled on an interface, no secondary IP address can be configured for
the interface.
If the IP address assigned by the DHCP server is on the same network segment as the IP
addresses of other interfaces on the device, the DHCP client will not request any IP address from
the DHCP server, unless you delete the conflicting IP address and bring up the interface again by
first executing the shutdown command and then the undo shutdown command or re-enable the
DHCP client on the interface by executing the undo ip address dhcp-alloc command and then
the ip address dhcp-alloc command.

Displaying and Maintaining the DHCP Client
Display specified
configuration information
display dhcp client [ verbose ] [ interface
interface-type interface-number ]
Available in any view

DHCP Client Configuration Example
Network requirements
As shown in Figure 1-1, on a LAN, Switch A contacts the DHCP server via VLAN-interface 1 to obtain
an IP address.
Figure 1-1 DHCP network diagram

Configuration procedure
The following is the configuration on Switch A shown in Figure 1-1.
#Enable the DHCP client on VLAN-interface 1.
<Swi t chA> syst em- vi ew
[ Swi t chA] i nt er f ace vl an- i nt er f ace 1
[ Swi t chA- Vl an- i nt er f ace1] i p addr ess dhcp- al l oc

2-1
2 DHCP Snooping Configuration
When configuring DHCP snooping, go to these sections for information you are interested in:
DHCP Snooping Overview
Configuring DHCP Snooping Basic Functions
Configuring DHCP Snooping to Support Option 82
Displaying and Maintaining DHCP Snooping
DHCP Snooping Configuration Examples

The DHCP snooping enabled device does not work if it is between the DHCP relay agent and DHCP
server, and it can work when it is between the DHCP client and relay agent or between the DHCP client
and server.

DHCP Snooping Overview
Functions of DHCP Snooping
As a DHCP security feature, DHCP snooping can implement the following:
1) Ensuring DHCP clients to obtain IP addresses from authorized DHCP servers
2) Recording IP-to-MAC mappings of DHCP clients
Ensuring DHCP clients to obtain IP addresses from authorized DHCP servers
If there is an unauthorized DHCP server on a network, DHCP clients may obtain invalid IP addresses
and network configuration parameters, and cannot normally communicate with other network devices.
With DHCP snooping, the ports of a device can be configured as trusted or untrusted, ensuring the
clients to obtain IP addresses from authorized DHCP servers.
Trusted: A trusted port forwards DHCP messages normally.
Untrusted: An untrusted port discards the DHCP-ACK or DHCP-OFFER messages from any
DHCP server.
You should configure ports that connect to authorized DHCP servers or other DHCP snooping devices
as trusted, and other ports as untrusted. With such configurations, DHCP clients obtain IP addresses
from authorized DHCP servers only, while unauthorized DHCP servers cannot assign IP addresses to
DHCP clients.
Recording IP-to-MAC mappings of DHCP clients
DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to
record DHCP snooping entries, including MAC addresses of clients, IP addresses obtained by the

2-2
clients, ports that connect to DHCP clients, and VLANs to which the ports belong. With DHCP snooping
entries, DHCP snooping can implement the following:
ARP detection: Whether ARP packets are sent from an authorized client is determined based on
DHCP snooping entries. This feature prevents ARP attacks from unauthorized clients. For details,
refer to ARP Configuration in the IP Services Volume.
IP Source Guard: IP Source Guard uses dynamic binding entries generated by DHCP snooping to
filter packets on a per-port basis, and thus prevents unauthorized packets from traveling through.
For details, refer to IP Source Guard Configuration in the Security Volume.
Application Environment of Trusted Ports
Configuring a trusted port connected to a DHCP server
Figure 2-1 Configure trusted and untrusted ports
Trusted
DHCP server
DHCP snooping
Untrusted Untrusted
Unauthorized
DHCP server
DHCP client
DHCP reply messages

As shown in Figure 2-1, a DHCP snooping devices port that is connected to an authorized DHCP
server should be configured as a trusted port to forward reply messages from the DHCP server, so that
the DHCP client can obtain an IP address from the authorized DHCP server.
Configuring trusted ports in a cascaded network
In a cascaded network involving multiple DHCP snooping devices, the ports connected to other DHCP
snooping devices should be configured as trusted ports.
To save system resources, you can disable the trusted ports, which are indirectly connected to DHCP
clients, from recording clients IP-to-MAC bindings upon receiving DHCP requests.

2-3
Figure 2-2 Configure trusted ports in a cascaded network

Table 2-1 describes roles of the ports shown in Figure 2-2.
Table 2-1 Roles of ports
Device Untrusted port
Trusted port disabled from
recording binding entries
Trusted port enabled to
record binding entries
Switch A GigabitEthernet 1/0/1 GigabitEthernet 1/0/3 GigabitEthernet 1/0/2
Switch B
GigabitEthernet 1/0/3
and GigabitEthernet
1/0/4
GigabitEthernet 1/0/1 GigabitEthernet 1/0/2
Switch C GigabitEthernet 1/0/1
GigabitEthernet 1/0/3 and

DHCP Snooping Support for Option 82
Option 82 records the location information of the DHCP client. The administrator can locate the DHCP
client to further implement security control and accounting.
If DHCP snooping supports Option 82, it will handle a clients request according to the contents defined
in Option 82, if any. The handling strategies are described in the table below.
If a reply returned by the DHCP server contains Option 82, the DHCP snooping device will remove the
Option 82 before forwarding the reply to the client. If the reply contains no Option 82, the DHCP
snooping device forwards it directly.
If a clients
requesting
message has
Handling
strategy
Padding
format
The DHCP snooping device will
Drop Random Drop the message. Option 82
Keep Random
Forward the message without changing
Option 82.

2-4
If a clients
requesting
message has
Handling
strategy
Padding
format
The DHCP snooping device will
normal
Forward the message after replacing the
original Option 82 with the Option 82
padded in normal format.
verbose
original Option 82 with the Option 82
padded in verbose format.
Replace
user-defined
original Option 82 with the user-defined
Option 82.
normal
Forward the message after adding the
Option 82 padded in normal format.
verbose
Option 82 padded in verbose format.
no Option 82
user-defined
user-defined Option 82.

The handling strategy and padding format for Option 82 on the DHCP snooping device are the same as
those on the relay agent.

Configuring DHCP Snooping Basic Functions
Follow these steps to configure DHCP snooping basic functions:
Enable DHCP snooping dhcp-snooping
Required
Enter Ethernet interface view
interface-number

Specify the port as trusted
dhcp-snooping trust
[ no-user-binding ]
Required
Untrusted by default.

2-5

You need to specify the ports connected to the authorized DHCP servers as trusted to ensure that
DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP
client must be in the same VLAN.
You can specify Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces as trusted ports. For
details about aggregate interfaces, refer to Link Aggregation Configuration in the Access Volume.
If a Layer 2 Ethernet interface is added to an aggregation group, the DHCP snooping configuration
of the interface will not take effect. After the interface quits the aggregation group, the configuration
will be effective.

Prerequisites
You need to enable the DHCP snooping function before configuring DHCP snooping to support Option
82.
Follow these steps to configure DHCP snooping to support Option 82:
interface-number

Enable DHCP snooping to support
Option 82
dhcp-snooping
information enable
Required
Configure the handling strategy for
requesting messages containing
Option 82
dhcp-snooping
information strategy
{drop | keep | replace }
Optional
replace by default.
Configure the
padding format for
Option 82
dhcp-snooping
information format
{normal | verbose
[ node-identifier {mac |
sysname | user-defined
node-identifier }] }
Optional
normal by default.
Configure
non-user-defined
Option 82
Configure the code
type for the circuit
ID sub-option
dhcp-snooping
information circuit-id
format-type {ascii |
hex }
Optional
By default, the code type
depends on the padding
format of Option 82. Each
field has its own code type.
This code type configuration
applies to non-user-defined
Option 82 only.

2-6
Configure the code
type for the remote
ID sub-option
dhcp-snooping
information remote-id
format-type {ascii |
hex }
Optional
hex by default.
The code type configuration
applies to non-user-defined
Option 82 only.
Configure the
padding content for
the circuit ID
sub-option
dhcp-snooping
information [ vlan
vlan-id ] circuit-id string
circuit-id
Optional
By default, the padding
content depends on the
padding format of Option 82.
Configure
user-defined
Option 82 Configure the
padding content for
the remote ID
sub-option
dhcp-snooping
information [ vlan
vlan-id ] remote-id string
{remote-id | sysname }
Optional
By default, the padding
content depends on the
padding format of Option 82.

You can enable DHCP snooping to support Option 82 on Layer 2 Ethernet interfaces and Layer 2
aggregation interfaces only.
If the handling strategy of the DHCP-snooping-enabled device is configured as replace, you need
to configure a padding format for Option 82. If the handling strategy is keep or drop, you need not
configure any padding format.
If the Option 82 is padded with the device name (sysname) of a node, the device name must
contain no spaces. Otherwise, the DHCP-snooping-enabled device will drop the message.

Displaying and Maintaining DHCP Snooping
Display DHCP snooping entries
display dhcp-snooping [ ip
ip-address ]
Display Option 82 configuration
information on the DHCP snooping
device
display dhcp-snooping
information {all | interface
interface-type interface-number }
Display DHCP packet statistics on the
DHCP snooping device
display dhcp-snooping packet
statistics
Display information about trusted ports display dhcp-snooping trust Available in any view
Clear DHCP snooping entries
reset dhcp-snooping {all | ip
ip-address }
Available in user view
Clear DHCP packet statistics on the
DHCP snooping device
reset dhcp-snooping packet
statistics
Available in user view

2-7
DHCP Snooping Configuration Examples
DHCP Snooping Configuration Example
As shown in Figure 2-3, Switch A is connected to a DHCP server through GigabitEthernet1/0/1, and to
two DHCP clients through GigabitEthernet1/0/2 and GigabitEthernet1/0/3. GigabitEthernet1/0/1
forwards DHCP server responses while the other two do not.
Switch A records clients IP-to-MAC address bindings in DHCP-REQUEST messages and DHCP-ACK
messages received from trusted ports.
Figure 2-3 Network diagram for DHCP snooping configuration

#Enable DHCP snooping.
[ Swi t chA] dhcp- snoopi ng
#Specify GigabitEthernet1/0/1 as trusted.
[ Swi t chA] i nt er f ace Gi gabi t Et her net 1/ 0/ 1
[ Swi t chA- Gi gabi t Et her net 1/ 0/ 1] dhcp- snoopi ng t r ust
[ Swi t chA- Gi gabi t Et her net 1/ 0/ 1] qui t
DHCP Snooping Option 82 Support Configuration Example
As shown in Figure 2-3, enable DHCP snooping and Option 82 support on Switch A.
Configure the handling strategy for DHCP requests containing Option 82 as replace.
On GigabitEthernet1/0/2, configure the padding content for the circuit ID sub-option as
company001 and for the remote ID sub-option as device001.
On GigabitEthernet1/0/3, configure the padding format as verbose, access node identifier as
sysname, and code type as ascii for Option 82.
Switch A forwards DHCP requests to the DHCP server after replacing Option 82 in the requests,
so that the DHCP clients can obtain IP addresses.

2-8
#Enable DHCP snooping.
[ Swi t chA] dhcp- snoopi ng
#Specify GigabitEthernet1/0/1 as trusted.
[ Swi t chA- Gi gabi t Et her net 1/ 0/ 1] dhcp- snoopi ng t r ust
#Configure GigabitEthernet1/0/2 to support Option 82.
[ Swi t chA- Gi gabi t Et her net 1/ 0/ 2] dhcp- snoopi ng i nf or mat i on enabl e
[ Swi t chA- Gi gabi t Et her net 1/ 0/ 2] dhcp- snoopi ng i nf or mat i on st r at egy r epl ace
[ Swi t chA- Gi gabi t Et her net 1/ 0/ 2] dhcp- snoopi ng i nf or mat i on ci r cui t - i d st r i ng company001
[ Swi t chA- Gi gabi t Et her net 1/ 0/ 2] dhcp- snoopi ng i nf or mat i on r emot e- i d st r i ng devi ce001
#Configure gigabitethernet 1/0/3 to support Option 82.
[ Swi t chA] i nt er f ace gi gabi t et her net 1/ 0/ 3
[ Swi t chA- gi gabi t et her net 1/ 0/ 3] dhcp- snoopi ng i nf or mat i on enabl e
[ Swi t chA- gi gabi t et her net 1/ 0/ 3] dhcp- snoopi ng i nf or mat i on st r at egy r epl ace
[ Swi t chA- gi gabi t et her net 1/ 0/ 3] dhcp- snoopi ng i nf or mat i on f or mat ver bose node- i dent i f i er
sysname
[ Swi t chA- gi gabi t et her net 1/ 0/ 3] dhcp- snoopi ng i nf or mat i on ci r cui t - i d f or mat - t ype asci i
[ Swi t chA- gi gabi t et her net 1/ 0/ 3] dhcp- snoopi ng i nf or mat i on r emot e- i d f or mat - t ype asci i

3-1
3 BOOTP Client Configuration
While configuring a BOOTP client, go to these sections for information you are interested in:
Introduction to BOOTP Client
Configuring an Interface to Dynamically Obtain an IP Address Through BOOTP
Displaying and Maintaining BOOTP Client Configuration

If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay
agent, the BOOTP server cannot be a Windows 2000 Server or Windows 2003 Server.

Introduction to BOOTP Client
This section covers these topics:
BOOTP Application
Obtaining an IP Address Dynamically
Protocols and Standards
BOOTP Application
After you specify an interface of a device as a BOOTP client, the interface can use BOOTP to get
information (such as IP address) from the BOOTP server, which simplifies your configuration.
Before using BOOTP, an administrator needs to configure a BOOTP parameter file for each BOOTP
client on the BOOTP server. The parameter file contains information such as MAC address and IP
address of a BOOTP client. When a BOOTP client originates a request to the BOOTP server, the
BOOTP server will search for the BOOTP parameter file and return the corresponding configuration
information.
Because you need to configure a parameter file for each client on the BOOTP server, BOOTP usually
runs under a relatively stable environment. If the network changes frequently, DHCP is more suitable.

Because a DHCP server can interact with a BOOTP client, you can use the DHCP server to configure
an IP address for the BOOTP client, without any BOOTP server.

3-2
Obtaining an IP Address Dynamically

A DHCP server can take the place of the BOOTP server in the following dynamic IP address
acquisition.

A BOOTP client dynamically obtains an IP address from a BOOTP server in the following steps:
1) The BOOTP client broadcasts a BOOTP request, which contains its own MAC address.
2) The BOOTP server receives the request and searches the configuration file for the corresponding
IP address and other information according to the MAC address of the BOOTP client. The BOOTP
server then returns a BOOTP response to the BOOTP client.
3) The BOOTP client obtains the IP address from the received response.
Protocols and Standards
Some protocols and standards related to BOOTP include:
RFC 951: Bootstrap Protocol (BOOTP)
RFC 2132: DHCP Options and BOOTP Vendor Extensions
RFC 1542: Clarifications and Extensions for the Bootstrap Protocol
Configuring an Interface to Dynamically Obtain an IP Address
Through BOOTP
Follow these steps to configure an interface to dynamically obtain an IP address:
interface-number

Configure an interface to
dynamically obtain an IP
address through BOOTP
ip address bootp-alloc
Required
By default, an interface does
not use BOOTP to obtain an IP
address.

Displaying and Maintaining BOOTP Client Configuration
Display BOOTP client
information
display bootp client
[ interface interface-type
interface-number ]

3-3
BOOTP Client Configuration Example
Network requirement
As shown in,Figure 3-1 Switch As port belonging to VLAN 1 is connected to the LAN. VLAN-interface 1
obtains an IP address from the DHCP server by using BOOTP.
Figure 3-1 BOOTP network diagram

DHCP server Gateway A
WINS server
10.1.1.4/25
Client
Switch A
Client
DNS server
10.1.1.2/25
Vlan-int1
10.1.1.1/25
Vlan-int1
10.1.1.126/25

The following describes only the configuration on Switch A serving as a client.
#Configure VLAN-interface 1 to dynamically obtain an IP address from the DHCP server.
[ Swi t chA] i nt er f ace vl an- i nt er f ace 1
[ Swi t chA- Vl an- i nt er f ace1] i p addr ess boot p- al l oc

DHCP

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

DHCP

Uploaded by

Copyright:

Available Formats

i

You might also like