DHCP
Agenda
• DHCP Overview
• DHCP Basic
    DHCP Server
    DHCP Relay
    DHCP Snooping
• DHCP Additional
    DHCP Security
    SAVI
    ND Snooping
Concepts of DHCP
DHCP
Dynamic Host Configuration Protocol (DHCP) enables a client to dynamically obtain a valid IP address.
DHCP server
A DHCP server allocates IP addresses to clients. A client sends a packet to the server to request configurations such as the IP address, subnet mask, and default gateway. After receiving the packet, the server replies with a packet carrying the corresponding configurations according to its policies. Both the Request and Reply packets are encapsulated in UDP packets.
DHCP relay agent
A DHCP relay agent transparently transmits DHCP broadcast packets between DHCP clients and a DHCP server that are on different network segments.
DHCP snooping
DHCP snooping is introduced to protect DHCP servers and clients against attacks that use ARP, IP, or DHCP packets carrying the IP and MAC addresses of other valid users.
DHCP Feature
Figure: feature overview. Basic: DHCP Server, DHCP Relay, DHCP Snooping. Additional: DHCP Security.
DHCP Usage and RFC Compliance Table
The S9700 can be used as
① A DHCP server
② A DHCP relay agent
Document    Description (Remarks)
RFC 1533    DHCP Options and BOOTP Vendor Extensions
RFC 1534    Interoperation Between DHCP and BOOTP
RFC 2131    Dynamic Host Configuration Protocol
RFC 2132    DHCP Options and BOOTP Vendor Extensions
RFC 3046    DHCP Relay Agent Information Option
RFC 2460    Internet Protocol, Version 6 (IPv6) Specification
RFC 3315    Dynamic Host Configuration Protocol for IPv6 (DHCPv6) (Remarks: the functions of the DHCPv6 client and DHCPv6 server are not supported)
RFC 4649    Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Relay Agent Remote-ID Option
DHCP Usage and RFC Compliance Table
Document    Description (Remarks)
RFC 3319    DHCPv6 Options for Session Initiation Protocol (SIP) Servers
RFC 3633    IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6
RFC 3646    DNS Configuration options for DHCPv6
RFC 3898    Network Information Service (NIS) Configuration Options for DHCPv6
RFC 4075    Simple Network Time Protocol (SNTP) Configuration Option for DHCPv6
RFC 2461    Neighbor Discovery for IPv6
draft-bi-savi-stateless-00    SAVI Solution for Stateless Address
draft-ietf-savi-dhcp-02    SAVI Solution for DHCP (only DHCPv6 is supported)
draft-ietf-savi-dhcp-09    SAVI Solution for DHCP (only DHCPv6 is supported)
draft-kaippallimalil-savi-dhcp-pd-01    SAVI Solution for Delegated IPv6 Prefixes
DHCP Server – Principle #1
Three modes for the interaction between the DHCP client and server (figure):
MODE 1: The DHCP client accesses the network for the first time.
MODE 2: The DHCP client accesses the network for the second time (the exchange starts from the selecting stage).
MODE 3: The DHCP client extends the IP address lease.
Four stages (mode 1):
① Discovering stage
② Offering stage
③ Selecting stage
④ Acknowledging stage
Lease extension (mode 3):
① The client starts the lease renewal at ½ L.
② The server supplies a longer lease.
③ If there is no reply from the server at ½ L, the client renews at ¾ L with a broadcast packet.
④ An available server supplies a new lease with a DHCP ACK.
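The three modes above, carried through as an added example that is not part of the original slides or of S9700 code: a small Python client state machine. The `DhcpClient` and `Lease` classes, the message log, and the treatment of mode 2 as a REQUEST carrying the previous address are assumptions made for this illustration; the renewal points follow the slide (unicast to the leasing server at ½ L, broadcast at ¾ L, expiry at L).

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Lease:
    ip: str
    server: str
    start: int     # time the lease (or the last renewal) was granted, in seconds
    length: int    # lease time L, in seconds

    @property
    def t_half(self) -> int:            # 1/2 L: client starts unicast renewal
        return self.start + self.length // 2

    @property
    def t_three_quarters(self) -> int:  # 3/4 L: client falls back to broadcast
        return self.start + (3 * self.length) // 4

    @property
    def expiry(self) -> int:
        return self.start + self.length


@dataclass
class DhcpClient:
    mac: str
    state: str = "INIT"
    lease: Optional[Lease] = None
    sent: List[Tuple[str, str]] = field(default_factory=list)  # (message, destination)

    def _send(self, msg: str, dst: str) -> None:
        self.sent.append((msg, dst))

    def first_access(self, offers: List[Tuple[str, str, int]], now: int) -> Lease:
        """Mode 1: the four stages. `offers` holds (server, ip, lease length) per OFFER."""
        self._send("DISCOVER", "broadcast")             # 1. discovering
        self.state = "SELECTING"
        server, ip, length = offers[0]                  # 2. offering: first OFFER wins
        self._send("REQUEST", "broadcast")              # 3. selecting
        self.lease = Lease(ip, server, now, length)     # 4. acknowledging: ACK received
        self.state = "BOUND"
        return self.lease

    def second_access(self, previous_ip: str, server: str, acked: bool,
                      now: int, length: int) -> str:
        """Mode 2: re-attach with the previously assigned address (Requested IP Address
        option), so the exchange starts at the selecting stage (assumption)."""
        self._send("REQUEST(requested_ip=%s)" % previous_ip, "broadcast")
        if acked:
            self.lease = Lease(previous_ip, server, now, length)
            self.state = "BOUND"
        else:
            self.state = "INIT"      # NAK: fall back to mode 1
        return self.state

    def renew(self, now: int, server_replies: bool) -> str:
        """Mode 3: lease extension. Returns the client state after acting at `now`."""
        if self.lease is None:
            return self.state
        if now < self.lease.t_half:
            return "BOUND"                              # nothing to do yet
        if now < self.lease.t_three_quarters:
            self.state = "RENEWING"
            self._send("REQUEST", self.lease.server)    # unicast to the leasing server
        elif now < self.lease.expiry:
            self.state = "REBINDING"
            self._send("REQUEST", "broadcast")          # any available server may answer
        else:
            self.state, self.lease = "INIT", None       # expired: give the address up
            return self.state
        if server_replies:                              # server supplies a longer lease (ACK)
            self.lease.start = now
            self.state = "BOUND"
        return self.state
```

Calling `renew` at successive times with `server_replies=False` shows the client move from BOUND through RENEWING (unicast) to REBINDING (broadcast) and finally back to INIT when the lease runs out.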
DHCP Server – Principle #2
Static and Dynamic Allocation of IP Addresses
The DHCP server provides the following address allocation policies:
• Manual address allocation: An administrator assigns fixed IP addresses to a few specific hosts, such as the WWW server.
• Automatic address allocation: The server assigns fixed IP addresses to some hosts when they are connected to the network for the first time. These IP addresses can be used by the hosts for a long time.
• Dynamic address allocation: The server assigns IP addresses with leases to clients. The clients need to apply for new IP addresses when the leases expire. This address allocation policy is the one most clients use.
Sequence of IP address allocation
① The IP address that is in the database of the DHCP server and is statically bound to the client's MAC address.
② The IP address assigned to the client before, that is, the IP address in the Requested IP Address option of the DHCP DISCOVER packet sent by the client.
③ The IP address first found when the server searches for available IP addresses in the DHCP address pool.
④ If the DHCP address pool has no available IP address, the DHCP server searches the expired IP addresses and then the conflicting IP addresses for an available one. If an available address is found, the server allocates it to the client; otherwise, the server sends an error message.
Why Use the S9700 as a DHCP Server?
Purpose
With the rapid growth in network scale and increasing complexity, for example, the location of hosts changes frequently (portable computers or wireless networks) and the number of hosts exceeds the number of assignable IP addresses, network configuration becomes more complicated. To assign IP addresses to hosts properly and dynamically, DHCP is applied.
Benefit
HOT BACKUP: On an S9700 with two MPUs/SRUs, DHCP data on the two MPUs is backed up in real time. After a master/slave switchover, the slave MPU becomes the master MPU and the DHCP server keeps functioning and allocating IP addresses to clients normally.
DHCP Server – Packet Flow
Figure: (1) DHCP Discover/Request packet → (2) Packet Processor on the LPU → (3) LC CPU sends Internal HDR + DHCP packet over the Control Channel → (4) SRU CPU/memory: DHCP packet export process, IP:MAC:PORT mapping table, address pool, timing table → (5) DHCP Offer/Reply/ACK/NAK datagram out.
DHCP Server – Feature Implementation
Subcategory: DHCP server
Item: Assigning addresses randomly through the global address pool
  Specifications: 256 global address pools are supported.
Item: Binding addresses statically
  Specifications: MAC addresses and IP addresses can be bound.
  Remarks: Assign a specific IP address to a specific MAC address.
Item: Setting user-defined DHCP options
Item: Supporting detection of DHCP server address conflicts
  Specifications: When detecting an address conflict, the DHCP server monitors the status of the addresses until they are idle. This function can be enabled or disabled.
  Remarks: Key commands: dhcp server ping packet number; dhcp server ping timeout milliseconds
Item: Number of DHCP server groups
  Specifications: 64
Item: Number of DHCP servers in each DHCP server group
  Specifications: 20
Item: Maximum number of IP relay addresses that can be configured on a VLANIF interface
  Specifications: 20
Item: Number of DHCP server groups on a VLANIF interface
  Specifications: 1
Item: User online or offline rate supported by the DHCP relay
  Specifications: 85 users per second; 8*10G board: 60 users per second
DHCP Server – Feature Implementation
Subcategory: DHCPv6 server
Item: Address allocation by two-message exchanges
  Specifications: A client multicasts a Solicit packet to find the server that can allocate addresses and configuration parameters. After receiving the Solicit packet, the server responds with a Reply packet carrying the IP address and configuration parameters allocated to the client.
Item: Address allocation by four-message exchanges
  Specifications: A client first multicasts a Solicit packet to find the servers that can provide DHCPv6 services. After receiving Advertise packets from multiple servers, the client selects one server according to server priorities. Then the client and the selected server complete address application and allocation by exchanging Request and Reply packets.
Item: Stateful DHCPv6 mode
  Specifications: The server allocates IP addresses and configuration, such as DNS, SIP, NIS, and SNTP server configurations, to the client.
Item: Stateless DHCPv6 mode
  Specifications: The server allocates configuration only, such as DNS, SIP, NIS, and SNTP server configurations, to the client.
Item: Prefix allocation by two-message exchanges
  Specifications: A client multicasts a Solicit packet to find the server that can provide services. After receiving the Solicit packet, the server responds with a Reply packet carrying the prefix allocated to the client.
Item: Prefix allocation by four-message exchanges
  Specifications: A client first multicasts a Solicit packet to find the servers that can provide services. After receiving Advertise packets from multiple servers, the client selects one server according to server priorities. Then the client and the selected server complete prefix application and allocation by exchanging Request and Reply packets.
DHCP Server – Feature Implementation
Subcategory: Address pool management
Item: Supporting address pools of VPNs
Item: Each address pool supporting two DNS server addresses and the DNS suffix
Item: Each address pool supporting two NetBIOS server addresses and the NetBIOS server type
Item: Assigning IP addresses based on MAC addresses
Item: Setting the address pool lease
  Remarks: Key command: lease { day day [ hour hour [ minute minute ] ] | unlimited }
Item: Locking the address pool
Item: Setting user-defined options for address pools 1 to 254
  Remarks: The option can be in the IP address format, in the character string format, or in hexadecimal notation.
Item: Reclaiming addresses manually
Item: Enabling the DHCP server on a VLANIF interface
  Remarks: Key commands: interface vlanif vlan-id; ip address ip-address { mask | mask-length }; dhcp select interface
DHCP Server – Feature 1
Feature 1 : Supporting detection of DHCP server address conflicts
Usage Scenario
The dhcp server ping command is applicable to DHCP servers. Repetitive IP address
assignment will cause IP address conflicts. To solve this problem, before assigning an IP
address to a client, the DHCP server needs to send ping packets by using the dhcp
server ping command to check whether the IP address is in use. The DHCP server first
sends a ping packet to the IP address. If there is no response to the ping packet within a
specified period, the DHCP server continues to send ping packets to the IP address until
the number of sent ping packets reaches the maximum value. If there is still no
response, the DHCP server considers that this IP address is not in use and can be
assigned to the client. This ensures that a unique IP address is assigned to the client.
Example
# Set the maximum number of ping packets to be sent to 10 and the maximum response time of each
ping packet to 100 ms.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp server ping packet 10
[Quidway] dhcp server ping timeout 100
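As an added example (not from the slides or the S9700 implementation), the address selection sequence from Principle #2 and the ping-based conflict detection of Feature 1 together in Python: `AddressPool.allocate` walks the five sources in the order the slides give, and every candidate is probed up to `ping_packets` times (each probe waiting `ping_timeout_ms`) through a caller-supplied `probe` callback before it is leased; an address that answers is marked conflicting and the search moves on. The class and method names, the `probe` callback, and the squatting host at 10.1.1.3 are constructed for this illustration.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, Dict, Iterable, Optional

IDLE, USED, EXPIRED, CONFLICT, DISABLED = "idle", "used", "expired", "conflict", "disable"
Probe = Callable[[IPv4Address, int], bool]   # probe(ip, timeout_ms) -> True if a host answered


class AddressPool:
    def __init__(self, network: str, gateway: str, excluded: Iterable[str] = (),
                 ping_packets: int = 2, ping_timeout_ms: int = 500) -> None:
        self.state: Dict[IPv4Address, str] = {ip: IDLE for ip in IPv4Network(network).hosts()}
        for ip in (gateway, *excluded):           # gateway-list / excluded-ip-address: never leased
            self.state[IPv4Address(ip)] = DISABLED
        self.static: Dict[str, IPv4Address] = {}  # MAC -> statically bound address
        self.leases: Dict[str, IPv4Address] = {}  # MAC -> address currently leased
        self.ping_packets = ping_packets          # dhcp server ping packet <number>
        self.ping_timeout_ms = ping_timeout_ms    # dhcp server ping timeout <milliseconds>

    def bind_static(self, mac: str, ip: str) -> None:
        self.static[mac] = IPv4Address(ip)

    def expire(self, mac: str) -> None:
        """Lease ran out without renewal: keep the address aside as expired."""
        self.state[self.leases.pop(mac)] = EXPIRED

    def _in_use(self, ip: IPv4Address, probe: Probe) -> bool:
        """Address conflict detection: free only if every probe times out.
        any() stops at the first reply, like the server stopping its pings."""
        return any(probe(ip, self.ping_timeout_ms) for _ in range(self.ping_packets))

    def _try(self, mac: str, ip: IPv4Address, probe: Probe) -> Optional[IPv4Address]:
        if self.leases.get(mac) == ip:                  # client asking for its own lease again
            return ip
        if self.state.get(ip) not in (IDLE, EXPIRED, CONFLICT):
            return None                                 # leased to someone else, disabled, or not ours
        if self._in_use(ip, probe):
            self.state[ip] = CONFLICT                   # watched until it falls idle again
            return None
        old = self.leases.get(mac)
        if old is not None:
            self.state[old] = IDLE
        self.state[ip], self.leases[mac] = USED, ip
        return ip

    def allocate(self, mac: str, requested: Optional[str], probe: Probe) -> Optional[IPv4Address]:
        """Selection order from the slides; None means the server answers with an error."""
        if mac in self.static:                                    # 1. static MAC binding
            ip = self._try(mac, self.static[mac], probe)
            if ip is not None:
                return ip
        if requested is not None:                                 # 2. Requested IP Address option
            ip = self._try(mac, IPv4Address(requested), probe)
            if ip is not None:
                return ip
        for status in (IDLE, EXPIRED, CONFLICT):                  # 3. idle, 4. expired, 5. conflicting
            for ip in [a for a, s in self.state.items() if s == status]:
                if self._try(mac, ip, probe) is not None:
                    return ip
        return None

    def statistics(self) -> Dict[str, int]:
        """The counters `display ip pool` prints: Total/Used/Expired/Idle/Conflict/Disable."""
        counts = {s: 0 for s in (USED, EXPIRED, IDLE, CONFLICT, DISABLED)}
        for s in self.state.values():
            counts[s] += 1
        counts["total"] = len(self.state)
        return counts


# Constructed stand-in for the ping probe: only a host squatting on 10.1.1.3 answers.
SQUATTERS = {IPv4Address("10.1.1.3")}


def fake_probe(ip: IPv4Address, timeout_ms: int) -> bool:
    return ip in SQUATTERS


if __name__ == "__main__":
    pool = AddressPool("10.1.1.0/29", gateway="10.1.1.1", excluded=["10.1.1.2"])
    print(pool.allocate("00:11:22:33:44:55", None, fake_probe), pool.statistics())
```

Running the module leases 10.1.1.4 to the first client, because 10.1.1.3 answered the probe and is now counted under Conflict, exactly the situation `reset ip pool ... conflict` later clears by hand.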
DHCP Server – Feature 2
Feature 2 : Locking the address pool
Usage Scenario
The lock command is applicable to DHCP servers. When a DHCP server needs to be
migrated, you simply need to migrate address pools on the DHCP server to another
DHCP server on the live network. To retain the addresses that have been assigned to
clients from a global address pool, run the lock command to lock the global address
pool. When new users get online, they apply for IP addresses from a new address pool.
Precautions
After the lock command is run, the specified IP address pool is locked and IP addresses
in this address pool cannot be assigned to clients. Only the created address pools can be
locked.
Example
# Lock the address pool global1.
<Quidway> system-view
[Quidway] ip pool global1
[Quidway-ip-pool-global1] lock
DHCP Server – Feature 3
Feature 3 : Reclaiming addresses manually
Usage Scenario
The reset ip pool command manually recycles the IP addresses that cannot be released
in an IP address pool. If an IP address conflict occurs because two clients use the same
IP address, run the reset ip pool command to set the IP address to idle.
Precautions
User information cannot be restored after you clear it. Exercise caution when running
the reset ip pool command. DHCP clients must release their old IP addresses before
obtaining new IP addresses.
Configuration Impact
After the reset ip pool command is run, a user may be disconnected if its IP address is
within the address range specified in this command.
Example
# Set all conflicting IP addresses in the IP address pool test to idle.
<Quidway> reset ip pool name test conflict
DHCP Server – Configuration Example #1
Example for Configuring a DHCP Server Based on the Global Address Pool
Configuration Roadmap
STEP 1 : Enable the DHCP server function on SwitchA.
<Quidway> system-view
[Quidway] dhcp enable
DHCP Server – Configuration Example #2
STEP 2 : Create a global address pool on SwitchA and set the attributes of the address pool,
including the range of the address pool, egress gateway, NetBIOS address, and address
lease.
# Set the attributes of IP address pool 1
[Quidway] ip pool 1
[Quidway-ip-pool-1] network 10.1.1.0 mask 255.255.255.128
[Quidway-ip-pool-1] dns-list 10.1.1.2
[Quidway-ip-pool-1] gateway-list 10.1.1.126
[Quidway-ip-pool-1] excluded-ip-address 10.1.1.2
[Quidway-ip-pool-1] excluded-ip-address 10.1.1.4
[Quidway-ip-pool-1] lease day 10
[Quidway-ip-pool-1] quit
# Set the attributes of IP address pool 2
[Quidway] ip pool 2
[Quidway-ip-pool-2] network 10.1.1.128 mask 255.255.255.128
[Quidway-ip-pool-2] dns-list 10.1.1.2
[Quidway-ip-pool-2] nbns-list 10.1.1.4
[Quidway-ip-pool-2] gateway-list 10.1.1.254
[Quidway-ip-pool-2] lease day 2
[Quidway-ip-pool-2] quit
DHCP Server – Configuration Example #3
STEP 3 : Configure VLANIF interfaces to use the global address pool to allocate IP
addresses.
# Add GE 1/0/1 to VLAN 10 and GE 1/0/2 to VLAN 20.
[Quidway] vlan batch 10 20
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet1/0/1] quit
[Quidway] interface gigabitethernet 1/0/2
[Quidway-GigabitEthernet1/0/2] port hybrid pvid vlan 20
[Quidway-GigabitEthernet1/0/2] port hybrid untagged vlan 20
[Quidway-GigabitEthernet1/0/2] quit
# Configure the clients on VLANIF 10 to obtain IP addresses from the global address pool.
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.1.1.1 255.255.255.128
[Quidway-Vlanif10] dhcp select global
[Quidway-Vlanif10] quit
# Configure the clients on VLANIF 20 to obtain IP addresses from the global address pool.
[Quidway] interface vlanif 20
[Quidway-Vlanif20] ip address 10.1.1.129 255.255.255.128
[Quidway-Vlanif20] dhcp select global
[Quidway-Vlanif20] quit
DHCP Server – Configuration Example #4
STEP 4 : Verify the configuration.
[Quidway] display ip pool
--------------------------------------------------------------
Pool-name : 2
Pool-No : 0
Position : Local
Status : Unlocked
Gateway-0 : 10.1.1.254
Mask : 255.255.255.128
VPN instance : --
--------------------------------------------------------------
Pool-name : 1
Pool-No : 2
Position : Local
Status : Unlocked
Gateway-0 : 10.1.1.126
Mask : 255.255.255.128
VPN instance : --
IP address Statistic
Total :250
Used :0
Expired :0
Idle :248
Conflict :0
Disable :2
DHCP Relay - Principle #1
Figure: DHCP client obtaining an address through the DHCP relay agent for the first time (client, relay, server; steps 1 to 4).
Figure: DHCP client extending the IP address lease through a DHCP relay agent (client, relay, server; steps 1 and 2).
DHCP Relay - Principle #2
S9700 DHCP Relay Agent Supporting VPNs
To forward DHCP packets on a VPN, you need to configure the DHCP relay agent to support VPNs. Once a private route exists, a DHCP REQUEST packet can be sent to the DHCP server to apply for an IP address. The DHCP relay agent sends a DHCP REQUEST packet from a client on a VPN (or on the public network) to the DHCP server on the local VPN, and then sends the DHCP REPLY packet from the server back to the client.
Figure: DHCP server 1 and clients 1, 2, and 3 in VPN A, VPN B, and VPN C, reached through DHCP relay agents across an MPLS VPN network.
Currently, the CE-PE-PE-CE scenario is applicable. Both the DHCP server and the client can be deployed on the same CE, or the DHCP server is deployed on a PE while the DHCP client is deployed on a CE.
DHCP Relay - Scenario
With the rapid growth in network scale and increasing complexity, for example, the location of hosts changes frequently (portable computers or wireless networks) and the number of hosts exceeds the number of assignable IP addresses, network configuration becomes more complicated. To assign IP addresses to hosts properly and dynamically, DHCP is applied.
Figure: a DHCP client reaches the DHCP server through two DHCP relays across L2/L3 networks (DHCP packet path).
DHCP Relay – Packet Flow
Figure: (1) DHCP server/client packet → (2) Packet Processor on the LPU → (3) LC CPU sends Internal HDR + DHCP packet over the Control Channel → (4) SRU CPU/memory: DHCP packet export process and DHCP relay related table → (5) DHCP relay packet (unicast) out.
DHCP Relay - Feature Implementation
Subcategory: DHCP relay
Item: Configuring DHCP relay on the VLANIF interface
Item: Configuring DHCP relay on the sub-interface
Item: Configuring DHCP relay on VPNs
Subcategory: DHCPv6 relay
Item: Configuring DHCPv6 relay on VLANIFs
Item: VLANIF interface-based relay agent
Item: DHCPv6 Option 37 (remote-id)
Item: DHCPv6 Option 18 (interface-id)
DHCP Relay – Feature 1
Feature 1 : Configuring DHCP relay on the VLANIF interface
When functioning as a DHCP relay agent, the S9700 forwards the DHCP Request packets from DHCP clients to the DHCP server. After the DHCP relay function is enabled on the VLANIF interface, set the DHCP server address on the VLANIF interface in either of the following ways:
• Configure a destination DHCP server group and bind the group to the interface. For details, see Configuring a Destination DHCP Server Group and Binding an Interface to a DHCP Server Group.
• Run the dhcp relay server-ip ip-address command in the VLANIF interface view to configure the destination DHCP server address.
DHCP Relay – Feature 2
Feature 2 : Configuring DHCP relay on VPNs
An enterprise establishes a VPN for employees to communicate with each other. The DHCP server is not in the VPN. Users in the VPN need to obtain IP addresses from the DHCP server.
As shown in the figure, the DHCP clients are located in VPNA, which is in network segment 20.20.20.0/24; the DHCP server is located in network segment 10.10.10.0/24. The DHCP packets need to be relayed by the Switch enabled with the DHCP relay function. The DHCP clients on the VPN can then apply for IP addresses from the DHCP server.
An address pool containing network segment 20.20.20.0/24 is configured on the DHCP server. The DHCP server has a reachable route to 20.20.20.0/24.
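As an added example that is neither S9700 code nor part of the slides: the relay forwarding logic of Principle #2 and Features 1 and 2 in Python, with the VLANIF, server-group and VPN-instance bindings that the following configuration example sets up (Vlanif100 at 20.20.20.1, group dhcpgroup1 with server 10.10.10.1, VPN instance vpna). Messages are dictionaries carrying only the fields the relay touches (giaddr, hops, yiaddr, the broadcast flag), not a DHCP wire format; the class names, the check that replies are accepted only from a configured server, and the hop ceiling of 16 (from RFC 1542) are assumptions of this illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BROADCAST = "255.255.255.255"
MAX_HOPS = 16   # relay agents discard requests whose hops field exceeds 16 (RFC 1542)


@dataclass
class ServerGroup:                        # dhcp server group <name>
    name: str
    servers: List[str]                    # dhcp-server <ip>, up to 20 per group on the S9700
    vpn_instance: Optional[str] = None    # vpn-instance <name> under the group


@dataclass
class Vlanif:
    name: str
    ip: str                                              # ip address <ip> <mask>
    group: Optional[ServerGroup] = None                  # dhcp relay server-select <group>
    server_ips: List[str] = field(default_factory=list)  # dhcp relay server-ip <ip> (alternative)
    vpn_instance: Optional[str] = None                   # ip binding vpn-instance <name>


class DhcpRelay:
    def __init__(self, vlanifs: List[Vlanif]) -> None:
        self.by_name: Dict[str, Vlanif] = {v.name: v for v in vlanifs}
        self.by_ip: Dict[str, Vlanif] = {v.ip: v for v in vlanifs}   # giaddr -> interface

    @staticmethod
    def _targets(v: Vlanif) -> Tuple[List[str], Optional[str]]:
        """Servers and VPN instance a VLANIF relays to: group binding wins over server-ip."""
        if v.group is not None:
            return v.group.servers, v.group.vpn_instance
        return v.server_ips, v.vpn_instance

    def from_client(self, vlanif_name: str, msg: dict) -> List[dict]:
        """Client broadcast in: one unicast copy per configured server out."""
        v = self.by_name[vlanif_name]
        if msg["hops"] > MAX_HOPS:
            return []                                    # looping packet: drop
        servers, vpn = self._targets(v)
        if not servers:
            return []                                    # relay enabled but no server configured
        fwd = dict(msg, hops=msg["hops"] + 1)            # copy; the original is left untouched
        if fwd["giaddr"] == "0.0.0.0":
            fwd["giaddr"] = v.ip    # first relay stamps its address; later relays leave it alone
        return [{"dst": s, "vpn_instance": vpn, "packet": fwd} for s in servers]

    def from_server(self, src: str, msg: dict) -> Optional[dict]:
        """Server reply in: deliver on the interface named by giaddr, or drop."""
        v = self.by_ip.get(msg["giaddr"])
        if v is None:
            return None                                  # giaddr is not one of our interfaces
        servers, _ = self._targets(v)
        if src not in servers:
            return None                                  # assumption: only configured servers may answer
        dst = BROADCAST if msg["broadcast_flag"] else msg["yiaddr"]
        return {"vlanif": v.name, "dst": dst, "packet": dict(msg)}


# Constructed topology taken from the configuration example on the following slides.
GROUP = ServerGroup("dhcpgroup1", ["10.10.10.1"], vpn_instance="vpna")
RELAY = DhcpRelay([Vlanif("Vlanif100", "20.20.20.1", group=GROUP, vpn_instance="vpna")])
```

`from_client` returns the list of unicast copies (one per server in the group) together with the VPN instance the copy must be routed in; `from_server` returns where on the client side the reply goes, or `None` when it should be dropped.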
DHCP Relay – Configuration Example #1
Configuration Roadmap
STEP 1 : Create a DHCP server group and add
a DHCP server to the group.
STEP 2 : Enable DHCP relay on VLANIF 100 so
that the Switch functions as the DHCP relay
agent.
STEP 3 : Create a VPN instance and bind the
DHCP server group and VLANIF interface to
the VPN instance.
STEP 4 : Bind the specified DHCP server group
to VLANIF 100 so that the packets passing
VLANIF 100 are forwarded to the specified
server.
DHCP Relay - Configuration Example #2
1. Create a DHCP server group and add a DHCP server to the group.
<Quidway> system-view
[Quidway] sysname Switch
[Switch] dhcp server group dhcpgroup1
[Switch-dhcp-server-group-dhcpgroup1] dhcp-server 10.10.10.1
[Switch-dhcp-server-group-dhcpgroup1] quit
2. Enable the DHCP relay function on the VLANIF interface.
[Switch] vlan 100
[Switch-Vlan100] quit
[Switch] interface gigabitethernet 1/0/0
[Switch-GigabitEthernet1/0/0] port link-type trunk
[Switch-GigabitEthernet1/0/0] port trunk allow-pass vlan 100
[Switch-GigabitEthernet1/0/0] quit
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] dhcp select relay
[Switch-Vlanif100] quit
DHCP Relay - Configuration Example #3
3. Create a VPN instance and bind the DHCP server group and VLANIF interface to the
VPN instance.
# Create a VPN instance.
[Switch] ip vpn-instance vpna
[Switch-vpn-instance-vpna] route-distinguisher 1:1
[Switch-vpn-instance-vpna] vpn-target 2:2 both
[Switch-vpn-instance-vpna] quit
# Bind the DHCP server group to the VPN instance.
[Switch] dhcp server group dhcpgroup1
[Switch-dhcp-server-group-dhcpgroup1] vpn-instance vpna
[Switch-dhcp-server-group-dhcpgroup1] quit
# Bind the VLANIF interface to the VPN instance.
[Switch] interface vlanif 100
[Switch-Vlanif100] ip binding vpn-instance vpna
[Switch-Vlanif100] quit
4. Bind the VLANIF interface to the specified DHCP server group.
# Set the IP address of the VLANIF interface.
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 20.20.20.1 24
# Specify a DHCP server group for the VLANIF interface.
[Switch-Vlanif100] dhcp relay server-select dhcpgroup1
[Switch-Vlanif100] quit
DHCP Relay - Configuration Example #4
5. Configure the DHCP server and PE.
<Quidway> system-view
[Quidway] sysname SERVER
[SERVER] ip pool 1
[SERVER-ip-pool-1] network 20.20.20.0 mask 255.255.255.0
[SERVER-ip-pool-1] gateway-list 20.20.20.1
[SERVER-ip-pool-1] quit
[SERVER] ip route-static 20.20.20.0 255.255.255.0 10.10.10.2
<Quidway> system-view
[Quidway] sysname PE
[PE] vlan 101
[PE-Vlan101] quit
[PE] interface gigabitethernet 1/0/0
[PE-GigabitEthernet1/0/0] port link-type trunk
[PE-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[PE-GigabitEthernet1/0/0] quit
[PE] ip vpn-instance vpna
[PE-vpn-instance-vpna] route-distinguisher 1:1
[PE-vpn-instance-vpna] vpn-target 2:2 both
[PE-vpn-instance-vpna] quit
[PE] interface vlanif 101
[PE-Vlanif101] ip binding vpn-instance vpna
[PE-Vlanif101] ip address 10.10.10.2 24
[PE-Vlanif101] quit
DHCP Relay - Configuration Example #5
6. Configure MP-IBGP to exchange VPN routing information.
[PE] bgp 100
[PE-bgp] peer 1.1.1.1 as-number 100
[PE-bgp] peer 1.1.1.1 connect-interface loopback 1
[PE-bgp] ipv4-family vpnv4
[PE-bgp-af-vpnv4] peer 1.1.1.1 enable
[PE-bgp-af-vpnv4] quit
[PE-bgp] quit
[Switch] bgp 100
[Switch-bgp] peer 2.2.2.2 as-number 100
[Switch-bgp] peer 2.2.2.2 connect-interface loopback 1
[Switch-bgp] ipv4-family vpnv4
[Switch-bgp-af-vpnv4] peer 2.2.2.2 enable
[Switch-bgp-af-vpnv4] quit
After the configuration, run the display bgp peer command on the PE, and you can see that the
BGP peer relationship between the PEs is in Established state.
[PE] display bgp peer
BGP local router ID : 2.2.2.2
Local AS number : 100
Total number of peers : 1                 Peers in established state : 1
  Peer       V   AS  MsgRcvd  MsgSent  OutQ  Up/Down    State        PrefRcv
  1.1.1.1    4  100       12        6     0  00:02:21   Established        0
DHCP Relay - Configuration Example #6
7. Verify the configuration.
[Switch] display dhcp relay interface vlanif100
DHCP relay agent running information of interface Vlanif100 :
DHCP server group name : dhcpgroup1
DHCP server IP [0] :10.10.10.1
DHCP server IP [1] :255.255.255.255
DHCP server IP [2] :255.255.255.255
DHCP server IP [3] :255.255.255.255
DHCP server IP [4] :255.255.255.255
DHCP server IP [5] :255.255.255.255
DHCP server IP [6] :255.255.255.255
DHCP server IP [7] :255.255.255.255
DHCP server IP [8] :255.255.255.255
DHCP server IP [9] :255.255.255.255
DHCP server IP [10] :255.255.255.255
DHCP server IP [11] :255.255.255.255
DHCP server IP [12] :255.255.255.255
DHCP server IP [13] :255.255.255.255
DHCP server IP [14] :255.255.255.255
DHCP server IP [15] :255.255.255.255
DHCP server IP [16] :255.255.255.255
DHCP server IP [17] :255.255.255.255
DHCP server IP [18] :255.255.255.255
DHCP server IP [19] :255.255.255.255
DHCP Snooping – Principle
DHCP snooping is a security feature of DHCP. The S9700 creates and maintains the DHCP snooping binding table to filter out untrusted DHCP information sent from untrusted zones. The DHCP snooping binding table contains the MAC address, IP address, lease, VLAN ID, and interface number of each user in an untrusted zone.
When DHCP snooping is enabled on an S9700, the S9700 listens to DHCP packets and records the IP addresses and MAC addresses in the received DHCP Request packets or ACK messages. A physical interface can be configured as a trusted interface or an untrusted interface. A trusted interface forwards the DHCP Reply packets it receives, whereas an untrusted interface discards them. By using DHCP snooping, the S9700 can prevent bogus DHCP servers and ensure that clients obtain IP addresses from valid DHCP servers.
DHCP Snooping - Scenario
Purpose
DHCP snooping prevents the following attacks:
• Bogus DHCP server attack
• Man-in-the-middle attack and IP/MAC spoofing attack
• Denial of Service (DoS) attack
• DoS attack by changing the value of the Client Hardware Address (CHADDR)
Benefits
DHCP snooping ensures that:
• Clients obtain IP addresses from valid DHCP servers.
• The IP addresses and MAC addresses of DHCP clients are recorded, and the binding entries can be used by other features.
DHCP Snooping – Packet Flow
Figure: (1) DHCP server packet → (2) Packet Processor on the LPU → (3) LC CPU sends Internal HDR + DHCP packet over the Control Channel → (4) SRU CPU/memory: the DHCP packet export process asks "trust port or not?"; N: DROP; Y: DHCP snooping table updated → (5) DHCP snooping packet (unicast) out.
DHCP Snooping - Feature Implementation
Subcategory: DHCP snooping
Item: Enabling or disabling DHCP snooping globally or on an interface
Item: Configuring the trusted interface for the DHCP server
  Specifications: Prevents unauthorized servers.
Item: Configuring static entries of DHCP snooping
  Specifications: When a static DHCP snooping entry is configured, the IP address and VLAN ID must be set. The MAC address and port number are optional.
  Remarks: The DHCP snooping binding table consists of a static bind-table and a dynamic bind-table.
Item: Preventing DHCP starvation attacks
  Specifications: The transmission rate of DHCP packets on an interface or in a VLAN is limited.
  Remarks: Key command: dhcp snooping check dhcp-rate rate
Item: Preventing attackers from sending bogus DHCP messages for extending IP address leases
  Remarks: Key command: dhcp snooping check user-bind enable
Item: Supporting DHCP snooping in the VPLS
  Specifications: DHCP snooping over VPLS is enabled by enabling DHCP snooping on a physical interface or in a VLAN.
Item: Supporting DHCPv6 snooping
Item: DHCP snooping static binding table
Item: DHCP snooping dynamic binding table
Item: Rate of creating/deleting DHCP snooping binding table entries
  Specifications: 85 entries per second
DHCP Snooping - Feature Implementation
Subcategory: DHCPv6 snooping
Item: Global DHCPv6 snooping
Item: Interface-based DHCPv6 snooping
Item: VLAN-based DHCPv6 snooping
Item: DHCPv6 trusted interface
  Specifications: The trusted interface can receive packets from the DHCP server. The switch discards the DHCP packets received from untrusted interfaces.
Item: Dynamic DHCPv6 snooping binding table
  Specifications: The switch dynamically generates DHCPv6 snooping binding entries by capturing and analyzing DHCP packets received from the DHCPv6 server. A binding entry contains the IPv6 address, MAC address, double-layer VLAN IDs, and interface number.
Item: Static DHCPv6 snooping binding table
  Specifications: You can manually configure DHCP snooping binding entries. A static binding entry contains the IP address, MAC address, VLAN ID, and interface number.
Item: DHCPv6 snooping binding table management
  Specifications: You can add, delete, modify, and query dynamic and static DHCP snooping binding entries by using commands.
Item: Preventing bogus DHCPv6 Request messages
  Specifications: If unauthorized users send a large number of bogus DHCP Request messages with variable MAC addresses to extend IP addresses, expired IPv6 addresses cannot be withdrawn.
Item: 1:1 VLAN mapping
Item: Super VLAN
  Specifications: Batch configurations take effect in sub-VLANs.
Item: Port flapping
  Specifications: Port flapping for the binding table
Item: Interface- or VLAN-based PD snooping
DHCP Snooping – Feature 1
Feature 1 : Supporting DHCP snooping in the VPLS
Figure: binding relationship between physical interfaces, VLANs, and VPLS VSIs (PHY IF 1 / VLAN 10 / VPLS VSI 100; PHY IF 2 / VLAN 20 / VPLS VSI 200; PHY IF 3 / VLAN 30 / VPLS VSI 100), with DHCP snooping enabled globally and on the physical interfaces. Per LPU series, the figure marks where DHCP snooping in the VPLS takes effect: E, FA, and FC series (VLANIF 10, 20, 30; "take effect" and "do not take effect" marks per VLAN), BC series (PWs), W series (normal DHCP snooping), S series (do not support DHCP snooping in VPLS).
DHCP Snooping - Limitation
• If DHCP relay is enabled in a super-VLAN, DHCP snooping cannot be enabled in this super-VLAN.
• DHCP snooping over VPLS is not supported on physical interfaces or non-VPLS VLAN interfaces. It can be enabled only on VPLS VLAN interfaces.
• DHCP snooping over VPLS cannot be enabled on PWs.
• S series LPUs do not support DHCP snooping in the VPLS.
DHCP Snooping – Configuration Example #1
Example for Preventing Bogus DHCP Server Attacks
Configuration Roadmap
STEP 1 : Enable DHCP snooping globally and on the interface.
STEP 2 : Configure the interface connected to the DHCP server as the trusted interface.
STEP 3 : Configure the user-side interface as an untrusted interface. The DHCP reply messages (Offer, ACK, and NAK) received from the untrusted interface are discarded.
STEP 4 : Configure the alarm function for discarded packets.
Configure the interface as the trusted interface or an untrusted interface.
# Configure the interface on the DHCP server side as the trusted interface.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping trusted
[Quidway-GigabitEthernet1/0/0] quit
DHCP Snooping – Configuration Example #2
Example for Limiting the Rate of Sending DHCP Messages
Configuration Roadmap
STEP 1 : Enable DHCP snooping globally and in the interface view.
STEP 2 : Set the rate of sending DHCP Request messages to the protocol stack.
STEP 3 : Configure the alarm function for discarded packets.
Limit the rate of sending DHCP messages.
# Enable the function of checking the rate of sending DHCP Request messages.
[Quidway] dhcp snooping check dhcp-rate enable
# Set the rate of sending DHCP Request messages.
[Quidway] dhcp snooping check dhcp-rate 90
DHCP Snooping – Configuration Example #3
Example for Applying DHCP Snooping on a Layer 2 Network #1
Configuration Roadmap
STEP 1 : Enable DHCP snooping globally and in the interface view.
STEP 2 : Configure interfaces to be trusted or untrusted to prevent bogus DHCP server attacks.
STEP 3 : Configure the DHCP snooping binding table and check DHCP Request messages by matching them with entries in the binding table to prevent attackers from sending bogus DHCP messages for extending IP address leases.
STEP 4 : Configure the function of checking the CHADDR field in DHCP Request messages to prevent attackers from changing the CHADDR field in DHCP Request messages.
STEP 5 : Set the rate of sending DHCP Request messages to the protocol stack to prevent attackers from sending a large number of DHCP Request messages.
STEP 6 : Configure the Option 82 function and create the binding table that contains information about the interface.
STEP 7 : Configure the alarm function for discarded packets and the alarm function for checking the rate of sending packets.
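The seven roadmap steps above, together with the snooping principle from the earlier slide, as an added example in Python that is not the S9700 implementation: one `SnoopingSwitch` object applies the trusted-interface check to server replies (Offer/ACK/NAK), the CHADDR check, the user-bind check against the binding table, the per-interface request rate limit, and Option 82 insertion; it learns dynamic binding entries from ACKs arriving on trusted interfaces (taking the client's port from the echoed Option 82) and counts drops per check against an alarm threshold. The message object, interface names, and sample traffic are constructed for this illustration, and the exact order of the checks is an assumption.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only ever legitimate from a trusted interface


@dataclass(frozen=True)
class Binding:              # one DHCP snooping binding-table entry
    mac: str
    ip: str
    vlan: int
    interface: str
    lease_end: float


@dataclass
class DhcpMsg:              # constructed: the parsed-out fields of one DHCP message
    kind: str               # DISCOVER / REQUEST / RELEASE / OFFER / ACK / NAK
    src_mac: str            # Ethernet source address
    chaddr: str             # Client Hardware Address field inside the DHCP payload
    interface: str
    vlan: int
    ts: float               # arrival time in seconds
    ciaddr: str = "0.0.0.0"
    yiaddr: str = "0.0.0.0"
    lease: int = 0
    option82: Optional[Tuple[str, int]] = None   # relay agent information: (circuit-id interface, VLAN)


class SnoopingSwitch:
    def __init__(self, trusted: Set[str], rate_limit: int = 90, alarm_threshold: int = 120) -> None:
        self.trusted = set(trusted)              # dhcp snooping trusted
        self.rate_limit = rate_limit             # dhcp snooping check dhcp-rate <rate>, packets per second
        self.alarm_threshold = alarm_threshold   # dhcp snooping alarm ... threshold <n>
        self.bindings: Dict[Tuple[str, int], Binding] = {}   # (mac, vlan) -> entry, static and dynamic
        self.drops: Dict[str, int] = defaultdict(int)        # check name -> dropped packets
        self._window: Dict[str, Deque[float]] = defaultdict(deque)
        self._pending: Dict[Tuple[str, int], str] = {}       # (mac, vlan) -> ingress port of the request

    def add_static(self, b: Binding) -> None:
        self.bindings[(b.mac, b.vlan)] = b

    def _drop(self, check: str) -> str:
        self.drops[check] += 1
        return "drop:" + check

    def _over_rate(self, iface: str, ts: float) -> bool:
        w = self._window[iface]
        w.append(ts)
        while w and w[0] <= ts - 1.0:            # keep only the last second of arrivals
            w.popleft()
        return len(w) > self.rate_limit

    def process(self, m: DhcpMsg) -> str:
        key = (m.chaddr, m.vlan)
        if m.kind in SERVER_MSGS:
            if m.interface not in self.trusted:
                return self._drop("untrust-reply")           # bogus DHCP server on a user port
            if m.kind == "ACK":                              # learn a dynamic binding from a valid ACK
                iface = m.option82[0] if m.option82 else self._pending.get(key, m.interface)
                self.bindings[key] = Binding(m.chaddr, m.yiaddr, m.vlan, iface, m.ts + m.lease)
            return "forward"
        if m.interface in self.trusted:
            return "forward"                                 # client traffic on trusted ports is not checked
        if self._over_rate(m.interface, m.ts):
            return self._drop("dhcp-rate")                   # DHCP starvation flood
        if m.chaddr != m.src_mac:
            return self._drop("mac-address")                 # CHADDR check
        if m.kind in ("REQUEST", "RELEASE") and m.ciaddr != "0.0.0.0":
            b = self.bindings.get(key)                       # user-bind check for renew/release
            if b is None or b.ip != m.ciaddr or b.interface != m.interface:
                return self._drop("user-bind")
        self._pending[key] = m.interface
        if m.option82 is None:
            m.option82 = (m.interface, m.vlan)               # dhcp option82 insert enable
        return "forward"

    def alarms(self) -> Set[str]:
        """Checks whose drop counter has reached the alarm threshold."""
        return {c for c, n in self.drops.items() if n >= self.alarm_threshold}


if __name__ == "__main__":
    sw = SnoopingSwitch(trusted={"GE2/0/0"}, rate_limit=90)
    print(sw.process(DhcpMsg("OFFER", "00:bad", "00:aa", "GE1/0/0", 10, 0.0)))   # drop:untrust-reply
    print(sw.process(DhcpMsg("REQUEST", "00:aa", "00:aa", "GE1/0/0", 10, 1.0)))  # forward
```

`process` returns either `forward` or `drop:<check>`, so the same switch object can be driven with a stream of messages and `alarms()` read afterwards, which mirrors how the per-check alarm thresholds on the following slides are meant to surface abuse.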
DHCP Snooping – Configuration Example #3
Example for Applying DHCP Snooping on a Layer 2 Network #2
Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable
# Enable DHCP snooping on the interface at the user side. The configuration procedure
of GE 1/0/1 is the same as the configuration procedure of GE 1/0/0, and is not
mentioned here.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping enable
[Quidway-GigabitEthernet1/0/0] quit
Configure the interface as trusted.
# Configure the interface connecting to the DHCP server as the trusted interface and
enable DHCP snooping on all the interfaces connecting to the DHCP client. If the
interface on the client side is not configured as trusted, the default mode of the interface
is untrusted after DHCP snooping is enabled on the interface. This prevents bogus DHCP
server attacks.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping trusted
[Quidway-GigabitEthernet2/0/0] quit
DHCP Snooping – Configuration Example #4
Example for Applying DHCP Snooping on a Layer 2 Network #3
Configure the checking for certain types of packets.
# Enable the checking of DHCP Request messages on the interfaces on the DHCP client
side to prevent attackers from sending bogus DHCP messages for extending IP address
leases. The configuration of GE 1/0/1 is the same as the configuration of GE 1/0/0, and is
not mentioned here.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping check user-bind enable
[Quidway-GigabitEthernet1/0/0] quit
# Enable the checking of the CHADDR field on the interfaces on the DHCP client side to
prevent attackers from changing the CHADDR field in DHCP Request messages. The
configuration of GE 1/0/1 is the same as the configuration of GE1/0/0, and is not
mentioned here.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping check mac-address enable
[Quidway-GigabitEthernet1/0/0] quit
DHCP Snooping – Configuration Example #5
Example for Applying DHCP Snooping on a Layer 2 Network #4
Limit the rate of sending DHCP messages.
# Limit the rate at which DHCP messages are sent to the protocol stack, to prevent attackers
from flooding the device with DHCP Request messages.
[Quidway] dhcp snooping check dhcp-rate enable
[Quidway] dhcp snooping check dhcp-rate 90
Configure the Option 82 function.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp option82 insert enable
[Quidway-GigabitEthernet1/0/0] quit
Configure the alarm function for discarded packets.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address threshold 120
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind threshold 120
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply threshold 120
[Quidway-GigabitEthernet1/0/0] quit
# Enable the alarm function for checking the rate of sending DHCP messages, and set the alarm
threshold for checking the rate of sending DHCP messages.
[Quidway] dhcp snooping check dhcp-rate alarm enable
[Quidway] dhcp snooping check dhcp-rate alarm threshold 80
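The following model shows how the checks configured in steps 2 to 7 above act on DHCP traffic: replies arriving on untrusted ports are discarded, client messages whose CHADDR does not match the source MAC are dropped, lease-renewal Requests are matched against the binding table learned from ACKs on the trusted port, and a per-second rate limit protects the protocol stack. This is an added example, not Huawei code; the frame layout, port names and sample traffic are constructed.

```python
"""Model of the DHCP snooping checks in the example above: reply discard on
untrusted ports, CHADDR check, binding-table (user-bind) check on Requests and
the DHCP-rate limit. Added example, not Huawei code; the frame layout and the
sample traffic are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class DhcpFrame:
    port: str        # ingress interface
    src_mac: str     # Ethernet source MAC
    msg: str         # DISCOVER, REQUEST, OFFER or ACK
    chaddr: str      # client hardware address field in the DHCP payload
    ip: str = ""     # yiaddr in an ACK, ciaddr in a lease-renewal REQUEST
    vlan: int = 1

class DhcpSnooping:
    def __init__(self, trusted_ports, rate_limit):
        self.trusted = set(trusted_ports)   # interfaces with 'dhcp snooping trusted'
        self.rate_limit = rate_limit        # 'dhcp snooping check dhcp-rate <pps>'
        self.per_second = {}                # int(second) -> packets sent to the stack
        self.pending = {}                   # chaddr -> (port, vlan) of an open transaction
        self.bindings = {}                  # ip -> (chaddr, vlan, port) learned from ACKs
        self.dropped = {"dhcp-rate": 0, "untrust-reply": 0, "mac-address": 0, "user-bind": 0}

    def _drop(self, reason):
        self.dropped[reason] += 1           # these counters feed the alarm thresholds
        return False

    def inspect(self, f, now):
        """Return True if the frame is forwarded, False if snooping discards it."""
        sec = int(now)
        self.per_second[sec] = self.per_second.get(sec, 0) + 1
        if self.per_second[sec] > self.rate_limit:
            return self._drop("dhcp-rate")
        if f.msg in ("OFFER", "ACK"):
            if f.port not in self.trusted:
                return self._drop("untrust-reply")    # server reply from a client port
            if f.msg == "ACK" and f.chaddr in self.pending:
                port, vlan = self.pending.pop(f.chaddr)
                self.bindings[f.ip] = (f.chaddr, vlan, port)
            return True
        if f.chaddr != f.src_mac:
            return self._drop("mac-address")          # 'check mac-address enable'
        if f.msg == "REQUEST" and f.ip:               # renewal: 'check user-bind enable'
            if self.bindings.get(f.ip) != (f.chaddr, f.vlan, f.port):
                return self._drop("user-bind")
            return True
        self.pending[f.chaddr] = (f.port, f.vlan)     # DISCOVER or initial REQUEST
        return True
```

The `dropped` counters correspond to the per-check alarms (`alarm mac-address`, `alarm user-bind`, `alarm untrust-reply`, `dhcp-rate alarm`) that fire when a threshold is exceeded.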
DHCP Security – Feature Implementation
Subcategory: DHCP security
• Setting the format of Option 82: The default format, the format conforming to the DSLAM standard, and the user-defined format are supported.
• Setting the policy for processing Option 82 on an interface: The Option 82 field in a packet can be kept or replaced. Remark: this version does not support removing the Option 82 field.
• Binding an IP address to the MAC address, VLAN ID, or interface flexibly: Static binding is supported.
• Enabling or disabling the function of checking the DHCP relay address based on the binding: Matches certain entries in the binding table, for example, IP address or MAC address, which are irrelevant to the DHCP relay.
• Restoring entries in the DHCP snooping/relay/server binding table after restart: It can be configured.
• Enabling or disabling the detection of bogus DHCP servers: The server address is recorded and the administrator checks, by means of the trusted interface, whether the address is valid. An alarm is generated if the address is invalid.
• Limiting the transmission rate of DHCP packets sent to the host.
Restoring entries in the DHCP after restart
[Figure: Without the database function, the DHCP data held in S9700 memory is lost on restart. With the commands dhcp server database enable and dhcp server database write-delay XXX, the DHCP data is written to Lease.txt and Conflict.txt on the CF card, and after a restart it is recovered with dhcp server database recover.]
DHCP Security – Feature 1
Feature 1: Restoring entries in the DHCP snooping/relay/server binding table after restart
Usage Scenario
When the S9700 functions as a DHCP server, run the dhcp server database enable command
to make the S9700 save DHCP data to storage devices, which avoids data loss caused by
device faults. The system then generates the lease.txt and conflict.txt files on the CF
card; they save address lease information and address conflict information
respectively. After dhcp server database enable is run, the current DHCP data is saved
automatically at the specified interval, overwriting the previous data files. The
interval is set with the dhcp server database write-delay interval command.
If a fault occurs on the S9700, run the dhcp server database recover command after the
system restarts to recover the DHCP data from the storage devices.
Example
# Enable the S9700 to save the current DHCP data to storage devices and set the
interval at which DHCP data is saved to 36000s.
<Quidway> system-view
[Quidway] dhcp server database enable
[Quidway] dhcp server database write-delay 36000
# Recover DHCP configuration by using the DHCP data saved on storage devices.
<Quidway> system-view
[Quidway] dhcp server database recover
SAVI – Feature Implementation
Subcategory: SAVI
• Enabling and disabling global SAVI: Source Address Validation Improvements (SAVI) creates address-port binding entries to verify the source addresses of the packets received on the specified port.
• Generating DHCPv6 snooping binding entries: The switch listens on the DHCPv6 address allocation process, dynamically generates binding entries, or uses static binding entries.
• Protocol packet check based on DHCPv6 snooping binding entries: The switch can verify DHCPv6 and ND packets based on DHCPv6 snooping entries.
• Generating ND snooping binding entries: The switch listens on the ND address allocation process and generates dynamic binding entries.
• Protocol packet check based on ND snooping binding entries: The switch can verify DHCPv6 and ND packets based on ND snooping entries.
• Generating PD snooping binding entries: The switch listens on the DHCPv6 PD prefix allocation process, dynamically generates prefix binding entries, or uses static prefix binding entries.
• Protocol packet check based on PD snooping binding entries: The switch can verify DHCPv6 and ND packets based on PD snooping entries.
• Delivering IPSGv6 entries based on DHCPv6, ND snooping, and PD snooping binding entries: If IPSGv6 is enabled, the switch requests the IPSGv6 module to deliver binding entries to the forwarding plane to verify the forwarded data packets.
• Checking DHCPv6 snooping trusted interface.
• Checking ND snooping trusted interface: The switch discards the RA packets received from untrusted interfaces.
SAVI: Source Address Validation Improvement
Source Address Validation Improvements (SAVI) creates address-port binding entries to verify the source addresses of the packets received on the specified port.
Based on duplicate address detection, SAVI listens on address allocation control packets and creates binding entries. After a binding entry is created, the switch verifies the data and protocol packets received on the specified port. The switch forwards valid packets and discards invalid packets.
• Function:
  • Address Allocation Mode: DHCPv6, SLAAC
  • Scenarios:
    • DHCPv6-only: only DHCPv6 is supported in the network
    • SLAAC-only: only SLAAC is supported in the network
    • Mix Scenario: DHCPv6 + SLAAC
SLAAC: Stateless Address Auto-configuration
SAVI: DHCPv6 Mode
[Figure: SAVI in DHCPv6 mode. The host (MAC1) on Port 1 (downlink) sends a DHCPv6 Request, which the switch forwards through Port 24 (uplink) to the DHCPv6 server. The server allots address A and the DHCPv6 Reply is forwarded back to the host, which obtains address A and sends a DAD NS. The switch then adds the item (Port 1, MAC1, A) to the binding table. Subsequent data packets with src=A are forwarded; data packets with src!=A are discarded.]
SAVI: SLAAC Mode
[Figure: SAVI in SLAAC mode. The host (MAC1) on Port 1 (downlink) forms address A itself and sends a DAD NS; the switch adds the item (Port 1, MAC1, A) to the binding table. Data packets with src=A are forwarded; data packets with src!=A are discarded.]
DAD NS: Duplicate Address Detection Neighbor Solicitation
DHCP-only: Configuration Example
• Global configuration
  [Quidway] savi enable (Enable the SAVI feature globally)
  [Quidway] dhcp enable (Enable the DHCP feature globally)
  [Quidway] dhcp snooping enable (Enable the DHCP snooping feature globally)
• User side interface Ethernet0/0/10 configuration
  Enable the DHCP snooping feature on the interface:
  [Quidway-Ethernet0/0/10] dhcp snooping enable
  The port on which this command is enabled is called the SAVI-Validation port. Users going online through this port create entries in the DHCP binding table, but to create the filter table that filters IP packets by source address you also need to configure "ip source check user-bind enable" on this interface.
  Enable the IPSG feature on the interface:
  [Quidway-Ethernet0/0/10] ip source check user-bind enable
  This command can only be configured on the SAVI-Validation port. Once configured, the port filters IP packets by source IP address according to the binding table: only packets whose IP address, MAC address, interface, and VLAN match the binding table pass through the port; all others are dropped.
• Network side interface Ethernet0/0/20 configuration
  Configure the port as the DHCP trusted port:
  [Quidway-Ethernet0/0/20] dhcp snooping trusted
  The port configured as SAVI-DHCP-Trust passes the DHCP packets sent by the server.
DHCP-SLAAC-MIX: Configuration Example
• Global configuration
  [Quidway] savi enable (Enable the SAVI feature globally)
  [Quidway] dhcp enable (Enable the DHCP feature globally)
  [Quidway] dhcp snooping enable (Enable the DHCP snooping feature globally)
  [Quidway] nd snooping enable (Enable the ND snooping feature globally)
• User side interface Ethernet0/0/10 configuration
  Enable the DHCP snooping feature on the interface:
  [Quidway-Ethernet0/0/10] dhcp snooping enable
  Enable the ND snooping feature on the interface:
  [Quidway-Ethernet0/0/10] nd snooping enable
  Enable the IPSG feature on the interface:
  [Quidway-Ethernet0/0/10] ip source check user-bind enable
  Once these three commands are configured, the port is called the SAVI-Validation port. Users going online through this port create entries in both the DHCP binding table and the SLAAC binding table, and the filter table built from those binding tables filters IP packets by source address.
• Network side interface Ethernet0/0/20 configuration
  Configure the port as the DHCP trusted port:
  [Quidway-Ethernet0/0/20] dhcp snooping trusted
  The port configured as SAVI-DHCP-Trust passes the DHCP packets sent from the server.
  Configure the port as the ND trusted port:
  [Quidway-Ethernet0/0/20] nd snooping trusted
  The port configured as SAVI-RA-Trust passes the RA packets sent from the server.
ND Snooping – Feature Implementation
Subcategory: ND Snooping
• Global, interface-based, and VLAN-based ND snooping.
• Maximum number of ND binding entries: The value is the same as the maximum number of DHCPv6 binding entries.
ND SNOOPING: ND User security
• ND: Neighbor Discovery Protocol
• Basic idea:
  • An IPv6 node that uses stateless address autoconfiguration combines the address prefix advertised by the link router with an interface ID it generates itself to form its address when it receives the router advertisement.
  • Before using an address, the IPv6 node sends an NS packet for DAD, regardless of whether the address was obtained statefully, statelessly, or configured manually. If the address conflicts with another node on the network, the IPv6 node receives the corresponding NA packet.
  • The device creates or deletes entries in the ND binding table by inspecting the NS and NA packets on the network.
ND SNOOPING
[Figure: ND snooping. The host (MAC1) on Port 1 (downlink) of the ND snooping switch sends an ND RS, which is forwarded through Port 24 (uplink) to the ND prefix management switch. That switch distributes prefix A in an ND RA; the snooping switch adds the prefix entry (Port 1, prefix A) to the binding table and forwards the RA. The host forms address A1 and sends a DAD NS (prefix=A), and the switch adds the entry (Port 1, MAC1, A1) to the binding table. Data packets with src=A1 are forwarded; data packets with src!=A1 are discarded.]
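The binding and filtering behaviour shown in the SAVI DHCPv6 mode, SLAAC mode and ND snooping figures, as one added model (not Huawei code): DHCPv6 replies and RAs are only accepted from a trusted uplink, a host's DAD NS creates the (port, MAC, address) binding when the address was allotted by DHCPv6 or lies in a prefix bound to that port, and data packets on a validation port pass only when they match a binding. Port names, prefixes and addresses are constructed.

```python
"""Model of the SAVI binding and source-address filtering shown in the DHCPv6,
SLAAC and ND snooping figures: the DAD NS from a host creates the
(port, MAC, address) binding, RAs and DHCPv6 replies are accepted only from
trusted uplinks, and data packets from a validation port pass only when their
source address matches a binding. Added example, not Huawei code; ports,
prefixes and addresses are constructed."""
from ipaddress import IPv6Address, IPv6Network

class SaviSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # SAVI-DHCP-Trust / SAVI-RA-Trust uplinks
        self.allotted = {}                 # (port, mac) -> address from a DHCPv6 Reply
        self.prefixes = {}                 # port -> prefixes learned from RA for that port
        self.bindings = set()              # (port, mac, address) confirmed by DAD NS

    def on_dhcpv6_reply(self, in_port, client_port, mac, addr):
        """DHCPv6 Reply: accepted only from a trusted port (a bogus server on a
        downlink is discarded); records the address allotted to the client."""
        if in_port not in self.trusted:
            return False
        self.allotted[(client_port, mac)] = IPv6Address(addr)
        return True

    def on_ra(self, in_port, client_port, prefix):
        """RA answering the host's RS: accepted only from the ND-trusted uplink;
        the advertised prefix is bound to the requesting downlink port."""
        if in_port not in self.trusted:
            return False
        self.prefixes.setdefault(client_port, set()).add(IPv6Network(prefix))
        return True

    def on_dad_ns(self, port, mac, target):
        """DAD NS from the host: bind the target address to (port, MAC) if it was
        allotted by DHCPv6 or falls in a prefix bound to this port (SLAAC)."""
        addr = IPv6Address(target)
        if self.allotted.get((port, mac)) == addr or any(
                addr in p for p in self.prefixes.get(port, ())):
            self.bindings.add((port, mac, addr))
            return True
        return False

    def forward_data(self, port, mac, src):
        """Data packet on a SAVI-Validation port passes only if bound; uplinks
        (trusted ports) are not validated."""
        return port in self.trusted or (port, mac, IPv6Address(src)) in self.bindings
```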
ND SNOOPING: Configuration Example
• Global configuration
  [Quidway] savi enable (Enable the SAVI feature globally)
  [Quidway] dhcp enable (Enable the DHCP feature globally)
  [Quidway] nd snooping enable (Enable the ND snooping feature globally)
• User side interface Ethernet0/0/10 configuration
  Enable the ND snooping feature on the interface:
  [Quidway-Ethernet0/0/10] nd snooping enable
  The port on which this command is enabled is called the SAVI-Validation port. Users going online through this port create entries in the SLAAC binding table, but to create the filter table that filters IP packets by source address you also need to configure "ip source check user-bind enable" on the interface.
  Enable the IPSG feature on the interface:
  [Quidway-Ethernet0/0/10] ip source check user-bind enable
  This command has to be configured on the SAVI-Validation port. Once configured, IP packets passing through the port are filtered by source IP address according to the binding table: only packets whose source IP address, MAC address, interface, and VLAN match the binding table pass through the port; all others are dropped.
• Network side interface Ethernet0/0/20 configuration
  Configure the interface as the ND trusted interface:
  [Quidway-Ethernet0/0/20] nd snooping trusted
  The port configured as SAVI-RA-Trust passes the RA packets sent from the server.
DHCP Feature Summary top 3~5
• The S9700 can only act as a DHCP server and a DHCP relay agent; it can't act as a DHCP client.
• The DHCP server supports global address pools and interface address pools.
• When the S9700 is deployed with double SRUs and acts as a DHCP server, it supports DHCP server hot backup.
• The S9700 DHCP relay agent and DHCP snooping support VPNs, except on the S series LPUs.
• The S9700 supports a DHCPv6 server and a DHCPv6 relay agent.
Copyright©2012 Huawei Technologies Co., Ltd. All Rights Reserved.