HP 5500 Ei 5500 Si Switch Series Configuration Guide
Step 2. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
Step 3. Enable the DHCP relay agent on the current interface. Command: dhcp select relay. Remarks: With DHCP enabled, interfaces operate in the DHCP server mode.

Correlating a DHCP server group with a relay agent interface

To improve reliability, you can specify several DHCP servers as a group on the DHCP relay agent and correlate a relay agent interface with the server group. When the interface receives request messages from clients, the relay agent forwards them to all the DHCP servers of the group.

Configuration guidelines

Follow these guidelines when you correlate a DHCP server group with a relay agent interface:
• You can specify up to twenty DHCP server groups on the relay agent.
• By executing the dhcp relay server-group command repeatedly, you can specify up to eight DHCP server addresses for each DHCP server group.
• The IP addresses of DHCP servers and those of relay agent interfaces that connect DHCP clients cannot be on the same subnet. Otherwise, the client cannot obtain an IP address.
• A DHCP server group can correlate with one or multiple DHCP relay agent interfaces, while a relay agent interface can only correlate with one DHCP server group. Using the dhcp relay server-select command repeatedly overwrites the previous configuration. However, if the specified DHCP server group does not exist, the interface still uses the previous correlation.
• The group-id argument in the dhcp relay server-select command is configured by using the dhcp relay server-group command.

Configuration procedure

To correlate a DHCP server group with a relay agent interface:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Create a DHCP server group and add a server into the group. Command: dhcp relay server-group group-id ip ip-address. Remarks: Not created by default.
Step 3. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
Step 4. Correlate the DHCP server group with the current interface. Command: dhcp relay server-select group-id. Remarks: By default, no interface is correlated with any DHCP server group.
Configuring the DHCP relay agent security functions

Configuring address check

Address check can block illegal hosts from accessing external networks. With this feature enabled, the DHCP relay agent can dynamically record clients' IP-to-MAC bindings after they obtain IP addresses through DHCP. This feature also supports static bindings: you can configure static IP-to-MAC bindings on the DHCP relay agent, so users can access external networks using fixed IP addresses.

Upon receiving a packet from a host, the DHCP relay agent checks the source IP and MAC addresses in the packet against the recorded dynamic and static bindings. If no match is found, the DHCP relay agent does not learn the ARP entry of the host and does not forward any reply to the host, so the host cannot access external networks via the DHCP relay agent.

Configuration guidelines

Follow these guidelines when you create a static binding and enable address check:
• The dhcp relay address-check enable command can be executed only on Layer 3 Ethernet ports and VLAN interfaces.
• Before enabling address check on an interface, you must enable the DHCP service and enable the DHCP relay agent on the interface; otherwise, the address check configuration is ineffective.
• The dhcp relay address-check enable command checks only IP and MAC addresses, not interfaces.
• When using the dhcp relay security static command to bind an interface to a static binding entry, make sure that the interface is configured as a DHCP relay agent; otherwise, address entry conflicts may occur.

Configuration procedure

To create a static binding and enable address check:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Create a static binding. Command: dhcp relay security static ip-address mac-address [ interface interface-type interface-number ]. Remarks: Optional. No static binding is created by default.
Step 3. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
Step 4. Enable address check. Command: dhcp relay address-check enable. Remarks: Disabled by default.

Configuring periodic refresh of dynamic client entries

A DHCP client unicasts a DHCP-RELEASE message to the DHCP server to release its IP address. The DHCP relay agent simply conveys the message to the DHCP server and does not remove the IP-to-MAC entry of the client.
When this feature is enabled, the DHCP relay agent uses the IP address of a client and the MAC address of the DHCP relay interface to send a DHCP-REQUEST message to the DHCP server at specified intervals.
• If the server returns a DHCP-ACK message or does not return any message within a specified interval, the DHCP relay agent ages out the entry.
• If the server returns a DHCP-NAK message, the relay agent keeps the entry.

To configure periodic refresh of dynamic client entries:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enable periodic refresh of dynamic client entries. Command: dhcp relay security refresh enable. Remarks: Optional. Enabled by default.
Step 3. Configure the refresh interval. Command: dhcp relay security tracker { interval | auto }. Remarks: Optional. auto by default (the auto interval is calculated by the relay agent according to the number of client entries).

Enabling unauthorized DHCP server detection

Unauthorized DHCP servers may assign wrong IP addresses to DHCP clients. With unauthorized DHCP server detection enabled, the DHCP relay agent checks whether a request contains Option 54 (Server Identifier Option). If it does, the DHCP relay agent records the IP address of each detected DHCP server that assigned an IP address to a requesting DHCP client in the option, and records the receiving interface. The administrator can use this information to check for unauthorized DHCP servers. The relay agent logs a DHCP server only once.

To enable unauthorized DHCP server detection:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enable unauthorized DHCP server detection. Command: dhcp relay server-detect. Remarks: Disabled by default.

Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server may also fail to work because of exhaustion of system resources.
• To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, you can limit the number of ARP entries that a Layer 3 interface can learn or MAC addresses that a Layer 2 port can learn. You can also configure an interface that has learned the maximum MAC addresses to discard packets whose source MAC addresses are not in the MAC address table.
• To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, enable MAC address check on the DHCP relay agent. With this function enabled, the DHCP relay agent compares the chaddr field of a received DHCP request with the source MAC address field of the frame. If they are the same, the DHCP relay agent treats the request as valid and forwards it to the DHCP server; if not, it discards the DHCP request.

To enable MAC address check:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
Step 3. Enable MAC address check. Command: dhcp relay check mac-address. Remarks: Disabled by default.

NOTE: DHCP relay agents change the source MAC addresses when forwarding DHCP packets. Therefore, you can enable MAC address check only on a DHCP relay agent directly connected to DHCP clients. Otherwise, valid DHCP packets may be discarded and clients cannot obtain IP addresses.

Enabling offline detection

The DHCP relay agent checks whether a user is online by learning the ARP entry. When an ARP entry is aged out, the corresponding client is considered to be offline. With this function enabled on an interface, the DHCP relay agent removes a client's IP-to-MAC entry when it is aged out, and sends a DHCP-RELEASE message to the DHCP server to release the IP address of the client.

Removing an ARP entry manually does not remove the corresponding client's IP-to-MAC binding. When the client goes offline, use the undo dhcp relay security command to remove the IP-to-MAC binding manually.

To enable offline detection:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
Step 3. Enable offline detection. Command: dhcp relay client-detect enable. Remarks: Disabled by default.

Configuring the DHCP relay agent to release an IP address

You can configure the relay agent to release a client's IP address. The relay agent sends a DHCP-RELEASE message that contains the IP address. Upon receiving the DHCP-RELEASE message, the DHCP server releases the IP address; meanwhile, the client entry is removed from the DHCP relay agent. Dynamic client entries can be generated after you enable address check or IP source guard on the DHCP relay agent. For more information about IP source guard, see the Security Configuration Guide.
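The relay-side checks described above, modelled in Python: the MAC address check that compares chaddr with the frame's source MAC, the address check that matches a host packet's source IP and MAC against static and dynamic IP-to-MAC bindings, and removal of a dynamic entry on release. This is an added example, not HP's code; the RelayBindings class, build_frame and every sample frame are constructed for illustration.

```python
"""Relay-side DHCP security checks modelled on the guide's address check and
MAC address check. Added example, not HP's implementation; all frames are
constructed inline as sample data."""
import struct

ETH, IP, UDP = 14, 20, 8   # fixed header sizes; assumes no IP options
CHADDR, YIADDR = 28, 16    # offsets of chaddr and yiaddr in the BOOTP/DHCP payload


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_frame(src_mac: bytes, chaddr: bytes, src_ip: bytes = bytes(4)) -> bytes:
    """Constructed client-to-relay DHCP request (Ethernet/IP/UDP/BOOTP), not a capture."""
    eth = b"\xff" * 6 + src_mac + b"\x08\x00"
    ip = bytes([0x45, 0]) + struct.pack("!HHHBBH", 0, 0, 0, 64, 17, 0) + src_ip + b"\xff" * 4
    udp = struct.pack("!HHHH", 68, 67, UDP + 240, 0)
    # op=1 BOOTREQUEST, htype=1 Ethernet, hlen=6, hops=0, then xid/secs/flags and ciaddr..giaddr
    bootp = bytes([1, 1, 6, 0]) + struct.pack("!IHH", 0x1234, 0, 0) + bytes(16)
    bootp += chaddr + bytes(10) + bytes(192) + b"\x63\x82\x53\x63"  # chaddr pad, sname+file, magic
    return eth + ip + udp + bootp


def check_mac_address(frame: bytes) -> bool:
    """'dhcp relay check mac-address': forward only if chaddr equals the frame's source MAC.
    Meaningful only on the relay directly facing clients: a relay rewrites the source MAC
    when it forwards, so an upstream relay running this check would discard valid requests."""
    src_mac = frame[6:12]
    dhcp = frame[ETH + IP + UDP:]
    if dhcp[1] != 1 or dhcp[2] != 6:  # only an Ethernet chaddr can be compared
        return False
    return dhcp[CHADDR:CHADDR + 6] == src_mac


class RelayBindings:
    """IP-to-MAC bindings consulted by 'dhcp relay address-check enable'."""

    def __init__(self) -> None:
        self.static: dict[str, str] = {}   # dhcp relay security static
        self.dynamic: dict[str, str] = {}  # learned from leases the relay forwarded

    def add_static(self, ip: str, mac: str) -> None:
        self.static[ip] = mac.lower()

    def learn_from_ack(self, dhcp: bytes) -> tuple[str, str]:
        """Record the lease a DHCP-ACK assigns (yiaddr -> chaddr) as a dynamic entry."""
        ip = ip_str(dhcp[YIADDR:YIADDR + 4])
        mac = mac_str(dhcp[CHADDR:CHADDR + 6])
        self.dynamic[ip] = mac
        return ip, mac

    def release(self, ip: str) -> None:
        """'dhcp relay release ip' or offline detection: drop the dynamic entry."""
        self.dynamic.pop(ip, None)

    def address_check(self, frame: bytes) -> bool:
        """Permit a host packet only if (source IP, source MAC) matches a static or dynamic binding."""
        src_mac, src_ip = mac_str(frame[6:12]), ip_str(frame[ETH + 12:ETH + 16])
        return self.static.get(src_ip) == src_mac or self.dynamic.get(src_ip) == src_mac
```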
To configure the DHCP relay agent to send DHCP-RELEASE messages:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Configure the DHCP relay agent to release an IP address. Command: dhcp relay release ip client-ip. Remarks: The IP address must be in a dynamic client entry.

Configuring the DHCP relay agent to support Option 82

Configuration prerequisites

Before you perform this configuration, complete the following tasks:
• Enable DHCP.
• Enable the DHCP relay agent on the specified interface.
• Correlate a DHCP server group with relay agent interfaces.

Configuration guidelines
• To support Option 82, perform related configuration on both the DHCP server and relay agent. See Configuring DHCP server for DHCP server configuration of this kind.
• If the handling strategy of the DHCP relay agent is configured as replace, you must configure a padding format for Option 82. If the handling strategy is keep or drop, you need not configure any padding format.
• If sub-option 1 (node identifier) of Option 82 is padded with the device name (sysname) of a node, the device name must contain no spaces. Otherwise, the DHCP relay agent will drop the message.

Configuration procedure

To configure the DHCP relay agent to support Option 82:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
Step 3. Enable the relay agent to support Option 82. Command: dhcp relay information enable. Remarks: Disabled by default.
Step 4. Configure the handling strategy for requesting messages containing Option 82. Command: dhcp relay information strategy { drop | keep | replace }. Remarks: Optional. replace by default.
Step 5. Configure non-user-defined Option 82. Commands:
• Configure the padding format for Option 82: dhcp relay information format { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] }
• Configure the code type for the circuit ID sub-option: dhcp relay information circuit-id format-type { ascii | hex }
• Configure the code type for the remote ID sub-option: dhcp relay information remote-id format-type { ascii | hex }
Remarks: Optional. By default, the padding format for Option 82 is normal; the code type for the circuit ID sub-option depends on the padding format of Option 82 (each field has its own code type); and the code type for the remote ID sub-option is hex. The code type configurations for the circuit ID sub-option and remote ID sub-option apply to non-user-defined Option 82 only.
Step 6. Configure user-defined Option 82. Commands:
• Configure the padding content for the circuit ID sub-option: dhcp relay information circuit-id string circuit-id
• Configure the padding content for the remote ID sub-option: dhcp relay information remote-id string { remote-id | sysname }
Remarks: Optional. By default, the padding content depends on the padding format of Option 82.

Setting the DSCP value for DHCP packets

Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Set the DSCP value for DHCP packets sent by the DHCP relay agent. Command: dhcp dscp dscp-value. Remarks: Optional. By default, the DSCP value is 56.

Displaying and maintaining the DHCP relay agent

• Display information about DHCP server groups correlated to a specified interface or all interfaces. Command: display dhcp relay { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display Option 82 configuration information on the DHCP relay agent. Command: display dhcp relay information { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display information about bindings of DHCP relay agents. Command: display dhcp relay security [ ip-address | dynamic | static ] [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display statistics about bindings of DHCP relay agents. Command: display dhcp relay security statistics [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display information about the refresh interval for entries of dynamic IP-to-MAC bindings. Command: display dhcp relay security tracker [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display information about the configuration of a specified DHCP server group or all DHCP server groups. Command: display dhcp relay server-group { group-id | all } [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display packet statistics on the relay agent. Command: display dhcp relay statistics [ server-group { group-id | all } ] [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Clear packet statistics from the relay agent. Command: reset dhcp relay statistics [ server-group group-id ]. Available in user view.

DHCP relay agent configuration examples

DHCP relay agent configuration example

Network requirements

As shown in Figure 34, DHCP clients reside on network 10.10.1.0/24. The IP address of the DHCP server is 10.1.1.1/24. Because the DHCP clients reside on a different network than the DHCP server, a DHCP relay agent is deployed to forward messages between DHCP clients and the DHCP server. VLAN-interface 1 on the DHCP relay agent (Switch A) connects to the network where DHCP clients reside. The IP address of VLAN-interface 1 is 10.10.1.1/24 and the IP address of VLAN-interface 2 is 10.1.1.2/24.

Figure 34 Network diagram: the DHCP clients connect to Switch A (DHCP relay agent) on Vlan-int1 10.10.1.1/24; Vlan-int2 10.1.1.2/24 on Switch A connects to Switch B (DHCP server) on Vlan-int2 10.1.1.1/24.

Configuration procedure

The DHCP relay agent and server are on different subnets, so configure a static route or dynamic routing protocol to make them reachable to each other.
Configurations on the DHCP server are also required to guarantee the client-server communication via the DHCP relay agent. For DHCP server configuration information, see Configuring DHCP server.

# Specify IP addresses for the interfaces. (Details not shown.)
# Enable DHCP.
system-view
[SwitchA] dhcp enable
# Add DHCP server 10.1.1.1 into DHCP server group 1.
[SwitchA] dhcp relay server-group 1 ip 10.1.1.1
# Enable the DHCP relay agent on VLAN-interface 1.
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] dhcp select relay
# Correlate VLAN-interface 1 to DHCP server group 1.
[SwitchA-Vlan-interface1] dhcp relay server-select 1

After the preceding configuration is complete, DHCP clients can obtain IP addresses and other network parameters through the DHCP relay agent from the DHCP server. You can use the display dhcp relay statistics command to view statistics of DHCP packets forwarded by DHCP relay agents. After you enable address check on the DHCP relay agents with the dhcp relay address-check enable command, use the display dhcp relay security command to view the bindings of DHCP relay agents.

DHCP relay agent Option 82 support configuration example

Network requirements
• As shown in Figure 34, enable Option 82 on the DHCP relay agent (Switch A).
• Configure the handling strategy for DHCP requests containing Option 82 as replace.
• Configure the padding content for the circuit ID sub-option as company001 and for the remote ID sub-option as device001.
• Switch A forwards DHCP requests to the DHCP server (Switch B) after replacing Option 82 in the requests, so that the DHCP clients can obtain IP addresses.

Configuration procedure

Configurations on the DHCP server are also required to make the Option 82 configurations function normally.

# Specify IP addresses for the interfaces. (Details not shown.)
# Enable DHCP.
system-view
[SwitchA] dhcp enable
# Add DHCP server 10.1.1.1 into DHCP server group 1.
[SwitchA] dhcp relay server-group 1 ip 10.1.1.1
# Enable the DHCP relay agent on VLAN-interface 1.
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] dhcp select relay
# Correlate VLAN-interface 1 to DHCP server group 1.
[SwitchA-Vlan-interface1] dhcp relay server-select 1
# Enable the DHCP relay agent to support Option 82, and perform Option 82-related configurations.
[SwitchA-Vlan-interface1] dhcp relay information enable
[SwitchA-Vlan-interface1] dhcp relay information strategy replace
[SwitchA-Vlan-interface1] dhcp relay information circuit-id string company001
[SwitchA-Vlan-interface1] dhcp relay information remote-id string device001

Troubleshooting DHCP relay agent configuration

Symptom
DHCP clients cannot obtain any configuration parameters via the DHCP relay agent.

Analysis
Problems may occur with the DHCP relay agent or server configuration.

Solution
To locate the problem, enable debugging and execute the display command on the DHCP relay agent to view the debugging information and interface state information. Verify that:
• DHCP is enabled on the DHCP server and relay agent.
• The address pool on the same subnet where DHCP clients reside is available on the DHCP server.
• The DHCP server and DHCP relay agent are reachable to each other.
• The relay agent interface connected to DHCP clients is correlated with a correct DHCP server group and the IP addresses of the group members are correct.
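The Option 82 handling configured in the example above (strategy replace with circuit ID company001 and remote ID device001), beside the keep and drop strategies from the procedure, as an added Python example that is not HP's implementation. parse_options, relay_option82 and sample_request are illustrative names; the behaviour for requests that carry no Option 82 is an assumption stated in the code, and the no-spaces rule the guide gives for a sysname-padded sub-option 1 is applied to the circuit ID string.

```python
"""Option 82 handling on a DHCP relay agent: drop / keep / replace strategies and the
circuit-id / remote-id padding from the configuration example. Added example code,
not HP's implementation; the request below is constructed sample data."""
from typing import Optional

MAGIC = b"\x63\x82\x53\x63"
OPT_RELAY_AGENT = 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def parse_options(opts: bytes) -> list[tuple[int, bytes]]:
    """Split the TLV area that follows the magic cookie; stop at END (255), skip PAD (0)."""
    out, i = [], 0
    while i < len(opts):
        code = opts[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = opts[i + 1]
        out.append((code, opts[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def encode_options(options: list[tuple[int, bytes]]) -> bytes:
    return b"".join(bytes([c, len(v)]) + v for c, v in options) + b"\xff"


def build_option82(circuit_id: str, remote_id: str) -> bytes:
    """Sub-option 1 = circuit ID, sub-option 2 = remote ID, both padded in ascii code type."""
    if " " in circuit_id:
        # the guide: a sub-option 1 padded from a sysname with spaces makes the relay drop the message
        raise ValueError("circuit-id must not contain spaces")
    cid, rid = circuit_id.encode(), remote_id.encode()
    return bytes([SUB_CIRCUIT_ID, len(cid)]) + cid + bytes([SUB_REMOTE_ID, len(rid)]) + rid


def relay_option82(dhcp: bytes, strategy: str, circuit_id: str = "",
                   remote_id: str = "") -> Optional[bytes]:
    """Apply 'dhcp relay information strategy' to a client request; None means discard.
    Assumption: a request with no Option 82 gets the relay's own Option 82 under every
    strategy; the strategy only decides what happens to an Option 82 already present."""
    head, opts = dhcp[:240], parse_options(dhcp[240:])  # 236 fixed bytes + 4-byte magic
    has82 = any(code == OPT_RELAY_AGENT for code, _ in opts)
    if has82 and strategy == "drop":
        return None
    if has82 and strategy == "keep":
        return dhcp
    kept = [(c, v) for c, v in opts if c != OPT_RELAY_AGENT]  # replace: strip the old one
    kept.append((OPT_RELAY_AGENT, build_option82(circuit_id, remote_id)))
    return head + encode_options(kept)


def sample_request(with_option82: bool) -> bytes:
    """Constructed DHCPDISCOVER: zeroed fixed fields, magic, message-type option, optional old 82."""
    opts = [(53, b"\x01")]
    if with_option82:
        opts.append((OPT_RELAY_AGENT, b"\x01\x03old\x02\x03old"))
    return bytes(236) + MAGIC + encode_options(opts)
```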
Configuring DHCP client

With DHCP client enabled, an interface uses DHCP to obtain configuration parameters such as an IP address from the DHCP server.

Configuration restrictions
• The DHCP client configuration is supported only on Layer 3 Ethernet ports, Layer 3 aggregate interfaces, and VLAN interfaces.
• When multiple VLAN interfaces with the same MAC address use DHCP for IP address acquisition via a relay agent, the DHCP server cannot be a Windows Server 2000 or Windows Server 2003.
• You cannot configure an interface of an aggregation group as a DHCP client.
• Only HP 5500 EI switches support Layer 3 Ethernet port configuration.

Enabling the DHCP client on an interface

Follow these guidelines when you enable the DHCP client on an interface:
• An interface can be configured to acquire an IP address in multiple ways. The latest configuration overwrites the previous one.
• Secondary IP addresses cannot be configured on an interface that is enabled with the DHCP client.
• If the IP address that interface A obtains from the DHCP server is on the same network segment as the IP address of interface B, interface A neither uses the IP address nor requests any IP address from the DHCP server unless you do one of the following: delete the IP address of interface B and bring up interface A again by executing the shutdown command and then the undo shutdown command; or re-enable the DHCP client on interface A by executing the undo ip address dhcp-alloc command and then the ip address dhcp-alloc command.

To enable the DHCP client on an interface:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
Step 3. Enable the DHCP client on the interface. Command: ip address dhcp-alloc [ client-identifier mac interface-type interface-number ]. Remarks: Disabled by default.

Setting the DSCP value for DHCP packets

Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Set the DSCP value for DHCP packets sent by the DHCP client. Command: dhcp client dscp dscp-value. Remarks: Optional. By default, the DSCP value is 56.