HP 5500 Ei 5500 Si Switch Series Configuration Guide
Enabling DHCP-REQUEST message attack protection

Attackers may forge DHCP-REQUEST messages to renew the IP address leases for legitimate DHCP clients that no longer need the IP addresses. These forged messages keep a victim DHCP server renewing the leases of IP addresses instead of releasing the IP addresses. This wastes IP address resources.

To prevent such attacks, you can enable DHCP-REQUEST message check on DHCP snooping devices. With this feature enabled, upon receiving a DHCP-REQUEST message, a DHCP snooping device looks up local DHCP snooping entries for the corresponding entry of the message. If an entry is found, the DHCP snooping device compares the entry with the message information. If they are consistent, the DHCP-REQUEST message is considered a valid lease renewal request and forwarded to the DHCP server. If they are not consistent, the message is considered a forged lease renewal request and discarded. If no corresponding entry is found, the message is considered valid and forwarded to the DHCP server.

Enable DHCP-REQUEST message check only on Layer 2 Ethernet ports and Layer 2 aggregate interfaces.

To enable DHCP-REQUEST message check:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable DHCP-REQUEST message check.
   Command: dhcp-snooping check request-message
   Remarks: Disabled by default

Configuring DHCP packet rate limit

Configuration guidelines

• You can configure DHCP packet rate limit only on Layer 2 Ethernet ports and Layer 2 aggregate interfaces.
• If a Layer 2 Ethernet port belongs to an aggregation group, it uses the DHCP packet maximum rate configured on the corresponding Layer 2 aggregate interface.
• To identify DHCP packets from unauthorized DHCP servers, DHCP snooping delivers all incoming DHCP packets to the CPU. If a malicious user sends a large number of DHCP requests to the DHCP snooping device, the CPU of the device will be overloaded, and the device may even crash. To solve this problem, you can configure DHCP packet rate limit on relevant interfaces.

Configuration procedure

To configure DHCP packet rate limit:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter Layer 2 Ethernet port view or Layer 2 aggregate interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure the maximum rate of incoming DHCP packets.
   Command: dhcp-snooping rate-limit rate
   Remarks: Not configured by default

Displaying and maintaining DHCP snooping

Task: Display DHCP snooping entries.
   Command: display dhcp-snooping [ ip ip-address ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view
Task: Display Option 82 configuration information on the DHCP snooping device.
   Command: display dhcp-snooping information { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view
Task: Display DHCP packet statistics on the DHCP snooping device.
   Command: display dhcp-snooping packet statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view
Task: Display information about trusted ports.
   Command: display dhcp-snooping trust [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view
Task: Display the DHCP snooping entry file information.
   Command: display dhcp-snooping binding database [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view
Task: Clear DHCP snooping entries.
   Command: reset dhcp-snooping { all | ip ip-address }
   Remarks: Available in user view
Task: Clear DHCP packet statistics on the DHCP snooping device.
   Command: reset dhcp-snooping packet statistics [ slot slot-number ]
   Remarks: Available in user view

DHCP snooping configuration examples

DHCP snooping configuration example

Network requirements

As shown in Figure 38, Switch B is connected to a DHCP server through GigabitEthernet 1/0/1, and to two DHCP clients through GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3. GigabitEthernet 1/0/1 forwards DHCP server responses while the other two do not. Switch B records clients' IP-to-MAC address bindings in DHCP-REQUEST messages and DHCP-ACK messages received from trusted ports.
Figure 38 Network diagram

Configuration procedure

# Enable DHCP snooping.
system-view
[SwitchB] dhcp-snooping
# Specify GigabitEthernet 1/0/1 as trusted.
[SwitchB] interface GigabitEthernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] dhcp-snooping trust
[SwitchB-GigabitEthernet1/0/1] quit

DHCP snooping Option 82 support configuration example

Network requirements

As shown in Figure 38, enable DHCP snooping and Option 82 support on Switch B.
• Configure the handling strategy for DHCP requests containing Option 82 as replace.
• On GigabitEthernet 1/0/2, configure the padding content for the circuit ID sub-option as company001 and for the remote ID sub-option as device001.
• On GigabitEthernet 1/0/3, configure the padding format as verbose, access node identifier as sysname, and code type as ascii for Option 82.
• Switch B forwards DHCP requests to the DHCP server (Switch A) after replacing Option 82 in the requests, so that the DHCP clients can obtain IP addresses.

Configuration procedure

# Enable DHCP snooping.
system-view
[SwitchB] dhcp-snooping
# Specify GigabitEthernet 1/0/1 as trusted.
[SwitchB] interface GigabitEthernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] dhcp-snooping trust
[SwitchB-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 to support Option 82.
[SwitchB] interface GigabitEthernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] dhcp-snooping information enable
[SwitchB-GigabitEthernet1/0/2] dhcp-snooping information strategy replace
[SwitchB-GigabitEthernet1/0/2] dhcp-snooping information circuit-id string company001
[SwitchB-GigabitEthernet1/0/2] dhcp-snooping information remote-id string device001
[SwitchB-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet 1/0/3 to support Option 82.
[SwitchB] interface GigabitEthernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] dhcp-snooping information enable
[SwitchB-GigabitEthernet1/0/3] dhcp-snooping information strategy replace
[SwitchB-GigabitEthernet1/0/3] dhcp-snooping information format verbose node-identifier sysname
[SwitchB-GigabitEthernet1/0/3] dhcp-snooping information circuit-id format-type ascii
[SwitchB-GigabitEthernet1/0/3] dhcp-snooping information remote-id format-type ascii
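The following Python model is an added example and is not HP code; it shows, on the Figure 38 topology, the three snooping decisions this chapter describes: server replies are forwarded only from the trusted port, a DHCP-REQUEST is compared against the local snooping entry (no entry: forward; consistent: forward; inconsistent: discard as a forged renewal), and incoming DHCP packets are counted against a per-interface rate limit. The rate limiter is an assumed fixed one-second window, since the guide only states a packets-per-second limit and not the switch's internal algorithm; all port names, MACs, addresses and the limit value are constructed.

```python
"""DHCP snooping decision model (added example, not HP code)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class DhcpPacket:
    msg_type: str            # "DISCOVER", "REQUEST", "OFFER", "ACK", "NAK"
    client_mac: str
    ip: str = ""             # requested IP (REQUEST) or assigned IP (ACK)
    vlan: int = 1


@dataclass
class SnoopingDevice:
    trusted: Set[str] = field(default_factory=set)            # dhcp-snooping trust
    check_request: Set[str] = field(default_factory=set)      # dhcp-snooping check request-message
    rate_limit: Dict[str, int] = field(default_factory=dict)  # dhcp-snooping rate-limit (pps)
    # Snooping entries: client MAC -> (IP address, VLAN, client port)
    bindings: Dict[str, Tuple[str, int, str]] = field(default_factory=dict)
    _pending: Dict[str, Tuple[int, str]] = field(default_factory=dict)      # MAC -> (VLAN, port) from REQUEST
    _window: Dict[Tuple[str, int], int] = field(default_factory=lambda: defaultdict(int))  # (port, second) -> count

    def handle(self, port: str, pkt: DhcpPacket, now: float) -> Tuple[str, str]:
        """Decide (action, reason) for one DHCP packet received on `port` at time `now`."""
        limit = self.rate_limit.get(port)
        if limit is not None:
            key = (port, int(now))           # assumed: simple one-second counting window
            self._window[key] += 1
            if self._window[key] > limit:
                return ("drop", "rate-limit")  # keeps a DHCP flood away from the CPU

        if pkt.msg_type in ("OFFER", "ACK", "NAK"):
            if port not in self.trusted:
                return ("drop", "server reply on untrusted port")
            if pkt.msg_type == "ACK" and pkt.client_mac in self._pending:
                vlan, client_port = self._pending.pop(pkt.client_mac)
                self.bindings[pkt.client_mac] = (pkt.ip, vlan, client_port)  # record the binding
            return ("forward", "trusted server reply")

        if pkt.msg_type == "REQUEST":
            if port in self.check_request:
                entry = self.bindings.get(pkt.client_mac)
                if entry is None:
                    reason = "no snooping entry, treated as valid"
                elif entry == (pkt.ip, pkt.vlan, port):
                    reason = "consistent with snooping entry"
                else:
                    return ("drop", "forged lease renewal")   # entry found but inconsistent
            else:
                reason = "request check disabled on port"
            self._pending[pkt.client_mac] = (pkt.vlan, port)
            return ("forward", reason)
        return ("forward", "client message")


def run_demo() -> List[Tuple[str, str]]:
    """Constructed traffic: GE1/0/1 faces the DHCP server, GE1/0/2 and GE1/0/3 face clients."""
    dev = SnoopingDevice(
        trusted={"GE1/0/1"},
        check_request={"GE1/0/2", "GE1/0/3"},
        rate_limit={"GE1/0/2": 2},           # assumed value: 2 DHCP packets per second
    )
    mac = "00-11-22-33-44-55"                # constructed client MAC
    traffic = [
        ("GE1/0/2", DhcpPacket("REQUEST", mac, "10.1.1.2"), 0.0),  # initial lease request
        ("GE1/0/1", DhcpPacket("ACK", mac, "10.1.1.2"), 0.1),      # server confirms on trusted port
        ("GE1/0/3", DhcpPacket("ACK", mac, "10.1.1.9"), 0.2),      # reply from an untrusted port
        ("GE1/0/2", DhcpPacket("REQUEST", mac, "10.1.1.2"), 5.0),  # genuine renewal
        ("GE1/0/3", DhcpPacket("REQUEST", mac, "10.1.1.2"), 5.1),  # same MAC/IP, wrong port
        ("GE1/0/2", DhcpPacket("REQUEST", mac, "10.1.1.2"), 5.2),  # 2nd packet in this second
        ("GE1/0/2", DhcpPacket("REQUEST", mac, "10.1.1.2"), 5.3),  # 3rd packet: over the limit
    ]
    return [dev.handle(port, pkt, t) for port, pkt, t in traffic]


if __name__ == "__main__":
    for action, reason in run_demo():
        print(f"{action:8s} {reason}")
```

The binding is keyed on the client MAC and carries the port the REQUEST arrived on, so a renewal for the same MAC and address from a different port fails the consistency check, which is the forged-renewal case the text describes; a REQUEST from a client with no entry is still forwarded, exactly as the guide states, so the check alone does not stop first-time requests.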
Configuring BOOTP client

Overview

BOOTP application

After you specify an interface of a device as a BOOTP client, the interface can use BOOTP to get information (such as IP address) from the BOOTP server.

To use BOOTP, an administrator must configure a BOOTP parameter file for each BOOTP client on the BOOTP server. The parameter file contains information such as MAC address and IP address of a BOOTP client. When a BOOTP client sends a request to the BOOTP server, the BOOTP server searches for the BOOTP parameter file and returns the corresponding configuration information.

BOOTP is usually used in relatively stable environments. In network environments that change frequently, DHCP is more suitable.

Because a DHCP server can interact with a BOOTP client, you can use the DHCP server to configure an IP address for the BOOTP client, without any BOOTP server.

Obtaining an IP address dynamically

A BOOTP client dynamically obtains an IP address from a BOOTP server in the following steps:
1. The BOOTP client broadcasts a BOOTP request, which contains its own MAC address.
2. The BOOTP server receives the request and searches the configuration file for the corresponding IP address and other information according to the MAC address of the BOOTP client. The BOOTP server then returns a BOOTP response to the BOOTP client.
3. The BOOTP client obtains the IP address from the received response.

A DHCP server can take the place of the BOOTP server in the above mentioned dynamic IP address acquisition.

Protocols and standards

• RFC 951, Bootstrap Protocol (BOOTP)
• RFC 2132, DHCP Options and BOOTP Vendor Extensions
• RFC 1542, Clarifications and Extensions for the Bootstrap Protocol

Configuration restrictions

• BOOTP client configuration only applies to Layer 3 Ethernet ports, Layer 3 aggregate interfaces and VLAN interfaces.
• If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay agent, the BOOTP server cannot be a Windows Server 2000 or Windows Server 2003.
• You cannot configure an interface of an aggregation group as a BOOTP client.
Configuring an interface to dynamically obtain an IP address through BOOTP

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure an interface to dynamically obtain an IP address through BOOTP.
   Command: ip address bootp-alloc
   Remarks: By default, an interface does not use BOOTP to obtain an IP address.

Displaying and maintaining BOOTP client configuration

Task: Display BOOTP client information.
   Command: display bootp client [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view

BOOTP client configuration example

Network requirements

As shown in Figure 30, Switch B's port belonging to VLAN 1 is connected to the LAN. VLAN-interface 1 obtains an IP address from the DHCP server by using BOOTP.

Configuration procedure

The following describes only the configuration on Switch B serving as a client.

# Configure VLAN-interface 1 to dynamically obtain an IP address from the DHCP server.
system-view
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ip address bootp-alloc
# Use the display bootp client command to view the IP address assigned to the BOOTP client.

To make the BOOTP client obtain an IP address from the DHCP server, you must perform additional configurations on the DHCP server. For more information, see Configuring DHCP server.
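The three-step exchange in "Obtaining an IP address dynamically", as an added example that is not HP code: the client builds an RFC 951 BOOTREQUEST carrying its MAC address in chaddr, the server looks that MAC up in its parameter file and answers with a BOOTREPLY (or stays silent when no entry exists), and the client reads its address from yiaddr, accepting only a reply that matches its own transaction ID. The server address, the parameter-file contents and the MAC addresses are constructed.

```python
"""BOOTP request/reply exchange per RFC 951 (added example, not HP code)."""
import socket
import struct
from typing import Optional

# Fixed 300-byte BOOTP message: op, htype, hlen, hops, xid, secs, unused/flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128), vend(64).
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s64s"
BOOTREQUEST, BOOTREPLY = 1, 2
HTYPE_ETHERNET, HLEN_ETHERNET = 1, 6
ZERO4 = b"\x00" * 4

SERVER_IP = "192.168.1.1"   # constructed BOOTP server address
# Constructed "BOOTP parameter file": client MAC -> (IP address, server name, boot file)
PARAM_FILE = {
    "00:1b:21:aa:bb:cc": ("192.168.1.10", "bootsrv", "switch.bin"),
}


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_request(mac: str, xid: int) -> bytes:
    """Step 1: the client broadcasts a request that carries its own MAC address."""
    chaddr = mac_to_bytes(mac).ljust(16, b"\x00")
    return struct.pack(BOOTP_FMT, BOOTREQUEST, HTYPE_ETHERNET, HLEN_ETHERNET, 0,
                       xid, 0, 0, ZERO4, ZERO4, ZERO4, ZERO4, chaddr, b"", b"", b"")


def server_handle(request: bytes) -> Optional[bytes]:
    """Step 2: look the client's MAC up in the parameter file and reply, or stay silent."""
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, _yiaddr, _siaddr, giaddr,
     chaddr, _sname, _file, vend) = struct.unpack(BOOTP_FMT, request)
    if op != BOOTREQUEST:
        return None
    mac = ":".join(f"{b:02x}" for b in chaddr[:hlen])
    entry = PARAM_FILE.get(mac)
    if entry is None:
        return None                      # no parameter file for this client: no reply
    ip, sname, bootfile = entry
    return struct.pack(BOOTP_FMT, BOOTREPLY, htype, hlen, hops, xid, secs, flags,
                       ciaddr, socket.inet_aton(ip), socket.inet_aton(SERVER_IP), giaddr,
                       chaddr, sname.encode(), bootfile.encode(), vend)


def client_parse(reply: bytes, xid: int) -> Optional[str]:
    """Step 3: accept only a BOOTREPLY for our transaction ID and read yiaddr."""
    fields = struct.unpack(BOOTP_FMT, reply)
    if fields[0] != BOOTREPLY or fields[4] != xid:
        return None                      # reply for someone else's transaction: ignore
    return socket.inet_ntoa(fields[8])


def obtain_address(mac: str, xid: int = 0x1234) -> Optional[str]:
    """Whole exchange run in-process; None means the server had no entry for the MAC."""
    reply = server_handle(build_request(mac, xid))
    return None if reply is None else client_parse(reply, xid)


if __name__ == "__main__":
    print(obtain_address("00:1b:21:aa:bb:cc"))   # known client
    print(obtain_address("00:1b:21:00:00:01"))   # client missing from the parameter file
```

The unknown-MAC path is the operational failure mode to expect with BOOTP: a client whose MAC is not in the parameter file receives nothing at all, which is why the text recommends DHCP for networks that change often.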
Configuring IPv4 DNS

Overview

Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into corresponding IP addresses. With DNS, you can use easy-to-remember domain names in some applications and let the DNS server translate them into correct IP addresses.

DNS services can be static or dynamic. After a user specifies a name, the device checks the local static name resolution table for an IP address. If no IP address is available, it contacts the DNS server for dynamic name resolution, which takes more time than static name resolution. To improve efficiency, you can put frequently queried name-to-IP address mappings in the local static name resolution table.

Static domain name resolution

Static domain name resolution means setting up mappings between domain names and IP addresses. IP addresses of the corresponding domain names can be found in the static domain resolution table when you use applications such as Telnet.

Dynamic domain name resolution

1. A user program sends a name query to the resolver of the DNS client.
2. The DNS resolver looks up the local domain name cache for a match. If the resolver finds a match, it sends the corresponding IP address back. If not, it sends a query to the DNS server.
3. The DNS server looks up the corresponding IP address of the domain name in its DNS database. If no match is found, the server sends a query to a higher level DNS server. This process continues until a result, whether successful or not, is returned.
4. After receiving a response from the DNS server, the DNS client returns the resolution result to the application.

Figure 39 Dynamic domain name resolution

Figure 39 shows the relationship between the user program, DNS client, and DNS server. The DNS client is made up of the resolver and cache. The user program and DNS client can run on the same device or different devices, but the DNS server and the DNS client usually run on different devices.
[Figure 39 diagram labels: User program, DNS client (Resolver, Cache), DNS server; Request/Response arrows between user program, resolver and DNS server; Save/Read arrows between resolver and cache.]
Dynamic domain name resolution allows the DNS client to store the latest mappings between domain names and IP addresses in the dynamic domain name cache. The DNS client does not need to send a request to the DNS server for a repeated query next time. The aged mappings are removed from the cache after some time, and the latest entries are requested from the DNS server. The DNS server decides how long a mapping is valid, and the DNS client gets the aging information from DNS messages.

DNS suffixes

The DNS client holds a list of suffixes which the user sets. The resolver can use the list to supply the missing part of incomplete names.

For example, a user can configure com as the suffix for aabbcc.com. The user only needs to type aabbcc to obtain the IP address of aabbcc.com because the resolver adds the suffix and delimiter before passing the name to the DNS server.
• If there is no dot (.) in the domain name (for example, aabbcc), the resolver considers this a host name and adds a DNS suffix before the query. If no match is found after all the configured suffixes are used, the original domain name (for example, aabbcc) is used for the query.
• If there is a dot (.) in the domain name (for example, www.aabbcc), the resolver directly uses this domain name for the query. If the query fails, the resolver adds a DNS suffix for another query.
• If the dot (.) is at the end of the domain name (for example, aabbcc.com.), the resolver considers it a Fully Qualified Domain Name (FQDN) and returns the query result, successful or failed. The dot (.) is considered a terminating symbol.

The device supports static and dynamic DNS client services.

NOTE: If an alias is configured for a domain name on the DNS server, the device can resolve the alias into the IP address of the host.

DNS proxy

A DNS proxy forwards DNS requests and replies between DNS clients and a DNS server.
As shown in Figure 40, a DNS client sends a DNS request to the DNS proxy, which forwards the request to the designated DNS server, and conveys the reply from the DNS server to the client.

The DNS proxy simplifies network management. When the DNS server address is changed, you can change the configuration on only the DNS proxy instead of on each DNS client.

Figure 40 DNS proxy networking application
A DNS proxy operates as follows:
1. A DNS client considers the DNS proxy as the DNS server, and sends a DNS request to the DNS proxy. The destination address of the request is the IP address of the DNS proxy.
2. The DNS proxy searches the local static domain name resolution table and dynamic domain name resolution table after receiving the request. If the requested information is found, the DNS proxy returns a DNS reply to the client.
3. If the requested information is not found, the DNS proxy sends the request to the designated DNS server for domain name resolution.
4. After receiving a reply from the DNS server, the DNS proxy records the IP address-to-domain name mapping and forwards the reply to the DNS client.

With no DNS server or route to a DNS server specified, the DNS proxy does not forward DNS requests, or answer requests from the DNS clients.

DNS spoofing

DNS spoofing is applied to the dial-up network, as shown in Figure 41.
• The device connects to the PSTN/ISDN network through a dial-up interface and triggers the establishment of a dial-up connection only when packets are to be forwarded through the dial-up interface.
• The device serves as a DNS proxy and is specified as a DNS server on the hosts. After the dial-up connection is established through the dial-up interface, the device dynamically obtains the DNS server address through DHCP or other autoconfiguration mechanisms.

Figure 41 Application of DNS spoofing

Without DNS spoofing enabled, the device forwards the DNS requests received from the hosts to the DNS server, if it cannot find a match in the local domain name resolution table. However, without any dial-up connection established, the device cannot obtain the DNS server address, so it cannot forward or answer the requests from the clients. The domain name cannot be resolved and no traffic triggers the establishment of a dial-up connection. DNS spoofing can solve this problem.
DNS spoofing enables the device to reply to the DNS client with a configured IP address when the device does not have a DNS server address or route to a DNS server. Subsequent packets sent by the DNS client trigger the establishment of a dial-up connection with the network.

In the network of Figure 41, a host accesses the HTTP server in the following steps:
1. The host sends a DNS request to the device to resolve the domain name of the HTTP server into an IP address.
2. Upon receiving the request, the device searches the local static and dynamic DNS entries for a match. If no match is found and the device does not know the DNS server address, the device spoofs the host by replying with a configured IP address. The TTL of the DNS reply is 0. The device must have a route to the IP address with the dial-up interface as the outgoing interface.
3. Upon receiving the reply, the host sends an HTTP request to the replied IP address.
4. When forwarding the HTTP request through the dial-up interface, the device establishes a dial-up connection with the network and dynamically obtains the DNS server address through DHCP or other autoconfiguration mechanisms.
5. When the DNS reply ages out, the host sends a DNS request to the device again.
6. Then the device operates the same as a DNS proxy. For more information, see "A DNS proxy operates as follows."
7. After obtaining the IP address of the HTTP server, the host can access the HTTP server.

Because the IP address configured with DNS spoofing is not the actual IP address of the requested domain name, the TTL of the DNS reply is set to 0 to prevent the DNS client from generating incorrect domain name-to-IP address mappings.

Configuring the IPv4 DNS client

Configuring static domain name resolution

Configuring static domain name resolution refers to specifying the mappings between host names and IPv4 addresses. Static domain name resolution allows applications such as Telnet to contact hosts by using host names instead of IPv4 addresses.

Follow these guidelines when you configure static domain name resolution:
• The IPv4 address you last assign to the host name will overwrite the previous one if there is any.
• You may create up to 50 static mappings between domain names and IPv4 addresses.

To configure static domain name resolution:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure a mapping between a host name and an IPv4 address.
   Command: ip host hostname ip-address
   Remarks: Not configured by default

Configuring dynamic domain name resolution

To send DNS queries to a correct server for resolution, dynamic domain name resolution needs to be enabled and a DNS server needs to be configured. In addition, you can configure a DNS suffix that the system will automatically add to the provided domain name for resolution.
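The resolver behaviour described in this chapter, as an added Python example that is not HP code: the three DNS-suffix rules decide which names are tried and in what order; a DNS proxy then checks the static table and the dynamic cache, ages cache entries out by the TTL the server supplied, and otherwise queries the server; when no DNS server address or route is known it answers with the DNS spoofing address and a TTL of 0, which is deliberately never cached. The DNS server is modelled as an in-memory table, and all names, addresses and TTLs are constructed.

```python
"""DNS suffix handling, proxy lookup order and DNS spoofing (added example, not HP code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple


def query_candidates(name: str, suffixes: Sequence[str]) -> List[str]:
    """Names the resolver tries, in order, following the three suffix rules."""
    if name.endswith("."):
        return [name]                              # FQDN: the trailing dot ends it, no suffix
    with_suffix = [f"{name}.{s}" for s in suffixes]
    if "." not in name:
        return with_suffix + [name]                # host name: suffixes first, then as typed
    return [name] + with_suffix                    # dotted name: as typed first, then suffixes


@dataclass
class DnsProxy:
    static: Dict[str, str]                                   # ip host entries: name -> address
    server_db: Optional[Dict[str, Tuple[str, int]]]          # DNS server: name -> (ip, ttl); None = no server/route
    spoof_ip: Optional[str] = None                           # address returned by DNS spoofing
    cache: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # dynamic entries: name -> (ip, expiry)

    def resolve(self, name: str, suffixes: Sequence[str] = (), now: int = 0
                ) -> Optional[Tuple[str, Optional[int], str]]:
        """Return (ip, ttl, source) or None when the name cannot be resolved at time `now`."""
        candidates = [c.rstrip(".") for c in query_candidates(name, suffixes)]
        # 1. Local static table, then the dynamic cache (dropping aged mappings).
        for key in candidates:
            if key in self.static:
                return (self.static[key], None, "static")    # static entries do not age
            hit = self.cache.get(key)
            if hit is not None:
                ip, expires = hit
                if expires > now:
                    return (ip, expires - now, "cache")
                del self.cache[key]                           # aged mapping removed
        # 2. No DNS server address or route: spoof with TTL 0, or give up.
        if self.server_db is None:
            return (self.spoof_ip, 0, "spoofed") if self.spoof_ip else None
        # 3. Ask the DNS server; it decides how long the mapping stays valid.
        for key in candidates:
            answer = self.server_db.get(key)
            if answer is not None:
                ip, ttl = answer
                self.cache[key] = (ip, now + ttl)
                return (ip, ttl, "server")
        return None


if __name__ == "__main__":
    proxy = DnsProxy(static={"switch1": "10.0.0.1"},
                     server_db={"aabbcc.com": ("192.0.2.10", 300)})
    print(query_candidates("aabbcc", ["com"]))        # suffix appended first
    print(proxy.resolve("aabbcc", ["com"], now=0))    # answered by the server, then cached
    print(proxy.resolve("aabbcc", ["com"], now=100))  # served from cache with remaining TTL
    offline = DnsProxy(static={}, server_db=None, spoof_ip="203.0.113.1")
    print(offline.resolve("www.example.com"))         # spoofed reply, TTL 0, nothing cached
```

The spoofed answer deliberately bypasses the cache: with TTL 0 neither the proxy nor the host keeps the placeholder address, so once the dial-up link is up and a real server is reachable the next query resolves properly, which is the reason the text gives for setting TTL to 0.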