H3C S3600-EI, S3600-EI,S3600-SI,S5600,S3610,S5510,S5500-SI,S5100,S3100, S3600-SI, S5600, S3610 User Manual

DHCP
H3C Low-End Ethernet Switches Configuration Examples Table of Contents

Table of Contents

Chapter 1 DHCP Functions Overview .........................................................................................1-1

1.1 Supported DHCP Functions ..............................................................................................1-1

1.1.1 DHCP Functions Supported by the H3C Low-End Ethernet Switches...................1-1

1.2 Configuration Guide...........................................................................................................1-2

1.2.1 Configuring the DHCP Server.................................................................................1-2

1.2.2 Configuring the DHCP Relay Agent........................................................................1-8

1.2.3 Configuring DHCP Snooping ..................................................................................1-9

Chapter 2 Configuration Examples .............................................................................................2-1

2.1 DHCP Server Configuration Example................................................................................2-1

2.1.1 Network Requirements............................................................................................ 2-1

2.1.2 Network Diagram.....................................................................................................2-2

2.1.3 Configuration Procedure......................................................................................... 2-2

2.2 DHCP Relay Agent/Snooping Configuration Examples ....................................................2-4

2.2.1 Network Requirements............................................................................................ 2-4

2.2.2 Network Diagram.....................................................................................................2-5

2.2.3 Configuration Procedure......................................................................................... 2-6

2.3 Precautions......................................................................................................................2-11

2.3.1 Cooperation Between DHCP Relay Agent and IRF..............................................2-11

Chapter 3 Related Documents..................................................................................................... 3-1

3.1 Protocols and Standards ...................................................................................................3-1

i

DHCP
H3C Low-End Ethernet Switches Configuration Examples Abstract

DHCP Configuration Examples

Keywords: DHCP, Option 82

Abstract: This document describes DHCP configuration and application on Ethernet

switches in specific networking environments. Based on the different roles
played by the devices in the network, the functions and applications of DHCP
server, DHCP relay agent, DHCP snooping, and DHCP Option 82 are covered.

Acronym: DHCP (Dynamic Host Configuration Protocol).

ii

DHCP
H3C Low-End Ethernet Switches Configuration Examples Chapter 1 DHCP Functions Overview

Chapter 1 DHCP Functions Overview

1.1 Supported DHCP Functions

1.1.1 DHCP Functions Supported by the H3C Low-End Ethernet Switches

Table 1-1 DHCP functions supported by the H3C low-end ethernet switches

Function

Model

S3600-EI

DHCP server

z

S3600-SI —
S5600
S3610
S5510

z

z

z

S5500-SI —
S5100 — —
S3100 — —

DHCP relay

agent

z

z

z

z

z

z

DHCP snooping

z

z

z

z

z

z

z

z

Depending on the models, the H3C low-end switches can support part or all of the
following DHCP functions:

DHCP server:

z DHCP server using global address pool/interface address pool
z IP address lease configuration
z Allocation of gateway addresses, DNS server addresses, WINS server addresses

to DHCP clients

z Static bindings for special addresses
z DHCP server security functions: detection of unauthorized DHCP servers and

detection of duplicate IP addresses

DHCP relay agent:

z DHCP relay agent
z DHCP relay agent security functions: address checking , DHCP server handshake,

and periodic update of client address entries

z DHCP Option 82

DHCP snooping:

z DHCP snooping

1-1

DHCP
H3C Low-End Ethernet Switches Configuration Examples Chapter 1 DHCP Functions Overview

z DHCP snooping security functions: DHCP snooping entry update and ARP source

checking

z DHCP Option 82

 Note:

Refer to respective user manuals for detailed descriptions of the DHCP functions
supported by different models.

1.2 Configuration Guide

 Note:

z The configuration varies with product models. The following configuration ta kes the

S3600 series as an example. Refer to respective operation manuals for the
configurations on other models.

z Only basic configuration steps are listed below. Refer to respective operation and

command manuals for the operating principles and applications of the functions.

1.2.1 Configuring the DHCP Server

The DHCP server can be configured to assign IP addresses from a global or interface
address pool. These two configuration methods are applicable to the following
environments:

z If the DHCP server and DHCP clients are on the same network segment, both

methods can be applied.

z If the DHCP server and DHCP clients are on different network segments, the

DHCP server can only be configured to assign IP addresses from a global address
pool.

1) Use the following commands to configure the DHCP server to assign IP addresse s
from a global address pool.

Table 1-2 Configure IP address allocation from a global address pool

Operation Command Description

Enter system view

Enable the DHCP
service

system-view

dhcp enable

—
Optional

By default, the DHCP
service is enabled.

1-2

DHCP
H3C Low-End Ethernet Switches Configuration Examples Chapter 1 DHCP Functions Overview

Operation Command Description

Create a DHCP address
pool and enter DHCP
address pool view

Configure an IP address
range for dynamic
allocation

Configure the lease
period of dynamically
allocated IP addresses

Configure a domain
name for DHCP clients

Configure DNS server
addresses for DHCP
clients

dhcp server ip-pool pool-name

network ip-address
[ mask-length | mask mask ]

expired { day day [ hour hour
[ minute minute ] ] | unlimited }

domain-name domain-name

dns-list ip-address&<1-8>

Required
By default, no global

DHCP address pool
is created.

Required
By default, no IP

address range is
configured for
dynamic allocation.

Optional
IP address lease

period defaults to
one day.

Required
By default, no

domain name is
configured for DHCP
clients.

Required
By default, no DNS

server addresses are
configured.

Configure WINS server
addresses for DHCP
clients

Specify a NetBIOS node
type for DHCP clients

nbns-list ip-address&<1-8>

netbios-type { b-node | h-node

| m-node | p-node }

Configure gateway
addresses for DHCP
clients

Configure a self-defined
DHCP option

gateway-list ip-address&<1-8>

option code { ascii ascii-string |
hex hex-string&<1-10> |
ip-address ip-address&<1-8> }

Required
By default, no WINS

server addresses are
configured.

Optional
By default, the DHCP

clients are h-nodes if
the command is not
specified.

Required
By default, no

gateway address is
configured.

Required
By default, no

self-defined option is
configured.

1-3

DHCP
H3C Low-End Ethernet Switches Configuration Examples Chapter 1 DHCP Functions Overview

Operation Command Description

Confi
gure
a
static
bindi
ng

Return to
system view

quit

Create an
address pool for
the static

dhcp server ip-pool pool-name

address binding
Specify the IP

address of the
static binding

Spe
cify
the
MA
C
addr

Specify
the MAC
address
of the
static
binding

static-bind ip-address

ip-address [ mask-length | mask
mask ]

static-bind mac-address

mac-address

ess
or
the
clie
nt
ID
of
the
stati

Specify
the client
ID of the
static
binding

static-bind client-identifier
client-identifier

c
bind
ing

Optional
By default, no MAC

address or client ID
is bound to an IP
address statically.

Note:

z To configure a

static binding, you
need to specify
the IP address
and the MAC
address or client
ID.

z A static address

pool can be
configured with
only one IP
address-to-MAC
or IP
address-to-client
ID binding.

Return to system view

Specify the IP
addresses to be
excluded from
automatic allocation

quit

dhcp server forbidden-ip

low-ip-address
[ high-ip-address ]

interface interface-type
interface-number

dhcp select global
quit

dhcp select global { interface

interface-type interface-number
[ to interface-type
interface-number ] | all }

Configure
the global
address
pool mode

On the
current
interface

On
multiple
interfaces
in system
view

—
Optional

By default, all the IP
addresses in a
DHCP address pool
are available for
dynamic allocation.

Optional
By default, an

interface operates in
the global address
pool mode.

1-4

DHCP
H3C Low-End Ethernet Switches Configuration Examples Chapter 1 DHCP Functions Overview

Operation Command Description

Required

Enable the detection of
unauthorized DHCP
servers

dhcp server detect

By default, the
detection of
unauthorized DHCP
servers is disabled.

Set the
maximum
number of

Optional
The default

maximum number is

2.

Configure
duplicate
IP
address
detection

ping
packets
sent by the
DHCP
server for
each IP
address

dhcp server ping packets
number

Set a
response
timeout for
each ping
packet

dhcp server ping timeout
milliseconds

Optional
The default timeout

is 500 milliseconds.

Enable the DHCP
server to support Option
82

dhcp server relay information
enable

Optional
By default, the DHCP

server supports
Option 82.

2) Use the following commands to configure IP address allocation through the
interface address pool.

Table 1-3 Configure IP address allocation through the interface address pool

Operation Command Description

Enter system view

Enable the DHCP
service

Configure multiple or all
the VLAN interfaces to
operate in interface
address pool mode

system-view

—
Optional

dhcp enable

By default, the DHCP
service is enabled.

dhcp select interface
{ interface interface-type

interface-number [ to
interface-type
interface-number ] | all }

Optional

Configure a VLAN
interface to operate in
interface address pool
mode

interface interface-type
interface-number

dhcp select interface

1-5

Required
By default, a VLAN

interface operates in
global address pool
mode.

DHCP
H3C Low-End Ethernet Switches Configuration Examples Chapter 1 DHCP Functions Overview

Operation Command Description

Bind an IP address
statically to a client MAC
address or client ID

Config
ure the

On the current
interface

lease
period
of
dynami
cally
allocat
ed IP

On multiple
interfaces in
system view

addres
ses

Return to system view

Specify the IP addresses
to be excluded from
automatic allocation

dhcp server static-bind
ip-address ip-address

{ client-identifier
client-identifier | mac-address
mac-address }

dhcp server expired { day day
[ hour hour [ minute minute ] ] |

unlimited }
quit
dhcp server expired { day day

[ hour hour [ minute minute ] ] |
unlimited } { interface

interface-type interface-number
[ to interface-type
interface-number ] | all }

quit

dhcp server forbidden-ip

low-ip-address
[ high-ip-address ]

Optional
By default, no static

binding is configured

Optional
IP address lease

period defaults to
one day.

—
Optional

By default, all the IP
addresses in an
interface address
pool are available for
dynamic allocation.

Configure
a domain
name for
DHCP
clients

Configure
DNS
server
addresses
for DHCP
clients

interface interface-type
interface-number

On one
interface

dhcp server domain-name

domain-name

quit
dhcp server domain-name

On multiple
interfaces

domain-name { interface
interface-type interface-number
[ to interface-type
interface-number ] | all }

interface interface-type
interface-number

On one
interface

dhcp server dns-list
ip-address&<1-8>

quit
dhcp server dns-list

On multiple
interfaces

ip-address&<1-8> { interface
interface-type interface-number
[ to interface-type
interface-number ] | all }

Optional
By default, no

domain name is
configured for DHCP
clients.

Optional
By default, no DNS

server address is
configured.

1-6

DHCP
H3C Low-End Ethernet Switches Configuration Examples Chapter 1 DHCP Functions Overview

Operation Command Description

interface interface-type
interface-number

Configure
WINS
server
addresses
for DHCP
clients

On one
interface

On multiple
interfaces

dhcp server nbns-list

ip-address&<1-8>
quit
dhcp server nbns-list

ip-address&<1-8> { interface
interface-type interface-number

[ to interface-type

Optional
By default, no WINS

server addresses are
configured.

interface-number ] | all }
interface interface-type

interface-number

Define a
NetBIOS
node type
for DHCP
clients

Configure
a
self-define
d DHCP
option

On one
interface

dhcp server netbios-type
{ b-node | h-node | m-node |

p-node }
quit
dhcp server netbios-type

{ b-node | h-node | m-node |
On multiple
interfaces

p-node } { interface

interface-type interface-number

[ to interface-type

interface-number ] | all }

interface interface-type

interface-number

On one
interface

dhcp server option code

{ ascii ascii-string | hex

hex-string&<1-10> | ip-address

ip-address&<1-8> }

quit

dhcp server option code

{ ascii ascii-string | hex
On multiple

interfaces

hex-string&<1-10> | ip-address

ip-address&<1-8> } { interface

interface-type interface-number

[ to interface-type

interface-number ] | all }

By default, no
NetBIOS node type
is specified and a
DHCP client uses the

Optional

h-node type.

Optional
By default, no

self-defined option is
configured.

Enable the detection of
unauthorized DHCP
servers

dhcp server detect

1-7

Optional
By default, the

detection of
unauthorized DHCP
servers is disabled.

DHCP
H3C Low-End Ethernet Switches Configuration Examples Chapter 1 DHCP Functions Overview

Operation Command Description

Set the
maximum
number of

Optional
The default

maximum number is

2.

Configure
duplicate
IP
address
detection

ping
packets
sent by the
DHCP
server for
each IP
address

dhcp server ping packets

number

Set a
response
timeout for
each ping
packet

dhcp server ping timeout

milliseconds

Optional
The default timeout

is 500 milliseconds.

Optional

Enable the DHCP server
to support Option 82

dhcp server relay information

enable

By default, the DHCP
server supports
Option 82.

1.2.2 Configuring the DHCP Relay Agent

Use the following commands to configure the DHCP relay agent.

Table 1-4 Configure DHCP relay agent

Operation Command Description

Enter system view

Enable the DHCP service

Configure DHCP server
IP addresses for a DHCP
server group

Configure a DHCP user
address entry

system-view

dhcp enable

dhcp-server groupNo ip
ip-address&<1-8>

dhcp-security static

ip-address mac-address

—
Optional

By default, the DHCP
service is enabled.

Required
By default, no DHCP

server IP address is
configured for a DHCP
server group.

Optional
By default, no DHCP user

address entry is
configured.

Enable DHCP relay agent
handshake

dhcp relay hand enable

1-8

Optional
By default, DHCP relay

agent handshake is
enabled.

DHCP
H3C Low-End Ethernet Switches Configuration Examples Chapter 1 DHCP Functions Overview

Operation Command Description

Optional

Configure the interval at
which the DHCP relay
agent updates dynamic
client address entries

dhcp-security tracker

{ interval | auto }

By default, the update
interval is calculated
automatically according to
the number of the DHCP
client entries.

Enable the detection on
unauthorized DHCP
servers

Enable the DHCP relay
agent to support Option
82

Configure a strategy for
the DHCP relay agent to
handle request packets
containing Option 82

Enter VLAN interface
view

Associate the interface to
a DHCP server group

dhcp-server detect

dhcp relay information
enable

dhcp relay information
strategy { drop | keep |
replace }

interface interface-type
interface-number

dhcp-server groupNo

Enable the address
checking function for the
DHCP relay agent

address-check enable

Required
By default, the detection

of unauthorized DHCP
servers is disabled.

Required
By default, the DHCP

relay agent does not
support Option 82.

Optional
By default, the strategy is

replace.

—

Required
By default, a VLAN

interface is not associated
to any DHCP server
group.

Required
By default, the address

checking function is
disabled for the DHCP
relay agent.

1.2.3 Configuring DHCP Snooping

Use the following commands to configure DHCP snooping:

Table 1-5 Configure DHCP snooping

Operation Command Description

Enter system view

Enable DHCP snooping

Enter Ethernet port view

system-view

dhcp-snooping

interface interface-type
interface-number

1-9

—
Required

By default, DHCP
snooping is disabled.

—

DHCP
H3C Low-End Ethernet Switches Configuration Examples Chapter 1 DHCP Functions Overview

Operation Command Description

Specify the port
connected to the DHCP
server as a trusted port

dhcp-snooping trust

Optional
By default, all the ports of

a switch are untrusted
ports.

1-10

DHCP
H3C Low-End Ethernet Switches Configuration Examples Chapter 2 Configuration Examples

Chapter 2 Configuration Examples

2.1 DHCP Server Configuration Example

2.1.1 Network Requirements

An S3600 switch serves as the DHCP server in the corporate headquarters (HQ) to
allocate IP addresses to the workstations in the HQ and Branch, a nd it also act s as the
gateway to forward packets from the HQ. The network requirements are as follows:

z Assign the HQ the IP addresses in the 10.214.10.0/24 network segment, with a

lease period of two days, and exclude the IP addresses of the DNS server, WINS
server, and mail server from allocation.

z Assign IP addresses to the DNS server, WINS server, and the mail server in HQ

through static bindings.

z Assign the workstations in the Branch the IP addresses in the 10.210.10.0/24

network segment, with a lease period of three days, and assign the file server in
the Branch an IP address through a static IP-to-MAC binding.

z Assign the addresses of the gateway, DNS server, and the WINS server along

with an IP address to each workstation in the HQ and Branch.

z Enable the detection of unauthorized DHCP servers to prevent any unauthorized

DHCP server from allocating invalid addresses.

2-1

DHCP
H3C Low-End Ethernet Switches Configuration Examples Chapter 2 Configuration Examples

2.1.2 Network Diagram

DHCP

Client1

DHCP Relay

DHCP

Client2

000d-88f8-4e71

Branch

File Server

10.210.10.4

10.214.10.5

002e-8d20-54c6

VLAN-int10

IP network

000d-85c7-4e20

Mail

Server

10.214.10.3

DNS

Server

Gateway

VLAN-int100

Figure 2-1 Network diagram for DHCP server configuration

10.214.10.4

0013-4ca8-9b71

WINS

Server

HQ

DHCP

Client

2.1.3 Configuration Procedure

I. Software Version Used

The S3600 Ethernet switches running software version Release 1510 are used in this
example.

II. Configuring DHCP server

z Configure address allocation for the devices in the HQ.

# Configure the IP address of VLAN-interface10 on the DHCP server in the HQ.

<H3C> system-view
[H3C] interface Vlan-interface 10
[H3C-Vlan-interface10] ip address 10.214.10.1 24

# Configure the interface to operate in the interface address pool mode, assigning the
IP addresses in the 10.214.10.0/24 network segment to the devices in the HQ.

[H3C-Vlan-interface10] dhcp select interface

# Configure the address lease period of the address pool, and configure the IP
addresses of the DNS server and WINS server.

[H3C-Vlan-interface10] dhcp server expired day 2
[H3C-Vlan-interface10] dhcp server dns-list 10.214.10.3

2-2

DHCP
H3C Low-End Ethernet Switches Configuration Examples Chapter 2 Configuration Examples

[H3C-Vlan-interface10] dhcp server nbst-list 10.214.10.4

No gateway needs to be configured for the clients be cause an interface operating in the
interface address pool mode automatically serves as the gateway for DHCP client s and
sends the requested information to the clients.

# Assign IP addresses to the DNS server, WINS server, and mail server through
IP-to-MAC bindings.

[H3C-Vlan-interface10] dhcp server static-bind ip-address 10.214.10.3
mac-address 000d-85c7-4e20
[H3C-Vlan-interface10] dhcp server static-bind ip-address 10.214.10.4
mac-address 0013-4ca8-9b71
[H3C-Vlan-interface10] dhcp server static-bind ip-address 10.214.10.5
mac-address 002e08d20-54c6

# Exclude the static IP addresses of the DNS server , WINS server , and mail server from
allocation.

[H3C-Vlan-interface10] quit
[H3C] dhcp server forbidden-ip 10.214.10.3 10.214.10.5

z Configure address allocation for the devices in the Branch.

# Create a global address pool named “br” for the Branch, and specify the range and
lease period of the IP addresses for allocation.

[H3C] dhcp server ip-pool br
[H3C-dhcp-pool-br] network 10.210.10.0 mask 255.255.255.0
[H3C-dhcp-pool-br] expired day 3

# Create a static binding address pool named “br-static”, and assign the file server in
the Branch an IP address through an IP-to-MAC bindi ng.

[H3C-dhcp-pool-br] quit
[H3C] dhcp server ip-pool br-static
[H3C-dhcp-pool-br-static] static-bind ip-address 10.214.10.4 mask

255.255.255.0
[H3C-dhcp-pool-br-static] static-bind mac-address 000d-88f8-4e71

# Specify the gateway address, DNS server address, and the WINS server address fo r
the workstations in the Branch.

[H3C-dhcp-pool-br-static] quit
[H3C] dhcp server ip-pool br
[H3C-dhcp-pool-br] gateway-list 10.210.10.1
[H3C-dhcp-pool-br] dns-list 10.214.10.3
[H3C-dhcp-pool-br] nbst-list 10.214.10.4

# Exclude the static IP address of the gateway in the Branch from allocation.

[H3C-dhcp-pool-br] quit
[H3C] dhcp server forbidden-ip 10.210.10.1

2-3

DHCP
H3C Low-End Ethernet Switches Configuration Examples Chapter 2 Configuration Examples

# Enable the detection of unauthorized DHCP servers.

[H3C] dhcp server detect

# Configure VLAN-interface100 to operate in the global address pool mode.

[H3C] interface Vlan-interface 100
[H3C-Vlan-interface100] dhcp select global

Note that:
After DHCP configuration is complete, IP addresses can be assigned to the

workstations in the Branch only when a route is active between the HQ and the Branch.

III. Configuring the DHCP relay agent

This section mainly describes the DHCP server configuration. The following shows the
basic DHCP relay agent configuration that ensures the DHCP relay agent to relay
DHCP requests to the DHCP server. For details about DHCP relay agent configuration,
see section

<H3C> system-view
[H3C] dhcp-server 1 ip 10.214.10.1
[H3C] interface Vlan-interface 5
[H3C-Vlan-interface5] dhcp-server 1

2.2 "DHCP Relay Agent/Snooping Configuration Examples".

2.2 DHCP Relay Agent/Snooping Configuration Examples

2.2.1 Network Requirements

A Cisco Catalyst 3745 switch is deployed in the HQ and serves as the DHCP server to
assign IP addresses to the workstations in the Office branch. The branches are
connected to an IRF (intelligent resilient framework) Fabric that serves as the central
node and the DHCP relay agent to forward the DHCP requests from the workstations.
Meanwhile, a lab DHCP server is used to assign IP addresses to the devices in the labs.
The network requirements are as follows:

z Configure the DHCP server in the HQ to assign the IP addresses in the

192.168.10.0/24 network segment to the workstations in the Office branch, with a
lease period of 12 hours. Configure the IP addresses of the DNS server and WINS
server as 192.169.100.2 and 192.168.100.3 respectively.

z The IRF Fabric is connected to the branches and is comprised of four switches. It

serves as the DHCP relay agent to forward the DHCP requests from the
workstations in the Office and the devices in the labs. It is enabled to detect
unauthorized DHCP servers.

z An Ethernet switch in Lab1 serves as the Lab DHCP server to assign the IP

addresses in the 192.168.17.0/24 network segment to the devices in Lab1, with a
lease period of one day, and to assign the IP addresses in the 192.168.19.0/24
network segment to Lab2, with a lease period of two days. The lab DHCP server

2-4

DHCP
H3C Low-End Ethernet Switches Configuration Examples Chapter 2 Configuration Examples

and the IRF Fabric are interconnected through the 172.16.2.4/30 network
segment.

z Configure the address checking function on the DHCP relay agent so that only the

devices that are assigned legal IP addresses from the DHCP server are allowed to
access the external network.

z Configure address entry update on the DHCP relay agent so that it updates the

address entries by sending requests to the DHCP server every one minute.

z Enable DHCP snooping to support DHCP Option 82, adding local port information

to the Option 82 field in DHCP messages.

z Enable the DHCP relay agent to support DHCP Option 82 so that the DHCP relay

agent keeps the original filed unchanged upon receiving DHCP messages
carrying Option 82.

z Enable the DHCP server to support DHCP Option 82 so that it assigns the IP

addresses 192.168.10.2 through 192.168.10.25 to the DHCP clients conne cted to
Ethernet1/0/11 on the DHCP snooping switch and assigns 192.168.10.100
through 192.168.10.150 to the DHCP clients connected to Ethernet1/0/12 of the
DHCP snooping switch.

2.2.2 Network Diagram

Lab2

VLAN-int 25

192.168.19.1

SwitchD

(Unit4)

DHCP Snooping

Eth1/0/1

Eth1/0/11

Eth1/0/12

SwitchA
(Master)

IRF Fabric

DHCP Relay

VLAN-int 10

192.168.10.1

Eth1/0/13

VLAN-int 17

172.16.2.4/30

Cisco Catalyst

3745

192.168.0.3

HQ

IP network

SwitchB

(Unit2)

SwitchC

(Unit3)

Lab DHCP Server

VLAN-int 15

192.168.17.1

0010-5ce9-1dea

Office Lab1

Figure 2-2 Network diagram for DHCP relay agent/snooping integrated configuration

2-5

DHCP
H3C Low-End Ethernet Switches Configuration Examples Chapter 2 Configuration Examples

2.2.3 Configuration Procedure

In this example, the IRF Fabric is comprised of S3600 switches running software
version Release 1510, a Quidway S3552 switch running software version Release
0028 is used as the DHCP snooping-capable switch, and a Quidway S3528 switch
running software version Release 0028 is used as the Lab DHCP server.

For better readability:

z The devices in the IRF Fabric are SwitchA, SwitchB, SwitchC, and SwitchD.
z The DHCP snooping-capable device is referred to as “Snooping”.
z The device serving as the Lab DHCP server is referred to as “LAB”.

I. Configuring IRF Fabric

The S3600 series support IRF Fabric. You can interconnect four devices to form a
Fabric for centralized management of the devices in the Fabric. For det ails, see related
sections in the operation manuals for the S3600 series.

II. Configuring the DHCP relay agent

Figure 2-3 Network diagram for DHCP relay agent configuration

Within the IRF Fabric, configuration made on a device can be synchronized to the other
devices. Therefore, configuration is performed on Switch A only in this example.

# Configure to forward the DHCP requests from the Office to the DHCP server in the
HQ.

<SwitchA> system-view
[SwitchA] dhcp-server 1 ip 192.168.0.3
[SwitchA] interface vlan-interface10
[SwitchA-Vlan-interface10] ip address 192.168.10.1 24
[SwitchA-Vlan-interface10] dhcp-server 1

# Configure to forward the DHCP requests from Lab2 to the Lab DHCP server.

[SwitchA-Vlan-interface10] quit
[SwitchA] dhcp-server 2 ip 192.168.17.1
[SwitchA] interface Vlan-interface 25
[SwitchA-Vlan-interface25] ip address 192.168.19.1 24

2-6

DHCP
H3C Low-End Ethernet Switches Configuration Examples Chapter 2 Configuration Examples

[SwitchA-Vlan-interface25] dhcp-server 2

# Configure the IP address of VLAN-interface17 as 172.16.2.5/30 for forwarding DHCP
packets from the Lab DHCP Server to a non-local segment.

[SwitchA-Vlan-interface25] quit
[SwitchA] interface Vlan-interface 17
[SwitchA-Vlan-interface17] ip add 172.16.2.5 30

# Configure the address checking function on the DHCP relay agent. Make sure you
configure the IP addresses and MAC addresses of the two DHCP servers as static
entries for the security function.

[SwitchA-Vlan-interface17] quit
[SwitchA] dhcp-security static 192.168.0.3 000D-88F8-4E71
[SwitchA] dhcp-security static 192.168.17.1 0010-5ce9-1dea
[SwitchA] interface Vlan-interface 10
[SwitchA-Vlan-interface10] address-check enable
[SwitchA-Vlan-interface10] quit
[SwitchA] interface vlan-interface 25
[SwitchA-Vlan-interface25] address-check enable
[SwitchA-Vlan-interface25] quit

# Configure the address entry update interval on the DHCP relay agent.

[SwitchA] dhcp relay hand enable
[SwitchA] dhcp-security tracker 60

# Enable the DHCP relay agent to support DHCP Option 82 and adopt the strategy of
keeping the original filed upon receiving DHCP messages carrying Option 82.

[SwitchA] dhcp relay information enable
[SwitchA] dhcp relay information strategy keep

# Enable the DHCP relay agent to detect unauthorized DHCP servers.

[SwitchA] dhcp-server detect

# Enable UDP-Helper so that the IRF Fabric can operate in the DHCP relay agent
mode.

[SwitchA] udp-helper enable

# To ensure normal forwarding of DHCP packets across network segments, you need
configure a routing protocol and advertise the network segments of interfaces. The
following configuration uses RIP as an example. For the configuration of other routing
protocols, see the parts covering rout ing protocols in product manuals.

[SwitchA] rip
[SwitchA-rip] network 192.168.10.0
[SwitchA-rip] network 192.168.19.0
[SwitchA-rip] network 172.16.0.0

2-7

DHCP
H3C Low-End Ethernet Switches Configuration Examples Chapter 2 Configuration Examples

 Note:

For the DHCP relay agent using the IRF structure and the DHCP server in the HQ to
communicate with each other, an active route must also be configured between them.
This configuration is performed by the ISP or the user; therefore, it will not be covered
in this document.

III. Configuring the Lab DHCP server

VLAN-int 17

172.16.2.4/30
VLAN-int 15

192.168.17.1

0010-5ce9-1dea

Lab1

Figure 2-4 Network diagram for the Lab DHCP server configuration

# Configure an address pool for Lab2 and specify the address ran ge, lease period, and
the gateway address.

<LAB> system-view
[LAB] dhcp enable
[LAB] dhcp server ip-pool lab2
[LAB-dhcp-lab2] network 192.168.19.0 255.255.255.0
[LAB-dhcp-lab2] expired day 2
[LAB-dhcp-lab2] gateway-list 192.168.19.1

# Configure the IP address of VLAN-interface17 as 172.16.2.6/30 and enable it to
operate in global address pool mode.

[LAB-dhcp-lab2] quit
[LAB] interface Vlan-interface 17
[LAB-Vlan-interface17] ip address 172.16.2.6 30
[LAB-Vlan-interface17] dhcp select global

# Lab1 is connected to VLAN-interface15. Therefore, to assign the IP addresses in the

192.168.17.0/24 network segment to the devices in Lab1, you only need to configure
VLAN-interface15 to operate in the interface address pool mode.

[LAB-Vlan-interface17] quit
[LAB] interface vlan-interface 15
[LAB-Vlan-interface15] ip address 192.168.17.1 24

2-8

DHCP
H3C Low-End Ethernet Switches Configuration Examples Chapter 2 Configuration Examples

[LAB-Vlan-interface15] dhcp select interface
[LAB-Vlan-interface15] quit

# To ensure that the lab DHCP server forwards DHCP packets normally, you need
configure a routing protocol. The following configuration uses RIP as an example. For
the configuration of other routing protocols, see the related parts i n product manuals.

[LAB] rip
[LAB-rip] network 192.168.17.0
[LAB-rip] network 172.16.0.0

IV. Configuring DHCP snooping

Eth1/0/11

Eth1/0/1

Eth1/0/12

Office

Eth1/0/13

DHCP Snooping

Figure 2-5 Network diagram for DHCP snooping configuration

# Enable DHCP snooping and enable Option 82 support for DHCP snooping.

<Snooping> system-view
[Snooping] dhcp-snooping
[Snooping] dhcp-snooping information enable
[Snooping] dhcp-packet redirect Ethernet 0/11 to 0/13

V. Configuring the DHCP server in the HQ

# On the H3C series switches, port numbers, VLAN numbers, and the MAC addre sses
of the DHCP snooping device and the DHCP relay agent are added to DHCP Option 82.
A complete piece of Option 82 information is a combination of the values of two
suboptions:

Circuit ID suboption: It identifies the VLAN to which the clients belong and the port to
which the DHCP snooping device is connected.

0 31

Type(1)

VLAN ID

Length(6) 0 4

15

Port Index

Figure 2-6 Packet structure of Circuit ID suboption

2-9

DHCP
H3C Low-End Ethernet Switches Configuration Examples Chapter 2 Configuration Examples

For example, the DHCP messages from clients conne cted to Ethernet1/0/11 are added
with Option 82, whose Circuit ID suboption should be 0x010600040001000a, where
01060004 is a fixed value, 0001 indicates the access port’ s VLAN is VLAN 1, and 000a
is the absolute number of the port, which is 1 less than the actual port number,
indicating the actual port is Ethernet1/0/11.

Remote ID suboption: It identifies the MAC address of the DHCP snooping device
connected to the client.

0 31

Type(2)

Length(8) 0 6

15

Bridge MAC Address

Figure 2-7 Packet structure of Remote ID suboption

For example, the DHCP messages from clients connected to the DHCP snooping
device with MAC 000f-e234-bc66 are added with Option 82, whose Remote ID
suboption should be 02080006000fe234bc66, where 02080006 is a fixed value and
000fe234bc66 is the MAC address of the DHCP snooping device.

In this example, IP addresses are assigned based on port number only. Therefore, on
the DHCP server , only a matching port number field in the Circuit ID suboption needs to
be found.

 Note:

The following configuration is performed on the Cisco Catalyst 3745 switch running IOS
version 12.3(11)T2. If you are using any other models or devices running any other
version, see the user manuals provided with the devices.

# Enable DHCP server and allocate IP addresses using Option 82 information.

Switch> enable
Switch(config)# configure terminal
Enter Configuration commands, one per line. End with CNTL/Z.
Switch(config)# service dhcp
Switch(config)# ip dhcp use class

# Create a DHCP class for the client connected to Ethernet1/0/11 of the DHCP
snooping device and match the port number in the Circuit ID suboption of Option82,
and replace the contents without match need with a wildcard "*".

Switch(config)# ip dhcp class office1
Switch(dhcp-class)# relay agent information hex 010600040001000a*

2-10

DHCP
H3C Low-End Ethernet Switches Configuration Examples Chapter 2 Configuration Examples

Switch(dhcp-class)# exit

# Configure a DHCP class for the client connected to Etherent1/0/12 of the DHCP
snooping device and match the port number in the Circuit ID suboption of Option82.

Switch(config)# ip dhcp class office2
Switch(dhcp-class)# relay agent information hex 010600040001000b*

# Create an address pool for Office and specify address ranges for the two DHCP
classes.

Switch(config)# ip dhcp pool office
Switch(dhcp-pool)# network 192.168.10.0
Switch(dhcp-pool)# class office1
Switch(dhcp-pool-class)# address range 192.168.10.2 192.168.10.25
Switch(dhcp-pool-class)# exit
Switch(dhcp-pool)# class office2
Switch(dhcp-pool-class)# address range 192.168.10.100 192.168.10.150
Switch(dhcp-pool-class)# exit

# Configure the lease period, gateway address, DNS server address, and WINS server
address for the address pool.

Switch(dhcp-pool)# lease 0 12
Switch(dhcp-pool)# default-router 192.168.10.1
Switch(dhcp-pool)# dns-server 192.168.100.2
Switch(dhcp-pool)# netbios-name-server 192.168.100.3

After the above-mentioned configuration, the DHCP server can automatically assi gn an
IP address, the gateway address, DNS server address, and the WINS server address
for each device in Office.

2.3 Precautions

2.3.1 Cooperation Between DHCP Relay Agent and IRF

z In an IRF network, the DHCP relay agent runs on all the units in the Fabric. But

only the DHCP relay agent running on the master unit can receive and send
packets to perform full DHCP relay agent functions. The DHCP relay agent
running on a slave unit, however, only serves as a backup for the master unit.

z DHCP is an application-layer protocol based on UDP. Once a slave unit receives a

DHCP request, UDP-Helper redirects the packet to the master unit. Then, the
DHCP relay agent running on the master unit gives a response back to the request
and sends the real time information to each slave unit for backup. In this way,
when the current master unit fails, one of the slaves becomes the new master and
operates as the DHCP relay agent immediately. Therefore, make sure you enable
UDP-Helper before using DHCP relay agent in an IRF system.

2-11

DHCP
H3C Low-End Ethernet Switches Configuration Examples Chapter 3 Related Documents

Chapter 3 Related Documents

3.1 Protocols and Standards

z RFC2131: Dynamic Host Configuration Protocol
z RFC2132: DHCP Options and BOOTP Vendor Extensions
z RFC3046: DHCP Relay Agent Information Option

3-1

QACL
H3C Low-End Ethernet Switches Configuration Examples Table of contents

Table of Contents

Chapter 1 QACL Overview............................................................................................................ 1-1

1.1 Supported QACL Functions...............................................................................................1-1

1.1.1 ACL/QoS Functions Supported by H3C Low-End Ethernet Switches....................1-1

1.2 Configuration Guide........................................................................................................... 1-3

Chapter 2 Examples of QACL Configuration.............................................................................. 2-1

2.1 Network Environment ........................................................................................................ 2-1

2.2 Time-based ACL plus Rate Limiting plus Traffic Policing Configuration Example............2-2

2.2.1 Network Requirements............................................................................................ 2-2

2.2.2 Network Diagram.....................................................................................................2-2

2.2.3 Configuration Procedure......................................................................................... 2-2

2.3 Configuration Example of Priority Re-marking plus Queue Scheduling Algorithm plus

Congestion Avoidance plus Packet Priority Trust....................................................................

2.3.1 Network Requirements............................................................................................ 2-4

2.3.2 Network Diagram.....................................................................................................2-4

2.3.3 Configuration Procedure......................................................................................... 2-4

2.4 Configuration Example of Traffic Measurement plus Port Redirection.............................. 2-5

2.4.1 Network Requirements............................................................................................ 2-5

2.4.2 Network Diagram.....................................................................................................2-6

2.4.3 Configuration Procedure......................................................................................... 2-6

2.5 Configuration Example of Local Traffic Mirroring .............................................................. 2-7

2.5.1 Network Requirements............................................................................................ 2-7

2.5.2 Network Diagram.....................................................................................................2-7

2.5.3 Configuration Procedure......................................................................................... 2-8

2.6 Precautions........................................................................................................................ 2-8

2.7 Other Functions Referencing ACL Rules .......................................................................... 2-9

2-4

Chapter 3 Configuration Example of WEB Cache Redirection................................................. 3-1

3.1 Configuration Example of WEB Cache Redirection ..........................................................3-1

3.1.1 Network Requirements............................................................................................ 3-1

3.1.2 Network Diagram.....................................................................................................3-2

3.1.3 Configuration Procedure......................................................................................... 3-2

i

QACL
H3C Low-End Ethernet Switches Configuration Examples Abstract

QACL Configuration Examples

Key words: ACL, and QoS

Abstract: This document describes QACL configurations on Ethernet switches in actual

networking environments. To satisfy different user needs, the document covers
various functions and applications like time-based ACLs, traffic policing, priority
re-marking, queue scheduling, traffic measurement, port redirection, local traffic
mirroring, and WEB Cache redirection.

Acronyms: Access control list (ACL), and quality of servi ce (QoS)

ii

QACL
H3C Low-End Ethernet Switches Configuration Examples Chapter 1 QACL Overview

Chapter 1 QACL Overview

1.1 Supported QACL Functions

1.1.1 ACL/QoS Functions Supported by H3C Low-End Ethernet Switches

Table 1-1 ACL/QoS functions supported by H3C low-end ethernet switches

Model

Function

Basic ACL
Advanced

ACL
Layer 2 ACL
User-defined

ACL
Software-bas

ed ACL
referenced by
upper-layer
software

Apply
hardware-bas
ed ACL to
hardware

Traffic
classification

S3600-EI S3600-SI S5600 S5100-EI S5100-SI

S3100-

SI

z

z

z

z

z

z

z

z

z

z

z

z

z

z

z

z

z

z

z

z

z

z

z

z

—

z

z

z

z

z

—

—

z

—

—

z

z

—

—

z

—

—

Priority
re-marking

Port rate
limiting

Traffic policing
Traffic

shaping
Port

redirection
Queue

scheduling
Congestion

avoidance

—

z

z

z

z

z

z

z

z

z

—

z

z

z

1-1

z

z

z

—

z

z

—

z

—

z

z

z

z

—

—

z

—

—

—

z

—

—

z

—

—

—

z

—

QACL
H3C Low-End Ethernet Switches Configuration Examples Chapter 1 QACL Overview

Model

Function

Local traffic
mirroring

Traffic
measurement

WEB Cache
redirection

S3600-EI S3600-SI S5600 S5100-EI S5100-SI

z

z

z

z

z

—

z

z

—

z

z

—

—

—

—

S3100-

SI

—

—

—

 Note:
z means that the function is supported.

— means that the function is not supported.

 Note:

For details on ACL/QoS functions supported by different models, refer to
corresponding operation manuals.

1-2

QACL
H3C Low-End Ethernet Switches Configuration Examples Chapter 1 QACL Overview

1.2 Configuration Guide

 Note:

z ACL/QoS configuration varies with switch models. The configuration below takes an

H3C S3600 Ethernet Switch as an example. For ACL/QoS configuration on other
switches, refer to corresponding user manuals.

z The section below only lists basic configuration steps. For the operating principle

and detailed information of each function, refer to the operation manual and
command manual of each product.

Table 1-2 Configure ACL/QoS in system view

Configuration Command Remarks

By default, the matching

Create an ACL and
enter ACL view

acl number acl-number
[ match-order { config |
auto } ]

order is config.
Layer 2 ACLs and

user-defined ACLs do not
support match-order.

Define an ACL rule

Configure a queue
scheduling algorithm in
system view

Configure congestion
avoidance

rule [ rule-id ] { permit |
deny } rule-string

queue-scheduler
{ strict-priority | wfq

queue0-width
queue1-width
queue2-width
queue3-width
queue4-width
queue5-width
queue6-width
queue7-width | wrr
queue0-weight
queue1-weight
queue2-weight
queue3-weight
queue4-weight
queue5-weight
queue6-weight
queue7-weight }

wred queue-index qstart
probability

The parameters (criteria)
available for rule-string vary
with ACL types. For details,
refer to the corresponding
command manual.

z If the weight or minimum

bandwidth of a queue is
set to 0 in the WRR or
WFQ approach, strict
priority queuing applies
to the queue.

z By default, the WRR

queue scheduling
algorithm is used for all
outbound queues on a
port. Default weights
are 1:2:3:4:5:9:13:15.

z The queue scheduling

algorithm defined using
the queue-scheduler
command in system
view will work on all
ports.

—

1-3

QACL
H3C Low-End Ethernet Switches Configuration Examples Chapter 1 QACL Overview

Table 1-3 Configure ACL/QoS in port view

Configuration Command Remarks

Apply an ACL on a port

Configure the switch to
trust the priority of
received packets

Configure port-based rate
limit

Reference an ACL for
traffic identification, and
re-assign a priority to the
matching packets

Configure traffic policing

packet-filter { inbound |
outbound } acl-rule

—

Configure the switch to

priority trust

trust the priority carried in
received packets.

The granularity is 64
kbps. If an entered

line-rate { inbound |
outbound } target-rate

number is in the range
N×64 to (N+1)×64 (N is a
natural number), the
switch takes the value
(N+1)×64.

traffic-priority { inbound
| outbound } acl-rule
{ { dscp dscp-value |
ip-precedence
{ pre-value | from-cos } } |

cos { pre-value |
from-ipprec } |

You can re-mark the IP
priority, 802.1p priority,
DSCP priority of packets,
and the priority of local
queues.

local-precedence

pre-value }*

exceed action: specifies

the action taken on the
excess packets when the
packet traffic exceeds the

traffic-limit inbound

acl-rule target-rate

preset limit.

z drop: Drop the

[ exceed action ]

z remark-dscp value:

excess packets.

Re-set the DSCP
priority, and forward
the packets.

1-4