H3C S3600-EI, S3600-EI,S3600-SI,S5600,S3610,S5510,S5500-SI,S5100,S3100, S3600-SI, S5600, S3610 User Manual

...

DHCP H3C Low-End Ethernet Switches Configuration Examples Table of Contents

Table of Contents

Chapter 1 DHCP Functions Overview .........................................................................................1-1

1.1 Supported DHCP Functions ..............................................................................................1-1

1.1.1 DHCP Functions Supported by the H3C Low-End Ethernet Switches...................1-1

1.2 Configuration Guide...........................................................................................................1-2

1.2.1 Configuring the DHCP Server.................................................................................1-2

1.2.2 Configuring the DHCP Relay Agent........................................................................1-8

1.2.3 Configuring DHCP Snooping ..................................................................................1-9

Chapter 2 Configuration Examples .............................................................................................2-1

2.1 DHCP Server Configuration Example................................................................................2-1

2.1.1 Network Requirements............................................................................................ 2-1

2.1.2 Network Diagram.....................................................................................................2-2

2.1.3 Configuration Procedure......................................................................................... 2-2

2.2 DHCP Relay Agent/Snooping Configuration Examples ....................................................2-4

2.2.1 Network Requirements............................................................................................ 2-4

2.2.2 Network Diagram.....................................................................................................2-5

2.2.3 Configuration Procedure......................................................................................... 2-6

2.3 Precautions......................................................................................................................2-11

2.3.1 Cooperation Between DHCP Relay Agent and IRF..............................................2-11

Chapter 3 Related Documents..................................................................................................... 3-1

3.1 Protocols and Standards ...................................................................................................3-1

DHCP H3C Low-End Ethernet Switches Configuration Examples Abstract

DHCP Configuration Examples

Keywords: DHCP, Option 82

Abstract: This document describes DHCP configuration and application on Ethernet

switches in specific networking environments. Based on the different roles played by the devices in the network, the functions and applications of DHCP server, DHCP relay agent, DHCP snooping, and DHCP Option 82 are covered.

Acronym: DHCP (Dynamic Host Configuration Protocol).

DHCP H3C Low-End Ethernet Switches Configuration Examples Chapter 1 DHCP Functions Overview

Chapter 1 DHCP Functions Overview

1.1 Supported DHCP Functions

1.1.1 DHCP Functions Supported by the H3C Low-End Ethernet Switches

Table 1-1 DHCP functions supported by the H3C low-end ethernet switches

Function

Model

S3600-EI

DHCP server

S3600-SI — S5600 S3610 S5510

S5500-SI — S5100 — — S3100 — —

DHCP relay

agent

DHCP snooping

Depending on the models, the H3C low-end switches can support part or all of the following DHCP functions:

DHCP server:

z DHCP server using global address pool/interface address pool z IP address lease configuration z Allocation of gateway addresses, DNS server addresses, WINS server addresses

to DHCP clients

z Static bindings for special addresses z DHCP server security functions: detection of unauthorized DHCP servers and

detection of duplicate IP addresses

DHCP relay agent:

z DHCP relay agent z DHCP relay agent security functions: address checking , DHCP server handshake,

and periodic update of client address entries

z DHCP Option 82

DHCP snooping:

z DHCP snooping

1-1

DHCP H3C Low-End Ethernet Switches Configuration Examples Chapter 1 DHCP Functions Overview

z DHCP snooping security functions: DHCP snooping entry update and ARP source

checking

z DHCP Option 82

 Note:

Refer to respective user manuals for detailed descriptions of the DHCP functions supported by different models.

1.2 Configuration Guide

 Note:

z The configuration varies with product models. The following configuration ta kes the

S3600 series as an example. Refer to respective operation manuals for the configurations on other models.

z Only basic configuration steps are listed below. Refer to respective operation and

command manuals for the operating principles and applications of the functions.

1.2.1 Configuring the DHCP Server

The DHCP server can be configured to assign IP addresses from a global or interface address pool. These two configuration methods are applicable to the following environments:

z If the DHCP server and DHCP clients are on the same network segment, both

methods can be applied.

z If the DHCP server and DHCP clients are on different network segments, the

DHCP server can only be configured to assign IP addresses from a global address pool.

1) Use the following commands to configure the DHCP server to assign IP addresse s from a global address pool.

Table 1-2 Configure IP address allocation from a global address pool

Operation Command Description

Enter system view

Enable the DHCP service

system-view

dhcp enable

— Optional

By default, the DHCP service is enabled.

1-2

DHCP H3C Low-End Ethernet Switches Configuration Examples Chapter 1 DHCP Functions Overview

Operation Command Description

Create a DHCP address pool and enter DHCP address pool view

Configure an IP address range for dynamic allocation

Configure the lease period of dynamically allocated IP addresses

Configure a domain name for DHCP clients

Configure DNS server addresses for DHCP clients

dhcp server ip-pool pool-name

network ip-address [ mask-length | mask mask ]

expired { day day [ hour hour [ minute minute ] ] | unlimited }

domain-name domain-name

dns-list ip-address&<1-8>

Required By default, no global

DHCP address pool is created.

Required By default, no IP

address range is configured for dynamic allocation.

Optional IP address lease

period defaults to one day.

Required By default, no

domain name is configured for DHCP clients.

Required By default, no DNS

server addresses are configured.

Configure WINS server addresses for DHCP clients

Specify a NetBIOS node type for DHCP clients

nbns-list ip-address&<1-8>

netbios-type { b-node | h-node

| m-node | p-node }

Configure gateway addresses for DHCP clients

Configure a self-defined DHCP option

gateway-list ip-address&<1-8>

option code { ascii ascii-string | hex hex-string&<1-10> | ip-address ip-address&<1-8> }

Required By default, no WINS

server addresses are configured.

Optional By default, the DHCP

clients are h-nodes if the command is not specified.

Required By default, no

gateway address is configured.

Required By default, no

self-defined option is configured.

1-3

DHCP H3C Low-End Ethernet Switches Configuration Examples Chapter 1 DHCP Functions Overview

Operation Command Description

Confi gure a static bindi ng

Return to system view

quit

Create an address pool for the static

dhcp server ip-pool pool-name

address binding Specify the IP

address of the static binding

Spe cify the MA C addr

Specify the MAC address of the static binding

static-bind ip-address

ip-address [ mask-length | mask mask ]

static-bind mac-address

mac-address

ess or the clie nt ID of the stati

Specify the client ID of the static binding

static-bind client-identifier client-identifier

c bind ing

Optional By default, no MAC

address or client ID is bound to an IP address statically.

Note:

z To configure a

static binding, you need to specify the IP address and the MAC address or client ID.

z A static address

pool can be configured with only one IP address-to-MAC or IP address-to-client ID binding.

Return to system view

Specify the IP addresses to be excluded from automatic allocation

quit

dhcp server forbidden-ip

low-ip-address [ high-ip-address ]

interface interface-type interface-number

dhcp select global quit

dhcp select global { interface

interface-type interface-number [ to interface-type interface-number ] | all }

Configure the global address pool mode

On the current interface

On multiple interfaces in system view

— Optional

By default, all the IP addresses in a DHCP address pool are available for dynamic allocation.

Optional By default, an

interface operates in the global address pool mode.

1-4

DHCP H3C Low-End Ethernet Switches Configuration Examples Chapter 1 DHCP Functions Overview

Operation Command Description

Required

Enable the detection of unauthorized DHCP servers

dhcp server detect

By default, the detection of unauthorized DHCP servers is disabled.

Set the maximum number of

Optional The default

maximum number is

Configure duplicate IP address detection

ping packets sent by the DHCP server for each IP address

dhcp server ping packets number

Set a response timeout for each ping packet

dhcp server ping timeout milliseconds

Optional The default timeout

is 500 milliseconds.

Enable the DHCP server to support Option 82

dhcp server relay information enable

Optional By default, the DHCP

server supports Option 82.

2) Use the following commands to configure IP address allocation through the interface address pool.

Table 1-3 Configure IP address allocation through the interface address pool

Operation Command Description

Enter system view

Enable the DHCP service

Configure multiple or all the VLAN interfaces to operate in interface address pool mode

system-view

— Optional

dhcp enable

By default, the DHCP service is enabled.

dhcp select interface { interface interface-type

interface-number [ to interface-type interface-number ] | all }

Optional

Configure a VLAN interface to operate in interface address pool mode

interface interface-type interface-number

dhcp select interface

1-5

Required By default, a VLAN

interface operates in global address pool mode.

DHCP H3C Low-End Ethernet Switches Configuration Examples Chapter 1 DHCP Functions Overview

Operation Command Description

Bind an IP address statically to a client MAC address or client ID

Config ure the

On the current interface

lease period of dynami cally allocat ed IP

On multiple interfaces in system view

addres ses

Return to system view

Specify the IP addresses to be excluded from automatic allocation

dhcp server static-bind ip-address ip-address

{ client-identifier client-identifier | mac-address mac-address }

dhcp server expired { day day [ hour hour [ minute minute ] ] |

unlimited } quit dhcp server expired { day day

[ hour hour [ minute minute ] ] | unlimited } { interface

interface-type interface-number [ to interface-type interface-number ] | all }

quit

dhcp server forbidden-ip

low-ip-address [ high-ip-address ]

Optional By default, no static

binding is configured

Optional IP address lease

period defaults to one day.

— Optional

By default, all the IP addresses in an interface address pool are available for dynamic allocation.

Configure a domain name for DHCP clients

Configure DNS server addresses for DHCP clients

interface interface-type interface-number

On one interface

dhcp server domain-name

domain-name

quit dhcp server domain-name

On multiple interfaces

domain-name { interface interface-type interface-number [ to interface-type interface-number ] | all }

interface interface-type interface-number

On one interface

dhcp server dns-list ip-address&<1-8>

quit dhcp server dns-list

On multiple interfaces

ip-address&<1-8> { interface interface-type interface-number [ to interface-type interface-number ] | all }

Optional By default, no

domain name is configured for DHCP clients.

Optional By default, no DNS

server address is configured.

1-6

DHCP H3C Low-End Ethernet Switches Configuration Examples Chapter 1 DHCP Functions Overview

Operation Command Description

interface interface-type interface-number

Configure WINS server addresses for DHCP clients

On one interface

On multiple interfaces

dhcp server nbns-list

ip-address&<1-8> quit dhcp server nbns-list

ip-address&<1-8> { interface interface-type interface-number

[ to interface-type

Optional By default, no WINS

server addresses are configured.

interface-number ] | all } interface interface-type

interface-number

Define a NetBIOS node type for DHCP clients

Configure a self-define d DHCP option

On one interface

dhcp server netbios-type { b-node | h-node | m-node |

p-node } quit dhcp server netbios-type

{ b-node | h-node | m-node | On multiple interfaces

p-node } { interface

interface-type interface-number

[ to interface-type

interface-number ] | all }

interface interface-type

interface-number

On one interface

dhcp server option code

{ ascii ascii-string | hex

hex-string&<1-10> | ip-address

ip-address&<1-8> }

quit

dhcp server option code

{ ascii ascii-string | hex On multiple

interfaces

hex-string&<1-10> | ip-address

ip-address&<1-8> } { interface

interface-type interface-number

[ to interface-type

interface-number ] | all }

By default, no NetBIOS node type is specified and a DHCP client uses the

Optional

h-node type.

Optional By default, no

self-defined option is configured.

Enable the detection of unauthorized DHCP servers

dhcp server detect

1-7

Optional By default, the

detection of unauthorized DHCP servers is disabled.

DHCP H3C Low-End Ethernet Switches Configuration Examples Chapter 1 DHCP Functions Overview

Operation Command Description

Set the maximum number of

Optional The default

maximum number is

Configure duplicate IP address detection

ping packets sent by the DHCP server for each IP address

dhcp server ping packets

number

Set a response timeout for each ping packet

dhcp server ping timeout

milliseconds

Optional The default timeout

is 500 milliseconds.

Optional

Enable the DHCP server to support Option 82

dhcp server relay information

enable

By default, the DHCP server supports Option 82.

1.2.2 Configuring the DHCP Relay Agent

Use the following commands to configure the DHCP relay agent.

Table 1-4 Configure DHCP relay agent

Operation Command Description

Enter system view

Enable the DHCP service

Configure DHCP server IP addresses for a DHCP server group

Configure a DHCP user address entry

system-view

dhcp enable

dhcp-server groupNo ip ip-address&<1-8>

dhcp-security static

ip-address mac-address

— Optional

By default, the DHCP service is enabled.

Required By default, no DHCP

server IP address is configured for a DHCP server group.

Optional By default, no DHCP user

address entry is configured.

Enable DHCP relay agent handshake

dhcp relay hand enable

1-8

Optional By default, DHCP relay

agent handshake is enabled.

DHCP H3C Low-End Ethernet Switches Configuration Examples Chapter 1 DHCP Functions Overview

Operation Command Description

Optional

Configure the interval at which the DHCP relay agent updates dynamic client address entries

dhcp-security tracker

{ interval | auto }

By default, the update interval is calculated automatically according to the number of the DHCP client entries.

Enable the detection on unauthorized DHCP servers

Enable the DHCP relay agent to support Option 82

Configure a strategy for the DHCP relay agent to handle request packets containing Option 82

Enter VLAN interface view

Associate the interface to a DHCP server group

dhcp-server detect

dhcp relay information enable

dhcp relay information strategy { drop | keep | replace }

interface interface-type interface-number

dhcp-server groupNo

Enable the address checking function for the DHCP relay agent

address-check enable

Required By default, the detection

of unauthorized DHCP servers is disabled.

Required By default, the DHCP

relay agent does not support Option 82.

Optional By default, the strategy is

replace.

—

Required By default, a VLAN

interface is not associated to any DHCP server group.

Required By default, the address

checking function is disabled for the DHCP relay agent.

1.2.3 Configuring DHCP Snooping

Use the following commands to configure DHCP snooping:

Table 1-5 Configure DHCP snooping

Operation Command Description

Enter system view

Enable DHCP snooping

Enter Ethernet port view

system-view

dhcp-snooping

interface interface-type interface-number

1-9

— Required

By default, DHCP snooping is disabled.

—

DHCP H3C Low-End Ethernet Switches Configuration Examples Chapter 1 DHCP Functions Overview

Operation Command Description

Specify the port connected to the DHCP server as a trusted port

dhcp-snooping trust

Optional By default, all the ports of

a switch are untrusted ports.

1-10

DHCP H3C Low-End Ethernet Switches Configuration Examples Chapter 2 Configuration Examples

Chapter 2 Configuration Examples

2.1 DHCP Server Configuration Example

2.1.1 Network Requirements

An S3600 switch serves as the DHCP server in the corporate headquarters (HQ) to allocate IP addresses to the workstations in the HQ and Branch, a nd it also act s as the gateway to forward packets from the HQ. The network requirements are as follows:

z Assign the HQ the IP addresses in the 10.214.10.0/24 network segment, with a

lease period of two days, and exclude the IP addresses of the DNS server, WINS server, and mail server from allocation.

z Assign IP addresses to the DNS server, WINS server, and the mail server in HQ

through static bindings.

z Assign the workstations in the Branch the IP addresses in the 10.210.10.0/24

network segment, with a lease period of three days, and assign the file server in the Branch an IP address through a static IP-to-MAC binding.

z Assign the addresses of the gateway, DNS server, and the WINS server along

with an IP address to each workstation in the HQ and Branch.

z Enable the detection of unauthorized DHCP servers to prevent any unauthorized

DHCP server from allocating invalid addresses.

2-1

DHCP H3C Low-End Ethernet Switches Configuration Examples Chapter 2 Configuration Examples

2.1.2 Network Diagram

DHCP

Client1

DHCP Relay

DHCP

Client2

000d-88f8-4e71

Branch

File Server

10.210.10.4

10.214.10.5

002e-8d20-54c6

VLAN-int10

IP network

000d-85c7-4e20

Mail

Server

10.214.10.3

DNS

Server

Gateway

VLAN-int100

Figure 2-1 Network diagram for DHCP server configuration

10.214.10.4

0013-4ca8-9b71

WINS

Server

DHCP

Client

2.1.3 Configuration Procedure

I. Software Version Used

The S3600 Ethernet switches running software version Release 1510 are used in this example.

II. Configuring DHCP server

z Configure address allocation for the devices in the HQ.

# Configure the IP address of VLAN-interface10 on the DHCP server in the HQ.

<H3C> system-view [H3C] interface Vlan-interface 10 [H3C-Vlan-interface10] ip address 10.214.10.1 24

# Configure the interface to operate in the interface address pool mode, assigning the IP addresses in the 10.214.10.0/24 network segment to the devices in the HQ.

[H3C-Vlan-interface10] dhcp select interface

# Configure the address lease period of the address pool, and configure the IP addresses of the DNS server and WINS server.

[H3C-Vlan-interface10] dhcp server expired day 2 [H3C-Vlan-interface10] dhcp server dns-list 10.214.10.3

2-2

DHCP H3C Low-End Ethernet Switches Configuration Examples Chapter 2 Configuration Examples

[H3C-Vlan-interface10] dhcp server nbst-list 10.214.10.4

No gateway needs to be configured for the clients be cause an interface operating in the interface address pool mode automatically serves as the gateway for DHCP client s and sends the requested information to the clients.

# Assign IP addresses to the DNS server, WINS server, and mail server through IP-to-MAC bindings.

[H3C-Vlan-interface10] dhcp server static-bind ip-address 10.214.10.3 mac-address 000d-85c7-4e20 [H3C-Vlan-interface10] dhcp server static-bind ip-address 10.214.10.4 mac-address 0013-4ca8-9b71 [H3C-Vlan-interface10] dhcp server static-bind ip-address 10.214.10.5 mac-address 002e08d20-54c6

# Exclude the static IP addresses of the DNS server , WINS server , and mail server from allocation.

[H3C-Vlan-interface10] quit [H3C] dhcp server forbidden-ip 10.214.10.3 10.214.10.5

z Configure address allocation for the devices in the Branch.

# Create a global address pool named “br” for the Branch, and specify the range and lease period of the IP addresses for allocation.

[H3C] dhcp server ip-pool br [H3C-dhcp-pool-br] network 10.210.10.0 mask 255.255.255.0 [H3C-dhcp-pool-br] expired day 3

# Create a static binding address pool named “br-static”, and assign the file server in the Branch an IP address through an IP-to-MAC bindi ng.

[H3C-dhcp-pool-br] quit [H3C] dhcp server ip-pool br-static [H3C-dhcp-pool-br-static] static-bind ip-address 10.214.10.4 mask

255.255.255.0 [H3C-dhcp-pool-br-static] static-bind mac-address 000d-88f8-4e71

# Specify the gateway address, DNS server address, and the WINS server address fo r the workstations in the Branch.

[H3C-dhcp-pool-br-static] quit [H3C] dhcp server ip-pool br [H3C-dhcp-pool-br] gateway-list 10.210.10.1 [H3C-dhcp-pool-br] dns-list 10.214.10.3 [H3C-dhcp-pool-br] nbst-list 10.214.10.4

# Exclude the static IP address of the gateway in the Branch from allocation.

[H3C-dhcp-pool-br] quit [H3C] dhcp server forbidden-ip 10.210.10.1

2-3

DHCP H3C Low-End Ethernet Switches Configuration Examples Chapter 2 Configuration Examples

# Enable the detection of unauthorized DHCP servers.

[H3C] dhcp server detect

# Configure VLAN-interface100 to operate in the global address pool mode.

[H3C] interface Vlan-interface 100 [H3C-Vlan-interface100] dhcp select global

Note that: After DHCP configuration is complete, IP addresses can be assigned to the

workstations in the Branch only when a route is active between the HQ and the Branch.

III. Configuring the DHCP relay agent

This section mainly describes the DHCP server configuration. The following shows the basic DHCP relay agent configuration that ensures the DHCP relay agent to relay DHCP requests to the DHCP server. For details about DHCP relay agent configuration, see section

<H3C> system-view [H3C] dhcp-server 1 ip 10.214.10.1 [H3C] interface Vlan-interface 5 [H3C-Vlan-interface5] dhcp-server 1

2.2 "DHCP Relay Agent/Snooping Configuration Examples".

2.2 DHCP Relay Agent/Snooping Configuration Examples

2.2.1 Network Requirements

A Cisco Catalyst 3745 switch is deployed in the HQ and serves as the DHCP server to assign IP addresses to the workstations in the Office branch. The branches are connected to an IRF (intelligent resilient framework) Fabric that serves as the central node and the DHCP relay agent to forward the DHCP requests from the workstations. Meanwhile, a lab DHCP server is used to assign IP addresses to the devices in the labs. The network requirements are as follows:

z Configure the DHCP server in the HQ to assign the IP addresses in the

192.168.10.0/24 network segment to the workstations in the Office branch, with a lease period of 12 hours. Configure the IP addresses of the DNS server and WINS server as 192.169.100.2 and 192.168.100.3 respectively.

z The IRF Fabric is connected to the branches and is comprised of four switches. It

serves as the DHCP relay agent to forward the DHCP requests from the workstations in the Office and the devices in the labs. It is enabled to detect unauthorized DHCP servers.

z An Ethernet switch in Lab1 serves as the Lab DHCP server to assign the IP

addresses in the 192.168.17.0/24 network segment to the devices in Lab1, with a lease period of one day, and to assign the IP addresses in the 192.168.19.0/24 network segment to Lab2, with a lease period of two days. The lab DHCP server

2-4

DHCP H3C Low-End Ethernet Switches Configuration Examples Chapter 2 Configuration Examples

and the IRF Fabric are interconnected through the 172.16.2.4/30 network segment.

z Configure the address checking function on the DHCP relay agent so that only the

devices that are assigned legal IP addresses from the DHCP server are allowed to access the external network.

z Configure address entry update on the DHCP relay agent so that it updates the

address entries by sending requests to the DHCP server every one minute.

z Enable DHCP snooping to support DHCP Option 82, adding local port information

to the Option 82 field in DHCP messages.

z Enable the DHCP relay agent to support DHCP Option 82 so that the DHCP relay

agent keeps the original filed unchanged upon receiving DHCP messages carrying Option 82.

z Enable the DHCP server to support DHCP Option 82 so that it assigns the IP

addresses 192.168.10.2 through 192.168.10.25 to the DHCP clients conne cted to Ethernet1/0/11 on the DHCP snooping switch and assigns 192.168.10.100 through 192.168.10.150 to the DHCP clients connected to Ethernet1/0/12 of the DHCP snooping switch.

2.2.2 Network Diagram

Lab2

VLAN-int 25

192.168.19.1

SwitchD

(Unit4)

DHCP Snooping

Eth1/0/1

Eth1/0/11

Eth1/0/12

SwitchA (Master)

IRF Fabric

DHCP Relay

VLAN-int 10

192.168.10.1

Eth1/0/13

VLAN-int 17

172.16.2.4/30

Cisco Catalyst

3745

192.168.0.3

IP network

SwitchB

(Unit2)

SwitchC

(Unit3)

Lab DHCP Server

VLAN-int 15

192.168.17.1

0010-5ce9-1dea

Office Lab1

Figure 2-2 Network diagram for DHCP relay agent/snooping integrated configuration

2-5

DHCP H3C Low-End Ethernet Switches Configuration Examples Chapter 2 Configuration Examples

2.2.3 Configuration Procedure

In this example, the IRF Fabric is comprised of S3600 switches running software version Release 1510, a Quidway S3552 switch running software version Release 0028 is used as the DHCP snooping-capable switch, and a Quidway S3528 switch running software version Release 0028 is used as the Lab DHCP server.

For better readability:

z The devices in the IRF Fabric are SwitchA, SwitchB, SwitchC, and SwitchD. z The DHCP snooping-capable device is referred to as “Snooping”. z The device serving as the Lab DHCP server is referred to as “LAB”.

I. Configuring IRF Fabric

The S3600 series support IRF Fabric. You can interconnect four devices to form a Fabric for centralized management of the devices in the Fabric. For det ails, see related sections in the operation manuals for the S3600 series.

II. Configuring the DHCP relay agent

Figure 2-3 Network diagram for DHCP relay agent configuration

Within the IRF Fabric, configuration made on a device can be synchronized to the other devices. Therefore, configuration is performed on Switch A only in this example.

# Configure to forward the DHCP requests from the Office to the DHCP server in the HQ.

<SwitchA> system-view [SwitchA] dhcp-server 1 ip 192.168.0.3 [SwitchA] interface vlan-interface10 [SwitchA-Vlan-interface10] ip address 192.168.10.1 24 [SwitchA-Vlan-interface10] dhcp-server 1

# Configure to forward the DHCP requests from Lab2 to the Lab DHCP server.

[SwitchA-Vlan-interface10] quit [SwitchA] dhcp-server 2 ip 192.168.17.1 [SwitchA] interface Vlan-interface 25 [SwitchA-Vlan-interface25] ip address 192.168.19.1 24

2-6

DHCP H3C Low-End Ethernet Switches Configuration Examples Chapter 2 Configuration Examples

[SwitchA-Vlan-interface25] dhcp-server 2

# Configure the IP address of VLAN-interface17 as 172.16.2.5/30 for forwarding DHCP packets from the Lab DHCP Server to a non-local segment.

[SwitchA-Vlan-interface25] quit [SwitchA] interface Vlan-interface 17 [SwitchA-Vlan-interface17] ip add 172.16.2.5 30

# Configure the address checking function on the DHCP relay agent. Make sure you configure the IP addresses and MAC addresses of the two DHCP servers as static entries for the security function.

[SwitchA-Vlan-interface17] quit [SwitchA] dhcp-security static 192.168.0.3 000D-88F8-4E71 [SwitchA] dhcp-security static 192.168.17.1 0010-5ce9-1dea [SwitchA] interface Vlan-interface 10 [SwitchA-Vlan-interface10] address-check enable [SwitchA-Vlan-interface10] quit [SwitchA] interface vlan-interface 25 [SwitchA-Vlan-interface25] address-check enable [SwitchA-Vlan-interface25] quit

# Configure the address entry update interval on the DHCP relay agent.

[SwitchA] dhcp relay hand enable [SwitchA] dhcp-security tracker 60

# Enable the DHCP relay agent to support DHCP Option 82 and adopt the strategy of keeping the original filed upon receiving DHCP messages carrying Option 82.

[SwitchA] dhcp relay information enable [SwitchA] dhcp relay information strategy keep

# Enable the DHCP relay agent to detect unauthorized DHCP servers.

[SwitchA] dhcp-server detect

# Enable UDP-Helper so that the IRF Fabric can operate in the DHCP relay agent mode.

[SwitchA] udp-helper enable

# To ensure normal forwarding of DHCP packets across network segments, you need configure a routing protocol and advertise the network segments of interfaces. The following configuration uses RIP as an example. For the configuration of other routing protocols, see the parts covering rout ing protocols in product manuals.

[SwitchA] rip [SwitchA-rip] network 192.168.10.0 [SwitchA-rip] network 192.168.19.0 [SwitchA-rip] network 172.16.0.0

2-7

DHCP H3C Low-End Ethernet Switches Configuration Examples Chapter 2 Configuration Examples

 Note:

For the DHCP relay agent using the IRF structure and the DHCP server in the HQ to communicate with each other, an active route must also be configured between them. This configuration is performed by the ISP or the user; therefore, it will not be covered in this document.

III. Configuring the Lab DHCP server

VLAN-int 17

172.16.2.4/30 VLAN-int 15

192.168.17.1

0010-5ce9-1dea

Lab1

Figure 2-4 Network diagram for the Lab DHCP server configuration

# Configure an address pool for Lab2 and specify the address ran ge, lease period, and the gateway address.

<LAB> system-view [LAB] dhcp enable [LAB] dhcp server ip-pool lab2 [LAB-dhcp-lab2] network 192.168.19.0 255.255.255.0 [LAB-dhcp-lab2] expired day 2 [LAB-dhcp-lab2] gateway-list 192.168.19.1

# Configure the IP address of VLAN-interface17 as 172.16.2.6/30 and enable it to operate in global address pool mode.

[LAB-dhcp-lab2] quit [LAB] interface Vlan-interface 17 [LAB-Vlan-interface17] ip address 172.16.2.6 30 [LAB-Vlan-interface17] dhcp select global

# Lab1 is connected to VLAN-interface15. Therefore, to assign the IP addresses in the

192.168.17.0/24 network segment to the devices in Lab1, you only need to configure VLAN-interface15 to operate in the interface address pool mode.

[LAB-Vlan-interface17] quit [LAB] interface vlan-interface 15 [LAB-Vlan-interface15] ip address 192.168.17.1 24

2-8

DHCP H3C Low-End Ethernet Switches Configuration Examples Chapter 2 Configuration Examples

[LAB-Vlan-interface15] dhcp select interface [LAB-Vlan-interface15] quit

# To ensure that the lab DHCP server forwards DHCP packets normally, you need configure a routing protocol. The following configuration uses RIP as an example. For the configuration of other routing protocols, see the related parts i n product manuals.

[LAB] rip [LAB-rip] network 192.168.17.0 [LAB-rip] network 172.16.0.0

IV. Configuring DHCP snooping

Eth1/0/11

Eth1/0/1

Eth1/0/12

Office

Eth1/0/13

DHCP Snooping

Figure 2-5 Network diagram for DHCP snooping configuration

# Enable DHCP snooping and enable Option 82 support for DHCP snooping.

<Snooping> system-view [Snooping] dhcp-snooping [Snooping] dhcp-snooping information enable [Snooping] dhcp-packet redirect Ethernet 0/11 to 0/13

V. Configuring the DHCP server in the HQ

# On the H3C series switches, port numbers, VLAN numbers, and the MAC addre sses of the DHCP snooping device and the DHCP relay agent are added to DHCP Option 82. A complete piece of Option 82 information is a combination of the values of two suboptions:

Circuit ID suboption: It identifies the VLAN to which the clients belong and the port to which the DHCP snooping device is connected.

0 31

Type(1)

VLAN ID

Length(6) 0 4

Port Index

Figure 2-6 Packet structure of Circuit ID suboption

2-9

DHCP H3C Low-End Ethernet Switches Configuration Examples Chapter 2 Configuration Examples

For example, the DHCP messages from clients conne cted to Ethernet1/0/11 are added with Option 82, whose Circuit ID suboption should be 0x010600040001000a, where 01060004 is a fixed value, 0001 indicates the access port’ s VLAN is VLAN 1, and 000a is the absolute number of the port, which is 1 less than the actual port number, indicating the actual port is Ethernet1/0/11.

Remote ID suboption: It identifies the MAC address of the DHCP snooping device connected to the client.

0 31

Type(2)

Length(8) 0 6

Bridge MAC Address

Figure 2-7 Packet structure of Remote ID suboption

For example, the DHCP messages from clients connected to the DHCP snooping device with MAC 000f-e234-bc66 are added with Option 82, whose Remote ID suboption should be 02080006000fe234bc66, where 02080006 is a fixed value and 000fe234bc66 is the MAC address of the DHCP snooping device.

In this example, IP addresses are assigned based on port number only. Therefore, on the DHCP server , only a matching port number field in the Circuit ID suboption needs to be found.

 Note:

The following configuration is performed on the Cisco Catalyst 3745 switch running IOS version 12.3(11)T2. If you are using any other models or devices running any other version, see the user manuals provided with the devices.

# Enable DHCP server and allocate IP addresses using Option 82 information.

Switch> enable Switch(config)# configure terminal Enter Configuration commands, one per line. End with CNTL/Z. Switch(config)# service dhcp Switch(config)# ip dhcp use class

# Create a DHCP class for the client connected to Ethernet1/0/11 of the DHCP snooping device and match the port number in the Circuit ID suboption of Option82, and replace the contents without match need with a wildcard "*".

Switch(config)# ip dhcp class office1 Switch(dhcp-class)# relay agent information hex 010600040001000a*

2-10

DHCP H3C Low-End Ethernet Switches Configuration Examples Chapter 2 Configuration Examples

Switch(dhcp-class)# exit

# Configure a DHCP class for the client connected to Etherent1/0/12 of the DHCP snooping device and match the port number in the Circuit ID suboption of Option82.

Switch(config)# ip dhcp class office2 Switch(dhcp-class)# relay agent information hex 010600040001000b*

# Create an address pool for Office and specify address ranges for the two DHCP classes.

Switch(config)# ip dhcp pool office Switch(dhcp-pool)# network 192.168.10.0 Switch(dhcp-pool)# class office1 Switch(dhcp-pool-class)# address range 192.168.10.2 192.168.10.25 Switch(dhcp-pool-class)# exit Switch(dhcp-pool)# class office2 Switch(dhcp-pool-class)# address range 192.168.10.100 192.168.10.150 Switch(dhcp-pool-class)# exit

# Configure the lease period, gateway address, DNS server address, and WINS server address for the address pool.

Switch(dhcp-pool)# lease 0 12 Switch(dhcp-pool)# default-router 192.168.10.1 Switch(dhcp-pool)# dns-server 192.168.100.2 Switch(dhcp-pool)# netbios-name-server 192.168.100.3

After the above-mentioned configuration, the DHCP server can automatically assi gn an IP address, the gateway address, DNS server address, and the WINS server address for each device in Office.

2.3 Precautions

2.3.1 Cooperation Between DHCP Relay Agent and IRF

z In an IRF network, the DHCP relay agent runs on all the units in the Fabric. But

only the DHCP relay agent running on the master unit can receive and send packets to perform full DHCP relay agent functions. The DHCP relay agent running on a slave unit, however, only serves as a backup for the master unit.

z DHCP is an application-layer protocol based on UDP. Once a slave unit receives a

DHCP request, UDP-Helper redirects the packet to the master unit. Then, the DHCP relay agent running on the master unit gives a response back to the request and sends the real time information to each slave unit for backup. In this way, when the current master unit fails, one of the slaves becomes the new master and operates as the DHCP relay agent immediately. Therefore, make sure you enable UDP-Helper before using DHCP relay agent in an IRF system.

2-11

DHCP H3C Low-End Ethernet Switches Configuration Examples Chapter 3 Related Documents

Chapter 3 Related Documents

3.1 Protocols and Standards

z RFC2131: Dynamic Host Configuration Protocol z RFC2132: DHCP Options and BOOTP Vendor Extensions z RFC3046: DHCP Relay Agent Information Option

3-1

QACL H3C Low-End Ethernet Switches Configuration Examples Table of contents

Table of Contents

Chapter 1 QACL Overview............................................................................................................ 1-1

1.1 Supported QACL Functions...............................................................................................1-1

1.1.1 ACL/QoS Functions Supported by H3C Low-End Ethernet Switches....................1-1

1.2 Configuration Guide........................................................................................................... 1-3

Chapter 2 Examples of QACL Configuration.............................................................................. 2-1

2.1 Network Environment ........................................................................................................ 2-1

2.2 Time-based ACL plus Rate Limiting plus Traffic Policing Configuration Example............2-2

2.2.1 Network Requirements............................................................................................ 2-2

2.2.2 Network Diagram.....................................................................................................2-2

2.2.3 Configuration Procedure......................................................................................... 2-2

2.3 Configuration Example of Priority Re-marking plus Queue Scheduling Algorithm plus

Congestion Avoidance plus Packet Priority Trust....................................................................

2.3.1 Network Requirements............................................................................................ 2-4

2.3.2 Network Diagram.....................................................................................................2-4

2.3.3 Configuration Procedure......................................................................................... 2-4

2.4 Configuration Example of Traffic Measurement plus Port Redirection.............................. 2-5

2.4.1 Network Requirements............................................................................................ 2-5

2.4.2 Network Diagram.....................................................................................................2-6

2.4.3 Configuration Procedure......................................................................................... 2-6

2.5 Configuration Example of Local Traffic Mirroring .............................................................. 2-7

2.5.1 Network Requirements............................................................................................ 2-7

2.5.2 Network Diagram.....................................................................................................2-7

2.5.3 Configuration Procedure......................................................................................... 2-8

2.6 Precautions........................................................................................................................ 2-8

2.7 Other Functions Referencing ACL Rules .......................................................................... 2-9

2-4

Chapter 3 Configuration Example of WEB Cache Redirection................................................. 3-1

3.1 Configuration Example of WEB Cache Redirection ..........................................................3-1

3.1.1 Network Requirements............................................................................................ 3-1

3.1.2 Network Diagram.....................................................................................................3-2

3.1.3 Configuration Procedure......................................................................................... 3-2

QACL H3C Low-End Ethernet Switches Configuration Examples Abstract

QACL Configuration Examples

Key words: ACL, and QoS

Abstract: This document describes QACL configurations on Ethernet switches in actual

networking environments. To satisfy different user needs, the document covers various functions and applications like time-based ACLs, traffic policing, priority re-marking, queue scheduling, traffic measurement, port redirection, local traffic mirroring, and WEB Cache redirection.

Acronyms: Access control list (ACL), and quality of servi ce (QoS)

QACL H3C Low-End Ethernet Switches Configuration Examples Chapter 1 QACL Overview

Chapter 1 QACL Overview

1.1 Supported QACL Functions

1.1.1 ACL/QoS Functions Supported by H3C Low-End Ethernet Switches

Table 1-1 ACL/QoS functions supported by H3C low-end ethernet switches

Model

Function

Basic ACL Advanced

ACL Layer 2 ACL User-defined

ACL Software-bas

ed ACL referenced by upper-layer software

Apply hardware-bas ed ACL to hardware

Traffic classification

S3600-EI S3600-SI S5600 S5100-EI S5100-SI

S3100-

—

Priority re-marking

Port rate limiting

Traffic policing Traffic

shaping Port

redirection Queue

scheduling Congestion

avoidance

—

1-1

—

QACL H3C Low-End Ethernet Switches Configuration Examples Chapter 1 QACL Overview

Model

Function

Local traffic mirroring

Traffic measurement

WEB Cache redirection

S3600-EI S3600-SI S5600 S5100-EI S5100-SI

—

S3100-

—

 Note: z means that the function is supported.

— means that the function is not supported.

 Note:

For details on ACL/QoS functions supported by different models, refer to corresponding operation manuals.

1-2

QACL H3C Low-End Ethernet Switches Configuration Examples Chapter 1 QACL Overview

1.2 Configuration Guide

 Note:

z ACL/QoS configuration varies with switch models. The configuration below takes an

H3C S3600 Ethernet Switch as an example. For ACL/QoS configuration on other switches, refer to corresponding user manuals.

z The section below only lists basic configuration steps. For the operating principle

and detailed information of each function, refer to the operation manual and command manual of each product.

Table 1-2 Configure ACL/QoS in system view

Configuration Command Remarks

By default, the matching

Create an ACL and enter ACL view

acl number acl-number [ match-order { config | auto } ]

order is config. Layer 2 ACLs and

user-defined ACLs do not support match-order.

Define an ACL rule

Configure a queue scheduling algorithm in system view

Configure congestion avoidance

rule [ rule-id ] { permit | deny } rule-string

queue-scheduler { strict-priority | wfq

queue0-width queue1-width queue2-width queue3-width queue4-width queue5-width queue6-width queue7-width | wrr queue0-weight queue1-weight queue2-weight queue3-weight queue4-weight queue5-weight queue6-weight queue7-weight }

wred queue-index qstart probability

The parameters (criteria) available for rule-string vary with ACL types. For details, refer to the corresponding command manual.

z If the weight or minimum

bandwidth of a queue is set to 0 in the WRR or WFQ approach, strict priority queuing applies to the queue.

z By default, the WRR

queue scheduling algorithm is used for all outbound queues on a port. Default weights are 1:2:3:4:5:9:13:15.

z The queue scheduling

algorithm defined using the queue-scheduler command in system view will work on all ports.

—

1-3

QACL H3C Low-End Ethernet Switches Configuration Examples Chapter 1 QACL Overview

Table 1-3 Configure ACL/QoS in port view

Configuration Command Remarks

Apply an ACL on a port

Configure the switch to trust the priority of received packets

Configure port-based rate limit

Reference an ACL for traffic identification, and re-assign a priority to the matching packets

Configure traffic policing

packet-filter { inbound | outbound } acl-rule

—

Configure the switch to

priority trust

trust the priority carried in received packets.

The granularity is 64 kbps. If an entered

line-rate { inbound | outbound } target-rate

number is in the range N×64 to (N+1)×64 (N is a natural number), the switch takes the value (N+1)×64.

traffic-priority { inbound | outbound } acl-rule { { dscp dscp-value | ip-precedence { pre-value | from-cos } } |

cos { pre-value | from-ipprec } |

You can re-mark the IP priority, 802.1p priority, DSCP priority of packets, and the priority of local queues.

local-precedence

pre-value }*

exceed action: specifies

the action taken on the excess packets when the packet traffic exceeds the

traffic-limit inbound

acl-rule target-rate

preset limit.

z drop: Drop the

[ exceed action ]

z remark-dscp value:

excess packets.

Re-set the DSCP priority, and forward the packets.

1-4

+ 283 hidden pages