DHCP
Agenda
DHCP Overview
DHCP Basic: DHCP Server, DHCP Relay, DHCP Snooping
DHCP Additional: DHCP Security, SAVI, ND Snooping
Concepts of DHCP
DHCP: Dynamic Host Configuration Protocol (DHCP) enables a client to dynamically obtain a valid IP address.
DHCP server: A DHCP server allocates IP addresses to clients. A client sends a packet to the server to request configuration such as the IP address, subnet mask, and default gateway. After receiving the packet, the server replies with a packet carrying the corresponding configuration according to its policies. Both the Request and Reply packets are encapsulated in UDP.
DHCP relay agent: A DHCP relay agent transparently transmits DHCP broadcast packets between DHCP clients and a DHCP server that are on different network segments.
DHCP snooping: DHCP snooping protects DHCP servers and clients against attacks that use ARP, IP, or DHCP packets carrying the IP and MAC addresses of other valid users.
Figure: DHCP feature map. DHCP Basic: DHCP Server, DHCP Relay, DHCP Snooping. DHCP Additional: DHCP Security.
DHCP Usage and RFC Compliance Table
Document | Description | Remarks
RFC 1533 | DHCP Options and BOOTP Vendor Extensions |
RFC 1534 | Interoperation Between DHCP and BOOTP |
RFC 2131 | Dynamic Host Configuration Protocol |
RFC 2132 | DHCP Options and BOOTP Vendor Extensions |
RFC 3046 | DHCP Relay Agent Information Option |
RFC 2460 | Internet Protocol, Version 6 (IPv6) Specification |
RFC 3315 | Dynamic Host Configuration Protocol for IPv6 (DHCPv6) | The DHCPv6 client and DHCPv6 server functions are not supported.
RFC 4649 | Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Relay Agent Remote-ID Option |
The S9700 can be used as ① a DHCP server or ② a DHCP relay agent.
DHCP Usage and RFC Compliance Table (continued)
Document | Description | Remarks
RFC 3319 | DHCPv6 Options for Session Initiation Protocol (SIP) Servers |
RFC 3633 | IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6 |
RFC 3646 | DNS Configuration options for DHCPv6 |
RFC 3898 | Network Information Service (NIS) Configuration Options for DHCPv6 |
RFC 4075 | Simple Network Time Protocol (SNTP) Configuration Option for DHCPv6 |
RFC 2461 | Neighbor Discovery for IPv6 |
draft-bi-savi-stateless-00 | SAVI Solution for Stateless Address |
draft-ietf-savi-dhcp-02, draft-ietf-savi-dhcp-09 | SAVI Solution for DHCP | Only DHCPv6 is supported.
draft-kaippallimalil-savi-dhcp-pd-01 | SAVI Solution for Delegated IPv6 Prefixes |
DHCP Server – Principle #1: Three Modes for the Interaction Between the DHCP Client and Server
Figure: DHCP client and server message exchanges for the three modes, with the lease timers ½ L and ¾ L marked for mode 3.
Mode 1: The DHCP client accesses the network for the first time. Four stages: ① Discovering stage ② Offering stage ③ Selecting stage ④ Acknowledging stage.
Mode 2: The DHCP client accesses the network for the second time.
Mode 3: The DHCP client extends the IP address lease. Trigger conditions: ① the client starts the renewal; ② the server supplies a longer lease; ③ if the server does not reply at ½ L, the client sends a broadcast packet at ¾ L; ④ an available server supplies a new lease with a DHCP ACK.
DHCP Server – Principle #2: Static and Dynamic Allocation of IP Addresses
The DHCP server provides the following address allocation policies:
Manual address allocation: An administrator assigns fixed IP addresses to a few specific hosts, such as the WWW server.
Automatic address allocation: The server assigns fixed IP addresses to some hosts when they connect to the network for the first time. These hosts can use the IP addresses for a long time.
Dynamic address allocation: The server assigns IP addresses with leases to clients. Clients must apply for new IP addresses when their leases expire. This is the policy most clients use.
Sequence of IP address allocation:
① The IP address in the DHCP server's database that is statically bound to the client's MAC address.
② The IP address previously assigned to the client, that is, the IP address in the Requested IP Address option of the DHCP DISCOVER packet sent by the client.
③ The first IP address the server finds when it searches the DHCP address pool for available addresses.
④ If the DHCP address pool has no available IP address, the server searches the expired IP addresses and then the conflicting IP addresses for an available address. If one is found, the server allocates it to the client; otherwise, the server sends an error message.
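The allocation order above, together with the ping-based conflict check, pool lock and manual reclaim that the feature slides describe, as an added Python model (this is example code written for these slides, not S9700 software). The `probe` hook standing in for the ping, the address states, and the sample MAC addresses are assumptions of the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, Dict, Iterator, Optional, Set

IDLE, USED, EXPIRED, CONFLICT = "idle", "used", "expired", "conflict"


@dataclass
class Pool:
    """One global address pool; state names follow the display ip pool output."""
    network: IPv4Network
    gateway: IPv4Address
    excluded: Set[IPv4Address] = field(default_factory=set)       # excluded-ip-address
    static: Dict[str, IPv4Address] = field(default_factory=dict)  # MAC -> statically bound IP
    locked: bool = False                                           # lock
    probe: Optional[Callable[[IPv4Address], bool]] = None         # assumed hook: True if a ping is answered
    ping_packets: int = 2                                          # dhcp server ping packet <number>
    state: Dict[IPv4Address, str] = field(default_factory=dict)   # assignable IP -> lifecycle state
    owner: Dict[IPv4Address, str] = field(default_factory=dict)   # IP -> MAC holding it
    history: Dict[str, IPv4Address] = field(default_factory=dict) # MAC -> IP it held last

    def __post_init__(self) -> None:
        # The gateway is never assignable; excluded addresses are reported as Disable.
        for ip in self.network.hosts():
            if ip != self.gateway and ip not in self.excluded:
                self.state[ip] = IDLE

    def _in_use(self, ip: IPv4Address) -> bool:
        """Conflict detection: ping up to ping_packets times; one answer means 'taken'."""
        return self.probe is not None and any(self.probe(ip) for _ in range(self.ping_packets))

    def _candidates(self, mac: str, requested: Optional[IPv4Address]) -> Iterator[IPv4Address]:
        """Addresses in the order the slides give: static binding, then the address the client
        asks for or held before, then the first idle address, then expired, then conflicting."""
        if mac in self.static:
            yield self.static[mac]
        for ip in (requested, self.history.get(mac)):
            if ip is not None:
                yield ip
        for wanted in (IDLE, EXPIRED, CONFLICT):
            yield from [ip for ip, s in self.state.items() if s == wanted]

    def allocate(self, mac: str, requested: Optional[str] = None) -> Optional[IPv4Address]:
        """Hand out one address, or None when the pool is locked or exhausted (server error)."""
        if self.locked:
            return None
        for ip in self._candidates(mac, IPv4Address(requested) if requested else None):
            if ip not in self.state:
                continue                          # not in this pool's assignable range
            if self.state[ip] == USED and self.owner.get(ip) != mac:
                continue                          # held by another client
            if self.state[ip] != USED and self._in_use(ip):
                self.state[ip] = CONFLICT         # something answered the ping: skip it
                continue
            self.state[ip], self.owner[ip], self.history[mac] = USED, mac, ip
            return ip
        return None

    def expire(self, ip: IPv4Address) -> None:
        """Lease ran out without renewal; the address becomes a last-resort candidate."""
        if self.state.get(ip) == USED:
            self.state[ip] = EXPIRED

    def reset_conflict(self) -> int:
        """reset ip pool ... conflict: return conflicting addresses to idle."""
        hits = [ip for ip, s in self.state.items() if s == CONFLICT]
        for ip in hits:
            self.state[ip] = IDLE
            self.owner.pop(ip, None)
        return len(hits)

    def stats(self) -> Dict[str, int]:
        """Counters in the categories that display ip pool shows."""
        counts = {s: 0 for s in (USED, IDLE, EXPIRED, CONFLICT)}
        for s in self.state.values():
            counts[s] += 1
        return {"Total": len(self.state) + len(self.excluded), "Used": counts[USED],
                "Idle": counts[IDLE], "Expired": counts[EXPIRED],
                "Conflict": counts[CONFLICT], "Disable": len(self.excluded)}


def make_pool(network: str, gateway: str, excluded=(), static=None, busy=(), **kw) -> Pool:
    """Build a pool from strings; `busy` lists constructed addresses that answer the ping."""
    taken = {IPv4Address(a) for a in busy}
    return Pool(IPv4Network(network), IPv4Address(gateway), {IPv4Address(a) for a in excluded},
                {m: IPv4Address(a) for m, a in (static or {}).items()},
                probe=lambda ip: ip in taken, **kw)


if __name__ == "__main__":
    # Pool 1 from the configuration example later in the deck, with 10.1.1.1 answering pings (constructed)
    pool = make_pool("10.1.1.0/25", "10.1.1.126", excluded=("10.1.1.2", "10.1.1.4"), busy=("10.1.1.1",))
    print(pool.allocate("00:00:5e:00:53:01"), pool.stats())
```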
Why Use the S9700 as a DHCP Server?
Purpose
With the rapid growth of network scale and complexity, for example when host locations change frequently (portable computers or wireless networks) and the number of hosts exceeds the number of assignable IP addresses, network configuration becomes more complicated. DHCP is used to assign IP addresses to hosts properly and dynamically.
Benefit
Hot backup: On an S9700 with two MPUs/SRUs, DHCP data on the two MPUs is backed up in real time. After a master/slave switchover, the slave MPU becomes the master MPU and the DHCP server continues to function and allocate IP addresses to clients normally.
DHCP Server – Packet Flow
Figure: DHCP server packet flow. (1) A DHCP Discover/Request packet arrives at the packet processor; (2) it goes to the LC CPU on the LPU; (3) over the control channel to the SRU CPU; (4) the SRU CPU consults memory (IP:MAC:port mapping table, address pool, timing table, ...); (5) the DHCP packet export process emits the DHCP Offer/Reply/ACK/NAK datagram as an internal header plus DHCP packet.
DHCP Server – Feature Implementation: DHCP server
• Assigning addresses randomly through the global address pool: 256 global address pools are supported.
• Binding addresses statically: MAC addresses and IP addresses can be bound, so that a specific IP address is assigned to a specific MAC address.
• Setting user-defined DHCP options.
• Supporting detection of DHCP server address conflicts: when it detects an address conflict, the DHCP server monitors the status of the addresses until they are idle. This function can be enabled or disabled. Key commands: dhcp server ping packet number; dhcp server ping timeout milliseconds
• Number of DHCP server groups: 64
• Number of DHCP servers in each DHCP server group: 20
• Maximum number of IP relay addresses that can be configured on a VLANIF interface: 20
• Number of DHCP server groups on a VLANIF interface: 1
• User online or offline rate supported by the DHCP relay: 85 users per second (8*10G board: 60 users per second)
DHCP Server – Feature Implementation: DHCPv6 server
• Address allocation by two-message exchanges: a client multicasts a Solicit packet to find the server that can allocate addresses and configuration parameters. After receiving the Solicit packet, the server responds with a Reply packet carrying the IP address and configuration parameters allocated to the client.
• Address allocation by four-message exchanges: a client first multicasts a Solicit packet to find the servers that can provide DHCPv6 services. After receiving Advertise packets from multiple servers, the client selects one server according to server priorities. Then the client and the selected server complete address application and allocation by exchanging Request and Reply packets.
• Stateful DHCPv6 mode: the server allocates an IP address and configuration, such as DNS, SIP, NIS, and SNTP server settings, to the client.
• Stateless DHCPv6 mode: the server allocates only configuration, such as DNS, SIP, NIS, and SNTP server settings, to the client.
• Prefix allocation by two-message exchanges: a client multicasts a Solicit packet to find the server that can provide services. After receiving the Solicit packet, the server responds with a Reply packet carrying the prefix allocated to the client.
• Prefix allocation by four-message exchanges: a client first multicasts a Solicit packet to find the servers that can provide services. After receiving Advertise packets from multiple servers, the client selects one server according to server priorities. Then the client and the selected server complete prefix application and allocation by exchanging Request and Reply packets.
DHCP Server – Feature Implementation: Address pool management
• Supporting address pools of VPNs.
• Enabling the DHCP server on a VLANIF interface. Key commands: interface vlanif vlan-id; ip address ip-address { mask | mask-length }; dhcp select interface
• Each address pool supports two DNS server addresses and the DNS suffix.
• Each address pool supports two NetBIOS server addresses and the NetBIOS server type.
• Assigning IP addresses based on MAC addresses.
• Setting the address pool lease. Key command: lease { day day [ hour hour [ minute minute ] ] | unlimited }
• Locking the address pool.
• Setting user-defined options 1 to 254 for address pools: the option can be in the IP address format, in a character string, or in hexadecimal notation.
• Reclaiming addresses manually.
DHCP Server – Feature 1: Supporting detection of DHCP server address conflicts
Usage Scenario
The dhcp server ping command is applicable to DHCP servers. Assigning an IP address that is already in use causes an IP address conflict. To avoid this, before assigning an IP address to a client, the DHCP server sends ping packets to that address, as configured by the dhcp server ping command, to check whether it is in use. The DHCP server first sends one ping packet to the IP address. If there is no response within the specified period, the DHCP server keeps sending ping packets until the number of sent packets reaches the maximum value. If there is still no response, the DHCP server considers the IP address unused and assigns it to the client. This ensures that a unique IP address is assigned to the client.
Example
# Set the maximum number of ping packets to 10 and the maximum response time of each ping packet to 100 ms.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp server ping packet 10
[Quidway] dhcp server ping timeout 100
DHCP Server – Feature 2: Locking the address pool
Usage Scenario
The lock command is applicable to DHCP servers. When a DHCP server needs to be migrated, you only need to migrate its address pools to another DHCP server on the live network. To retain the addresses already assigned to clients from a global address pool, run the lock command to lock that global address pool. New users that come online apply for IP addresses from a new address pool.
Precautions
After the lock command is run, the specified IP address pool is locked and IP addresses in this pool cannot be assigned to clients. Only existing address pools can be locked.
Example
# Lock the address pool global1.
<Quidway> system-view
[Quidway] ip pool global1
[Quidway-ip-pool-global1] lock
DHCP Server – Feature 3: Reclaiming addresses manually
Usage Scenario
The reset ip pool command manually reclaims IP addresses in an address pool that cannot otherwise be released. If an IP address conflict occurs because two clients use the same IP address, run the reset ip pool command to set the IP address to idle.
Precautions
User information cannot be restored after you clear it, so exercise caution when running the reset ip pool command. DHCP clients must release their old IP addresses before obtaining new ones.
Configuration Impact
After the reset ip pool command is run, a user may be disconnected if its IP address is within the address range specified in the command.
Example
# Set all conflicting IP addresses in the IP address pool test to idle.
<Quidway> reset ip pool name test conflict
DHCP Server – Configuration Example #1: Example for Configuring a DHCP Server Based on the Global Address Pool
Configuration Roadmap
STEP 1 : Enable the DHCP server function on SwitchA.
<Quidway> system-view
[Quidway] dhcp enable
DHCP Server – Configuration Example #2
STEP 2 : Create a global address pool on SwitchA and set the attributes of the address pool, including the address range, egress gateway, NetBIOS address, and address lease.
# Set the attributes of IP address pool 1
[Quidway] ip pool 1
[Quidway-ip-pool-1] network 10.1.1.0 mask 255.255.255.128
[Quidway-ip-pool-1] dns-list 10.1.1.2
[Quidway-ip-pool-1] gateway-list 10.1.1.126
[Quidway-ip-pool-1] excluded-ip-address 10.1.1.2
[Quidway-ip-pool-1] excluded-ip-address 10.1.1.4
[Quidway-ip-pool-1] lease day 10
[Quidway-ip-pool-1] quit
# Set the attributes of IP address pool 2
[Quidway] ip pool 2
[Quidway-ip-pool-2] network 10.1.1.128 mask 255.255.255.128
[Quidway-ip-pool-2] dns-list 10.1.1.2
[Quidway-ip-pool-2] nbns-list 10.1.1.4
[Quidway-ip-pool-2] gateway-list 10.1.1.254
[Quidway-ip-pool-2] lease day 2
[Quidway-ip-pool-2] quit
DHCP Server – Configuration Example #3
STEP 3 : Configure VLANIF interfaces to use the global address pool to allocate IP addresses.
# Add GE 1/0/1 to VLAN 10 and GE 1/0/2 to VLAN 20.
[Quidway] vlan batch 10 20
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet1/0/1] quit
[Quidway] interface gigabitethernet 1/0/2
[Quidway-GigabitEthernet1/0/2] port hybrid pvid vlan 20
[Quidway-GigabitEthernet1/0/2] port hybrid untagged vlan 20
[Quidway-GigabitEthernet1/0/2] quit
# Configure the clients on VLANIF 10 to obtain IP addresses from the global address pool.
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.1.1.1 255.255.255.128
[Quidway-Vlanif10] dhcp select global
[Quidway-Vlanif10] quit
# Configure the clients on VLANIF 20 to obtain IP addresses from the global address pool.
[Quidway] interface vlanif 20
[Quidway-Vlanif20] ip address 10.1.1.129 255.255.255.128
[Quidway-Vlanif20] dhcp select global
[Quidway-Vlanif20] quit
DHCP Server – Configuration Example #4
STEP 4 : Verify the configuration.
[Quidway] display ip pool
-----------------------------------------------------------------
Pool-name : 2
Pool-No : 0
Position : Local
Status : Unlocked
Gateway-0 : 10.1.1.254
Mask : 255.255.255.128
VPN instance : --
-----------------------------------------------------------------
Pool-name : 1
Pool-No : 2
Position : Local
Status : Unlocked
Gateway-0 : 10.1.1.126
Mask : 255.255.255.128
VPN instance : --
IP address Statistic
Total :250 Used :0
Idle :248 Expired :0
Conflict :0 Disable :2
DHCP Relay - Principle #1
Figure (left): DHCP client obtaining an address through the DHCP relay agent for the first time, shown as STEP 1 to STEP 4 between the DHCP client, the DHCP relay and the DHCP server.
Figure (right): DHCP client extending the IP address lease through a DHCP relay agent, shown as STEP 1 and STEP 2.
DHCP Relay - Principle #2: S9700 DHCP Relay Agent Supporting VPNs
To forward DHCP packets on a VPN, you need to configure the DHCP relay agent to support VPNs. Once a private route exists, a DHCP REQUEST packet can be sent to the DHCP server to apply for an IP address. The DHCP relay agent sends the DHCP REQUEST packet from a client on a VPN (or on the public network) to the DHCP server on the local VPN, and then sends the DHCP REPLY packet from the server back to the client.
Figure: MPLS VPN network with Client 1, Client 2 and Client 3 in VPN A, VPN B and VPN C, two DHCP relay agents, and DHCP server 1.
Currently, the CE-PE-PE-CE scenario is supported. Both the DHCP server and the client can be deployed on the same CE, or the DHCP server is deployed on a PE while the DHCP client is deployed on a CE.
DHCP Relay - Scenario
Figure: DHCP clients reach the DHCP server across L2/L3 networks through DHCP relay agents (DHCP packet path).
DHCP Relay – Packet Flow
Figure: DHCP relay packet flow. (1) A DHCP server or client packet arrives at the packet processor; (2) it goes to the LC CPU on the LPU; (3) over the control channel to the SRU CPU; (4) the SRU CPU consults memory (DHCP relay related table); (5) the DHCP packet export process emits the DHCP relay packet (unicast) as an internal header plus DHCP packet.
DHCP Relay - Feature Implementation
• DHCP relay: configuring DHCP relay on the VLANIF interface; configuring DHCP relay on the sub-interface; configuring DHCP relay on VPNs; configuring DHCPv6 relay on VLANIFs.
• DHCPv6 relay: VLANIF interface-based relay agent; DHCPv6 Option 37 (remote-id); DHCPv6 Option 18 (interface-id).
DHCP Relay – Feature 1: Configuring DHCP relay on the VLANIF interface
When functioning as a DHCP relay agent, the S9700 forwards DHCP Request packets from DHCP clients to the DHCP server. After the DHCP relay function is enabled on the VLANIF interface, set the DHCP server address on the VLANIF interface in either of the following ways:
• Configure a destination DHCP server group and bind the group to the interface. For details, see Configuring a Destination DHCP Server Group and Binding an Interface to a DHCP Server Group.
• Run the dhcp relay server-ip ip-address command in the VLANIF interface view to configure the destination DHCP server address.
DHCP Relay – Feature 2: Configuring DHCP relay on VPNs
An enterprise establishes a VPN for employees to communicate with each other. The DHCP server is not in the VPN. Users in the VPN need to obtain IP addresses from the DHCP server.
As shown in the figure, the DHCP clients are located in VPNA, in network segment 20.20.20.0/24; the DHCP server is located in network segment 10.10.10.0/24. The DHCP packets need to be relayed by the Switch, which has the DHCP relay function enabled. The DHCP clients on the VPN can then apply for IP addresses from the DHCP server.
An address pool containing network segment 20.20.20.0/24 is configured on the DHCP server, and the DHCP server has a reachable route to 20.20.20.0/24.
DHCP Relay – Configuration Example #1
Configuration Roadmap
STEP 1 : Create a DHCP server group and add a DHCP server to the group.
STEP 2 : Enable DHCP relay on VLANIF 100 so that the Switch functions as the DHCP relay agent.
STEP 3 : Create a VPN instance and bind the DHCP server group and VLANIF interface to the VPN instance.
STEP 4 : Bind the specified DHCP server group to VLANIF 100 so that the packets passing VLANIF 100 are forwarded to the specified server.
DHCP Relay - Configuration Example #2
1. Create a DHCP server group and add a DHCP server to the group.
<Quidway> system-view
[Quidway] sysname Switch
[Switch] dhcp server group dhcpgroup1
[Switch-dhcp-server-group-dhcpgroup1] dhcp-server 10.10.10.1
[Switch-dhcp-server-group-dhcpgroup1] quit
2. Enable the DHCP relay function on the VLANIF interface.
[Switch] vlan 100
[Switch-Vlan100] quit
[Switch] interface gigabitethernet 1/0/0
[Switch-GigabitEthernet1/0/0] port link-type trunk
[Switch-GigabitEthernet1/0/0] port trunk allow-pass vlan 100
[Switch-GigabitEthernet1/0/0] quit
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] dhcp select relay
[Switch-Vlanif100] quit
DHCP Relay - Configuration Example #3
3. Create a VPN instance and bind the DHCP server group and VLANIF interface to the VPN instance.
# Create a VPN instance.
[Switch] ip vpn-instance vpna
[Switch-vpn-instance-vpna] route-distinguisher 1:1
[Switch-vpn-instance-vpna] vpn-target 2:2 both
[Switch-vpn-instance-vpna] quit
# Bind the DHCP server group to the VPN instance.
[Switch] dhcp server group dhcpgroup1
[Switch-dhcp-server-group-dhcpgroup1] vpn-instance vpna
[Switch-dhcp-server-group-dhcpgroup1] quit
# Bind the VLANIF interface to the VPN instance.
[Switch] interface vlanif 100
[Switch-Vlanif100] ip binding vpn-instance vpna
4. Bind the VLANIF interface to the specified DHCP server group.
# Set the IP address of the VLANIF interface.
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 20.20.20.1 24
# Specify a DHCP server group for the VLANIF interface.
[Switch-Vlanif100] dhcp relay server-select dhcpgroup1
DHCP Relay - Configuration Example #4
5. Configure the DHCP server and the PE.
# DHCP server
<Quidway> system-view
[Quidway] sysname SERVER
[SERVER] ip pool 1
[SERVER-ip-pool-1] network 20.20.20.0 mask 255.255.255.0
[SERVER-ip-pool-1] gateway-list 20.20.20.1
[SERVER-ip-pool-1] quit
[SERVER] ip route-static 20.20.20.0 255.255.255.0 10.10.10.2
# PE
<Quidway> system-view
[Quidway] sysname PE
[PE] vlan 101
[PE-Vlan101] quit
[PE] interface gigabitethernet 1/0/0
[PE-GigabitEthernet1/0/0] port link-type trunk
[PE-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[PE-GigabitEthernet1/0/0] quit
[PE] ip vpn-instance vpna
[PE-vpn-instance-vpna] route-distinguisher 1:1
[PE-vpn-instance-vpna] vpn-target 2:2 both
[PE-vpn-instance-vpna] quit
[PE] interface vlanif 101
[PE-Vlanif101] ip binding vpn-instance vpna
[PE-Vlanif101] ip address 10.10.10.2 24
[PE-Vlanif101] quit
DHCP Relay - Configuration Example #5
6. Configure MP-IBGP to exchange VPN routing information.
[PE] bgp 100
[PE-bgp] peer 1.1.1.1 as-number 100
[PE-bgp] peer 1.1.1.1 connect-interface loopback 1
[PE-bgp] ipv4-family vpnv4
[PE-bgp-af-vpnv4] peer 1.1.1.1 enable
[PE-bgp-af-vpnv4] quit
[PE-bgp] quit
[Switch] bgp 100
[Switch-bgp] peer 2.2.2.2 as-number 100
[Switch-bgp] peer 2.2.2.2 connect-interface loopback 1
[Switch-bgp] ipv4-family vpnv4
[Switch-bgp-af-vpnv4] peer 2.2.2.2 enable
[Switch-bgp-af-vpnv4] quit
After the configuration, run the display bgp peer command on the PE; the BGP peer relationship between the PEs is in the Established state.
[PE] display bgp peer
BGP local router ID : 2.2.2.2
Local AS number : 100
Total number of peers : 1    Peers in established state : 1
Peer       V  AS   MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
1.1.1.1    4  100  12       6        0     00:02:21  Established  0
DHCP Relay - Configuration Example #6
7. Verify the configuration.
[Switch] display dhcp relay interface vlanif100
DHCP relay agent running information of interface Vlanif100 :
DHCP server group name : dhcpgroup1
DHCP server IP [0] :10.10.10.1
DHCP server IP [1] :255.255.255.255
DHCP server IP [2] :255.255.255.255
DHCP server IP [3] :255.255.255.255
DHCP server IP [4] :255.255.255.255
DHCP server IP [5] :255.255.255.255
DHCP server IP [6] :255.255.255.255
DHCP server IP [7] :255.255.255.255
DHCP server IP [8] :255.255.255.255
DHCP server IP [9] :255.255.255.255
DHCP server IP [10] :255.255.255.255
DHCP server IP [11] :255.255.255.255
DHCP server IP [12] :255.255.255.255
DHCP server IP [13] :255.255.255.255
DHCP server IP [14] :255.255.255.255
DHCP server IP [15] :255.255.255.255
DHCP server IP [16] :255.255.255.255
DHCP server IP [17] :255.255.255.255
DHCP server IP [18] :255.255.255.255
DHCP server IP [19] :255.255.255.255
DHCP Snooping – Principle
DHCP snooping is a security feature of DHCP. The S9700 creates and maintains the DHCP snooping binding table to filter out untrusted DHCP information sent from untrusted zones. The DHCP snooping binding table contains the MAC address, IP address, lease, VLAN ID, and interface number of each user in an untrusted zone.
When DHCP snooping is enabled on an S9700, the S9700 listens to DHCP packets and records the IP addresses and MAC addresses carried in the received DHCP Request packets or ACK messages. A physical interface can be configured as a trusted interface or an untrusted interface. A trusted interface forwards the DHCP Reply packets it receives, whereas an untrusted interface discards them. By using DHCP snooping, the S9700 blocks bogus DHCP servers and ensures that clients obtain IP addresses from valid DHCP servers.
DHCP Snooping - Scenario
Purpose
DHCP snooping prevents the following attacks:
• Bogus DHCP server attack
• Man-in-the-middle attack and IP/MAC spoofing attack
• Denial of Service (DoS) attack
• DoS attack by changing the value of the Client Hardware Address (CHADDR) field
Benefits
DHCP snooping ensures that:
• Clients obtain IP addresses from valid DHCP servers.
• The IP addresses and MAC addresses of DHCP clients are recorded, and the binding entries can be used by other features.
DHCP Snooping – Packet Flow
Figure: DHCP snooping packet flow. (1) A DHCP server packet arrives at the packet processor; (2) it goes to the LC CPU on the LPU; (3) over the control channel to the SRU CPU; (4) the SRU CPU consults memory (DHCP snooping table) and checks whether the ingress port is trusted: if yes, (5) the DHCP packet export process emits the DHCP snooping packet (unicast) as an internal header plus DHCP packet; if no, the packet is dropped.
DHCP Snooping - Feature Implementation: DHCP snooping
• Enabling or disabling DHCP snooping globally or on an interface.
• Configuring the trusted interface for the DHCP server: prevents unauthorized servers.
• Configuring static entries of DHCP snooping: when a static DHCP snooping entry is configured, the IP address and VLAN ID must be set; the MAC address and port number are optional. The DHCP snooping binding table consists of a static binding table and a dynamic binding table.
• Preventing DHCP starvation attacks: the transmission rate of DHCP packets on an interface or in a VLAN is limited. Key command: dhcp snooping check dhcp-rate rate
• Preventing attackers from sending bogus DHCP messages to extend IP address leases. Key command: dhcp snooping check user-bind enable
• Supporting DHCP snooping in the VPLS: DHCP snooping over VPLS is enabled by enabling DHCP snooping on a physical interface or in a VLAN.
• Supporting DHCPv6 snooping: DHCP snooping static binding table and DHCP snooping dynamic binding table.
• Rate of creating/deleting DHCP snooping binding table entries: 85 entries per second
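The checks listed above and in the principle slide, as an added Python model of the snooping decision the switch CPU makes per packet (example code written for these slides, not S9700 software): trusted versus untrusted ports, the binding table learned from ACKs, the user-bind check on renewals and releases, the CHADDR check against the frame source MAC, the per-second rate limit, and drop counters for the alarm thresholds. The `Pkt` dataclass stands in for the "internal header + DHCP packet" the slides show; port names, VLAN IDs and MAC addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MSGS = {OFFER, ACK, NAK}        # only legitimate on the server-facing (trusted) port
NO_IP = "0.0.0.0"


@dataclass(frozen=True)
class Pkt:
    """What the switch CPU sees: ingress port/VLAN and frame source MAC plus the DHCP fields."""
    port: str
    vlan: int
    src_mac: str
    msg_type: int            # option 53
    chaddr: str              # client hardware address field
    ciaddr: str = NO_IP      # address the client claims (renewal, release, decline)
    yiaddr: str = NO_IP      # address the server assigns (ACK)
    lease: int = 0           # option 51, seconds
    ts: float = 0.0          # receive time, seconds


@dataclass
class Binding:
    ip: str
    vlan: int
    mac: Optional[str] = None        # optional in a static entry (only IP and VLAN are mandatory)
    port: Optional[str] = None
    expires: Optional[float] = None  # None: static entry, never ages out

    def matches(self, pkt: Pkt) -> bool:
        return (self.vlan == pkt.vlan and (self.mac is None or self.mac == pkt.chaddr)
                and (self.port is None or self.port == pkt.port))


class Snooper:
    def __init__(self, trusted_ports, rate_limit: int = 90):
        self.trusted: Set[str] = set(trusted_ports)          # dhcp snooping trusted
        self.rate_limit = rate_limit                          # dhcp snooping check dhcp-rate <rate>
        self.bindings: Dict[str, Binding] = {}                # IP -> static or dynamic entry
        self.pending: Dict[str, Tuple[str, int]] = {}         # chaddr -> (port, vlan) awaiting an ACK
        self.drops: Dict[str, int] = {k: 0 for k in ("untrust-reply", "dhcp-rate", "mac-address", "user-bind")}
        self._window: Tuple[int, int] = (-1, 0)               # (second, client packets seen in it)

    def add_static(self, ip: str, vlan: int, mac: Optional[str] = None, port: Optional[str] = None) -> None:
        self.bindings[ip] = Binding(ip, vlan, mac, port)

    def _drop(self, reason: str) -> Tuple[str, str]:
        self.drops[reason] += 1
        return ("drop", reason)

    def _over_rate(self, ts: float) -> bool:
        sec = int(ts)
        seen = self._window[1] + 1 if self._window[0] == sec else 1
        self._window = (sec, seen)
        return seen > self.rate_limit

    def process(self, pkt: Pkt) -> Tuple[str, str]:
        """Return ("forward", why) or ("drop", check-name) for one packet, updating the table."""
        if pkt.port in self.trusted:
            # Learn a dynamic entry from an ACK that answers a request seen on a client port
            if pkt.msg_type == ACK and pkt.yiaddr != NO_IP and pkt.chaddr in self.pending:
                port, vlan = self.pending.pop(pkt.chaddr)
                self.bindings[pkt.yiaddr] = Binding(pkt.yiaddr, vlan, pkt.chaddr, port, pkt.ts + pkt.lease)
            return ("forward", "trusted")
        if pkt.msg_type in SERVER_MSGS:                     # server reply behind a client port
            return self._drop("untrust-reply")
        if self._over_rate(pkt.ts):                         # starvation / flooding
            return self._drop("dhcp-rate")
        if pkt.chaddr != pkt.src_mac:                       # check mac-address: forged CHADDR
            return self._drop("mac-address")
        renewing = pkt.msg_type == REQUEST and pkt.ciaddr != NO_IP
        if renewing or pkt.msg_type in (RELEASE, DECLINE):  # check user-bind
            entry = self.bindings.get(pkt.ciaddr)
            if entry is None or not entry.matches(pkt):
                return self._drop("user-bind")
            if pkt.msg_type == RELEASE and entry.expires is not None:
                del self.bindings[pkt.ciaddr]
        if pkt.msg_type in (DISCOVER, REQUEST):
            self.pending[pkt.chaddr] = (pkt.port, pkt.vlan)
        return ("forward", "checked")

    def age_out(self, now: float) -> List[str]:
        """Drop dynamic entries whose lease has ended; returns the IPs removed."""
        stale = [ip for ip, b in self.bindings.items() if b.expires is not None and b.expires <= now]
        for ip in stale:
            del self.bindings[ip]
        return stale

    def alarms(self, threshold: int) -> List[str]:
        """Checks whose drop counter reached the threshold (dhcp snooping alarm ... threshold)."""
        return [k for k, n in self.drops.items() if n >= threshold]
```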
DHCP Snooping - Feature Implementation: DHCPv6 snooping
• Global DHCPv6 snooping.
• Interface-based DHCPv6 snooping.
• VLAN-based DHCPv6 snooping.
• DHCPv6 trusted interface: the trusted interface can receive packets from the DHCP server. The switch discards DHCP packets received from untrusted interfaces.
• Dynamic DHCPv6 snooping binding table: the switch dynamically generates DHCPv6 snooping binding entries by capturing and analyzing DHCP packets received from the DHCPv6 server. A binding entry contains the IPv6 address, MAC address, double-layer VLAN IDs, and interface number.
• Static DHCPv6 snooping binding table: you can manually configure DHCP snooping binding entries. A static binding entry contains the IP address, MAC address, VLAN ID, and interface number.
• DHCPv6 snooping binding table management: you can add, delete, modify, and query dynamic and static DHCP snooping binding entries by using commands.
• Preventing bogus DHCPv6 Request messages: if unauthorized users send a large number of bogus DHCP Request messages with varying MAC addresses to extend IP address leases, expired IPv6 addresses cannot be withdrawn.
• 1:1 VLAN mapping.
• Super VLAN: batch configurations take effect in sub-VLANs.
• Port flapping: port flapping for the binding table.
• Interface- or VLAN-based PD snooping.
DHCP Snooping – Feature 1: Supporting DHCP snooping in the VPLS
Figure: DHCP snooping in the VPLS. DHCP snooping is enabled globally and on the physical interfaces (PHY IF 1, PHY IF 2, PHY IF 3). LPUs of the E, FA, FC, W and BC series support it; S series LPUs do not support DHCP snooping in VPLS. Binding relationship: VPLS VSI 100 with PHY IF 1 and VLANIF 10, and VPLS VSI 200 with PHY IF 3 and VLANIF 20, where DHCP snooping in the VPLS takes effect; on PWs it does not take effect; VLAN 30 with VLANIF 30 and PHY IF 2 uses normal DHCP snooping.
DHCP Snooping - Limitation
If DHCP relay is enabled in a super-VLAN, DHCP snooping cannot be enabled in this super-VLAN.
DHCP snooping over VPLS is not supported on physical interfaces or on non-VPLS VLAN interfaces; it can be enabled only on VPLS VLAN interfaces.
DHCP snooping over VPLS cannot be enabled on PWs.
S series LPUs do not support DHCP snooping in the VPLS.
DHCP Snooping – Configuration Example #1: Example for Preventing Bogus DHCP Server Attacks
Configuration Roadmap
STEP 1 : Enable DHCP snooping globally and on the interface.
STEP 2 : Configure the interface connected to the DHCP server as the trusted interface.
STEP 3 : Configure the user-side interface as an untrusted interface. DHCP Reply messages (Offer, ACK, and NAK) received from the untrusted interface are discarded.
STEP 4 : Configure the alarm function for discarded packets.
Configure the interface as the trusted interface or an untrusted interface.
# Configure the interface on the DHCP server side as the trusted interface.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping trusted
[Quidway-GigabitEthernet1/0/0] quit
DHCP Snooping – Configuration Example #2: Example for Limiting the Rate of Sending DHCP Messages
Configuration Roadmap
STEP 1 : Enable DHCP snooping globally and in the interface view.
STEP 2 : Set the rate of sending DHCP Request messages to the protocol stack.
STEP 3 : Configure the alarm function for discarded packets.
Limit the rate of sending DHCP messages.
# Enable the function of checking the rate of sending DHCP Request messages.
[Quidway] dhcp snooping check dhcp-rate enable
# Set the rate of sending DHCP Request messages.
[Quidway] dhcp snooping check dhcp-rate 90
DHCP Snooping – Configuration Example #3: Example for Applying DHCP Snooping on a Layer 2 Network (1)
Configuration Roadmap
STEP 1 : Enable DHCP snooping globally and in the interface view.
STEP 2 : Configure interfaces as trusted or untrusted to prevent bogus DHCP server attacks.
STEP 3 : Configure the DHCP snooping binding table and check DHCP Request messages against entries in the binding table to prevent attackers from sending bogus DHCP messages to extend IP address leases.
STEP 4 : Configure checking of the CHADDR field in DHCP Request messages to prevent attackers from changing the CHADDR field.
STEP 5 : Set the rate of sending DHCP Request messages to the protocol stack to prevent attackers from sending a large number of DHCP Request messages.
STEP 6 : Configure the Option 82 function and create the binding table that contains information about the interface.
STEP 7 : Configure the alarm function for discarded packets and the alarm function for checking the rate of sending packets.
DHCP Snooping – Configuration Example #3: Example for Applying DHCP Snooping on a Layer 2 Network (2)
Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable
# Enable DHCP snooping on the interface at the user side. The configuration of GE 1/0/1 is the same as that of GE 1/0/0 and is not shown here.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping enable
[Quidway-GigabitEthernet1/0/0] quit
Configure the interface as trusted.
# Configure the interface connec to the DHCP server as the trusted interface and enable DHCP snooping on all interfaces connecting to DHCP clients. If a client-side interface is not configured as trusted, it is untrusted by default once DHCP snooping is enabled on it. This prevents bogus DHCP server attacks.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping trusted
[Quidway-GigabitEthernet2/0/0] quit
DHCP Snooping – Configuration Example #4: Example for Applying DHCP Snooping on a Layer 2 Network #3

Configure the checking of certain types of packets.
# Enable the checking of DHCP Request messages on the interfaces on the DHCP client side to prevent attackers from sending bogus DHCP messages to extend IP address leases. The configuration of GE 1/0/1 is the same as that of GE 1/0/0 and is not repeated here.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping check user-bind enable
[Quidway-GigabitEthernet1/0/0] quit
# Enable the checking of the CHADDR field on the interfaces on the DHCP client side to prevent attackers from changing the CHADDR field in DHCP Request messages. The configuration of GE 1/0/1 is the same as that of GE 1/0/0 and is not repeated here.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping check mac-address enable
[Quidway-GigabitEthernet1/0/0] quit
DHCP Snooping – Configuration Example #5: Example for Applying DHCP Snooping on a Layer 2 Network #4

Limit the rate of sending DHCP messages.
# Check the rate of sending DHCP messages to prevent attackers from flooding the device with DHCP Request messages.
[Quidway] dhcp snooping check dhcp-rate enable
[Quidway] dhcp snooping check dhcp-rate 90

Configure the Option 82 function.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp option82 insert enable
[Quidway-GigabitEthernet1/0/0] quit

Configure the alarm function for discarded packets.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address threshold 120
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind threshold 120
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply threshold 120
[Quidway-GigabitEthernet1/0/0] quit
# Enable the alarm function for the DHCP message rate check and set its alarm threshold.
[Quidway] dhcp snooping check dhcp-rate alarm enable
[Quidway] dhcp snooping check dhcp-rate alarm threshold 80
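As an added illustration (not code from the Huawei material), the following Python model shows what the checks enabled in these configuration examples do to individual DHCP messages: replies arriving on untrusted ports are dropped, the CHADDR must match the source MAC, lease renewals must match the binding table, client messages are rate-limited per port, and the drop counts feed the alarm thresholds. Port names, message fields and the threshold values are constructed.

```python
from collections import defaultdict, namedtuple

# Binding-table entry learned from a completed DHCP exchange (constructed model).
Binding = namedtuple("Binding", "ip mac vlan port")


class DhcpSnooping:
    """Constructed model of trusted/untrusted ports, 'check mac-address', 'check user-bind',
    'check dhcp-rate' and the drop-count alarms. Ports and message dicts are assumptions."""

    def __init__(self, trusted_ports, rate_limit, alarm_threshold):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit        # client DHCP messages allowed per port per interval
        self.alarm_threshold = alarm_threshold
        self.bindings = {}                  # ip -> Binding
        self.pending = {}                   # chaddr -> (port, vlan) of the client's request
        self.drops = defaultdict(int)       # drop reason -> count (drives the alarms)
        self.rate = defaultdict(int)        # port -> client messages seen this interval

    def handle(self, port, vlan, src_mac, msg):
        """Return 'forward' or 'drop:<reason>' for one DHCP message seen on `port`."""
        kind = msg["type"]
        if kind in ("OFFER", "ACK", "NAK"):            # server-to-client messages
            if port not in self.trusted:              # bogus server on an untrusted port
                return self._drop("untrust-reply")
            if kind == "ACK" and msg["chaddr"] in self.pending:
                cport, cvlan = self.pending.pop(msg["chaddr"])
                self.bindings[msg["yiaddr"]] = Binding(msg["yiaddr"], msg["chaddr"], cvlan, cport)
            return "forward"
        # client-to-server messages arrive on the untrusted (user-side) ports
        self.rate[port] += 1
        if self.rate[port] > self.rate_limit:          # dhcp snooping check dhcp-rate
            return self._drop("dhcp-rate")
        if msg["chaddr"] != src_mac:                   # dhcp snooping check mac-address
            return self._drop("mac-address")
        if kind in ("REQUEST", "RELEASE", "DECLINE") and msg.get("ciaddr"):
            # renewal/release of an existing lease must match its binding (check user-bind)
            if self.bindings.get(msg["ciaddr"]) != Binding(msg["ciaddr"], msg["chaddr"], vlan, port):
                return self._drop("user-bind")
        else:
            self.pending[msg["chaddr"]] = (port, vlan)  # new lease: remember where it came from
        return "forward"

    def _drop(self, reason):
        self.drops[reason] += 1
        return "drop:" + reason

    def alarms(self):
        # drop reasons whose count has reached the configured alarm threshold
        return sorted(r for r, n in self.drops.items() if n >= self.alarm_threshold)
```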
DHCP Security – Feature Implementation

Subcategory: DHCP security

Item: Setting the format of Option 82
Specifications: The default format, the format conforming to the DSLAM standard, and the user-defined format are supported.

Item: Setting the policy for processing Option 82 on an interface
Specifications: The Option 82 field in a packet can be kept or replaced.
Remarks: This version does not support removing the Option 82 field.

Item: Binding an IP address to the MAC address, VLAN ID, or interface flexibly
Specifications: Enabling or disabling the function of checking the DHCP relay address based on the binding.
Remarks: Matches certain entries in the binding table, for example the IP address or MAC address, which are irrelevant to the DHCP relay.

Item: Restoring entries in the DHCP snooping/relay/server binding table after restart
Specifications: It can be configured.

Item: Supporting static binding

Item: Enabling or disabling the detection of bogus DHCP servers
Specifications: The server address is recorded and the administrator checks, by using the trusted interface, whether the address is invalid. An alarm is generated if the address is invalid.

Item: Limiting the transmission rate of DHCP packets sent to the host
[Figure: Restoring entries in the DHCP binding table after restart. With the commands dhcp server database enable and dhcp server database write-delay XXX, the DHCP data held in S9700 memory is written to the CF card as Lease.txt and Conflict.txt; after a restart, dhcp server database recover loads the DHCP data from the CF card back into S9700 memory.]
DHCP Security – Feature 1: Restoring entries in the DHCP snooping/relay/server binding table after restart

Usage Scenario
When the S9700 functions as a DHCP server, run the dhcp server database command to enable the S9700 to save DHCP data to storage devices. This avoids data loss caused by device faults. The system then generates the lease.txt and conflict.txt files on the CF card; the two files save address lease information and address conflict information respectively. After the dhcp server database command is run, the current DHCP data is automatically saved at the specified interval, overwriting the previous data files. The interval can be set by using the dhcp server database write-delay interval command.
If a fault occurs on the S9700, run the dhcp server database recover command to recover the DHCP data from the storage devices after the system restarts.

Example
# Enable the S9700 to save the current DHCP data to storage devices and set the interval at which DHCP data is saved to 36000s.
<Quidway> system-view
[Quidway] dhcp server database enable
[Quidway] dhcp server database write-delay 36000
# Recover the DHCP configuration by using the DHCP data saved on storage devices.
<Quidway> system-view
[Quidway] dhcp server database recover
SAVI – Feature Implementation

Subcategory: SAVI

Item: Enabling and disabling global SAVI
Specifications: Source Address Validation Improvements (SAVI) creates address-port binding entries to verify the source addresses of the packets received on the specified port.

Item: Generating DHCPv6 snooping binding entries
Specifications: The switch listens on the DHCPv6 address allocation process and dynamically generates binding entries, or uses static binding entries.

Item: Protocol packet check based on DHCPv6 snooping binding entries
Specifications: The switch can verify DHCPv6 and ND packets based on DHCPv6 snooping entries.

Item: Generating ND snooping binding entries
Specifications: The switch listens on the ND address allocation process and generates dynamic binding entries.

Item: Protocol packet check based on ND snooping binding entries
Specifications: The switch can verify DHCPv6 and ND packets based on ND snooping entries.

Item: Generating PD snooping binding entries
Specifications: The switch listens on the DHCPv6 PD prefix allocation process and dynamically generates prefix binding entries, or uses static prefix binding entries.

Item: Protocol packet check based on PD snooping binding entries
Specifications: The switch can verify DHCPv6 and ND packets based on PD snooping entries.

Item: Delivering IPSGv6 entries based on DHCPv6 snooping, ND snooping, and PD snooping binding entries
Specifications: If IPSGv6 is enabled, the switch requests the IPSGv6 module to deliver binding entries to the forwarding plane to verify the forwarded data packets.

Item: Checking the DHCPv6 snooping trusted interface

Item: Checking the ND snooping trusted interface
Specifications: The switch discards the RA packets received from untrusted interfaces.
SAVI: Source Address Validation Improvement

Source Address Validation Improvements (SAVI) creates address-port binding entries to verify the source addresses of the packets received on the specified port. Based on duplicate address detection, SAVI listens on address allocation control packets and creates binding entries. After a binding entry is created, the switch verifies the data and protocol packets received on the specified port: it forwards valid packets and discards invalid packets.

Function
Address allocation modes: DHCPv6, SLAAC (Stateless Address Autoconfiguration)
Scenarios:
DHCPv6-only: only DHCPv6 is used in the network
SLAAC-only: only SLAAC is used in the network
Mixed scenario: DHCPv6 + SLAAC
SAVI: DHCPv6 Mode

[Figure: SAVI in DHCPv6 mode. A host (MAC1) is attached to the SAVI switch on Port 1 (downlink); the DHCPv6 server is reached through Port 24 (uplink). The host's DHCPv6 Request is forwarded to the server, the DHCPv6 Reply allots address A, and the host sends a DAD NS for A before using it ("Get Address A"). The switch then adds the entry (Port 1, MAC1, A) to its binding table; data packets from Port 1 with src=A are forwarded and data packets with src!=A are discarded.]
SAVI: SLAAC Mode

[Figure: SAVI in SLAAC mode. A host (MAC1) is attached to the SAVI switch on Port 1 (downlink); Port 24 is the uplink. The host sends a DAD NS (Duplicate Address Detection Neighbor Solicitation) for its self-configured address A, and the switch adds the entry (Port 1, MAC1, A) to its binding table. Data packets from Port 1 with src=A are forwarded and data packets with src!=A are discarded.]
DHCP-only: Configuration Example

Global configuration
[Quidway] savi enable (Enable the SAVI feature globally)
[Quidway] dhcp enable (Enable the DHCP feature globally)
[Quidway] dhcp snooping enable (Enable the DHCP snooping feature globally)

User side interface Ethernet0/0/10 configuration
Enable the DHCP snooping feature on the interface:
[Quidway-Ethernet0/0/10] dhcp snooping enable
A port on which this command is enabled is called a SAVI-Validation port. Users that go online through this port create entries in the DHCP binding table; to also create a filter table that filters IP packets by source address, configure "ip source check user-bind enable" on the interface.
Enable the IPSG feature on the interface:
[Quidway-Ethernet0/0/10] ip source check user-bind enable
This command can only be configured on a SAVI-Validation port. Once configured, the port filters the IP packets passing through it by source IP address according to the binding table: only packets whose IP address, MAC address, interface, and VLAN match the binding table can pass through the port; all others are dropped.

Network side interface Ethernet0/0/20 configuration
Configure the port as a DHCP trust port:
[Quidway-Ethernet0/0/20] dhcp snooping trusted
A port configured as SAVI-DHCP-Trust passes the DHCP packets sent by the server.
DHCP-SLAAC-MIX: Configuration Example

Global configuration
[Quidway] savi enable (Enable the SAVI feature globally)
[Quidway] dhcp enable (Enable the DHCP feature globally)
[Quidway] dhcp snooping enable (Enable the DHCP snooping feature globally)
[Quidway] nd snooping enable (Enable the ND snooping feature globally)

User side interface Ethernet0/0/10 configuration
Enable the DHCP snooping feature on the interface:
[Quidway-Ethernet0/0/10] dhcp snooping enable
Enable the ND snooping feature on the interface:
[Quidway-Ethernet0/0/10] nd snooping enable
Enable the IPSG feature on the interface:
[Quidway-Ethernet0/0/10] ip source check user-bind enable
When these three commands are configured, the port is called a SAVI-Validation port. Users that go online through this port create entries in both the DHCP binding table and the SLAAC binding table, and a filter table is created from the binding table at the same time to filter IP packets by source address.

Network side interface Ethernet0/0/20 configuration
Configure the port as a DHCP trust port:
[Quidway-Ethernet0/0/20] dhcp snooping trusted
A port configured as SAVI-DHCP-Trust passes the DHCP packets sent from the server.
Configure the port as an ND trust port:
[Quidway-Ethernet0/0/20] nd snooping trusted
A port configured as SAVI-RA-Trust passes the RA packets sent from the server.
ND Snooping – Feature Implementation

Subcategory: ND Snooping

Item: Global, interface-based, and VLAN-based ND snooping

Item: Maximum number of ND binding entries
Specifications: The value is the same as the maximum number of DHCPv6 binding entries.
ND Snooping: ND User Security

ND: Neighbor Discovery Protocol
Basic idea: An IPv6 node that obtains its address through stateless address autoconfiguration combines the address prefix advertised by the link's router (in the Router Advertisement it receives) with an interface ID it creates itself to form the address.
Before using an address, whether it was obtained through stateful or stateless allocation or configured manually, the IPv6 node sends an NS packet for DAD (duplicate address detection). If the address is already in use on the network, the node receives a corresponding NA packet.
The device creates or deletes entries in the ND binding table by detecting the NS and NA packets on the network.
ND Snooping

[Figure: ND snooping. A host (MAC1) is attached to the ND snooping switch on Port 1 (downlink); Port 24 is the uplink toward the router. The host's ND RS is forwarded upstream and the router's ND RA distributes prefix A; the switch's ND prefix management adds the prefix binding (Port 1, prefixA) to the table. The host forms address A1 from the prefix and sends a DAD NS (prefix=A) for it; the switch then adds the binding entry (Port 1, MAC1, A1). Data packets from Port 1 with src=A1 are forwarded and data packets with src!=A1 are discarded.]
ND Snooping: Configuration Example

Global configuration
[Quidway] savi enable (Enable the SAVI feature globally)
[Quidway] dhcp enable (Enable the DHCP feature globally)
[Quidway] nd snooping enable (Enable the ND snooping feature globally)

User side interface Ethernet0/0/10 configuration
Enable the ND snooping feature on the interface:
[Quidway-Ethernet0/0/10] nd snooping enable
A port on which this command is enabled is called a SAVI-Validation port. Users that go online through this port obtain entries in the SLAAC binding table; to also create a filter table that filters IP packets by source address, configure "ip source check user-bind enable" on the interface.
Enable the IPSG feature on the interface:
[Quidway-Ethernet0/0/10] ip source check user-bind enable
This command has to be configured on the SAVI-Validation port. Once configured, the IP packets passing through this port are filtered by source IP address according to the binding table: only packets whose source IP address, MAC address, interface, and VLAN match the binding table can pass through the port; all others are dropped.

Network side interface Ethernet0/0/20 configuration
Configure the interface as an ND trust interface:
[Quidway-Ethernet0/0/20] nd snooping trusted
A port configured as SAVI-RA-Trust passes the RA packets sent from the server.
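The following Python model is an added illustration (not the S9700's code) of the binding-entry creation that the SAVI and ND snooping figures and configuration examples describe, together with the filtering done by "ip source check user-bind": RAs and DHCPv6 Replies are accepted only on trusted uplink ports, a host's DAD NS creates a (port, MAC, address) binding when the target was allotted by DHCPv6 or falls within a prefix learned from an RA, and data packets are then forwarded only when they match a binding. Port names, message shapes and addresses are assumptions.

```python
import ipaddress


class SaviSwitch:
    """Constructed model of SAVI binding-entry creation (DHCPv6 and SLAAC modes) and the
    IPSGv6 source-address filter. Port names and message dicts are assumptions."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # uplinks: 'dhcp snooping trusted' / 'nd snooping trusted'
        self.prefixes = set()              # prefixes learned from RAs (ND prefix management)
        self.allotted = {}                 # client MAC -> address allotted in a DHCPv6 Reply
        self.bindings = set()              # (port, mac, address) SAVI binding entries

    def control(self, port, mac, msg):
        """Handle one ND / DHCPv6 control message; return 'forward', 'drop' or 'bind'."""
        kind = msg["type"]
        if kind in ("RA", "DHCPv6-Reply"):             # router- or server-originated messages
            if port not in self.trusted:               # bogus router / DHCPv6 server on a user port
                return "drop"
            if kind == "RA":
                self.prefixes.update(ipaddress.ip_network(p) for p in msg["prefixes"])
            else:
                self.allotted[msg["client_mac"]] = ipaddress.ip_address(msg["address"])
            return "forward"
        if kind == "DAD-NS":                           # host probes its candidate address
            target = ipaddress.ip_address(msg["target"])
            via_dhcpv6 = self.allotted.get(mac) == target          # DHCPv6 mode
            via_slaac = any(target in p for p in self.prefixes)    # SLAAC mode
            if via_dhcpv6 or via_slaac:
                self.bindings.add((port, mac, target))
                return "bind"
            return "drop"  # no allocation seen for this target: no binding (modelling assumption)
        return "forward"

    def data(self, port, mac, src):
        """IPSGv6 filter: forward only packets whose (port, MAC, source) matches a binding."""
        key = (port, mac, ipaddress.ip_address(src))
        return "forward" if key in self.bindings else "drop"
```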
DHCP Feature Summary (top 3 to 5 points)
The S9700 can only act as a DHCP server and a DHCP relay agent; it cannot act as a DHCP client.
The DHCP server supports global address pools and interface address pools.
When the S9700 is deployed with two SRUs and acts as a DHCP server, it supports DHCP server hot backup.
The S9700 DHCP relay agent and DHCP snooping support VPNs, except on the S series LPUs.
The S9700 supports DHCPv6 server and DHCPv6 relay agent.
Copyright © 2012 Huawei Technologies Co., Ltd. All Rights Reserved. The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purposes only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.