DHCP Relay Configuration
25.1 Overview
25.1.1 Understanding DHCP
DHCP is widely used to allocate reusable network resources, such as IP addresses, dynamically.
The DHCP client broadcasts a DHCP DISCOVER message. Each DHCP server that receives it selects resources (an IP address and other parameters) according to its policy and answers with a DHCP OFFER. The client checks that the offered resource is usable; if it is, the client sends a DHCP REQUEST naming the chosen server, otherwise it broadcasts a new DISCOVER. The server that receives the REQUEST verifies that the IP address (or other limited resource) can still be allocated and replies with DHCP ACK if it can, or DHCP NAK if it cannot. On ACK the client starts using the assigned resources; on NAK it may broadcast another DISCOVER to request a different address.
25.1.2 Understanding the DHCP Relay Agent
A DHCP request is sent to the broadcast address 255.255.255.255, so it stays within the client's subnet and is not routed by the device. The DHCP relay agent exists so that addresses can be assigned across subnets. It takes the broadcast request received on a client-facing interface, records that interface's address in the giaddr field of the message, forwards the message to the DHCP server as an IP unicast, and forwards the server's response back to the DHCP client; the server uses giaddr to choose the scope it allocates from. The relay agent is therefore a forwarding station between a client and a server on different network segments, and a single DHCP server can manage every segment in client - relay agent - server mode.
Figure 1
In Figure 1, VLAN 10 and VLAN 20 correspond to the 10.0.0.1/16 and 20.0.0.1/16 networks, and the DHCP server 30.0.0.2 sits on the 30.0.0.1/16 network. For 30.0.0.2 to manage the 10.0.0.1/16 and 20.0.0.1/16 networks dynamically, enable the DHCP relay agent on the device that acts as their gateway and configure 30.0.0.2 as the DHCP server address.
25.1.3 Understanding the DHCP Relay Agent Information option
RFC 3046 allows a relay agent to add an option to the DHCP messages it relays that carries information about the DHCP client's attachment point, so that the server can assign addresses with different permissions based on more precise information. RFC 3046 gives this option the number 82, hence the name option 82; it is subdivided into sub-options, of which the Agent Circuit ID (sub-option 1) and Agent Remote ID (sub-option 2) are the ones commonly used today. Because the option is inserted by the relay rather than by the client, it is only as trustworthy as the port the request arrived on; a relay that accepts an option 82 already present in a request from a client port lets the client choose its own circuit. This product implements relay agent information in two forms: Relay Agent Information option dot1x, which works together with 802.1X and the RG-SAM application, and Relay Agent Information option82, which combines the client's port VID, slot and port with the device's MAC address. The content and format each option carries, and some typical application scenarios, are described below:
1. Relay Agent Information option dot1x: this scheme must be combined with 802.1X authentication and our RG-SAM product. During 802.1X authentication RG-SAM assigns the user an IP privilege; the device combines that privilege with the DHCP client's VID to form the Circuit ID sub-option. When the relay forwards the request to the DHCP server, IP addresses with different permissions can then be allocated through the DHCP server's configuration. The Circuit ID is laid out as follows; the privilege and VID fields are two bytes each:
Figure 2
2. Relay Agent Information option82: this scheme needs no other protocol module. While relaying, the device composes option 82 from the physical port on which the DHCP request was received and from the device's own physical (MAC) address, and sends it to the server in the following format:
Agent Circuit ID (sub-option 1)
Figure 3
Agent Remote ID (sub-option 2)
Figure 4
25.1.4 Understanding DHCP relay check server-id
Networks commonly deploy more than one DHCP server so that the failure of a single server does not stop the network from working. During the four-message DHCP exchange, once the client has chosen a server it carries a server-id option (option 54) in its DHCP REQUEST. In some environments, to reduce the load on the servers, the relay can be configured to send that REQUEST only to the server named in the option instead of to every configured DHCP server. This is the DHCP relay check server-id feature.
25.2 Configuring DHCP Relay
25.2.1 Configuring the DHCP Relay Agent
In global configuration mode, use the following procedure to configure the DHCP Relay Agent:
Command | Function
Ruijie(config)# service dhcp | Enable the DHCP relay agent.
Ruijie(config)# no service dhcp | Disable the DHCP relay agent.
25.2.2 Configuring the IP address of the DHCP server
Once a DHCP server address is configured, DHCP requests received by the device are forwarded to that server, and responses received from the server are forwarded to the client.
DHCP server addresses can be configured globally or on a Layer 3 interface, and each scope may hold up to 20 server addresses. When a DHCP request arrives on an interface, the interface's own server list is used; the global list is used only if no server address is configured on that interface.
DHCP relay can relay into a VRF by placing the VRF parameter in front of the server address. Configure the DHCP server address as follows:
Command | Function
Ruijie(config)# ip helper-address [vrf] A.B.C.D | Add a global DHCP server address.
Ruijie(config-if)# ip helper-address [vrf] A.B.C.D | Add a DHCP server address for an interface. This command must be entered on a Layer 3 interface.
Ruijie(config)# no ip helper-address [vrf] A.B.C.D | Delete a global DHCP server address.
Ruijie(config-if)# no ip helper-address [vrf] A.B.C.D | Delete a DHCP server address for an interface.
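The forwarding behaviour described in 25.1.2 and 25.2.2, written out as an added Python example; it is not part of this manual or of RGOS. It uses only the fixed BOOTP/DHCP header fields from RFC 2131 (op, hops, flags, yiaddr, giaddr) and the hop limit from RFC 1542; the packets, the relay address 10.2.1.1 and the helper addresses are constructed for the demonstration.

```python
"""Forwarding logic of a DHCP relay agent (added example; not Ruijie code).

Assumes the RFC 2131 fixed header (op at byte 0, hops at byte 3, flags at
bytes 10-11, yiaddr at 16-19, giaddr at 24-27) and the RFC 1542 hop limit.
All packets below are constructed inline for the demonstration.
"""
from __future__ import annotations

import socket
import struct
from dataclasses import dataclass

BOOTREQUEST, BOOTREPLY = 1, 2
SERVER_PORT, CLIENT_PORT = 67, 68
MAX_HOPS = 16            # RFC 1542 4.1.1: discard requests whose hops exceed 16
HEADER_LEN = 236         # fixed BOOTP header; magic cookie and options follow
COOKIE = bytes([99, 130, 83, 99])


@dataclass(frozen=True)
class Forwarded:
    dst_ip: str
    dst_port: int
    payload: bytes


def build_discover(client_mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Constructed DHCPDISCOVER: BOOTREQUEST, giaddr = 0.0.0.0, broadcast flag set."""
    zero4 = b"\0" * 4
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s",
                      BOOTREQUEST, 1, 6, 0,        # op, htype (Ethernet), hlen, hops
                      xid, 0, 0x8000,              # xid, secs, flags (broadcast bit)
                      zero4, zero4, zero4, zero4,  # ciaddr, yiaddr, siaddr, giaddr
                      client_mac.ljust(16, b"\0"))
    hdr += b"\0" * (64 + 128)                      # sname, file
    return hdr + COOKIE + bytes([53, 1, 1, 255])   # option 53 = DISCOVER, END


def build_reply(request: bytes, yiaddr: str) -> bytes:
    """Constructed server reply: request header with op = BOOTREPLY, the offered
    address in yiaddr and giaddr copied from the request (RFC 2131 4.1)."""
    return (bytes([BOOTREPLY]) + request[1:16] + socket.inet_aton(yiaddr)
            + request[20:HEADER_LEN] + COOKIE + bytes([53, 1, 2, 255]))   # OFFER


def giaddr_of(pkt: bytes) -> str:
    return socket.inet_ntoa(pkt[24:28])


def relay_request(pkt: bytes, relay_ip: str, servers: list[str]) -> list[Forwarded]:
    """Convert a broadcast client request into unicast copies, one per helper.

    giaddr is set only if it is still zero, so a request that already crossed
    another relay keeps the first hop's address and the server allocates from
    that client's scope; hops is incremented and bounded to stop forwarding loops.
    """
    if len(pkt) < HEADER_LEN + 4 or pkt[0] != BOOTREQUEST:
        return []
    hops = pkt[3] + 1
    if hops > MAX_HOPS:
        return []
    giaddr = pkt[24:28] if pkt[24:28] != b"\0" * 4 else socket.inet_aton(relay_ip)
    out = pkt[:3] + bytes([hops]) + pkt[4:24] + giaddr + pkt[28:]
    return [Forwarded(server, SERVER_PORT, out) for server in servers]


def relay_reply(pkt: bytes, relay_ip: str) -> Forwarded | None:
    """Hand a server reply back to the client segment named by giaddr.

    A reply whose giaddr is not one of this relay's addresses is not ours and
    is dropped, so the relay cannot be used as a reflector for replies.
    """
    if len(pkt) < HEADER_LEN + 4 or pkt[0] != BOOTREPLY or giaddr_of(pkt) != relay_ip:
        return None
    broadcast = struct.unpack("!H", pkt[10:12])[0] & 0x8000
    dst = "255.255.255.255" if broadcast else socket.inet_ntoa(pkt[16:20])
    return Forwarded(dst, CLIENT_PORT, pkt)
```

The interface-versus-global choice of which helper list to pass in is left to the caller here; relay_request only fans a request out to the list it is given.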
25.2.3 Configuring DHCP option dot1x
As described under DHCP Relay Agent Information, if the network needs to assign IP addresses with different permissions to users according to their privilege, configure ip dhcp relay information option dot1x to enable the option dot1x feature of DHCP relay. With the feature enabled, the device adds the corresponding option information when it relays requests to the server. The feature must be used together with the dot1x feature.
In global configuration mode, use the following procedure to configure DHCP option DOT1X:
Command | Function
Ruijie(config)# ip dhcp relay information option dot1x | Enable the DHCP option dot1x feature.
Ruijie(config)# no ip dhcp relay information option dot1x | Disable the DHCP option dot1x feature.
25.2.4 Configuring the DHCP option dot1x access-group
In the option dot1x scenario the device may need to restrict unauthenticated or low-privilege users to a few destination addresses and to stop low-privilege users from reaching each other. This is done with ip dhcp relay information option dot1x access-group acl-name. The ACL named here must be configured beforehand; its main purpose is to prevent unauthenticated users from accessing one another. The ACL is applied to all ports of the device, has no default ACE, and does not conflict with ACLs applied to individual interfaces. For example:
Plan one class of addresses for unauthenticated users, 192.168.3.2-192.168.3.254, 192.168.4.2-192.168.4.254 and 192.168.5.2-192.168.5.254, with 192.168.3.1, 192.168.4.1 and 192.168.5.1 as gateway addresses that are never assigned to users. Before authentication a user holds a 192.168.3.x-5.x address and uses it to download the client software from the Web portal. The device therefore needs the following configuration:
Ruijie# configure terminal
Ruijie(config)# ip access-list extended denyaccesseachotherofunauthrize
Ruijie(config-ext-nacl)# permit ip any host 192.168.3.1 // allow packets sent to the gateways
Ruijie(config-ext-nacl)# permit ip any host 192.168.4.1
Ruijie(config-ext-nacl)# permit ip any host 192.168.5.1
Ruijie(config-ext-nacl)# permit ip host 192.168.3.1 any // allow packets whose source is a gateway
Ruijie(config-ext-nacl)# permit ip host 192.168.4.1 any
Ruijie(config-ext-nacl)# permit ip host 192.168.5.1 any
Ruijie(config-ext-nacl)# deny ip 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255 // stop unauthenticated users reaching each other
Ruijie(config-ext-nacl)# deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
Ruijie(config-ext-nacl)# deny ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
Ruijie(config-ext-nacl)# deny ip 192.168.4.0 0.0.0.255 192.168.4.0 0.0.0.255
Ruijie(config-ext-nacl)# deny ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
Ruijie(config-ext-nacl)# deny ip 192.168.5.0 0.0.0.255 192.168.5.0 0.0.0.255
Ruijie(config-ext-nacl)# deny ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
Ruijie(config-ext-nacl)# deny ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
Ruijie(config-ext-nacl)# exit
The permit entries for the gateways must come before the deny entries, because the ACL is evaluated in order and the deny entries would otherwise also match traffic to and from the gateway addresses. Note that the list as given contains no entry for 192.168.4.0/24 to 192.168.3.0/24; add one if that direction must be blocked as well.
Then apply the ACL with ip dhcp relay information option dot1x access-group denyaccesseachotherofunauthrize; it takes effect on all interfaces of the device.
In global configuration mode, use the following procedure to configure DHCP option dot1x access-group:
Command | Function
Ruijie(config)# ip dhcp relay information option dot1x access-group acl-name | Apply the DHCP option dot1x ACL.
Ruijie(config)# no ip dhcp relay information option dot1x access-group acl-name | Remove the DHCP option dot1x ACL.
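To check what the ACL in 25.2.4 actually does before applying it to every port, here is an added Python evaluator of the same fourteen entries; it is an example written for this page, not RGOS code, and it models only what the page states: first-match evaluation of permit/deny ip entries with any, host and wildcard-mask address forms, and no default ACE, so traffic matching no entry returns None. The behaviour of unmatched traffic on the real device is left to the platform.

```python
"""First-match evaluation of an extended IP ACL (added example; not Ruijie code).

Parses 'permit|deny ip <src> <dst>' lines where each side is 'any',
'host A.B.C.D' or 'A.B.C.D WILDCARD', and looks traffic up in list order.
Unmatched traffic returns None, mirroring the page's statement that this ACL
has no default ACE. The ACL text is the one from 25.2.4.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


def ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class Spec:
    addr: int   # base address
    wild: int   # wildcard mask: a 1 bit means "don't care"

    def matches(self, ip: int) -> bool:
        care = ~self.wild & 0xFFFFFFFF
        return (ip & care) == (self.addr & care)


@dataclass(frozen=True)
class Ace:
    action: str
    src: Spec
    dst: Spec


def _spec(tokens: list[str]) -> tuple[Spec, list[str]]:
    """Consume one address spec and return it with the remaining tokens."""
    if tokens[0] == "any":
        return Spec(0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return Spec(ip_int(tokens[1]), 0), tokens[2:]
    return Spec(ip_int(tokens[0]), ip_int(tokens[1])), tokens[2:]


def parse_acl(text: str) -> list[Ace]:
    acl = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        src, rest = _spec(rest)
        dst, rest = _spec(rest)
        acl.append(Ace(action, src, dst))
    return acl


def lookup(acl: list[Ace], src_ip: str, dst_ip: str) -> str | None:
    """Return the action of the first matching ACE, or None if nothing matches."""
    s, d = ip_int(src_ip), ip_int(dst_ip)
    for ace in acl:
        if ace.src.matches(s) and ace.dst.matches(d):
            return ace.action
    return None


ACL_TEXT = """
permit ip any host 192.168.3.1
permit ip any host 192.168.4.1
permit ip any host 192.168.5.1
permit ip host 192.168.3.1 any
permit ip host 192.168.4.1 any
permit ip host 192.168.5.1 any
deny ip 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.5.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
deny ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
"""
ACL = parse_acl(ACL_TEXT)
```

Running lookup over a few source/destination pairs shows two things worth knowing before the ACL goes live: reversing the order would make the deny entries swallow gateway traffic, and traffic from 192.168.4.0/24 to 192.168.3.0/24 matches nothing because the page's list has no entry for it.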
25.2.5 Configuring DHCP option82
When ip dhcp relay information option82 is configured, the device inserts option 82, in the format described under DHCP Relay Agent Information, into the requests it relays to the server.
In global configuration mode, use the following procedure to configure DHCP Option82:
Command | Function
Ruijie(config)# ip dhcp relay information option82 | Enable the DHCP option82 feature.
Ruijie(config)# no ip dhcp relay information option82 | Disable the DHCP option82 feature.
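What the relay does with option 82 in 25.1.3 and 25.2.5, as an added Python example that is not part of this manual or of RGOS. The facts it relies on are RFC 3046 (option 82, sub-option 1 = Agent Circuit ID, sub-option 2 = Agent Remote ID, and the rules for requests that already carry the option and for stripping it from replies) and the page's statement that the dot1x circuit ID is a two-byte privilege followed by a two-byte VID. The page's figure giving the byte layout of the port-based circuit ID (VID, slot, port) is missing, so the packing order used for it here is an assumption. The sample packets are constructed inline.

```python
"""Building, checking and stripping DHCP option 82 at a relay (added example; not Ruijie code).

Facts: RFC 3046 option 82, sub-option 1 = Agent Circuit ID, sub-option 2 =
Agent Remote ID; the page's dot1x circuit ID is 2-byte privilege + 2-byte VID.
The byte order of the port-based circuit ID is not given on the page, so the
!HBB packing below is an assumption. Sample packets are constructed inline.
"""
from __future__ import annotations

import struct

OPT_PAD, OPT_END, OPT_RELAY_AGENT = 0, 255, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
OPTIONS_OFFSET = 240            # 236-byte BOOTP header + 4-byte magic cookie
COOKIE = bytes([99, 130, 83, 99])


def walk(area: bytes):
    """Yield (code, value) over a TLV option area; also valid for option 82 sub-options."""
    i = 0
    while i < len(area):
        code = area[i]
        if code == OPT_END:
            return
        if code == OPT_PAD:
            i += 1
            continue
        length = area[i + 1]
        yield code, area[i + 2:i + 2 + length]
        i += 2 + length


def tlv(code: int, value: bytes) -> bytes:
    if len(value) > 255:
        raise ValueError("option value too long")
    return bytes([code, len(value)]) + value


def circuit_id_dot1x(privilege: int, vid: int) -> bytes:
    """'option dot1x' circuit ID as the page describes it: 2-byte privilege, 2-byte VID."""
    return struct.pack("!HH", privilege, vid)


def circuit_id_port(vid: int, slot: int, port: int) -> bytes:
    """'option82' circuit ID from VID, slot and port (packing order is an assumption)."""
    return struct.pack("!HBB", vid, slot, port)


def make_request(giaddr: bytes = b"\0" * 4, extra_options: bytes = b"") -> bytes:
    """Constructed DHCPREQUEST carrying only the fields this example looks at."""
    header = bytearray(OPTIONS_OFFSET - 4)
    header[0] = 1                                   # BOOTREQUEST
    header[24:28] = giaddr
    return bytes(header) + COOKIE + tlv(53, b"\x03") + extra_options + bytes([OPT_END])


def relay_insert(request: bytes, circuit_id: bytes, remote_id: bytes) -> bytes | None:
    """Add option 82 on the way to the server.

    RFC 3046 2.1.1: a request from an untrusted circuit (giaddr still zero)
    that already carries option 82 was forged by the client and is discarded;
    one with giaddr set came through another relay and is forwarded untouched.
    """
    if request[236:240] != COOKIE:
        return None
    options = list(walk(request[OPTIONS_OFFSET:]))
    if any(code == OPT_RELAY_AGENT for code, _ in options):
        return None if request[24:28] == b"\0" * 4 else request
    agent_info = tlv(SUB_CIRCUIT_ID, circuit_id) + tlv(SUB_REMOTE_ID, remote_id)
    body = b"".join(tlv(c, v) for c, v in options) + tlv(OPT_RELAY_AGENT, agent_info)
    return request[:OPTIONS_OFFSET] + body + bytes([OPT_END])


def relay_strip(reply: bytes) -> bytes:
    """RFC 3046 2.2: the relay removes option 82 from the server's reply before
    it reaches the client, so clients never see the relay's port information."""
    kept = b"".join(tlv(c, v) for c, v in walk(reply[OPTIONS_OFFSET:]) if c != OPT_RELAY_AGENT)
    return reply[:OPTIONS_OFFSET] + kept + bytes([OPT_END])


def parse_option82(packet: bytes) -> dict[int, bytes] | None:
    """Return {sub-option code: value} as the server reads it, or None if absent."""
    for code, value in walk(packet[OPTIONS_OFFSET:]):
        if code == OPT_RELAY_AGENT:
            return dict(walk(value))
    return None
```

The discard branch in relay_insert is the check that makes option 82 usable as an authorization input: without it a client on an access port could present any circuit ID it likes and the server would assign the permissions that go with it.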
25.2.6 Configuring DHCP relay check server-id
When ip dhcp relay check server-id is configured, the device parses the server-id option (option 54) of each DHCP REQUEST it relays. If the option is present, the request is sent only to the server it names and not to the other configured servers. Requests that carry no server-id option are relayed as before.
In global configuration mode, configure the DHCP relay check Server-id feature by following these steps:
Command | Function
Ruijie(config)# ip dhcp relay check server-id | Enable the DHCP relay check server-id feature.
Ruijie(config)# no ip dhcp relay check server-id | Disable the DHCP relay check server-id feature.
25.2.7 Configuring DHCP relay suppression
When ip dhcp relay suppression is configured on an interface, broadcast DHCP requests received on that interface are not converted into unicast and relayed. Ordinary broadcast forwarding of those frames is not suppressed.
In interface configuration mode, use the following steps:
Command | Function
Ruijie(config-if)# ip dhcp relay suppression | Enable DHCP relay suppression on the interface.
Ruijie(config-if)# no ip dhcp relay suppression | Disable DHCP relay suppression on the interface.
25.2.8 DHCP relay configuration example
The following commands enable the DHCP relay feature and add two sets of server addresses:
Ruijie# configure terminal
Ruijie(config)# service dhcp // enable the DHCP relay feature
Ruijie(config)# ip helper-address 192.18.100.1 // add a global server address
Ruijie(config)# ip helper-address 192.18.100.2 // add a global server address
Ruijie(config)# interface gigabitethernet 0/3
Ruijie(config-if)# ip helper-address 192.18.200.1 // add an interface server address
Ruijie(config-if)# ip helper-address 192.18.200.2 // add an interface server address
Ruijie(config-if)# end
25.3 Additional considerations for configuring DHCP relay
On a Layer 2 device, at least one of option dot1x, dynamic address binding or option82 must be enabled for relay to work across VLANs other than the management VLAN; otherwise a Layer 2 device can relay only within the management VLAN.
25.3.1 Considerations for configuring DHCP option dot1x
1. For this command to take effect, the AAA/802.1X configuration must be correct.
2. This scenario requires 802.1X IP authorization in DHCP mode to be enabled.
3. This command is incompatible with the DHCP option82 command; the two cannot be used at the same time.
4. When 802.1X IP authorization in DHCP mode is enabled, MAC + IP bindings are also set up, so it cannot be enabled together with DHCP dynamic binding.
25.3.2 Considerations for configuring DHCP option82
DHCP option82 is mutually exclusive with DHCP option dot1x; the two cannot be used at the same time.
25.4 Displaying the DHCP configuration
Display the DHCP configuration with the show running-config command in privileged mode.
Ruijie# show running-config
Building configuration...
Current configuration: 1464 bytes
version RGOS 10.1.00(1), Release(11758)(Fri Mar 12:53:11 CST 2007 -NPRD
hostname Ruijie
vlan 1
ip helper-address 192.18.100.1
ip helper-address 192.18.100.2
ip dhcp relay information option dot1x
interface gigabitethernet 0/1
interface gigabitethernet 0/2
interface gigabitethernet 0/3
no switchport
ip helper-address 192.168.200.1
ip helper-address 192.168.200.2
interface vlan 1
ip address 192.168.193.91 255.255.255.0
line con 0
exec-timeout 0 0
line vty 0
exec-timeout 0 0
login
password 7 0137
line vty 1 2
login
password 7 0137
line vty 3 4
login
end
25.5 Typical DHCP configuration use case
25.5.1 Users obtaining IP addresses across network segments for Internet access
25.5.1.1 Configuration requirements
1. Users on a different network segment must be able to obtain an IP address and access the Internet normally;
2. Users must be prevented from accessing the Internet with a manually configured (illegal) IP address.
25.5.1.2 Topology
25.5.1.3 Analysis
The port on the DHCP snooping device that connects to the DHCP relay device is an ordinary access port. Clients must obtain IP addresses automatically across network segments, which the DHCP relay device provides. There are two ways to stop users from getting online with a self-assigned IP address: enable DAI (Dynamic ARP Inspection) in global mode, or configure port address binding in interface mode together with the ARP check function. This use case takes the first approach.
25.5.1.4 Configuration procedure
Build the environment according to the topology above and configure it as follows:
• DHCP snooping device configuration:
# Enable DHCP snooping
Ruijie(config)# ip dhcp snooping
# Configure gi0/2, which faces the relay and server, as a trusted port; client-facing ports stay untrusted, so DHCP server replies arriving on them are dropped
Ruijie(config)# interface gigabitethernet 0/2
Ruijie(config-if)# ip dhcp snooping trust
# Configure gi0/2 as an ARP inspection trusted port
Ruijie(config-if)# ip arp inspection trust
Ruijie(config-if)# exit
# Enable DAI packet checking on the specified VLAN
Ruijie(config)# ip arp inspection vlan 1
# Configure the device's IP address (SVI 1)
Ruijie(config)# interface vlan 1
Ruijie(config-if)# ip address 10.2.0.1 255.255.0.0
# Static route to the other network segment (10.1.0.0/16)
Ruijie(config)# ip route 10.1.0.0 255.255.0.0 10.2.1.1
• DHCP relay device configuration:
# Enable the DHCP relay agent
Ruijie(config)# service dhcp
# Add a global DHCP server address
Ruijie(config)# ip helper-address 10.1.1.1
# Configure the IP address of the port connected to the snooping device
Ruijie(config)# interface gigabitethernet 3/1
Ruijie(config-if)# no switchport
Ruijie(config-if)# ip address 10.2.1.1 255.255.0.0
# Configure the IP address of the port connected to the server
Ruijie(config)# interface gigabitethernet 3/2
Ruijie(config-if)# no switchport
Ruijie(config-if)# ip address 10.1.0.1 255.255.0.0
• DHCP server configuration:
# Configure the IP address of the port connected to the relay device
Ruijie(config)# interface gigabitethernet 4/1
Ruijie(config-if)# no switchport
Ruijie(config-if)# ip address 10.1.1.1 255.255.0.0
# Enable the DHCP server
Ruijie(config)# service dhcp
# Configure excluded addresses, which are never assigned to clients
Ruijie(config)# ip dhcp excluded-address 10.1.1.1 10.1.1.10
# Name the address pool and enter address pool configuration mode
Ruijie(config)# ip dhcp pool linwei
# Configure the clients' default gateway
Ruijie(dhcp-config)# default-router 10.2.1.1
# Configure the network number and mask of the address pool; the server selects this pool because the relay sets giaddr to 10.2.1.1
Ruijie(dhcp-config)# network 10.2.0.0 255.255.0.0
# Static route to the other network segment (10.2.0.0/16)
Ruijie(config)# ip route 10.2.0.0 255.255.0.0 10.1.0.1