DHCP Relay Configuration

25.1 Overview

25.1.1 Understanding DHCP

DHCP (Dynamic Host Configuration Protocol) is widely used to dynamically allocate reusable network resources such as IP addresses.

A DHCP client broadcasts a DHCP Discover message. When a DHCP server receives the Discover, it selects resources for the client (an IP address, for example) according to its policies and answers with a DHCP Offer. When the client receives an Offer, it checks that the offered resource is usable: if it is, the client sends a DHCP Request for it; if not, the client sends a new DHCP Discover. When the server receives the Request, it checks whether the IP address (or other limited resource) can still be allocated; if it can, the server sends a DHCP ACK, otherwise a DHCP NAK. On receiving the ACK the client starts using the assigned resources; on receiving a NAK it may send another DHCP Discover and ask for a different IP address.

25.1.2 Understanding the DHCP Relay Agent

DHCP Discover and Request messages are sent to the limited broadcast address 255.255.255.255, so they stay within the client's subnet and are not forwarded by routers. To allow dynamic IP assignment across subnets, the DHCP relay agent was introduced. It takes the broadcast DHCP request it receives, records the address of the interface it arrived on in the giaddr field (which the server uses to choose the right address pool and to address its reply), and forwards it as an IP unicast to the DHCP server; it then forwards the server's response back to the DHCP client. The relay agent therefore acts as a forwarding station between a DHCP client and a DHCP server on different subnets. With a single DHCP server and relay agents on the gateways, the client / relay agent / server model provides dynamic IP management for every subnet.

Figure 1

In Figure 1, VLAN 10 and VLAN 20 correspond to the networks 10.0.0.1/16 and 20.0.0.1/16, and the DHCP server sits at 30.0.0.2 on the 30.0.0.1/16 network. For the server at 30.0.0.2 to manage addresses on the 10.0.0.1/16 and 20.0.0.1/16 networks dynamically, enable the DHCP relay agent on the device acting as the gateway and point it at the DHCP server address 30.0.0.2.

25.1.3 Understanding DHCP Relay Agent Information (option 82)

RFC 3046 defines how a relay agent can add an option describing the DHCP client's network location to the packets it relays, so that the server can assign different addresses or privileges to users based on more precise information. RFC 3046 gives this option the number 82, hence the name option 82. It is subdivided into sub-options, of which the Circuit ID and Remote ID are the ones used most. Ruijie currently implements relay agent information in two ways: the Relay Agent Information option dot1x scheme, which works together with 802.1X and RG-SAM, and the Relay Agent Information option82 scheme, which combines the VID, slot and port of the client's access port with the device MAC address. The content and format carried in each case, and some typical application scenarios, are described below:

1. Relay Agent Information option dot1x: This scheme must be combined with 802.1X authentication and Ruijie's RG-SAM product. During 802.1X authentication RG-SAM assigns the user an IP privilege level, and the device combines that privilege level with the DHCP client's VID to form the Circuit ID sub-option. When the DHCP relay passes the packet on to the DHCP server, address assignment by privilege level can be implemented through the DHCP server's configuration. The Circuit ID is laid out as follows, where the privilege and VID fields each occupy two bytes:

Figure 2

2. Relay Agent Information option82: This scheme does not depend on any other protocol module. While relaying, the device builds the option 82 information from the physical port on which the DHCP request was received and from its own physical (MAC) address, and sends it to the server. The sub-options have the following format:

Agent Circuit ID

Figure 3

Agent Remote ID

Figure 4

25.1.4 Understanding DHCP relay check server-id

In DHCP deployments a network commonly has several DHCP servers backing each other up, so that the failure of a single server does not stop the network from working. During the four-message exchange, once the client has chosen a server it carries a server-id option (option 54) in its DHCP Request. In some environments, to reduce the load on the servers, the relay can be made to send the Request only to the server named in that option instead of to every configured DHCP server. This is the DHCP relay check server-id feature.

25.2 Configuring DHCP Relay

25.2.1 Configure the DHCP Relay Agent

In global configuration mode, use the following procedure to configure the DHCP Relay Agent:

Command                              Function
Ruijie(config)# service dhcp         Enable the DHCP relay agent
Ruijie(config)# no service dhcp      Disable the DHCP relay agent

25.2.2 Configure the IP address of the DHCP server

Once a DHCP server address is configured, DHCP request messages received by the device are forwarded to that server, and DHCP response messages received from the server are forwarded to the client.

DHCP server addresses can be configured globally or on a Layer 3 interface, and each of these can hold up to 20 server addresses. When a DHCP request is received on an interface, the servers configured on that interface are used first; the globally configured servers are used only if the interface has no server address of its own.

DHCP relay can relay into a VRF: add the VRF parameter in front of the corresponding server address. Configure the DHCP server address as follows:

Command                                                   Function
Ruijie(config)# ip helper-address [vrf] A.B.C.D           Add a global DHCP server address
Ruijie(config-if)# ip helper-address [vrf] A.B.C.D        Add a DHCP server address on an interface; the interface must be a Layer 3 interface
Ruijie(config)# no ip helper-address [vrf] A.B.C.D        Delete a global DHCP server address
Ruijie(config-if)# no ip helper-address [vrf] A.B.C.D     Delete a DHCP server address on an interface
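The following Python model is an added example, not code from the Ruijie manual or from RGOS. It shows in one place what sections 25.1.2 to 25.1.4 and 25.2.2 describe: the relay setting giaddr and hops on the client's broadcast, appending option 82, preferring interface helper addresses over global ones, and (with check server-id) unicasting a Request only to the server named in option 54. It also performs two checks a relay has to make: it drops a packet that arrives with giaddr 0 but already carries option 82 (only a client could have put it there; RFC 3046 recommends dropping these by default), and it strips option 82 from the server's reply before the client sees it. The option 82 sub-option layouts (VID, slot, port; device MAC) and the MAC addresses are assumptions; the relay and server addresses follow Figure 1.

```python
# Added example, not part of the Ruijie manual: a minimal model of what a DHCP
# relay agent does to a client's broadcast (RFC 2131 giaddr/hops, RFC 3046
# option 82), how helper addresses are chosen (25.2.2) and how check server-id
# narrows a Request to one server (25.1.4). The option 82 sub-option layouts
# are assumptions for illustration; the manual's Figures 2 to 4 define the real ones.
import struct
from typing import Dict, List, Optional, Tuple

OPT_MSG_TYPE, OPT_SERVER_ID, OPT_RELAY_INFO, OPT_END = 53, 54, 82, 255
DISCOVER, REQUEST = 1, 3
MAX_HOPS = 16  # RFC 1542: a relay discards a packet whose hops field has reached this


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_client_packet(msg_type: int, xid: int, chaddr: bytes,
                        server_id: Optional[str] = None) -> bytes:
    """Constructed BOOTP/DHCP message as a client broadcasts it (giaddr = 0)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = b"\x63\x82\x53\x63" + bytes([OPT_MSG_TYPE, 1, msg_type])   # magic cookie, option 53
    if server_id:                                                    # option 54 in a Request
        opts += bytes([OPT_SERVER_ID, 4]) + ip_bytes(server_id)
    return fixed + opts + bytes([OPT_END])


def parse_options(pkt: bytes) -> Dict[int, bytes]:
    """Walk the option TLVs after the magic cookie (pad bytes skipped, no overload)."""
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return opts


def option82(vid: int, slot: int, port: int, dev_mac: bytes) -> bytes:
    """Assumed layout: Circuit ID (sub-option 1) = VID(2) slot(1) port(1);
    Remote ID (sub-option 2) = relay device MAC(6). Returns the whole option 82 TLV."""
    body = bytes([1, 4]) + struct.pack("!HBB", vid, slot, port) + bytes([2, 6]) + dev_mac
    return bytes([OPT_RELAY_INFO, len(body)]) + body


def relay(pkt: bytes, relay_ip: str, iface_servers: List[str], global_servers: List[str],
          check_server_id: bool = False, opt82: bytes = b"") -> List[Tuple[str, bytes]]:
    """Return the (server, unicast packet) pairs the relay would send, or [] if dropped."""
    hdr, opts = bytearray(pkt[:240]), parse_options(pkt)
    if hdr[3] >= MAX_HOPS:
        return []
    if hdr[24:28] == b"\0" * 4 and OPT_RELAY_INFO in opts:
        return []   # giaddr 0 with option 82 already present: forged by a client, drop
    hdr[3] += 1
    if hdr[24:28] == b"\0" * 4:
        hdr[24:28] = ip_bytes(relay_ip)   # set giaddr only if no earlier relay did
    servers = list(iface_servers or global_servers)    # interface helpers win over global ones
    if check_server_id and opts.get(OPT_MSG_TYPE) == bytes([REQUEST]) and OPT_SERVER_ID in opts:
        wanted = ".".join(str(b) for b in opts[OPT_SERVER_ID])
        servers = [s for s in servers if s == wanted]  # only the server the client chose
    body = pkt[240:]
    if body and body[-1] == OPT_END:
        body = body[:-1]
    return [(s, bytes(hdr) + body + opt82 + bytes([OPT_END])) for s in servers]


def strip_option82(reply: bytes) -> bytes:
    """Rebuild the server reply without option 82 before it goes to the client (RFC 3046 2.1)."""
    kept = parse_options(reply)
    body = b"".join(bytes([c, len(v)]) + v for c, v in kept.items() if c != OPT_RELAY_INFO)
    return reply[:240] + body + bytes([OPT_END])


def demo() -> dict:
    """Relay a Discover, then a Request naming 30.0.0.2, through a relay at 10.0.0.1
    with two global helper addresses (Figure 1's addressing; MACs are made up)."""
    mac, dev_mac = bytes.fromhex("001122334455"), bytes.fromhex("00d0f8aabbcc")
    o82, servers = option82(vid=10, slot=1, port=3, dev_mac=dev_mac), ["30.0.0.2", "30.0.0.3"]
    disc = relay(build_client_packet(DISCOVER, 0x1234, mac), "10.0.0.1", [], servers, True, o82)
    req = build_client_packet(REQUEST, 0x1234, mac, server_id="30.0.0.2")
    return {"discover_targets": [s for s, _ in disc],
            "discover_giaddr": ".".join(str(b) for b in disc[0][1][24:28]),
            "discover_hops": disc[0][1][3],
            "request_targets": [s for s, _ in relay(req, "10.0.0.1", [], servers, True, o82)],
            "request_targets_no_check": [s for s, _ in relay(req, "10.0.0.1", [], servers)],
            "relayed_option82": parse_options(disc[0][1]).get(OPT_RELAY_INFO).hex()}
```

Calling demo() shows the Discover going to both configured servers with giaddr 10.0.0.1 and hops 1, while the Request goes only to 30.0.0.2 once check server-id is on and to both servers when it is off. Passing a non-empty iface_servers list makes relay() ignore the global list entirely, which is the precedence rule of 25.2.2.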

25.2.3 Configure DHCP option dot1x

As described under DHCP Relay Agent Information, when the network needs to assign IP addresses with different privileges according to the user's rights, configure ip dhcp relay information option dot1x to turn on the DHCP relay option dot1x feature. When it is on, the device adds the corresponding option information to the packets it relays to the server. This feature must be used together with the dot1x feature.

In global configuration mode, use the following procedure to configure DHCP option DOT1X:

Command                                                      Function
Ruijie(config)# ip dhcp relay information option dot1x       Enable the DHCP option dot1x feature
Ruijie(config)# no ip dhcp relay information option dot1x    Disable the DHCP option dot1x feature

25.2.4 Configure DHCP option dot1x access-group

In the option dot1x scenario the device may need to restrict unauthenticated or low-privilege IP users to certain IP addresses only, and to prevent low-privilege users from reaching each other. This is done with the command ip dhcp relay information option dot1x access-group acl-name. The ACL named here must be configured beforehand to filter the relevant traffic, mainly to stop unauthenticated users from accessing each other. The ACL bound this way applies to all ports of the device, has no default ACE, and does not conflict with ACLs bound to individual interfaces. For example:

Plan a set of IP addresses for unauthenticated users: 192.168.3.2-192.168.3.254, 192.168.4.2-192.168.4.254 and 192.168.5.2-192.168.5.254, with 192.168.3.1, 192.168.4.1 and 192.168.5.1 as the gateway addresses, which are not assigned to users. Before authentication a user holds a 192.168.3.x-5.x address and uses it to download the client software from the web portal. The device therefore needs the following configuration:

Ruijie# configure terminal
Ruijie(config)# ip access-list extended denyaccesseachotherofunauthrize
Ruijie(config-ext-nacl)# permit ip any host 192.168.3.1
Ruijie(config-ext-nacl)# permit ip any host 192.168.4.1
Ruijie(config-ext-nacl)# permit ip any host 192.168.5.1
Allow packets sent to the gateway addresses.
Ruijie(config-ext-nacl)# permit ip host 192.168.3.1 any
Ruijie(config-ext-nacl)# permit ip host 192.168.4.1 any
Ruijie(config-ext-nacl)# permit ip host 192.168.5.1 any
Allow packets whose source address is a gateway.
Ruijie(config-ext-nacl)# deny ip 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255
Ruijie(config-ext-nacl)# deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
Ruijie(config-ext-nacl)# deny ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
Ruijie(config-ext-nacl)# deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
Ruijie(config-ext-nacl)# deny ip 192.168.4.0 0.0.0.255 192.168.4.0 0.0.0.255
Ruijie(config-ext-nacl)# deny ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
Ruijie(config-ext-nacl)# deny ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
Ruijie(config-ext-nacl)# deny ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
Ruijie(config-ext-nacl)# deny ip 192.168.5.0 0.0.0.255 192.168.5.0 0.0.0.255
Prohibit unauthenticated users from accessing each other, in both directions for every pair of subnets. (The 192.168.4.0 to 192.168.3.0 entry is added here; the list as originally printed omitted it, which left 192.168.4.x hosts able to send to 192.168.3.x.)
Ruijie(config-ext-nacl)# exit

Then bind the ACL with the command ip dhcp relay information option dot1x access-group denyaccesseachotherofunauthrize, which applies it to all interfaces.

In global configuration mode, use the following procedure to configure DHCP option dot1x access-group:

Command                                                                            Function
Ruijie(config)# ip dhcp relay information option dot1x access-group acl-name       Bind the DHCP option dot1x ACL
Ruijie(config)# no ip dhcp relay information option dot1x access-group acl-name    Remove the DHCP option dot1x ACL binding
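To check what an ACL like the one above actually allows, the following Python evaluator is an added example (not from the Ruijie manual or RGOS) that applies the ACEs in order with first-match semantics and treats an unmatched flow as permitted, on the assumption that "no default ACE" means exactly that. ACL_TEXT holds the fourteen entries as the manual originally printed them, without a 192.168.4.0 to 192.168.3.0 deny; the probe hosts are constructed. Run against that list it reports the one ordered pair of unauthenticated subnets that is not denied, and shows that the extra ACE closes the gap.

```python
# Added example, not from the Ruijie manual: a first-match evaluator for the
# extended ACL above. It confirms which flows the ACL permits or denies and
# probes every ordered pair of unauthenticated subnets for a missing deny.
# ACL_TEXT is the manual's original list of ACEs; the probe flows are constructed.
import ipaddress
from typing import List, Optional, Tuple

ACL_TEXT = """
permit ip any host 192.168.3.1
permit ip any host 192.168.4.1
permit ip any host 192.168.5.1
permit ip host 192.168.3.1 any
permit ip host 192.168.4.1 any
permit ip host 192.168.5.1 any
deny ip 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.5.0 0.0.0.255 192.168.5.0 0.0.0.255
deny ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
deny ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
"""
# The one ordered pair the list above does not cover.
MISSING_ACE = "deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255\n"
UNAUTH_SUBNETS = ["192.168.3.0/24", "192.168.4.0/24", "192.168.5.0/24"]

Ace = Tuple[str, int, int, int, int, str]   # action, src, src wildcard, dst, dst wildcard, text


def _addr(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (addr, wildcard, tokens used)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, 1
    if tok[i] == "host":
        return int(ipaddress.IPv4Address(tok[i + 1])), 0, 2
    return int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1])), 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'permit|deny ip <src> <dst>' lines in the order written."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        src, swc, used = _addr(tok, 2)
        dst, dwc, _ = _addr(tok, 2 + used)
        aces.append((tok[0], src, swc, dst, dwc, line))
    return aces


def evaluate(aces: List[Ace], src: str, dst: str) -> Tuple[str, Optional[str]]:
    """First matching ACE wins. The manual states this ACL has no default ACE,
    so an unmatched flow is taken as permitted (an assumption of this model)."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, a, awc, b, bwc, text in aces:
        # a wildcard bit of 1 means "don't care": compare only the zero bits
        if (s | awc) == (a | awc) and (d | bwc) == (b | bwc):
            return action, text
    return "permit", None


def undenied_pairs(aces: List[Ace], subnets: List[str]) -> List[Tuple[str, str]]:
    """Probe one host in each (src, dst) subnet pair, same-subnet pairs included,
    and report the pairs the ACL does not deny."""
    gaps = []
    for a in subnets:
        for b in subnets:
            probe_src = str(ipaddress.IPv4Network(a)[10])   # e.g. 192.168.3.10
            probe_dst = str(ipaddress.IPv4Network(b)[20])   # e.g. 192.168.4.20
            if evaluate(aces, probe_src, probe_dst)[0] != "deny":
                gaps.append((a, b))
    return gaps


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    print("to gateway:", evaluate(acl, "192.168.3.10", "192.168.3.1"))
    print("gaps as listed:", undenied_pairs(acl, UNAUTH_SUBNETS))
    print("gaps with missing ACE:", undenied_pairs(parse_acl(ACL_TEXT + MISSING_ACE), UNAUTH_SUBNETS))
```

The probe deliberately uses different host numbers for source and destination so that same-subnet pairs are tested as real host-to-host flows rather than as a host talking to itself. Because the ACL is bound globally, the same evaluator can be pointed at any other traffic you expect the unauthenticated range to reach (the portal, for instance) to make sure a deny does not catch it.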

25.2.5 Configure DHCP option 82

When ip dhcp relay information option82 is configured, the device adds option 82 information, in the format described under DHCP Relay Agent Information, to the packets it relays to the server.

In global configuration mode, use the following procedure to configure DHCP Option82:

Command                                                   Function
Ruijie(config)# ip dhcp relay information option82        Enable the DHCP option82 feature
Ruijie(config)# no ip dhcp relay information option82     Disable the DHCP option82 feature

25.2.6 Configure DHCP relay check server-id

When ip dhcp relay check server-id is configured, the device parses the DHCP server-id option of each DHCP Request it relays; if the option is present, the request is sent only to that server and not to any other configured server.

In global configuration mode, configure the DHCP relay check Server-id feature by following these steps:

Command                                            Function
Ruijie(config)# ip dhcp relay check server-id      Enable the DHCP relay check server-id feature
Ruijie(config)# no ip dhcp relay check server-id   Disable the DHCP relay check server-id feature

25.2.7 Configure DHCP relay suppression

When ip dhcp relay suppression is configured on an interface, that interface no longer converts the DHCP broadcast requests it receives into unicast relay packets. Normal broadcast forwarding of the broadcast packets received on the port is not suppressed.

In interface configuration mode, use the following steps:

Command                                          Function
Ruijie(config-if)# ip dhcp relay suppression     Enable DHCP relay suppression on the interface
Ruijie(config-if)# no ip dhcp relay suppression  Disable DHCP relay suppression on the interface

25.2.8 DHCP relay configuration example

The following commands enable the DHCP relay feature and add two sets of server addresses:

Ruijie# configure terminal
Ruijie(config)# service dhcp                          // Enable the DHCP relay feature
Ruijie(config)# ip helper-address 192.18.100.1        // Add a global server address
Ruijie(config)# ip helper-address 192.18.100.2        // Add a global server address
Ruijie(config)# interface gigabitethernet 0/3
Ruijie(config-if)# no switchport                      // Make gi0/3 a Layer 3 interface, as an interface helper address requires
Ruijie(config-if)# ip helper-address 192.18.200.1     // Add an interface server address
Ruijie(config-if)# ip helper-address 192.18.200.2     // Add an interface server address
Ruijie(config-if)# end

25.3 Additional considerations for configuring DHCP relay

On a Layer 2 device, at least one of option dot1x, dynamic address binding or option82 must be enabled for relay to work across VLANs other than the management VLAN; otherwise a Layer 2 device can only relay for the management VLAN.

25.3.1 Considerations for configuring DHCP option dot1x

1. For this command to take effect, the AAA/802.1X configuration must be correct.

2. This scenario requires 802.1X IP authorization in DHCP mode to be enabled.

3. This command is incompatible with the DHCP option82 command; the two cannot be used at the same time.

4. In 802.1X IP authorization DHCP mode, MAC + IP binding is also set up, so it cannot be enabled together with the DHCP dynamic binding feature.

25.3.2 Considerations for configuring DHCP option82

The DHCP option82 feature is mutually exclusive with DHCP option dot1x; the two cannot be enabled at the same time.

25.4 Displaying the DHCP configuration

Display the DHCP configuration with the show running-config command in privileged mode.

Ruijie# show running-config
Building configuration...
Current configuration : 1464 bytes

version RGOS 10.1.00(1), Release(11758)(Fri Mar 12:53:11 CST 2007 -NPRD)
hostname Ruijie
vlan 1
ip helper-address 192.18.100.1
ip helper-address 192.18.100.2
ip dhcp relay information option dot1x
interface GigabitEthernet 0/1
interface GigabitEthernet 0/2
interface GigabitEthernet 0/3
 no switchport
 ip helper-address 192.168.200.1
 ip helper-address 192.168.200.2
interface VLAN 1
 ip address 192.168.193.91 255.255.255.0
line con 0
 exec-timeout 0 0
line vty 0
 exec-timeout 0 0
 login
 password 7 0137
line vty 1 2
 login
 password 7 0137
line vty 3 4
 login
end

Note that the vty line passwords above are stored with type 7 encoding, which is a reversible obfuscation rather than a hash, so a running-config copy should be handled as a secret.

25.5 DHCP typical configuration use case

25.5.1 Users on another subnet obtaining IP addresses for Internet access

25.5.1.1 Configuration requirements

1. Users on a different subnet must be able to obtain an IP address and access the Internet normally;

2. Illegal users must be prevented from configuring a static IP address to access the Internet.

25.5.1.2 Topology

25.5.1.3 Analysis

The port on the DHCP snooping device that connects to the DHCP relay device is an ordinary access port. Clients must obtain IP addresses automatically across subnets in order to reach the Internet, which the DHCP relay device provides. There are two ways to stop illegal users from configuring a static IP address for Internet access: enable DAI (Dynamic ARP Inspection) in global mode, or configure port address binding in interface mode together with the ARP check feature. This use case takes the first approach.

25.5.1.4 Configuration process

Build the environment according to the topology above and configure it in the following steps:

Configuration on the DHCP snooping device:

# Enable DHCP snooping
Ruijie(config)# ip dhcp snooping
# Configure gi0/2, the uplink toward the relay and the server, as a trusted port
Ruijie(config)# interface gigabitethernet 0/2
Ruijie(config-if)# ip dhcp snooping trust
# Configure gi0/2 as an ARP inspection trusted port
Ruijie(config-if)# ip arp inspection trust
Ruijie(config-if)# exit
# Enable DAI packet checking on the specified VLAN
Ruijie(config)# ip arp inspection vlan 1
# Configure the device's IP address (SVI 1)
Ruijie(config)# interface vlan 1
Ruijie(config-if)# ip address 10.2.0.1 255.255.0.0
Ruijie(config-if)# exit
# Static route to the other subnet (10.1.0.0/16)
Ruijie(config)# ip route 10.1.0.0 255.255.0.0 10.2.1.1

Configuration on the DHCP relay device:

# Enable the DHCP relay agent
Ruijie(config)# service dhcp
# Add the address of a global DHCP server
Ruijie(config)# ip helper-address 10.1.1.1
# Configure the IP address of the port connected to the snooping device
Ruijie(config)# interface gigabitethernet 3/1
Ruijie(config-if)# no switchport
Ruijie(config-if)# ip address 10.2.1.1 255.255.0.0
Ruijie(config-if)# exit
# Configure the IP address of the port connected to the server
Ruijie(config)# interface gigabitethernet 3/2
Ruijie(config-if)# no switchport
Ruijie(config-if)# ip address 10.1.0.1 255.255.0.0
Ruijie(config-if)# exit

Configuration on the DHCP server:

# Configure the IP address of the port connected to the relay device
Ruijie(config)# interface gigabitethernet 4/1
Ruijie(config-if)# no switchport
Ruijie(config-if)# ip address 10.1.1.1 255.255.0.0
Ruijie(config-if)# exit
# Enable the DHCP server
Ruijie(config)# service dhcp
# Configure excluded addresses, which are never assigned to clients
Ruijie(config)# ip dhcp excluded-address 10.1.1.1 10.1.1.10
# Create the address pool and enter address pool configuration mode
Ruijie(config)# ip dhcp pool linwei
# Configure the clients' default gateway (the relay's address on the client subnet)
Ruijie(dhcp-config)# default-router 10.2.1.1
# Configure the network number and mask of the pool
Ruijie(dhcp-config)# network 10.2.0.0 255.255.0.0
Ruijie(dhcp-config)# exit
# Static route to the client subnet (10.2.0.0/16) via the relay
Ruijie(config)# ip route 10.2.0.0 255.255.0.0 10.1.0.1
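The two protections the access switch turns on in this use case can be modelled in a few lines. The following Python is an added example, not code from the Ruijie manual or from RGOS: it builds the DHCP snooping binding table only from ACKs arriving on the trusted uplink, refuses server messages (Offer, ACK, NAK) on untrusted ports, and applies the DAI rule that an ARP packet on an untrusted port must carry a sender MAC/IP pair matching a binding learned on that port. Port names, MAC addresses and leases are constructed test data; keying bindings by client MAC and the RELEASE handling are simplifications assumed for the example.

```python
# Added example, not from the Ruijie manual: a model of the two protections the
# use case turns on at the access switch, DHCP snooping (server messages are
# accepted only on the trusted uplink, and each ACK creates a MAC/IP/VLAN/port
# binding) and Dynamic ARP Inspection (ARP on untrusted ports must match a
# binding). Port names, MAC addresses and leases are constructed test data.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SERVER_MSGS = ("OFFER", "ACK", "NAK")


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    def __init__(self, trusted_ports: List[str]):
        self.trusted = set(trusted_ports)
        self.pending: Dict[str, Tuple[str, int]] = {}   # chaddr -> (client port, vlan)
        self.bindings: Dict[str, Binding] = {}          # chaddr -> lease binding
        self.drops: List[Tuple[str, str]] = []

    def on_dhcp(self, port: str, vlan: int, msg_type: str, chaddr: str,
                yiaddr: Optional[str] = None) -> bool:
        """Return True if the switch forwards the DHCP message."""
        if msg_type in SERVER_MSGS:
            if port not in self.trusted:                 # rogue server on an access port
                self.drops.append((port, f"{msg_type} from untrusted port"))
                return False
            if msg_type == "ACK" and chaddr in self.pending and yiaddr:
                cport, cvlan = self.pending.pop(chaddr)  # bind the lease to the client's port
                self.bindings[chaddr] = Binding(chaddr, yiaddr, cvlan, cport)
            return True
        if msg_type in ("DISCOVER", "REQUEST"):          # remember where the client is
            self.pending[chaddr] = (port, vlan)
        elif msg_type == "RELEASE":
            b = self.bindings.get(chaddr)
            if b is None or b.port != port:              # only the bound port may release
                self.drops.append((port, "RELEASE for a binding on another port"))
                return False
            del self.bindings[chaddr]
        return True

    def on_arp(self, port: str, sender_mac: str, sender_ip: str) -> bool:
        """DAI: ARP from trusted ports passes; on untrusted ports the sender
        MAC/IP pair must equal a snooping binding learned on that port."""
        if port in self.trusted:
            return True
        b = self.bindings.get(sender_mac)
        ok = b is not None and b.ip == sender_ip and b.port == port
        if not ok:
            self.drops.append((port, f"ARP {sender_mac} {sender_ip} has no binding"))
        return ok


def demo() -> dict:
    """Legitimate lease on gi0/1, a rogue OFFER on gi0/3, and four ARP cases."""
    sw = SnoopingSwitch(trusted_ports=["gi0/2"])         # gi0/2 faces the relay and server
    sw.on_dhcp("gi0/1", 1, "DISCOVER", "00:11:22:33:44:55")
    sw.on_dhcp("gi0/2", 1, "OFFER", "00:11:22:33:44:55", "10.2.0.50")
    sw.on_dhcp("gi0/1", 1, "REQUEST", "00:11:22:33:44:55")
    sw.on_dhcp("gi0/2", 1, "ACK", "00:11:22:33:44:55", "10.2.0.50")
    return {
        "rogue_offer_forwarded": sw.on_dhcp("gi0/3", 1, "OFFER", "00:11:22:33:44:55", "10.2.0.99"),
        "leased_arp_ok": sw.on_arp("gi0/1", "00:11:22:33:44:55", "10.2.0.50"),
        "static_ip_arp_ok": sw.on_arp("gi0/1", "00:11:22:33:44:55", "10.2.0.99"),
        "spoofed_lease_arp_ok": sw.on_arp("gi0/4", "66:77:88:99:aa:bb", "10.2.0.50"),
        "moved_port_arp_ok": sw.on_arp("gi0/4", "00:11:22:33:44:55", "10.2.0.50"),
        "bindings": {m: (b.ip, b.vlan, b.port) for m, b in sw.bindings.items()},
        "drops": len(sw.drops),
    }
```

In demo() only the ARP from the leased address on the port where the lease was learned passes; the host that set 10.2.0.99 statically, a second host claiming the first host's lease, and the first host's own MAC/IP pair showing up on a different port are all dropped, and the Offer injected on access port gi0/3 never reaches clients. This is why the use case marks only gi0/2, the uplink toward the relay, as trusted for both DHCP snooping and ARP inspection.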
