Layer-3 Switch DHCP Relay technology full solution

Source: Internet
Author: User

The layer-3 switch is currently one of the most popular types of switch and is especially suitable for small and medium enterprises, in particular because of its DHCP Relay capability. A DHCP Server can automatically assign network parameters such as IP address, mask, gateway, DNS and WINS to users. This handles clients whose location changes (such as mobile hosts or wireless networks) and cases where the number of clients exceeds the number of IP addresses that can be allocated, simplifying user configuration and improving management efficiency. However, DHCP-based management also brings problems such as DHCP Server impersonation, DoS attacks against the DHCP Server, and network address conflicts caused by arbitrarily chosen IP addresses.

1. DHCP Relay technology for layer-3 switches

The early DHCP protocol only works when the DHCP Client and Server are in the same subnet; it cannot operate across network segments. To achieve dynamic host configuration you would therefore need a DHCP Server for every subnet, which is obviously uneconomical. DHCP Relay solves this problem: DHCP clients in the LAN communicate with DHCP servers in other subnets through the DHCP Relay to obtain valid IP addresses. DHCP clients on multiple networks can thus share the same DHCP Server, which saves cost and allows centralized management. The DHCP Relay configuration consists of the following steps:

1) Configure the IP addresses of the DHCP server group
To improve reliability, a master and a slave DHCP server can be set up on one network segment; together they form a DHCP Server group. The following command specifies the IP addresses of the active and standby DHCP servers. In the system view, configure: dhcp-server groupNo ip ipaddress1 [ipaddress2].

2) Configure the server group corresponding to the VLAN interface
In the VLAN Interface view, configure: dhcp-server groupNo.

3) Enable/disable DHCP security features on VLAN interfaces
Enabling the DHCP security feature on a VLAN interface turns on checking of the legality of user addresses under that interface. This prevents users from configuring IP addresses without authorization and disturbing network order, and, together with the DHCP Server, makes it possible to quickly and accurately locate virus-infected hosts or sources of interference. In the VLAN Interface view, configure: address-check enable.

4) Configure user address table entries
So that users with valid fixed IP addresses in a VLAN configured with DHCP Relay pass the address legality check of the DHCP security feature, this command adds a static address table entry that binds the fixed-IP user's IP address to its MAC address. If another, illegal user configures the same static IP address, it conflicts with the valid user's fixed IP address; the layer-3 switch implementing DHCP Relay identifies the illegal user because the IP/MAC pair does not match the static entry, and rejects the binding of the invalid user's IP address to its MAC address. In the system view, configure: dhcp-security static ip_address mac_address.

2. Other address management technologies

On the layer-3 switch, to ensure that users obtain IP addresses only from valid DHCP servers, the DHCP-Snooping security mechanism lets the administrator mark ports as trusted or untrusted. A trusted port is one connected to the DHCP server or to another layer-3 switch; untrusted ports are those connected to users or the access network. DHCPOFFER and DHCPACK packets returned by a DHCP server are discarded when they arrive on an untrusted port, while a trusted port forwards DHCP packets normally, so that users obtain a correct IP address.

1) Enable/disable DHCP-Snooping on the layer-3 switch
By default, DHCP-Snooping is disabled on the layer-3 switch. In the system view, configure: dhcp-snooping.

2) Configure a port as a trusted port
By default, all layer-3 switch ports are untrusted. In the Ethernet port view, configure: dhcp-snooping trust.

3) Configure the VLAN interface to obtain its IP address through DHCP
In the VLAN Interface view, configure: ip address dhcp-alloc.

Access management configuration: port/IP address/MAC address binding
The port, IP address and MAC address can be bound with the binding command. Port + IP, Port + MAC, Port + IP + MAC and IP + MAC binding modes are supported. This method can prevent unauthorized mobile devices, MAC address abuse attacks and IP address theft attacks, but it involves a huge amount of configuration work.
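As an added example (not code from the article or from any switch vendor), the following Python model reproduces the two checks described on this page: the DHCP-Snooping trusted/untrusted port decision from section 2, and the address legality check against static (dhcp-security static) and dynamically learned IP/MAC bindings from section 1, step 4. Port names, MAC addresses and IP addresses are constructed.

```python
# Added example, not the article's or any vendor's code: a Python model of the two
# DHCP security checks described above. Port names, MACs and IPs are constructed.
from dataclasses import dataclass, field

SERVER_MSGS = {"DHCPOFFER", "DHCPACK"}   # only a DHCP server sends these

@dataclass
class DhcpSecuritySwitch:
    trusted_ports: set = field(default_factory=set)
    static_bindings: dict = field(default_factory=dict)   # ip -> mac (dhcp-security static)
    dynamic_bindings: dict = field(default_factory=dict)  # ip -> mac learned from DHCPACK
    log: list = field(default_factory=list)

    def trust(self, port):           # dhcp-snooping trust (Ethernet port view)
        self.trusted_ports.add(port)

    def add_static(self, ip, mac):   # dhcp-security static ip mac (system view)
        self.static_bindings[ip] = mac.lower()

    def handle_dhcp(self, port, msg_type, client_mac, yiaddr=None):
        """Snooping decision for a DHCP message received on `port`; True = forwarded."""
        if msg_type in SERVER_MSGS and port not in self.trusted_ports:
            self.log.append(f"drop {msg_type} on untrusted {port}: rogue server?")
            return False
        if msg_type == "DHCPACK" and yiaddr:          # lease from a legal server
            self.dynamic_bindings[yiaddr] = client_mac.lower()
        return True

    def check_address(self, src_ip, src_mac):
        """address-check enable: accept only (IP, MAC) pairs with a binding."""
        expected = self.static_bindings.get(src_ip) or self.dynamic_bindings.get(src_ip)
        if expected != src_mac.lower():   # no binding (rogue static IP) or IP theft
            self.log.append(f"drop {src_ip}/{src_mac}: binding is {expected}")
            return False
        return True

def demo():
    sw = DhcpSecuritySwitch()
    sw.trust("GE1/0/1")                                    # uplink to the DHCP server group
    sw.add_static("192.168.10.5", "00:11:22:33:44:55")     # fixed-IP user (e.g. a printer)
    sw.handle_dhcp("GE1/0/1", "DHCPACK", "aa:bb:cc:dd:ee:01", "192.168.10.50")
    rogue_fwd = sw.handle_dhcp("GE1/0/7", "DHCPOFFER", "aa:bb:cc:dd:ee:02", "192.168.10.51")
    return {
        "rogue_offer_dropped": not rogue_fwd,
        "leased_client_ok": sw.check_address("192.168.10.50", "aa:bb:cc:dd:ee:01"),
        "static_user_ok": sw.check_address("192.168.10.5", "00:11:22:33:44:55"),
        "ip_theft_blocked": not sw.check_address("192.168.10.5", "aa:bb:cc:dd:ee:99"),
        "unbound_ip_blocked": not sw.check_address("192.168.10.77", "aa:bb:cc:dd:ee:77"),
    }
```

Every entry returned by demo() is True; the switch's log list records why each dropped packet was rejected, which is the information a defender wants when tracing a rogue server or an address conflict.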
