DHCP - ActForNet · 2014. 11. 15.

Date post: 01-Jul-2021
Page 1

DHCP

Page 2

1

Agenda

DHCP Overview

DHCP Basic: DHCP Server, DHCP Relay, DHCP Snooping

DHCP Additional: DHCP Security, SAVI, ND Snooping

Page 3

2

Concepts of DHCP

DHCP: The Dynamic Host Configuration Protocol (DHCP) enables a client to dynamically obtain a valid IP address.

DHCP server: A DHCP server allocates IP addresses to clients. A client sends a packet to the server to request configuration such as the IP address, subnet mask, and default gateway. After receiving the packet, the server replies with a packet carrying the corresponding configuration according to its policies. Both the Request and Reply packets are encapsulated in UDP.

DHCP relay agent: A DHCP relay agent transparently forwards DHCP broadcast packets between DHCP clients and a DHCP server that are on different network segments.

DHCP snooping: DHCP snooping is introduced to protect DHCP servers and clients against attacks that use ARP, IP, or DHCP packets carrying the IP and MAC addresses of other valid users.

Figure: DHCP feature tree. Basic: DHCP server, DHCP relay, DHCP snooping. Additional: DHCP security.

Page 4

3

DHCP Usage and RFC Compliance Table

Document   Description                                              Remarks
RFC 1533   DHCP Options and BOOTP Vendor Extensions
RFC 1534   Interoperation Between DHCP and BOOTP
RFC 2131   Dynamic Host Configuration Protocol
RFC 2132   DHCP Options and BOOTP Vendor Extensions
RFC 3046   DHCP Relay Agent Information Option
RFC 2460   Internet Protocol, Version 6 (IPv6) Specification
RFC 3315   Dynamic Host Configuration Protocol for IPv6 (DHCPv6)   The functions of the DHCPv6 client and DHCPv6 server are not supported.
RFC 4649   Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Relay Agent Remote-ID Option

The S9700 can be used as ① a DHCP server ② a DHCP relay agent.

Page 5

4

DHCP Usage and RFC Compliance Table (continued)

Document                               Description                                                              Remarks
RFC 3319                               DHCPv6 Options for Session Initiation Protocol (SIP) Servers
RFC 3633                               IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6
RFC 3646                               DNS Configuration options for DHCPv6
RFC 3898                               Network Information Service (NIS) Configuration Options for DHCPv6
RFC 4075                               Simple Network Time Protocol (SNTP) Configuration Option for DHCPv6
RFC 2461                               Neighbor Discovery for IPv6
draft-bi-savi-stateless-00             SAVI Solution for Stateless Address
draft-ietf-savi-dhcp-02                SAVI Solution for DHCP                                                   only support DHCPv6
draft-ietf-savi-dhcp-09                SAVI Solution for DHCP                                                   only support DHCPv6
draft-kaippallimalil-savi-dhcp-pd-01   SAVI Solution for Delegated IPv6 Prefixes

Page 6

5

Agenda

DHCP Overview

DHCP Basic: DHCP Server, DHCP Relay, DHCP Snooping

DHCP Additional: DHCP Security, SAVI, ND Snooping

Page 7

6

DHCP Server – Principle #1: Three Modes for the Interaction Between the DHCP Client and Server

Four stages: ① Discovering stage ② Offering stage ③ Selecting stage ④ Acknowledging stage

MODE 1: The DHCP client accesses the network for the first time. (Figure: all four stages between the DHCP client and the DHCP server.)

MODE 2: The DHCP client accesses the network for the second time. (Figure: the selecting stage between the DHCP client and the DHCP server, or the full four-stage exchange.)

MODE 3: The DHCP client extends the IP address lease. Trigger conditions: ① client-started release ② the server supplies a longer lease ③ if there is no reply from the server at ½ L, the client broadcasts at ¾ L ④ an available server supplies a new lease with a DHCP ACK. (Figure: lease timeline marking ½ L and ¾ L of the lease length L.)
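The MODE 3 timing above (unicast renewal at ½ L, broadcast at ¾ L if the server stays silent, start over once the lease runs out) as a small client-side state model. This is an added example, not code from the slides or the S9700; the Lease and client_action names are this example's own, and the ¾ L rebinding point follows the slide (RFC 2131's default is 0.875 L).

```python
"""Client-side lease timing for MODE 3 (lease extension) as a state model.

Added example, not code from the slides or the S9700. Follows the slide's
values: renew by unicast at 1/2 L, broadcast at 3/4 L if the server has not
answered, and start over with DISCOVER when the lease L runs out.
(RFC 2131's default rebinding time is 0.875 L; 3/4 L is the slide's figure.)
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Lease:
    ip: str
    server: str      # server that granted the lease (renewal unicast target)
    start: float     # time the DHCPACK was received, in seconds
    length: float    # lease length L in seconds

    @property
    def t1(self) -> float:      # renewal time: 1/2 L
        return self.start + self.length / 2

    @property
    def t2(self) -> float:      # rebinding time: 3/4 L (the slide's value)
        return self.start + self.length * 3 / 4

    @property
    def expiry(self) -> float:  # lease end: L
        return self.start + self.length


def client_action(lease: Lease, now: float, acked: bool) -> tuple[str, str]:
    """Return (state, packet) for the client at time `now`.

    `acked` is True once a server has answered the renewal for this lease;
    the packet string names what the client sends at this point, if anything.
    """
    if acked or now < lease.t1:
        return ("BOUND", "none")
    if now < lease.t2:
        return ("RENEWING", f"DHCPREQUEST unicast to {lease.server}")
    if now < lease.expiry:
        return ("REBINDING", "DHCPREQUEST broadcast to 255.255.255.255")
    return ("INIT", "DHCPDISCOVER broadcast (lease expired, address given up)")


def server_extend(lease: Lease, now: float, server: str, new_length: float) -> Lease:
    """Any available server that answers with DHCPACK restarts the clock (trigger 4)."""
    return Lease(lease.ip, server, now, new_length)


if __name__ == "__main__":
    ten_days = 10 * 24 * 3600          # matches `lease day 10` used later in the deck
    lease = Lease("10.1.1.10", "10.1.1.1", start=0, length=ten_days)
    for t in (0, lease.t1, lease.t2, lease.expiry):
        print(t, client_action(lease, t, acked=False))
```

The broadcast at ¾ L is what lets a client survive the loss of the server that granted its lease: any server with a matching pool may answer, which is also why a rogue server on the segment can hijack renewals unless replies are filtered (the DHCP snooping section later in the deck covers that).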

Page 8

7

DHCP Server – Principle #2: Static and Dynamic Allocation of IP Addresses

The DHCP server provides the following address allocation policies:

• Manual address allocation: An administrator assigns fixed IP addresses to a few specific hosts, such as the WWW server.

• Automatic address allocation: The server assigns fixed IP addresses to some hosts when they connect to the network for the first time. These IP addresses can be used by the hosts for a long time.

• Dynamic address allocation: The server assigns IP addresses with leases to clients. The clients need to apply for new IP addresses when the leases expire. This is the address allocation policy most clients use.

Sequence of IP address allocation:

① The IP address that is in the database of the DHCP server and is statically bound to the client's MAC address

② The IP address assigned to the client before, that is, the IP address in the Requested IP Address option of the DHCP DISCOVER packet sent by the client

③ The first IP address found when the server searches for available IP addresses in the DHCP address pool

④ If the DHCP address pool has no available IP address, the DHCP server searches the expired IP addresses and then the conflicting IP addresses for an available one. If an available address is found, the server allocates it to the client; otherwise, the server sends an error message.
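The allocation order above (static binding first, then the client's previously held address, then the first idle address, then expired and conflicting addresses, else an error) as a small Python allocator. This is an added example, not S9700 code; Pool, allocate, mark and the state names are this example's own, and stats() only mirrors the Total/Used/Idle/Expired/Conflict counters that display ip pool prints later in the deck.

```python
"""Address selection order of a DHCP server pool.

Added example, not S9700 code: Pool, allocate and the state names are this
example's own. It implements the slide's search order: (1) the address
statically bound to the client's MAC, (2) the address the client asks for in
the Requested IP Address option of its DISCOVER, (3) the first idle address
in the pool, (4) expired and then conflicting addresses, else an error.
"""
from __future__ import annotations
from ipaddress import IPv4Network

IDLE, USED, EXPIRED, CONFLICT = "idle", "used", "expired", "conflict"


class Pool:
    def __init__(self, network: str, excluded: tuple[str, ...] = (),
                 static: dict[str, str] | None = None) -> None:
        self.static = dict(static or {})                 # MAC -> IP (manual allocation)
        self.leases: dict[str, str] = {}                  # IP -> MAC currently holding it
        self.state: dict[str, str] = {}                   # IP -> IDLE/USED/EXPIRED/CONFLICT
        reserved = set(excluded) | set(self.static.values())
        for host in IPv4Network(network).hosts():         # pool order = ascending address
            if str(host) not in reserved:
                self.state[str(host)] = IDLE

    def _grant(self, ip: str, mac: str) -> str:
        if ip in self.state:                              # static addresses live outside the pool counters
            self.state[ip] = USED
        self.leases[ip] = mac
        return ip

    def allocate(self, mac: str, requested: str | None = None) -> str:
        # 1. statically bound address always wins
        if mac in self.static:
            return self._grant(self.static[mac], mac)
        # 2. address the client held before (Requested IP Address option)
        if requested:
            still_mine = self.leases.get(requested) == mac
            if still_mine or self.state.get(requested) in (IDLE, EXPIRED):
                return self._grant(requested, mac)
        # 3. first idle address found while scanning the pool
        for ip, st in self.state.items():
            if st == IDLE:
                return self._grant(ip, mac)
        # 4. pool exhausted: reuse expired addresses, then conflicting ones
        for wanted in (EXPIRED, CONFLICT):
            for ip, st in self.state.items():
                if st == wanted:
                    return self._grant(ip, mac)
        raise LookupError("no available address in pool")   # server sends an error

    def mark(self, ip: str, state: str) -> None:
        """Lease expiry or conflict detection moves an address out of USED."""
        self.state[ip] = state
        if state != USED:
            self.leases.pop(ip, None)

    def stats(self) -> dict[str, int]:
        """Counters in the style of the Total/Used/Idle/Expired/Conflict line of display ip pool."""
        counts = {"Total": len(self.state), "Used": 0, "Idle": 0, "Expired": 0, "Conflict": 0}
        for st in self.state.values():
            counts[st.capitalize()] += 1
        return counts


if __name__ == "__main__":
    # constructed values: the /25 pool, excluded addresses and MAC are made up for the demo
    pool = Pool("10.1.1.0/25", excluded=("10.1.1.2", "10.1.1.4"),
                static={"00:11:22:33:44:55": "10.1.1.100"})
    print(pool.allocate("00:11:22:33:44:55"))          # static binding: 10.1.1.100
    print(pool.allocate("aa:aa:aa:aa:aa:aa"))          # first idle: 10.1.1.1
    print(pool.allocate("bb:bb:bb:bb:bb:bb", "10.1.1.50"))  # requested address honoured
    print(pool.stats())
```

Step 2 deserves attention from a security standpoint: the Requested IP Address option is client-supplied, so an allocator that honours it must still confirm the address is idle, expired, or already leased to that same MAC, as the check in allocate() does; otherwise a client could claim another host's address simply by asking for it.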

Page 9

8

Why use the S9700 as a DHCP Server?

Purpose

With the rapid growth of network scale and complexity, for example when the location of hosts changes frequently (portable computers or wireless networks) and the number of hosts exceeds the number of assignable IP addresses, network configuration becomes more complicated. To assign IP addresses to hosts properly and dynamically, DHCP is applied.

Benefit

HOT BACKUP: For an S9700 with two MPUs/SRUs, DHCP data on the two MPUs is backed up in real time. Therefore, after a master/slave switchover, the slave MPU becomes the master MPU and the DHCP server continues to function and allocate IP addresses to clients normally.

Page 10

9

DHCP Server – Packet Flow

Figure: DHCP server packet flow. (1) A DHCP Discover/Request packet reaches the packet processor on the LPU; (2) the LC CPU; (3) the control channel to the SRU CPU; (4) memory holding the IP : MAC : PORT mapping table, the address pool, the timing table and so on; (5) the DHCP packet export process emits the DHCP Offer/Reply/ACK/NAK datagram (internal HDR + DHCP packet).

Page 11

10

DHCP Server – Feature Implementation

Subcategory: DHCP server

• Assigning addresses randomly through the global address pool. Specifications: 256 global address pools are supported.

• Binding addresses statically. Specifications: MAC addresses and IP addresses can be bound. Remarks: assign a specific IP address to a specific MAC address.

• Setting user-defined DHCP options.

• Supporting detection of DHCP server address conflicts. Specifications: when an address conflict is detected, the DHCP server monitors the status of the addresses until they are idle. This function can be enabled or disabled. Key commands: dhcp server ping packet number; dhcp server ping timeout milliseconds.

• Number of DHCP server groups: 64

• Number of DHCP servers in each DHCP server group: 20

• Maximum number of IP relay addresses that can be configured on a VLANIF interface: 20

• Number of DHCP server groups on a VLANIF interface: 1

• User online or offline rate supported by the DHCP relay: 85 users per second (8*10G board: 60 users per second)

Page 12

11

DHCP Server – Feature Implementation

Subcategory: DHCPv6 server

• Address allocation by two-message exchanges. Specifications: A client multicasts a Solicit packet to find the server that can allocate addresses and configuration parameters. After receiving the Solicit packet, the server responds with a Reply packet carrying the IP address and configuration parameters allocated to the client.

• Address allocation by four-message exchanges. Specifications: A client first multicasts a Solicit packet to find the servers that can provide DHCPv6 services. After receiving Advertise packets from multiple servers, the client selects one server according to server priorities. Then the client and the selected server complete address application and allocation by exchanging Request and Reply packets.

• Stateful DHCPv6 mode. Specifications: The server allocates an IP address and configuration, such as DNS, SIP, NIS, and SNTP server configurations, to the client.

• Stateless DHCPv6 mode. Specifications: The server allocates configuration, such as DNS, SIP, NIS, and SNTP server configurations, to the client.

• Prefix allocation by two-message exchanges. Specifications: A client multicasts a Solicit packet to find the server that can provide services. After receiving the Solicit packet, the server responds with a Reply packet carrying the prefix allocated to the client.

• Prefix allocation by four-message exchanges. Specifications: A client first multicasts a Solicit packet to find the servers that can provide services. After receiving Advertise packets from multiple servers, the client selects one server according to server priorities. Then the client and the selected server complete prefix application and allocation by exchanging Request and Reply packets.

Page 13

12

DHCP Server – Feature Implementation

Subcategory: Address pool management

• Supporting address pools of VPNs

• Enabling the DHCP server on a VLANIF interface. Key commands: interface vlanif vlan-id; ip address ip-address { mask | mask-length }; dhcp select interface

• Each address pool supports two DNS server addresses and the DNS suffix

• Each address pool supports two NetBIOS server addresses and the NetBIOS server type

• Assigning IP addresses based on MAC addresses

• Setting the address pool lease. Key command: lease { day day [ hour hour [ minute minute ] ] | unlimited }

• Locking the address pool

• Setting user-defined options for address pools (option numbers 1 to 254). Specifications: the option can be in IP address format, as a character string, or in hexadecimal notation.

• Reclaiming addresses manually

Page 14

13

DHCP Server – Feature 1: Supporting detection of DHCP server address conflicts

Usage Scenario

The dhcp server ping command is applicable to DHCP servers. Assigning an IP address that is already in use causes an IP address conflict. To prevent this, before assigning an IP address to a client, the DHCP server sends ping packets (as configured with the dhcp server ping command) to check whether the IP address is in use. The DHCP server first sends one ping packet to the IP address. If there is no response within the specified period, it keeps sending ping packets to the address until the number of sent ping packets reaches the maximum. If there is still no response, the DHCP server considers the IP address not in use and assigns it to the client. This ensures that a unique IP address is assigned to the client.

Example: Set the maximum number of ping packets to 10 and the maximum response time of each ping packet to 100 ms.

<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp server ping packet 10
[Quidway] dhcp server ping timeout 100
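The probe-before-assign logic described above, as an added example that is not S9700 code. The `packets` and `timeout_ms` parameters stand in for the two dhcp server ping settings; address_in_use, assign_checked and scripted_responder are this example's own names, and the responder is a constructed stand-in for the network so the model runs offline.

```python
"""Address conflict detection before assignment (dhcp server ping).

Added example, not S9700 code. Models what the slide describes: before an
address is handed out, the server pings it up to `packets` times, waiting
`timeout_ms` for each; the first reply proves the address is in use, while
`packets` silent probes let the server assign it. The probe function is
injected so the model runs offline; scripted_responder is constructed for
the demo and answers from a fixed set, not from a real network.
"""
from __future__ import annotations
from typing import Callable, Collection, Iterable

Probe = Callable[[str, int], bool]      # (ip, timeout_ms) -> reply received?


def address_in_use(ip: str, send_ping: Probe, packets: int = 10,
                   timeout_ms: int = 100) -> tuple[bool, int]:
    """Return (in_use, probes_sent); stops at the first reply."""
    if packets < 1 or timeout_ms < 1:
        raise ValueError("need at least one probe and a positive timeout")
    sent = 0
    for _ in range(packets):
        sent += 1
        if send_ping(ip, timeout_ms):
            return True, sent              # someone answered: conflict
    return False, sent                     # silent for every probe: safe to assign


def assign_checked(candidates: Iterable[str], send_ping: Probe, packets: int = 10,
                   timeout_ms: int = 100) -> tuple[str | None, list[str]]:
    """Walk candidates in allocation order; return the first one nobody answers
    for, plus the addresses found in use (which the server marks conflicting
    and keeps watching until they go idle)."""
    conflicts: list[str] = []
    for ip in candidates:
        in_use, _ = address_in_use(ip, send_ping, packets, timeout_ms)
        if in_use:
            conflicts.append(ip)
        else:
            return ip, conflicts
    return None, conflicts


def scripted_responder(live: Collection[str],
                       drop_first: Collection[str] = ()) -> Probe:
    """Constructed probe: hosts in `live` answer; hosts also in `drop_first`
    ignore the first probe, which shows why `packets` is larger than one."""
    seen: dict[str, int] = {}

    def send_ping(ip: str, timeout_ms: int) -> bool:
        seen[ip] = seen.get(ip, 0) + 1
        if ip in drop_first and seen[ip] == 1:
            return False
        return ip in live

    return send_ping


if __name__ == "__main__":
    # constructed: 10.1.1.3 answers at once, 10.1.1.5 loses its first reply, 10.1.1.6 is free
    responder = scripted_responder(live={"10.1.1.3", "10.1.1.5"}, drop_first={"10.1.1.5"})
    print(assign_checked(["10.1.1.3", "10.1.1.5", "10.1.1.6"], responder, packets=10, timeout_ms=100))
```

Two caveats a practitioner should keep in mind: a silent host (firewalled, or simply not answering ICMP) passes the check, so the probe reduces conflicts rather than ruling them out, and the worst case adds `packets × timeout_ms` of latency to every allocation, which is why the example values on the slide keep both small.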

Page 15

14

DHCP Server – Feature 2: Locking the address pool

Usage Scenario

The lock command is applicable to DHCP servers. When a DHCP server needs to be migrated, you simply need to migrate the address pools on the DHCP server to another DHCP server on the live network. To retain the addresses that have already been assigned to clients from a global address pool, run the lock command to lock the global address pool. When new users come online, they apply for IP addresses from a new address pool.

Precautions

After the lock command is run, the specified IP address pool is locked and IP addresses in this address pool cannot be assigned to clients. Only address pools that have been created can be locked.

Example: Lock the address pool global1.

<Quidway> system-view
[Quidway] ip pool global1
[Quidway-ip-pool-global1] lock

Page 16

15

DHCP Server – Feature 3: Reclaiming addresses manually

Usage Scenario

The reset ip pool command manually reclaims the IP addresses that cannot be released in an IP address pool. If an IP address conflict occurs because two clients use the same IP address, run the reset ip pool command to set the IP address to idle.

Precautions

User information cannot be restored after you clear it. Exercise caution when running the reset ip pool command. DHCP clients must release their old IP addresses before obtaining new IP addresses.

Configuration Impact

After the reset ip pool command is run, a user may be disconnected if its IP address is within the address range specified in this command.

Example: Set all conflicting IP addresses in the IP address pool test to idle.

<Quidway> reset ip pool name test conflict

Page 17

16

DHCP Server – Configuration Example #1: Example for Configuring a DHCP Server Based on the Global Address Pool

Configuration Roadmap

STEP 1 : Enable the DHCP server function on SwitchA.

<Quidway> system-view
[Quidway] dhcp enable

Page 18

17

DHCP Server – Configuration Example #2

STEP 2 : Create a global address pool on SwitchA and set the attributes of the address pool, including the address range, egress gateway, NetBIOS address, and address lease.

# Set the attributes of IP address pool 1
[Quidway] ip pool 1
[Quidway-ip-pool-1] network 10.1.1.0 mask 255.255.255.128
[Quidway-ip-pool-1] dns-list 10.1.1.2
[Quidway-ip-pool-1] gateway-list 10.1.1.126
[Quidway-ip-pool-1] excluded-ip-address 10.1.1.2
[Quidway-ip-pool-1] excluded-ip-address 10.1.1.4
[Quidway-ip-pool-1] lease day 10
[Quidway-ip-pool-1] quit

# Set the attributes of IP address pool 2
[Quidway] ip pool 2
[Quidway-ip-pool-2] network 10.1.1.128 mask 255.255.255.128
[Quidway-ip-pool-2] dns-list 10.1.1.2
[Quidway-ip-pool-2] nbns-list 10.1.1.4
[Quidway-ip-pool-2] gateway-list 10.1.1.254
[Quidway-ip-pool-2] lease day 2
[Quidway-ip-pool-2] quit

Page 19

18

DHCP Server – Configuration Example #3

STEP 3 : Configure VLANIF interfaces to use the global address pool to allocate IP addresses.

# Add GE 1/0/1 to VLAN 10 and GE 1/0/2 to VLAN 20.
[Quidway] vlan batch 10 20
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[Quidway-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[Quidway-GigabitEthernet1/0/1] quit
[Quidway] interface gigabitethernet 1/0/2
[Quidway-GigabitEthernet1/0/2] port hybrid pvid vlan 20
[Quidway-GigabitEthernet1/0/2] port hybrid untagged vlan 20
[Quidway-GigabitEthernet1/0/2] quit

# Configure the clients on VLANIF 10 to obtain IP addresses from the global address pool.
[Quidway] interface vlanif 10
[Quidway-Vlanif10] ip address 10.1.1.1 255.255.255.128
[Quidway-Vlanif10] dhcp select global
[Quidway-Vlanif10] quit

# Configure the clients on VLANIF 20 to obtain IP addresses from the global address pool.
[Quidway] interface vlanif 20
[Quidway-Vlanif20] ip address 10.1.1.129 255.255.255.128
[Quidway-Vlanif20] dhcp select global
[Quidway-Vlanif20] quit

Page 20

19

DHCP Server – Configuration Example #4

STEP 4 : Verify the configuration.

[Quidway] display ip pool
-----------------------------------------------------------------
  Pool-name      : 2
  Pool-No        : 0
  Position       : Local
  Status         : Unlocked
  Gateway-0      : 10.1.1.254
  Mask           : 255.255.255.128
  VPN instance   : --
-----------------------------------------------------------------
  Pool-name      : 1
  Pool-No        : 2
  Position       : Local
  Status         : Unlocked
  Gateway-0      : 10.1.1.126
  Mask           : 255.255.255.128
  VPN instance   : --

  IP address Statistic
    Total    :250
    Used     :0        Idle     :248
    Expired  :0        Conflict :0        Disable  :2

Page 21

20

Agenda

DHCP Overview

DHCP Basic: DHCP Server, DHCP Relay, DHCP Snooping

DHCP Additional: DHCP Security, SAVI, ND Snooping

Page 22

21

DHCP Relay - Principle #1

Figure: DHCP client obtaining an address through the DHCP relay agent for the first time: STEP 1 to STEP 4 exchanged between the DHCP client, the DHCP relay and the DHCP server. DHCP client extending the IP address lease through a DHCP relay agent: STEP 1 and STEP 2 between the DHCP client, the DHCP relay and the DHCP server.
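The relay exchanges in the figure above, modelled on the wire. This is an added example, not S9700 code: it builds and parses the BOOTP fixed header plus TLV options with Python's struct module; Relay, relay_ip and circuit_id are this example's own names; the hop limit follows RFC 1542, the giaddr handling and reply delivery rule follow RFC 2131, and the option 82 circuit-id sub-option follows RFC 3046 from the deck's RFC table.

```python
"""DHCP relay agent forwarding, modelled on the wire.

Added example, not S9700 code; Relay, relay_ip and circuit_id are this
example's names. A BOOTREQUEST arriving from the client side gets the
relay's interface address in giaddr and hops+1 (RFC 2131), optionally an
option 82 circuit-id (RFC 3046), and is unicast to every configured server;
a BOOTREPLY whose giaddr is the relay's address is stripped of option 82 and
delivered on the client side, broadcast or unicast per RFC 2131 section 4.1.
Only the BOOTP fixed header plus TLV options are encoded.
"""
from __future__ import annotations
import struct
from ipaddress import IPv4Address

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_AGENT_INFO, OPT_END = 53, 54, 82, 255
HDR = "!BBBBIHH4s4s4s4s16s64s128s"     # op htype hlen hops xid secs flags ci yi si gi chaddr sname file
HDR_LEN = struct.calcsize(HDR)          # 236 bytes
FLAG_BROADCAST = 0x8000


def build(op: int, xid: int, chaddr: bytes, options: dict[int, bytes], hops: int = 0,
          ciaddr: str = "0.0.0.0", yiaddr: str = "0.0.0.0", giaddr: str = "0.0.0.0",
          flags: int = 0) -> bytes:
    fixed = struct.pack(HDR, op, 1, len(chaddr), hops, xid, 0, flags,
                        IPv4Address(ciaddr).packed, IPv4Address(yiaddr).packed,
                        b"\0" * 4, IPv4Address(giaddr).packed,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    tlvs = b"".join(bytes([code, len(val)]) + val for code, val in options.items())
    return fixed + MAGIC + tlvs + bytes([OPT_END])


def parse(pkt: bytes) -> dict:
    f = struct.unpack(HDR, pkt[:HDR_LEN])
    if pkt[HDR_LEN:HDR_LEN + 4] != MAGIC:
        raise ValueError("not a DHCP message")
    msg = {"op": f[0], "hops": f[3], "xid": f[4], "flags": f[6],
           "ciaddr": str(IPv4Address(f[7])), "yiaddr": str(IPv4Address(f[8])),
           "giaddr": str(IPv4Address(f[10])), "chaddr": f[11][:f[2]], "options": {}}
    i = HDR_LEN + 4
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                          # pad octet
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        msg["options"][code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return msg


class Relay:
    def __init__(self, relay_ip: str, servers: list[str], circuit_id: bytes = b"") -> None:
        self.relay_ip, self.servers, self.circuit_id = relay_ip, list(servers), circuit_id

    def from_client(self, pkt: bytes) -> list[tuple[str, bytes]]:
        """Client-side ingress: (server address, packet) pairs to unicast, or []."""
        m = parse(pkt)
        if m["op"] != BOOTREQUEST or m["hops"] > 16:   # RFC 1542: discard over-hopped requests
            return []
        giaddr = m["giaddr"] if m["giaddr"] != "0.0.0.0" else self.relay_ip  # first relay's giaddr wins
        opts = dict(m["options"])
        if self.circuit_id:                              # option 82, sub-option 1 = circuit-id
            opts[OPT_AGENT_INFO] = bytes([1, len(self.circuit_id)]) + self.circuit_id
        out = build(BOOTREQUEST, m["xid"], m["chaddr"], opts, hops=m["hops"] + 1,
                    ciaddr=m["ciaddr"], giaddr=giaddr, flags=m["flags"])
        return [(server, out) for server in self.servers]

    def from_server(self, pkt: bytes) -> tuple[str, bytes] | None:
        """Server-side ingress: (client-side destination, packet), or None if not ours."""
        m = parse(pkt)
        if m["op"] != BOOTREPLY or m["giaddr"] != self.relay_ip:
            return None
        opts = {c: v for c, v in m["options"].items() if c != OPT_AGENT_INFO}
        out = build(BOOTREPLY, m["xid"], m["chaddr"], opts, hops=m["hops"], ciaddr=m["ciaddr"],
                    yiaddr=m["yiaddr"], giaddr=m["giaddr"], flags=m["flags"])
        if m["ciaddr"] != "0.0.0.0":                     # renewing client already has an address
            return m["ciaddr"], out
        if m["flags"] & FLAG_BROADCAST:                  # client cannot receive unicast yet
            return "255.255.255.255", out
        return m["yiaddr"], out                          # unicast to the offered address via chaddr
```

The giaddr field is what ties the two halves together: the server picks the pool from it and sends the reply back to it, and the relay only accepts replies whose giaddr is its own address. The circuit-id the relay stamps in option 82 is also what lets a server (or a snooping switch) know which port a request really came from, independent of the client-controlled chaddr.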

Page 23

22

DHCP Relay - Principle #2: S9700 DHCP Relay Agent Supporting VPNs

To forward DHCP packets on a VPN, you need to configure the DHCP relay agent to support VPNs. Once a private route exists, a DHCP REQUEST packet can be sent to the DHCP server to apply for an IP address. The DHCP relay agent sends the DHCP REQUEST packet from a client on a VPN (or on the public network) to the DHCP server on the local VPN, and then sends the DHCP REPLY packet from the server back to the client.

Figure: MPLS VPN network (VPN A, VPN B, VPN C) with Client 1, Client 2 and Client 3, two DHCP relays, and DHCP SERVER 1.

Currently, the CE-PE-PE-CE scenario is supported. The DHCP server and the client can both be deployed on the same CE, or the DHCP server is deployed on a PE while the DHCP client is deployed on a CE.

Page 24

23

DHCP Relay - Scenario

With the rapid growth of network scale and complexity, for example when the location of hosts changes frequently (portable computers or wireless networks) and the number of hosts exceeds the number of assignable IP addresses, network configuration becomes more complicated. To assign IP addresses to hosts properly and dynamically, DHCP is applied.

Figure: DHCP client, DHCP relay, L2/L3 networks, DHCP relay, DHCP server; the DHCP packet crosses the L2/L3 networks between the relays.

Page 25

24

DHCP Relay – Packet Flow

Figure: DHCP relay packet flow. (1) A DHCP server or client packet reaches the packet processor on the LPU; (2) the LC CPU; (3) the control channel to the SRU CPU; (4) memory holding the DHCP relay related table; (5) the DHCP packet export process emits the DHCP relay packet (unicast; internal HDR + DHCP packet).

Page 26

25

DHCP Relay - Feature Implementation

Subcategory: DHCP relay

• Configuring DHCP relay on the VLANIF interface

• Configuring DHCP relay on the sub-interface

• Configuring DHCP relay on VPNs

• Configuring DHCPv6 relay on VLANIFs

Subcategory: DHCPv6 relay

• VLANIF interface-based relay agent

• DHCPv6 Option 37 (remote-id)

• DHCPv6 Option 18 (interface-id)

Page 27

26

DHCP Relay – Feature 1: Configuring DHCP relay on the VLANIF interface

When functioning as a DHCP relay agent, the S9700 forwards the DHCP Request packets from DHCP clients to the DHCP server. After the DHCP relay function is enabled on the VLANIF interface, set the DHCP server address on the VLANIF interface in either of the following ways:

• Configure a destination DHCP server group and bind the group to the interface. For details, see Configuring a Destination DHCP Server Group and Binding an Interface to a DHCP Server Group.

• Run the dhcp relay server-ip ip-address command in the VLANIF interface view to configure the destination DHCP server address.

Page 28

27

DHCP Relay – Feature 2: Configuring DHCP relay on VPNs

An enterprise establishes a VPN for employees to communicate with each other. The DHCP server is not in the VPN. Users in the VPN need to obtain IP addresses from the DHCP server.

As shown in the figure on the left, the DHCP clients are located in VPNA, on network segment 20.20.20.0/24; the DHCP server is located on network segment 10.10.10.0/24. The DHCP packets need to be relayed by the Switch on which the DHCP relay function is enabled. The DHCP clients on the VPN can then apply for IP addresses from the DHCP server.

An address pool containing network segment 20.20.20.0/24 is configured on the DHCP server. The DHCP server has a reachable route to 20.20.20.0/24.

Page 29

28

DHCP Relay – Configuration Example #1

Configuration Roadmap

STEP 1 : Create a DHCP server group and add a DHCP server to the group.

STEP 2 : Enable DHCP relay on VLANIF 100 so that the Switch functions as the DHCP relay agent.

STEP 3 : Create a VPN instance and bind the DHCP server group and the VLANIF interface to the VPN instance.

STEP 4 : Bind the specified DHCP server group to VLANIF 100 so that the packets passing through VLANIF 100 are forwarded to the specified server.

Page 30

29

DHCP Relay - Configuration Example #2

1. Create a DHCP server group and add a DHCP server to the group.

<Quidway> system-view
[Quidway] sysname Switch
[Switch] dhcp server group dhcpgroup1
[Switch-dhcp-server-group-dhcpgroup1] dhcp-server 10.10.10.1
[Switch-dhcp-server-group-dhcpgroup1] quit

2. Enable the DHCP relay function on the VLANIF interface.

[Switch] vlan 100
[Switch-Vlan100] quit
[Switch] interface gigabitethernet 1/0/0
[Switch-GigabitEthernet1/0/0] port link-type trunk
[Switch-GigabitEthernet1/0/0] port trunk allow-pass vlan 100
[Switch-GigabitEthernet1/0/0] quit
[Switch] dhcp enable
[Switch] interface vlanif 100
[Switch-Vlanif100] dhcp select relay
[Switch-Vlanif100] quit

Page 31

30

DHCP Relay - Configuration Example #3

3. Create a VPN instance and bind the DHCP server group and the VLANIF interface to the VPN instance.

# Create a VPN instance.
[Switch] ip vpn-instance vpna
[Switch-vpn-instance-vpna] route-distinguisher 1:1
[Switch-vpn-instance-vpna] vpn-target 2:2 both
[Switch-vpn-instance-vpna] quit

# Bind the DHCP server group to the VPN instance.
[Switch] dhcp server group dhcpgroup1
[Switch-dhcp-server-group-dhcpgroup1] vpn-instance vpna
[Switch-dhcp-server-group-dhcpgroup1] quit

# Bind the VLANIF interface to the VPN instance.
[Switch] interface vlanif 100
[Switch-Vlanif100] ip binding vpn-instance vpna

4. Bind the VLANIF interface to the specified DHCP server group.

# Set the IP address of the VLANIF interface.
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 20.20.20.1 24

# Specify a DHCP server for the VLANIF interface.
[Switch-Vlanif100] dhcp relay server-select dhcpgroup1

Page 32

31

DHCP Relay - Configuration Example #4

5. Configure the DHCP server and the PE.

# On the DHCP server.
<Quidway> system-view
[Quidway] sysname SERVER
[SERVER] ip pool 1
[SERVER-ip-pool-1] network 20.20.20.0 mask 255.255.255.0
[SERVER-ip-pool-1] gateway-list 20.20.20.1
[SERVER-ip-pool-1] quit
[SERVER] ip route-static 20.20.20.0 255.255.255.0 10.10.10.2

# On the PE.
<Quidway> system-view
[Quidway] sysname PE
[PE] vlan 101
[PE-Vlan101] quit
[PE] interface gigabitethernet 1/0/0
[PE-GigabitEthernet1/0/0] port link-type trunk
[PE-GigabitEthernet1/0/0] port trunk allow-pass vlan 101
[PE-GigabitEthernet1/0/0] quit
[PE] ip vpn-instance vpna
[PE-vpn-instance-vpna] route-distinguisher 1:1
[PE-vpn-instance-vpna] vpn-target 2:2 both
[PE-vpn-instance-vpna] quit
[PE] interface vlanif 101
[PE-Vlanif101] ip binding vpn-instance vpna
[PE-Vlanif101] ip address 10.10.10.2 24
[PE-Vlanif101] quit

Page 33

32

DHCP Relay - Configuration Example #5

6. Configure MP-IBGP to exchange VPN routing information.

[PE] bgp 100
[PE-bgp] peer 1.1.1.1 as-number 100
[PE-bgp] peer 1.1.1.1 connect-interface loopback 1
[PE-bgp] ipv4-family vpnv4
[PE-bgp-af-vpnv4] peer 1.1.1.1 enable
[PE-bgp-af-vpnv4] quit
[PE-bgp] quit

[Switch] bgp 100
[Switch-bgp] peer 2.2.2.2 as-number 100
[Switch-bgp] peer 2.2.2.2 connect-interface loopback 1
[Switch-bgp] ipv4-family vpnv4
[Switch-bgp-af-vpnv4] peer 2.2.2.2 enable
[Switch-bgp-af-vpnv4] quit

[PE] display bgp peer
 BGP local router ID : 2.2.2.2
 Local AS number : 100
 Total number of peers : 1          Peers in established state : 1
  Peer      V  AS   MsgRcvd  MsgSent  OutQ  Up/Down    State        PrefRcv
  1.1.1.1   4  100  12       6        0     00:02:21   Established  0

After the configuration, run the display bgp peer command on the PE: the BGP peer relationship between the PEs is in the Established state.

Page 34

33

DHCP Relay - Configuration Example #6

7. Verify the configuration.

[Switch] display dhcp relay interface vlanif100
 DHCP relay agent running information of interface Vlanif100 :
 DHCP server group name : dhcpgroup1
 DHCP server IP [0]  :10.10.10.1
 DHCP server IP [1]  :255.255.255.255
 DHCP server IP [2]  :255.255.255.255
 DHCP server IP [3]  :255.255.255.255
 DHCP server IP [4]  :255.255.255.255
 DHCP server IP [5]  :255.255.255.255
 DHCP server IP [6]  :255.255.255.255
 DHCP server IP [7]  :255.255.255.255
 DHCP server IP [8]  :255.255.255.255
 DHCP server IP [9]  :255.255.255.255
 DHCP server IP [10] :255.255.255.255
 DHCP server IP [11] :255.255.255.255
 DHCP server IP [12] :255.255.255.255
 DHCP server IP [13] :255.255.255.255
 DHCP server IP [14] :255.255.255.255
 DHCP server IP [15] :255.255.255.255
 DHCP server IP [16] :255.255.255.255
 DHCP server IP [17] :255.255.255.255
 DHCP server IP [18] :255.255.255.255
 DHCP server IP [19] :255.255.255.255

Page 35

34

Agenda

DHCP Overview

DHCP Basic: DHCP Server, DHCP Relay, DHCP Snooping

DHCP Additional: DHCP Security, SAVI, ND Snooping

Page 36

35

DHCP Snooping – Principle

DHCP snooping is a security feature of DHCP. The S9700 creates and maintains the DHCP snooping binding table to filter out untrusted DHCP information sent from untrusted zones. The DHCP snooping binding table contains the MAC address, IP address, lease, VLAN ID, and interface number of each user in an untrusted zone.

When DHCP snooping is enabled on an S9700, the S9700 listens to DHCP packets and records the IP addresses and MAC addresses in the received DHCP Request packets or Ack messages. A physical interface can be configured as a trusted interface or an untrusted interface. A trusted interface forwards the DHCP Reply packets it receives, whereas an untrusted interface discards them. By using DHCP snooping, the S9700 can prevent bogus DHCP servers and ensure that clients obtain IP addresses from valid DHCP servers.

Page 37

36

DHCP Snooping - Scenario

Purpose

DHCP snooping prevents the following attacks:

• Bogus DHCP server attack

• Man-in-the-middle attack and IP/MAC spoofing attack

• Denial of Service (DoS) attack

• DoS attack by changing the value of the Client Hardware Address (CHADDR)

Benefits

DHCP snooping ensures that:

• Clients obtain IP addresses from valid DHCP servers.

• The IP addresses and MAC addresses of DHCP clients are recorded, and the binding entries can be used by other features.


DHCP Snooping – Packet Flow

[Figure: DHCP snooping packet flow. A DHCP server packet enters the packet processor on the LPU (1), is passed to the LC CPU (2), crosses the control channel to the SRU CPU (3), which holds the DHCP snooping table in memory (4), and then goes through the DHCP packet export process (5). Between the units the packet travels as "Internal HDR + DHCP packet", a unicast DHCP snooping packet. Decision shown: "Trust port or not?" – Y: forward; N: DROP.]


DHCP Snooping - Feature Implementation

Subcategory: DHCP snooping

Item | Specifications | Remarks
Enabling or disabling DHCP snooping globally or on an interface | |
Configuring the trusted interface for the DHCP server | Prevents unauthorized servers |
Configuring static entries of DHCP snooping | When a static DHCP snooping entry is configured, the IP address and VLAN ID must be set; the MAC address and port number are optional. | The DHCP snooping binding table consists of a static bind-table and a dynamic bind-table.
Preventing DHCP starvation attacks | The transmission rate of DHCP packets on an interface or in a VLAN is limited. | Key command: dhcp snooping check dhcp-rate rate
Preventing attackers from sending bogus DHCP messages to extend IP address leases | | Key command: dhcp snooping check user-bind enable
Supporting DHCP snooping in the VPLS | DHCP snooping over VPLS is enabled by enabling DHCP snooping on a physical interface or in a VLAN. |
Supporting DHCPv6 snooping | |
DHCP snooping static binding table | |
DHCP snooping dynamic binding table | |
Rate of creating/deleting DHCP snooping binding table entries | 85 entries per second |


DHCP Snooping - Feature Implementation

Subcategory: DHCPv6 snooping

Item | Specifications | Remarks
Global DHCPv6 snooping | |
Interface-based DHCPv6 snooping | |
VLAN-based DHCPv6 snooping | |
DHCPv6 trusted interface | The trusted interface can receive packets from the DHCP server. The switch discards the DHCP packets received from untrusted interfaces. |
Dynamic DHCPv6 snooping binding table | The switch dynamically generates DHCPv6 snooping binding entries by capturing and analyzing DHCP packets received from the DHCPv6 server. A binding entry contains the IPv6 address, MAC address, double-layer VLAN IDs, and interface number. |
Static DHCPv6 snooping binding table | You can manually configure DHCP snooping binding entries. A static binding entry contains the IP address, MAC address, VLAN ID, and interface number. |
DHCPv6 snooping binding table management | You can add, delete, modify, and query dynamic and static DHCP snooping binding entries by using commands. |
Preventing bogus DHCPv6 Request messages | If unauthorized users send a large number of bogus DHCP Request messages with variable MAC addresses to extend IP address leases, expired IPv6 addresses cannot be withdrawn. |
1:1 VLAN mapping | |
Super VLAN | Batch configurations take effect in sub-VLANs. |
Port flapping | Port flapping for the binding table |
Interface- or VLAN-based PD snooping | |


DHCP Snooping – Feature 1: Supporting DHCP snooping in the VPLS

[Figure: DHCP snooping in the VPLS, with PWs on the network side and access ports on the user side; DHCP snooping is enabled globally and on the physical interfaces (PHY IF). Binding relationships shown: VPLS VSI 100 – PHY IF 1 – VLANIF 10 (VLAN 10) and VPLS VSI 200 – PHY IF 3 – VLANIF 20 (VLAN 20) for DHCP snooping in the VPLS; VLANIF 30 – PHY IF 2 (VLAN 30) for normal DHCP snooping. The figure marks each configuration point as "Take effect" or "Do not take effect" (×) for DHCP snooping in the VPLS versus normal DHCP snooping. LPUs shown as supporting the feature: E, FA, FC, W, and BC series; S series LPUs do not support DHCP snooping in VPLS.]


DHCP Snooping - Limitation

If DHCP relay is enabled in a super-VLAN, DHCP snooping cannot be enabled in that super-VLAN.

DHCP snooping over VPLS is not supported on physical interfaces or on non-VPLS VLAN interfaces; it can be enabled only on VPLS VLAN interfaces.

DHCP snooping over VPLS cannot be enabled on PWs.

S series LPUs do not support DHCP snooping in the VPLS.


DHCP Snooping – Configuration Example #1: Example for Preventing Bogus DHCP Server Attacks

Configuration Roadmap

STEP 1: Enable DHCP snooping globally and on the interface.
STEP 2: Configure the interface connected to the DHCP server as the trusted interface.
STEP 3: Configure the user-side interface as an untrusted interface. DHCP messages of the Offer, ACK, and NAK types received on the untrusted interface are discarded.
STEP 4: Configure the alarm function for discarded packets.

Configure the interface as a trusted or an untrusted interface.
# Configure the interface on the DHCP server side as the trusted interface.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping trusted
[Quidway-GigabitEthernet1/0/0] quit


DHCP Snooping – Configuration Example #2: Example for Limiting the Rate of Sending DHCP Messages

Configuration Roadmap

STEP 1: Enable DHCP snooping globally and in the interface view.
STEP 2: Set the rate of sending DHCP Request messages to the protocol stack.
STEP 3: Configure the alarm function for discarded packets.

Limit the rate of sending DHCP messages.
# Enable the function of checking the rate of sending DHCP Request messages.
[Quidway] dhcp snooping check dhcp-rate enable
# Set the rate of sending DHCP Request messages.
[Quidway] dhcp snooping check dhcp-rate 90


DHCP Snooping – Configuration Example #3: Example for Applying DHCP Snooping on a Layer 2 Network #1

Configuration Roadmap

STEP 1: Enable DHCP snooping globally and in the interface view.
STEP 2: Configure interfaces as trusted or untrusted to prevent bogus DHCP server attacks.
STEP 3: Configure the DHCP snooping binding table and check DHCP Request messages against entries in the binding table, to prevent attackers from sending bogus DHCP messages to extend IP address leases.
STEP 4: Configure checking of the CHADDR field in DHCP Request messages, to prevent attackers from forging the CHADDR field.
STEP 5: Set the rate of sending DHCP Request messages to the protocol stack, to prevent attackers from flooding DHCP Request messages.
STEP 6: Configure the Option 82 function and create the binding table that contains information about the interface.
STEP 7: Configure the alarm function for discarded packets and the alarm function for checking the rate of sending packets.


DHCP Snooping – Configuration Example #3: Example for Applying DHCP Snooping on a Layer 2 Network #2

Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable
# Enable DHCP snooping on the interface at the user side. The configuration procedure of GE 1/0/1 is the same as that of GE 1/0/0 and is not shown here.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping enable
[Quidway-GigabitEthernet1/0/0] quit

Configure the interface as trusted.
# Configure the interface connecting to the DHCP server as the trusted interface and enable DHCP snooping on all the interfaces connecting to DHCP clients. If a client-side interface is not configured as trusted, it defaults to untrusted once DHCP snooping is enabled on it. This prevents bogus DHCP server attacks.
[Quidway] interface gigabitethernet 2/0/0
[Quidway-GigabitEthernet2/0/0] dhcp snooping trusted
[Quidway-GigabitEthernet2/0/0] quit


DHCP Snooping – Configuration Example #4: Example for Applying DHCP Snooping on a Layer 2 Network #3

Configure checking for certain types of packets.
# Enable checking of DHCP Request messages on the interfaces on the DHCP client side, to prevent attackers from sending bogus DHCP messages to extend IP address leases. The configuration of GE 1/0/1 is the same as that of GE 1/0/0 and is not shown here.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping check user-bind enable
[Quidway-GigabitEthernet1/0/0] quit
# Enable checking of the CHADDR field on the interfaces on the DHCP client side, to prevent attackers from changing the CHADDR field in DHCP Request messages. The configuration of GE 1/0/1 is the same as that of GE 1/0/0 and is not shown here.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping check mac-address enable
[Quidway-GigabitEthernet1/0/0] quit


DHCP Snooping – Configuration Example #5: Example for Applying DHCP Snooping on a Layer 2 Network #4

Limit the rate of sending DHCP messages.
# Check the rate of sending DHCP messages, to prevent attackers from flooding DHCP Request messages.
[Quidway] dhcp snooping check dhcp-rate enable
[Quidway] dhcp snooping check dhcp-rate 90

Configure the Option 82 function.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp option82 insert enable
[Quidway-GigabitEthernet1/0/0] quit

Configure the alarm function for discarded packets.
[Quidway] interface gigabitethernet 1/0/0
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply enable
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address threshold 120
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind threshold 120
[Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply threshold 120
[Quidway-GigabitEthernet1/0/0] quit
# Enable the alarm function for checking the rate of sending DHCP messages, and set the alarm threshold for that check.
[Quidway] dhcp snooping check dhcp-rate alarm enable
[Quidway] dhcp snooping check dhcp-rate alarm threshold 80
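The rate check configured in Example #2 and again here (dhcp-rate 90 with an alarm threshold of 80) is easy to reason about once it is written out as a per-interface counter. The block below is an added example for this page, not code from the deck or from the S9700: it admits at most `rate` DHCP messages per one-second window on each interface, counts the rest as discarded, and raises an alarm when the discard count reaches the threshold. Treating the alarm threshold as a count of discarded messages is an assumption about the command's semantics, and the interface names and arrival times are constructed.

```python
# Added example (not from the Huawei deck): per-interface DHCP rate limiting with an
# alarm on discarded messages. The fixed one-second window and the reading of the
# alarm threshold as a discard count are assumptions; arrivals below are constructed.
from collections import defaultdict
from typing import Dict, List, Tuple


class DhcpRateLimiter:
    def __init__(self, rate_pps: int, alarm_threshold: int):
        self.rate = rate_pps                  # like 'dhcp snooping check dhcp-rate 90'
        self.threshold = alarm_threshold      # like '... dhcp-rate alarm threshold 80'
        self.window_start: Dict[str, float] = defaultdict(float)   # interface -> window start
        self.in_window: Dict[str, int] = defaultdict(int)          # interface -> admitted this window
        self.dropped: Dict[str, int] = defaultdict(int)            # interface -> dropped, cumulative
        self.alarms: List[Tuple[str, float, int]] = []             # (interface, time, dropped so far)

    def admit(self, interface: str, now: float) -> bool:
        """Return True if the DHCP message may be handed to the protocol stack."""
        if now - self.window_start[interface] >= 1.0:
            self.window_start[interface] = now      # open a new one-second window
            self.in_window[interface] = 0
        if self.in_window[interface] < self.rate:
            self.in_window[interface] += 1
            return True
        self.dropped[interface] += 1
        if self.dropped[interface] == self.threshold:   # alarm once, when the threshold is reached
            self.alarms.append((interface, now, self.dropped[interface]))
        return False


def run_demo() -> dict:
    """Constructed arrivals: a 200-message burst in 0.5 s on GE1/0/0, one message per second on GE1/0/1."""
    limiter = DhcpRateLimiter(rate_pps=90, alarm_threshold=80)
    burst = [("GE1/0/0", 100.0 + i * 0.0025) for i in range(200)]
    normal = [("GE1/0/1", 100.0 + i * 1.0) for i in range(5)]
    forwarded: Dict[str, int] = defaultdict(int)
    for iface, t in sorted(burst + normal, key=lambda e: e[1]):
        if limiter.admit(iface, t):
            forwarded[iface] += 1
    return {
        "forwarded": dict(forwarded),
        "dropped": dict(limiter.dropped),
        "alarms": limiter.alarms,
    }
```

With these numbers the flooding port gets 90 messages through, 110 are discarded, and a single alarm fires at the 80th discard, while the well-behaved port is never throttled; this is the behaviour the alarm threshold is meant to surface to the operator, so the counters (not the printed output) are what a monitoring integration should read.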



DHCP Security – Feature Implementation

Subcategory: DHCP security

Item | Specifications | Remarks
Setting the format of Option 82 | The default format, the format conforming to the DSLAM standard, and a user-defined format are supported. |
Setting the policy for processing Option 82 on an interface | The Option 82 field in a packet can be kept or replaced. | Note: This version does not support removing the Option 82 field.
Binding an IP address to the MAC address, VLAN ID, or interface flexibly | |
Enabling or disabling the function of checking the DHCP relay address based on the binding | Matches certain entries in the binding table, for example the IP address or MAC address, which are irrelevant to the DHCP relay. |
Restoring entries in the DHCP snooping/relay/server binding table after restart | It can be configured. |
Supporting static binding | |
Enabling or disabling the detection of bogus DHCP servers | The server address is recorded, and the administrator checks whether the address is valid by using the trusted interface. An alarm is generated if the address is invalid. |
Limiting the transmission rate of DHCP packets sent to the host | |


Restoring entries in the DHCP after restart

[Figure: DHCP data held in S9700 memory is written to the CF card as Lease.txt and Conflict.txt by the commands dhcp server database enable and dhcp server database write-delay XXX. After a restart, dhcp server database recover loads the DHCP data from the CF card back into S9700 memory; the figure marks the recovered path with √ and the path without saved data (data lost) with ×.]


DHCP Security – Feature 1: Restoring entries in the DHCP snooping/relay/server binding table after restart

Usage Scenario

When the S9700 functions as a DHCP server, run the dhcp server database command to enable the S9700 to save DHCP data to storage devices. This avoids data loss caused by device faults. The system then generates the lease.txt and conflict.txt files on the CF card; the two files save address lease information and address conflict information respectively. After the dhcp server database command is run, the current DHCP data is automatically saved at the specified interval, and previous data files are overwritten. The interval can be set by using the dhcp server database write-delay interval command.

If a fault occurs on the S9700, run the dhcp server database recover command to recover DHCP data from storage devices after the system restarts.

Example
# Enable the S9700 to save the current DHCP data to storage devices and set the interval at which DHCP data is saved to 36000s.
<Quidway> system-view
[Quidway] dhcp server database enable
[Quidway] dhcp server database write-delay 36000
# Recover DHCP configuration by using the DHCP data saved on storage devices.
<Quidway> system-view
[Quidway] dhcp server database recover
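The save/recover cycle above has two properties worth getting right in any lease store: the periodic write must never leave a half-written file behind if the device fails mid-write, and leases that expired during the outage must not come back on recovery. The following is an added example for this page, not the S9700's code or file format: a small store that writes lease.txt and conflict.txt atomically (temporary file, fsync, rename) at most once per write-delay, and a recover routine that drops expired leases. The JSON layout, temporary directory, MAC and IP addresses and timestamps are constructed.

```python
# Added example (not from the Huawei deck): periodic, crash-safe persistence of DHCP
# lease and conflict state. File contents (JSON) and all sample values are constructed.
import json
import os
import tempfile


class LeaseStore:
    def __init__(self, directory: str, write_delay: float):
        self.dir = directory
        self.write_delay = write_delay       # seconds between saves, like 'write-delay 36000'
        self.leases = {}                     # ip -> {"mac": str, "expires": epoch seconds}
        self.conflicts = {}                  # ip -> epoch seconds when the conflict was detected
        self.last_write = None

    def _atomic_write(self, name: str, data: dict) -> None:
        fd, tmp = tempfile.mkstemp(dir=self.dir, prefix=name + ".")
        with os.fdopen(fd, "w") as f:
            json.dump(data, f)
            f.flush()
            os.fsync(f.fileno())             # data reaches the disk before the rename
        os.replace(tmp, os.path.join(self.dir, name))   # readers see the old or the new file, never a torn one

    def save_if_due(self, now: float) -> bool:
        """Called on every tick; writes only when write_delay has elapsed since the last save."""
        if self.last_write is not None and now - self.last_write < self.write_delay:
            return False
        self._atomic_write("lease.txt", self.leases)
        self._atomic_write("conflict.txt", self.conflicts)
        self.last_write = now
        return True

    @classmethod
    def recover(cls, directory: str, write_delay: float, now: float) -> "LeaseStore":
        """Rebuild the store from the saved files after a restart."""
        store = cls(directory, write_delay)
        for name, attr in (("lease.txt", "leases"), ("conflict.txt", "conflicts")):
            path = os.path.join(directory, name)
            if os.path.exists(path):
                with open(path) as f:
                    setattr(store, attr, json.load(f))
        # leases that ran out while the device was down are not restored
        store.leases = {ip: e for ip, e in store.leases.items() if e["expires"] > now}
        return store


def run_demo() -> dict:
    d = tempfile.mkdtemp()                   # stands in for the CF card
    s = LeaseStore(d, write_delay=36000)
    s.leases["10.1.1.20"] = {"mac": "00:11:22:33:44:55", "expires": 1_000_000 + 86400}
    s.leases["10.1.1.21"] = {"mac": "00:11:22:33:44:56", "expires": 1_000_000 + 60}
    s.conflicts["10.1.1.5"] = 1_000_000
    first = s.save_if_due(now=1_000_000)
    second = s.save_if_due(now=1_000_000 + 100)        # too early, skipped
    # "device restarts" one hour later and recovers from the saved copy
    r = LeaseStore.recover(d, 36000, now=1_000_000 + 3600)
    return {"first": first, "second": second, "leases": r.leases, "conflicts": r.conflicts}
```

Note the trade-off the write-delay creates: leases granted after the last save are lost on restart, so the interval is a balance between flash wear and the amount of lease state you are willing to re-learn from client renewals.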



SAVI – Feature Implementation

Subcategory: SAVI

Item | Specifications | Remarks
Enabling and disabling global SAVI | Source Address Validation Improvements (SAVI) creates address-port binding entries to verify the source addresses of the packets received on the specified port. |
Generating DHCPv6 snooping binding entries | The switch listens to the DHCPv6 address allocation process and dynamically generates binding entries, or uses static binding entries. |
Protocol packet check based on DHCPv6 snooping binding entries | The switch can verify DHCPv6 and ND packets based on DHCPv6 snooping entries. |
Generating ND snooping binding entries | The switch listens to the ND address allocation process and generates dynamic binding entries. |
Protocol packet check based on ND snooping binding entries | The switch can verify DHCPv6 and ND packets based on ND snooping entries. |
Generating PD snooping binding entries | The switch listens to the DHCPv6 PD prefix allocation process and dynamically generates prefix binding entries, or uses static prefix binding entries. |
Protocol packet check based on PD snooping binding entries | The switch can verify DHCPv6 and ND packets based on PD snooping entries. |
Delivering IPSGv6 entries based on DHCPv6 snooping, ND snooping, and PD snooping binding entries | If IPSGv6 is enabled, the switch requests the IPSGv6 module to deliver binding entries to the forwarding plane to verify the forwarded data packets. |
Checking the DHCPv6 snooping trusted interface | |
Checking the ND snooping trusted interface | The switch discards the RA packets received from untrusted interfaces. |


SAVI: Source Address Validation Improvement

Source Address Validation Improvements (SAVI) creates address-port binding entries to verify the source addresses of the packets received on the specified port. Based on duplicate address detection, SAVI listens to address allocation control packets and creates binding entries. After a binding entry is created, the switch verifies the data and protocol packets received on the specified port. The switch forwards valid packets and discards invalid packets.

Function: supported address allocation modes are DHCPv6 and SLAAC (Stateless Address Autoconfiguration).

Scenarios:
DHCPv6-only: only DHCPv6 is used in the network
SLAAC-only: only SLAAC is used in the network
Mixed scenario: DHCPv6 + SLAAC


SAVI: DHCPv6 Mode

[Figure: SAVI in DHCPv6 mode. A host (MAC1) on switch Port 1 (downlink) sends a DHCPv6 Request; the switch forwards it through Port 24 (uplink) to the DHCPv6 server, which replies and allots address A. The switch adds the entry (Port 1, MAC1, A) to the binding table; the host performs DAD NS and gets address A. Afterwards data packets from Port 1 with src=A are forwarded and data packets with src!=A are dropped.]


SAVI: SLAAC Mode

[Figure: SAVI in SLAAC mode. A host (MAC1) on switch Port 1 (downlink) sends a DAD NS (Duplicate Address Detection Neighbor Solicitation) for address A; the switch adds the entry (Port 1, MAC1, A) to the binding table. Data packets with src=A are forwarded and data packets with src!=A are dropped. Port 24 is the uplink.]


DHCP-only: Configuration Example

• Global configuration
• [Quidway] savi enable (Enable the SAVI feature globally)
• [Quidway] dhcp enable (Enable the DHCP feature globally)
• [Quidway] dhcp snooping enable (Enable the DHCP snooping feature globally)

• User side interface Ethernet0/0/10 configuration
• Enable the DHCP snooping feature on the interface:
• [Quidway-Ethernet0/0/10] dhcp snooping enable
• A port on which this command is enabled is called a SAVI-Validation port. Users who go online through this port create entries in the DHCP binding table, but to create a filter table that filters packets by the source IP address, you must also configure "ip source check user-bind enable" on this interface.
• Enable the IPSG feature on the interface:
• [Quidway-Ethernet0/0/10] ip source check user-bind enable
• This command can only be configured on a SAVI-Validation port. Once configured, the port filters the IP packets passing through it by source IP address according to the binding table: only packets whose IP address, MAC address, interface, and VLAN match the binding table can pass through this port; all others are dropped.

• Network side interface Ethernet0/0/20 configuration
• Configure the port as a DHCP trust port:
• [Quidway-Ethernet0/0/20] dhcp snooping trusted
• A port configured as SAVI-DHCP-Trust can pass DHCP packets sent by the server.


DHCP-SLAAC-MIX: Configuration Example

• Global configuration
• [Quidway] savi enable (Enable the SAVI feature globally)
• [Quidway] dhcp enable (Enable the DHCP feature globally)
• [Quidway] dhcp snooping enable (Enable the DHCP snooping feature globally)
• [Quidway] nd snooping enable (Enable the ND snooping feature globally)

• User side interface Ethernet0/0/10 configuration
• Enable the DHCP snooping feature on the interface:
• [Quidway-Ethernet0/0/10] dhcp snooping enable
• Enable the ND snooping feature on the interface:
• [Quidway-Ethernet0/0/10] nd snooping enable
• Enable the IPSG feature on the interface:
• [Quidway-Ethernet0/0/10] ip source check user-bind enable
• When these three commands are configured, the port is called a SAVI-Validation port. Users who go online through this port create entries in both the DHCP binding table and the SLAAC binding table, and at the same time a filter table is created from the binding table to filter IP packets by source address.

• Network side interface Ethernet0/0/20 configuration
• Configure the port as a DHCP trust port:
• [Quidway-Ethernet0/0/20] dhcp snooping trusted
• A port configured as SAVI-DHCP-Trust can pass the DHCP packets sent from the server.
• Configure the port as an ND trust port:
• [Quidway-Ethernet0/0/20] nd snooping trusted
• A port configured as SAVI-RA-Trust can pass the RA packets sent from the server.



ND Snooping – Feature Implementation

Subcategory: ND snooping

Item | Specifications | Remarks
Global, interface-based, and VLAN-based ND snooping | |
Maximum number of ND binding entries | The value is the same as the maximum number of DHCPv6 binding entries. |


ND Snooping: ND User Security

ND: Neighbor Discovery Protocol

Basic idea: an IPv6 node that uses stateless address configuration forms its address, on receiving the router advertisement for the link, by combining the advertised address prefix with an interface ID it generates itself.

Before using an address, the IPv6 node sends an NS packet for DAD, regardless of whether the address was obtained statefully, statelessly, or configured manually. If the address conflicts with another node on the network, the IPv6 node receives the corresponding NA packet.

The device creates or deletes ND binding table entries by detecting the NS and NA packets on the network.


ND Snooping

[Figure: ND snooping. A host (MAC1) on switch Port 1 (downlink) sends an ND RS; the switch forwards it through Port 24 (uplink) to the ND prefix management switch, which answers with an ND RA that distributes prefix A. The switch adds a prefix entry (Port 1, prefix A) to the binding table. The host then sends a DAD NS (prefix=A) and gets address A1, and the switch adds the entry (Port 1, MAC1, A1) to the binding table. Data packets with src=A1 are forwarded and data packets with src!=A1 are dropped.]


ND Snooping – Configuration Example

Global configuration
[Quidway] savi enable (Enable the SAVI feature globally)
[Quidway] dhcp enable (Enable the DHCP feature globally)
[Quidway] nd snooping enable (Enable the ND snooping feature globally)

User side interface Ethernet0/0/10 configuration
Enable the ND snooping feature on the interface:
[Quidway-Ethernet0/0/10] nd snooping enable
A port on which this command is enabled is called a SAVI-Validation port. Users who go online through this port create entries in the SLAAC binding table. To create a filter table that filters IP packets by source address, you must also configure "ip source check user-bind enable" on the interface.
Enable the IPSG feature on the interface:
[Quidway-Ethernet0/0/10] ip source check user-bind enable
This command has to be configured on the SAVI-Validation port. Once configured, the IP packets passing through this port are filtered by source IP address according to the binding table: only packets whose source IP address, MAC address, interface, and VLAN match the binding table can pass through this port; all others are dropped.

Network side interface Ethernet0/0/20 configuration
Configure the interface as an ND trusted interface:
[Quidway-Ethernet0/0/20] nd snooping trusted
A port configured as SAVI-RA-Trust can pass the RA packets sent from the server.
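The SAVI DHCPv6 and SLAAC figures earlier and the ND snooping figure and configuration above all build the same (port, MAC, address) binding table and then let IPSGv6 filter data packets against it; what differs is how an entry gets in. The block below is one added example serving both passages; it is not code from the deck or from the S9700. It models a switch with SAVI-Validation ports, a DHCP trust port and an RA trust port: a DHCPv6 reply accepted on the trust port binds the requesting client's port, an RA accepted on the RA trust port records the advertised prefix for the downlink ports, and a DAD NS on a validation port is admitted into the table only if its target falls within a recorded prefix and is not already bound to another port/MAC. Reading the prefix entry in the ND figure as a check on later DAD NS targets, and flooding the RA prefix to every validation port, are assumptions; port names, MACs and addresses are constructed.

```python
# Added example (not from the Huawei deck): SAVI binding table fed by DHCPv6 snooping
# and ND (RA/DAD) snooping, with IPSGv6-style filtering of data packets. The
# prefix check on DAD NS targets is an interpretation of the figure; all values are constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Binding = Tuple[str, str, str]   # (port, mac, IPv6 address in compressed text form)


def canon(addr: str) -> str:
    """Canonical text so '2001:DB8:1:0::A' and '2001:db8:1::a' compare equal."""
    return ipaddress.IPv6Address(addr).compressed


@dataclass
class SaviSwitch:
    validation_ports: Set[str]       # user-side ports: bindings learned here, IPSG applied here
    dhcp_trust_ports: Set[str]       # ports on which DHCPv6 server messages are accepted
    ra_trust_ports: Set[str]         # ports on which Router Advertisements are accepted
    bindings: Set[Binding] = field(default_factory=set)
    prefixes: Dict[str, Set[ipaddress.IPv6Network]] = field(default_factory=dict)  # port -> RA prefixes
    pending: Dict[str, str] = field(default_factory=dict)   # MAC -> port of its DHCPv6 request
    drops: Dict[str, int] = field(default_factory=dict)

    def _drop(self, reason: str) -> bool:
        self.drops[reason] = self.drops.get(reason, 0) + 1
        return False

    def _bound_elsewhere(self, port: str, mac: str, addr: str) -> bool:
        return any(a == addr and (p, m) != (port, mac) for p, m, a in self.bindings)

    # DHCPv6 mode: the reply on the trust port binds the port where the request was seen
    def dhcpv6_request(self, port: str, mac: str) -> bool:
        if port in self.validation_ports:
            self.pending[mac] = port
        return True

    def dhcpv6_reply(self, port: str, mac: str, addr: str) -> bool:
        if port not in self.dhcp_trust_ports:
            return self._drop("untrust-dhcp-reply")
        cport = self.pending.pop(mac, None)
        if cport is not None:
            self.bindings.add((cport, mac, canon(addr)))
        return True

    # SLAAC / ND snooping mode: RA supplies the prefix, DAD NS supplies the address
    def router_advertisement(self, port: str, prefix: str) -> bool:
        if port not in self.ra_trust_ports:
            return self._drop("untrust-ra")          # rogue router on a user port
        net = ipaddress.IPv6Network(prefix)
        for p in self.validation_ports:             # the RA reaches every downlink
            self.prefixes.setdefault(p, set()).add(net)
        return True

    def dad_ns(self, port: str, mac: str, target: str) -> bool:
        if port not in self.validation_ports:
            return True
        addr = ipaddress.IPv6Address(target)
        if not any(addr in net for net in self.prefixes.get(port, ())):
            return self._drop("prefix-mismatch")    # not formed from an advertised prefix
        if self._bound_elsewhere(port, mac, addr.compressed):
            return self._drop("duplicate-address")  # someone else already holds it
        self.bindings.add((port, mac, addr.compressed))
        return True

    # IPSGv6: on validation ports only bound (port, MAC, source) triples may pass
    def data_packet(self, port: str, mac: str, src: str) -> bool:
        if port not in self.validation_ports:
            return True
        return (port, mac, canon(src)) in self.bindings


def run_demo() -> dict:
    sw = SaviSwitch({"Port1", "Port2", "Port3"}, {"Port24"}, {"Port24"})
    h1, h2, h3 = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"
    out = {}
    sw.dhcpv6_request("Port1", h1)
    out["reply"] = sw.dhcpv6_reply("Port24", h1, "2001:db8:1::a")          # DHCPv6 host on Port1
    out["rogue_dhcp"] = sw.dhcpv6_reply("Port3", h2, "2001:db8:1::bad")    # server reply on a user port
    out["rogue_ra"] = sw.router_advertisement("Port3", "2001:db8:9::/64")  # RA from an untrusted port
    out["ra"] = sw.router_advertisement("Port24", "2001:db8:1::/64")
    out["dad_ok"] = sw.dad_ns("Port2", h2, "2001:db8:1::b")                # SLAAC host on Port2
    out["dad_wrong_prefix"] = sw.dad_ns("Port2", h2, "2001:db8:9::b")
    out["dad_steal"] = sw.dad_ns("Port3", h3, "2001:db8:1::a")             # h3 claims h1's address
    out["data_ok"] = sw.data_packet("Port1", h1, "2001:DB8:1:0::A")        # same address, other spelling
    out["data_spoof"] = sw.data_packet("Port1", h1, "2001:db8:1::b")       # h1 using h2's address
    out["data_port3"] = sw.data_packet("Port3", h3, "2001:db8:1::a")
    out["bindings"] = sorted(sw.bindings)
    out["drops"] = dict(sw.drops)
    return out
```

Canonicalising addresses before comparison matters in practice: a filter that compares the textual form a client puts in its packets against the form the server or router used would let a host slip through with an alternative spelling of the same address.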


DHCP Feature Summary (top 3~5)

The S9700 can act only as a DHCP server and DHCP relay agent; it cannot act as a DHCP client.

The DHCP server supports global address pools and interface address pools.

When the S9700 is deployed with double SRUs and acts as a DHCP server, it supports DHCP server hot backup.

The S9700 DHCP relay agent and DHCP snooping support VPNs, except on S series LPUs.

The S9700 supports DHCPv6 server and DHCPv6 relay agent.

Copyright © 2012 Huawei Technologies Co., Ltd. All Rights Reserved. The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purposes only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.

HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY

