DHCP server, DHCP relay and DHCP snooping implementation on Huawei
- November 17, 2024
- Posted by: James Majani
- Category: Huawei
Dynamic Host Configuration Protocol (DHCP) is a network management protocol used to dynamically assign an IP address, together with the subnet mask, default gateway and DNS server, to a device on a network so that it can communicate over IP. DHCP automates and centrally manages this configuration instead of requiring network administrators to assign addresses to every device by hand.
When a client connects to a network it sends a DHCP Discover as an IP broadcast, which is visible only on the subnet (VLAN) where the client sits. DHCP servers are typically centralized rather than present on every subnet, so DHCP relay gives clients a way to reach a server that is not on their local subnet. The relay agent (here the gateway router) receives the broadcast, writes its own interface address on that subnet into the giaddr field, and forwards the message as a routed unicast to the configured DHCP server. The server uses giaddr to select the address pool for the client's subnet and sends its Offer and Ack back to the relay, which delivers them on the client's subnet.
DHCP snooping acts like a firewall between DHCP clients and the DHCP server and defends against attacks that abuse DHCP: bogus (rogue) DHCP server attacks, DHCP server DoS (address starvation) attacks and bogus DHCP message attacks. A switch with DHCP snooping enabled forwards server messages (Offer, Ack, Nak) only when they arrive on an interface configured as trusted, so clients can obtain addresses only from authorized servers, and it records a DHCP snooping binding table that maps each client's MAC address to the IP address, VLAN and interface it obtained, which later DHCP messages can be checked against.
Networking description.
An enterprise uses a DHCP server to assign IP addresses to clients. The enterprise clients are on network segment 192.168.10.0/24 (VLAN 10) and 192.168.20.0/24 (VLAN 20), and the DHCP server is on network segment 10.0.0.0/30. The clients obtain IP addresses from the DHCP server through AR1, which is enabled with DHCP relay and is also the gateway for enterprise services. The access switch ACC connects the clients (Ethernet0/0/1 and Ethernet0/0/2 in VLAN 10, Ethernet0/0/3 and Ethernet0/0/4 in VLAN 20) to AR1 over the trunk GigabitEthernet0/0/1, and it is where DHCP snooping is enabled.
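As an added example, not part of the original post and not Huawei code, the following Python model walks a client through the Discover/Offer/Request/Ack exchange across the relay and the snooping switch of this topology: the relay fills giaddr and unicasts to 10.0.0.2, the server picks the pool whose network contains giaddr, and the access switch accepts server replies only on the trusted uplink and builds its binding table from the Acks. The client MAC addresses are constructed, the message is a dataclass carrying only the header fields that matter here rather than real DHCP bytes, and pool selection, the trusted-port rule and the binding table are the behaviours described above, not Huawei's implementation.

```python
import ipaddress
from dataclasses import dataclass

BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5  # DHCP option 53 message types


@dataclass
class Dhcp:  # the header fields the relay and the snooping switch act on
    op: int
    msg_type: int
    xid: int
    chaddr: str                      # client hardware (MAC) address
    yiaddr: str = "0.0.0.0"          # address the server offers/assigns
    giaddr: str = "0.0.0.0"          # relay agent address; 0.0.0.0 when not relayed
    dst_ip: str = "255.255.255.255"  # clients broadcast, relay and server unicast


class DhcpServer:
    """Global-pool server: the pool is selected by the giaddr the relay inserted."""
    def __init__(self, pools):  # {"192.168.10.0/24": "192.168.10.1", ...}
        self.pools = {ipaddress.ip_network(n): ipaddress.ip_address(g) for n, g in pools.items()}
        self.leases = {}  # chaddr -> IPv4Address

    def _allocate(self, net, gateway, chaddr):
        if chaddr in self.leases:
            return self.leases[chaddr]
        used = {gateway} | set(self.leases.values())
        free = next((ip for ip in net.hosts() if ip not in used), None)
        if free is None:
            raise RuntimeError("pool exhausted")  # the goal of a DHCP starvation attack
        self.leases[chaddr] = free
        return free

    def handle(self, msg):
        giaddr = ipaddress.ip_address(msg.giaddr)
        net = next((n for n in self.pools if giaddr in n), None)
        if msg.op != BOOTREQUEST or net is None:
            return None  # not a request, or no pool covers the relay's subnet
        ip = self._allocate(net, self.pools[net], msg.chaddr)
        reply_type = OFFER if msg.msg_type == DISCOVER else ACK
        # Replies to a relayed request are unicast back to the relay (giaddr)
        return Dhcp(BOOTREPLY, reply_type, msg.xid, msg.chaddr, str(ip), msg.giaddr, msg.giaddr)


class DhcpRelay:
    """AR1: one gateway address per VLAN sub-interface and one server address."""
    def __init__(self, gateways, server_ip):
        self.gateways, self.server_ip = gateways, server_ip  # {vlan: gateway ip}

    def to_server(self, vlan, msg):
        if msg.giaddr == "0.0.0.0":  # only the first relay hop fills giaddr
            msg.giaddr = self.gateways[vlan]
        msg.dst_ip = self.server_ip  # routed unicast instead of a local broadcast
        return msg

    def to_client(self, msg):
        vlan = next(v for v, gw in self.gateways.items() if gw == msg.giaddr)
        msg.dst_ip = "255.255.255.255"  # re-broadcast on the client's VLAN
        return vlan, msg


class SnoopingSwitch:
    """ACC: server replies pass only on trusted ports; Acks fill the binding table."""
    def __init__(self, trusted):
        self.trusted = set(trusted)
        self.client_port = {}  # chaddr -> port learnt from client requests
        self.bindings = {}     # chaddr -> (ip, vlan, port): the snooping binding table

    def forward(self, port, vlan, msg):
        """Return True if the frame is forwarded, False if snooping drops it."""
        if msg.op == BOOTREPLY:
            if port not in self.trusted:  # Offer/Ack from a client port: bogus server
                return False
            if msg.msg_type == ACK and msg.chaddr in self.client_port:
                self.bindings[msg.chaddr] = (msg.yiaddr, vlan, self.client_port[msg.chaddr])
        elif port not in self.trusted:
            self.client_port[msg.chaddr] = port
        return True


def build_topology():
    acc = SnoopingSwitch(trusted={"GigabitEthernet0/0/1"})
    ar1 = DhcpRelay({10: "192.168.10.1", 20: "192.168.20.1"}, server_ip="10.0.0.2")
    server = DhcpServer({"192.168.10.0/24": "192.168.10.1", "192.168.20.0/24": "192.168.20.1"})
    return acc, ar1, server


def dora(acc, ar1, server, mac, vlan, port, xid=0x1234):
    """Discover/Offer/Request/Ack for one client; returns the assigned address or None."""
    for req_type in (DISCOVER, REQUEST):
        req = Dhcp(BOOTREQUEST, req_type, xid, mac)
        if not acc.forward(port, vlan, req):  # client port -> trunk
            return None
        reply = server.handle(ar1.to_server(vlan, req))
        if reply is None:
            return None
        reply_vlan, reply = ar1.to_client(reply)
        if not acc.forward("GigabitEthernet0/0/1", reply_vlan, reply):  # trunk -> client port
            return None
    return reply.yiaddr


def demo():
    acc, ar1, server = build_topology()
    pc1 = dora(acc, ar1, server, "54:89:98:01:00:01", 10, "Ethernet0/0/1")  # constructed MACs
    pc3 = dora(acc, ar1, server, "54:89:98:03:00:03", 20, "Ethernet0/0/3")
    # A bogus server on Ethernet0/0/2 (untrusted) broadcasts an Offer: snooping drops it
    rogue = Dhcp(BOOTREPLY, OFFER, 0x9999, "54:89:98:01:00:01", "192.168.10.250")
    return pc1, pc3, acc.forward("Ethernet0/0/2", 10, rogue), acc.bindings
```

Running demo() hands the VLAN 10 client 192.168.10.2 and the VLAN 20 client 192.168.20.2 (the gateway address is excluded from each pool), reports the rogue Offer as dropped, and leaves one binding per client keyed by MAC. The same model shows why the relay must be the only device filling giaddr and why only the uplink may be trusted: a trusted client port would let the rogue Offer through unchanged.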
Step 1: Configure access switch.
*******************************************ACC
system-view
#
sysname ACC
#
vlan batch 10 20
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
#
port-group 1
group-member Ethernet0/0/1
group-member Ethernet0/0/2
port link-type access
port default vlan 10
port-group 2
group-member Ethernet0/0/3
group-member Ethernet0/0/4
port link-type access
port default vlan 20
#
return
Step 2: Configure DHCP relay on AR1. Each dot1q termination sub-interface is the clients' gateway for its VLAN and supplies the giaddr the relay inserts; arp broadcast enable is needed on such sub-interfaces so that the router can resolve client MAC addresses.
*******************************************AR1
system-view
#
sysname AR1
#
dhcp enable
#
interface GigabitEthernet0/0/0
ip address 10.0.0.1 255.255.255.252
#
interface GigabitEthernet0/0/1.10
dot1q termination vid 10
ip address 192.168.10.1 255.255.255.0
arp broadcast enable
dhcp select relay
dhcp relay server-ip 10.0.0.2
#
interface GigabitEthernet0/0/1.20
dot1q termination vid 20
ip address 192.168.20.1 255.255.255.0
arp broadcast enable
dhcp select relay
dhcp relay server-ip 10.0.0.2
#
ospf 1
silent-interface all
undo silent-interface GigabitEthernet0/0/0
area 0.0.0.0
network 10.0.0.0 0.0.0.3
network 192.168.10.0 0.0.0.255
network 192.168.20.0 0.0.0.255
#
return
Step 3: Configure DHCP server.
*******************************************DHCP-SERVER
system-view
#
sysname DHCP-SERVER
#
dhcp enable
#
ip pool VLAN10
gateway-list 192.168.10.1
network 192.168.10.0 mask 255.255.255.0
dns-list 8.8.8.8
#
ip pool VLAN20
gateway-list 192.168.20.1
network 192.168.20.0 mask 255.255.255.0
dns-list 8.8.8.8
#
interface GigabitEthernet0/0/0
ip address 10.0.0.2 255.255.255.252
dhcp select global
#
interface LoopBack0
ip address 8.8.8.8 255.255.255.255
#
ospf 1
silent-interface all
undo silent-interface GigabitEthernet0/0/0
area 0.0.0.0
network 8.8.8.8 0.0.0.0
network 10.0.0.0 0.0.0.3
#
return
Step 4: Configure DHCP snooping on the access switch. Only the uplink GigabitEthernet0/0/1 toward AR1 is marked trusted; the client ports in both port groups stay untrusted, which is the default.
*******************************************ACC
system-view
#
dhcp enable
#
dhcp snooping enable ipv4
#
interface GigabitEthernet0/0/1
dhcp snooping trusted
#
port-group 1
dhcp snooping enable
#
port-group 2
dhcp snooping enable
#
return
Step 5: Result confirmation.
Set the PCs to obtain an IP address via DHCP and confirm that PCs in VLAN 10 receive an address from 192.168.10.0/24 with gateway 192.168.10.1 and PCs in VLAN 20 an address from 192.168.20.0/24 with gateway 192.168.20.1, both with DNS 8.8.8.8.
Check the DHCP server statistics on DHCP-SERVER (display dhcp server statistics); the Discover and Request counters should grow with each client.
Check the interfaces where DHCP relay is enabled and the relay statistics on AR1 (display dhcp relay all, display dhcp relay statistics).
Check DHCP snooping on the interfaces of the access switch (display dhcp snooping interface GigabitEthernet0/0/1); the uplink must show as trusted and the client ports as untrusted.
Check the DHCP snooping binding table (display dhcp snooping user-bind all); it should hold one entry per client with its MAC address, IP address, VLAN, interface and lease time.
DHCP snooping protects the network with two things: the trusted interface and the binding table. Because only the uplink GigabitEthernet0/0/1 toward AR1 is trusted, an Offer or Ack that a rogue DHCP server injects on any of the client ports Ethernet0/0/1 to Ethernet0/0/4 is discarded, and the binding table records which IP address, VLAN and interface each client MAC obtained, giving the switch a reference against which later DHCP messages from that client can be validated. Two caveats: the table is built from the DHCP exchange itself, so hosts with static addresses never appear in it, and snooping on ACC cannot stop a rogue server that sits behind the trusted uplink.