Home » HP Manuals » Servers » HP 6125XLG » Manual Viewer

HP 6125XLG R2306-HP 6125XLG Blade Switch Layer 3 - IP Services Configuration G - Page 73

Configuring DHCP snooping, Overview, Application of trusted and untrusted ports

Add to My Manuals
Save this manual to your list of manuals

Page 73 highlights

Configuring DHCP snooping DHCP snooping works between the DHCP client and server, or between the DHCP client and relay agent. It guarantees that DHCP clients obtain IP addresses from authorized DHCP servers. Also, it records IP-to-MAC bindings of DHCP clients (called DHCP snooping entries) for security purposes. DHCP snooping does not work between the DHCP server and DHCP relay agent. Overview DHCP snooping defines trusted and untrusted ports to make sure that clients obtain IP addresses only from authorized DHCP servers. • Trusted-A trusted port can forward DHCP messages normally to make sure the clients get IP addresses from authorized DHCP servers. • Untrusted-An untrusted port discards received DHCP-ACK and DHCP-OFFER messages to prevent unauthorized servers from assigning IP addresses. DHCP snooping reads DHCP-ACK messages received from trusted ports and DHCP-REQUEST messages to create DHCP snooping entries. A DHCP snooping entry includes the MAC and IP addresses of a client, the port that connects to the DHCP client, and the VLAN. The following features need to use DHCP snooping entries: • ARP detection-Uses DHCP snooping entries to filter ARP packets from unauthorized clients. For more information, see Security Configuration Guide. • IP source guard-Uses DHCP snooping entries to filter illegal packets on a per-port basis. For more information, see Security Configuration Guide. Application of trusted and untrusted ports Configure ports facing the DHCP server as trusted ports, and configure other ports as untrusted ports. As shown in Figure 26, configure the DHCP snooping device's port that is connected to the DHCP server as a trusted port. The trusted port forwards response messages from the DHCP server to the client. The untrusted port connected to the unauthorized DHCP server discards incoming DHCP response messages. 64

Section	Page
Title Page	1
Contents	3
Configuring ARP	10
Overview	10
ARP message format	10
ARP operating mechanism	10
ARP table	11
Dynamic ARP entry	11
Static ARP entry	12
Configuring a static ARP entry	12
Configuring a multiport ARP entry	13
Configuring the maximum number of dynamic ARP entries	13
Setting the aging timer for dynamic ARP entries	14
Enabling dynamic ARP entry check	14
Configuring ARP fast update	15
Displaying and maintaining ARP	15
Static ARP configuration example	16
Network requirements	16
Configuration procedure	16
Multiport ARP entry configuration example	17
Network requirements	17
Configuration procedure	17
Configuring gratuitous ARP	19
Overview	19
Gratuitous ARP packet learning	19
Periodic sending of gratuitous ARP packets	19
Configuration procedure	20
Configuring proxy ARP	21
Enabling common proxy ARP	21
Enabling local proxy ARP	21
Displaying proxy ARP	21
Common proxy ARP configuration example	22
Network requirements	22
Configuration procedure	22
Configuring ARP snooping	24
Configuration procedure	24
Displaying and maintaining ARP snooping	24
Configuring IP addressing	25
Overview	25
IP address classes	25
Special IP addresses	26
Subnetting and masking	26
Assigning an IP address to an interface	27
Configuration guidelines	27
Configuration procedure	27
Configuring IP unnumbered	27
Configuration guidelines	28
Configuration prerequisites	28
Configuration procedure	28
Displaying and maintaining IP addressing	28
IP address configuration example	29
Network requirements	29
Configuration procedure	29
Verifying the configuration	29
DHCP overview	31
DHCP address allocation	31
Allocation mechanisms	31
Dynamic IP address allocation process	32
IP address lease extension	32
DHCP message format	33
DHCP options	34
Common DHCP options	34
Custom DHCP options	34
Vendor-specific option (Option 43)	34
Relay agent option (Option 82)	36
Option 184	36
Protocols and standards	36
Configuring the DHCP server	38
Overview	38
DHCP address pool	38
Address assignment mechanisms	38
Principles for selecting an address pool	39
IP address allocation sequence	40
DHCP server configuration task list	40
Configuring an address pool on the DHCP server	40
Configuration task list	40
Creating a DHCP address pool	41
Specifying IP address ranges for a DHCP address pool	41
Specifying a primary subnet and multiple address ranges for a DHCP address pool	41
Specifying a primary subnet and multiple secondary subnets for a DHCP address pool	42
Configuring a static binding in a DHCP address pool	44
Specifying gateways for the client	44
Specifying a domain name suffix for the client	45
Specifying DNS servers for the client	45
Specifying WINS servers and NetBIOS node type for the client	46
Specifying BIMS server information for the client	46
Specifying the TFTP server and boot file name for the client	47
Specifying a server for the DHCP client	47
Configuring Option 184 parameters for the client	48
Configuring self-defined DHCP options	48
Enabling DHCP	49
Enabling the DHCP server on an interface	49
Applying an address pool on an interface	50
Configuring IP address conflict detection	50
Enabling handling of Option 82	51
Configuring DHCP server compatibility	51
Configuring the DHCP server to broadcast all responses	51
Configure the DHCP server to ignore BOOTP requests	51
Configuring the DHCP server to send BOOTP responses in RFC 1048 format	52
Displaying and maintaining the DHCP server	52
DHCP server configuration examples	53
Static IP address assignment configuration example	53
Network requirements	53
Configuration procedure	53
Verifying the configuration	54
Dynamic IP address assignment configuration example	54
Network requirements	54
Configuration procedure	55
Verifying the configuration	56
DHCP user class configuration example	56
Network requirement	56
Configuration procedure	56
Verifying the configuration	57
Self-defined option configuration example	57
Network requirements	57
Configuration procedure	57
Verifying the configuration	58
Troubleshooting DHCP server configuration	58
Symptom	58
Analysis	58
Solution	58
Configuring the DHCP relay agent	59
Overview	59
Operation	59
DHCP relay agent support for Option 82	60
DHCP relay agent configuration task list	60
Enabling DHCP	61
Enabling the DHCP relay agent on an interface	61
Specifying DHCP servers on a relay agent	61
Configuring the DHCP relay agent security functions	62
Enabling the DHCP relay agent to record relay entries	62
Enabling periodic refresh of dynamic relay entries	62
Enabling DHCP starvation attack protection	63
Configuring the DHCP relay agent to release an IP address	64
Configuring Option 82	64
Displaying and maintaining the DHCP relay agent	65
DHCP relay agent configuration examples	65
DHCP relay agent configuration example	65
Network requirements	65
Configuration procedure	66
Option 82 configuration example	66
Network requirements	66
Configuration procedure	66
Troubleshooting DHCP relay agent configuration	67
Symptom	67
Analysis	67
Solution	67
Configuring the DHCP client	68
Enabling the DHCP client on an interface	68
Configuring a DHCP client ID for an interface	69
Enabling duplicated address detection	69
Displaying and maintaining the DHCP client	70
DHCP client configuration example	70
Network requirements	70
Configuration procedure	70
Verifying the configuration	71
Configuring DHCP snooping	73
Overview	73
Application of trusted and untrusted ports	73
DHCP snooping support for Option 82	74
DHCP snooping configuration task list	75
Configuring basic DHCP snooping	75
Configuring Option 82	76
Saving DHCP snooping entries	77
Enabling DHCP starvation attack protection	78
Enabling DHCP-REQUEST attack protection	78
Configuring DHCP packet rate limit	79
Displaying and maintaining DHCP snooping	79
DHCP snooping configuration examples	80
Basic DHCP snooping configuration example	80
Network requirements	80
Configuration procedure	80
Verifying the configuration	81
Option 82 configuration example	81
Network requirements	81
Configuration procedure	81
Verifying the configuration	82
Configuring the BOOTP client	83
BOOTP application	83
Obtaining an IP address dynamically	83
Protocols and standards	83
Configuring an interface to use BOOTP for IP address acquisition	84
Displaying and maintaining BOOTP client	84
BOOTP client configuration example	84
Network requirements	84
Configuration procedure	84
Configuring DNS	85
Overview	85
Static domain name resolution	85
Dynamic domain name resolution	85
Resolution process	85
DNS suffixes	86
DNS proxy	86
DNS spoofing	87
DNS configuration task list	88
Configuring the IPv4 DNS client	89
Configuring static domain name resolution	89
Configuring dynamic domain name resolution	89
Configuration guidelines	89
Configuration procedure	90
Configuring the IPv6 DNS client	90
Configuring static domain name resolution	90
Configuring dynamic domain name resolution	91
Configuration guidelines	91
Configuration procedure	91
Configuring the DNS proxy	91
Configuring DNS spoofing	92
Specifying the source interface for DNS packets	92
Configuring the DNS trusted interface	93
Displaying and maintaining IPv4 DNS	93
IPv4 DNS configuration examples	94
Static domain name resolution configuration example	94
Network requirements	94
Configuration procedure	94
Dynamic domain name resolution configuration example	95
Network requirements	95
Configuration procedure	95
Verifying the configuration	97
DNS proxy configuration example	97
Network requirements	97
Configuration procedure	98
Verifying the configuration	98
IPv6 DNS configuration examples	99
Static domain name resolution configuration example	99
Network requirements	99
Configuration procedure	99
Dynamic domain name resolution configuration example	100
Network requirements	100
Configuration procedure	100
Verifying the configuration	103
DNS proxy configuration example	104
Network requirements	104
Configuration procedure	104
Verifying the configuration	105
Troubleshooting IPv4 DNS configuration	105
Symptom	105
Solution	105
Troubleshooting IPv6 DNS configuration	105
Symptom	105
Solution	105
Configuring DDNS	106
Overview	106
DDNS application	106
DDNS client configuration task list	107
Configuring a DDNS policy	107
Configuration prerequisites	108
Configuration procedure	108
Applying the DDNS policy to an interface	109
Displaying DDNS	110
DDNS configuration examples	110
DDNS configuration example with www.3322.org	110
Network requirements	110
Configuration procedure	110
DDNS configuration example with PeanutHull server	111
Network requirements	111
Configuration procedure	111
Basic IP forwarding on the device	113
FIB table	113
Displaying FIB table entries	113
Optimizing IP performance	115
Enabling an interface to receive and forward directed broadcasts destined for the directly connected network	115
Configuration procedure	115
Configuration example	115
Network requirements	115
Configuration procedure	116
Configuring MTU for an interface	116
Configuring TCP MSS for an interface	116
Configuring TCP path MTU discovery	117
Enabling TCP SYN Cookie	118
Configuring the TCP buffer size	118
Configuring TCP timers	119
Enabling sending ICMP error packets	119
Disabling forwarding ICMP fragments	120
Displaying and maintaining IP performance optimization	121
Configuring UDP helper	122
Overview	122
Configuration guidelines	122
Configuration procedure	122
Displaying and maintaining UDP helper	123
UDP helper configuration example	123
Network requirements	123
Configuration procedure	123
Verifying the configuration	124
Configuring basic IPv6 settings	125
Overview	125
IPv6 features	125
Simplified header format	125
Larger address space	125
Hierarchical address structure	125
Address autoconfiguration	125
Built-in security	126
QoS support	126
Enhanced neighbor discovery mechanism	126
Flexible extension headers	126
IPv6 addresses	126
IPv6 address formats	126
IPv6 address types	127
Unicast addresses	127
Multicast addresses	128
EUI-64 address-based interface identifiers	128
IPv6 ND protocol	129
Address resolution	129
Neighbor reachability detection	130
Duplicate address detection	130
Redirection	130
IPv6 path MTU discovery	130
IPv6 transition technologies	131
Dual stack	131
Tunneling	131
Protocols and standards	131
IPv6 basics configuration task list	132
Assigning IPv6 addresses to interfaces	132
Configuring an IPv6 global unicast address	133
EUI-64 IPv6 address	133
Manual configuration	133
Configuring an IPv6 link-local address	133
Configuring automatic generation of an IPv6 link-local address for an interface	134
Manually specifying an IPv6 link-local address for an interface	134
Configuring an IPv6 anycast address	134
Configuring IPv6 ND	135
Configuring a static neighbor entry	135
Setting the maximum number of dynamic neighbor entries	135
Setting the aging timer for ND entries in stale state	136
Minimizing link-local ND entries	136
Setting the hop limit	136
Configuring parameters for RA messages	137
Enabling sending of RA messages	137
Configuring parameters for RA messages	138
Configuring the maximum number of attempts to send an NS message for DAD	139
Configuring path MTU discovery	139
Configuring the interface MTU	139
Configuring a static path MTU for a specific IPv6 address	140
Configuring the aging time for dynamic path MTUs	140
Controlling sending ICMPv6 packets	140
Enabling replying to multicast echo requests	141
Enabling sending ICMPv6 destination unreachable messages	141
Enabling sending ICMPv6 time exceeded messages	141
Enabling sending ICMPv6 redirect messages	142
Displaying and maintaining IPv6 basics	142
IPv6 basics configuration example	144
Network requirements	144
Configuration procedure	144
Verifying the configuration	145
Troubleshooting IPv6 basics configuration	148
Symptom	148
Solution	148
DHCPv6 overview	149
DHCPv6 address/prefix assignment	149
Rapid assignment involving two messages	149
Assignment involving four messages	149
Address/prefix lease renewal	150
Stateless DHCPv6	151
Protocols and standards	151
Configuring the DHCPv6 server	152
Overview	152
IPv6 address assignment	152
IPv6 prefix assignment	152
Concepts	153
Multicast addresses used by DHCPv6	153
DUID	153
IA	153
IAID	153
PD	154
DHCPv6 address pool	154
Address allocation mechanisms	154
Prefix allocation mechanisms	154
Address pool selection	154
IPv6 address/prefix allocation sequence	155
Configuration task list	155
Configuring IPv6 prefix assignment	155
Configuration guidelines	156
Configuration procedure	156
Configuring IPv6 address assignment	157
Configuration guidelines	157
Configuration procedure	157
Configuring network parameters assignment	158
Configuring the DHCPv6 server on an interface	159
Configuration guidelines	159
Configuration procedure	159
Displaying and maintaining the DHCPv6 server	160
DHCPv6 server configuration examples	161
Dynamic IPv6 prefix assignment configuration example	161
Network requirements	161
Configuration procedure	161
Verifying the configuration	162
Dynamic IPv6 address assignment configuration example	163
Network requirements	163
Configuration procedure	163
Verifying the configuration	164
Configuring tunneling	165
Overview	165
IPv6 over IPv4 tunneling	165
Implementation	165
Tunnel modes	166
IPv4 over IPv4 tunneling	167
IPv4 over IPv6 tunneling	168
IPv6 over IPv6 tunneling	169
Protocols and standards	170
Tunneling configuration task list	170
Configuring a tunnel interface	170
Configuring an IPv6 over IPv4 manual tunnel	171
Configuration example	172
Network requirements	172
Configuration procedure	173
Verifying the configuration	174
Configuring a 6to4 tunnel	174
6to4 tunnel configuration example	175
Network requirements	175
Configuration considerations	176
Configuration procedure	176
Verifying the configuration	177
Configuring an ISATAP tunnel	178
Configuration example	178
Network requirements	178
Configuration procedure	179
Verifying the configuration	180
Configuring an IPv4 over IPv4 tunnel	181
Configuration example	182
Network requirements	182
Configuration procedure	182
Verifying the configuration	183
Configuring an IPv4 over IPv6 tunnel	184
Configuration example	185
Network requirements	185
Configuration procedure	185
Verifying the configuration	186
Configuring an IPv6 over IPv6 tunnel	187
Configuration example	188
Network requirements	188
Configuration procedure	188
Verifying the configuration	190
Displaying and maintaining tunneling configuration	190
Troubleshooting tunneling configuration	190
Symptom	190
Analysis	190
Solution	190
Configuring GRE	192
Overview	192
GRE encapsulation format	192
GRE encapsulation and de-encapsulation	193
Encapsulation process	193
De-encapsulation process	193
Protocols and standards	193
Configuring a GRE over IPv4 tunnel	193
Configuration prerequisites	194
Configuration procedure	194
Configuring a GRE over IPv6 tunnel	196
Configuration prerequisites	196
Configuration procedure	196
Displaying and maintaining GRE	197
GRE configuration examples	198
GRE over IPv4 configuration example	198
Network requirements	198
Configuration procedure	198
GRE over IPv6 configuration example	201
Network requirements	201
Configuration procedure	201
Troubleshooting GRE	204
Symptom	204
Analysis	204
Solution	204
Support and other resources	205
Contacting HP	205
Subscription service	205
Related information	205
Documents	205
Websites	205
Conventions	206
Command conventions	206
GUI conventions	206
Symbols	206
Network topology icons	207
Port numbering in examples	207

Match case Limit results 1 per page

Configuring DHCP snooping

DHCP snooping works between the DHCP client and server, or between the DHCP client and relay agent.

It guarantees that DHCP clients obtain IP addresses from authorized DHCP servers. Also, it records

IP-to-MAC bindings of DHCP clients (called DHCP snooping entries) for security purposes.

DHCP snooping does not work between the DHCP server and DHCP relay agent.

Overview

DHCP snooping defines trusted and untrusted ports to make sure that clients obtain IP addresses only

from authorized DHCP servers.

•

Trusted

—A trusted port can forward DHCP messages normally to make sure the clients get IP

addresses from authorized DHCP servers.

•

Untrusted

—An untrusted port discards received DHCP-ACK and DHCP-OFFER messages to prevent

unauthorized servers from assigning IP addresses.

DHCP snooping reads DHCP-ACK messages received from trusted ports and DHCP-REQUEST messages

to create DHCP snooping entries. A DHCP snooping entry includes the MAC and IP addresses of a client,

the port that connects to the DHCP client, and the VLAN.

The following features need to use DHCP snooping entries:

•

ARP

detection

—Uses DHCP snooping entries to filter ARP packets from unauthorized clients. For

more information, see

Security Configuration

Guide.

•

source

guard

—Uses DHCP snooping entries to filter illegal packets on a per-port basis. For more

information, see

Security Configuration

Guide

Application of trusted and untrusted ports

Configure ports facing the DHCP server as trusted ports, and configure other ports as untrusted ports.

As shown in

Figure 26

, configure the DHCP snooping device's port that is connected to the DHCP server

as a trusted port. The trusted port forwards response messages from the DHCP server to the client. The

untrusted port connected to the unauthorized DHCP server discards incoming DHCP response messages.