SupportDocumentationRoutersAccess RoutersAR100&200Configuration & CommissioningConfiguration Guide

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010 CLI-based Configuration Guide - IP Service

This document describes the concepts and configuration procedures of IP Service features on the device, and provides the configuration examples.

This document describes the concepts and configuration procedures of IP Service features on the device, and provides the configuration examples.

Configuring a DHCP Relay Agent

Configuring a DHCP Relay Agent

Enabling DHCP

Context

Before enabling the DHCP relay function, enable DHCP in the system view.

  • The dhcp enable command is the prerequisite for configuring DHCP-related functions, including DHCP relay, DHCP snooping, and DHCP server. These functions take effect only after the dhcp enable command is run. After the undo dhcp enable command is run, all DHCP-related configurations of the device are deleted. After DHCP is enabled again using the dhcp enable command, all DHCP-related configurations of the device are restored to the default configurations.

  • After DHCP is enabled, if STP is also enabled, address allocation may slow down. By default, STP is enabled. To disable STP, run the undo stp enable command.

Procedure

  1. Enter the system view. 

    system-view

  2. Enable DHCP. 

    dhcp enable

    By default, DHCP is disabled.

  3. (Optional) Enable dynamic route limiting on DHCP messages. 

    dhcp speed-limit auto

    By default, dynamic rate limiting is disabled on DHCP messages.

Enabling the DHCP Relay Function

Context

Enable the DHCP relay function on an interface so that the interface functions as a DHCP relay agent.

Procedure

  1. Enter the system view. 

    system-view

  2. Enter the interface view or sub-interface view. 

    interface interface-type interface-number [.subinterface-number ]

  3. Configure an IP address for the interface. 

    ip address ip-address { mask | mask-length }

    • The DHCP relay function is configured on the user-side gateway interface typically. The IP address of the gateway interface must be on the same network segment as the address pool configured on the DHCP server; otherwise, DHCP clients cannot obtain IP addresses.

  4. Enable the DHCP relay function on the interface. 

    dhcp select relay

    By default, the DHCP relay function is disabled on an interface.

    When enabling the DHCP relay function on a sub-interface, run the arp broadcast enable command on the sub-interface to enable ARP broadcast on the VLAN tag termination sub-interface. By default, ARP broadcast is enabled on a VLAN tag termination sub-interface.

    If DHCP relay is enabled in a super-VLAN, DHCP snooping cannot be enabled in this super-VLAN.

Specifying the DHCP Server IP Address

Context

You must specify the IP address of the DHCP server so that the DHCP relay agent can forward DHCP messages between the server and clients. Two methods are available for you to specify the DHCP server IP address: in the interface view and in the DHCP server group view. The former method is recommended if you configure the DHCP relay function on individual interfaces connected to DHCP servers that have different IP addresses. The latter method is recommended if you configure the DHCP relay function on multiple interfaces that connect to one DHCP server.

A maximum of 16 DHCP relay agents are allowed between a DHCP server and a DHCP client. If there are more than 16 DHCP relay agents, DHCP messages are discarded.

Procedure

  • Specify the DHCP server IP address in the interface view.
    1. Enter the system view. 

      system-view

    2. (Optional) Configure the DHCP server polling function on the DHCP relay agent. 

      ip relay address cycle

      By default, DHCP server polling is disabled on a DHCP relay agent.

    3. (Optional) Set the TTL value for DHCP Discovery messages after they are forwarded by the DHCP relay agent at Layer 3. 

      dhcp set ttl { unvaried | ttl-value }

      By default, the TTL value of DHCP Discovery messages decreases by 1 after they are forwarded by the DHCP relay agent at Layer 3.

      If the DHCP relay agent connects to a special client whose TTL value of DHCP Discovery messages is 1, and if there are routing devices between the DHCP relay agent and DHCP server, run the dhcp set ttl ttl-value command to specify a fixed TTL value (16 is recommended) for DHCP Discovery messages after they are forwarded by the DHCP relay agent at Layer 3.

    4. Enter the interface or sub-interface view. 

      interface interface-type interface-number [.subinterface-number ]

    5. Specify the IP address of a DHCP server. 

      dhcp relay server-ip ip-address

      By default, no DHCP server IP address is specified.

      You can specify up to eight DHCP server IP addresses for each interface.

  • Specify the DHCP server IP address in the DHCP server group view.
    1. Enter the system view. 

      system-view

    2. (Optional) Configure the DHCP server polling function on the DHCP relay agent. 

      ip relay address cycle

      By default, DHCP server polling is disabled on a DHCP relay agent.

    3. (Optional) Set the TTL value for DHCP Discovery messages after they are forwarded by the DHCP relay agent at Layer 3. 

      dhcp set ttl { unvaried | ttl-value }

      By default, the TTL value of DHCP Discovery messages decreases by 1 after they are forwarded by the DHCP relay agent at Layer 3.

      If the DHCP relay agent connects to a special client whose TTL value of DHCP Discovery messages is 1, and if there are routing devices between the DHCP relay agent and DHCP server, run the dhcp set ttl ttl-value command to specify a fixed TTL value (16 is recommended) for DHCP Discovery messages after they are forwarded by the DHCP relay agent at Layer 3.

    4. Create a DHCP server group and enter its view. 

      dhcp server group group-name

      By default, no DHCP server group is configured.

      A maximum of 64 DHCP server groups can be configured on a device.

    5. Configure the DHCP server members in the DHCP server group. 

      dhcp-server ip-address [ ip-address-index ]

      By default, no DHCP server member is configured in a DHCP server group.

      A maximum of 8 DHCP servers can be added to a DHCP server group.

    6. (Optional) Specify the gateway address for clients. 

      gateway ip-address

      A gateway address is specified for clients.

      Skip this step if the interface connecting the DHCP relay agent to clients functions as the gateway.

      The gateway address specified in this step must be the same as the egress gateway address of clients specified on the DHCP server. If the device functions as the DHCP server, refer to (Optional) Configuring a Gateway Address for Clients for details about how to specify the egress gateway address for clients.

    7. (Optional) Bind the DHCP server group to a VPN instance. 

      vpn-instance vpn-instance-name

      By default, the DHCP server group is not bound to a VPN instance.

      To ensure clients can obtain IP parameters if the DHCP relay agent is deployed on a VPN network, bind the DHCP server group to a VPN instance that is also bound to the address pool of the DHCP server.

    8. Return to the system view. 

      quit

    9. Enter the interface or sub-interface view. 

      interface interface-type interface-number [.subinterface-number ]

    10. Create a DHCP server group. 

      dhcp relay server-select group-name

(Optional) Configuring Strategies for Processing Option 82 Information on a DHCP Relay Agent

Context

To enable a DHCP relay agent to accept, process, and forward DHCP messages that carry Option 82 information, you must configure the DHCP relay agent to trust and process this option.

You are advised to perform the configuration on a user-side device. If the DHCP relay agent connects to a DHCP snooping-enabled device, configure the strategies for processing Option 82 information on the DHCP snooping device. When a device functions as the DHCP snooping device, for details on how to perform the configuration, see Inserting the Option 82 Field in a DHCP Message in the Huawei AR Series V200R010 Configuration Guide - Security.

If the device functions as the first-hop DHCP relay agent, it can process Option 82 information. If the device functions as the second-hop or subsequent DHCP relay agent, it cannot process Option 82 information.

Procedure

  1. Enter the system view. 

    system-view

  2. Enable the DHCP relay agent to trust Option 82. 

    dhcp relay trust option82

    By default, a DHCP relay agent does not trust Option 82.

    When this function is enabled, the DHCP relay agent can receive and forward DHCP messages that carry Option 82. If the DHCP relay agent is disabled from trusting Option 82 using the undo dhcp relay trust option82 command, the device discards the DHCP messages carrying Option 82.

  3. Configure strategies for processing Option 82 information on the DHCP relay agent.

    • Configure the DHCP relay agent to insert the Option 82 field to DHCP messages in a VLAN view. This configuration takes effect on all DHCP messages from this VLAN received on the interfaces of the DHCP relay agent.

      1. Enter the VLAN view.

        vlan vlan-id

      2. Enable the DHCP relay agent to insert the Option 82 field to received DHCP messages. 

        dhcp option82 { insert | rebuild } enable

        By default, a DHCP relay agent is disabled from inserting the Option 82 field to received DHCP messages.

      3. Return to the system view.

        quit

    • Configure the DHCP relay agent to insert the Option 82 field to DHCP messages in an interface view. This configuration takes effect on DHCP messages received on the specified interface.

      1. Enter the interface view or sub-interface view.

        interface interface-type interface-number [.subinterface-number ]

      2. Enable the DHCP relay agent to insert the Option 82 field to received DHCP messages.

        dhcp option82 { insert | rebuild } enable

        By default, a DHCP relay agent is disabled from inserting the Option 82 field to received DHCP messages.

        DHCP messages received on the DHCP relay agent may carry the Option 82 field. Select a strategy based on network requirements.

        • When insert is configured: If a DHCP message does not carry the Option 82 field, the DHCP relay agent inserts the Option 82 field. If a DHCP message carries the Option 82 field, the DHCP relay agent checks whether the Option 82 field contains remote-id. If yes, the Option 82 field remains unchanged; if no, the DHCP relay agent inserts remote-id.
        • When rebuild is configured: If a DHCP message does not carry the Option 82 field, the DHCP relay agent inserts the Option 82 field. If a DHCP message carries the Option 82 field, the DHCP relay agent deletes the original Option 82 field and inserts the locally configured Option 82 field.

      3. Return to the system view.

        quit

  4. (Optional) Set the format of the Option 82 field.

    Configure the format of the Option 82 field in the system or interface view. If the configuration is performed in the system view, it takes effect on all interfaces of the device. If the configuration is performed in an interface view, it takes effect only on the specified interface.

    • All Option82 fields configured in the system view or in the same interface view share a length of 1-255 bytes. If their total length exceeds 255 bytes, some Option82 information will be lost.

    • There is no limit on the number of Option 82 fields configured on the device. However, a large number of Option 82 fields will occupy a lot of memory and prolong the device processing time. To ensure device performance, you are advised to configure Option 82 fields based on the service requirements and device memory size.

    • In the system view:

      Configure the format of the Option 82 field.

      dhcp option82 [ vlan vlan-id ] [ ce-vlan ce-vlan-id ] [ circuit-id | remote-id ] format { default | common | extend | user-defined text }

      By default, the Option 82 field is in the default format.

    • In the interface view:

      1. Enter the interface view.

        interface interface-type interface-number

      2. Configure the format of the Option 82 field.

        dhcp option82 [ vlan vlan-id ] [ ce-vlan ce-vlan-id ] [ circuit-id | remote-id ] format { default | common | extend | user-defined text }

        By default, the Option 82 field is in the default format.

      3. Return to the system view.

        quit

(Optional) Configuring Rate Limiting of DHCP Messages

Context

You can configure rate limiting of DHCP messages on the device to prevent DHCP message attacks. After rate limiting is configured, the device is allowed to process only a specified number of DHCP messages within a certain period and discards extra packets.

Rate limiting is configured for the DHCP messages sent by the clients, so you are advised to configure the rate limiting function on the device close to the user side. If the device functions as the DHCP relay and is connected to a DHCP snooping-enabled device, you are advised to configure the rate limiting function on the DHCP snooping-enabled device.

You can configure the rate limiting function in the system view, VLAN view, or interface view. The configuration in the interface view takes precedence over those in the VLAN view and global view; the configuration in the VLAN view takes precedence over that in the system view.

Procedure

  • Configure DHCP rate limiting in the system view.
    1. Enter the system view. 

      system-view

    2. Enable DHCP rate limiting. 

      dhcp check dhcp-rate enable [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]

      By default, DHCP rate limiting is disabled.

    3. Configure the maximum rate of sending DHCP messages to the DHCP stack. 

      dhcp check dhcp-rate rate [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]

      By default, DHCP messages are sent to the DHCP stack at the rate of 100 pps. Excess packets in a specified period of time are discarded.

    4. (Optional) Enable the trap function for rate limiting. 

      dhcp alarm dhcp-rate enable

      The trap function for rate limiting is enabled.

      By default, the trap function for rate limiting is disabled.

      This function allows the system to generate an alarm when the number of discarded DHCP messages reaches the threshold.

    5. (Optional) Specify the alarm threshold for checking DHCP message rates. 

      dhcp alarm dhcp-rate threshold threshold

      By default, the alarm threshold for checking DHCP message rates is 100.

      After the trap function for rate limiting is enabled, the device discards packets whose rate exceeds the rate limit. When the number of discarded packets exceeds the alarm threshold, the system generates an alarm.

  • Configure DHCP rate limiting in the VLAN view.
    1. Enter the system view. 

      system-view

    2. Enter the VLAN view. 

      vlan vlan-id

    3. Enable DHCP rate limiting. 

      dhcp check dhcp-rate enable
      By default, DHCP rate limiting is disabled.

    4. Configure the maximum rate of sending DHCP messages to the DHCP stack. 

      dhcp check dhcp-rate rate

      By default, DHCP messages are sent to the DHCP stack at the rate of 100 pps. Excess packets in a specified period of time are discarded.

  • Configure DHCP rate limiting in the interface view.
    1. Enter the system view. 

      system-view

    2. Enter the interface view or sub-interface view. 

      interface interface-type interface-number [.subinterface-number ]

    3. Enable DHCP rate limiting. 

      dhcp check dhcp-rate enable

      By default, DHCP rate limiting is disabled.

    4. Configure the maximum rate of sending DHCP messages to the DHCP stack. 

      dhcp check dhcp-rate rate

      By default, DHCP messages are sent to the DHCP stack at the rate of 100 pps. Excess packets in a specified period of time are discarded.

    5. (Optional) Enable the trap function for rate limiting. 

      dhcp alarm dhcp-rate enable

      By default, the trap function for rate limiting is disabled.

      This function allows the system to generate an alarm when the number of discarded DHCP messages on the interface reaches the threshold.

    6. (Optional) Specify the alarm threshold for checking DHCP message rates. 

      dhcp alarm dhcp-rate threshold threshold

      By default, the alarm threshold for checking DHCP message rates is 100.

      After the trap function for rate limiting is enabled, the device discards packets whose rate exceeds the rate limit. When the number of discarded packets exceeds the alarm threshold, the system generates an alarm.

Verifying the DHCP Relay Agent Configuration

Procedure

  • Run the display dhcp relay { all | interface interface-type interface-number } command to view information about the DHCP server or DHCP server group on the interface functioning as a DHCP relay agent.
  • Run the display dhcp server group [ group-name ] command to view the configuration of the DHCP server group.