DHCP protocol principles
Foreword

⚫ Manually configuring IP addresses, masks, gateways and other parameters for a large number of hosts in a
LAN is tedious and error-prone.
⚫ DHCP (Dynamic Host Configuration Protocol) centrally manages and allocates IP addresses so that
hosts in the network can dynamically obtain IP addresses, gateway addresses, DNS server
addresses and other information; it improves address utilization and avoids IP
address conflicts.

Innovation • Simplicity • Experience


Objective

⚫ After taking this course, you will be able to:


➢ Get familiar with DHCP application scenarios
➢ Understand the working principle of DHCP and its packet types
➢ Master the basic configuration of DHCP and relay mode
➢ Understand the working mechanism of DHCP Snooping



Contents

1. DHCP Protocol Working Principles

2. DHCP Security-related Design



Usage Scenarios

⚫ Laptops, desktop computers, cell phones, smart appliances and other devices are closely tied to our
lives, and the basis of all their connections to the Internet is the IP address.
⚫ How can a device obtain an IP address efficiently and securely, without the user having to notice?



Static IP Address Allocation

Even if all users know exactly how to manually configure the IP address, the network center
maintenance staff still needs to maintain an IP allocation table specifying which user uses which
IP address, and users are still likely to have IP address conflicts when misconfiguration assigns
the same IP address more than once.

Is there a way to:


1. Reduce the difficulty for users to configure IP addresses
2. Reduce the workload of network center maintenance staff
3. Avoid IP address conflicts due to misconfiguration



DHCP Overview

⚫ DHCP, Dynamic Host Configuration Protocol


⚫ Defined in RFC 2131, with a client/server (C/S) architecture: the server is responsible for centralized management, the client
submits a configuration request to the server, and the server returns the corresponding configuration
information according to its policy.
⚫ DHCP messages are encapsulated in UDP. The server listens on port 67 and the client on port 68.

PC: What is my IP Address?


DHCP Protocol: I'll ask for you!



DHCP System Components

[Figure: DHCP Client (Network 1) - DHCP Relay - DHCP Server (Network 2)]

⚫ DHCP client
➢ A host that needs to obtain an IP address dynamically.

⚫ DHCP server
➢ A DHCP-capable server or network device that assigns IP addresses to clients and manages these IP addresses.

⚫ DHCP relay
➢ When a DHCP client and a DHCP server are not in the same subnet, a DHCP relay is needed to forward DHCP
request and reply packets. Generally it is a network device such as a router or a Layer 3 switch.



DHCP process

[Figure: DHCP Client and DHCP Server in Network 1]

1. Client -> Server, DHCP-DISCOVER (broadcast): "Can someone allocate me an IP address?"
2. Server -> Client, DHCP-OFFER (broadcast): "I can allocate IP address 192.168.1.2/24 to you."
3. Client -> Server, DHCP-REQUEST (broadcast): "Okay, I'll use the 192.168.1.2/24 you allocated."
4. Server -> Client, DHCP-ACK (broadcast): "Okay, I acknowledge!"



DHCP Discover

⚫ DHCP Discover
➢ This is the first request message sent by the PC. It is a broadcast message whose main purpose is to
discover the DHCP server: the PC does not know the IP address of the DHCP server, so the destination MAC and
destination IP addresses are broadcast addresses.



DHCP Offer

⚫ DHCP Offer
➢ This is the first message returned by the DHCP server. When there are multiple DHCP servers in the
network, the PC keeps only the DHCP Offer it receives first. The DHCP Offer contains the IP address, gateway IP,
DNS parameters and other configuration information that the DHCP server can allocate to the PC.



DHCP request

⚫ DHCP Request
➢ The second request message from the PC: the PC initiates a formal request based on the information in the Offer
returned by the server.



DHCP Ack

⚫ DHCP ACK
➢ After the server receives the Request message from the PC, it allocates the corresponding IP address from the
address pool and returns it to the PC.



IP Address Rejection and Release

[Figure: DHCP Client and DHCP Server in Network 1]

Client -> Server, DHCP-DECLINE: "The 192.168.1.2/24 you provided is already being used and I refuse to use it!"
Client -> Server, DHCP-RELEASE: "I don't want to use the address you allocated, please give it to someone else."



DHCP lease renewal

[Figure: DHCP Client and DHCP Server in Network 1]

At 50% of the lease term:
Client -> Server, DHCP-REQUEST: "I would like to continue using the IP address you allocated, is that OK?"
Server -> Client, DHCP-ACK: "OK, you can continue to use it."

At 87.5% of the lease term:
Client -> Server, DHCP-REQUEST: "I would like to continue using the IP address you allocated, is that OK?"
Server -> Client, DHCP-ACK: "OK, you can continue to use it."
or
Server -> Client, DHCP-NAK: "No, you cannot continue to use it."



DHCP Protocol Messages and Usage

Message Type    Applications

DHCP discover   Client broadcasts to find available servers
DHCP offer      The server responds to the DHCP discover message and allocates the corresponding configuration parameters
DHCP request    Client requests configuration parameters, requests configuration acknowledgement, or renews a lease
DHCP ack        The server acknowledges the DHCP request message
DHCP decline    Client notifies the server when the address is found to be in use
DHCP release    Client notifies the server when it releases an address
DHCP inform     The client already has an IP address and requests more detailed configuration parameters
DHCP nak        The server tells the client that the address request is incorrect or the lease has expired
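The Discover/Offer/Request/Ack exchange and the message types in the table, worked as an added Python example (this is not Ruijie's code): a minimal RFC 2131/2132 message builder and parser plus a hypothetical in-memory `Server` class whose pool copies the configuration example later in this deck (172.16.1.0/24, gateway 172.16.1.254, DNS 114.114.114.114 and 8.8.8.8, lease 8 hours). The MAC addresses and the transaction id are constructed sample values; `renewal_times` returns the 50% and 87.5% lease points from the renewal slide.

```python
import ipaddress
import struct

# Added example, not Ruijie's code. Option codes: 1 subnet mask, 3 router, 6 DNS,
# 50 requested address, 51 lease time, 53 message type, 54 server identifier (RFC 2132).
MAGIC = b"\x63\x82\x53\x63"            # magic cookie that precedes the options field
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)  # option 53 values
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # op, htype, hlen, hops, xid, secs, flags, 4 addrs, chaddr, sname, file


def build(op, xid, chaddr, yiaddr="0.0.0.0", siaddr="0.0.0.0", options=()):
    """op=1 BOOTREQUEST (client, UDP 68 -> 67), op=2 BOOTREPLY (server, UDP 67 -> 68)."""
    flags = 0x8000 if op == 1 else 0   # client sets the broadcast flag: it has no IP address yet
    zero = ipaddress.IPv4Address("0.0.0.0").packed
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, flags, zero,
                      ipaddress.IPv4Address(yiaddr).packed, ipaddress.IPv4Address(siaddr).packed,
                      zero, chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC + opts + b"\xff"  # 0xff terminates the option list


def parse(pkt):
    """Return the fields a server or snooping switch acts on; options as {code: raw bytes}."""
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:            # pad option carries no length byte
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "xid": f[4], "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10])), "chaddr": f[11][:f[2]],
            "type": opts.get(53, b"\0")[0], "options": opts}


def renewal_times(lease_seconds):
    """T1 (renew at 50%) and T2 (rebind at 87.5%) of the lease, the RFC 2131 defaults."""
    return lease_seconds * 0.5, lease_seconds * 0.875


class Server:
    """Hypothetical server: one pool, gateway, DNS list and lease, like the slide's 'ip dhcp pool'."""

    def __init__(self, network, gateway, dns, lease_seconds):
        net = ipaddress.IPv4Network(network)
        self.gateway = gateway
        self.free = [str(h) for h in net.hosts() if str(h) != gateway]  # gateway is excluded
        self.bound = {}     # chaddr -> leased IP
        self.conflicts = []  # addresses a client declined; kept out of the pool
        self.common = [(1, net.netmask.packed), (3, ipaddress.IPv4Address(gateway).packed),
                       (6, b"".join(ipaddress.IPv4Address(d).packed for d in dns)),
                       (51, struct.pack("!I", lease_seconds)),
                       (54, ipaddress.IPv4Address(gateway).packed)]  # server identifier

    def handle(self, pkt):
        """Process one client message; return the reply bytes, or None when there is none."""
        m = parse(pkt)
        if m["type"] == DISCOVER:
            ip = self.bound.get(m["chaddr"]) or (self.free[0] if self.free else None)
            if ip is None:
                return None  # pool exhausted: no offer
            return build(2, m["xid"], m["chaddr"], ip, self.gateway, [(53, bytes([OFFER]))] + self.common)
        if m["type"] == REQUEST:
            want = str(ipaddress.IPv4Address(m["options"][50]))   # option 50: requested address
            if want != self.bound.get(m["chaddr"]) and want not in self.free:
                return build(2, m["xid"], m["chaddr"], options=[(53, bytes([NAK])), self.common[-1]])
            if want in self.free:
                self.free.remove(want)
            self.bound[m["chaddr"]] = want
            return build(2, m["xid"], m["chaddr"], want, self.gateway, [(53, bytes([ACK]))] + self.common)
        if m["type"] in (RELEASE, DECLINE) and m["chaddr"] in self.bound:
            ip = self.bound.pop(m["chaddr"])
            (self.free if m["type"] == RELEASE else self.conflicts).append(ip)
        return None


def dora(server, mac, xid=0x3903F326):
    """Run Discover/Offer/Request/Ack for client `mac` against `server`; return the parsed ACK."""
    offer = parse(server.handle(build(1, xid, mac, options=[(53, bytes([DISCOVER]))])))
    req = build(1, xid, mac, options=[(53, bytes([REQUEST])),
                                      (50, ipaddress.IPv4Address(offer["yiaddr"]).packed),
                                      (54, offer["options"][54])])
    return parse(server.handle(req))
```

Running `dora(Server("172.16.1.0/24", "172.16.1.254", ["114.114.114.114", "8.8.8.8"], 8 * 3600), b"\x00\x11\x22\x33\x44\x55")` returns the ACK with `yiaddr` 172.16.1.1 and option 51 equal to 28800 seconds; a later RELEASE from the same `chaddr` puts the address back in the pool, while a DECLINE moves it to the conflict list, which is what `show ip dhcp conflict` on the real device reports.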



DHCP Server Basic Configuration

⚫ Enable the DHCP service (mandatory)
Ruijie(config)#service dhcp

⚫ Create a DHCP address pool (mandatory)
Ruijie(config)# ip dhcp pool vlan1

⚫ Configure the range of dynamically allocated IP addresses (mandatory)
Ruijie(dhcp-config)# network 20.1.1.0 255.255.255.0

⚫ Configure the gateway address of the DHCP client (optional)
Ruijie(dhcp-config)# default-router 20.1.1.1

⚫ Configure the DNS server address of the DHCP client (optional)
Ruijie(dhcp-config)# dns-server 8.8.8.8

⚫ Configure the lease duration of dynamically allocated IP addresses (optional)
Ruijie(dhcp-config)# lease 1 0 0



Examples of DHCP Server Basic Configuration

[Figure: DHCP Client connected to the DHCP Server (Ruijie-SW)]

Ruijie-SW(config)#service dhcp
Ruijie-SW(config)#ip dhcp pool IT
Ruijie-SW(dhcp-config)#network 172.16.1.0 255.255.255.0
Ruijie-SW(dhcp-config)#default-router 172.16.1.254
Ruijie-SW(dhcp-config)#dns-server 114.114.114.114 8.8.8.8
Ruijie-SW(dhcp-config)#lease 0 8 0
Ruijie-SW(dhcp-config)#exit



DHCP server display and maintenance

⚫ Display DHCP lease information
Ruijie(config)#show dhcp lease

⚫ Display the created address pools
Ruijie(config)# show ip dhcp pool

⚫ Display conflicting addresses
Ruijie(config)# show ip dhcp conflict

⚫ Display allocated addresses
Ruijie(config)# show ip dhcp binding



DHCP Relay

⚫ When the DHCP client and DHCP server are not in the same network segment, DHCP broadcast messages cannot reach
the server, so a DHCP Relay device must be deployed.
⚫ IP/route reachability must be ensured between the gateway device acting as the DHCP relay and the DHCP server.

[Figure: DHCP Client (Network 1) <- DHCP broadcast -> DHCP Relay <- DHCP unicast -> DHCP Server (Network 2)]



DHCP Relay Configuration

⚫ Enable the DHCP relay agent
Ruijie(config)# service dhcp

⚫ Add a global DHCP server address
Ruijie(config)# ip helper-address 172.2.2.1

⚫ Configure the IP address of the port connected to the client devices
Ruijie(config)# interface gigabitEthernet 0/1
Ruijie(config-if)# ip address 192.1.1.1 255.255.255.0

⚫ Configure the IP address of the port connected to the server
Ruijie(config)# interface gigabitEthernet 0/2
Ruijie(config-if)# ip address 172.2.2.2 255.255.255.0



Contents

1. DHCP Protocol Working Principles

2. DHCP Security-related Design



Rogue DHCP server access

⚫ If a malicious user privately sets up a DHCP server in a VLAN, the users in that VLAN may obtain a wrong
IP address from it and become unable to access the network.

[Figure: Core Switch (legitimate DHCP Server) on Gi0/28, uplinked to Access Switch Gi0/22; Rogue DHCP Server on SW Gi0/22;
PC1 on Gi0/1 and PC2 on the access switch. PC1's discover and request messages reach both servers, and both answer with
offer and ACK messages. PC1: "Oh no, I can't get on the internet~"]



DHCP Snooping Technology Overview

⚫ DHCP Snooping provides the following two functions:

➢ Access switches with DHCP Snooping enabled set their ports as Untrust ports; such ports filter the
messages sent by illegal DHCP servers in the network, thus preventing illegal DHCP servers from providing wrong
IP addresses and gateways;
➢ By snooping on the DHCP messages exchanged between the client and the server, the user's IP address usage is
recorded and monitored and DHCP Snooping Binding table entries are generated. These entries serve as the
information table of legitimate users and are provided to the other security modules of the device to implement further
access security functions.



DHCP snooping Technical Principle

⚫ The DHCP function is enabled on the core switch so that access users obtain IP addresses automatically,
while a rogue DHCP server is attached next to an access switch.
➢ The core switch has DHCP correctly enabled and configured:
service dhcp
ip dhcp pool vlan1
network 192.168.1.0 255.255.255.0
dns-server 59.49.49.49
default-router 192.168.1.254
➢ The access switch enables the DHCP Snooping function; all of its interfaces are Untrust ports by default.
➢ The port on the access switch to which the DHCP server is connected is set as the DHCP Snooping Trust port.
➢ Both DHCP Offer and ACK messages received from an Untrust interface are discarded.

[Figure: Core Switch (DHCP Server) Gi0/28 -> Access Switch Gi0/24 (Trust); PC1 on Gi0/1; Rogue DHCP Server on Gi0/22; PC2]

Ruijie(config)#ip dhcp snooping // enable DHCP snooping function
Ruijie(config)#interface gigabitEthernet 0/24
Ruijie(config-GigabitEthernet 0/24)#ip dhcp snooping trust



DHCP snooping binding table entry

➢ Snoop the DHCP ACK messages received by the Trust interface (the IP address information is included in the ACK
message);
➢ Extract the client IP address, MAC address and lease time fields from the DHCP ACK message, and generate a Binding
record by combining them with the port number and VLAN of the client recorded by the device.

[Figure: Core Switch (DHCP Server) Gi0/28 -> Access Switch Gi0/22; PC1 on Gi0/1; Rogue DHCP Server on Gi0/22; PC2]



Maintenance of DHCP snooping binding table

⚫ A DHCP Snooping table entry is deleted in the following cases:
➢ The recorded lease time expires (an entry whose lease was renewed successfully is not deleted)
➢ A legitimate DHCP-RELEASE/DHCP-DECLINE message sent by the client is snooped
➢ A NAK message is received from the TRUST port (meaning that the address in the offer is not available)
➢ A user actively deletes a binding record using the clear command:

Ruijie#clear ip dhcp snooping binding [A.B.C.D | H.H.H | interface | vlan | <cr>]

[Figure: Core Switch (DHCP Server) Gi0/28 -> Access Switch Gi0/22; Rogue DHCP Server on Gi0/22; PC1 on Gi0/1; PC2]



DHCP snooping source MAC verification

⚫ DHCP snooping source MAC address check:

➢ Check whether the Layer 2 source MAC address and the Client MAC address field (hardware address of the client)
in the Request message received by the Untrust port are the same;
➢ If they are the same, continue to forward it; if not, discard the Request message.

[Figure: Core Switch (DHCP Server) Gi0/28 -> Access Switch Gi0/22; PC1 on Gi0/1; Rogue DHCP Server on Gi0/22; PC2]



DHCP snooping other features

⚫ DHCP snooping can only snoop non-relayed DHCP messages. If there is a relay in the network, the following
configuration must be done in the global mode of the device configured with DHCP snooping (the giaddr field in the
DHCP message carries the IP address of the first relay device through which the Discover message passes):
Ruijie(config)#ip dhcp snooping check-giaddr

⚫ The port on which DHCP Snooping takes effect can be a wired switch port, a Layer 2 AP port, or a Layer 2
encapsulation subinterface.
⚫ DHCP Snooping and DHCP Relay are not supported for simultaneous deployment in VRF scenarios.
⚫ When DHCP Snooping loose forwarding is enabled and the DHCP Snooping binding table is full, DHCP messages from new
users continue to be forwarded so that they can obtain addresses, but DHCP Snooping does not record binding table
entries for them. If loose forwarding is not enabled, IP addresses cannot be obtained once the table is full.
The enabling command is as follows:

Ruijie(config)#ip dhcp snooping loose-forward
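The Untrust/Trust filtering, source MAC verification, binding table construction and deletion rules, and loose-forward behaviour described in the DHCP Snooping slides above, as an added Python simulation (not Ruijie's implementation). Frames are already-decoded dicts; the port names follow the slide topology (Gi0/24 Trust uplink, PC1 on Gi0/1, rogue server on Gi0/22) and the MAC addresses, VLAN and lease values are constructed. One assumption is made explicit in the code: the switch binds only clients whose own Discover/Request it saw on an Untrust port, because that is where it learns the client's port and VLAN for the binding record.

```python
# Added example, not Ruijie's code. Message types are the names from the message table.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}


class SnoopingSwitch:
    """Hypothetical access switch applying the DHCP Snooping rules from the slides."""

    def __init__(self, trust_ports=(), max_bindings=2, loose_forward=False):
        self.trust = set(trust_ports)  # every other port is Untrust, the default once snooping is on
        self.max_bindings = max_bindings
        self.loose_forward = loose_forward
        self.client_ports = {}  # chaddr -> (port, vlan), learned from the client's own messages
        self.bindings = {}      # chaddr -> binding record (ip, mac, port, vlan, lease_end)
        self.events = []

    def _drop(self, why):
        self.events.append("drop: " + why)
        return ("drop", why)

    def process(self, frame, now=0.0):
        """Return ("forward" | "drop", reason) for one decoded DHCP frame."""
        t, port, mac = frame["type"], frame["port"], frame["chaddr"]
        untrust = port not in self.trust
        if untrust and t in SERVER_MSGS:
            return self._drop(f"{t} received on Untrust port {port} (rogue server filter)")
        if untrust and t in CLIENT_MSGS:
            if frame["src_mac"] != mac:  # source MAC verification: L2 source vs client hardware address
                return self._drop(f"{t} on {port}: source MAC {frame['src_mac']} != chaddr {mac}")
            self.client_ports[mac] = (port, frame["vlan"])
            if t in ("RELEASE", "DECLINE"):  # legitimate client gave the address up or found a conflict
                self.bindings.pop(mac, None)
        elif t == "NAK":                     # from a Trust port: the offered address is not available
            self.bindings.pop(mac, None)
        elif t == "ACK":                     # from a Trust port: the only message that creates a binding
            if mac not in self.bindings and len(self.bindings) >= self.max_bindings:
                if not self.loose_forward:
                    return self._drop("binding table full and loose-forward disabled")
                self.events.append("forward: table full, ACK passed without a binding (loose-forward)")
                return ("forward", "table full")
            seen = self.client_ports.get(mac)
            if seen:  # assumption: bind only clients whose request this switch saw on an Untrust port
                self.bindings[mac] = {"ip": frame["yiaddr"], "mac": mac, "port": seen[0],
                                      "vlan": seen[1], "lease_end": now + frame["lease"]}
        return ("forward", "ok")

    def expire(self, now):
        """Age out entries whose lease ended; a renewed ACK moved lease_end forward, so it stays."""
        gone = [m for m, b in self.bindings.items() if b["lease_end"] <= now]
        for m in gone:
            del self.bindings[m]
        return gone

    def clear(self, ip=None, mac=None, port=None, vlan=None):
        """Counterpart of 'clear ip dhcp snooping binding [A.B.C.D | H.H.H | interface | vlan]'."""
        def match(b):
            return ((ip is None or b["ip"] == ip) and (mac is None or b["mac"] == mac)
                    and (port is None or b["port"] == port) and (vlan is None or b["vlan"] == vlan))
        gone = [m for m, b in self.bindings.items() if match(b)]
        for m in gone:
            del self.bindings[m]
        return gone


def run_scenario():
    """Replay the slide topology with constructed frames; return the switch and per-frame verdicts."""
    sw = SnoopingSwitch(trust_ports={"Gi0/24"}, max_bindings=1)
    pc1, pc2 = "00:11:22:33:44:01", "00:11:22:33:44:02"          # constructed client MACs
    rogue, core = "00:aa:bb:cc:dd:ee", "00:aa:aa:aa:aa:aa"         # constructed server MACs
    frames = [
        dict(type="DISCOVER", port="Gi0/1", vlan=1, src_mac=pc1, chaddr=pc1),
        dict(type="OFFER", port="Gi0/22", vlan=1, src_mac=rogue, chaddr=pc1, yiaddr="10.9.9.9", lease=3600),
        dict(type="OFFER", port="Gi0/24", vlan=1, src_mac=core, chaddr=pc1, yiaddr="192.168.1.2", lease=86400),
        dict(type="REQUEST", port="Gi0/1", vlan=1, src_mac="00:de:ad:be:ef:00", chaddr=pc1),  # MAC mismatch
        dict(type="REQUEST", port="Gi0/1", vlan=1, src_mac=pc1, chaddr=pc1),
        dict(type="ACK", port="Gi0/24", vlan=1, src_mac=core, chaddr=pc1, yiaddr="192.168.1.2", lease=86400),
        dict(type="DISCOVER", port="Gi0/2", vlan=1, src_mac=pc2, chaddr=pc2),
        dict(type="ACK", port="Gi0/24", vlan=1, src_mac=core, chaddr=pc2, yiaddr="192.168.1.3", lease=86400),
    ]
    verdicts = [sw.process(f, now=0.0)[0] for f in frames]
    return sw, verdicts
```

In `run_scenario` the rogue server's OFFER on Untrust port Gi0/22 and the Request whose Ethernet source does not match its chaddr are dropped, the core switch's ACK creates a binding for PC1 on Gi0/1 in VLAN 1, and the second ACK is dropped because the one-entry table is full and loose-forward is off; constructing the switch with `loose_forward=True` forwards that ACK without recording a binding, which is the behaviour the `ip dhcp snooping loose-forward` command enables.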



Practice Questions

1. A terminal obtains an IP address through DHCP. In which message is the information the server finally
determines, such as the IP address and mask, provided to the terminal ()?
A. DHCP Discover message
B. DHCP Offer message
C. DHCP Request message
D. DHCP ACK message
Answer: B

2. The DHCP Snooping feature creates DHCP Snooping Binding table entries by snooping which DHCP
message ()?
A. DHCP Discover message
B. DHCP Offer message
C. DHCP Request message
D. DHCP ACK message
Answer: D



Practice Questions

1. (Multiple Choice) An access switch that has deployed DHCP Snooping maintains a DHCP Snooping
Binding table. Under what circumstances will the binding entries be deleted ()?
A. The terminal's DHCP lease expires
B. A legitimate DHCP-RELEASE/DHCP-DECLINE message sent by the client is snooped
C. A NAK message is received from the TRUST port
D. The user deletes Binding records using the clear command
Answer: ABCD



Summary

⚫ This chapter mainly introduces the application scenarios of the DHCP service, the working principle of the DHCP
protocol, message types, message structure, and the basic configuration and relay mode of DHCP.
⚫ After DHCP Snooping is enabled on the access switch, all interfaces are set to the Untrust state, and the
ports connected to the DHCP server are manually configured as Trust interfaces. Untrust interfaces
discard all DHCP Offer and DHCP ACK messages, which prevents illegal DHCP servers from serving the network.
⚫ The DHCP Snooping function snoops the DHCP ACK messages received by the Trust interface, extracts
the client IP address, client MAC address and lease time fields from the message, combines them with the port
number and VLAN of the client recorded by the device to generate a Binding record, and
provides this raw data to other security function modules to implement further access security functions.



Ruijie Technical Support Portal: https://www.ruijienetworks.com/support

Ruijie Online Service Channel
Online Technical Support (Rita): https://www.ruijienetworks.com/rita
Community: https://community.ruijienetworks.com
Facebook (Ruijie Tech Support): https://www.facebook.com/ruijietac
YouTube (Ruijie Technical Support): https://www.youtube.com/c/RuijieTechnicalSupport

THANKS
