Cisco DHCP Guide in Detail

Original link address: https://bbs.51cto.com/thread-800321-1.html

 

We have recently seen many problems caused by DHCP, so to help everyone become more familiar with DHCP configuration, this post has been written.
I believe that after reading it you will have a solid grasp of DHCP for the certification exam.

1. DHCP server configuration
(1) Enable the DHCP service
    R2(config)# service dhcp
(2) Create the DHCP address pools
    R2(config)# ip dhcp pool ccie1                    ! address pool named ccie1
    R2(dhcp-config)# network 10.1.1.0 255.255.255.0  ! subnet whose addresses are handed to clients
    R2(dhcp-config)# default-router 10.1.1.1         ! gateway
    R2(dhcp-config)# dns-server 10.1.1.1 10.1.1.2    ! DNS servers
    R2(dhcp-config)# lease 1 1 1                     ! lease of 1 day, 1 hour, 1 minute (the default is one day)
    R2(config)# ip dhcp pool ccie2                    ! address pool named ccie2
    R2(dhcp-config)# network 20.1.1.0 255.255.255.0  ! subnet whose addresses are handed to clients
    R2(dhcp-config)# default-router 20.1.1.1         ! gateway
    R2(dhcp-config)# dns-server 20.1.1.1 20.1.1.2    ! DNS servers
    R2(dhcp-config)# lease 1 1 1                     ! lease of 1 day, 1 hour, 1 minute (the default is one day)
(3) Exclude addresses that must not be given to clients
NOTE: Some addresses in the subnet must not be handed to clients, the gateway address for example, so they are removed from the pool and the server will never assign them.
    R2(config)# ip dhcp excluded-address 10.1.1.1 10.1.1.10   ! exclude 10.1.1.1 through 10.1.1.10
    R2(config)# ip dhcp excluded-address 20.1.1.1 20.1.1.10   ! exclude 20.1.1.1 through 20.1.1.10
2. DHCP client configuration
(1) Configure the interface to obtain its address via DHCP
    R1(config)# int f0/1
    R1(config-if)# ip address dhcp
3. Verification commands
(1) See which address the server has assigned to which host:
    R2# show ip dhcp binding
4. Results
    On the DHCP client you will see that the interface configured with ip address dhcp has received 10.1.1.11 and that a default route pointing to 10.1.1.1 has been installed (on a PC this is simply the gateway 10.1.1.1); a router does not need the DNS servers it was offered.
    The DHCP server clearly has two pools, one for 10.1.1.0/24 and one for 20.1.1.0/24. When the client asks for an address, why does the server answer from 10.1.1.0/24 rather than wrongly from 20.1.1.0/24? Because when the server receives a request directly, with no relay in between, it looks at the address of the interface on which the request arrived and picks the pool whose subnet contains that address; if no pool matches that subnet, the request is discarded. In the figure the receiving interface has the address 10.1.1.1, which is in the same subnet as pool ccie1 (10.1.1.0/24), so the client is given 10.1.1.11.
DHCP relay

    As shown in the figure, when R1's interface is configured to obtain its address via DHCP, it sends a request out F0/0 to the broadcast destination 255.255.255.255. If R2 were the DHCP server it would answer, but it is not, so R2 silently discards the broadcast after receiving it. The real DHCP server is R4. How can R1's broadcast reach R4, and how can R4 return the correct address to R1?
    Routers do not forward broadcasts, so the request will never reach R4 unless R2 can be made to turn the client's broadcast into a unicast addressed to R4. That is exactly what we do: R2 forwards the broadcast on to R4 as a unicast. This function is called DHCP relay and is implemented with ip helper-address.
1. R2 configuration
(1) Forward DHCP broadcasts to 34.1.1.4
Note: ip helper-address forwards DHCP/BOOTP (UDP 67 and 68) by default, so nothing extra needs to be enabled. It also forwards a few other UDP services by default (TFTP, DNS, NetBIOS name service among them); a service you do not want relayed can be switched off with no ip forward-protocol udp <port>.
   R2(config)# int f0/0
   R2(config-if)# ip helper-address 34.1.1.4
2. DHCP server configuration
(1) Enable the DHCP service
   R4(config)# service dhcp
(2) Create the DHCP address pools
    R4(config)# ip dhcp pool ccie1                    ! address pool named ccie1
    R4(dhcp-config)# network 10.1.1.0 255.255.255.0  ! subnet whose addresses are handed to clients
    R4(dhcp-config)# default-router 10.1.1.1         ! gateway
    R4(config)# ip dhcp pool ccie2                    ! address pool named ccie2
    R4(dhcp-config)# network 34.1.1.0 255.255.255.0  ! subnet whose addresses are handed to clients
    R4(dhcp-config)# default-router 34.1.1.4         ! gateway
(3) Exclude addresses that must not be given to clients
   R4(config)# ip dhcp excluded-address 10.1.1.1 10.1.1.10   ! exclude 10.1.1.1 through 10.1.1.10
   R4(config)# ip dhcp excluded-address 34.1.1.1 34.1.1.10   ! exclude 34.1.1.1 through 34.1.1.10
(4) Configure a route back to the pool's subnet
   R4(config)# ip route 10.1.1.0 255.255.255.0 34.1.1.3
Note: R3 needs no DHCP-related configuration at all.
3. Results
    On the DHCP client you will see that F0/0 has received the address 10.1.1.11. How did the DHCP server R4 decide which subnet the client needs, and why did it not wrongly hand out an address from 34.1.1.0/24? Did we not just say that the server uses the subnet of the interface on which it receives the request? By that rule R4 should have answered from 34.1.1.0/24.
    The server can answer correctly because of the giaddr (gateway IP address) field of the DHCP packet. giaddr is a fixed field in the BOOTP/DHCP header, not a DHCP option; the relay agent information option (option 82) is a separate thing, and a router relay only inserts it when ip dhcp relay information option is configured. Whenever a relay forwards a request, it writes the address of the interface on which it received the client's broadcast into giaddr, which tells the server which subnet the client needs an address from in order to work. The server then picks the pool whose subnet contains giaddr and hands out an address from it; if there is no such pool, the request is discarded. R4 therefore answers correctly from 10.1.1.0/24 because R2, acting on ip helper-address, set giaddr to the address of its receiving interface, 10.1.1.1. The debug output on R2 shows it:
*Mar  1 00:28:36.666: DHCPD: setting giaddr to 10.1.1.1.
*Mar  1 00:28:36.666: DHCPD: BOOTREQUEST from 0063.6973.636f.2d30.3031.322e.6439.6639.2e63.3638.302d.4661.302f.30 forwarded to 34.1.1.4.
    The debug on R2 shows the request being forwarded to 34.1.1.4 with giaddr set to 10.1.1.1. Note that once a request has passed through a relay, giaddr is no longer 0.0.0.0; a relayed request that still carries giaddr 0.0.0.0 is discarded by the server without an address being offered.
NOTE: For the server to hand out addresses from its 10.1.1.0/24 pool it must have a route to 10.1.1.0 (a default route is enough), because it unicasts its reply to giaddr, and the client must actually be reachable in that direction; if the route points the wrong way, the pool's addresses cannot be delivered to clients.
Assigning addresses from different subnets to different VLANs

    As shown in Figure 3, the two DHCP clients are in two different VLANs on the switch, and the switch's VLAN interfaces serve as their gateways; R3 is the DHCP server. The two clients must not receive addresses from the same subnet, otherwise they cannot communicate with the outside. Here the server R3 must assign R1 an address from 10.1.1.0/24 and R2 an address from 20.1.1.0/24. The configuration is as follows:
1. DHCP server configuration
(1) Enable the DHCP service
   R3(config)# service dhcp
(2) Create the DHCP address pools
     R3(config)# ip dhcp pool ccie1                    ! address pool named ccie1
     R3(dhcp-config)# network 10.1.1.0 255.255.255.0  ! subnet whose addresses are handed to clients
     R3(dhcp-config)# default-router 10.1.1.1         ! gateway
     R3(config)# ip dhcp pool ccie2                    ! address pool named ccie2
     R3(dhcp-config)# network 20.1.1.0 255.255.255.0  ! subnet whose addresses are handed to clients
     R3(dhcp-config)# default-router 20.1.1.1         ! gateway
(3) Exclude addresses that must not be given to clients
   R3(config)# ip dhcp excluded-address 10.1.1.1 10.1.1.10   ! exclude 10.1.1.1 through 10.1.1.10
   R3(config)# ip dhcp excluded-address 20.1.1.1 20.1.1.10   ! exclude 20.1.1.1 through 20.1.1.10
(4) Configure routes back to the pools' subnets
     R3(config)# ip route 10.1.1.0 255.255.255.0 30.1.1.1
     R3(config)# ip route 20.1.1.0 255.255.255.0 30.1.1.1
2. Switch configuration
(1) Create the VLANs and configure the interfaces (the switch must be a Layer 3 switch with ip routing enabled so that its VLAN interfaces can route and relay)
   SW(config)# vlan 10
   SW(config-vlan)# exit
   SW(config)# vlan 20
   SW(config-vlan)# exit
   SW(config)# int f0/1
   SW(config-if)# switchport mode access
   SW(config-if)# switchport access vlan 10
   SW(config-if)# exit
   SW(config)# int f0/2
   SW(config-if)# switchport mode access
   SW(config-if)# switchport access vlan 20
   SW(config-if)# exit
   SW(config)# int vlan 10
   SW(config-if)# ip address 10.1.1.1 255.255.255.0
   SW(config-if)# ip helper-address 30.1.1.3   ! forward DHCP broadcasts to 30.1.1.3 as unicast
   SW(config-if)# exit
   SW(config)# int vlan 20
   SW(config-if)# ip address 20.1.1.1 255.255.255.0
   SW(config-if)# ip helper-address 30.1.1.3   ! forward DHCP broadcasts to 30.1.1.3 as unicast
3. DHCP client configuration
(1) Configure R1
     R1(config)# int f0/1
     R1(config-if)# ip address dhcp
(2) Configure R2
    R2(config)# int f0/1
    R2(config-if)# ip address dhcp
4. Results:
    With the configuration above in place, client R1's DHCP interface receives the address 10.1.1.11 and client R2's receives 20.1.1.11, and both can then communicate across the whole network. The server R3 can correctly assign R1 an address from 10.1.1.0/24 and R2 an address from 20.1.1.0/24 because, when the switch receives R1's DHCP broadcast on VLAN 10, it sets giaddr to 10.1.1.1, and when it receives R2's broadcast on VLAN 20 it sets giaddr to 20.1.1.1; R3 then allocates from 10.1.1.0/24 for the packet with giaddr = 10.1.1.1 and from 20.1.1.0/24 for the packet with giaddr = 20.1.1.1.
IP and MAC address binding
    When DHCP is configured, every address in a pool that has not been excluded is handed out to clients in turn, so a client cannot count on getting a fixed address. Sometimes a particular PC must always receive the same IP address; in that case the DHCP server can be configured with a static binding between that IP address and the PC's MAC address, so that only the matching MAC address can obtain that IP address. On Cisco devices a static IP-to-MAC binding is made by creating a separate address pool, called a host pool, for the single IP address to be bound. The host pool specifies the IP address together with its mask length and attaches a MAC address; from then on that IP address is assigned only to that MAC address. A host pool can hold only one IP address and one MAC address, so if several clients need bindings, each one needs its own host pool. Note also that the MAC address is written differently in a host pool than usual: for a NIC whose MAC address is aabb.ccdd.eeff, the pool needs 01 prepended (01 is the hardware type for Ethernet), giving 01aa.bbcc.ddee.ff. This value is matched against the client identifier (option 61) the client sends; for clients that send no client identifier, use hardware-address aabb.ccdd.eeff in the host pool instead.
1. Host pool configuration:
(1) Create the pool
    R1(config)# ip dhcp pool ccie
(2) Configure the IP address
    R1(dhcp-config)# host 10.1.1.100 /24
(3) Attach the MAC address that is to receive this IP address
    R1(dhcp-config)# client-identifier 01aa.bbcc.ddee.ff
2. Check the configuration:
(1) View the server's address allocation state
   R1# sh ip dhcp binding
   Bindings from all pools not associated with VRF:
   IP address          Client-ID/              Lease expiration        Type
                       Hardware address/
                       User name
   10.1.1.100          01aa.bbcc.ddee.ff       Infinite                Manual
   R1#
Description: The output shows that the IP address 10.1.1.100 has been manually bound to the MAC address aabb.ccdd.eeff; from now on only a client with MAC address aabb.ccdd.eeff can obtain the IP address 10.1.1.100 when it requests one.
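Where the 01 prefix comes from, and how to read the long client identifier in the debug output earlier on this page, is easiest to see in code. The following Python helpers are an added example for this page, not Cisco code or code from the original post; the function names are my own. They convert a MAC address in the usual notations into the host-pool form, decode a dotted-hex client identifier back (hardware type 1 is Ethernet; type 0 is an opaque string, which is what an IOS router uses when it is the client, in the form cisco-<mac>-<interface>), and render the host-pool lines.

```python
import re


def mac_to_bytes(mac: str) -> bytes:
    """Accept aabb.ccdd.eeff, aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff."""
    hexdigits = re.sub(r"[.:\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def dotted_hex(data: bytes) -> str:
    """IOS display form: groups of two bytes separated by dots, e.g. 01aa.bbcc.ddee.ff."""
    h = data.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def client_identifier_for_mac(mac: str) -> str:
    """Value for 'client-identifier' in a host pool: hardware type 1 (Ethernet) + MAC."""
    return dotted_hex(b"\x01" + mac_to_bytes(mac))


def decode_client_identifier(dotted: str):
    """Parse a dotted-hex option 61 value, as printed by 'debug ip dhcp server packet'
    or 'show ip dhcp binding', into (kind, value)."""
    data = bytes.fromhex(dotted.replace(".", ""))
    if not data:
        raise ValueError("empty client identifier")
    htype, payload = data[0], data[1:]
    if htype == 1 and len(payload) == 6:
        return "ethernet", dotted_hex(payload)            # aabb.ccdd.eeff
    if htype == 0:
        return "opaque", payload.decode("ascii", errors="replace")
    return f"htype-{htype}", payload.hex()


def host_pool_config(pool: str, ip: str, prefix: int, mac: str) -> str:
    """Render the three IOS lines for a one-address host pool."""
    return "\n".join([
        f"ip dhcp pool {pool}",
        f" host {ip} /{prefix}",
        f" client-identifier {client_identifier_for_mac(mac)}",
    ])


if __name__ == "__main__":
    print(host_pool_config("ccie", "10.1.1.100", 24, "aabb.ccdd.eeff"))
    # the identifier from the relay debug output above: an IOS router as a client
    print(decode_client_identifier(
        "0063.6973.636f.2d30.3031.322e.6439.6639.2e63.3638.302d.4661.302f.30"))
```

Decoding the identifier from the relay debug output shows why a host pool written with 01 + MAC would never match an IOS router acting as the client: the router sends a type-0 string, not its hardware address, so the binding has to use that string (or hardware-address) instead.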
DHCP ARP security

    Cisco's DHCP ARP security design may not be absolutely secure, but it does do its job. The design was originally intended for billed public hotspots built on PVLAN (wireless public places). As shown in Figure 4, R3 is the DHCP server; to give a paying customer R1 network service it hands R1 a correct IP address, and after it has given R1 the address 10.1.1.2 it has to remember R1's MAC address. Normally, if R1 leaves, the server does not know about it, and when a fraudster R2 then connects to the network it can impersonate 10.1.1.2 and get online. R1 and R2 naturally have different MAC addresses, but if the server R3 automatically updates its ARP table with the new MAC address, R2 will get online successfully.
    For this reason a security mechanism is needed between the client R1 and the server R3: the server periodically asks over ARP whether 10.1.1.2 is still there, and only R1 is able to answer.
    Two features are needed to achieve this. The first is update arp, enabled in address-pool configuration mode, which makes the server periodically probe its DHCP clients over ARP. The second is authorized ARP, enabled on the Ethernet interface, which stops the interface from learning new MAC addresses dynamically through ARP; the ARP entries on that interface come only from DHCP bindings. As a result a device with a manually configured IP address cannot be used behind that interface: the server will not add it to its ARP table, cannot build the Layer 2 encapsulation for it, and so cannot communicate with it; only legitimate DHCP clients work normally. It also follows that clients reached through a relay cannot be protected this way, and the next hop toward a client must be the client itself, because otherwise there is no ARP entry for it and no communication is possible.
1. ARP security configuration:
(1) Enable the DHCP service
   R3(config)# service dhcp
(2) Create the DHCP address pool
   R3(config)# ip dhcp pool ccie1                    ! address pool named ccie1
   R3(dhcp-config)# network 10.1.1.0 255.255.255.0  ! subnet whose addresses are handed to clients
   R3(dhcp-config)# default-router 10.1.1.1         ! gateway
   R3(dhcp-config)# update arp                      ! enable periodic ARP probing of clients
(3) Exclude addresses that must not be given to clients
   R3(config)# ip dhcp excluded-address 10.1.1.1 10.1.1.10   ! exclude 10.1.1.1 through 10.1.1.10
(4) Enable authorized ARP on the interface
     R3(config)# int f0/0
     R3(config-if)# arp authorized     ! stop dynamic ARP learning on this interface
     R3(config-if)# arp timeout 60     ! delete the ARP entry if the client has not answered for 60 seconds
Note: After this configuration, when a DHCP client obtains an IP address from the server, the server probes that IP address over ARP; if there is no answer for 60 seconds, the entry is deleted from the ARP table.
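The behaviour these two commands are meant to produce, and the spoofing case they are meant to stop, can be played through in a short simulation. The following Python is an added example for this page, not Cisco code or code from the original post; the class and method names are my own, the timeline and MAC addresses are constructed, and it models only what is described above: ARP entries created from DHCP bindings, dynamic learning switched off, and the entry removed after arp timeout seconds of silence. What IOS does with the DHCP binding itself once the ARP entry is gone is not modelled.

```python
class AuthorizedArpInterface:
    """One router interface with 'arp authorized', fed by a pool with 'update arp'."""

    def __init__(self, arp_timeout=60):
        self.arp_timeout = arp_timeout   # arp timeout 60
        self.bindings = {}               # ip -> mac, as recorded by the DHCP server
        self.arp = {}                    # ip -> (mac, last time the client answered)
        self.log = []

    def dhcp_lease(self, ip, mac, now):
        """'update arp': the lease itself creates the ARP entry; no learning involved."""
        self.bindings[ip] = mac
        self.arp[ip] = (mac, now)
        self.log.append(f"t={now}: lease {ip} -> {mac}, secure ARP entry installed")

    def arp_seen(self, ip, mac, now):
        """ARP traffic on the wire (a reply to the server's probe, or anybody's
        gratuitous ARP). With 'arp authorized' it only refreshes an entry whose
        MAC matches the DHCP binding; everything else is ignored, not learned."""
        if self.bindings.get(ip) != mac:
            self.log.append(f"t={now}: ignored '{ip} is-at {mac}', no matching DHCP binding")
            return False
        self.arp[ip] = (mac, now)
        return True

    def probe_cycle(self, now):
        """Periodic probe: drop entries whose client stayed silent past arp timeout."""
        for ip, (mac, seen) in list(self.arp.items()):
            if now - seen > self.arp_timeout:
                del self.arp[ip]
                self.log.append(f"t={now}: {ip} ({mac}) silent for >{self.arp_timeout}s, ARP entry removed")

    def can_reach(self, ip):
        """Without an ARP entry the router cannot build the L2 frame for the host."""
        return ip in self.arp


def hotspot_scenario():
    """Figure 4 replayed on a constructed timeline (seconds): R1 pays and leases
    10.1.1.2; R2 tries to take the address over; a host with a static IP shows up."""
    r3 = AuthorizedArpInterface(arp_timeout=60)
    r3.dhcp_lease("10.1.1.2", "aaaa.aaaa.0001", now=0)                        # R1
    spoof_ignored = not r3.arp_seen("10.1.1.2", "bbbb.bbbb.0002", now=10)      # R2 claims 10.1.1.2
    entry_still_r1 = r3.arp["10.1.1.2"][0] == "aaaa.aaaa.0001"
    static_ignored = not r3.arp_seen("10.1.1.50", "cccc.cccc.0003", now=15)    # manually configured host
    r3.arp_seen("10.1.1.2", "aaaa.aaaa.0001", now=30)                          # R1 answers a probe
    r3.probe_cycle(now=50)                                                     # 20 s of silence: kept
    kept = r3.can_reach("10.1.1.2")
    r3.probe_cycle(now=100)                                                    # 70 s of silence: R1 has left
    removed = not r3.can_reach("10.1.1.2")
    r2_still_out = not r3.arp_seen("10.1.1.2", "bbbb.bbbb.0002", now=101)      # R2 tries again: no binding for its MAC
    results = {"spoof_ignored": spoof_ignored, "entry_still_r1": entry_still_r1,
               "static_host_ignored": static_ignored, "kept_while_answering": kept,
               "removed_after_timeout": removed, "r2_still_locked_out": r2_still_out}
    return results, r3.log


if __name__ == "__main__":
    results, log = hotspot_scenario()
    print(results)
    print("\n".join(log))
```

The last check is the point of the feature: even after R1's entry has aged out, R2 does not get an entry for 10.1.1.2, because with authorized ARP nothing short of a DHCP lease for R2's own MAC can create one.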
DHCP snooping

    As shown in Figure 5, the client R1 can only reach the network properly if it obtains an address in 10.1.1.0/24 from the legitimate server R3. If a wrong DHCP server appears on the network (R2 in the figure) and hands R1 an address from 20.1.1.0/24, R1 loses connectivity. In this case the illegitimate DHCP server must be prevented from providing DHCP service, which is what DHCP snooping is for. DHCP snooping is done on the switch: in the figure, the switch is simply told that only DHCP replies arriving on F0/3 may be forwarded to clients, and replies arriving on any other interface are discarded. To do this the switch must be told that F0/3 is a trusted DHCP interface and that the other interfaces are untrusted and may not supply DHCP replies. Switch interfaces are therefore divided into trusted and untrusted interfaces, and by default every interface is untrusted, which means that once DHCP snooping is enabled no device on any interface can provide DHCP service until an interface is marked trusted. When configuring DHCP snooping you must also specify which VLANs are inspected; VLANs that are not listed are exempt from these rules.
1. Configuring DHCP snooping on the switch
Note: all interfaces on the switch are in VLAN 1
(1) Enable DHCP snooping on the switch
   sw(config)# ip dhcp snooping          ! enable DHCP snooping globally
   sw(config)# ip dhcp snooping vlan 1   ! inspect DHCP in VLAN 1
(2) Make the appropriate interface trusted (all interfaces are untrusted by default)
   sw(config)# int f0/3
   sw(config-if)# ip dhcp snooping trust
2. Verification commands:
(1) View the DHCP snooping status
   sw# sh ip dhcp snooping
    Description: With the above configuration, only the device on the switch's F0/3 interface (the trusted interface) can answer DHCP requests; DHCP replies arriving on any other interface, such as those from R2, are discarded. But you will then find that R1 still cannot get an address from the DHCP server R3. This is because DHCP snooping, once enabled, by default also inserts the relay agent information option (option 82) into the client's request while leaving giaddr at 0.0.0.0, since the switch is not actually relaying. When the IOS DHCP server or relay receives a request that carries option 82 but has giaddr 0.0.0.0, its default behaviour is to discard it without responding, so R3 drops R1's request. To let R1 receive the address the DHCP server offers as normal, tell R3 to accept such packets on the interface facing the switch:
      R3(config-if)# ip dhcp relay information trusted
    (Alternatively, stop the switch from inserting option 82 with no ip dhcp snooping information option.)
    Finally, as the figure shows, if R3 is not itself the DHCP server and the server is on a remote network, R3 must act as a relay and forward the request to the server; in that case, besides ip dhcp relay information trusted, ip helper-address must also be configured on R3's interface. Both are indispensable.
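The two filtering decisions described in this section, the switch's trusted/untrusted check and the server's option 82 / giaddr check, can be modelled together. The following Python is an added example for this page, not Cisco code or code from the original post; the class names, port names and message objects are my own, and it models only the rules stated above: server messages from untrusted ports are dropped, client messages from untrusted ports must have giaddr 0.0.0.0 and get option 82 inserted unless that is switched off, and an IOS server or relay drops a request carrying option 82 with giaddr 0.0.0.0 unless ip dhcp relay information trusted is set.

```python
from dataclasses import dataclass, field

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
ZERO = "0.0.0.0"


@dataclass
class DhcpMsg:
    """Just the fields the two checks look at."""
    mtype: str                     # DISCOVER, OFFER, REQUEST, ACK, ...
    chaddr: str                    # client MAC
    giaddr: str = ZERO
    options: dict = field(default_factory=dict)


class SnoopingSwitch:
    """'ip dhcp snooping' on an access switch."""

    def __init__(self, vlans, trusted_ports, insert_option82=True):
        self.vlans = set(vlans)                  # ip dhcp snooping vlan <n>
        self.trusted = set(trusted_ports)        # ip dhcp snooping trust
        self.insert_option82 = insert_option82   # on by default; 'no ip dhcp snooping information option' clears it
        self.dropped = []                        # (port, reason), what the drop counters would show

    def ingress(self, port, vlan, msg):
        """Return the message to forward, or None when snooping drops it."""
        if vlan not in self.vlans or port in self.trusted:
            return msg                              # not inspected
        if msg.mtype in SERVER_MESSAGES:
            self.dropped.append((port, "server message on untrusted port"))
            return None                             # rogue server (R2 in the figure)
        if msg.giaddr != ZERO:
            self.dropped.append((port, "non-zero giaddr on untrusted port"))
            return None                             # an untrusted port must not relay
        if self.insert_option82:
            msg.options[82] = {"circuit_id": f"vlan{vlan}:{port}"}   # giaddr stays 0.0.0.0
        return msg


class IosDhcpServer:
    """The option 82 / giaddr sanity check an IOS DHCP server or relay applies."""

    def __init__(self, relay_information_trusted=False):
        self.trusted = relay_information_trusted  # ip dhcp relay information trusted

    def accept(self, msg):
        if msg is None:
            return False
        if 82 in msg.options and msg.giaddr == ZERO and not self.trusted:
            return False                            # default: silently discarded
        return True


def scenario():
    """Figure 5 replayed with constructed messages: R1 on Fa0/1, rogue R2 on Fa0/2,
    real server R3 on Fa0/3, everything in VLAN 1."""
    sw = SnoopingSwitch(vlans={1}, trusted_ports={"Fa0/3"})
    results = {}
    results["rogue_offer_dropped"] = sw.ingress("Fa0/2", 1, DhcpMsg("OFFER", "r2-mac")) is None
    results["trusted_offer_forwarded"] = sw.ingress("Fa0/3", 1, DhcpMsg("OFFER", "r3-mac")) is not None
    results["spoofed_relay_dropped"] = sw.ingress("Fa0/2", 1, DhcpMsg("DISCOVER", "r2-mac", giaddr="10.1.1.1")) is None

    discover = sw.ingress("Fa0/1", 1, DhcpMsg("DISCOVER", "r1-mac"))
    results["option82_inserted"] = discover is not None and 82 in discover.options and discover.giaddr == ZERO
    results["default_server_drops"] = not IosDhcpServer().accept(discover)
    results["trusted_server_accepts"] = IosDhcpServer(relay_information_trusted=True).accept(discover)

    sw2 = SnoopingSwitch(vlans={1}, trusted_ports={"Fa0/3"}, insert_option82=False)
    results["no_option82_accepted"] = IosDhcpServer().accept(sw2.ingress("Fa0/1", 1, DhcpMsg("DISCOVER", "r1-mac")))
    return results


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:26s} {ok}")
```

The middle three checks are the trap described in the text: snooping alone protects R1 from R2 but, with option 82 insertion left at its default, also makes R3 drop R1's own request until either ip dhcp relay information trusted is added on R3 or option 82 insertion is turned off on the switch.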

Origin www.cnblogs.com/qzqdy/p/11463278.html