Supporng FastIron Soware Release 08.0.95
CONFIGURATION GUIDE
RUCKUS FastIron DHCP
Conguraon Guide, 08.0.95
Part Number: 53-1005654-01
Publicaon Date: 11 September 2020
Copyright, Trademark and Proprietary Rights Informaon
©
2020 CommScope, Inc. All rights reserved.
No part of this content may be reproduced in any form or by any means or used to make any derivave work (such as translaon, transformaon,
or adaptaon) without wrien permission from CommScope, Inc. and/or its aliates ("CommScope"). CommScope reserves the right to revise or
change this content from me to me without obligaon on the part of CommScope to provide nocaon of such revision or change.
Export Restricons
These products and associated technical data (in print or electronic form) may be subject to export control laws of the United States of America. It is
your responsibility to determine the applicable regulaons and to comply with them. The following noce is applicable for all products or
technology subject to export control:
These items are controlled by the U.S. Government and authorized for export only to the country of ulmate desnaon for use by the ulmate
consignee or end-user(s) herein idened. They may not be resold, transferred, or otherwise disposed of, to any other country or to any person other
than the authorized ulmate consignee or end-user(s), either in their original form or aer being incorporated into other items, without rst
obtaining approval from the U.S. government or as otherwise authorized by U.S. law and regulaons.
Disclaimer
THIS CONTENT AND ASSOCIATED PRODUCTS OR SERVICES ("MATERIALS"), ARE PROVIDED "AS IS" AND WITHOUT WARRANTIES OF ANY KIND,
WHETHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT PERMISSIBLE PURSUANT TO APPLICABLE LAW, COMMSCOPE DISCLAIMS ALL
WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, FREEDOM FROM COMPUTER VIRUS, AND WARRANTIES ARISING FROM COURSE OF DEALING
OR COURSE OF PERFORMANCE. CommScope does not represent or warrant that the functions described or contained in the Materials will be
uninterrupted or error-free, that defects will be corrected, or are free of viruses or other harmful components. CommScope does not make any
warranties or representations regarding the use of the Materials in terms of their completeness, correctness, accuracy, adequacy, usefulness,
timeliness, reliability or otherwise. As a condition of your use of the Materials, you warrant to CommScope that you will not make use thereof for
any purpose that is unlawful or prohibited by their associated terms of use.
Limitaon of Liability
IN NO EVENT SHALL COMMSCOPE, COMMSCOPE AFFILIATES, OR THEIR OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SUPPLIERS, LICENSORS AND
THIRD PARTY PARTNERS, BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, PUNITIVE, INCIDENTAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES, OR
ANY DAMAGES WHATSOEVER, EVEN IF COMMSCOPE HAS BEEN PREVIOUSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, WHETHER IN AN
ACTION UNDER CONTRACT, TORT, OR ANY OTHER THEORY ARISING FROM YOUR ACCESS TO, OR USE OF, THE MATERIALS. Because some jurisdictions
do not allow limitations on how long an implied warranty lasts, or the exclusion or limitation of liability for consequential or incidental damages,
some of the above limitations may not apply to you.
Trademarks
ARRIS, the ARRIS logo, COMMSCOPE, RUCKUS, RUCKUS WIRELESS, the Ruckus logo, the Big Dog design, BEAMFLEX, CHANNELFLY, FASTIRON, ICX,
SMARTCELL and UNLEASHED are trademarks of CommScope, Inc. and/or its affiliates. Wi-Fi Alliance, Wi-Fi, the Wi-Fi logo, Wi-Fi Certified, the Wi-Fi
CERTIFIED logo, Wi-Fi Protected Access, the Wi-Fi Protected Setup logo, Wi-Fi Protected Setup, Wi-Fi Multimedia and WPA2 and WMM are
trademarks or registered trademarks of Wi-Fi Alliance. All other trademarks are the property of their respective owners.
Contents
Preface
Document Conventions
Notes, Cautions, and Safety Warnings
Command Syntax Conventions
Document Feedback
RUCKUS Product Documentation Resources
Online Training Resources
Contacting RUCKUS Customer Services and Support
What Support Do I Need?
Open a Case
Self-Service Resources
About This Document
What's new in this document
Supported Hardware
Dynamic Host Configuration Protocol Overview
DHCP overview
DHCP Clients
DHCP Client
DHCP Client Behavior on a Layer 3 Device
DHCP Over Default Virtual Ethernet Port (Layer 3 Devices)
Default Virtual Ethernet Port Creation (Layer 3 Devices)
Possible Reasons for Failure of Virtual Ethernet Port Creation
Enabling the DHCP Client for a Specific VE Port
DHCP Client in Continuous Discovery Mode (Layer 2 and Layer 3 Devices)
DHCP Client as a New Device
DHCP Client Behavior after Reboot
BootP and DHCP relay parameters
Configuring an IP helper address
Configuring the BOOTP and DHCP reply source address
Changing the IP address used for stamping BootP and DHCP requests
Changing the maximum number of hops to a BootP relay server
DHCP Auto-Provisioning
Auto-Provisioning Using the bootfile.bin Option
DHCP Auto-Provisioning Using the Manifest File Option
DHCP Auto-Provisioning Enhancements
Configuring DHCP Auto-Provisioning Enhancements
DHCP auto-provisioning options
Disabling or re-enabling the DHCP client
DHCP auto-provisioning on Layer 2 and Layer 3 devices
Scenario 1: DHCP auto-provisioning on a Layer 3 device
Scenario 2: DHCP auto-provisioning with a TFTP server in a different network
Scenario 3: DHCP client connected through a DHCP snooping device
Scenario 4: DHCP client option 12
Scenario 5: DHCP auto-provisioning on a Layer 2 device
Configuration Notes and Feature Limitations for DHCP Auto-Provisioning
High Availability and 802.1BR Considerations
Upgrade Considerations
How DHCP Client-Based Auto-Provisioning and Flash Image Update Works
Validating the IP Address and Lease Negotiation
Flash Image Download and Update
Auto-Provisioning Download and Update
Disabling or re-enabling auto-provisioning
Dynamic DHCP options configuration processing
Discovery of SZ based on DHCP Option 43
Configuration notes and feature limitations
Verifying dynamic DHCP options for a switch
Verifying dynamic DHCP options for a router
DHCP Servers
DHCP Servers
Configuration Considerations for DHCP Servers
Configuring the DHCP server and creating an address pool
Default DHCP server settings
DHCP server options
Recommendations and limitations
Upgrade considerations
Disabling or re-enabling the DHCP server on the management port
Setting the wait time for ARP ping response
DHCP relay agent information support (option 82)
Enabling relay agent information (option 82)
Configuring the IP address of the DHCP server
Configuring the boot image
Deploying an address pool configuration to the server
Specifying default router available to the client
Specifying DNS servers available to the client
Configuring the domain name for the client
Configuring the lease duration for the address pool
Specifying addresses to exclude from the address pool
Configuring the NetBIOS server for DHCP clients
Configuring the subnet and mask of a DHCP address pool
Configuring the TFTP server
Configuring X Window System Display Manager IP addresses (option 49)
Vendor specific information (option 43 and option 60) configurations
Configuring vendor details and vendor specific information (option 43 and option 60)
Enabling static IP to MAC address mapping
Configuring Avaya IP telephony (options 176 and 242)
Configuring WPAD (option 252)
Displaying DHCP server information
DHCPv4
DHCPv4 overview
DHCP Assist configuration
How DHCP Assist works
Configuring DHCP Assist
Dynamic ARP Inspection Overview
ARP Poisoning
How Dynamic ARP Inspection Works
Configuration Notes and Feature Limitations for DAI
Configuring Dynamic ARP Inspection
Configuring Dynamic ARP Inspection on Multiple VLANs
Disabling Syslog Messages for DAI
Displaying ARP Information
Configuring DAI to Support Multi-VRF
Enabling Trust on a Port for a Specific VRF
DHCP Snooping
How DHCP Snooping Works
System Reboot and the Binding Database
Configuration Notes and Feature Limitations for DHCP Snooping
Configuring DHCP Snooping
Configuring DHCP Snooping on Multiple VLANs
Displaying DHCPv4 Snooping Information
Configuring DHCPv4 Snooping for Multi-VRF
DHCP Relay Agent Information and Option 82 Insertion
Configuration Notes for DHCP Option 82
DHCP Option 82 Sub-options
DHCP Option 82 Configuration
IP Source Guard
Configuration Notes and Feature Limitations for IP Source Guard
Enabling IP Source Guard on a Port or Range of Ports
Defining Static IP Source Bindings
Enabling IP Source Guard for a VLAN
Enabling IP Source Guard for a LAG Port for a VLAN
Enabling IP Source Guard on Multiple VLANs
Binding IP Source Guard ACLs to Ports
Displaying Learned IP Addresses
DHCPv6
DHCPv6 overview
DHCP relay agent for IPv6
Configuring a DHCPv6 relay agent
DHCPv6 relay agent include options
Specifying the IPv6 DHCP relay include options
DHCPv6 Relay Agent Prefix Delegation Notification
DHCPv6 Relay Agent Prefix Delegation Notification limitations
Upgrade and downgrade considerations
Configuring DHCPv6 Relay Agent Prefix Delegation Notification
Enabling DHCPv6 Relay Agent Prefix Delegation Notification on an interface
Assigning the administrative distance to DHCPv6 static routes
Displaying DHCPv6 relay agent and prefix delegation information
Clearing the DHCPv6 delegated prefixes and packet counters
DHCPv6 Snooping
How DHCPv6 Snooping Works
Configuration Notes and Feature Limitations for DHCPv6 Snooping
Configuring DHCPv6 Snooping
Configuring DHCPv6 Snooping on Multiple VLANs
Configuring DHCPv6 Snooping for Multi-VRF
Displaying DHCPv6 Snooping Information
DHCPv6 Server
Configuration Considerations for DHCPv6 Servers
Configuring the Stateless DHCPv6 Server on Layer 3 Software Images
Configuring the Stateful DHCPv6 Server on Layer 3 Software Images
Configuring the Stateless DHCPv6 Server on Layer 2 Software Images
Configuring the Stateful DHCPv6 Server on Layer 2 Software Images
Displaying DHCPv6 Server Information
Verification of DHCPv6 Server Status
Verification in Linux Mode
Prefix Delegation
Prefix Delegation for ICX DHCPv6 Servers in Layer 3 Software Images
Preface
Document Conventions
Command Syntax Conventions
Document Feedback
RUCKUS Product Documentation Resources
Online Training Resources
Contacting RUCKUS Customer Services and Support
Document Conventions
The following table lists the text conventions that are used throughout this guide.
TABLE 1 Text Conventions
Convention   Description                                                                                                     Example
monospace    Identifies command syntax examples                                                                              device(config)# interface ethernet 1/1/6
bold         User interface (UI) components such as screen or page names, keyboard keys, software buttons, and field names   On the Start menu, click All Programs.
italics      Publication titles                                                                                              Refer to the RUCKUS Small Cell Release Notes for more information.
Notes, Cautions, and Safety Warnings
Notes, cautions, and warning statements may be used in this document. They are listed in the order of increasing severity of potential hazards.
NOTE
A NOTE provides a tip, guidance, or advice, emphasizes important information, or provides a reference to related information.
ATTENTION
An ATTENTION statement indicates some information that you must read before continuing with the current action or task.
CAUTION
A CAUTION statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data.
DANGER
A DANGER statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.
Command Syntax Conventions
Bold and italic text identify command syntax components. Delimiters and operators define groupings of parameters and their logical relationships.
Convention      Description
bold text       Identifies command names, keywords, and command options.
italic text     Identifies a variable.
[ ]             Syntax components displayed within square brackets are optional. Default responses to system prompts are enclosed in square brackets.
{ x | y | z }   A choice of required parameters is enclosed in curly brackets separated by vertical bars. You must select one of the options.
x | y           A vertical bar separates mutually exclusive elements.
< >             Nonprinting characters, for example, passwords, are enclosed in angle brackets.
...             Repeat the previous element, for example, member[member...].
\               Indicates a “soft” line break in command examples. If a backslash separates two lines of a command input, enter the entire command at the prompt without the backslash.
Document Feedback
RUCKUS is interested in improving its documentation and welcomes your comments and suggestions.
You can email your comments to RUCKUS at #[email protected]om.
When contacting us, include the following information:
• Document title and release number
• Document part number (on the cover page)
• Page number (if appropriate)
For example:
RUCKUS SmartZone Upgrade Guide, Release 5.0
Part number: 800-71850-001 Rev A
Page 7
RUCKUS Product Documentation Resources
Visit the RUCKUS website to locate related documentation for your product and additional RUCKUS resources.
Release Notes and other user documentation are available at https://support.ruckuswireless.com/documents. You can locate the documentation by product or perform a text search. Access to Release Notes requires an active support contract and a RUCKUS Support Portal user account. Other technical documentation content is available without logging in to the RUCKUS Support Portal.
White papers, data sheets, and other product documentation are available at https://www.ruckuswireless.com.
Online Training Resources
To access a variety of online RUCKUS training modules, including free introductory courses to wireless networking essentials, site surveys, and products, visit the RUCKUS Training Portal at https://training.ruckuswireless.com.
Contacting RUCKUS Customer Services and Support
The Customer Services and Support (CSS) organization is available to provide assistance to customers with active warranties on their RUCKUS products, and customers and partners with active support contracts.
For product support information and details on contacting the Support Team, go directly to the RUCKUS Support Portal using https://support.ruckuswireless.com, or go to https://www.ruckuswireless.com and select Support.
What Support Do I Need?
Technical issues are usually described in terms of priority (or severity). To determine if you need to call and open a case or access the self-service resources, use the following criteria:
• Priority 1 (P1)—Critical. Network or service is down and business is impacted. No known workaround. Go to the Open a Case section.
• Priority 2 (P2)—High. Network or service is impacted, but not down. Business impact may be high. Workaround may be available. Go to the Open a Case section.
• Priority 3 (P3)—Medium. Network or service is moderately impacted, but most business remains functional. Go to the Self-Service Resources section.
• Priority 4 (P4)—Low. Requests for information, product documentation, or product enhancements. Go to the Self-Service Resources section.
Open a Case
When your entire network is down (P1), or severely impacted (P2), call the appropriate telephone number listed below to get help:
• Continental United States: 1-855-782-5871
• Canada: 1-855-782-5871
• Europe, Middle East, Africa, Central and South America, and Asia Pacific, toll-free numbers are available at https://support.ruckuswireless.com/contact-us and Live Chat is also available.
• Worldwide toll number for our support organization. Phone charges will apply: +1-650-265-0903
We suggest that you keep a physical note of the appropriate support number in case you have an entire network outage.
Self-Service Resources
The RUCKUS Support Portal at https://support.ruckuswireless.com offers a number of tools to help you to research and resolve problems with your RUCKUS products, including:
• Technical Documentation—https://support.ruckuswireless.com/documents
• Community Forums—https://forums.ruckuswireless.com/ruckuswireless/categories
• Knowledge Base Articles—https://support.ruckuswireless.com/answers
• Software Downloads and Release Notes—https://support.ruckuswireless.com/#products_grid
• Security Bulletins—https://support.ruckuswireless.com/security
Using these resources will help you to resolve some issues, and will provide TAC with additional data from your troubleshooting analysis if you still require assistance through a support case or RMA. If you still require help, open and manage your case at https://support.ruckuswireless.com/case_management.
About This Document
What's new in this document
Supported Hardware
What's new in this document
The following table describes information added or modified in this guide for FastIron 08.0.95.
NOTE
The ICX 7550 Series Switches are not supported in release 08.0.95. Support for the ICX 7550 will be introduced in a later release.
TABLE 2 Summary of Enhancements in FastIron Release 08.0.95
Feature: DHCPv4 and DHCPv6 Snooping Enhancements
Description: A number of changes and enhancements have been introduced for DHCP and DHCPv6 Snooping as a result of ACL rearchitecture. These include the following:
• DHCP Snooping can be configured for a VLAN or VLANs even before the VLAN or VLANs are created. VLANs and DHCP Snooping configurations on the VLANs are not automatically deleted when the VLAN is deleted.
• When DHCP Snooping is enabled, client and server packets are not allowed on the same port.
• DHCP Snooping can be configured on a maximum of 511 VLANs.
• DHCP Snooping cannot be enabled for a VLAN that is a member of a VLAN group.
• When configuring DHCP Snooping on a range of VLANs or multi-VLAN, there cannot be any VLAN in the range that is a member of a VLAN group or any reserved VLAN.
• For default VLAN ID changes, DHCPv4 and DHCPv6 snooping are not automatically configured on the new default VLAN, and must be re-applied on the new default VLAN. The DHCP Snooping configurations are not automatically configured on the new default VLAN 4000.
• ACLs are supported on member ports of a VLAN on which DHCP snooping and Dynamic ARP Inspection (DAI) are enabled. In previous releases, these were mutually exclusive.
Location: Refer to DHCP Snooping on page 77 and DHCPv6 Snooping on page 105.
Feature: IP Source Guard (IPSG) and SG ACL Enhancements
Description: A number of changes and enhancements have been introduced for IPSG ACLs. These include the following:
• A new command has been introduced to bind an IPSG ACL to a port, VLAN, or interface for incoming traffic.
• IPSG and SG ACL can be configured for the same port. IPSG and ACLs are supported together on the same device with certain limitations.
• IPSG cannot be enabled on a per-port-per-VLAN basis.
• If IPSG is configured for a specified port for a VLAN, it cannot be configured globally for the VLAN.
• IPSG Snooping can be configured on a maximum of 511 VLANs.
• RUCKUS devices do not support IPSG with ingress IPv4 ACLs for the same port, at the VLAN level, at the port level, or across different levels.
• To bind an IPSG ACL to an interface for incoming traffic, you must now use the ip sg-access-group command.
• IPSG is not supported for VLAN groups. If upgrading from FastIron 08.0.92 to FastIron 08.0.95, IPSG is not configured for a VLAN group, even if this was previously configured.
• IPSG is not supported for VE interfaces.
• When a client moves from one port to another port in the same VLAN, the old snoop entry for the client MAC address is automatically updated. This occurs even when the client acquires a new IP address.
• Duplicate IP entries across VLANs are allowed in the DHCP snooping table. When a client moves from one VLAN to another and acquires the same address, two snooping entries are maintained for the same MAC address and IP address.
• Option-82 can be disabled or re-enabled on multiple VLANs or a range of VLANs using a single command, ip dhcp snooping relay information disable.
• IPSG can be enabled on tagged ports or untagged ports in a VLAN.
Location: Refer to IP Source Guard on page 91.
Feature: DHCP Client on non-default Virtual Ethernet Ports
Description: The DHCP client can be enabled for a non-default Virtual Ethernet (VE) port. By default, the DHCP client is enabled for the default VE port.
Location: Refer to Enabling the DHCP Client for a Specific VE Port on page 19.
Feature: Dynamic ARP Inspection (DAI) Enhancements
Description: A number of changes and enhancements have been introduced for DAI as a result of ACL rearchitecture. These include the following:
• DAI can be configured on a maximum of 511 VLANs.
• The maximum number of static DAI entries that can be configured is 6000. This value cannot be changed.
Location: Refer to Dynamic ARP Inspection Overview on page 71.
Feature: Updates to address defects
Description: Minor updates on content throughout to address defects.
Location: All chapters.
Feature: Minor editorial updates
Description: Minor editorial updates were made throughout the Configuration Guide.
Location: All chapters.
Supported Hardware
This guide supports the following RUCKUS products:
• RUCKUS ICX 7850 Switch
• RUCKUS ICX 7750 Switch
• RUCKUS ICX 7650 Switch
• RUCKUS ICX 7550 Switch
• RUCKUS ICX 7450 Switch
• RUCKUS ICX 7250 Switch
• RUCKUS ICX 7150 Switch
For information about what models and modules these devices support, refer to the hardware installation guide for the specific product family.
Dynamic Host Configuration Protocol Overview
DHCP overview
The Dynamic Host Configuration Protocol (DHCP) is based on the Bootstrap Protocol (BOOTP) and provides several configuration parameters stored in DHCP server databases to DHCP clients upon request.
DHCP enables the automatic configuration of client systems. DHCP removes the need to configure devices individually. Clients can set network properties by connecting to the DHCP server instead. This protocol consists of two components: a protocol to deliver host-specific configuration parameters from a DHCP server to a host, and a mechanism to allocate leased or permanent IP addresses to hosts. DHCP is built on a client-server model, where designated DHCP server hosts allocate network addresses and deliver configuration parameters to dynamically configured hosts.
DHCP Clients
DHCP Client
BootP and DHCP relay parameters
Configuring an IP helper address
Configuring the BOOTP and DHCP reply source address
Changing the IP address used for stamping BootP and DHCP requests
Changing the maximum number of hops to a BootP relay server
DHCP Auto-Provisioning
Auto-Provisioning Using the bootfile.bin Option
DHCP Auto-Provisioning Using the Manifest File Option
DHCP Auto-Provisioning Enhancements
Configuring DHCP Auto-Provisioning Enhancements
DHCP auto-provisioning options
Disabling or re-enabling the DHCP client
DHCP auto-provisioning on Layer 2 and Layer 3 devices
Configuration Notes and Feature Limitations for DHCP Auto-Provisioning
Disabling or re-enabling auto-provisioning
Dynamic DHCP options configuration processing
Discovery of SZ based on DHCP Option 43
Verifying dynamic DHCP options for a switch
Verifying dynamic DHCP options for a router
DHCP Client
A host on an IP network can use BOOTP or DHCP to obtain its IP address from a BOOTP or DHCP server. To obtain the address, the client sends a
BOOTP or DHCP request.
The request is a subnet-directed broadcast and is addressed to UDP port 67. A limited IP broadcast is addressed to IP address 255.255.255.255 and is not forwarded by the RUCKUS Layer 3 switch or other IP routers. When the BOOTP or DHCP client and server are on the same network, the server receives the broadcast request and replies to the client. However, when the client and server are on different networks, the server does not receive the client request, because the Layer 3 switch does not forward the request.
You can configure the Layer 3 switch to forward BOOTP or DHCP requests. To do so, configure a helper address on the interface that receives the client requests, and specify the BOOTP or DHCP server IP address as the address you are helping the BOOTP or DHCP requests to reach. Refer to Configuring an IP helper address on page 22. Instead of the server IP address, you can specify the subnet directed broadcast address of the IP subnet the server is in.
The DHCP client supports the dynamic IP address allocation method, where an IP address is assigned to a client for a limited period of time (or until the client explicitly relinquishes the address). Permanent IP address allocation to the hosts and statically assigned IP addresses are not supported.
RUCKUS devices support a DHCP client on physical ports, LAG ports, Virtual Ethernet ports, and Control Bridge (CB) ports (802.1BR-enabled). The DHCP client is not supported on tunnel ports, stacking ports when stacking is enabled, or PE ports in 802.1BR-enabled RUCKUS devices.
NOTE
On a Layer 3 device, DHCP client support for PE ports on 802.1BR-enabled RUCKUS devices includes the ability to participate in the initial DHCP IP discovery phase to create a default Virtual Ethernet port. However, because PE ports are considered Layer 2 switching ports, they cannot be assigned an IP address.
The DHCP client is enabled by default at bootup on all RUCKUS devices.
DHCP Client Behavior on a Layer 3 Device
On a Layer 3 device, all physical ports act as DHCP clients by default. When a DHCP offer is received, an IP address gets assigned to the port (for example, ethernet interface 1/1/1) on which the DHCP offer is received. No more DHCP offers are accepted on other ports at this point. If a virtual ethernet (VE) port is configured on the default VLAN, that VE acts as the DHCP client. VEs configured on non-default VLANs (user created VLANs) do not act as the DHCP client by default. You can change this behavior by designating one of the non-default VEs as the DHCP client instead of the default VE.
Therefore, the DHCP client is functional on the following ports based on the configuration:
• Physical ports when the user does not configure a default VE, or
• The default VE configured by the user, or
• A non-default VE if the user overrides the default behavior by designating a non-default VE as the DHCP client.
DHCP Over Default Virtual Ethernet Port (Layer 3 Devices)
The following enhancements mimic the behavior of a Layer 2 device when it is running the Layer 3 image:
• The ICX device is managed even during cable movement from one in-band interface port to another.
• Network devices that are connected downstream through an ICX device are managed no matter what ports are connected, as long as the downstream ports belong to the default Virtual Ethernet port.
• Using DHCP, acquiring an IP address or upgrading the configuration uses zero-touch provisioning.
• By default, the ICX device allows traffic to pass across all ports (reachability).
• A single MAC address per system is used for IP discovery, which allows the same IP address to be used all the time.
Default Virtual Ethernet Port Creation (Layer 3 Devices)
The DHCP server is reachable through a physical port, and, if option 43 VSI is configured on the DHCP server, the server sends the option 43 VSI string “Create default VE” (not case-sensitive) in a DHCPACK message. A RUCKUS device configured as a DHCP client matches the VSI string and creates the default Virtual Ethernet port.
NOTE
To create a Virtual Ethernet port, at least one port must be a member of the default VLAN of the device.
If Virtual Ethernet port creation is successful, the IP address that is acquired through the physical port is released, and an IP address will be re-acquired through the default Virtual Ethernet port.
If default Virtual Ethernet port creation fails, the IP address acquired will be assigned to the physical interface port or ports connecting the DHCP server if the connecting ports are Layer 3 ports.
Possible Reasons for Failure of Virtual Ethernet Port Creation
The member ports of the default VLAN are queried to check for certain configurations. If any of the items are found, default Virtual Ethernet creation fails without other conditions being checked. The following configured items result in failure:
• IP routing
• VRF
• IP policy
• Route only
• RPF mode
• IP mac
Enabling the DHCP Client for a Specific VE Port
The DHCP client can be enabled for a specific Virtual Ethernet (VE) port, either default or non-default. By default, the DHCP client is enabled for the default VE port.
NOTE
When option 43 is received as “Create Default VE” while running the DHCP client on the VE, a trap and syslog are generated to ignore Option 43.
NOTE
The DHCP client can be configured for only one specific VE port at a time.
NOTE
When this feature is enabled, DHCP-based zero touch provisioning will not be functional.
The following task enables the DHCP client for a specified VE port.
1. Enter global configuration mode.
device# configure terminal
2. Enable the DHCP client for a specified VE interface.
device(config)# ip dhcp-client ve 22
The following example enables the DHCP client for a specified VE port.
device# configure terminal
device(config)# ip dhcp-client ve 22
DHCP Client in Continuous Discovery Mode (Layer 2 and Layer 3 Devices)
Beginning with release 08.0.61, the DHCP-client discovery process starts automatically when the system boots up and runs in a continuous manner.
DHCP Discovery is attempted 5 times based on the exponential back-off algorithm, as per RFC 2131. Retries occur at these intervals: x+4 seconds, where x is the starting system time, x+8 seconds, x+16 seconds, x+32 seconds, and x+64 seconds. After the DHCP client reaches the maximum retransmission delay of 64 seconds, it waits 2 seconds and then restarts the discovery process. The five-interval cycle repeats continuously.
NOTE
Discovery intervals may vary by +1 or -1 seconds, depending on system performance.
DHCP Client as a New Device
When the DHCP client device boots up without an IP address with the Layer 2 switch software version, the client initiates DHCP discovery, which is a subnet-directed broadcast. Refer to "DHCP client in continuous discovery mode" for more information.
The DHCP discovery broadcast is received by the DHCP servers present in the network. There are three possible responses to this message:
• No response
• Single response
• More than one response
If the client does not receive a DHCP server response, there is a possibility that the client could be disabled on the device. If the client receives a response from the server (refer to "DORA process"), the client starts the DHCP request and obtains the IP address lease. If the client receives a response from more than one server, the client acknowledges the first response received, which is the default behavior.
NOTE
The DORA process is the standard Discover, Offer, Request, Acknowledge process used by DHCP to allocate IP addresses dynamically to clients through a lease period. Refer to the following graphic for a description of the ICX implementation.
In the Layer 3 software image, when the DHCP client device boots up without any IP address, the client initiates the DHCP discovery on all ports. DHCP discovery packets are sent from all DHCP client-eligible ports in the device. The default discovery mechanism is similar to the switch version.
The following flowchart illustrates this discovery mechanism.
FIGURE 1 DHCP client device bootup with no IP address
DHCP Client Behavior after Reboot
If the DHCP client device reboots with a previously obtained IP address, the DHCP client sends the DHCP request packet, which is a subnet-directed broadcast packet from all the operationally up ports of the device. Once the DHCP server responds positively to the request, the previously obtained IP address is leased seamlessly. If the DHCP server responds in the negative, the previously obtained IP address will be released, and the DHCP process restarts.
If the software version is Layer 3, when the DHCP client comes up after a reboot with a previously obtained IP address, the DHCP client sends the DHCP request packets only on the ports where the DHCP client was enabled previously on the device.
BootP and DHCP relay parameters
The following parameters control the Layer 3 switch forwarding of BootP and DHCP requests:
• Helper address - The BootP/DHCP server IP address. You must configure the helper address on the interface that receives the BootP/DHCP requests from the client. The Layer 3 switch cannot forward a request to the server unless you configure a helper address for the server.
• Gateway address - The Layer 3 switch places the IP address of the interface that received the BootP/DHCP request in the request packet Gateway Address field (sometimes called the Router ID field). When the server responds to the request, the server sends the response as a unicast packet to the IP address in the Gateway Address field. (If the client and server are directly attached, the Gateway ID field is empty, and the server replies to the client using a unicast or broadcast packet, depending on the server.)
By default, the Layer 3 switch uses the lowest-numbered IP address on the interface that receives the request as the Gateway address. You can override the default by specifying the IP address you want the Layer 3 switch to use.
• Hop count - Each router that forwards a BootP/DHCP packet increments the hop count by one. Routers also discard a forwarded BootP/DHCP request instead of forwarding the request if the hop count is greater than the maximum number of BootP/DHCP hops allowed by the router. By default, a RUCKUS Layer 3 switch forwards a BootP/DHCP request if its hop count is four or less but discards the request if the hop count is greater than four. You can change the maximum number of hops the Layer 3 switch allows to a value from 1 through 15.
NOTE
The BootP/DHCP hop count is not the TTL parameter.
Configuring an IP helper address
To forward a client broadcast request for a UDP application when the client and server are on different networks, you must configure a helper
address on the interface connected to the client.
Specify the server IP address or the subnet directed broadcast address of the server's IP subnet as the helper address. You can configure up to 16
helper addresses on each interface. You can configure a helper address on an Ethernet port or a virtual interface.
1. Enter the global configuration mode by issuing the configure terminal command.
device# configure terminal
2. Enter the interface configuration mode.
device(config)# interface ethernet 1/1/2
3. Add a helper address for the server.
device(config-if-1/1/2)# ip helper-address 1 10.95.7.6
The commands in the example above add a helper address for server 10.95.7.6 to the port. If the port receives a client request for any of
the applications that the Layer 3 switch is enabled to forward, the Layer 3 switch forwards the client request to the server.
4. By default, an IP helper does not forward client broadcast requests to a server within the network. To forward a client broadcast request
when the client and server are on the same network, configure an IP helper with the unicast option on the interface connected to the
client.
device(config-if-1/1/2)# ip helper-address 1 10.10.10.1 unicast
The previous example configures an IP helper unicast option on unit 1, slot 1, port 2. The IP helper with unicast parameter forwards the
client request to the server 10.10.10.1, which is within the network.
Configuring the BOOTP and DHCP reply source address
You can configure the device so that a BOOTP/DHCP reply to a client contains the server IP address as the source address instead of the router IP
address.
1. Enter the global configuration mode by issuing the configure terminal command.
device# configure terminal
2. Enter the ip helper-use-responder-ip command.
device(config)# ip helper-use-responder-ip
Changing the IP address used for stamping BootP and DHCP requests
When a Layer 3 switch forwards a BootP or DHCP request, the Layer 3 switch "stamps" the Gateway Address field.
The default value the Layer 3 switch uses to stamp the packet is the lowest-numbered IP address configured on the interface that received the
request. If you want the Layer 3 switch to use a different IP address to stamp requests received on the interface, use either of the following
methods to specify the address.
The BootP/DHCP stamp address is an interface parameter. You can change the parameter on the interface that is connected to the BootP/DHCP
client.
1. Enter the global configuration mode by issuing the configure terminal command.
device# configure terminal
2. Enter the interface configuration mode.
device(config)# interface ethernet 1/1/1
3. Change the BootP or DHCP stamp address for requests received on port 1/1/1 to 10.157.22.26.
device(config-if-1/1/1)# ip bootp-gateway 10.157.22.26
The previous example changes the BootP or DHCP stamp address for requests received on port 1/1/1 to 10.157.22.26. The Layer 3 switch
will place this IP address in the Gateway Address field of BootP or DHCP requests that the Layer 3 switch receives on port 1/1/1 and
forwards to the BootP or DHCP server.
The following example changes the BootP or DHCP stamp address.
device# configure terminal
device(config)# interface ethernet 1/1/1
device(config-if-1/1/1)# ip bootp-gateway 10.157.22.26
Changing the maximum number of hops to a BootP relay server
Each BootP or DHCP request includes a Hop Count field. The Hop Count field indicates how many routers the request has passed through.
When the Layer 3 switch receives a BootP or DHCP request, the Layer 3 switch looks at the value in the Hop Count field.
• If the hop count value is equal to or less than the maximum hop count the Layer 3 switch allows, the Layer 3 switch increments the hop
count by one and forwards the request.
• If the hop count is greater than the maximum hop count the Layer 3 switch allows, the Layer 3 switch discards the request.
You can change the maximum number of hops the Layer 3 switch allows for forwarded BootP or DHCP requests.
NOTE
The BootP and DHCP hop count is not the TTL parameter.
1. Enter the global configuration mode by issuing the configure terminal command.
device# configure terminal
2. Modify the maximum number of BootP or DHCP hops.
device(config)# bootp-relay-max-hops 10
The example allows the Layer 3 switch to forward BootP or DHCP requests that have passed through ten previous hops before reaching
the Layer 3 switch. Requests that have traversed 11 hops before reaching the switch are dropped. Since the hop count value initializes at
zero, the hop count value of an ingressing DHCP Request packet is the number of Layer 3 routers that the packet has already traversed.
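The forwarding rules in this section (hop-count check, hop-count increment, Gateway Address stamping) applied to a raw BootP/DHCP header, as an added example that is not part of the guide or of FastIron. The function names and the sample packets are constructed for illustration, and leaving an already-stamped Gateway Address untouched follows RFC 1542 rather than anything stated here.

```python
import ipaddress
import struct

# Fixed BOOTP/DHCP header, first 28 bytes (RFC 951 / RFC 2131):
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
_HDR = struct.Struct("!BBBBIHH4s4s4s4s")
BOOTREQUEST = 1
ZERO_ADDR = bytes(4)
DEFAULT_MAX_HOPS = 4  # default given in this guide; configurable from 1 through 15


def build_request(hops=0, giaddr="0.0.0.0", xid=0x1234ABCD):
    """Constructed sample: a minimal BOOTREQUEST header plus zeroed remainder."""
    header = _HDR.pack(BOOTREQUEST, 1, 6, hops, xid, 0, 0x8000,
                       ZERO_ADDR, ZERO_ADDR, ZERO_ADDR,
                       ipaddress.IPv4Address(giaddr).packed)
    return header + bytes(236 - _HDR.size)  # chaddr, sname and file left zeroed


def header_fields(packet):
    """Return the two relay-relevant fields of a packet as (hops, giaddr)."""
    fields = _HDR.unpack_from(packet)
    return fields[3], str(ipaddress.IPv4Address(fields[10]))


def relay_request(packet, stamp_ip, max_hops=DEFAULT_MAX_HOPS):
    """Apply the relay rules; return the packet to forward, or None to discard."""
    if not 1 <= max_hops <= 15:
        raise ValueError("maximum hop count must be from 1 through 15")
    if len(packet) < _HDR.size:
        return None  # truncated header, nothing to relay
    op, htype, hlen, hops, xid, secs, flags, ci, yi, si, gi = _HDR.unpack_from(packet)
    if op != BOOTREQUEST:
        return None  # only client requests take this path
    if hops > max_hops:
        return None  # passed through more routers than this relay allows
    if gi == ZERO_ADDR:
        # Assumption (RFC 1542, not stated in the guide): stamp only when the
        # Gateway Address field is empty, so the first relay's address survives.
        gi = ipaddress.IPv4Address(stamp_ip).packed
    header = _HDR.pack(op, htype, hlen, hops + 1, xid, secs, flags, ci, yi, si, gi)
    return header + packet[_HDR.size:]


if __name__ == "__main__":
    for hops in (0, 4, 5):
        out = relay_request(build_request(hops=hops), "10.157.22.26")
        print(hops, "discarded" if out is None else header_fields(out))
```

With bootp-relay-max-hops 10, a request arriving with a hop count of 10 leaves with 11, and one arriving with 11 is dropped, which matches the ten-previous-hops wording above.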
DHCP Auto-Provisioning
DHCP auto-provisioning allows Layer 2 and Layer 3 devices to automatically obtain leased IP addresses through a DHCP server, negotiate address
lease renewal, and obtain flash image and configuration files. The DHCP client and auto-provisioning are enabled by default on all DHCP
client-eligible ports. Auto-provisioning allows clients to boot up with the latest image and configuration without manual intervention. Refer to DHCP
server for details on DHCP server configuration and options.
NOTE
DHCP auto-provisioning is platform independent and does not differ in behavior or configuration across platforms.
FIGURE 2 DHCP Client-Based Auto-Provisioning
Auto-Provisioning Using the bootfile.bin Option
You can configure the image name with a .bin extension on the server.
DHCP auto-provisioning using the bootfile.bin uses the following process.
1. Once a lease is obtained from the server, the device uses the information from the DHCP server to contact the TFTP server to update the
image file.
2. The device compares the file name of the requested flash image with the image stored in flash memory. In a stacking configuration, the
device compares the file name with the image stored in the Active Controller only.
3. If the .bin file names match, then the DHCP client skips the flash image download. If auto-provisioning is enabled, the DHCP client
proceeds with downloading the configuration files. If the .bin file names are different, the DHCP client downloads the new image from a
TFTP server, and then writes the downloaded image to flash memory. In a stacking configuration, the device copies the flash image to
flash in all stack member units.
4. The code determines which flash (primary or secondary) to use based on how the device is booted or based on the location specified in
option 67. Refer to DHCP Auto-Provisioning Enhancements on page 27 for more details.
5. In a stacking configuration, the member units use the same flash as the Active Controller. Once the flash is updated with the newer flash
image, the device is reloaded and all member units in a stacking configuration are reloaded as well. If auto-provisioning is enabled, the
DHCP client then proceeds to download the configuration files.
6. If the DHCP client detects that the new image is older than the current running image, the device continues to reload after a syslog
notification that the device is downgrading and may lose the configuration. The following example shows a syslog notification.
Downloaded boot-image ICXR07030F2b1.bin is downgraded version of ICXR08030F2b1.bin.
Device is downgrading and the configuration may be lost.
DHCP Auto-Provisioning Using the Manifest File Option
Support for DHCP auto-provisioning using the manifest file option was introduced in FastIron 08.0.40.
The bundle of Image file, boot loader, and PoE firmware can be configured as a .txt file on the DHCP server using option 67. Auto-provisioning using
the manifest file uses the following process.
NOTE
From FastIron 08.0.90 release onward, if the booted application image is not a Unified FastIron Image (UFI), the DHCP manifest upgrade
will continue even if the image versions in flash image and Boot filename option image name are same.
1. Once a lease is obtained from the server, the device uses the information from the DHCP server to contact the TFTP server to update the
image file.
The manifest file is downloaded.
2. After downloading the manifest file, the device unzips the file and compares the file name of the requested flash image (for example,
SPR08040q054.bin) and boot image (for example, spz10106b002.bin) with the images stored in flash memory. In a stacking configuration,
the device compares the file name with the image stored in the Active Controller only.
3. If the flash image matches, the DHCP client skips the flash image download. If auto-provisioning is enabled, the DHCP client proceeds with
downloading the configuration files.
4. If the flash image is different, the device downloads the new flash image from the TFTP server and checks for the boot image. If the boot
image matches, the DHCP client skips the boot image. If the boot image does not match, the DHCP client downloads the new boot image
from the TFTP server, and then writes the downloaded image to flash memory. In a stacking configuration, the device copies the flash and
boot image to flash in all stack member units.
5. The code determines which flash (primary or secondary) to use based on how the device is booted or based on the location specified in
option 67. Refer to DHCP Auto-Provisioning Enhancements on page 27 for more details.
6. In a stacking configuration, the member units use the same flash as the Active Controller. Once the flash is updated with the newer flash
image, the device is reloaded and all member units in a stacking configuration are reloaded as well. If auto-configuration is enabled, the
DHCP client then proceeds to download the configuration files after the reload.
7. If the DHCP client detects that the new image is older than the current running image, the device continues to reload after a syslog
notification that the device is downgrading and may lose the configuration. The following example shows a syslog notification.
Downloaded boot-image ICXR07030F2b1.bin is downgraded version of ICXR08030F2b1.bin.
Device is downgrading and the configuration may be lost.
DHCP Auto-Provisioning Enhancements
Auto-provisioning allows DHCP clients to boot up with the latest flash image and configuration without manual intervention. DHCP
auto-provisioning enhancements have been introduced in FastIron 08.0.80 so that you can override the default behavior. The current behavior is that the
ICX device (DHCP client) is forced to download the application image type based on the current version of the device.
When DHCP auto-provisioning enhancements are configured for option 67, the application image type (router or switch) and the flash image
location (primary or secondary) can be configured as part of option 67 along with the file name. This means that you can decide the image type and
the flash memory location to which the DHCP client should be upgraded. The DHCP client then upgrades to a specific image type and flash location
as received by option 67 from the server.
When option 67 is received from the server, the DHCP client triggers DHCP auto-provisioning based on the image type and flash location specified in
option 67. If a specified image type and flash location is not received from the server, the DHCP client behaves according to the default settings.
FIGURE 3 DHCP Auto-Provisioning Enhancements
Configuring DHCP auto-provisioning enhancements for option 67 is useful if, for example, you want to download a Layer 3 image on a switch
running a Layer 2 image (or download a Layer 2 image on a router running a Layer 3 image) using DHCP auto-provisioning.
DHCP auto-provisioning enhancements allow option 67 to be configured with up to three ASCII strings, separated by a space, where each ASCII
string configures a specific operation. The example below configures the “fi8080_manifest.txt” boot image, router as the image type, and the flash
image as primary.
device(config-dhcp-GenericOption)# option 67 ascii fi8080_manifest.txt router primary
The example below configures the “fi8080_manifest.txt” boot image, router as the image type, and the flash image as secondary.
device(config-dhcp-GenericOption)# option 67 ascii fi8080_manifest.txt router secondary
The example below configures the “fi8080_manifest.txt” boot image, switch as the image type, and the flash image as secondary.
device(config-dhcp-GenericOption)# option 67 ascii fi8080_manifest.txt switch secondary
The example below configures the “fi8080_manifest.txt” boot image, switch as the image type, and the flash image as primary.
device(config-dhcp-GenericOption)# option 67 ascii fi8080_manifest.txt switch primary
For information on configuration notes and feature limitations for DHCP auto-provisioning, refer to Configuration Notes and Feature Limitations for
DHCP Auto-Provisioning on page 35.
Configuring DHCP Auto-Provisioning Enhancements
The application image type (router or switch), the flash image (primary or secondary), and the file name to be used by the DHCP client can all be
configured as part of option 67 using one command. The following task configures the “fi8080_manifest.txt” boot image, router as the image type,
and the flash image as primary as part of option 67.
1. Use the configure terminal command to enter global configuration mode.
device# configure terminal
2. Enable the DHCP server.
device(config)# ip dhcp-server enable
3. Create a DHCP server address pool.
device(config)# ip dhcp-server pool GenericOption
4. Configure the DHCP server address pool.
device(config-dhcp-GenericOption)# dhcp-default-router 10.10.70.1
device(config-dhcp-GenericOption)# network 10.10.70.0 255.255.254.0
device(config-dhcp-GenericOption)# lease 1 0 0
device(config-dhcp-GenericOption)# dns-server 10.10.64.1 8.8.8.8
device(config-dhcp-GenericOption)# domain-name office.s-cloud.net
5. Use the option command with the 67 option, specifying a file name, the flash image location, and the image type, to configure option 67
with both the image type and flash image location.
device(config-dhcp-GenericOption)# option 67 ascii "fi8080_manifest.txt router primary"
In this example, boot image fi8080_manifest.txt, router as the image type, and flash image as primary is configured to be used by the
DHCP client.
NOTE
The configuration of the image type and flash location for option 67 is case insensitive.
6. Use the deploy command to activate the DHCP server address pool.
device(config-dhcp-GenericOption)# deploy
The following example configures the “fi8080_manifest.txt” boot image, router as the image type, and flash image as primary as part of option 67
using one command.
device# configure terminal
device(config)# ip dhcp-server enable
device(config)# ip dhcp-server pool GenericOption
device(config-dhcp-GenericOption)# dhcp-default-router 10.10.70.1
device(config-dhcp-GenericOption)# network 10.10.70.0 255.255.254.0
device(config-dhcp-GenericOption)# lease 1 0 0
device(config-dhcp-GenericOption)# dns-server 10.10.64.1 8.8.8.8
device(config-dhcp-GenericOption)# domain-name office.s-cloud.net
device(config-dhcp-GenericOption)# option 67 ascii "fi8080_manifest.txt router primary"
device(config-dhcp-GenericOption)# deploy
DHCP auto-provisioning options
The following options are supported by the client for auto-provisioning.
TABLE 3 DHCP auto-upgrade supported options
DHCP option | Description
001 | Subnet mask
003 | Router IP (default route)
006 | Domain name server
012 | Host name
015 | Domain name
043 | Vendor-specific information
066 | TFTP server name
067 | Boot file (image)
150 | TFTP server IP address
Disabling or re-enabling the DHCP client
The DHCP client is enabled by default. You can disable or re-enable DHCP client on a switch or a router.
1. On a switch, enter the global configuration mode by issuing the configure terminal command.
device# configure terminal
2. Enter the no ip dhcp-client enable command to disable the DHCP client.
device(config)# no ip dhcp-client enable
3. On a switch, enter the ip dhcp-client enable command to re-enable the DHCP client.
device(config)# ip dhcp-client enable
4. On a router, enter the ip dhcp-client disable command to disable the DHCP client service on all physical interface and virtual interface
level.
device(config)# ip dhcp-client disable
5. On a router, enter the no ip dhcp-client disable command to re-enable the DHCP client service on all physical interface and virtual
interface level.
device(config)# no ip dhcp-client disable
6. On a router, enter the interface configuration mode.
device(config)# interface ethernet 2/1/1
7. Enter the no ip dhcp-client enable command to disable the DHCP client.
device(config-if-e1000-2/1/1)# no ip dhcp-client enable
8. On a router, enter the ip dhcp-client enable command at the interface configuration level to re-enable the DHCP client.
device(config-if-e1000-2/1/1)# ip dhcp-client enable
9. On a router, enter the ip dhcp-client enable command at the virtual interface level to re-enable the DHCP client.
device(config-if-ve1)# ip dhcp-client enable
DHCP auto-provisioning on Layer 2 and Layer 3 devices
DHCP auto-provisioning enhancements have been introduced for Layer 2 and Layer 3 devices.
• If the non-default VLAN has multiple untagged ports connected to different DHCP servers, the first port that received the IP address offer
will be considered and the other port will not receive an IP address. This behavior applies for default VLANs, too.
• After an image update and device reload, the option 3 (router) installs the default route to maintain the connectivity with the TFTP or
DHCP servers. In releases prior to FastIron 8.0.40, option 3 was supported only on Layer 2 devices. The default route added by the DHCP
client device from option 3 (router) will be of the lowest metric (254). If the device has a default route, the DHCP provided route is also
appended to the routing table.
TABLE 4 Differences between switch and router image DHCP clients
Layer 2 DHCP client | Layer 3 DHCP client
IP address is configured on the switch (globally) | IP address is configured on the specific client port
IP default gateway is configured as “Default gateway X.X.X.X” (option 3) | Default route is configured as “IP route” with distance metric 254
The following scenarios illustrate DHCP auto-provisioning in different environments.
Scenario 1: DHCP auto-provisioning on a Layer 3 device
In this scenario, the DHCP client and server are part of the same network, but the TFTP server is part of a different network. Here the DHCP client
device needs a default route for TFTP server reachability.
1. The FastIron router (DHCP client) connected to the DHCP server is booted.
2. The client obtains a dynamic IP address lease from the DHCP server through the untagged member port 2 of the VLAN 2 (which is a
non-default VLAN) along with other DHCP server options.
3. Once DHCP server options are enabled, the router option 3 is processed and installs the default route onto the device. Options 6, 12, 15,
and 150 are processed as well.
4. If auto-provisioning is enabled and the image file comparison is successful, the client downloads the new image using the TFTP server IP
address specified in the DHCP server.
5. If auto-provisioning is enabled, the client downloads the configuration file after connecting to the TFTP server and applies the running
configuration on the device.
Scenario 2: DHCP auto-provisioning with a TFTP server in a different network
In this scenario, the DHCP client and server are connected in the same network, but the TFTP server is connected in a different network through the
DHCP server. Here the DHCP client device needs a default route to reach the TFTP server. The steps are the same as in scenario 1, except that the
TFTP server will be reachable after the new image update as the router option 3, which is the default gateway IP address 192.0.0.1, is installed.
Scenario 3: DHCP client connected through a DHCP snooping device
In this scenario, the DHCP client and server are connected through ports on which DHCP snooping or relay agent are enabled and are part of
non-default VLANs. The working scenario is the same as Scenario 1.
Scenario 4: DHCP client option 12
In this scenario, the DHCP clients 1 and 2 are connected to the DHCP server in the same subnet. Subsequently, both receive the same host name.
The DHCP client 3 is connected to the DHCP server in a different subnet and it is assigned with the host name of the second pool.
Scenario 5: DHCP auto-provisioning on a Layer 2 device
In this scenario, auto-provisioning on a Layer 2 device occurs as follows:
1. The DHCP client device is powered on.
2. The client sends the DHCP discovery packets on all DHCP client-eligible ports that are up.
3. The client obtains the dynamic IP address from the DHCP server along with option 3.
4. Once the new router image is brought up, the client tries to connect to the TFTP server using the default route.
Configuration Notes and Feature Limitations for DHCP Auto-Provisioning
The following configuration notes and feature limitations apply to DHCP auto-provisioning.
• For Layer 2 devices, DHCP auto-provisioning is available for default VLANs and management VLANs.
• Although the DHCP server may provide multiple addresses, only one IP address is installed at a time.
• DHCP auto-provisioning is not supported together with DHCP snooping.
• Beginning with FastIron 08.0.70, POE firmware is bundled with the ICX image file. If the ICX software is upgraded, the POE firmware is
automatically updated after the upgrade completes.
• The DHCP client does not initiate auto-provisioning after a stack switchover. You must disable and re-enable the DHCP client after a stack
switchover for auto-provisioning to start.
• When the Layer 2 switch acts as a DHCP client, the show ip command does not display the image file name if the bootfile on the DHCP
server is configured as manifest.txt.
• During the DHCP auto-provisioning process, the client accepts either the TFTP server name or the TFTP server IP address. If the server
name is configured, the client ignores the server IP address.
• During auto-provisioning using the manifest.txt file, the boot image download is skipped if the flash images are the same.
• The DHCP server accepts more than one default router in the address pool if the image is a Layer 2 image.
• The DHCP client contacts the TFTP server to obtain the hostnameMAC-config.cfg file only five times if the TFTP server is busy or not
reachable. If the TFTP server is reachable, the DHCP client contacts the TFTP server only once.
• In a stacking configuration, the DHCP client flash image download waits five minutes for all member units to join and update. After five
minutes, the DHCP client downloads the new image from the TFTP server using the TFTP server IP address (option 150), if it is available. If
the TFTP server IP address is not available, the DHCP client requests the TFTP file from the DHCP server.
• If the enable aaa console command is configured, the DHCP client does not request the configuration files.
The following configuration rules apply to DHCP auto-provisioning:
• To enable flash image update (ip dhcp-client auto-update enable command), you must also enable the auto-configuration (ip dhcp-client
enable command).
• The image file name to be updated must have the extension .bin or .txt.
• The DHCP option 067 bootfile name is used for an image update if it has the extension .bin or .txt.
• The DHCP option 067 bootfile name is used for the configuration download if it does not have the extension .bin or .txt.
• If the DHCP option 067 bootfile name is not configured or does not have the extension .bin or .txt, then auto-provisioning does not occur.
• In releases prior to FastIron 08.0.40, while updating the image using option 67, the image types (Layer 2 or Layer 3) must match. For
example, if the DHCP client with a Layer 3 image downloads an updated Layer 2 image using option 67, the configuration download fails.
The following configuration rules apply to DHCP auto-provisioning enhancements:
• Only “router” or “switch” can be used for specifying an image type. If any other value is entered, the DHCP client accepts and stores the
values specified in the string. However, these values cannot be used and the DHCP client behavior will not change based on the option 67
configurations.
• Only “primary” or “secondary” can be used for specifying the flash image. If any other value is entered, the DHCP client accepts and
stores the values specified in the string. However, these values cannot be used and the DHCP client behavior will not change based on the
option 67 configurations.
• For SPX platforms, the DHCP client downloads the boot images based on option 67 and the DHCP client is not responsible for SPX
formation once DHCP auto-provisioning is completed.
• The received option 67 value for the boot image name is not saved in the DHCP client configuration.
• Because DHCP auto-provisioning enhancements allow the upgrading of a router image to a switch image, and a switch image to a router
image, all necessary configurations required as a result of this upgrade must be carried out.
• DHCP auto-provisioning enhancements are only supported beginning with FastIron 08.0.80. If the DHCP client image is downgraded to
that of a prior release, and option 67 is received by the DHCP client with the image type and flash location specified, DHCP
auto-provisioning does not work because the DHCP client expects only a specified file type. Option 67 must be reconfigured on the DHCP
server for the format supported for the particular release.
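One way to check an option 67 string against the rules above before deploying a pool, as an added example that is not RUCKUS code. The names parse_option67 and review are hypothetical, the second and third strings are assumed to be positional as in the guide's examples, and startup.cfg is a constructed file name.

```python
from dataclasses import dataclass, field
from typing import List, Optional

IMAGE_TYPES = ("router", "switch")
FLASH_LOCATIONS = ("primary", "secondary")
IMAGE_EXTENSIONS = (".bin", ".txt")
QUOTE_CHARS = "\"'\u201c\u201d"  # straight and typographic quotes around the value


@dataclass
class Option67:
    bootfile: str = ""
    image_update: bool = False     # bootfile ends in .bin or .txt
    manifest: bool = False         # .txt bootfile names a manifest bundle
    config_download: bool = False  # any other bootfile name
    image_type: Optional[str] = None
    flash: Optional[str] = None
    ignored: List[str] = field(default_factory=list)


def parse_option67(value):
    """Split an option 67 string and apply the guide's rules to each part."""
    tokens = value.strip().strip(QUOTE_CHARS).split()
    result = Option67()
    if not tokens:
        return result  # option not configured
    result.bootfile = tokens[0]
    # Extension match is exact here; the guide does not say whether case matters.
    result.image_update = result.bootfile.endswith(IMAGE_EXTENSIONS)
    result.manifest = result.bootfile.endswith(".txt")
    result.config_download = not result.image_update
    # Assumption: second string is the image type, third is the flash location.
    for position, token in enumerate(tokens[1:], start=1):
        keyword = token.lower()  # image type and flash location are case insensitive
        if position == 1 and keyword in IMAGE_TYPES:
            result.image_type = keyword
        elif position == 2 and keyword in FLASH_LOCATIONS:
            result.flash = keyword
        else:
            result.ignored.append(token)  # stored by the client but never acted on
    return result


def review(value, client_has_enhancements=True):
    """Return plain-text findings for one option 67 value on a DHCP server pool."""
    parsed = parse_option67(value)
    if not parsed.bootfile:
        return ["option 67 is empty: auto-provisioning does not occur"]
    if parsed.manifest:
        findings = ["image update from manifest " + parsed.bootfile]
    elif parsed.image_update:
        findings = ["image update from " + parsed.bootfile]
    else:
        findings = [parsed.bootfile + " is used for the configuration download"]
    for token in parsed.ignored:
        findings.append("'%s' is not a usable image type or flash location: "
                        "client behavior does not change" % token)
    has_extra_strings = bool(parsed.image_type or parsed.flash or parsed.ignored)
    if has_extra_strings and not client_has_enhancements:
        findings.append("client release predates FastIron 08.0.80: auto-provisioning "
                        "does not work with image type or flash location in option 67")
    return findings


if __name__ == "__main__":
    for sample in ("fi8080_manifest.txt router primary",
                   "fi8080_manifest.txt routr primary",  # constructed typo
                   "startup.cfg"):                       # constructed file name
        print(sample, "->", review(sample))
```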
High Availability and 802.1BR Considerations
In an ICX stack, after switchover between active and standby devices, the DHCP process re-acquires IP addresses and follows the upgrade process.
DHCP is supported on 802.1BR-enabled devices as a normal stacking device. In a Campus Fabric (SPX) configuration, the DHCP client is able to send
packets through all CB and PE ports. PE ports can be members of the VE.
Upgrade Considerations
When upgrading from FastIron 08.0.60 or previous releases to FastIron 08.0.61 or later, if the rules to create the default VE are met, the default VE
is created, the DHCP client is enabled over the default VE, and the IP address is acquired.
How DHCP Client-Based Auto-Provisioning and Flash Image Update Works
Auto-provisioning is enabled by default. To disable auto-provisioning, refer to Disabling or re-enabling the DHCP client on page 30 and Disabling or
re-enabling auto-provisioning on page 38 respectively.
Validating the IP Address and Lease Negotiation
The following steps describe the IP address validation and lease negotiation process.
1. At bootup, the device automatically checks its configuration for an IP address.
2. If the device does not have a static IP address, it requests the lease of an address from the DHCP server:
• If the server responds, it leases an IP address to the device for the specified lease period.
• If the server does not respond (after four tries), the DHCP client process is ended.
3. If the device has a dynamic address, the device asks the DHCP server to validate that address. If the server does not respond, the device
continues to use the existing address until the lease expires. If the server responds, and the IP address is outside of the DHCP address pool
or has been leased to another device, it is automatically rejected, and the device receives a new IP address from the server. If the existing
address is valid, the lease continues.
NOTE
The lease time interval is configured on the DHCP server, not on the client device. The ip dhcp-client lease command is set by
the system, and is non-operational to a user.
4. If the existing address is static, the device keeps it and the DHCP client process is ended.
5. For a leased IP address, when the lease interval reaches the renewal point, the device requests a renewal from the DHCP server:
• If the device is able to contact the DHCP server at the renewal point in the lease, the DHCP server extends the lease. This process can
continue indefinitely.
• If the device is unable to reach the DHCP server after four attempts, it continues to use the existing IP address until the lease expires.
When the lease expires, the dynamic IP address is removed and the device contacts the DHCP server for a new address.
Flash Image Download and Update
NOTE
The flash image download and update process only occurs when the client device reboots, or when the DHCP client has been disabled
and then re-enabled.
Once a lease is obtained from the server, the device compares the file name of the requested flash image with the image stored in flash memory. In
a stacking configuration, the device compares the file name with the image stored in the Active Controller only.
• If the .bin file names match, then the DHCP client skips the flash image download. If auto-provisioning is enabled, the DHCP client
proceeds with downloading the configuration files.
• If the .bin file names are different, then the DHCP client downloads the new image from a TFTP server and then writes the downloaded
image to flash memory. In a stacking configuration, the device copies the flash image to flash in all stack member units.
The code determines which flash (primary or secondary) to use based on how the device is booted. In a stacking configuration, the member units
use the same flash as the Active Controller. Once the flash is updated with the newer flash image, the device is reloaded, and any member units in a
stacking configuration are reloaded as well. If auto-provisioning is enabled, the DHCP client then proceeds to download the configuration files.
Auto-Provisioning Download and Update
During auto-provisioning, the device requests the configuration files from the TFTP server in the following order.
1. bootfile name provided by the DHCP server (if configured).
2. hostnameMAC-config.cfg (for example: ICX001p-Switch0000.005e.4d00-config.cfg).
3. hostnameMAC.cfg (for example: ICX002p-Switch0000.005e.4d00.cfg).
4. A new file format has been introduced based on the host name as part of DHCP option 12 support. For example _router.cfg.
5. When the DHCP client switch looks for the configuration file in the TFTP server, a configuration file in the format such as <icx>-<switch |
router>.cfg will be ignored. Instead the following file format is expected.
Old format: ICX7650-router.cfg
New format: ICX7650.cfg
<ICX7650>.cfg appends the existing configuration.
6. ruckus.cfg (applies to all devices), (for example: ruckus.cfg appends the existing configuration).
If the device successfully contacts the TFTP server and the server has the configuration file, the files are merged. If there is a conflict, the server file takes precedence. If the device is unable to contact the TFTP server, or if the files are not found on the server, the TFTP part of the configuration download process ends.
Disabling or re-enabling auto-provisioning
DHCP auto-provisioning is enabled by default. You can disable or re-enable DHCP auto-provisioning on a switch or a router.
1. On a switch or a router enter the global configuration mode by issuing the configure terminal command.
device# configure terminal
2. Enter the no ip dhcp-client auto-update enable command to disable DHCP auto-provisioning.
device(config)# no ip dhcp-client auto-update enable
3. Enter the ip dhcp-client auto-update enable command to enable DHCP auto-provisioning after it has been disabled.
device(config)# ip dhcp-client auto-update enable
Dynamic DHCP options configuration processing
The system can differentiate between manually configured DHCP options and DHCP options that were obtained dynamically from the server.
Manually configured DHCP options are retained even when the dynamic IP address is released.
To help identify them, the keyword dynamic is appended to output for all dynamic DHCP options that are reflected in the running configuration.
NOTE
Only the IP address and the default gateway/default route are persistent across reloads (after the write memory is executed to save the configuration). The remaining DHCP options that are obtained from the DHCP server are relearned when the ICX device reboots.
It is not possible to manually configure the dynamic option. If you attempt to configure a dynamic option manually, an error is displayed stating "Manual configuration is not allowed for this option."
NOTE
If a static IP Address is configured manually for the device after obtaining a dynamic IP Address and DHCP options from the DHCP server, all DHCP options are released along with the dynamic IP Address.
Discovery of SZ based on DHCP Option 43
Beginning with SmartZone release 5.0, the administrator can monitor and manage switches and routers in the ICX 7000 series switches running FastIron version 08.0.80 or above. ICX (the DHCP client) can parse the value of DHCP option 43 containing SZ IP addresses received from the DHCP server and connect to SmartZone.
This feature works in the following manner:
The DHCP client sends the VCI option as "Ruckus CPE" to the DHCP Server in every request packet.
The DHCP client processes the vendor specific information (VSI) option data during the RENEW & REBIND process.
The SZ IP Address data received through VSI is not displayed in the running configuration.
The show ip dhcp-client options command displays the received VSI data in TLV format. The data can be displayed in two formats based on data received. Refer to the show ip dhcp-client options command for more information.
If the DHCP client fails to parse the received VSI data, or is not able to extract the SZ IP addresses from the VSI data received, the SZ IP addresses are not passed to the FSM API.
The example below shows how a DHCP server can be configured to send SmartZone IP addresses to ICX devices using DHCP Option 43.
Configure DHCP Option 43 on the DHCP server, using RKUS.scg-address to identify the SmartZone IP addresses. A single SmartZone IP address or a comma-separated list can be configured. SmartZone IP addresses are sent with a sub-option value of 6. The ICX device ignores all other data in DHCP Option 43 if SmartZone IP addresses are present. The following example shows a DHCP Option 43 configuration on a DHCP server. The IP addresses listed are examples only.
subnet 192.168.12.0 netmask 255.255.255.0 {
    range 192.168.12.100 192.168.12.199;
    option routers 192.168.12.1;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.12.255;
    option ntp-servers 192.168.11.22;
    class "Ruckus AP" {
        match if option vendor-class-identifier = "Ruckus CPE";
        option vendor-class-identifier "Ruckus CPE";
        default-lease-time 86400;
        vendor-option-space RKUS;
        option RKUS.scg-address "192.168.11.200, 192.168.11.201, 192.168.11.202";
    }
}
Configuration notes and feature limitations
The following configuration notes and feature limitations apply for discovery of SZ based on DHCP option 43:
The vendor-specific information data received from the DHCP server must be in simple ASCII text format.
The VCI option must be configured as "Ruckus CPE" and sent to the DHCP server during DHCP discovery and renew. The DHCP server then fills the VSI option data in the offer packet that is sent to the client in response.
A maximum of 128 characters (bytes) of VSI data can be received and processed by the DHCP client. If the received VSI data size is more than 128 characters, the DHCP client does not save or process the received data.
With the exception of the value "create default ve", the DHCP client treats any received option 43 data as TLV format.
The DHCP client passes the IP address list to the FSM API only when the received VSI data is in TLV format with Sub-option Code 6, and the corresponding data is in IP addresses format with commas (,) separating the IP addresses.
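The rules above can be checked against a server's option 43 payload before it is deployed. The following Python validator is an added example, not RUCKUS code: it assumes the RFC 2132 encapsulated layout (one code byte, one length byte, then the value) and IPv4 addresses, and the function names are hypothetical.

```python
from __future__ import annotations

import ipaddress

MAX_VSI_BYTES = 128                     # limit stated in the guide
SZ_SUBOPTION = 6                        # sub-option code for SmartZone addresses
NON_TLV_VALUE = b"create default ve"    # the one value the guide says is not TLV


def encode_suboption(code: int, text: str) -> bytes:
    """Build one code/length/value sub-option carrying an ASCII value."""
    value = text.encode("ascii")
    if len(value) > 255:
        raise ValueError("sub-option value longer than 255 bytes")
    return bytes([code, len(value)]) + value


def parse_tlvs(vsi: bytes) -> list[tuple[int, bytes]]:
    """Split option 43 data into (code, value) pairs, refusing truncated input."""
    tlvs = []
    offset = 0
    while offset < len(vsi):
        if offset + 2 > len(vsi):
            raise ValueError(f"truncated sub-option header at offset {offset}")
        code, length = vsi[offset], vsi[offset + 1]
        end = offset + 2 + length
        if end > len(vsi):
            raise ValueError(f"sub-option {code} claims {length} bytes past the end")
        tlvs.append((code, vsi[offset + 2:end]))
        offset = end
    return tlvs


def smartzone_addresses(vsi: bytes) -> list[str]:
    """Return the SmartZone addresses in sub-option 6, or [] if there are none."""
    if len(vsi) > MAX_VSI_BYTES:
        raise ValueError(f"VSI data is {len(vsi)} bytes; the documented limit is {MAX_VSI_BYTES}")
    if vsi == NON_TLV_VALUE:
        return []                       # special value, not a TLV and not an address list
    for code, value in parse_tlvs(vsi):
        if code != SZ_SUBOPTION:
            continue                    # other sub-options are ignored
        try:
            items = value.decode("ascii").split(",")
            # The guide's server example puts a space after each comma, so strip it.
            return [str(ipaddress.IPv4Address(item.strip())) for item in items]
        except ValueError as exc:       # covers non-ASCII bytes and malformed addresses
            raise ValueError(f"sub-option 6 is not an ASCII IPv4 list: {exc}") from exc
    return []


def rejection_reason(vsi: bytes) -> str | None:
    """Return why the payload fails the documented rules, or None if it passes."""
    try:
        smartzone_addresses(vsi)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed payload using the address list from the guide's server example.
SAMPLE = encode_suboption(6, "192.168.11.200, 192.168.11.201, 192.168.11.202")

if __name__ == "__main__":
    print(smartzone_addresses(SAMPLE))
```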
Verifying dynamic DHCP options for a switch
You can identify dynamically obtained DHCP options for a switch.
1. On a switch enter the show running-config command. Examine the output to identify dynamically obtained options. These options have a "dynamic" tag appended to them in the running configuration.
device> show running-config
Current configuration:
!
ver 08.0.61b1T211
!
stack unit 1
module 1 icx7250-24-port-management-module
module 2 icx7250-sfp-plus-8port-80g-module
!
!
!
vlan 1 name DEFAULT-VLAN by port
!
!
!
hostname TestHostName dynamic
ip address 10.10.10.2 255.255.255.0 dynamic
ip dns domain-list ManualDomain.com
ip dns domain-list testStaticDomain.com
ip dns domain-list testDomain.com dynamic
ip dns server-address 20.20.20.8 20.20.20.9 20.20.20.5 10.10.10.5(dynamic)
ip default-gateway 10.10.10.1 dynamic
!
!
!
interface ethernet 1/1/21
disable
!
interface ethernet 1/2/2
speed-duplex 1000-full
!
interface ethernet 1/2/4
speed-duplex 1000-full
!
interface ethernet 1/2/5
speed-duplex 1000-full
!
interface ethernet 1/2/6
speed-duplex 1000-full
!
interface ethernet 1/2/7
speed-duplex 1000-full
!
interface ethernet 1/2/8
speed-duplex 1000-full
!
!
!
lldp run
!
!
end
2. On a switch enter the show configuration command. Examine the output to identify dynamically obtained options. These options have a "dynamic" tag appended to them in the running configuration.
device> show configuration
Startup-config data location is flash memory
!
Startup configuration:
!
ver 08.0.61b1T211
!
stack unit 1
module 1 icx7250-24-port-management-module
module 2 icx7250-sfp-plus-8port-80g-module
!
!
vlan 1 name DEFAULT-VLAN by port
!
!
!
!
ip address 10.10.10.2 255.255.255.0 dynamic
ip dns domain-list ManualDomain.com
ip dns domain-list testStaticDomain.com
ip dns server-address 20.20.20.8 20.20.20.9 20.20.20.5
ip default-gateway 10.10.10.1 dynamic
!
!
!
interface ethernet 1/1/21
disable
!
interface ethernet 1/2/2
speed-duplex 1000-full
!
interface ethernet 1/2/4
speed-duplex 1000-full
!
interface ethernet 1/2/5
speed-duplex 1000-full
!
interface ethernet 1/2/6
speed-duplex 1000-full
!
interface ethernet 1/2/7
speed-duplex 1000-full
!
interface ethernet 1/2/8
speed-duplex 1000-full
!
lldp run
!
end
Verifying dynamic DHCP options for a router
You can identify dynamically obtained DHCP options for a router.
1. On a router enter the show running-config command. Examine the output to identify dynamically obtained options. These options have a "dynamic" tag appended to them in the running configuration.
device> show running-config
Current configuration:
!
ver 08.0.61b1T213
!
stack unit 1
module 1 icx7250-24-port-management-module
module 2 icx7250-sfp-plus-8port-80g-module
!
!
vlan 1 name DEFAULT-VLAN by port
!
!
!
hostname TestHostName dynamic
ip dns domain-list ManualDomain.com
ip dns domain-list testDomain.com dynamic
ip dns domain-list testStaticDomain.com
ip dns server-address 20.20.20.8 20.20.20.9 10.10.10.5(dynamic) 20.20.20.5
ip route 0.0.0.0/0 10.10.10.1 distance 254 dynamic
!
!
interface ethernet 1/1/7
ip address 10.10.10.2 255.255.255.0 dynamic
!
interface ethernet 1/1/21
disable
!
interface ethernet 1/2/2
speed-duplex 1000-full
!
interface ethernet 1/2/4
speed-duplex 1000-full
!
interface ethernet 1/2/5
speed-duplex 1000-full
!
interface ethernet 1/2/6
speed-duplex 1000-full
!
interface ethernet 1/2/7
speed-duplex 1000-full
!
interface ethernet 1/2/8
speed-duplex 1000-full
!
!
lldp run
!
!
end
2. On a router enter the show configuration command. Examine the output to identify dynamically obtained options. These options have a "dynamic" tag appended to them in the running configuration.
device> show configuration
!
Startup-config data location is flash memory
!
Startup configuration:
!
ver 08.0.61b1T213
!
stack unit 1
module 1 icx7250-24-port-management-module
module 2 icx7250-sfp-plus-8port-80g-module
!
!
vlan 1 name DEFAULT-VLAN by port
!
!
!
ip dns domain-list ManualDomain.com
ip dns domain-list testStaticDomain.com
ip dns server-address 20.20.20.8 20.20.20.9 20.20.20.5
ip route 0.0.0.0/0 10.10.10.1 distance 254 dynamic
!
!
!
interface ethernet 1/1/7
ip address 10.10.10.2 255.255.255.0 dynamic
!
interface ethernet 1/1/21
disable
!
interface ethernet 1/2/2
speed-duplex 1000-full
!
interface ethernet 1/2/4
speed-duplex 1000-full
!
interface ethernet 1/2/5
speed-duplex 1000-full
!
interface ethernet 1/2/6
speed-duplex 1000-full
!
interface ethernet 1/2/7
speed-duplex 1000-full
!
interface ethernet 1/2/8
speed-duplex 1000-full
!
!
lldp run
!
!
end
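The switch and router verification steps above, together with the earlier note on which options persist across reloads, can be automated when auditing which settings a device took from its DHCP server. This Python script is an added example, not part of the guide: the function names are hypothetical, and the embedded text is a trimmed excerpt of the guide's switch sample output.

```python
import re

# Matches a value tagged inline, as in "10.10.10.5(dynamic)".
INLINE_TAG = re.compile(r"^(?P<value>\S+)\(dynamic\)$")


def dynamic_settings(config_text):
    """Return the settings marked dynamic, prefixed with their interface if any."""
    found = []
    context = ""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            context = ""                      # "!" closes an interface block
            continue
        if line.startswith("interface "):
            context = line + ": "
            continue
        tokens = line.split()
        if len(tokens) > 1 and tokens[-1] == "dynamic":
            # Whole line learned from DHCP, e.g. "hostname TestHostName dynamic".
            found.append(context + " ".join(tokens[:-1]))
            continue
        # Mixed line: only the values carrying "(dynamic)" came from DHCP.
        keyword = []
        for tok in tokens:
            if tok[0].isdigit():
                break
            keyword.append(tok)
        for tok in tokens:
            match = INLINE_TAG.match(tok)
            if match:
                found.append(context + " ".join(keyword + [match.group("value")]))
    return found


def relearned_after_reload(running_text, startup_text):
    """Dynamic settings present in the running config but not saved to startup."""
    saved = set(dynamic_settings(startup_text))
    return [s for s in dynamic_settings(running_text) if s not in saved]


# Trimmed excerpt of the guide's "show running-config" switch output.
RUNNING = """\
hostname TestHostName dynamic
ip address 10.10.10.2 255.255.255.0 dynamic
ip dns domain-list ManualDomain.com
ip dns domain-list testStaticDomain.com
ip dns domain-list testDomain.com dynamic
ip dns server-address 20.20.20.8 20.20.20.9 20.20.20.5 10.10.10.5(dynamic)
ip default-gateway 10.10.10.1 dynamic
!
interface ethernet 1/2/2
speed-duplex 1000-full
!
"""

# Trimmed excerpt of the guide's "show configuration" switch output.
STARTUP = """\
ip address 10.10.10.2 255.255.255.0 dynamic
ip dns domain-list ManualDomain.com
ip dns domain-list testStaticDomain.com
ip dns server-address 20.20.20.8 20.20.20.9 20.20.20.5
ip default-gateway 10.10.10.1 dynamic
!
"""

if __name__ == "__main__":
    for setting in relearned_after_reload(RUNNING, STARTUP):
        print("relearned from DHCP at next boot:", setting)
```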
DHCP Servers
DHCP Servers
DHCP server options
Disabling or re-enabling the DHCP server on the management port
Setting the wait time for ARP ping response
DHCP relay agent information support (option 82)
Enabling relay agent information (option 82)
Configuring the IP address of the DHCP server
Configuring the boot image
Deploying an address pool configuration to the server
Specifying default router available to the client
Specifying DNS servers available to the client
Configuring the domain name for the client
Configuring the lease duration for the address pool
Specifying addresses to exclude from the address pool
Configuring the NetBIOS server for DHCP clients
Configuring the subnet and mask of a DHCP address pool
Configuring the TFTP server
Configuring X Window System Display Manager IP addresses (option 49)
Vendor specific information (option 43 and option 60) configurations
Enabling static IP to MAC address mapping
Configuring Avaya IP telephony (options 176 and 242)
Configuring WPAD (option 252)
Displaying DHCP server information
DHCP Servers
All FastIron devices can be configured to function as DHCP servers.
DHCP introduces the concept of a lease on an IP address. The DHCP server can allocate an IP address for a specified amount of time or can extend a lease for an indefinite amount of time. DHCP provides greater control of address distribution within a subnet. This feature is crucial if the subnet has more devices than available IP addresses. In contrast to BOOTP, which has two types of messages that can be used for leased negotiation, DHCP provides seven types of messages.
DHCP allocates temporary or permanent network IP addresses to clients. When a client requests the use of an address for a time interval, the DHCP server guarantees not to reallocate that address within the requested time and tries to return the same network address each time the client makes a request. The period of time for which a network address is allocated to a client is called a lease. The client may extend the lease through subsequent requests. When the client is done with the address, the address can be released back to the server. By asking for an indefinite lease, clients may receive a permanent assignment.
DHCP clients can be IP phones, desktops, or network devices, as illustrated in the following figure. The clients can be connected directly or through other networks using relays. The DHCP server provides information such as the DNS server name, TFTP server name, and also the image to pick for bootup to the DHCP client. Once the client obtains the IP address, TFTP server name, and boot image name, the client can download the image from the TFTP server and boot with that image.
In some environments, it may be necessary to reassign network addresses due to exhaustion of the available address pool. In this case, the allocation mechanism reuses addresses with expired leases.
The DHCP server is disabled by default on all FastIron devices.
FIGURE 4 DHCP server usage
Configuration Considerations for DHCP Servers
The following configuration considerations apply to DHCP servers, the DHCP binding database, and DHCP address pools:
The DHCP server is supported in the Layer 2 and Layer 3 software images.
The DHCP server is not supported on non-default VRF.
In the event of a controlled or forced switchover, a DHCP client requests from the DHCP server the same IP address and lease assignment that it had before the switchover. After the switchover, the DHCP server will be automatically re-initialized on the new Active Controller or management module.
For DHCP client hitless support in a stack, the stack mac command must be used to configure the MAC address, so that the MAC address does not change in the event of a switchover or failover. If stack mac is not configured, the MAC address/IP address pair assigned to a DHCP client will not match after a switchover or failover. Furthermore, in the Layer 3 router image, if the stack mac configuration is changed or removed and the management port has a dynamic IP address, when a DHCP client tries to renew its lease from the DHCP server, the DHCP server will assign a different IP address.
If any address from the configured DHCP pool is used, for example, by the DHCP server or TFTP server, you must exclude the address from the network pool.
Ensure that DHCP clients do not send DHCP request packets with a Maximum Transmission Unit (MTU) larger than 1500 bytes. RUCKUS devices do not support DHCP packets with an MTU larger than 1500 bytes.
DHCP binding database
The IP addresses that have been automatically mapped to the MAC addresses of hosts are found in the DHCP binding database in the DHCP server.
An address conflict occurs when two hosts use the same IP address. During address assignment, the DHCP server checks for conflicts. If a conflict is detected, the address is removed from the pool. The address will not be assigned until the administrator resolves the conflict.
The following table shows IP DHCP binding scalability for RUCKUS ICX devices for a stand-alone switch or a stack:
Device | IP DHCP binding scalability
RUCKUS ICX 7150 | 500
RUCKUS ICX 7250 | 500
RUCKUS ICX 7450 | 500
RUCKUS ICX 7550 | 500
RUCKUS ICX 7650 | 500
RUCKUS ICX 7750 | 500
RUCKUS ICX 7850 | 500
DHCP address pools
A DHCP address pool can be configured with a name that is a symbolic string (such as "cabo") or an integer (such as 0).
Configuring a DHCP address pool also puts the router into DHCP pool configuration mode, where the pool parameters can be configured.
If the DHCP server address is part of a configured DHCP address pool, you must exclude the DHCP server address from the network pool.
While in DHCP server pool configuration mode, the system will place the DHCP server pool in pending mode and the DHCP server will not use the address pool to distribute information to clients. To activate the pool, use the deploy command.
DHCP options are supported on a per-pool basis as required by the DHCP clients to be serviced in the sub-network.
DHCP defines a process by which the DHCP server knows the IP subnet in which the DHCP client resides, and the DHCP server can assign an IP address from a pool of valid IP addresses in that subnet.
If the client is directly connected (the giaddr field is zero), the DHCP server matches the DHCP DISCOVER message with DHCP pools that contain the subnets configured on the receiving interface. If the client is not directly connected (the giaddr field of the DHCP DISCOVER message is not zero), the DHCP server matches the DHCP DISCOVER message with a DHCP pool that has the subnet that contains the IP address in the giaddr field.
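The giaddr matching rule in the last item can be modelled as follows. This Python function is an added illustration of the rule as stated, not FastIron code; the function name is hypothetical, and every pool except "cabo" with 172.16.1.0/24 is constructed for the example.

```python
import ipaddress


def match_pools(pools, giaddr, rx_interface_subnets):
    """Return the names of the pools a DHCP DISCOVER is matched against.

    pools: {pool name: pool network in CIDR form}
    giaddr: relay agent address from the DISCOVER ("0.0.0.0" when not relayed)
    rx_interface_subnets: addresses/subnets configured on the receiving interface
    """
    relay = ipaddress.IPv4Address(giaddr)
    networks = {name: ipaddress.IPv4Network(cidr) for name, cidr in pools.items()}

    if relay == ipaddress.IPv4Address("0.0.0.0"):
        # Directly connected client: use the subnets of the receiving interface.
        local = [ipaddress.IPv4Network(s, strict=False) for s in rx_interface_subnets]
        return sorted(
            name for name, net in networks.items()
            if any(subnet.subnet_of(net) for subnet in local)
        )

    # Relayed client: only giaddr decides; the receiving interface is not consulted.
    return sorted(name for name, net in networks.items() if relay in net)


# "cabo" is the pool from the guide; the other two are constructed.
POOLS = {
    "cabo": "172.16.1.0/24",
    "branch": "10.20.0.0/16",
    "lab": "192.168.50.0/24",
}

if __name__ == "__main__":
    print(match_pools(POOLS, "0.0.0.0", ["172.16.1.1/24"]))      # local client
    print(match_pools(POOLS, "10.20.30.1", ["172.16.1.1/24"]))   # relayed client
    print(match_pools(POOLS, "203.0.113.9", ["172.16.1.1/24"]))  # giaddr in no pool
```

A relayed DISCOVER whose giaddr falls in no deployed pool matches nothing, even when it arrives on an interface that has a pool of its own.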
Configuring the DHCP server and creating an address pool
Perform the following steps to configure the DHCP server. Before you can configure the various DHCP server options, you must create an address pool on your FastIron device.
1. Enter global configuration mode by issuing the configure terminal command.
device# configure terminal
2. Enable the DHCP server.
device(config)# ip dhcp-server enable
3. Create a DHCP server address pool.
device(config)# ip dhcp-server pool cabo
4. Configure the DHCP server address pool.
device(config-dhcp-cabo)# network 172.16.1.0/24
device(config-dhcp-cabo)# domain-name ruckuswireless.com
device(config-dhcp-cabo)# dns-server 172.16.1.2 172.16.1.3
device(config-dhcp-cabo)# netbios-name-server 172.16.1.2
device(config-dhcp-cabo)# lease 0 0 5
5. To disable DHCP, enter the no ip dhcp-server enable command.
device(config)# no ip dhcp-server enable
6. Use the clear ip dhcp-server binding command to delete a specific lease or all lease entries from the lease binding database.
device(config)# clear ip dhcp-server binding *
The asterisk used in the example above clears all the IP addresses.
DHCP server configuration
The following flowchart illustrates the DHCP server configuration procedure.
FIGURE 5 DHCP server configuration flowchart
Default DHCP server settings
TABLE 5 DHCP server default settings
Parameter | Default Value
DHCP server | Disabled
Lease database expiration time | 86400 seconds
The duration of the lease for an assigned IP address | 43200 seconds (one day)
Maximum lease database expiration time | 86400 seconds
DHCP server with option 82 | Disabled
DHCP server unknown circuit ID for option 82 | Permit range lookup
IP distribution mechanism | Linear
DHCP server options
A FastIron device configured as a DHCP server can support up to 500 DHCP clients.
Where a FastIron device is configured as a DHCP server, you can configure DHCP options. These options are passed to the connected DHCP clients and allow configuration of parameters such as default router, host name, and domain name server.
The list of supported DHCP options is shown in the following table:
TABLE 6 DHCP server options
Option Number | Option Name | Description / Notes
1 | Subnet Mask | Specifies the client subnet mask (per RFC 950). This is not configurable using the option command. This option is configured using the network (dhcp) command. Network <router IP> <subnet mask>
3 | Router Option | Specifies an IP address of the default router on the client subnet. Only one router can be specified. NOTE: Option 3 is not supported on non-default VRFs and management VRFs. NOTE: Option 3 functions only when there is no previously configured route on the DHCP client. If the route received by the DHCP client from the DHCP server is already configured on the client, the following syslog message is displayed: DHCP: Failed to configure default gateway.
4 | Time Server | Specifies a list of Time Servers available to the client. Time Servers are listed in order of preference.
5 | Name Server | Specifies a list of Name Servers available to the client. Name Servers are listed in order of preference.
6 | Domain Name Server | Specifies a list of Domain Name System (RFC 1035) name servers available to the client. Servers are listed in order of preference.
7 | Log Server | Specifies a list of UDP log servers available to the client. Servers are listed in order of preference.
8 | Quotes Server | Specifies a list of Quotes servers available to the client. Servers are listed in order of preference.
9 | LPR Server | Specifies a list of Line Printer Servers available to the client. Servers are listed in order of preference.
10 | Impress Server | Specifies a list of Imagen Impress Servers available to the client. Servers are listed in order of preference.
11 | RLP Server | Specifies a list of Resource Location Servers available to the client. Servers are listed in order of preference.
12 | Hostname | Configures the host name that can be assigned to the DHCP clients.
15 | Domain name | Specifies the domain name the client should use when resolving host names using the Domain Name System.
16 | Swap Server | Specifies the IP address of the client Swap Server.
17 | Root Path | Specifies the path name (entered as an ASCII character string) that contains the client root disk.
18 | Extension File | Specifies a file, retrievable through TFTP, that contains information that can be interpreted in the same way as the vendor-extension field within the BOOTP response, with the following exceptions: the length of the file is unconstrained; all references to instances of this option in the file are ignored.
21 | Policy Filter | Specifies Policy Filters for non-local source routing. The filters consist of a list of IP addresses and masks that specify destination/mask pairs with which to filter incoming source routes. Any source-routed datagram whose next-hop address does not match one of the filters should be discarded by the client.
28 | Broadcast Address | Specifies the Broadcast Address in use on the client subnet.
32 | Router Request | Specifies the address to which the client should transmit router solicitation requests.
33 | Static Route | Specifies a list of Static Routes that the client should install in its routing cache. If multiple routes to the same destination are specified, they are listed in descending order of priority. The routes consist of a list of IP address pairs. The first address is the destination address, and the second address is the router for the destination. Note that the default route (0.0.0.0) is an illegal destination for a static route.
40 | NIS Domain | Specifies the NIS domain (entered as an ASCII character string) for the client.
41 | NIS Servers | Specifies a list of IP addresses for NIS servers available to the client. Servers are listed in order of preference.
42 | NTP Servers | Specifies a list of IP addresses for NTP servers available to the client. Servers are listed in order of preference.
43 | Vendor Specific | Specifies vendor-specific information. This allows clients and servers to exchange vendor-specific information. The vendor is specified in the Vendor Class Identifier option (option 60).
44 | NetBIOS Name Srv | Specifies a list of NetBIOS Name Servers (NBNS) (RFC 1001 and RFC 1002). NBNS servers are listed in order of preference.
45 | NetBIOS Dist Srv | Specifies a list of NetBIOS Datagram Distribution Servers (NBDD) servers (RFC 1001 and RFC 1002). NBDD servers are listed in order of preference.
47 | NetBIOS Scope | Specifies the NetBIOS over TCP/IP scope parameter (RFC 1001 and RFC 1002) for the client.
48 | X Window Font | Specifies a list of IP addresses of X Window System Font servers available to the client. X Window System Font servers are listed in order of preference.
49 | X Window Manager | Specifies a list of IP addresses of X Window System Display Managers available to the client. X Window System Display Managers are listed in order of preference.
50 | Address Request | Specifies an IP address used in a client request (DHCPDISCOVER) to allow the client to request a particular IP address be assigned.
56 | DHCP Message | This option is used by a DHCP server to provide an error message to a DHCP client in a DHCPNAK message in the event of a failure. A client may use this option in a DHCPDECLINE message to indicate why the client declined the offered parameters. The message consists of ASCII text, which the client may display on an available output device.
60 | Vendor Class Identifier | Specifies the Vendor Class Identifier. This is used in conjunction with option 43 (Vendor Specific information), allowing clients and servers to exchange vendor-specific information.
62 | NetWare/IP Domain | Specifies the NetWare/IP Domain Name used by the NetWare/IP product.
64 | NIS-Domain-Name | Specifies the NIS+ domain (entered as an ASCII character string) for the client.
65 | NIS-Server-Addr | Specifies a list of IP addresses for NIS+ servers available to the client. Servers are listed in order of preference.
66 | TFTP server hostname or IP address | Specifies the address or name of the TFTP server available to the client.
67 | Boot File name | Specifies a boot image to be used by the client.
68 | Home-Agent-Addrs | Specifies a list of IP addresses for Mobile IP Home Agents available to the client. Agents are listed in order of priority.
69 | SMTP-Server | Specifies a list of Simple Mail Transport Protocol (SMTP) Servers available to the client. Servers are listed in order of priority.
70 | POP3-Server | Specifies a list of Post Office Protocol (POP3) Servers available to the client. Servers are listed in order of priority.
71 | NNTP-Server | Specifies a list of Network News Transport Protocol (NNTP) Servers available to the client. Servers are listed in order of priority.
72 | WWW-Server | Specifies a list of World Wide Web (WWW) Servers available to the client. Servers are listed in order of priority.
73 | Finger-Server | Specifies a list of Finger Servers available to the client. Servers are listed in order of priority.
74 | IRC-Server | Specifies a list of Internet Relay Chat (IRC) Servers available to the client. Servers are listed in order of priority.
75 | StreetTalk-Server | Specifies a list of StreetTalk Servers available to the client. Servers are listed in order of priority.
76 | STDA-Server | Specifies a list of StreetTalk Directory Assistance (STDA) Servers available to the client. Servers are listed in order of priority.
85 | NDS Servers | Specifies the IP addresses for Novell Directory Services (NDS) servers available to the client. Servers are listed in order of priority.
86 | NDS Tree Name | Specifies the name of the Novell Directory Services (NDS) Tree to which the client will connect.
88 | BCMCS Domain List | Specifies a list of Broadcast and Multicast Service (BCMCS) Controller domains.
89 | BCMCS IPv4 addr | Specifies a list of IP addresses for Broadcast and Multicast Service (BCMCS) controllers. Controllers are listed in order of priority.
94 | Client NDI | Specifies the Network Interface Identifier (NDI) for the client.
95 | LDAP | This option is supported if the option value type is IP, ASCII, or HEX.
98 | User-Auth | Specifies a list of URLs, each pointing to a user authentication service that is capable of processing authentication requests encapsulated in the User Authentication Protocol (UAP). If a URL does not contain a port component, the normal default port is assumed (port 80 for http and port 443 for https). If a URL does not include a path component, the path /uap is assumed.
100 | Pcode | Specifies the TZ-POSIX string used to provide timezone details.
101 | Tcode | Specifies the TZ-Database string used to provide timezone details.
102 - 111 | Removed/Unassigned | These options are supported if the value type is defined as IP, ASCII, or HEX.
112 | Netinfo Address | This option is supported if the option value type is IP, ASCII, or HEX.
113 | Netinfo Tag | This option is supported if the option value type is IP, ASCII, or HEX.
114 | URL | This option is supported if the option value type is IP, ASCII, or HEX.
120 | SIP Servers | Specifies the IP address or, preferably, the DNS fully qualified domain name to be used by the Session Initiation Protocol (SIP) client to locate a SIP server.
125 | V-I VendorSpeciInfo | This option is supported if the value type is defined as IP, ASCII, or HEX.
126 - 127 | Removed/Unassigned | These options are supported if the option value type is IP, ASCII, or HEX.
128 - 135 | PXE-VendorSpecific | These options are supported if the option value type is IP, ASCII, or HEX.
137 | V4_LOST | Specifies the fully qualified domain name (FQDN) to be used by the client to locate a Location-to-Service Translation (LoST) server.
141 | SIP UA Domains | Specifies a list of domain names to search for Session Initiation Protocol (SIP) User Agent Configuration.
142 | IPv4-ANDSF | Specifies the IP addresses for Access Network Discover and Selection Function (ANDSF) Servers available to the client. The servers are listed in order of priority.
146 | RDNSS Selection | This option is supported if the option value type is IP, ASCII, or HEX.
147 - 148 | Unassigned | These options are supported if the option value type is IP, ASCII, or HEX.
150 | TFTP Server Addr | Specifies the address of the TFTP Server available to the client. Note that only one TFTP server IP address can be defined.
156 | dhcp-state | This option is supported if the option value type is IP, ASCII, or HEX.
160 | Captive-Portal | This option is supported if the option value type is IP, ASCII, or HEX.
161 - 174 | Unassigned | These options are supported if the option value type is IP, ASCII, or HEX.
175 | Etherboot | This option is supported if the option value type is IP, ASCII, or HEX.
176 | IP Tele-VoiceSrvr | Configures the IP telephone voice parameters for Avaya IP phones running as DHCP clients.
177 PktCable-CableHome This option is supported if the option value type is IP, ASCII, or HEX.
178 - 206 Unassigned These options are supported if the option value type is IP, ASCII, or HEX.
209 Config File Specifies the configuration file to be used in a PXELINUX environment.
210 Path Prefix Specifies a path prefix for the configuration file used in a PXELINUX environment.
213 V4_ACCESS_DOMAIN Specifies the access network domain name available to the client for the purposes of discovering a Local Information Server (LIS).
214 - 218 Unassigned These options are supported if the option value type is IP, ASCII, or HEX.
221 VSS This option is supported if the option value type is IP, ASCII, or HEX.
222 - 223 Unassigned These options are supported if the option value type is IP, ASCII, or HEX.
224 - 241 Reserved These options are supported if the option value type is IP, ASCII, or HEX.
242 IP Tele-DataSrvr Configures the IP telephone data parameters for Avaya IP phones running as DHCP clients.
243 - 251 Reserved These options are supported if the option value type is IP, ASCII, or HEX.
252 WPAD Configures the Proxy-Auto Config (PAC) file location string for the Web Proxy Auto-Discovery (WPAD) supported DHCP clients.
253 - 254 Reserved These options are supported if the option value type is IP, ASCII, or HEX.
NOTE
Options not listed in the table are not supported or not configurable using the option command.
A DHCP server assigns and manages IPv4 addresses from multiple address pools, using dynamic address allocation. The DHCP server also contains the relay agent to forward DHCP broadcast messages to network segments that do not support these types of messages.
Recommendations and limitations
The list of supported DHCP options is extensive. However, the number of options that can be passed to the client is limited by the size of the ACK packet. It is recommended that you configure essential options only for the specific DHCP server address pool.
The following options (if configured) are prioritized, with additional options added as needed:
3 - Router Option
6 - Domain Name Server
12 - Hostname
15 - Domain name
66 - TFTP server hostname or IP address
67 - Boot file name
60 - Vendor-Specific Information
DHCP options are not validated by the DHCP server. You must ensure the values are configured correctly.
Upgrade considerations
In FastIron 08.0.61 or earlier releases, it was possible to configure a subset of these DHCP options using specific commands. For example, dhcp-default-router allows configuration of the DHCP default router (which is now also configurable using DHCP option 3). When upgrading to FastIron 08.0.70, any configured DHCP options are retained. However, the configuration is stored and shown in the new options format. The following table shows the options available in earlier releases and a mapping between the new option format and the corresponding commands available in earlier releases.
Opon number and name Command in release 08.0.70 Command in release 08.0.61 and earlier
1 - Subnet Mask network router-IP subnet mask
Note that this essenal opon is congured using
the network command. It is not congurable using
the opon command.
network router-IP subnet mask
3 - Router Opon opon 3 ip router -IP dhcp-default-router router -IP
6 - Domain Name Server opon 6 ip server-IP-address dns-server server-IP-address
12 - Hostname opon 12 ascii hostname host-name hostname
15 - Domain name opon 15 ascii domain-name domain-name ascii-string-domain-name
47 - NetBIOS over TCP/IP Name Server opon 47 ip Server-IP netbios-name-server Server-IP
49 - X Window System Display Manager opon 49 ip XWindow-manager-IP xwindow-manager XWindow-manager-IP
66 - TFTP server hostname opon 66 ascii TFTP-server-hostname tp-server TFTP-server-hostname
67 - Booile name opon 67 ascii booile-name booile booile-name
150 - TFTP server IP address opon 150 ip TFTP-server-IP tp-server TFTP-server-IP
176 - ip-telephony voice server opon 176 mcipadd mcport,… ip-telephony voice mcipadd mcport,…
242 - ip-telephony data server opon 242 mcipadd mcport,… ip-telephony data mcipadd mcport,…
252 - Proxy-Auto Cong (PAC) opon 252 ascii URL-to-cong-le wpad URL-to-cong-le
60 - Vendor-Specic Informaon opon 60 ascii VCI vendor-class ascii-string-VCI
Note that the exisng commands are sll supported. However, it is recommended that you congure these using the opon command where
appropriate. The conguraon is stored and shown in the opons format, irrespecve of whether the opon is congured using the opon
command or the commands available in previous releases.
Disabling or re-enabling the DHCP server on the management port
By default, when the DHCP server is enabled on the FastIron device, the server responds to DHCP client requests received on the management port.
If required, you can prevent the response to DHCP client requests received on the management port by disabling DHCP server support on the port.
When the DHCP server is disabled, DHCP client requests that are received on the management port are discarded.
1. Enter global configuration mode by issuing the configure terminal command.
device# configure terminal
2. Disable the DHCP server functionality on the management port.
device(config)# no ip dhcp-server mgmt
3. Enable the DHCP server functionality on the management port, as required.
device(config)# ip dhcp-server mgmt
Seng the wait me for ARP ping response
You can set the number of seconds to wait for a response to an ARP ping packet on the DHCP server.
At startup, the server reconciles the lease binding database by sending an ARP ping packet out to every client. If there is no response to the ARP
ping packet within a set amount of me (set in seconds), the server deletes the client from the lease binding database. The minimum seng is 5
seconds and the maximum is 30 seconds.
NOTE
Do not alter the default value unless it is necessary. Increasing the value of this mer may increase the me to get console access aer a
reboot.
1. Enter global conguraon mode by issuing the congure terminal command.
device# configure terminal
2. Specify the number of seconds to wait for a response to an ARP ping packet.
device(config)# ip dhcp-server arp-ping-timeout 20
The following example congures a wait ARP ping packet meout response to 20 seconds.
device# configure terminal
device(config)# ip dhcp-server arp-ping-timeout 20
DHCP relay agent informaon support (opon 82)
The DHCP relay agent informaon opon (DHCP opon 82) enables a DHCP relay agent to include informaon about itself when forwarding client-
originated DHCP packets to a DHCP server. The DHCP server uses this informaon to implement IP address assignments, or other parameter-
assignment policies.
In a metropolitan Ethernet-access environment, the DHCP server can centrally manage IP address assignments for a large number of subscribers. If
DHCP opon 82 is disabled, a DHCP policy can only be applied per subnet, rather than per physical port. When DHCP opon 82 is enabled, a
subscriber is idened by the physical port through which it connects to the network.
Enabling relay agent informaon (opon 82)
Complete the following steps to acvate DHCP opon 82.
This opon enables the DHCP server to echo relay agent informaon in all replies.
NOTE
It is not possible to congure relay agent echo (opon 82) using the opon command. The command and syntax to congure opon 82 is
shown below.
1. Enter global conguraon mode by issuing the congure terminal command.
device# configure terminal
2. Acvate DHCP opon 82.
device(config)# ip dhcp-server relay-agent-echo enable
Conguring the IP address of the DHCP server
Complete the following steps to specify the IP address of the selected DHCP server.
1. Enter global conguraon mode by issuing the congure terminal command.
device# configure terminal
2. Specify the server idener.
device(config)# ip dhcp-ser server-identifier 10.1.1.144
Conguring the boot image
The boot image species a boot image name to be used by the DHCP client.
In this task example, the DHCP client should use the boot image called "ICX". This variable can have an extension of .bin, .txt, or .cfg.
1. Enter global conguraon mode by issuing the congure terminal command.
device# configure terminal
2. Create and enter DHCP server pool conguraon mode.
device(config)# ip dhcp-server pool cabo
3. Specify a boot image name to be used by the DHCP client.
device(config-dhcp-cabo)# option 67 ascii icx
Deploying an address pool conguraon to the server
Complete the following steps to send an address pool conguraon to the DHCP server.
1. Enter global conguraon mode by issuing the congure terminal command.
device# configure terminal
2. Create and enter DHCP server pool conguraon mode.
device(config)# ip dhcp-server pool cabo
3. Deploy the address pool to the DHCP server.
device(config-dhcp-cabo)# deploy
Specifying default router available to the client
Complete the following steps to specify the IP address of the default router for a client.
1. Enter global configuration mode by issuing the configure terminal command.
device# configure terminal
2. Create and enter DHCP server pool configuration mode.
device(config)# ip dhcp-server pool cabo
3. Specify the IP address of the default router for the client.
device(config-dhcp-cabo)# option 3 ip 10.2.1.141
NOTE
Specify one default router IP address only. Do not enter multiple router addresses.
Specifying DNS servers available to the client
Complete the following steps to specify the DNS servers available to the client.
1. Enter global configuration mode by issuing the configure terminal command.
device# configure terminal
2. Create and enter DHCP server pool configuration mode.
device(config)# ip dhcp-server pool cabo
3. Specify the IP addresses of the DNS servers that are available to the DHCP clients.
device(config-dhcp-cabo)# option 6 ip 10.2.1.143 10.2.2.142
Configuring the domain name for the client
Complete the following steps to configure the domain name for the client.
1. Enter global configuration mode by issuing the configure terminal command.
device# configure terminal
2. Create and enter DHCP server pool configuration mode.
device(config)# ip dhcp-server pool cabo
3. Specify the domain name for the client.
device(config-dhcp-cabo)# option 15 ascii sierra
Conguring the lease duraon for the address pool
Complete the following steps to specify the lease duraon for the address pool.
You can set a lease duraon for days, hours, or minutes, or any combinaon of the three.
1. Enter global conguraon mode by issuing the congure terminal command.
device# configure terminal
2. Create and enter DHCP server pool conguraon mode.
device(config)# ip dhcp-server pool cabo
3. Set the lease duraon for the address pool.
device(config-dhcp-cabo)# lease 1 4 32
In the example, the lease duraon has been set to one day, four hours, and 32 minutes.
Specifying addresses to exclude from the address pool
Complete the following steps to specify the addresses that should be excluded from the address pool.
You can specify a single address or a range of addresses that should be excluded from the address pool.
1. Enter global conguraon mode by issuing the congure terminal command.
device# configure terminal
2. Create and enter DHCP server pool conguraon mode.
device(config)# ip dhcp-server pool cabo
3. Specify the address that should be excluded from the address pool.
device(config-dhcp-cabo)# excluded-address 10.2.3.44
Conguring the NetBIOS server for DHCP clients
You can specify the IP address of NetBIOS WINS servers that are available to Microso DHCP clients.
1. Enter global conguraon mode by issuing the congure terminal command.
device# configure terminal
2. Create and enter DHCP server pool conguraon mode.
device(config)# ip dhcp-server pool cabo
3. Specify the NetBIOS server for the DHCP client.
device(config-dhcp-cabo)# option 47 ip 192.168.1.55
Conguring the subnet and mask of a DHCP address pool
You can congure the subnet network and mask of the DHCP address pool.
1. Enter global conguraon mode by issuing the congure terminal command.
device# configure terminal
2. Create and enter DHCP server pool conguraon mode.
device(config)# ip dhcp-server pool cabo
3. Specify the subnet network and mask length of the DHCP address pool.
device(config-dhcp-cabo)# option 1 ip 10.2.3.44/24
Conguring the TFTP server
You can specify the address or name of the TFTP server to be used by the DHCP clients.
NOTE
If DHCP opons 66 (TFTP server name) and 150 (TFTP server IP address) are both congured, the DHCP client ignores opon 150 and tries
to resolve the TFTP server name (opon 66) using DNS.
1. Enter global conguraon mode by issuing the congure terminal command.
device# configure terminal
2. Create and enter DHCP server pool conguraon mode.
device(config)# ip dhcp-server pool cabo
3. Congure a TFTP server by specifying its IP address or server name.
device(config-dhcp-cabo)# option 150 ip 10.7.5.48
device(config-dhcp-cabo)# option 66 ascii tftp.domain.com
The rst example congures a TFTP server by specifying its IP address, while the second example congures a TFTP server by specifying its
server name.
Conguring X Window System Display Manager IP
addresses (opon 49)
Opon 49 of RFC 2132 species a list of IP addresses of systems that are running the X Window System Display Manager and are available to the
client.
The X Window client is a DHCP client in a network that solicits conguraon informaon by broadcasng a DHCP discovery packet on bootup or
when the DHCP client is enabled. The DHCP server provides the IP addresses of systems running the X Window System Display Managers available
in the network in their preferred order as part of the DHCP oer message.
On receipt of a discovery packet from the client, a DHCP oer message must be sent back. Opon 49 must be added with the IP addresses of
systems running the X Window System Display Manager in the network, along with other mandatory opons. You can congure a maximum of
three IP addresses in a DHCP server pool.
NOTE
Option 49 is ignored if the client is a non-X Window client.
1. Enter global configuration mode.
device# configure terminal
2. Configure an address pool in the DHCP server and enter DHCP server pool configuration mode.
device(config)# ip dhcp-server pool cabo
3. Enter the option 49 command (the equivalent of the earlier xwindow-manager command) along with the IP addresses of the X Window System Display Managers separated by spaces.
device(config-dhcp-cabo)# option 49 ip 10.38.12.1 10.38.12.3 10.38.12.5
The following example configures the IP addresses of systems running the X Window System Display Manager in the DHCP configuration pool.
device# configure terminal
device(config)# ip dhcp-server pool cabo
device(config-dhcp-cabo)# option 49 ip 10.38.12.1 10.38.12.3 10.38.12.5
Vendor specific information (option 43 and option 60) configurations
RUCKUS devices running as DHCP servers can be configured with option 43 and option 60.
Configuring DHCP option 60 helps identify the incoming DHCP client. If the vendor class identifier (VCI) advertised by the DHCP client matches the one on the DHCP server, the server decides to exchange the vendor-specific information (VSI) configured as part of DHCP option 43.
The RUCKUS ICX DHCP server can recognize the DHCP client device using the VCI (option 60) and pass specific information to this device type only (using option 43). However, the DHCP server can be configured to always pass additional information using option 43 (regardless of the client).
In summary:
Option 60 defines the vendor type and configuration value.
Option 43 defines vendor specific information.
If option 60 is configured, the vendor specific information (defined in option 43) is returned to clients that provide the appropriate vendor type and configuration value.
If option 60 is not configured, the vendor specific information is sent to all clients.
Configuring vendor details and vendor specific information (option 43 and option 60)
RUCKUS devices running as DHCP servers can be configured with option 43 and option 60. The following task configures option 60 and option 43 for a device running as a DHCP server.
To configure option 60 and option 43:
1. Enter global configuration mode.
device# configure terminal
2. Create a DHCP server pool.
device(config)# ip dhcp-server pool ruckus
NOTE
Save the configuration to retain the configuration through warm or cold reboots.
3. Specify (option 60) the vendor type and configuration value for the DHCP client using the option command.
device(ip dhcp-server pool ruckus)# option 60 ascii "Ruckus CPE"
NOTE
If the ascii option contains a space, you must enter it with double quotes as shown in the previous example.
4. Specify (option 43) the vendor specific information using the option command.
device(ip dhcp-server pool ruckus)# option 43 hex 0108c0a80a01c0a81401
5. Deploy the configuration using the deploy command.
device(ip dhcp-server pool ruckus)# deploy
The following example configures option 60 and option 43 (hex) for a Ruckus Access Point (AP).
device# configure terminal
device(config)# ip dhcp-server pool ruckus
device(ip dhcp-server pool ruckus)# option 60 ascii "Ruckus CPE"
device(ip dhcp-server pool ruckus)# option 43 hex 010cc0a80a01c0a81401c0a81e01
device(ip dhcp-server pool ruckus)# deploy
The following example configures option 60 and option 43 (ASCII) for a Ruckus AP.
device# configure terminal
device(config)# ip dhcp-server pool ruckus
device(ip dhcp-server pool ruckus)# option 60 ascii "Ruckus CPE"
device(ip dhcp-server pool ruckus)# option 43 ascii ruckusconfig
device(ip dhcp-server pool ruckus)# deploy
The following example configures the SmartZone (SZ) IP list in TLV format for the DHCP server.
device# configure terminal
device(config)# ip dhcp-server pool ruckus
device(ip dhcp-server pool ruckus)# option 60 ascii "Ruckus CPE"
device(ip dhcp-server pool ruckus)# option 43 hex 0x010b31312e31312e31312e3131030f3131322e3131322e3131322e313132061731302e31302e31302e31302c31322e31322e31322e3132
device(ip dhcp-server pool ruckus)# deploy
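Because the DHCP server does not validate option values, a mistyped length byte in an option 43 hex string goes out to clients as configured. The following added example (not part of the RUCKUS guide) decodes and re-encodes the type-length-value strings used in the commands above so a value can be checked before it is entered. The function names are this example's own, and the ASCII-versus-packed-IPv4 rendering is a display heuristic, not a statement about what each sub-option code means.

```python
import ipaddress


def parse_option43(hex_value):
    """Split an option 43 hex string into a list of (code, value) sub-options."""
    text = "".join(hex_value.split())       # tolerate line wraps from copy/paste
    if text.lower().startswith("0x"):
        text = text[2:]
    if len(text) % 2:
        raise ValueError("odd number of hex digits")
    data = bytes.fromhex(text)              # raises ValueError on non-hex input
    subopts, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError(f"sub-option header truncated at byte {pos}")
        code, length = data[pos], data[pos + 1]
        end = pos + 2 + length
        if end > len(data):
            raise ValueError(
                f"sub-option {code} declares {length} bytes, "
                f"only {len(data) - pos - 2} remain")
        subopts.append((code, data[pos + 2:end]))
        pos = end
    return subopts


def encode_option43(subopts):
    """Build the hex string from (code, value-bytes) pairs, computing lengths."""
    out = bytearray()
    for code, value in subopts:
        if not 0 <= code <= 255:
            raise ValueError(f"sub-option code {code} does not fit in one byte")
        if len(value) > 255:
            raise ValueError(f"sub-option {code} value longer than 255 bytes")
        out += bytes([code, len(value)]) + value
    # A DHCP option carries a one-octet length, so keep the payload within it.
    if len(out) > 255:
        raise ValueError("option 43 payload longer than 255 bytes")
    return out.hex()


def describe_value(value):
    """Render a value as text, as packed IPv4 addresses, or as raw hex (heuristic)."""
    if value and all(0x20 <= b < 0x7F for b in value):
        return "ascii " + value.decode("ascii")
    if value and len(value) % 4 == 0:
        addrs = [str(ipaddress.IPv4Address(value[i:i + 4]))
                 for i in range(0, len(value), 4)]
        return "ipv4 " + ", ".join(addrs)
    return "hex " + value.hex()


def report(hex_value):
    """One readable line per sub-option, for review before configuring."""
    return [f"sub-option {code} (len {len(value)}): {describe_value(value)}"
            for code, value in parse_option43(hex_value)]


# Values copied from the option 43 commands shown in this section.
PAGE_EXAMPLES = {
    "two packed addresses": "0108c0a80a01c0a81401",
    "three packed addresses": "010cc0a80a01c0a81401c0a81e01",
    "SmartZone IP list": ("0x010b31312e31312e31312e3131"
                          "030f3131322e3131322e3131322e313132"
                          "061731302e31302e31302e31302c31322e31322e31322e3132"),
}

if __name__ == "__main__":
    for name, value in PAGE_EXAMPLES.items():
        print(name)
        for line in report(value):
            print("  " + line)
```

Building the string with encode_option43 and pasting its output avoids hand-counting lengths; parse_option43 raises ValueError when a declared length runs past the end of the data.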
Enabling stac IP to MAC address mapping
Based on the client MAC address, you can stacally congure the IP address to the MAC address in the DHCP server.
This conguraon is useful when you want to have selected clients assigned with parcular IP addresses from the server. Whenever a DHCP
discover message is received from these clients, based on the stac conguraon, the IP address will be assigned with the other required
parameters.
1. Enter global conguraon mode.
device# configure terminal
2. Create a DHCP server pool.
device(config)# ip dhcp-server pool cabo
3. Enter the static-mac-ip-mapping command followed by the IP address and MAC address for mapping.
device(config-dhcp-cabo)# static-mac-ip-mapping 10.10.10.29 0010.9400.0005
The following example enables the static MAC address to IP address mapping.
device# configure terminal
device(config)# ip dhcp-server pool cabo
device(config-dhcp-cabo)# static-mac-ip-mapping 10.10.10.29 0010.9400.0005
Configuring Avaya IP telephony (options 176 and 242)
Avaya IP telephones use site-specific options 176 and 242 as a method to obtain parameters from the DHCP server.
On receipt of a discovery packet from the Avaya IP telephone client, a DHCP offer message must be sent back. Options 176 and 242 must be added with the details of IP telephony voice and data servers present in the network, along with mandatory options.
Option 176 is used for voice server representation.
Option 242 is used for data servers.
The following table lists the parameters for each option:
Option | Parameters
Option 176: Voice server options
mcipadd ip-address - Specifies the IP telephony server port number. The default is 1719.
mcport portnum - Specifies the IP telephony server port number. The default is 1719.
tftpsrvr/httpsrvr/tlssrvr server-ip-address - Specifies the IP addresses of the TFTP, HTTP, and TLS servers.
l2qaud or l2qsig prio - Specifies the IP telephony L2QAUD or L2QSIG priority value. The range is from 1 to 6. The default value is 6.
l2qvlan vlan-id - Specifies the IP telephony L2QVLAN number. The default is 0.
vlantest secs - The number of seconds a phone attempts to return to the previously known voice VLAN. This is not applicable for the default VLAN.
Opon 242: Data server opons mcipadd ip-address
IP address of the gatekeeper. Atleast one IP address is required.
mcport portnum
Species IP telephony server port number. The default is 1719.
tpsrvr/hpsrvr/tlssrvr server ip-address
Species the IP addresses of the TFP, HTTP, and TLS servers.
l2qaud or l2qsig prio
L2QAUD is the IP telephony L2 audio priority value. L2QSIG is the IP telephony L2 signaling priority value. This range is
from 1 through 6. The default value is 6.
l2qvlan vlan-id
Species the IP telephony L2QVLAN number. The default is 0.
vlantest secs
The number of seconds a phone aempts to return to the previously known voice VLAN. This is not applicable for the
default VLAN.
NOTE
Opons 176 and 242 are ignored for non-Avaya IP telephone clients.
1. Enter global conguraon mode.
device# configure terminal
2. Congure an address pool in the DHCP server and enter DHCP server pool conguraon mode.
device(config)# ip dhcp-server pool cabo
3. Enter the opon command followed by the supported parameters. The parameters you can add for IP telephony data are mcipadd,
mcport, hpsrvr, l2qaud, l2qsig, l2qvlan, tpsrvr, tlssrvr, and vlantest.
The following example species the MCIP address and MCPORT of the data server.
device(config-dhcp-cabo)# option 242 mcipadd 1.1.1.2 mcport 1719
4. Enter the opon command followed by the supported parameters. The parameters you can add for IP telephony voice are mcipadd,
mcport, hpsrvr, l2qaud, l2qsig, l2qvlan, tpsrvr, tlssrvr, and vlantest.
The following example species the MCIP address and MCPORT of the voice server.
device(config-dhcp-cabo)# option 176 mcipadd 1.1.1.2 mcport 1719
5. Enter the show ip dhcp-server address-pools command to view and verify the IP telephony options.
device(config)# show ip dhcp-server address-pools
Showing all address pool(s):
Pool Name: dhcp
Time elapsed since last save: 00d:00h:00m:00s
Total number of active leases: 0
Address Pool State: pending
Pool Configured Options:
lease: 1 0 0
network: 10.10.10.0 255.255.255.0
option 3 (Default-Router ): ip 10.10.10.1
option 60 (Vendor Class Id ): hex FF
option 176 (IP Tele-VoiceSrvr ): MCIPADD=10.10.10.1,MCPORT=1719
option 242 (IP Tele-DataSrvr ): MCIPADD=10.10.10.1,MCPORT=1719
Conguring WPAD (opon 252)
The Web Proxy Auto-Discovery (WPAD) protocol is used by web browsers to locate a Proxy Auto-Cong (PAC) le automacally.
The WPAD protocol can use a DNS or DHCP server to locate a PAC le. DHCP detecon involves the URL being pushed to the user in the DHCP
assignment, while DNS detecon is based on an informed guess, using known informaon about the DNS. A web browser that supports both
methods checks the DHCP assignment rst, and then aempts the DNS method. If the browser is unable to load a PAC le through the DHCP or DNS
methods, it will allow direct Internet access.
NOTE
The PAC le must have the le name wpad.dat for the DNS method to funcon.
1. Enter global conguraon mode.
device# configure terminal
2. Congure an address pool in the DHCP server and enter DHCP server pool conguraon mode.
device(config)# ip dhcp-server pool cabo
3. Enter the opon command followed by the full network locaon of the PAC le.
device(config-dhcp-cabo)# option 252 ascii http://172.26.67.243:8080/wpad.dat
4. Enter the show ip dhcp-server address-pools command to view the congured network locaon of the PAC le.
device(config)# show ip dhcp-server address-pools
Showing all address pool(s):
Pool Name: test
Time elapsed since last save: 00d:00h:01m:21s
Total number of active leases: 1
Address Pool State: active
Pool Configured Options:
lease: 1 0 0
network: 50.50.50.0 255.255.255.0
option 252 (WPAD ): http://172.26.67.243:8080/wpad.dat
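The PAC file named in option 252 decides which proxy a browser sends its traffic to, and a PAC file fetched over plain http can be altered in transit, so the configured URL is worth reviewing along with the other options this guide says clients act on. The following added example (not part of the RUCKUS guide) parses show ip dhcp-server address-pools output and flags three conditions described in this chapter. The sample output is constructed in the shape shown above, and the display names it uses for options 43 and 66 are placeholders.

```python
import re

POOL_RE = re.compile(r"^\s*Pool Name:\s*(\S+)")
OPTION_RE = re.compile(r"^\s*option\s+(\d+)\s*\([^)]*\):\s*(.*)$")

# Constructed sample in the format of the show output in this guide.
# The names in parentheses for options 43 and 66 are placeholders.
SAMPLE_OUTPUT = """\
Showing all address pool(s):
    Pool Name: test
    Address Pool State: active
    Pool Configured Options:
    lease: 1 0 0
    network: 50.50.50.0 255.255.255.0
    option 43 (Vendor Specific ): hex 0108c0a80a01c0a81401
    option 66 (TFTP Server Name ): ascii tftp.domain.com
    option 150 (TFTP Server Addr ): ip 10.7.5.48
    option 252 (WPAD ): http://172.26.67.243:8080/wpad.dat
    Pool Name: ruckus
    Address Pool State: active
    Pool Configured Options:
    network: 10.10.10.0 255.255.255.0
    option 43 (Vendor Specific ): hex 0108c0a80a01c0a81401
    option 60 (Vendor Class Id ): ascii Ruckus CPE
"""


def parse_pools(text):
    """Return {pool name: {option number: raw value string}}."""
    pools, current = {}, None
    for line in text.splitlines():
        match = POOL_RE.match(line)
        if match:
            current = pools.setdefault(match.group(1), {})
            continue
        match = OPTION_RE.match(line)
        if match and current is not None:
            current[int(match.group(1))] = match.group(2).strip()
    return pools


def audit_pool(options):
    """Return a list of (finding id, explanation) for one pool's options."""
    findings = []
    # The value may be shown with or without a leading type keyword.
    wpad = options.get(252, "")
    url = wpad.split()[-1] if wpad else ""
    if url.lower().startswith("http://"):
        findings.append(("wpad-cleartext",
                         f"PAC file {url} is fetched over unauthenticated http"))
    # Per the guide: without option 60 the option 43 data goes to all clients.
    if 43 in options and 60 not in options:
        findings.append(("vsi-unscoped",
                         "option 43 is set without option 60, so vendor "
                         "information is sent to every client"))
    # Per the guide: with both set, clients ignore 150 and resolve 66 via DNS.
    if 66 in options and 150 in options:
        findings.append(("tftp-name-and-ip",
                         "options 66 and 150 are both set; clients ignore 150 "
                         "and depend on DNS to resolve option 66"))
    return findings


def audit(text):
    """Audit every pool found in the show output."""
    return {name: audit_pool(opts) for name, opts in parse_pools(text).items()}


if __name__ == "__main__":
    for pool, findings in audit(SAMPLE_OUTPUT).items():
        print(f"pool {pool}: {len(findings)} finding(s)")
        for finding_id, text in findings:
            print(f"  [{finding_id}] {text}")
```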
Displaying DHCP server informaon
The following DHCP show commands can be entered from any level of the CLI.
Use one of the commands to view DHCP server informaon. The commands do not need to be entered in the specied order.
Display a specic acve lease, or all acve leases.
device# show ip dhcp-server binding
Bindings from all pools:
IP Address Client-ID/ Lease expiration Type
Hardware address
192.168.1.2 0000.005d.a440 0d:0h:29m:31s Automatic
192.168.1.3 0000.00e1.26c0 0d:0h:29m:38s Automatic
Display informaon about a specic address pool or all address pools.
device# show ip dhcp-server address-pools
Showing all address pool(s):
Pool Name: dhcp
Time elapsed since last save: 00d:00h:00m:00s
Total number of active leases: 0
Address Pool State: pending
Pool Configured Options:
lease: 1 0 0
network: 10.10.10.0 255.255.255.0
option 3 (Default-Router ): ip 10.10.10.1
option 6 (Domain Server ): ip 192.168.1.100
option 15 (Domain Name ): ascii example.com
option 44 (NETBIOS Name Srv ): ip 192.168.1.101
option 60 (Vendor Class Id ): hex 00
option 67 (Bootfile-Name ): ascii example.bin
option 150 (TFTP Server Addr ): ip 192.168.1.103
option 176 (IP Tele-VoiceSrvr ): MCIPADD=10.10.10.1,MCPORT=5,HTTPSRVR=20.20.20.1,L2QAUD=5,
option 242 (IP Tele-DataSrvr ): MCIPADD=10.10.10.1,
Display the lease binding database that is stored in flash memory.
device# show ip dhcp-server flash
Address Pool Binding:
IP Address Client-ID/ Lease expiration Type
Hardware address
192.168.1.2 0000.005d.a440 0d:0h:18m:59s Automatic
192.168.1.3 0000.00e1.26c0 0d:0h:19m:8s Automatic
Display informaon about acve leases, deployed address pools, undeployed address pools, and server upme.
device# show ip dhcp-server summary
DHCP Server Summary:
Total number of active leases: 2
Total number of deployed address-pools: 1
Total number of undeployed address-pools: 0
Server uptime: 0d:0h:8m:27s
Display DHCP conguraon informaon on a Layer 2 device.
device(config)# show ip
Switch IP address: 10.44.16.116
Subnet mask: 255.255.255.0
Default router address: 10.44.16.1
TFTP server address: 10.44.16.41
Configuration filename: foundry.cfg
Image filename: None
Display IP address informaon for a Layer 2 device.
device(config)# show ip address
IP Address Type Lease Time Interface
10.44.16.116 Dynamic 174 0/1/1
Display IP address informaon for a Layer 3 device.
device(config)# show ip address
IP Address Type Lease Time Interface
10.44.3.233 Dynamic 672651 0/1/2
10.0.0.1 Static N/A 0/1/15
Display the Layer 2 device configuration using the show run command.
device(config)# show run
Current configuration:
!
ver 08.0.40
!
module 1 icx-24-port-base-module
!
!ip dns domain-list englab.ruckuswireless.com
ip dns domain-list companynet.com
ip dns server-address 10.31.2.10
ip route 0.0.0.0/0 10.25.224.1
!ipv6 raguard policy p1
!ipv6 dns server-address 200::1 8000::60 7000::61
!!
end
Display the Layer 3 device configuration using the show run command.
device(config)# show run
Current configuration:
!
ver 08.0.40
!
module 1 icx7650-20-qxg-port-management-module
module 2 icx7650-qsfp-6port-qsfp-240g-module
!
vlan 1 name DEFAULT-VLAN by port
!
ip dns server-address 10.44.3.111
interface ethernet 0/1/2
ip address 10.44.3.233 255.255.255.0 dynamic
ip dhcp-client lease 691109
interface ethernet 0/1/15
ip address 10.0.0.1 255.0.0.0
ip helper-address 1 10.44.3.111
!
end
DHCPv4
DHCPv4 overview
DHCP Assist configuration
Dynamic ARP Inspection Overview
DHCP Snooping
DHCP Relay Agent Information and Option 82 Insertion
IP Source Guard
DHCPv4 overview
The Dynamic Host Configuration Protocol for DHCPv4 enables DHCP servers to pass configuration parameters such as IPv4 addresses to IPv4 hosts.
On FastIron devices, you can configure Dynamic ARP Inspection, DHCPv4 snooping, and IP Source Guard together. The RUCKUS implementation of
these features provides enhanced network security by filtering untrusted DHCP packets.
The Dynamic Host Configuration Protocol (DHCP) is based on the Bootstrap Protocol (BOOTP) and provides configuration parameters such as IP
addresses, default routes, DNS server addresses, access control, QoS policies, and security policies stored in DHCP server databases to DHCP clients
upon request. DHCP enables the automatic configuration of client systems. DHCP removes the need to configure devices individually. Clients can set
network properties by connecting to the DHCP server instead. This protocol consists of two components; a protocol to deliver host-specific
configuration parameters from a DHCP server to a host, and a mechanism to allocate network addresses to hosts.
DHCP is built on a client-server model, where designated DHCP server hosts allocate network addresses and deliver configuration parameters to
dynamically configured hosts.
DHCP Assist configuration
DHCP Assist allows a RUCKUS Layer 2 switch to assist a router that is performing multi-netting on its interfaces as part of its DHCP relay function.
DHCP Assist ensures that a DHCP server that manages multiple IP subnets can readily recognize the requester IP subnet, even when that server is
not on the client local LAN segment. The RUCKUS Layer 2 switch does so by stamping each request with its IP gateway address in the DHCP
discovery packet.
NOTE
RUCKUS Layer 2 switches provide BOOTP/DHCP assistance by default on an individual port basis. Refer to Changing the IP address used
for stamping BOOTP and DHCP requests in the RUCKUS FastIron Layer 3 Routing Configuration Guide.
By allowing multiple subnet DHCP requests to be sent on the same wire, you can reduce the number of router ports required to support secondary
addressing, as well as reduce the number of DHCP servers required by allowing a server to manage multiple subnet address assignments.
FIGURE 6 DHCP requests in a network without DHCP Assist on the Layer 2 switch
In a network operating without DHCP Assist, hosts can be assigned IP addresses from the wrong subnet range because a router with multiple
subnets configured on an interface cannot distinguish among DHCP discovery packets received from different subnets.
In the example depicted, a host from each of the four subnets supported on a Layer 2 switch requests an IP address from the DHCP server. These
requests are sent transparently to the router. Because the router is unable to determine the origin of each packet by subnet, it assumes the lowest
IP address or the "primary address" is the gateway for all ports on the Layer 2 switch and stamps the request with that address.
When the DHCP request is received at the server, it assigns all IP addresses within that range only.
With DHCP Assist enabled on a RUCKUS Layer 2 switch, correct assignments are made because the Layer 2 switch provides the stamping service.
How DHCP Assist works
Upon initiation of a DHCP session, the client sends out a DHCP discovery packet for an address from the DHCP server. When the DHCP discovery
packet is received at a RUCKUS Layer 2 switch with the DHCP Assist feature enabled, the gateway address configured on the receiving interface is
inserted into the packet. This address insertion is also referred to as stamping.
FIGURE 7 DHCP requests in a network with DHCP Assist operating on a FastIron switch
When the stamped DHCP discovery packet is then received at the router, it is forwarded to the DHCP server. The DHCP server then extracts the
gateway address from each request and assigns an available IP address within the corresponding IP subnet. The IP address is then forwarded back
to the workstation that originated the request.
NOTE
When DHCP Assist is enabled on any port, Layer 2 broadcast packets are forwarded by the CPU. Unknown unicast and multicast packets
are still forwarded in hardware, although selective packets such as IGMP, are sent to the CPU for analysis. When DHCP Assist is not
enabled, Layer 2 broadcast packets are forwarded in hardware.
NOTE
The DHCP relay function of the connecting router must be turned on.
FIGURE 8 DHCP offers are forwarded back toward the requesters
Configuring DHCP Assist
You can associate a gateway list with a port. You must configure a gateway list when DHCP Assist is enabled on a RUCKUS Layer 2 switch.
The gateway list contains a gateway address for each subnet that will be requesting addresses from a DHCP server. The list allows the stamping
process to occur. Each gateway address defined on the Layer 2 switch corresponds to an IP address of the RUCKUS router interface or other router
involved.
When multiple IP addresses are configured for a gateway list, the Layer 2 switch inserts the addresses into the discovery packet in a round-robin
fashion. Up to 32 gateway lists can be defined for each Layer 2 switch.
1. Enter global configuration mode by issuing the configure terminal command.
device# configure terminal
2. Configure the required gateway lists. Up to eight addresses can be defined for each gateway list in support of ports that are multihomed.
device(config)# dhcp-gateway-list 1 10.95.5.1
device(config)# dhcp-gateway-list 2 10.95.6.1
device(config)# dhcp-gateway-list 3 10.95.1.1 10.95.5.1
3. Enter interface configuration mode and associate gateway list 1 with interface 1/1/2.
device(config)# interface ethernet 1/1/2
device(config-if-e1000-1/1/2)# dhcp-gateway-list 1
4. Associate gateway list 2 with interface 1/1/8.
device(config)# interface ethernet 1/1/8
device(config-if-e1000-1/1/8)# dhcp-gateway-list 2
5. Associate gateway list 3 with interface 1/1/14.
device(config)# interface ethernet 1/1/14
device(config-if-e1000-1/1/14)# dhcp-gateway-list 3
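The following added example (not part of the RUCKUS guide and not vendor code) traces DHCP discovery packets through the gateway lists configured above, with and without DHCP Assist stamping. It assumes the stamped field is the BOOTP giaddr field of RFC 2131; the router interface addresses, server scopes, and client MAC addresses are constructed for the illustration.

```python
import ipaddress
import struct
from itertools import cycle

# Gateway lists and port associations taken from the configuration steps above.
GATEWAY_LISTS = {1: ["10.95.5.1"], 2: ["10.95.6.1"], 3: ["10.95.1.1", "10.95.5.1"]}
PORT_TO_LIST = {"1/1/2": 1, "1/1/8": 2, "1/1/14": 3}

# Constructed for the example: router addresses, server scopes, client requests.
ROUTER_ADDRS = ["10.95.1.1", "10.95.5.1", "10.95.6.1"]
SERVER_SCOPES = [ipaddress.ip_network(n)
                 for n in ("10.95.1.0/24", "10.95.5.0/24", "10.95.6.0/24")]
REQUESTS = [("1/1/2", "0000.0000.0a01"), ("1/1/8", "0000.0000.0a02"),
            ("1/1/14", "0000.0000.0a03"), ("1/1/14", "0000.0000.0a04")]


def build_discover(xid, mac):
    """Fixed 236-byte BOOTP request header with giaddr left at 0.0.0.0."""
    chaddr = bytes.fromhex(mac.replace(".", ""))
    return struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                       1, 1, 6, 0, xid, 0, 0x8000,               # op..flags
                       bytes(4), bytes(4), bytes(4), bytes(4),   # ci/yi/si/giaddr
                       chaddr, b"", b"")                         # chaddr, sname, file


def get_giaddr(packet):
    return ipaddress.ip_address(packet[24:28])   # giaddr sits at bytes 24..27


def set_giaddr(packet, addr):
    return packet[:24] + ipaddress.ip_address(addr).packed + packet[28:]


class AssistSwitch:
    """Layer 2 switch that stamps requests from its per-port gateway list."""

    def __init__(self):
        # One round-robin iterator per gateway list.
        self._next = {num: cycle(addrs) for num, addrs in GATEWAY_LISTS.items()}

    def stamp(self, port, packet):
        list_no = PORT_TO_LIST.get(port)
        if list_no is None:
            return packet                        # no gateway list on this port
        return set_giaddr(packet, next(self._next[list_no]))


def router_relay(packet):
    """Relay that stamps its lowest (primary) address only if nothing is set."""
    if get_giaddr(packet) == ipaddress.ip_address("0.0.0.0"):
        primary = min(ROUTER_ADDRS, key=ipaddress.ip_address)
        packet = set_giaddr(packet, primary)
    return packet


def server_scope(packet):
    """The server picks the scope that contains the stamped gateway address."""
    giaddr = get_giaddr(packet)
    return next((str(net) for net in SERVER_SCOPES if giaddr in net), None)


def assign_scopes(assist_enabled, requests=REQUESTS):
    switch = AssistSwitch()
    result = []
    for i, (port, mac) in enumerate(requests):
        pkt = build_discover(0x1000 + i, mac)
        if assist_enabled:
            pkt = switch.stamp(port, pkt)
        pkt = router_relay(pkt)
        result.append((port, server_scope(pkt)))
    return result


if __name__ == "__main__":
    for enabled in (False, True):
        print("DHCP Assist", "on " if enabled else "off", assign_scopes(enabled))
```

Without stamping, every request is served from the scope of the router's primary address; with stamping, port 1/1/14 alternates between the two subnets of gateway list 3.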
Dynamic ARP Inspection Overview
For enhanced network security, you can configure the RUCKUS device to inspect and keep track of Dynamic Host Configuration Protocol (DHCP)
assignments.
Dynamic ARP Inspection (DAI) enables the RUCKUS device to intercept and examine all ARP request and response packets in a subnet and discard
packets with invalid IP-to-MAC address bindings. DAI can prevent common man-in-the-middle (MITM) attacks such as ARP cache poisoning, and
disallow misconfiguration of client IP addresses.
DAI allows only valid ARP requests and responses to be forwarded and supports Multi-VRFs with overlapping address spaces.
ARP Poisoning
ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address. Before a host can talk to another
host, it must map the IP address to a MAC address first. If the host does not have the mapping in its ARP table, it creates an ARP request to resolve
the mapping. All computers on the subnet receive and process the ARP requests, and the host whose IP address matches the IP address in the
request sends an ARP reply.
An ARP poisoning attack can target hosts, switches, and routers connected to the Layer 2 network by poisoning the ARP caches of systems
connected to the subnet and by intercepting traffic intended for other hosts on the subnet. For instance, a malicious host can reply to an ARP
request with its own MAC address, thereby causing other hosts on the same subnet to store this information in their ARP tables or replace the
existing ARP entry. Furthermore, a host can send gratuitous replies without having received any ARP requests. A malicious host can also send out
ARP packets claiming to have an IP address that actually belongs to another host (for example, the default router). After the attack, all traffic from
the device under attack flows through the attacker computer and then to the router, switch, or host.
How Dynamic ARP Inspection Works
Dynamic ARP Inspection (DAI) allows only valid ARP requests and responses to be forwarded.
A RUCKUS device on which DAI is configured completes the following tasks:
• Intercepts ARP packets received by the system CPU
• Inspects all ARP requests and responses received on untrusted ports
• Verifies that each of the intercepted packets has a valid IP-to-MAC address binding before updating the local ARP table, or before forwarding the packet to the appropriate destination
• Drops invalid ARP packets
When you enable DAI on a VLAN, by default, all member ports are untrusted. You must manually configure trusted ports. In a typical network
configuration, ports connected to host ports are untrusted. You configure ports connected to other switches or routers as trusted.
DAI inspects ARP packets received on untrusted ports. DAI carries out the inspection based on IP-to-MAC address bindings stored in a trusted
binding database. For the RUCKUS device, the binding database is the ARP table and the DHCP snooping table, which supports DAI, DHCP snooping,
and IP Source Guard. To inspect an ARP request packet, DAI checks the source IP address and source MAC address against the ARP table. For an ARP
reply packet, DAI checks the source IP, source MAC, destination IP, and destination MAC addresses. DAI forwards the valid packets and discards
those with invalid IP-to-MAC address bindings.
When ARP packets reach a trusted port, DAI lets them through, as shown in the following figure.
FIGURE 9 Dynamic ARP Inspection at Work
ARP and DHCP Snoop Entries
DAI uses the IP-to-MAC mappings in the ARP table to validate ARP packets received on untrusted ports. DAI relies on the following entries:
• Dynamic ARP: Normal ARP learned from trusted ports.
• Static ARP: Statically configured IP address, MAC address, and port mapping.
• Inspection ARP: Statically configured IP-to-MAC mapping, where the port is initially unspecified. The actual physical port mapping will be resolved and updated from validated ARP packets.
• DHCP-Snooping ARP: Information collected from snooping DHCP packets when DHCP snooping is enabled on VLANs. DHCP snooping entries are stored in a different table and are not part of the ARP table.
The status of an ARP entry is either valid or pending:
• Valid: The mapping is valid, and the port is resolved. This is always the case for static ARP entries.
• Pending: For normal dynamic ARP entries before they are resolved. Their status changes to valid when they are resolved, and the port is mapped. Refer to System Reboot and the Binding Database on page 79.
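The following added example (a simplified model written for this page, not RUCKUS code) applies the inspection rules described above to a handful of ARP packets: trusted ports bypass inspection, requests are checked on the sender binding, replies on both sender and target bindings, and a pending inspection entry is resolved to a port by the first valid packet. The inspection entry 10.20.20.12 / 0000.0002.0003, VLAN 2, and trusted port 1/1/4 come from the guide's configuration example; every other address, port, and packet is constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Binding:
    ip: str
    mac: str
    kind: str                      # "dynamic", "static", "inspection", "dhcp-snoop"
    port: Optional[str] = None     # unresolved until a valid packet is seen
    status: str = "Valid"          # "Valid" or "Pend"


@dataclass(frozen=True)
class ArpPacket:
    op: str                        # "request" or "reply"
    vlan: int
    port: str                      # ingress port
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


class DaiSwitch:
    def __init__(self, dai_vlans, trusted_ports, bindings):
        self.dai_vlans = set(dai_vlans)
        self.trusted = set(trusted_ports)
        # ARP table entries and DHCP snooping entries form one lookup here.
        self.db = {b.ip: b for b in bindings}

    def _match(self, ip, mac):
        entry = self.db.get(ip)
        return entry if entry is not None and entry.mac == mac else None

    def inspect(self, pkt):
        # DAI applies only to untrusted ports of VLANs where it is enabled.
        if pkt.vlan not in self.dai_vlans or pkt.port in self.trusted:
            return "forward"
        sender = self._match(pkt.sender_ip, pkt.sender_mac)
        if sender is None:
            return "drop"
        # Replies are also checked on the destination IP-to-MAC binding.
        if pkt.op == "reply" and self._match(pkt.target_ip, pkt.target_mac) is None:
            return "drop"
        # A pending inspection entry learns its port from a validated packet.
        if sender.kind == "inspection" and sender.status == "Pend":
            sender.port, sender.status = pkt.port, "Valid"
        return "forward"


def build_demo_switch():
    return DaiSwitch(
        dai_vlans={2},
        trusted_ports={"1/1/4"},
        bindings=[
            Binding("10.20.20.12", "0000.0002.0003", "inspection", status="Pend"),
            Binding("10.20.20.1", "0000.0002.0001", "dynamic", port="1/1/4"),     # constructed
            Binding("10.20.20.50", "0000.0002.0050", "dhcp-snoop", port="1/1/9"),  # constructed
        ],
    )


# Constructed packets, all in VLAN 2.
DEMO_PACKETS = [
    # Static host asks for the gateway: sender binding matches the inspection entry.
    ArpPacket("request", 2, "1/1/7", "10.20.20.12", "0000.0002.0003", "10.20.20.1", "0000.0000.0000"),
    # Reply claiming the gateway IP with a MAC that is not bound to it.
    ArpPacket("reply", 2, "1/1/8", "10.20.20.1", "0000.0bad.0001", "10.20.20.50", "0000.0002.0050"),
    # DHCP client answers the static host: both bindings are valid.
    ArpPacket("reply", 2, "1/1/9", "10.20.20.50", "0000.0002.0050", "10.20.20.12", "0000.0002.0003"),
    # Valid sender, but the destination MAC does not match the bound one.
    ArpPacket("reply", 2, "1/1/9", "10.20.20.50", "0000.0002.0050", "10.20.20.12", "0000.0bad.0001"),
    # Same mismatched reply as the second packet, arriving on the trusted port.
    ArpPacket("reply", 2, "1/1/4", "10.20.20.1", "0000.0bad.0001", "10.20.20.50", "0000.0002.0050"),
]


def run_demo():
    switch = build_demo_switch()
    return [switch.inspect(p) for p in DEMO_PACKETS], switch


if __name__ == "__main__":
    verdicts, sw = run_demo()
    for pkt, verdict in zip(DEMO_PACKETS, verdicts):
        print(f"{verdict:8} {pkt.op:8} {pkt.sender_ip} {pkt.sender_mac} on {pkt.port}")
    print(sw.db["10.20.20.12"])
```

The last packet is forwarded only because it arrives on a trusted port, which is why trust belongs on links to other switches or routers and not on host-facing ports.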
Configuration Notes and Feature Limitations for DAI
The following configuration notes and limitations apply when configuring Dynamic ARP Inspection (DAI):
• The maximum number of static DAI entries that can be configured is 6000. This value cannot be changed.
• DAI can be configured on a maximum of 511 VLANs.
• DAI is supported on a VLAN without a VE, or on a VE with or without an assigned IP address.
• DAI is supported on LAG ports.
• For default VLAN ID changes, DAI must be re-applied on the new default VLAN.
• ACLs are supported on member ports of a VLAN on which DHCP snooping and Dynamic ARP Inspection (DAI) are enabled.
Configuring Dynamic ARP Inspection
Dynamic ARP Inspection is disabled by default and the trust setting of ports is untrusted by default.
You must first configure static ARP or ARP inspection entry for hosts configured with a static IP address. Otherwise, when DAI checks ARP packets
from these hosts against entries in the ARP table, it will not find any entries for them, and the RUCKUS device will not allow or learn ARP from an
untrusted host.
Complete the following steps to configure DAI.
1. Enter global configuration mode.
device# configure terminal
2. (Optional) Configure an ARP inspection entry only if there are hosts configured with a static IP address.
device(config)# arp 10.20.20.12 0000.0002.0003 inspection
This command defines an ARP inspection entry in the static ARP table and maps the device IP address 10.20.20.12 with its MAC address,
0000.0002.0003. The ARP entry will be moved to the ARP table once the DAI receives a valid ARP packet with the matching IP and MAC
addresses on a device port. Until then, the ARP entry will remain in Pend (pending) status.
NOTE
Dynamic ARP Inspection must be enabled to use static ARP inspection entries.
3. Enable Dynamic ARP Inspection on an existing VLAN.
device(config)# ip arp inspection vlan 2
The command enables DAI on VLAN 2. ARP packets from untrusted ports in VLAN 2 will undergo DAI.
4. Enable trust on any ports that will bypass DAI.
a) To enable trust on a port, enter interface configuration mode.
device(config)# interface ethernet 1/1/4
b) Enable trust on the port.
device(config-if-e10000-1/1/4)# arp inspection trust
These commands set the trust setting of port 1/1/4 to trusted.
5. Enable DHCP snooping to populate the DHCP snooping IP-to-MAC address binding database.
The following example configures a DAI table entry, enables DAI on VLAN 2, and designates port 1/1/4 as trusted.
device# configure terminal
device(config)# arp 10.20.20.12 0000.0002.0003 inspection
device(config)# ip arp inspection vlan 2
device(config)# interface ethernet 1/1/4
device(config-if-e10000-1/1/4)# arp inspection trust
Configuring Dynamic ARP Inspection on Multiple VLANs
Dynamic ARP Inspection (DAI) can be enabled on multiple VLANs using one command. The following task configures multiple VLANs and enables
DAI on most of the configured VLANs using a single command.
Complete the following steps to configure DAI for multiple VLANs.
NOTE
DAI can be configured on a maximum of 511 VLANs.
1. Enter global configuration mode.
device# configure terminal
2. Configure the port-based VLANs.
device(config)# vlan 100 to 150
3. Add port Ethernet 1/1/12 as a tagged port.
device(config-mvlan-100-150)# tagged ethernet 1/1/12
4. Use the exit command to return to global configuration mode.
device(config-mvlan-100-150)# exit
5. Configure more port-based VLANs.
device(config)# vlan 151 to 200
6. Add port Ethernet 1/1/12 as a tagged port.
device(config-mvlan-151-200)# tagged ethernet 1/1/12
7. Use the exit command to return to global configuration mode.
device(config-mvlan-151-200)# exit
8. Use the ip arp inspection command with the to keyword, specifying a VLAN range, to enable DAI on multiple VLANs.
device(config)# ip arp inspection vlan 100 to 150 160 170 to 200
The command enables DAI on VLANs 100 through 150, VLAN 160, and VLANs 170 through 200. ARP packets from untrusted ports in this
VLAN range will undergo DAI.
NOTE
The maximum number of VLANS that can be configured using the to keyword is 1024.
9. Enable trust on any ports that will bypass DAI.
a) To enable trust on a port, enter interface configuration mode.
device(config)# interface ethernet 1/1/12
b) Enable trust on the port.
device(config-if-e10000-1/1/12)# arp inspection trust
10. Enable DHCP snooping to populate the DHCP snooping IP-to-MAC address binding database. Refer to the RUCKUS FastIron DHCP
Configuration Guide for more information.
The following example configures a DAI table entry, configures multiple VLANs, and enables DAI on most of the configured VLANS. Port 1/1/12 is
designated as trusted.
device# configure terminal
device(config)# arp 10.20.20.12 0000.0002.0003 inspection
device(config)# vlan 100 to 150
device(config-mvlan-100-150)# tagged ethernet 1/1/12
device(config-mvlan-100-150)# exit
device(config)# vlan 151 to 200
device(config-mvlan-151-200)# tagged ethernet 1/1/12
device(config-mvlan-151-200)# exit
device(config)# ip arp inspection vlan 100 to 150 160 170 to 200
device(config)# interface ethernet 1/1/12
device(config-if-e10000-1/1/12)# arp inspection trust
Disabling Syslog Messages for DAI
You can disable syslog messages for Dynamic ARP Inspection (DAI). Syslog messages are enabled by default on RUCKUS ICX devices.
Complete the following steps to disable DAI messages.
1. Enter global configuration mode.
device# configure terminal
2. Enter the following command to disable syslog messages.
device(config)# ip arp inspection syslog disable
If you want to re-enable DAI syslog messages, use the no form of the command.
The following example disables DAI syslog messages.
device# configure terminal
device(config)# ip arp inspection syslog disable
The following example re-enables the DAI syslog messages.
device# configure terminal
device(config)# no ip arp inspection syslog disable
Displaying ARP Information
You can use various show commands to view information about ARP.
Use the following commands to view ARP-related information. The commands do not need to be entered in the specified order, and can be used to
view the ARP table as well as ARP inspection status and trusted or untrusted ports.
1. Display the ARP table.
device> show arp
Total number of ARP entries: 2
Entries in default routing instance:
No. IP Address MAC Address Type Age Port Status
1 10.1.1.100 0000.0000.0100 Dynamic 0 1/1/1*2/1/25 Valid
2 10.37.69.129 02e0.5215.cae3 Dynamic 0 mgmt1 Valid
2. Display the ARP inspection entries.
device> show ip arp inspection entries
Total entries : 2
DHCP Snooping Learnt entries: 1
ARP Learnt entries : 1
Static entries : 0
IP Address Mac Address VRF Entry Type
10.177.144.1 02e0.52da.d665 default-vrf arp table entry
1.1.8.197 00c1.0400.0001 default-vrf dhcp snoop entry
Configuring DAI to Support Multi-VRF
DAI supports Multi-VRF. You can deploy multiple Virtual Routing and Forwarding instances (VRFs) on a RUCKUS Ethernet switch. Each VLAN having a
Virtual Ethernet (VE) interface is assigned to a VRF.
You can enable DAI on individual VLANs and assign any interface as the ARP inspection trusted interface. If an interface is a tagged port in this VLAN,
you can turn on the trusted port per VRF, so that traffic intended for other VRF VLANs will not be trusted.
1. Enter global configuration mode using the configure terminal command.
device# configure terminal
2. Configure DAI on a VLAN.
device(config)# ip arp inspection vlan 2
This example configures DAI on VLAN 2.
3. Add a static ARP inspection entry for a specific VRF.
device(config)# vrf one-ipv4
4. Add a static ARP inspection entry for the VRF.
device(config-vrf-one-ipv4)# arp 5.5.5.5 00a2.bbaa.0033 inspection
This example creates a static ARP inspection entry for the VRF named "one-ipv4."
Enabling Trust on a Port for a Specific VRF
The default trust setting for a port is untrusted. Leave the trust settings for ports that are connected to host ports as untrusted.
The VRF must already exist.
1. Enter global configuration mode using the configure terminal command.
device# configure terminal
2. Enter interface configuration mode.
device(config)# interface ethernet 1/1/4
3. Enable trust for the specific VRF.
device(config-if-e10000-1/1/4)# arp inspection trust vrf vrf2
This example configures the VRF named "vrf2" as a trusted VRF on port 1/1/4.
DHCP Snooping
DHCP snooping enables the RUCKUS device to filter untrusted DHCP packets in a subnet. DHCP snooping can ward off man-in-the-middle (MIM)
attacks, such as a rogue DHCP server sending false DHCP server reply packets with the intention of misdirecting other users. DHCP snooping can
also stop unauthorized DHCP servers and prevent errors stemming from user misconfiguration of DHCP servers.
DHCP snooping is often used with Dynamic ARP Inspection (DAI) and IP Source Guard (IPSG).
How DHCP Snooping Works
When enabled on a VLAN, DHCP snooping stands between untrusted ports (those connected to host ports) and trusted ports (those connected to
DHCP servers). A VLAN with DHCP snooping enabled forwards DHCP request packets from clients and discards DHCP server reply packets on
untrusted ports. DHCP server reply packets on trusted ports to DHCP clients are forwarded, as shown in the following figures.
FIGURE 10 DHCP Snooping at Work on an Untrusted Port
FIGURE 11 DHCP Snooping at Work on a Trusted Port
NOTE
Trusted client ports can lead to DHCP starvation and spoofing attacks. When DHCP snooping is enabled, DHCP request packets received
on trusted ports are dropped.
DHCP Snooping Deployment over a LAG
The following figure shows DHCP snooping deployment over a LAG. The LAG is between an access switch and a distribution switch.
FIGURE 12 DHCP Snooping Deployment over a LAG
DHCP Binding Database
DHCP server reply packets are forwarded to DHCP clients on trusted ports. The DHCP server reply packets collect client IP-to-MAC address binding
information, which is saved in the DHCP binding database. This information includes MAC addresses, IP addresses, lease time, VLAN numbers, and
port numbers.
Beginning with FastIron 8.0.30b, the DHCP binding database in the RUCKUS device is decoupled from the ARP database. For more information, refer
to ARP and DHCP Snoop Entries on page 72.
The lease time is refreshed when the client renews or rebinds its IP address with the DHCP server; otherwise, the RUCKUS device removes the entry
when the lease time expires.
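The following added example (a simplified model written for this page, not RUCKUS code) replays a DHCP exchange through the forwarding rules and binding database behavior described above: server replies are accepted only on trusted ports, client requests only on untrusted ports, an ACK on a trusted port creates or refreshes the binding, and the entry is removed when the lease expires. VLAN 2 and client ports 1/1/3 and 1/1/4 follow the guide's example; the server-facing port 1/1/24, the addresses, and the timeline are constructed.

```python
CLIENT_MSGS = {"DISCOVER", "REQUEST"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


class SnoopingSwitch:
    def __init__(self, snoop_vlans, trusted_ports):
        self.vlans = set(snoop_vlans)
        self.trusted = set(trusted_ports)
        self.seen_on = {}    # (vlan, client MAC) -> port of the last client packet
        self.bindings = {}   # (vlan, client MAC) -> {"ip", "port", "expires"}

    def expire(self, now):
        """Remove bindings whose lease has run out without a renewal."""
        for key in [k for k, b in self.bindings.items() if b["expires"] <= now]:
            del self.bindings[key]

    def handle(self, now, vlan, port, msg, mac, ip=None, lease=None):
        if msg not in CLIENT_MSGS | SERVER_MSGS:
            raise ValueError(f"unknown DHCP message type: {msg}")
        self.expire(now)
        if vlan not in self.vlans:
            return "forward"                   # snooping not enabled on this VLAN
        trusted = port in self.trusted
        if msg in CLIENT_MSGS:
            if trusted:
                return "drop"                  # client requests are not accepted on trusted ports
            self.seen_on[(vlan, mac)] = port   # remember where the client lives
            return "forward"
        if not trusted:
            return "drop"                      # server reply on a host-facing port
        if msg == "ACK" and ip is not None and lease is not None:
            # One entry per client MAC and VLAN: a renewal or a port move
            # replaces the old entry and restarts the lease timer.
            self.bindings[(vlan, mac)] = {
                "ip": ip,
                "port": self.seen_on.get((vlan, mac)),
                "expires": now + lease,
            }
        return "forward"


CLIENT = "0000.0002.0050"   # constructed client MAC
OTHER = "0000.0002.0051"    # constructed second client MAC

# Constructed timeline: (time in seconds, vlan, ingress port, message, client MAC, ip, lease)
EVENTS = [
    (0, 2, "1/1/3", "DISCOVER", CLIENT, None, None),
    (1, 2, "1/1/4", "OFFER", CLIENT, "10.20.20.99", 3600),   # reply from a host port
    (1, 2, "1/1/24", "OFFER", CLIENT, "10.20.20.50", 3600),
    (2, 2, "1/1/3", "REQUEST", CLIENT, None, None),
    (3, 2, "1/1/24", "ACK", CLIENT, "10.20.20.50", 3600),    # binding learned
    (4, 2, "1/1/4", "ACK", CLIENT, "10.20.20.99", 3600),     # ignored, binding unchanged
    (5, 2, "1/1/24", "DISCOVER", OTHER, None, None),         # client packet on trusted port
    (1800, 2, "1/1/4", "REQUEST", CLIENT, None, None),       # client moved to 1/1/4, renews
    (1801, 2, "1/1/24", "ACK", CLIENT, "10.20.20.50", 3600), # lease refreshed, port updated
]


def replay(switch, events):
    return [switch.handle(*event) for event in events]


if __name__ == "__main__":
    sw = SnoopingSwitch(snoop_vlans={2}, trusted_ports={"1/1/24"})
    for event, verdict in zip(EVENTS, replay(sw, EVENTS)):
        print(f"t={event[0]:<5} {event[3]:9} on {event[2]:7} -> {verdict}")
    print(sw.bindings)
```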
Client IP-to-MAC address mappings
Client IP addresses need not be on directly connected networks, as long as the client MAC address is learned on the client port and the client port is
on the same VLAN as the DHCP server port. In this case, the system learns the client IP-to-MAC port mapping. Therefore, a VLAN with DHCP
snooping enabled does not require a VE interface.
In earlier releases, in the Layer 3 software image, DHCP snooping did not learn the secure IP-to-MAC address mapping for a client, if the client port
was not a Virtual Ethernet (VE) interface with an IP subnet address. In other words, the client IP address had to match one of the subnets of the
client port in order for DHCP to learn the address mapping.
System Reboot and the Binding Database
To allow DHCP snooping, and all dependent features such as IP Source Guard (IPSG) and Dynamic ARP Inspection (DAI), to work smoothly across a
system reboot, the binding database is saved to a file system inline without any delay.
Configuration Notes and Feature Limitations for DHCP Snooping
The following notes, limitations, and restrictions apply to DHCP snooping:
• DHCP snooping is supported on LAG ports. If a LAG port is removed or undeployed, DHCP snooping entries for that LAG are deleted.
• DHCP snooping is supported on Multi-Chassis Trunking (MCT) clients. DHCP snooping is not supported on the MCT peer for the MCT VLAN.
• If IP Source Guard (IPSG) is configured, the recommended maximum number of DHCP snooping entries for a stack is 8192. Although the maximum number of DHCP snooping entries for a stack can exceed 8192, system performance may go down once this number is exceeded. Refer to Configuration Notes and Feature Limitations for IP Source Guard on page 92 for more information on the recommended number of entries for RUCKUS ICX devices.
• DHCP snooping is not supported along with DHCP auto-configuration.
• When a client moves from one port to another port in the same VLAN, the old snoop entry for the client MAC address is automatically updated. This occurs even when the client acquires a new IP address. In previous releases, two snoop entries were maintained with both the old IP address and the new IP address.
• Duplicate IP entries across VLANs are allowed in the DHCP snooping table. When a client moves from one VLAN to another and acquires the same address, two snooping entries are maintained for the same MAC address and IP address.
• Layer 2 MAC movement is supported.
• ACLs are supported on member ports of a VLAN on which DHCP snooping and Dynamic ARP Inspection (DAI) are enabled. Refer to Client IP-to-MAC address mappings on page 78 for more information. In previous releases, these were mutually exclusive.
• DHCP snooping supports DHCP relay agent information (DHCP option 82). Refer to DHCP Relay Agent Information and Option 82 Insertion on page 83 for more information.
• For default VLAN ID changes, DHCP snooping must be re-applied on the new default VLAN. DHCP snooping is not automatically configured on the new default VLAN. Therefore, when DHCP Snooping is configured for the default VLAN (for example, VLAN 1), if the default VLAN is changed from VLAN 1 to VLAN 4000, the DHCP Snooping configurations remain configured on the old default VLAN 1. The DHCP Snooping configurations are not automatically configured on the new default VLAN 4000. In previous releases, DHCP Snooping configurations were automatically removed from the old default VLAN and automatically moved to the new default VLAN.
• DHCP snooping cannot be enabled for a VLAN that is a member of a VLAN group.
• DHCP snooping doesn't depend on MAC learning and MAC collisions. However, the total number of client(s) or host(s) in a system is limited by the system MAX limits for Layer 2 MAC Addresses.
• DHCP snooping entries learnt on a member port of a VLAN are deleted except for flexible authentication enabled ports, if the port is removed from the membership of that VLAN.
• DHCP Snooping can be configured for a VLAN or VLANS even before the VLAN or VLANS are created. VLANs and DHCP Snooping configurations on the VLANS are not automatically deleted when the VLAN is deleted.
• When DHCP Snooping is enabled, client and server packets are not allowed on same port.
• DHCP snooping can be configured on a maximum of 511 VLANs.
• When configuring DHCP snooping on a range of VLANs or multi-VLAN, there cannot be any VLAN in the range that is a member of a VLAN group or any reserved VLAN. Otherwise, configuration will be rejected for the entire range.
Configuring DHCP Snooping
DHCP snooping can be enabled on VLANs, after which the trust setting of ports connected to a DHCP server must be changed to trusted. DHCP
packets for a VLAN with DHCP snooping enabled are inspected.
NOTE
DHCP snooping is disabled by default. When enabled, the trust setting of ports is "untrusted" by default. DHCP snooping must be enabled
on the client and the DHCP server VLANs.
NOTE
DHCP Snooping can be configured for a VLAN or VLANS even before the VLAN or VLANS are created. VLANs and DHCP Snooping
configurations on the VLANS are not automatically deleted when the VLAN is deleted.
1. Enter global configuration mode by using the configure terminal command.
device# configure terminal
2. Enable DHCP snooping on a VLAN.
device(config)# ip dhcp snooping vlan 2
3. Change the trust setting of the ports that are connected to the DHCP server to trusted at the interface configuration level.
device(config-if-e10000-1/1/1)# dhcp snooping trust
4. If required, disable the learning of DHCP clients on ports at the interface configuration level. Disabling the learning of DHCP clients can be
configured on a range of ports as well.
device(config-if-e10000-1/1/1)# dhcp snooping client-learning disable
5. Clear the DHCP binding database. You can remove all entries in the database or for a specific IP address only.
The first command removes all entries from the DHCP binding database and the second removes entries for a specific IP address.
device# clear dhcp
device# clear dhcp 10.10.102.4
The following example configures VLAN 2 and VLAN 20, and enables DHCP snooping on the two VLANs.
device(config)# vlan 2
device(config-vlan-2)# untagged ethernet 1/1/3 to 1/1/4
device(config-vlan-2)# router-interface ve 2
device(config-vlan-2)# exit
device(config)# ip dhcp snooping vlan 2
device(config)# vlan 20
device(config-vlan-20)# untagged ethernet 1/1/1 to 1/1/2
device(config-vlan-20)# router-interface ve 20
device(config-vlan-20)# exit
device(config)# ip dhcp snooping vlan 20
On VLAN 2, client ports 1/1/3 and 1/1/4 are untrusted. By default all client ports are untrusted. Therefore, only DHCP client request packets
received on ports 1/1/3 and 1/1/4 are forwarded. On VLAN 20, ports 1/1/1 and 1/1/2 are connected to a DHCP server. DHCP server ports are set to
trusted.
device(config)# interface ethernet 1/1/1
device(config-if-e10000-1/1/1)# dhcp snooping trust
device(config-if-e10000-1/1/1)# exit
device(config)# interface ethernet 1/1/2
device(config-if-e10000-1/1/2)# dhcp snooping trust
device(config-if-e10000-1/1/2)# exit
Thus, DHCP server reply packets received on ports 1/1/1 and 1/1/2 are forwarded, and client IP address and MAC address binding information is
collected. The example also sets the DHCP server address for the local relay agent.
device(config)# interface ve 2
device(config-vif-2)# ip address 10.20.20.1/24
device(config-vif-2)# ip helper-address 1 10.30.30.4
device(config-vif-2)# interface ve 20
device(config-vif-20)# ip address 10.30.30.1/24
Configuring DHCP Snooping on Multiple VLANs
DHCP snooping can be enabled on multiple VLANs using one command. The following task configures multiple VLANs and enables DHCP snooping
on most of the configured VLANs using a single command.
NOTE
DHCP snooping can be configured on a maximum number of 511 VLANs at one time.
NOTE
DHCP Snooping can be configured for a VLAN or VLANS even before the VLAN or VLANS are created. VLANs and DHCP Snooping
configurations on the VLANS are not automatically deleted when the VLAN is deleted.
NOTE
When configuring DHCP snooping on a range of VLANs or multi-VLAN, there cannot be any VLAN in the range that is a member of a
VLAN group or any reserved VLAN. Otherwise, configurations fail on the entire range.
1. Enter global configuration mode.
device# configure terminal
2. Configure the port-based VLANs.
device(config)# vlan 100 to 150
3. Add port Ethernet 1/1/12 as a tagged port.
device(config-mvlan-100-150)# tagged ethernet 1/1/12
4. Use the exit command to return to global configuration mode.
device(config-mvlan-100-150)# exit
5. Configure more port-based VLANs.
device(config)# vlan 151 to 200
6. Add port Ethernet 1/1/12 as a tagged port.
device(config-mvlan-151-200)# tagged ethernet 1/1/12
7. Use the exit command to return to global configuration mode.
device(config-mvlan-151-200)# exit
8. Use the ip dhcp snooping command with the to keyword, specifying a VLAN range, to enable DHCP snooping on multiple VLANs.
device(config)# ip dhcp snooping vlan 100 to 150 160 170 to 200
9. Change the trust setting of the ports that are connected to the DHCP server to trusted at the interface configuration level.
a) To enable trust on a port, enter interface configuration mode.
device(config)# interface ethernet 1/1/12
b) Enable trust on the port.
device(config-if-e10000-1/1/12)# dhcp snooping trust
The following example configures VLANs 100 through 200, and enables DHCP snooping on VLANs 100 through 150, VLAN 160, and VLANs 170
through 200.
device# configure terminal
device(config)# vlan 100 to 150
device(config-mvlan-100-150)# tagged ethernet 1/1/12
device(config-mvlan-100-150)# exit
device(config)# vlan 151 to 200
device(config-mvlan-151-200)# tagged ethernet 1/1/12
device(config-mvlan-151-200)# exit
device(config)# ip dhcp snooping vlan 100 to 150 160 170 to 200
device(config)# interface ethernet 1/1/12
device(config-if-e10000-1/1/12)# dhcp snooping trust
Displaying DHCPv4 Snooping Information
You can use various show commands to view information about DHCPv4 snooping.
Use one of the following commands to view DHCPv4 snooping information. The commands do not need to be entered in the specified order.
1. Display the DHCP snooping learned entries.
device> show ip dhcp snooping info
Dhcp snooping Info
Total Learnt Entries 1
Learnt DHCP Snoop Entries
IP Address Mac Address Port/Lag Vlan lease VRF
1.1.0.4 00c7.0400.0001 1/2/4 1 3597 default-vrf
2. Display the DHCP snooping status for a VLAN and the trusted and untrusted ports in the VLAN.
device> show ip dhcp snooping vlan 2
IP DHCP snooping VLAN 2: Enabled
3. Display the DHCP snooping binding database.
device> show ip dhcp snooping
IP DHCP snooping enabled on 24 VLAN(s):
VLAN(s): 1001 to 1024
Configuring DHCPv4 Snooping for Multi-VRF
DHCP supports Multi-VRF. You can deploy multiple Virtual Routing and Forwarding instances (VRFs) on a RUCKUS Ethernet switch. Each VLAN with a
Virtual Ethernet (VE) interface is assigned to a VRF.
You can enable DHCP snooping on individual VLANs and assign any interface as the DHCP trust interface. If an interface is a tagged port in this VLAN,
you can turn on the trust port per VRF, so that traffic intended for other VRF VLANs is not trusted.
1. Enter global configuration mode using the configure terminal command.
device# configure terminal
2. Configure DHCP snooping on a specific VLAN.
device(config)# ip dhcp snooping vlan 2
3. Set the port as a trusted port. The trust port setting for DHCP snooping can be specified per VRF.
device(config)# interface ethernet 1/1/4
device(config-if-e10000-1/1/4)# dhcp snooping trust vrf vrf2
The default trust setting for a port is untrusted. For ports that are connected to host ports, leave their trust settings as untrusted.
4. Configure the IP helper address on the client port if the client and server are in the same VLAN and the client and server ports are Layer 3
interfaces with IP addresses.
device(config)# interface ve 2
device(config-vif-2)# ip helper-address 1 10.1.1.2
If the client and server are in different VLANs, configure the server port as the trust port.
5. Clear any entry specific to a VRF instance, as required.
device(config)# clear dhcp 10.3.3.5 vrf one
DHCP Relay Agent Information and Option 82 Insertion
DHCP relay agent information, also known as DHCP option 82, enables a DHCP relay agent to insert information about a client's identity into a DHCP
client request being sent to a DHCP server. This option can be used to assist DHCP servers to implement dynamic address policy.
The RUCKUS device inserts DHCP option 82 when relaying DHCP request packets to DHCP servers. When DHCP server reply packets are forwarded
back to DHCP clients, and sub-option 2 as Remote ID (RID) matches the local port MAC address, then DHCP option 82 is deleted. The VLAN and
port information is used to forward the DHCP reply.
DHCP packets use the following process:
Before relaying a DHCP discovery packet or DHCP request packet from a client to a DHCP server, the ICX switch adds agent information to
the packet.
Before relaying a DHCP reply packet from a DHCP server to a client, the ICX switch removes relay agent information from the packet.
The DHCP relay agent (the FastIron switch) inserts DHCP option 82 attributes when relaying a DHCP request packet to a DHCP server.
FIGURE 13 DHCP Option 82 Attributes Added to the DHCP Packet
The ICX switch deletes DHCP option 82 attributes before forwarding a server reply packet back to a DHCP client.
FIGURE 14 DHCP Option 82 Attributes Removed from the DHCP Packet
DHCP option 82 insertion or deletion is available only when DHCP snooping is enabled on both client and server ports.
Configuration Notes for DHCP Option 82
DHCP snooping and DHCP option 82 are supported on a per-VLAN basis.
DHCP option 82 follows the same configuration rules and limitations described for DHCP snooping. For more information, refer to
Configuration Notes and Feature Limitations for DHCP Snooping on page 79.
Option-82 can be disabled or re-enabled on multiple VLANs or a range of VLANs using a single command, ip dhcp snooping relay
information disable.
DHCP Option 82 Sub-options
The RUCKUS implementation of DHCP option 82 supports the following sub-options:
Sub-option 1: Circuit ID
Sub-option 2: Remote ID
Sub-option 6: Subscriber ID
Sub-option 1: Circuit ID
The Circuit ID (CID) identifies the circuit or port from which a DHCP client request was sent. The ICX switch uses this information to relay DHCP
responses back to the proper circuit; for example, the port number on which the DHCP client request packet was received.
RUCKUS ICX devices support the general CID packet format. This simple format encodes the CID type, actual information length, VLAN ID, slot
number, and port number. This format is compatible with the format used by other vendors’ devices. The following figure illustrates the general CID
packet format.
FIGURE 15 General CID Packet Format
Sub-option 2: Remote ID
The Remote ID (RID) identifies the remote host end of the circuit (the relay agent). RUCKUS devices use the MAC address to identify itself as the
relay agent. The following figure illustrates the RID packet format.
FIGURE 16 RID Packet Format
Sub-option 6: Subscriber ID
The Subscriber ID (SID) is a unique identification number that enables an Internet Service Provider (ISP) to perform the following actions:
Identify a subscriber
Assign specific attributes to that subscriber (for example, host IP address, subnet mask, and domain name server).
Trigger accounting
The following figure illustrates the SID packet format.
FIGURE 17 SID Packet Format
The second byte (N in the figure) is the length of the ASCII string that follows. The ICX switch supports up to 50 ASCII characters.
DHCP Option 82 Configuration
DHCP option 82 is automatically enabled when you enable DHCP snooping on a VLAN. There are no additional configuration steps to enable DHCP
option 82. Refer to Configuring DHCP Snooping on page 80 to enable DHCP snooping.
When processing DHCP packets, the ICX device applies the following default behavior when DHCP option 82 is enabled:
Subjects all ports in the VLAN to DHCP option 82 processing
Uses the general CID packet format
Uses the standard RID packet format
Replaces relay agent information received in DHCP packets with its own information
Does not enable SID processing
When DHCP option 82 is enabled, you can optionally:
Disable DHCP option 82 processing on individual ports in the VLAN, on all ports of the VLAN, or globally on all VLANs.
Configure the device to drop the DHCP packet with existing relay agent Information, or keep the relay agent information in a DHCP packet
instead of replacing it with its own Information.
Configure Subscriber ID (SID), Circuit ID (CID) or Remote ID (RID) processing.
The following table details the supported configuration and expected functionality for DHCP option 82.
TABLE 7 DHCP Option 82 Supported Configuration
Configuration                                          Port-Config  VLAN-Config  Global-Config  Functionality
Default.                                               Enable       Enable       Enable         Option 82 enabled
Disabled globally.                                     Disable      Disable      Disable        Option 82 disabled
Disabled globally, enabled on port.                    Enable       Enable       Disable        Option 82 enabled
Disabled globally, enabled on port, disabled on VLAN.  Enable       Disable      Disable        Option 82 enabled
Enabled globally, enabled on port, disabled on VLAN.   Enable       Disable      Enable         Option 82 disabled
Enabled globally, disabled on port, disabled on VLAN.  Disable      Disable      Enable         Option 82 disabled
Enabled globally, disabled on port, enabled on VLAN.   Disable      Enable       Enable         Option 82 disabled
Disabled globally, disabled on port, disabled on VLAN. Disable      Disable      Disable        Option 82 disabled
Disabling or Re-enabling DHCP Option 82 Processing on an Interface
By default, when DHCP option 82 is enabled on a VLAN, DHCP packets received on all member ports of the VLAN are subject to DHCP option 82
processing. You can disable or re-enable this processing on one or more member ports of the VLAN.
DHCP option 82 is automatically enabled when you enable DHCP snooping on the VLAN.
1. To disable DHCP option 82, enter global configuration mode by using the configure terminal command.
device# configure terminal
2. Enter interface configuration mode.
device(config)# interface ethernet 1/1/4
3. Disable DHCP option 82 on the interface.
device(config-if-e1000-1/1/4)# no dhcp snooping relay information
4. Re-enable DHCP option 82 as required at the interface configuration level.
device(config-if-e1000-1/1/4)# dhcp snooping relay information
5. You can also re-enable DHCP option 82 after it has been disabled on a range of ports. First, specify the range of ports at the global
configuration level and then enter the dhcp snooping relay information command.
device(config)# interface ethernet 1/1/1 to 1/1/5
device(config-mif-1/1/1-1/1/5)# dhcp snooping relay information
The following example disables DHCP option 82.
device# configure terminal
device(config)# interface ethernet 1/1/4
device(config-if-e1000-1/1/4)# no dhcp snooping relay information
The following example re-enables DHCP option 82 at the interface configuration level.
device# configure terminal
device(config)# interface ethernet 1/1/4
device(config-if-e1000-1/1/4)# dhcp snooping relay information
The following example re-enables DHCP option 82 on a range of ports.
device(config)# interface ethernet 1/1/1 to 1/1/5
device(config-mif-1/1/1-1/1/5)# dhcp snooping relay information
Disabling DHCP Option 82 Globally and Re-enabling It for an Interface
By default, when DHCP option 82 is enabled on a VLAN, DHCP packets received on all member ports of the VLAN are subject to DHCP option 82
processing. You can disable or re-enable this processing globally for all VLANs. The following task disables DHCP option 82 globally for all VLANs so
that it is not enabled when DHCP snooping is configured for VLAN 100. It then re-enables DHCP option 82 for a specified Ethernet interface.
DHCP option 82 is automatically enabled when you enable DHCP snooping on the VLAN.
1. Enter global configuration mode.
device# configure terminal
2. Use the ip dhcp snooping relay information disable command to disable DHCP option 82 globally for all ports and VLANs.
device(config)# ip dhcp snooping relay information disable
3. Use the ip dhcp snooping command and specify a VLAN to configure DHCP snooping for the VLAN.
device(config)# ip dhcp snooping vlan 100
DHCP option 82 is not enabled when DHCP snooping is configured for VLAN 100.
4. Enter interface configuration mode.
device(config)# interface ethernet 1/1/1
5. Re-enable DHCP option 82 as required at the interface configuration level.
device(config-if-e1000-1/1/1)# dhcp snooping relay information
The following example disables DHCP option 82 globally for all ports and VLANs so that it is not enabled when DHCP snooping is configured for
VLAN 100.
device# configure terminal
device(config)# ip dhcp snooping relay information disable
device(config)# ip dhcp snooping vlan 100
The following example disables DHCP option 82 globally for all ports and VLANs, and re-enables it for interface Ethernet 1/1/1.
device# configure terminal
device(config)# ip dhcp snooping relay information disable
device(config)# ip dhcp snooping vlan 100
device(config)# interface ethernet 1/1/1
device(config-if-e1000-1/1/1)# dhcp snooping relay information
The following example disables DHCP option 82 for VLAN 100 after it was automatically enabled when DHCP snooping was configured for VLANs
100, 200, and 300.
device# configure terminal
device(config)# ip dhcp snooping vlan 100 to vlan 300
device(config)# ip dhcp snooping relay information disable vlan 100
Disabling or Re-enabling DHCP Option 82 Processing on all VLAN Member Ports
You can disable or re-enable DHCP option 82 processing globally, and disable and re-enable as necessary on specified VLANs. The following task
disables DHCP option 82 globally. IP DHCP snooping is then enabled for VLANs 100, 200, and 300, but DHCP option 82 is not automatically enabled
because it has been disabled globally. DHCP option 82 is then re-enabled on all ports for VLAN 100.
1. Enter global configuration mode.
device# configure terminal
2. Use the ip dhcp snooping relay information disable command to disable DHCP option 82 globally for all VLANs.
device(config)# ip dhcp snooping relay information disable
3. Use the ip dhcp snooping command, specifying VLANs as required, to configure DHCP snooping for the specified VLANs.
device(config)# ip dhcp snooping vlan 100 to 300
4. Enable DHCP option 82 on all ports for VLAN 100.
device(config)# no ip dhcp snooping relay information disable vlan 100
The following example disables DHCP option 82 globally and enables IP DHCP snooping for VLANs 100 through 300. DHCP option 82 is then disabled
on all ports for VLAN 100.
device# configure terminal
device(config)# ip dhcp snooping relay information disable
device(config)# ip dhcp snooping vlan 100 to 300
device(config)# no ip dhcp snooping relay information disable vlan 100
The following example automatically enables DHCP option 82 for VLANs 100, 200, and 300. It then disables DHCP option 82 globally for all ports on
VLAN 100.
device# configure terminal
device(config)# ip dhcp snooping vlan 100 to 300
device(config)# ip dhcp snooping relay information disable vlan 100
The following example disables DHCP option 82 globally for all VLANs and ports.
device# configure terminal
device(config)# ip dhcp snooping vlan 100 to 300
device(config)# ip dhcp snooping relay information disable
Warning - DHCP snooping relay information will be disabled on all port(s) & VLAN(s). You can enable it on
individual ports/VLAN(s)
device(config)#
The following example disables DHCP option 82 globally for all ports and VLANs and re-enables it for VLAN 100.
device# configure terminal
device(config)# ip dhcp snooping vlan 100 to 500
device(config)# ip dhcp snooping relay information disable
Warning - DHCP snooping relay information will be disabled on all port(s) & VLAN(s). You can enable it on
individual ports/VLAN(s)
device(config)# no ip dhcp snooping relay information disable vlan 100
The following example enables DHCP option 82 for a specified range of VLANs.
device# configure terminal
device(config)# ip dhcp snooping relay information disable vlan 11 to 15
Changing the DHCP Relay Agent Forwarding Policy
When the device receives a message containing relay agent information, by default the device replaces the information with its own relay agent
information. This behavior can be changed if required.
You can configure the device to keep the information instead of replacing it, or to drop (discard) messages that contain relay agent information.
1. Enter global configuration mode by using the configure terminal command.
device# configure terminal
2. Configure the device to keep the relay agent information contained in a DHCP message.
device(config)# ip dhcp relay information policy keep
3. Alternately, configure the device to drop the DHCP packet with existing relay agent Information.
device(config)# ip dhcp relay information policy drop
4. Configure the device back to the default behavior if required.
device(config)# ip dhcp relay information policy replace
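The sub-option encoding and the replace, keep, and drop policies described above can be traced in a short script. This is an added example, not RUCKUS code: it uses the generic RFC 3046 code/length/value encoding, treats the Circuit ID and Remote ID as opaque bytes (the vendor byte layouts in Figures 15 and 16 are not reproduced here), and all function names and sample values are constructed for illustration.

```python
from __future__ import annotations

OPT_PAD, OPT_RELAY_INFO, OPT_END = 0, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID, SUB_SUBSCRIBER_ID = 1, 2, 6
MAX_SID_LEN = 50  # ASCII characters, the limit stated in the guide
POLICIES = ("replace", "keep", "drop")


def parse_tlvs(data: bytes, options_field: bool = False) -> list[tuple[int, bytes]]:
    """Split code/length/value triples and reject truncated input.

    With options_field=True the single-byte PAD (0) and END (255) options of
    the DHCP options field are honoured; option 82 sub-options have neither.
    """
    items, i = [], 0
    while i < len(data):
        code = data[i]
        if options_field and code == OPT_PAD:
            i += 1
            continue
        if options_field and code == OPT_END:
            break
        if i + 2 > len(data):
            raise ValueError(f"code {code} at offset {i} has no length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"code {code} claims {length} bytes, {len(value)} left")
        items.append((code, value))
        i += 2 + length
    return items


def tlv(code: int, value: bytes) -> bytes:
    """Encode one code/length/value triple (length is a single byte)."""
    if len(value) > 255:
        raise ValueError(f"value for code {code} exceeds 255 bytes")
    return bytes([code, len(value)]) + value


def build_option82(circuit_id: bytes, remote_id: bytes,
                   subscriber_id: str | None = None) -> bytes:
    """Build option 82 with sub-options 1 and 2, plus 6 when an SID is set."""
    body = tlv(SUB_CIRCUIT_ID, circuit_id) + tlv(SUB_REMOTE_ID, remote_id)
    if subscriber_id is not None:
        sid = subscriber_id.encode("ascii")  # non-ASCII raises a ValueError subclass
        if not 0 < len(sid) <= MAX_SID_LEN:
            raise ValueError(f"Subscriber ID must be 1..{MAX_SID_LEN} ASCII characters")
        body += tlv(SUB_SUBSCRIBER_ID, sid)
    return tlv(OPT_RELAY_INFO, body)


def relay_request(options: bytes, own_option82: bytes,
                  policy: str = "replace") -> bytes | None:
    """Return the options field to forward to the server, or None to drop."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    parsed = parse_tlvs(options, options_field=True)
    has_upstream = any(code == OPT_RELAY_INFO for code, _ in parsed)
    if has_upstream and policy == "drop":
        return None        # message already carries relay agent information
    if has_upstream and policy == "keep":
        return options     # forward the upstream relay's option 82 untouched
    kept = b"".join(tlv(c, v) for c, v in parsed if c != OPT_RELAY_INFO)
    return kept + own_option82 + bytes([OPT_END])


def describe(option82_value: bytes) -> dict[str, str]:
    """Name the sub-options inside an option 82 value for logging or triage."""
    names = {1: "circuit_id", 2: "remote_id", 6: "subscriber_id"}
    out = {}
    for code, value in parse_tlvs(option82_value):
        text = value.decode("ascii") if code == SUB_SUBSCRIBER_ID else value.hex()
        out[names.get(code, f"sub_{code}")] = text
    return out


# Constructed sample values; the CID bytes are opaque, not the vendor layout.
SAMPLE_CID = bytes.fromhex("000400640104")
SAMPLE_RID = bytes.fromhex("00c704000001")

if __name__ == "__main__":
    own = build_option82(SAMPLE_CID, SAMPLE_RID, "Brcd01")
    discover = bytes([53, 1, 1, OPT_END])  # message type option only
    forwarded = relay_request(discover, own)
    print(describe(parse_tlvs(forwarded, options_field=True)[-1][1]))
```

With the default replace policy, a server that keys address policy on option 82 only ever sees the values of the last snooping switch in the path; keep preserves whatever an upstream device, or a client on an untrusted port, put there.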
Configuring DHCP Snooping Relay Information Sub-options
You can configure DHCP relay agent sub-options such as the Subscriber ID (SID), Circuit ID (CID) or Remote ID (RID) options.
1. Enter global configuration mode.
device# configure terminal
2. Enable DHCP snooping and DHCP option 82 on a VLAN.
device(config)# ip dhcp snooping vlan 1
3. Enter interface configuration mode for port 1/1/4.
device(config)# interface ethernet 1/1/4
4. Enable interface 1/1/4 to insert the SID, CID, or RID information in the DHCP packets.
device(config-if-e1000-1/1/4)# dhcp snooping relay information subscriber-id Brcd01
In the example, the SID is Brcd01.
The following example enables interface 1/1/4 to insert the CID information in the DHCP packets.
device(config-if-e1000-1/1/4)# dhcp snooping relay information circuit-id circuit01
The following example enables interface 1/1/4 to insert the RID information in the DHCP packets.
device(config-if-e1000-1/1/4)# dhcp snooping relay information remote-id remote01
Displaying DHCP Option 82 Information
You can use various show commands to view information about DHCP option 82 processing.
Use one of the following commands to view DHCP option 82 processing. The commands do not need to be entered in the specified order.
1. Enter the show ip dhcp relay information command to display information about the Circuit ID, Remote ID, and forwarding policy for
DHCP Option 82.
device(config)# show ip dhcp relay information
Relay Agent Information: format: Circuit-ID: vlan-port
Remote-ID : stack mac
Policy : replace
2. Enter the show ip dhcp snooping vlan command to display information about the trusted ports, untrusted ports, and ports on which
DHCP option 82 is disabled.
device# show ip dhcp snooping vlan 1
IP DHCP snooping VLAN 1: Enabled
Trusted Ports : ethe 3
Untrusted Ports : ethe 1 to 2 ethe 4 to 24
Relay Info. disabled Ports: ethe 10
3. Enter the show interfaces ethernet command.
device# show interfaces ethernet 1/1/1
GigabitEthernet1/1/1 is up, line protocol is up
Port up for 40 minutes 10 seconds
Hardware is GigabitEthernet, address is 0000.0000.0002 (bia 0000.0000.0002)
Configured speed auto, actual 1Gbit, configured duplex fdx, actual fdx
Configured mdi mode AUTO, actual MDI
Member of L2 VLAN ID 1, port is untagged, port state is FORWARDING
BPDU guard is Disabled, ROOT protect is Disabled
Link Error Dampening is Disabled
STP configured to ON, priority is level0
Flow Control is config enabled, oper enabled, negotiation disabled
mirror disabled, monitor disabled
Not member of any active trunks
Not member of any configured trunks
No port name
IPG MII 96 bits-time, IPG GMII 96 bits-time
IP MTU 1500 bytes
300 second input rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
300 second output rate: 264 bits/sec, 0 packets/sec, 0.00% utilization
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 multicasts, 0 unicasts
0 input errors, 0 CRC, 0 frame, 0 ignored
0 runts, 0 giants
0 packets output, 0 bytes, 0 underruns
Transmitted 0 broadcasts, 0 multicasts, 0 unicasts
0 output errors, 0 collisions
Relay Agent Information option: Enabled, Subscriber-ID: Ruckus001
The output shows that DHCP option 82 is enabled on the device and the configured Subscriber ID is Ruckus001.
NOTE
The port up or down time is required only for physical ports and not for loopback, VE, or tunnel ports.
Configuring the Source IP Address of a DHCP Client Packet on the DHCP Relay Agent
You can enable the DHCP server to know the source subnet or network of a DHCP client packet.
By default, a DHCP relay agent forwards a DHCP client packet with the source IP address set to the IP address of the outgoing interface to the DHCP
server. You can configure ACLs on a DHCP server to provide or block DHCP services to particular subnets or networks. The ip bootp-use-intf-ip
command configures a DHCP relay agent to set the source IP address of a DHCP client packet with the IP address of the incoming interface for the
packet. This reveals the source subnet or network of a DHCP client packet to the DHCP server and enables the DHCP server to process or discard the
DHCP traffic according to the configured ACLs.
Enter the ip bootp-use-intf-ip command in global configuration mode of the DHCP relay agent.
device(config)# ip bootp-use-intf-ip
IP Source Guard
You can use IP Source Guard (IPSG) together with Dynamic ARP Inspection (DAI) on untrusted ports.
The RUCKUS implementation of the IPSG technology supports configuration on a port and specific VLAN memberships on a port.
When IPSG is first enabled, only DHCP packets are allowed, while all other IP traffic is blocked. IP Source Guard allows IP traffic when the system
learns valid IP addresses. The system learns of a valid IP address from DHCP snooping.
When a new IP source entry binding on the port is created or deleted, an access-list with a permit filter for the IP address is added or deleted. By
default, if IPSG is enabled without any IP source binding on the port, an ACL that denies all IP traffic is loaded on the port.
Configuration Notes and Feature Limitations for IP Source Guard
The following configuration notes and feature limitations apply to IP Source Guard (IPSG):
IPSG is supported on LAGs.
If you change the default VLAN ID when IPSG is enabled on a LAG, then IPSG is not inherited. All IPSG configuration is lost for the VLAN if
the default VLAN ID is changed.
IPSG functions across reload.
RUCKUS ICX devices do not support IPSG and dynamic ACLs on the same port.
RUCKUS devices do not support IPSG with ingress IPv4 ACLs for the same port, neither at VLAN-level, port-level, or across different levels.
For ports with IPSG enabled, a special ingress IPv4 ACL viz SGACL has been introduced. Therefore, IPSG and SG ACL can be configured for
the same port.
When IPSG is enabled for a LAG at the VLAN-level or VLAG-interface-level, IPSG entries learned on the LAG ports remain intact if the non-last
member port of lag is removed. However, when the last member port is removed, it causes the LAG to undeploy. In that case, the
IPSG entry is also flushed out.
IPSG is not supported for VLAN groups. If upgrading from FastIron 08.0.92 to FastIron 08.0.95, IPSG is not configured for a VLAN group,
even if this was previously configured.
IPSG is not supported for VE interfaces.
When configuring IPSG on a range of ports, the configuration succeeds on all valid ports.
IPSG and IPv6 ACLs are supported for the same port.
IP Source Guard cannot be enabled on a per-port-per-VLAN basis.
IPSG can be enabled on tagged ports or untagged ports in a VLAN.
IPSG snooping can be configured on a maximum of 511 VLANs.
For router images, IPSG cannot be configured in interface subtype configuration mode for tagged ports of a VLAN.
IPSG and ACLs are supported together on the same device, as long as they are not configured on the same port or VLAN. If IPSG is enabled
for a port, VLAN, or interface level, ACLs cannot be applied to inbound traffic on the port for the VLAN or interface using the ip access-group
command. When IPSG is configured for a port at the VLAN or interface level, an error will occur if you attempt to apply an ACL to
inbound traffic. To bind an IPSG ACL to an interface for incoming traffic, use the ip sg-access-group command. Refer to the ip sg-access-group
command in the RUCKUS FastIron Command Reference for more information.
If IPSG is configured for a specified port for a VLAN, it cannot be configured globally for the VLAN. Beginning with FastIron 08.0.40a, IPSG
can be enabled with Flexible Authentication using the authentication source-guard-protection enable command. Refer to the RUCKUS
FastIron Security Configuration Guide for more information.
For ICX 7750 platforms, it is not possible to bind IPSG ACLs for interfaces or VLANs when IPSG ACLs are created with a TCP or UDP protocol
filter that has the “neq” option on both the source and destination addresses.
Some RUCKUS devices with lesser TCAM (such as the ICX 7150) are limited to 256 IPSG entries. The scaling number of 256 entries per port
in the ICX 7150 and 512 entries per port in the other platforms is not guaranteed and depends on the rules regarding free TCAM. The
amount of free TCAM determines the number of allowed IPSG entries because IPSG is programmed in the TCAM and there are fewer
TCAM rules.
The recommended number of entries for RUCKUS ICX devices is outlined in the following table.
TABLE 8 Recommended Number of Entries for Ruckus ICX Devices
Devices            Recommended Maximum Number of IPSG Entries Per Device
RUCKUS ICX 7150    512
RUCKUS ICX 7250    3072
RUCKUS ICX 7450    2816
RUCKUS ICX 7550    2048
RUCKUS ICX 7650    4096
RUCKUS ICX 7750    2048
RUCKUS ICX 7850    1526
The recommended maximum number of IPSG entries for the stacking system for RUCKUS ICX 7250, ICX 7450, ICX 7750, ICX 7650, ICX
7750, and ICX 7850 devices is 8192.
When IPSG and DHCP snooping are enabled on SPX Virtual (PE) ports and DHCP clients are learned on the port, system performance may
be degraded if more than 256 clients are learned on the same port. This is applicable for all platforms used as PE ports.
You can enable IPSG on a range of ports within a given slot only. Enabling IPSG across multiple slots is not supported.
If you enable IPSG in a network topology that has DHCP clients, you must also enable DHCP snooping. If you do not enable DHCP
snooping, all IP traffic, including DHCP packets, is blocked.
If you enable IPSG in a network topology that does not have DHCP clients, you must create an IP source binding for each client that is
allowed access to the network. Data packets are blocked if you do not create an IP source binding for each client.
IPSG protection enables concurrent support with MAC authentication.
IPSG supports multi-VRF instances.
Rate-limiting based on source IP address cannot be combined with IPSG. Thus, a fixed rate-limit input cannot be configured when IPSG is
enabled on the port.
Enabling IP Source Guard on a Port or Range of Ports
IP Source Guard is disabled by default. You can enable IP Source Guard on DHCP snooping untrusted ports.
1. Enter global configuration mode.
device# configure terminal
2. Enter interface configuration mode.
device(config)# interface ethernet 1/1/1
3. Enable IP Source Guard on the port.
device(config-if-e10000-1/1/1)# source-guard enable
4. To enable IP Source Guard on a range of ports, enter interface configuration mode and specify the range of ports.
device(config-if-e10000-1/1/1)# interface ethernet 1/1/21 to 1/1/25
When enabling IP Source Guard on a range of ports, you can choose only a range of ports within a given slot.
5. Enable IP Source Guard on the range of ports specified in the previous step.
device(config-mif-1/1/21-1/1/25)# source-guard enable
NOTE
If you try to configure IP Source Guard across different modules, the following error message displays.
device(config)# interface ethernet 2/1/10 to 12/1/10
Error - cannot configure multi-ports on different slot
Defining Static IP Source Bindings
You can manually enter valid IP addresses in the binding database.
Note that because static IP source bindings consume system resources, you should avoid unnecessary bindings.
1. Enter global configuration mode.
device# configure terminal
2. Enter the ip source binding command followed by a valid IP address and the interface number. Entering the VLAN number is optional.
device(config)# ip source binding 10.10.10.1 ethernet 1/2/4 vlan 4
If you enter a VLAN number, the binding applies to that VLAN only. If you do not enter a VLAN number, the static binding applies to all
VLANs associated with the port.
Enabling IP Source Guard for a VLAN
You can enable IP Source Guard (IPSG) on a switch or a router for a range of ports in a VLAN or on the entire VLAN.
1. Enter global configuration mode.
device# configure terminal
2. Configure the port-based VLAN.
device(config)# vlan 12
3. Add ports Ethernet 1/1/5 through 1/1/8 as untagged ports.
device(config-vlan-12)# untagged ethernet 1/1/5 to 1/1/8
4. Add ports Ethernet 1/1/23 through Ethernet 1/1/24 as tagged ports.
device(config-vlan-12)# tagged ethernet 1/1/23 to 1/1/24
5. Enable IPSG on the tagged ports.
device(config-vlan-12)# source-guard enable ethernet 1/1/23 to 1/1/24
The following example configures IPSG on a VLAN.
device# configure terminal
device(config)# vlan 12
device(config-vlan-12)# untagged ethernet 1/1/5 to 1/1/8
device(config-vlan-12)# tagged ethernet 1/1/23 to 1/1/24
device(config-vlan-12)# source-guard enable ethernet 1/1/23 to 1/1/24
The following example configures IPSG on a single port on a VLAN.
device# configure terminal
device(config)# vlan 12
device(config-vlan-12)# untagged ethernet 1/1/5 to 1/1/8
device(config-vlan-12)# tagged ethernet 1/1/23 to 1/1/24
device(config-vlan-12)# source-guard enable ethernet 1/1/23
The following example configures IPSG on all ports on a VLAN.
device# configure terminal
device(config)# vlan 12
device(config-vlan-12)# untagged ethernet 1/1/5 to 1/1/8
device(config-vlan-12)# tagged ethernet 1/1/23 to 1/1/24
device(config-vlan-12)# source-guard enable
The following example configures IPSG on a LAG interface on a VLAN.
device# configure terminal
device(config)# vlan 12
device(config-vlan-12)# untagged ethernet 1/1/5 to 1/1/8
device(config-vlan-12)# tagged ethernet 1/1/23 to 1/1/24
device(config-vlan-12)# source-guard enable lag 1
Enabling IP Source Guard for a LAG Port for a VLAN
You can enable IP Source Guard for a LAG port for a VLAN.
1. Enter global configuration mode.
device# configure terminal
2. Configure the port-based VLAN.
device(config)# vlan 12
3. Add port LAG 9 as a tagged port.
device(config-vlan-12)# tagged lag 9
4. Enable Source Guard on the tagged port.
device(config-vlan-12)# source-guard enable lag 9
The following example configures IP Source Guard for a LAG port for a VLAN.
device# configure terminal
device(config)# vlan 12
device(config-vlan-12)# tagged lag 9
device(config-vlan-12)# source-guard enable lag 9
Enabling IP Source Guard on Multiple VLANs
You can enable IP Source Guard (IPSG) on a switch or a router for a range of ports in multiple VLANs or all ports on multiple VLANs. The following
task configures IPSG on a single port on multiple VLANs.
NOTE
IPSG snooping can be configured on a maximum of 511 VLANs.
1. Enter global configuration mode.
device# configure terminal
2. Configure the port-based VLANs.
device(config)# vlan 100 to 150
3. Add port Ethernet 1/1/12 as a tagged port.
device(config-mvlan-100-150)# tagged ethernet 1/1/12
4. Enable IPSG on the tagged port for multiple VLANs.
device(config-mvlan-100-150)# source-guard enable ethernet 1/1/12
The following example configures IPSG on a range of ports on multiple VLANs.
device# configure terminal
device(config)# vlan 100 to 150
device(config-mvlan-100-150)# tagged ethernet 1/1/23 to 1/1/24
device(config-mvlan-100-150)# source-guard enable ethernet 1/1/23 to 1/1/24
The following example congures IPSG on a single port on mulple VLANs.
device# configure terminal
device(config)# vlan 151 to 200
device(config-mvlan-151-200)# tagged ethernet 1/1/23
device(config-mvlan-151-200)# source-guard enable ethernet 1/1/23
The following example congures IPSG on all ports on mulple VLANs.
device# configure terminal
device(config)# vlan 151 to 200
device(config-mvlan-151-200)# tagged ethernet 1/1/23 to 1/1/24
device(config-mvlan-151-200)# source-guard enable
Binding IP Source Guard ACLs to Ports
You can bind IPv4 ACLs meant for IP Source Guard (IPSG) ports (SG ACL) to a port or VLAN. IP Source Guard ACLs can then be configured to allow
TCP traffic and all UDP traffic. The following task binds IPSG ACL sg-acl1 to port 1/1/2.
1. Enter global configuration mode.
device# configure terminal
2. Congure an Ethernet Interface.
device(config)# interface ethernet 1/1/2
3. Enable IPSG on the port.
device(config-if-e1000/1/1/2)# source-guard enable
4. Bind the IPSG ACL to the port.
device(config-if-e1000/1/1/2)# ip sg-access-group sg-acl1 in
The following example binds IPSG ACL sg-acl1 to port 1/1/2.
device# configure terminal
device(config)# interface ethernet 1/1/2
device(config-if-e1000/1/1/2)# source-guard enable
device(config-if-e1000/1/1/2)# ip sg-access-group sg-acl1 in
The following example unbinds the ACL.
device# configure terminal
device(config)# interface ethernet 1/1/2
device(config-if-e1000/1/1/2)# no ip sg-access-group sg-acl1 in
The following example binds an IPSG ACL for a VLAN interface.
device# configure terminal
device(config)# vlan 11
device(config-vlan-11)# source-guard enable
device(config-vlan-11)# ip sg-access-group sg-acl1 in
The following example denes IP Source Guard ACL sg123 to allow all TCP trac and all UDP trac.
device# configure terminal
device(config)# ip sg-access-list sg123
device(config-sg-sg123)# permit tcp any any
device(config-sg-sg123)# permit udp any any
device(config-sg-sg123)# exit
device(config)#
The following example denes IP Source Guard ACL sg456 to allow TCP trac desned for any port number from 100 through 200.
device# configure terminal
device(config)# ip sg-access-list sg456
device(config-sg-sg456)# permit tcp any range 100 200
device(config-sg-sg456)# exit
device(config)#
The following example binds IP Source Guard ACL sg-acl1 to port 1/1/2.
device# configure terminal
device(config)# interface ethernet 1/1/2
device(config-if-e1000/1/1/2)# source-guard enable
device(config-if-e1000/1/1/2)# ip sg-access-group sg-acl1
The following example unbinds the ACL.
device# configure terminal
device(config)# interface ethernet 1/1/2
device(config-if-e1000/1/1/2)# no ip sg-access-group sg-acl1
Displaying Learned IP Addresses
To display the learned IP addresses for IP Source Guard ports, use the show ip source-guard ethernet command.
device# show ip source-guard ethernet 1/1/48
Total IP Source Guard entries on port 1/1/48: 33
No Interface Type Flter-mode IP-address Vlan Static
-- --------- ---- ---------- ---------- ---- -------
1 1/1/48 ip active 15.15.15.127 1 Yes
2 1/1/48 ip active 15.15.15.9 1 No
3 1/1/48 ip active 15.15.15.10 1 No
4 1/1/48 ip active 15.15.15.11 1 No
5 1/1/48 ip active 15.15.15.12 1 No
6 1/1/48 ip active 15.15.15.13 1 No
7 1/1/48 ip active 15.15.15.14 1 No
8 1/1/48 ip active 15.15.15.15 1 No
9 1/1/48 ip active 15.15.15.16 1 No
10 1/1/48 ip active 15.15.15.17 1 No
NOTE
All stac entries in the IP source guard table will be populated as "Yes".
DHCPv6
DHCPv6 overview
DHCP relay agent for IPv6
DHCPv6 Snooping
DHCPv6 Server
DHCPv6 overview
The Dynamic Host Conguraon Protocol for IPv6 (DHCP) enables DHCP servers to pass conguraon parameters such as IPv6 network addresses to
IPv6 nodes.
The DHCPv6 protocol oers the capability of automac allocaon of reusable network addresses and addional conguraon exibility.
On FastIron devices, you can congure DHCPv6 snooping, the DHCPv6 relay agent, DHCPv6 relay include opons, the DHCPv6 Relay Agent Prex
Delegaon Nocaon, and DHCPv6 Servers.
DHCP relay agent for IPv6
A client locates a DHCPv6 server using a reserved, link-scoped multicast address. Direct communication between the client and server requires that
they are attached by the same link. In some situations where ease-of-management, economy, and scalability are concerns, you can allow a DHCPv6
client to send a message to a DHCPv6 server using a DHCPv6 relay agent.
A DHCPv6 relay agent, which may reside on the client link, but is transparent to the client, relays messages between the client and the server.
Multiple DHCPv6 relay agents can exist between the client and server. DHCPv6 relay agents can also receive relay-forward messages from other
relay agents; these messages are forwarded to the DHCPv6 server specified as the destination.
When the relay agent receives a message, it creates a new relay-forward message, inserts the original DHCPv6 message, and sends the
relay-forward message to the DHCPv6 server.
Conguring a DHCPv6 relay agent
You can enable the DHCPv6 relay agent funcon and specify the relay desnaon (the DHCP server) address on an interface.
1. Enter global conguraon mode by issuing the congure terminal command.
device# configure terminal
2. Enter interface conguraon mode.
device(config)# interface ethernet 1/2/3
3. Specify the relay desnaon (the DHCP server) address on the interface.
device(config-if-e10000-1/2/3)# ipv6 dhcp-relay destination 2001::2
The IPv6 address is the desnaon address to which client messages are forwarded and which enables DHCPv6 relay service on the
interface. You can congure up to 16 relay desnaon addresses on an interface.
RUCKUS FastIron DHCP Conguraon Guide, 08.0.95
Part Number: 53-1005654-01 99
4. Specify the outgoing interface parameter.
device(config-if-e10000-1/2/3)# ipv6 dhcp-relay destination fe80::224:38ff:febb:e3c0 outgoing-interface ethernet 1/2/5
Use the outgoing-interface parameter when the destination relay address is a link-local or multicast address. Specify the interface type as
ethernet, tunnel interface, or VE. Specify the port-num as the port number.
The following example enables the DHCPv6 relay agent function and specifies the relay destination address (i.e. the DHCP server) on an interface.
device(config)# interface ethernet 1/2/3
device(config-if-e10000-1/2/3)# ipv6 dhcp-relay destination 2001::2
device(config-if-e10000-1/2/3)# ipv6 dhcp-relay destination fe80::224:38ff:febb:e3c0 outgoing-interface ethernet 1/2/5
DHCPv6 relay agent include opons
You can congure the DHCPv6 relay agent to include the client's remote ID, interface ID, or client link layer address as ideners in the relay forward
DHCPv6 messages.
In some network environments, it is useful for the relay agent to add informaon to the DHCPv6 message before relaying it. The informaon that
the relay agent carries can also be used by the DHCP server to make decisions about the addresses, delegated prexes, and conguraon
parameters that the client should receive. The DHCPv6 relay-forward message contains relay agent parameters that idenfy the client-facing
interface on which the reply messages can be forwarded. You can use either one or all of the parameters as client ideners.
The following opons can be included in the relay-forward messages:
Interface-ID opon (18)
Remote-ID opon (37)
Client link layer (MAC) address opon (79)
The relay agent may send the interface-ID opon (18) to idenfy the interface on which a client message was received. If the relay agent cannot use
the address in the link-address eld to idenfy the interface through which the response to the client will be relayed, the relay agent must include
an interface-ID opon in the relay-forward message. If the relay agent receives a relay-reply message with an interface-ID opon, the relay agent
relays the message to the client through the interface idened by the opon. The server must also copy the interface-ID opon from the relay-
forward message into the relay-reply message the server sends to the relay agent in response to the relay-forward message.
The remote-ID opon (37) may be added by the DHCP relay agent that terminates switched or permanent circuits and uses a mechanism to idenfy
the remote host end of the circuit. The remote ID must be unique. A DHCPv6 relay agent can be congured to include a remote-ID opon in the
relay-forward DHCPv6 messages.
The client link layer (MAC) address opon (79) can be used along with other ideners to associate DHCPv4 and DHCPv6 messages from a dual-
stack client, and is useful in environments where operators using an exisng DHCPv4 system with the client link layer address as the customer
idener need to correlate DHCPv6 assignments using the same idener.
NOTE
If you enable the client link layer (MAC) opon and save the conguraon, and then downgrade to a version of the soware that does
not support this feature, an error message displays. You must remove any conguraon related to this opon before the downgrade and
add the conguraon aer the upgrade to prevent this error.
Specifying the IPv6 DHCP relay include opons
You can specify either one or all of the IPv6 DHCP relay include opons in the relay-forward message.
The opons include the interface-ID, remote-ID, or link layer opon. Perform the following steps to include the DHCPv6 relay opons.
1. Enter global conguraon mode by issuing the congure terminal command.
device# configure terminal
2. Enter interface conguraon mode.
device(config)# interface ethernet 1/1/1
3. Enter the ipv6 dhcp-relay include-opons command followed by the required opons: interface-ID, remote-ID or link-layer-opon.
The following example shows specifying the link layer opon.
device(config-if-e1000-1/1/1)# ipv6 dhcp-relay include-options link-layer-option
DHCPv6 Relay Agent Prex Delegaon Nocaon
DHCPv6 Relay Agent Prex Delegaon Nocaon allows a DHCPv6 server to dynamically delegate IPv6 prexes to a DHCPv6 client using the
DHCPv6 Prex Delegaon (PD) opon. DHCPv6 prex delegaon enables an Internet Service Provider (ISP) to automate the process of assigning
prexes to a customer premises equipment (CPE) network. The CPE then assigns IPv6 subnets from the delegated IPv6 prex to its downstream
customer interfaces.
FIGURE 18 DHCPv6 Relay Agent Prex Delegaon Nocaon
A route is added to the IPv6 route table on the provider edge router (PE) for the delegated prefix to be delegated to requesting routers. The DHCP
server chooses a prefix for delegation and responds with it to the CPEx. to the external network, and to enable the correct forwarding of the IPv6
packets for the delegated IPv6 prefix. Adding the delegated prefix to the IPv6 route table ensures that the unicast Reverse Path Forwarding (uRPF)
works correctly.
Because the PE is also a DHCPv6 relay agent (it relays DHCPv6 messages between the CPE and the DHCP server), it examines all DHCPv6 messages
relayed between the CPE and the DHCP server and gathers information about a delegated prefix and then manages the advertisement of this
delegated prefix to the external network.
DHCPv6 Relay Agent Prex Delegaon Nocaon limitaons
The following limitaons apply to DHCPv6 Relay Agent Prex Delegaon Nocaon.
The PD nocaon fails when the DHCPv6 messages between a DHCPv6 server and a DHCPv6 client containing the PD opon are not
relayed by way of the DHCPv6 relay agent.
If the delegated prex is released or renewed by the client at the me when the DHCPv6 relay agent is down or reboong, then this
release or renewal of the delegated prex will not be detected by the relay agent. In such a condion, there could be stale stac routes in
the roung table. You must clear the stale routes.
If there is no sucient disk space on a ash disk, then the system may not store all the delegated prexes in the IPv6 route table.
The DHCPv6 PD ash operaon depends on the NTP clock synchronizaon. During system bootup, if the NTP is congured, the ash
operaon (dhcp6_delegated_prexes_data ash le read/write) is delayed unl the NTP is synchronized. The NTP synchronizaon is
needed for the correct updang of the prex age. If the NTP is not congured, then the DHCP prex delegaon will sll read the ash, but
the prex age may not be correct.
Upgrade and downgrade consideraons
When a router is upgraded to the version of soware that supports this feature DHCPv6 Relay Agent Prex Delegaon Nocaon, the
saved informaon about delegated prexes will be examined and if the delegated prex lifeme is not expired, then the prex will be
added to the IPv6 stac route table.
When a router is downgraded to the version of soware that does not support DHCPv6 Relay Agent Prex Delegaon Nocaon, the
saved informaon about delegated prexes is retained and it cannot be used.
Conguring DHCPv6 Relay Agent Prex Delegaon Nocaon
You can set the number of delegated prexes that can be learned at the global level. By default, DHCPv6 Relay Agent Prex Delegaon Nocaon
is enabled when the DHCPv6 relay agent is enabled on an interface.
You can disable the DHCPv6 Relay Agent Prex Delegaon Nocaon at the system or the interface level by seng the IPv6 DHCP relay maximum
delegated prexes to 0 at the system or interface level as required.
Make sure that there is enough free space in the ash memory to save informaon about delegated prexes in ash on both the Acve and Standby
management processor.
1. Enter global conguraon mode by issuing the congure terminal command.
device# configure terminal
2. Set the maximum number of prexes that can be learned at the global level.
device(config)# ipv6 dhcp-relay maximum-delegated-prefixes 500
You can limit the maximum number of prexes that can be learned at the global level. The range is from 0 through 512. The default value
is 500. The DHCPv6 prex delegaon default for ICX 7750 and ICX 7850 devices is 50.
The following example sets the maximum number of prexes that can be learned at the global level to 500.
device# configure terminal
device(config)# ipv6 dhcp-relay maximum-delegated-prefixes 500
Enabling DHCPv6 Relay Agent Prex Delegaon Nocaon on an interface
The number of delegated prexes that can be learned can be limited at the interface level.
1. Enter global conguraon mode by issuing the congure terminal command.
device# configure terminal
2. Enter interface conguraon mode.
device(config)# interface ethernet 1/1/1
3. Set the number of delegated prexes that can be learned.
device(config-if-eth 1/1/1)# ipv6 dhcp-relay maximum-delegated-prefixes 100
You can limit the maximum number of prexes that can be delegated. The range is from 0 through 512. The default value is 100. The sum
of all the delegated prexes that can be learned at the interface level is limited by the system max.
The following example sets the number of delegated prexes that can be learned to 100.
device# configure terminal
device(config)# interface ethernet 1/1/1
device(config-if-eth 1/1/1)# ipv6 dhcp-relay maximum-delegated-prefixes 100
Assigning the administrave distance to DHCPv6 stac routes
You can assign the administrave distance to DHCPv6 stac routes installed in the IPv6 route table for the delegated prexes on the interface. This
value must be set so that it does not replace the same IPv6 stac route congured by the user.
1. Enter global conguraon mode by issuing the congure terminal command.
device# configure terminal
2. Enter interface conguraon mode.
device(config)# interface ethernet 1/1/1
3. Set the administrave distance value.
device(config-if-eth-1/1/1)# ipv6 dhcp-relay distance 25
The value parameter is used to assign the administrative distance to DHCPv6 static routes on the interface. The range is from 1 to 255. The
default value is 10. If the value is set to 255, then the delegated prefixes for this interface will not be installed in the IPv6 static route table.
The following example sets the administrave distance to the DHCPv6 stac routes on the interface to 25.
device# configure terminal
device(config)# interface ethernet 1/1/1
device(config-if-eth-1/1/1)# ipv6 dhcp-relay distance 25
Displaying DHCPv6 relay agent and prex delegaon informaon
You can use various show commands to view informaon about DHCPv6 relay agent and prex delegaon informaon.
Use one of the following commands to view DHCPv6 relay agent and prex delegaon informaon. The commands do not need to be entered in the
specied order.
1. Enter the show ipv6 dhcp-relay opons command.
device# show ipv6 dhcp-relay options
DHCPv6 Relay Options Information:
Interface Interface-Id Remote-Id Option-79
e 1/1/1 No No No
The output of this command displays informaon about the relay opons available to the prexed delegates for a specic interface.
2. Enter the show ipv6 dhcp-relay command.
device(config)# show ipv6 dhcp-relay
Current DHCPv6 relay agent state: Enabled
DHCPv6 enabled interface(s): e 1/2/3
DHCPv6 Relay Agent Statistics:
Total DHCPv6 Packets, Received:0, Transmitted:0
Received DHCPv6 Packets: RELEASE:0,RELAY_FORWARD:0,RELAY_REPLY:0
OtherServertoClient:0,OtherClinettoServer:0
The output of this command displays the DHCPv6 relay agent informaon congured on the device.
3. Enter the show ipv6 dhcp-relay interface command.
device(config)# show ipv6 dhcp-relay interface ethernet 1/1/1
DHCPv6 Relay Information for interface e 1/1/1:
Destinations:
Destination OutgoingInterface
2001::2 NA
Options:
Interface-Id: No Remote-Id:No Option-79:No
Prefix Delegation Information:
Current:0 Maximum:100 AdminDistance:10
The output of this command displays DHCPv6 relay informaon for a specic interface.
4. Enter the show ipv6 dhcp-relay desnaons command.
device# show ipv6 dhcp-relay destinations
DHCPv6 Relay Destinations:
Interface e 1/2/3:
Destination OutgoingInterface
2001::2 NA
fe80::224:38ff:febb:e3c0 e 1/2/5
The output of this command displays informaon about the delegated prexes' congured desnaons for a specic interface.
5. Enter the show ipv6 dhcp-relay prex-delegaon-informaon command.
device# show ipv6 dhcp-relay prefix-delegation-information
DHCPv6 Relay Prefix Delegation Notification Information:
Interface Current Maximum AdminDistance
ve 100 20 20000 10
ve 101 4000 20000 10
ve 102 0 20000 10
ve 103 0 20000 10
ve 104 0 20000 10
ve 105 0 20000 10
The output of this command displays addional informaon about the DHCPv6 prex delegaon.
6. Enter the show ipv6 dhcp-relay delegated-prexes command.
device# show ipv6 dhcp-relay delegated-prefixes interface ethernet 1/1/45
Prefix Client Interface ExpireTime
fc00:2000:6:7:1::/96 fe80::210:94ff:fe00:e 1/1/45 29d23h53m0s
The output of this command displays informaon about the delegated prexes.
Clearing the DHCPv6 delegated prexes and packet counters
Use the clear commands to clear the DHCPv6 delegated prexes and packet counters.
1. Clear the DHCPv6 delegated prexes using the clear command at the privileged EXEC level.
device# clear ipv6 dhcp-relay delegated-prefixes vrf VRF1
This command clears the DHCPv6 delegated prexes for VRF1. If you do not provide the VRF name, the informaon for the default VRF is
cleared. You can also use the all or interface keywords. Oponally, you can also clear a specic DHCPv6 delegated prex.
2. Clear all the DHCPv6 packet counters using the clear command at the privileged EXEC level.
device# clear ipv6 dhcp-relay statistics
DHCPv6 Snooping
In an IPv6 domain, a node can obtain an IPv6 address using the following mechanisms:
IPv6 address auto-conguraon using router adversements
The DHCPv6 protocol
In a typical man-in-the-middle (MITM) aack, the aacker can snoop or spoof the trac acng as a rogue DHCPv6 server. To prevent such aacks,
DHCPv6 snooping helps to secure the IPv6 address conguraon in the network.
DHCPv6 snooping enables the RUCKUS device to lter untrusted DHCPv6 packets in a subnet on an IPv6 network. DHCPv6 snooping can ward o
MiM aacks, such as a malicious user posing as a DHCPv6 server sending false DHCPv6 server reply packets with the intenon of misdirecng other
users. DHCPv6 snooping can also stop unauthorized DHCPv6 servers and prevent errors due to user misconguraon of DHCPv6 servers.
How DHCPv6 Snooping Works
When enabled on a VLAN, DHCPv6 snooping stands between untrusted ports (those connected to host ports) and trusted ports (those connected to
DHCPv6 servers). A VLAN with DHCPv6 snooping enabled forwards DHCPv6 request packets from clients and discards DHCPv6 server reply packets
on untrusted ports. The VLAN forwards DHCPv6 server reply packets on trusted ports to DHCPv6 clients, as shown in the following gures.
FIGURE 19 DHCPv6 Snooping at Work on an Untrusted Port
FIGURE 20 DHCPv6 Snooping at Work on a Trusted Port
NOTE
Trusted client ports can lead to DHCPv6 starvation and spoofing attacks. When DHCPv6 snooping is enabled, DHCPv6 request packets
received on trusted ports are dropped.
DHCPv6 Binding Database
On trusted ports, DHCPv6 server reply packets are forwarded to DHCPv6 clients. The RUCKUS ICX device removes the entry when the valid lifetime,
the time period during which an address is allowed to remain available and usable on a port, expires.
Configuration Notes and Feature Limitations for DHCPv6 Snooping
The following configuration considerations apply to DHCPv6 snooping:
DHCPv6 snooping must be enabled on both client and server VLANs.
For default VLAN ID changes, DHCPv6 snooping must be re-applied on the new default VLAN. DHCPv6 snooping is not automatically
configured on the new default VLAN. Therefore, when DHCPv6 Snooping is configured for the default VLAN (for example, VLAN 1), if the
default VLAN is changed from VLAN 1 to VLAN 4000, the DHCPv6 Snooping configurations remain configured on the old default VLAN 1.
The DHCPv6 Snooping configurations are not automatically configured on the new default VLAN 4000. In previous releases, DHCPv6
Snooping configurations were automatically removed from the old default VLAN and automatically moved to the new default VLAN.
When a client moves from one port to another port in the same VLAN, the old snoop entry for the client MAC address is automatically
updated. This occurs even when the client acquires a new IPv6 address. In previous releases, two snoop entries were maintained with
both the old IPv6 address and the new IPv6 address.
Duplicate IPv6 entries across VLANs are allowed in the DHCPv6 snooping table. When a client moves from one VLAN to another and
acquires the same address, two snooping entries are maintained for the same MAC address and IP address.
Layer 2 MAC movement is supported.
DHCPv6 snooping cannot be enabled for a VLAN that is a member of a VLAN group.
When DHCPv6 snooping is enabled, replies are prevented from going out on DHCPv6 snooping trusted ports.
When configuring DHCPv6 snooping on a range of VLANs, no VLAN in the range can be a member of a VLAN group or any reserved VLAN.
Otherwise, the configuration fails on the entire range.
If required, disable the learning of DHCPv6 clients on ports at the interface configuration level.
DHCPv6 snooping entries learnt on a member port of VLAN are deleted, with the exception of flexible authentication enabled ports, if the
port is removed from the membership of that VLAN.
DHCPv6 Snooping can be configured for a VLAN or VLANs even before the VLAN or VLANs are created. VLANs and DHCPv6 Snooping
configurations on the VLANs are not automatically deleted when the VLAN is deleted.
When DHCPv6 Snooping is enabled, client and server packets are not allowed on same port.
DHCP snooping can be configured on a maximum of 511 VLANs.
When configuring DHCPv6 snooping on a range of VLANs or multi-VLAN, there cannot be any VLAN in the range that is a member of a
VLAN group or any reserved VLAN. Otherwise, configurations fail on the entire range.
ACLs are supported on member ports of a VLAN on which DHCPv6 snooping is enabled. Refer to Client IP-to-MAC address mappings on
page 78 for more information. In previous releases, these were mutually exclusive.
Conguring DHCPv6 Snooping
DHCPv6 snooping must be enabled on VLANs, aer which the trust seng of ports connected to a DHCPv6 server must be changed to trusted.
DHCPv6 packets for a VLAN with DHCPv6 snooping enabled are inspected.
NOTE
DHCPv6 snooping is disabled by default and the trust seng of ports is untrusted by default. DHCPv6 snooping must be enabled on the
client and the DHCPv6 server VLANs.
NOTE
DHCPv6 Snooping can be congured for a VLAN or VLANS even before the VLAN or VLANS are created. VLANs and DHCPv6 Snooping
conguraons on the VLANS are not automacally deleted when the VLAN is deleted.
1. Enter global conguraon mode by using the congure terminal command.
device# configure terminal
2. Enable DHCPv6 snooping on a VLAN.
device(config)# ipv6 dhcp6 snooping vlan 2
3. Change the trust seng of the ports that are connected to the DHCPv6 server to trusted at the interface conguraon level.
device(config)# interface ethernet 1/1/1
device(config-if-e10000-1/1/1)# dhcp6 snooping trust
Port 1/1/1 is connected to a DHCPv6 server. The commands access the CLI to the interface configuration level of port 1/1/1 and set the
trust setting of port 1/1/1 to trusted.
4. If required, disable the learning of DHCPv6 clients on ports at the interface configuration level. Disabling the learning of DHCPv6 clients
can be configured on a range of ports as well.
device(config-if-e10000-1/1/1)# dhcp6 snooping client-learning disable
5. Clear the DHCPv6 binding database. You can remove all entries in the database or for a specific IP address only.
The first command removes all entries from the DHCPv6 binding database and the second removes entries for a specific IP address.
device# clear ipv6 dhcp6 snooping
device# clear ipv6 dhcp6 snooping 2001::2
The following example congures VLAN 10, and enables DHCPv6 snooping for the congured VLANs.
device(config)# vlan 10
device(config-vlan-10)# untagged ethernet 1/1/1 to 1/1/3
device(config-vlan-10)# exit
device(config)# ipv6 dhcp6 snooping vlan 10
On VLAN 10, client ports 1/1/2 and 1/1/3 are untrusted. By default, all client ports are untrusted. Only DHCPv6 client SOLICIT and REQUEST packets
received on ports 1/1/2 and 1/1/3 are forwarded.
The following example sets the DHCPv6 server port as trusted.
device(config)# interface ethernet 1/1/1
device(config-if-e10000-1/1/1)# dhcp6 snooping trust
device(config-if-e10000-1/1/1)# exit
Port 1/1/1 is connected to a DHCPv6 server. The DHCPv6 server ADVERTISE and REPLY packets received on port 1/1/1 are forwarded.
Conguring DHCPv6 Snooping on Mulple VLANs
DHCPv6 snooping can be enabled on mulple VLANs using one command. The following task congures mulple VLANs and enables DHCPv6
snooping on most of the congured VLANs using a single command.
NOTE
DHCPv6 snooping can be congured on a maximum number of 511 VLANs at one me.
NOTE
DHCPv6 Snooping can be congured for a VLAN or VLANS even before the VLAN or VLANS are created. VLANs and DHCPv6 Snooping
conguraons on the VLANS are not automacally deleted when the VLAN is deleted.
NOTE
When conguring DHCPv6 snooping on a range of VLANs or mul-VLAN, there cannot not be any VLAN in the range that is a member of a
VLAN group or any reserved VLAN. Otherwise, conguraons fail on the enre range.
1. Enter global conguraon mode.
device# configure terminal
2. Congure the port-based VLANs.
device(config)# vlan 100 to 150
3. Add port Ethernet 1/1/12 as a tagged port.
device(config-mvlan-100-150)# tagged ethernet 1/1/12
4. Use the exit command to return to global configuration mode.
device(config-mvlan-100-150)# exit
5. Congure more port-based VLANs.
device(config)# vlan 151 to 200
6. Add port Ethernet 1/1/12 as a tagged port.
device(config-mvlan-151-200)# tagged ethernet 1/1/12
7. Use the exit command to return to global configuration mode.
device(config-mvlan-151-200)# exit
8. Use the ipv6 dhcp6 snooping command with the to keyword, specifying a VLAN range, to enable DHCPv6 snooping on multiple VLANs.
device(config)# ipv6 dhcp6 snooping vlan 100 to 150 160 170 to 200
9. Change the trust seng of the ports that are connected to the DHCP server to trusted at the interface conguraon level.
a) To enable trust on a port, enter interface conguraon mode.
device(config)# interface ethernet 1/1/12
b) Enable trust on the port.
device(config-if-e10000-1/1/12)# dhcp6 snooping trust
The following example congures VLANs 100 through 200, and enables DHCPv6 snooping on VLANs 100 through 150, VLAN 160, and VLANs 170
through 200.
device# configure terminal
device(config)# vlan 100 to 150
device(config-mvlan-100-150)# tagged ethernet 1/1/12
device(config-mvlan-100-150)# exit
device(config)# vlan 151 to 200
device(config-mvlan-151-200)# tagged ethernet 1/1/12
device(config-mvlan-151-200)# exit
device(config)# ipv6 dhcp6 snooping vlan 100 to 150 160 170 to 200
device(config)# interface ethernet 1/1/12
device(config-if-e10000-1/1/12)# dhcp6 snooping trust
Conguring DHCPv6 Snooping for Mul-VRF
DHCPv6 snooping supports Mul-VRF. You can deploy mulple Virtual Roung and Forwarding instances (VRFs) on a RUCKUS Ethernet switch. Each
VLAN with a Virtual Ethernet (VE) interface is assigned to a VRF.
You can enable DHCPv6 snooping on individual VLANs and assign any interface as the DHCPv6 trust interface. If an interface is a tagged port in this
VLAN, you can turn on the trust port per VRF, so that trac intended for other VRF VLANs is not trusted.
1. Enter global conguraon mode by issuing the congure terminal command.
device# configure terminal
2. Congure DHCPv6 snooping on a specic VLAN.
device(config)# ipv6 dhcp6 snooping vlan 2
3. Set the port as a trusted port.
device(config)# interface ethernet 1/1/4
device(config-if-e10000-1/1/4)# dhcp6 snooping trust vrf red
The trust port seng for DHCPv6 snooping can be specied per VRF.
4. Congure the DHCPv6 relay agent on the VE interface if the client and server are not in the same VLAN.
device(config-vif-23)# ipv6 dhcp-relay destination 2001:100::2
5. To clear a DHCPv6 binding database of a specic Mul-VRF, enter the following command.
device(config)# clear ipv6 dhcp6 snooping vrf vrf2
6. To clear a specic DHCPv6 binding belonging to a specic IPv6 address and VRF, enter the following command.
device# clear ipv6 dhcp6 snooping 2001::2 vrf vrf2
7. To clear default VRF DHCPv6 snooping entries, enter the following command.
device# clear ipv6 dhcp6 snooping vrf default
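The snooping and trust commands from the two procedures above lend themselves to an offline audit. The following Python sketch is an added example, not part of the RUCKUS guide: it expands the VLAN list syntax, collects trusted ports, and reports VLANs left without snooping and trusted ports that are not on a reviewer-supplied list. The sample text is constructed, and the assumption is that a saved configuration carries these commands in the form they are typed.

```python
import re

# Constructed sample: the snooping and trust commands from this section as they
# are assumed to appear in a saved configuration, plus one extra trusted port.
SAMPLE_CONFIG = """\
ipv6 dhcp6 snooping vlan 100 to 150 160 170 to 200
!
interface ethernet 1/1/12
 dhcp6 snooping trust
!
interface ethernet 1/1/4
 dhcp6 snooping trust vrf red
!
interface ethernet 1/1/7
 dhcp6 snooping trust
!
"""


def expand_vlans(spec):
    """Expand a VLAN list such as '100 to 150 160 170 to 200' into a set of IDs."""
    tokens = spec.split()
    vlans = set()
    i = 0
    while i < len(tokens):
        first = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            last = int(tokens[i + 2])
            if last < first:
                raise ValueError(f"descending VLAN range: {first} to {last}")
            vlans.update(range(first, last + 1))
            i += 3
        else:
            vlans.add(first)
            i += 1
    return vlans


def parse_snooping(config):
    """Return (snooped VLAN IDs, {trusted port: VRF name or None})."""
    snooped = set()
    trusted = {}
    current_if = None
    for raw in config.splitlines():
        line = raw.strip()
        match = re.fullmatch(r"ipv6 dhcp6 snooping vlan (.+)", line)
        if match:
            snooped |= expand_vlans(match.group(1))
            continue
        match = re.fullmatch(r"interface (ethernet \S+)", line)
        if match:
            current_if = match.group(1)
            continue
        if line == "!" or line.startswith("interface "):
            current_if = None  # left the ethernet interface block
            continue
        match = re.fullmatch(r"dhcp6 snooping trust(?: vrf (\S+))?", line)
        if match and current_if:
            trusted[current_if] = match.group(1)
    return snooped, trusted


def audit(config, required_vlans, allowed_trusted):
    """Compare the configuration with the reviewer's expectations.

    required_vlans: VLAN IDs that must have DHCPv6 snooping enabled.
    allowed_trusted: {port: expected VRF or None} for server-facing ports.
    """
    snooped, trusted = parse_snooping(config)
    findings = []
    missing = sorted(set(required_vlans) - snooped)
    if missing:
        findings.append(("vlan-not-snooped", missing))
    for port in sorted(trusted):
        if port not in allowed_trusted:
            findings.append(("unexpected-trusted-port", port))
        elif allowed_trusted[port] != trusted[port]:
            findings.append(("trust-vrf-mismatch", port))
    return findings


if __name__ == "__main__":
    expected = {"ethernet 1/1/12": None, "ethernet 1/1/4": "red"}
    for finding in audit(SAMPLE_CONFIG, range(100, 201), expected):
        print(finding)
```

Run against the VLAN 100 through 200 example above, the audit shows that VLANs 151 through 159 and 161 through 169 carry the tagged port but are not snooped.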
Displaying DHCPv6 Snooping Information
You can use various show commands to view information about DHCPv6 snooping.
Use one of the following commands to view DHCPv6 snooping information. The commands do not need to be entered in the specified order.
1. Enter the show ipv6 dhcp6 snooping command to display information about the DHCPv6 snooping status and ports.
device# show ipv6 dhcp6 snooping
IP dhcpv6 snooping enabled on 2 VLAN(s):
VLAN(s): 1 11
2. Enter the show ipv6 dhcp6 snooping info command to display information about the DHCPv6 snooping binding database.
device> show ipv6 dhcp6 snooping info
Dhcp snooping Info
Total Learnt Entries 1
Learnt DHCPv6 Snoop Entries
IPv6 Address   Mac Address      Valid-Time  Preferred-Time  Port/Lag  Vlan  VRF
2001::5        00c5.0600.0001   2753        2753            1/2/4     1     default-vrf
DHCPv6 Server
The Dynamic Host Configuration Protocol version 6 (DHCPv6) is a network protocol for configuring IPv6 hosts with IP addresses, IP prefixes, and other configuration data required to operate in an IPv6 network. All FastIron devices can be configured to function as DHCPv6 servers.
DHCPv6 Server is the IPv6 equivalent of the Dynamic Host Configuration Protocol (DHCP) for IPv4 that is documented in the DHCP Server chapter. In the same manner as DHCP for IPv4, a DHCPv6 server allocates temporary or permanent network IPv6 addresses to clients. When a client requests the use of an address for a time interval, the DHCPv6 server guarantees not to reallocate that address within the requested time, and tries to return the same network address each time the client makes a request. When the client is done with the address, the address is released back to the server. Clients may also receive a permanent assignment. In short, the DHCPv6 server assigns IPv6 addresses to all clients and it keeps track of the bindings. DHCPv6 Server also allows for greater control of address distribution within a subnet.
DHCPv6 is supported on the following RUCKUS ICX platforms for both Layer 2 and Layer 3 software images:
• RUCKUS ICX 7150
• RUCKUS ICX 7250
• RUCKUS ICX 7450
• RUCKUS ICX 7550
• RUCKUS ICX 7650
• RUCKUS ICX 7750
• RUCKUS ICX 7850
NOTE
For the DHCPv6 server to be enabled, you must upgrade to FI 08.0.90 using the Unified FastIron Image (UFI). Refer to the Software Upgrade and Downgrade chapter in the RUCKUS FastIron Software Upgrade Guide for more information.
Configuration Considerations for DHCPv6 Servers
The following configuration considerations apply to DHCPv6 servers.
• The DHCPv6 server is supported in the Layer 2 and Layer 3 software images.
• For the DHCPv6 server to be enabled, you must upgrade to FI 08.0.90 using the Unified FastIron Image (UFI). Refer to the Software Upgrade and Downgrade chapter in the RUCKUS FastIron Software Upgrade Guide for more information.
• The DHCPv6 server is not supported for non-default VRFs.
• The ICX DHCPv6 server does not assign IPv6 addresses via DHCPv6 relay.
• IPv6 unicast routing must be enabled for Layer 3 software images.
• For stateless DHCPv6 servers, IPv6 addresses are assigned to the clients through auto-configuration. The DHCPv6 server is used only to assign information such as domain names, multiple DNS servers, and other supported DHCPv6 options. One ICX interface should be configured with an IPv6 address that falls in the subnet range configured for the DHCPv6 server.
• Neighbor discovery protocol (NDP) should be configured for stateless DHCPv6 servers.
• A FastIron device configured as a DHCPv6 server can support up to 500 DHCP clients.
• Up to 100 DHCPv6 subnets can be configured for the DHCPv6 server with a Layer 3 software image only.
• When the rapid commit option is configured on the server, only Solicit and Reply packets are sent between the client and the server instead of Solicit, Advertise, Request and Reply. For the rapid commit mode to work, the client should also have the rapid commit option enabled.
• Whenever a configuration change is made with respect to the DHCPv6 server, the configuration change is written to the dhcpd.conf file in Linux within 30 seconds. When this occurs, the dhcpd process restarts.
• For a full list of commands supported for DHCPv6 Servers, refer to the What's New section in the RUCKUS FastIron Command Reference.
Configuring the Stateless DHCPv6 Server on Layer 3 Software Images
Perform the following steps to configure a stateless DHCPv6 server on a Layer 3 software image.
Consider the following when configuring the stateless DHCPv6 server on Layer 3 software images:
• For stateless DHCPv6 servers, up to 100 DHCPv6 subnets can be configured with a Layer 3 software image only.
• In SLAAC (Stateless Address Auto-configuration), the client does not require the DHCPv6 server to get the IPv6 address. It receives the prefix, prefix-length, and the Default Gateway from the RA and the address is auto-configured.
• The DHCPv6 client can only get other information, such as DNS and domain-name, from the DHCPv6 server.
• The configuration of the nd other-config-flag, using the ipv6 nd other-config-flag command, is required for the stateless DHCPv6 server to receive DNS and domain name configuration. When the ipv6 nd other-config-flag command is used, the O flag is set to 1.
• When the client sends an Information-Request to the server, the server replies with information such as domain-name and DNS server.
• Since the IPv6 address is not assigned by the DHCPv6 server, the lease entry is not seen on the server.
1. Enter global configuration mode by issuing the configure terminal command.
router# configure terminal
2. Enter the ipv6 unicast-routing command to enable the forwarding of IPv6 traffic.
router(config)# ipv6 unicast-routing
3. Enter the ipv6 dhcp6-server enable command to enable the DHCPv6 server.
router(config)# ipv6 dhcp6-server enable
4. (Optional) Enter the domain-name command, entering a domain name, to configure the domain name server (DNS) domain name.
router(config-dhcp6)# domain-name example.com
5. (Optional) Enter the dns-server command, specifying an IPv6 address, to specify the IPv6 address of the DNS server.
router(config-dhcp6)# dns-server 8fef:400:efdd:301::10 8fef:400:efdd:301::20
6. Enter the renewal-time command, specifying an interval, to set the time interval after which the client transitions to the renewing state upon receipt of an IPv6 address.
router(config-dhcp6)# renewal-time 50
If the renewal time is not configured, half of the value of the configured preferred lifetime is considered as the renewal time.
7. Enter the subnet6 command, specifying an IPv6 prefix, to configure a subnet for the DHCPv6 server and enter DHCPv6 subnet configuration mode.
router(config-dhcp6)# subnet6 8fef:400:efdd:301::/64
8. Enter the range6 command, specifying IPv6 addresses, to assign IPv6 addresses in the specified range.
router(config-dhcpv6-subnet)# range6 8fef:400:efdd:301::100 8fef:400:efdd:301::200
9. Enter the exit command until you return to global configuration mode.
router(config-dhcpv6-subnet)# exit
router(config-dhcp6)# exit
router(config)#
10. Enter the vlan command and enter a VLAN ID to create a VLAN.
router(config)# vlan 100
11. Enter the untagged command and specify a port to add an untagged Ethernet port to the port-based VLAN and specify the port connected to the client into one VLAN.
router(config-vlan-100)# untagged ethernet 1/1/2
12. Enter the router-interface command, specifying an interface, to attach a router interface to the VLAN.
router(config-vlan-100)# router-interface ve 100
13. Enter the exit command to return to global configuration mode.
router(config-vlan-100)# exit
14. Enter the interface ve command specifying the configured VLAN.
router(config)# interface ve 100
15. Enter the ipv6 address command, specifying an IPv6 address, to configure an IPv6 address on the server interface in the range of the configured subnet6.
router(config-vif-100)# ipv6 address 8fef:400:efdd:301::3/64
16. Enter the ipv6 nd other-config-flag command to enable the hosts to use autoconfiguration to get non-IPv6-address information.
router(config-vif-100)# ipv6 nd other-config-flag
The following example enables IPv6 unicast routing, configures a stateless DHCPv6 server on a Layer 3 software image and configures an IPv6 address on the server interface in the range of the configured subnet6. The ipv6 nd other-config-flag command is used to set the O flag to 1.
router# configure terminal
router(config)# ipv6 unicast-routing
router(config)# ipv6 dhcp6-server enable
router(config-dhcp6)# domain-name example.com
router(config-dhcp6)# dns-server 8fef:400:efdd:301::10 8fef:400:efdd:301::20
router(config-dhcp6)# renewal-time 50
router(config-dhcp6)# subnet6 8fef:400:efdd:301::/64
router(config-dhcpv6-subnet)# range6 8fef:400:efdd:301::100 8fef:400:efdd:301::200
router(config-dhcpv6-subnet)# exit
router(config-dhcp6)# exit
router(config)# vlan 100
router(config-vlan-100)# untagged ethernet 1/1/2
router(config-vlan-100)# router-interface ve 100
router(config-vlan-100)# exit
router(config)# interface ve 100
router(config-vif-100)# ipv6 address 8fef:400:efdd:301::3/64
router(config-vif-100)# ipv6 nd other-config-flag
Conguring the Stateful DHCPv6 Server on Layer 3 Soware Images
Perform the following steps to congure a stateful DHCPv6 server on a Layer 3 soware image.
Consider the following when conguring the stateful DHCPv6 server on Layer 3 soware images:
For stateful DHCPv6 servers, up to 100 DHCPv6 subnets can be congured with a Layer 3 soware image only.
For stateful DHCPv6 Servers, the client requires the DHCPv6 server to get the IPv6 address and other informaon such as DNS and
domain-name.
The conguraon of the nd managed address conguraon ag, using the ipv6 nd managed-cong-ag command is required for stateful
DHCPv6 servers. When the ipv6 nd managed-cong-ag command is used, the M ag is set to 1.
The IPv6 address is assigned by the DHCPv6 server, and the lease entry can be viewed on the server in the output of the show ipv6 dhcp6-
server lease command.
1. Enter global conguraon mode by issuing the congure terminal command.
router# configure terminal
2. Enter the ipv6 unicast-roung command to enable the forwarding of IPv6 trac.
router(config)# ipv6 unicast-routing
3. Enter the ipv6 dhcp6-server enable command to enable the DHCPv6 server.
router(config)# ipv6 dhcp6-server enable
4. Enter the domain-name command, entering a domain name, to congure the domain name server (DNS) domain name.
router(config-dhcp6)# domain-name example.com
5. Enter the dns-server command, specifying an IPv6 address, to specify the IPv6 address of the DNS server.
router(config-dhcp6)# dns-server 8fef:400:efdd:301::10 8fef:400:efdd:301::20
6. Enter the renewal-me command, specifying an interval, to set the me interval aer which the client transions to the renewing state
upon receipt of an IPv6 address.
router(config-dhcp6)# renewal-time 50
If the renewal me is not congured, half of the valued of the congured preferred lifeme is considered as the renewal me.
7. Enter the subnet6 command, specifying an IPv6 prex, to congure a subnet for the DHCPv6 server and enter DHCPv6 subnet
conguraon mode.
router(config-dhcp6)# subnet6 8fef:400:efdd:301::/64
8. Enter the range6 command, specifying IPv6 addresses, to assign IPv6 addresses in the specied range.
router(config-dhcpv6-subnet)# range6 8fef:400:efdd:301::100 8fef:400:efdd:301::200
9. Enter the exit command unl you return to global conguraon mode.
router(config-dhcpv6-subnet)# exit
router(config-dhcp6)# exit
router(config)#
10. Enter the vlan command and enter a VLAN ID to create a VLAN.
router(config)# vlan 100
11. Enter the untagged command and specify a port to add an untagged Ethernet port to the port-based VLAN and specify the port connected to the client into one VLAN.
router(config-vlan-100)# untagged ethernet 1/1/2
12. Enter the router-interface command, specifying an interface, to attach a router interface to the VLAN.
router(config-vlan-100)# router-interface ve 100
13. Enter the exit command to return to global configuration mode.
router(config-vlan-100)# exit
14. Enter the interface ve command specifying the configured VLAN.
router(config)# interface ve 100
15. Enter the ipv6 address command, specifying an IPv6 address, to configure an IPv6 address on the server interface in the range of the configured subnet6.
router(config-vif-100)# ipv6 address 8fef:400:efdd:301::3/64
16. Enter the ipv6 nd managed-config-flag command to enable the hosts to use autoconfiguration to get non-IPv6-address information.
router(config-vif-100)# ipv6 nd managed-config-flag
The following example enables IPv6 unicast routing, configures a stateful DHCPv6 server on a Layer 3 software image and configures an IPv6 address on the server interface in the range of the configured subnet6. The ipv6 nd managed-config-flag command is used to set the M flag to 1.
router# configure terminal
router(config)# ipv6 unicast-routing
router(config)# ipv6 dhcp6-server enable
router(config-dhcp6)# domain-name example.com
router(config-dhcp6)# dns-server 8fef:400:efdd:301::10 8fef:400:efdd:301::20
router(config-dhcp6)# renewal-time 50
router(config-dhcp6)# subnet6 8fef:400:efdd:301::/64
router(config-dhcpv6-subnet)# range6 8fef:400:efdd:301::100 8fef:400:efdd:301::200
router(config-dhcpv6-subnet)# exit
router(config-dhcp6)# exit
router(config)# vlan 100
router(config-vlan-100)# untagged ethernet 1/1/2
router(config-vlan-100)# router-interface ve 100
router(config-vlan-100)# exit
router(config)# interface ve 100
router(config-vif-100)# ipv6 address 8fef:400:efdd:301::3/64
router(config-vif-100)# ipv6 nd managed-config-flag
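The Layer 3 stateless and stateful procedures above share the same constraints: range6 must sit inside subnet6, an interface address must fall in that subnet, IPv6 unicast routing must be on, and the O or M flag decides which mode clients use. The following Python sketch is an added example, not RUCKUS code, that checks those constraints in configuration text. Both samples are constructed, and their flat layout follows the running-config excerpt shown later in this guide.

```python
import ipaddress
import re

# Constructed sample laid out like the running-config excerpt in this guide.
STATEFUL = """\
ipv6 dhcp6-server enable
subnet6 8fef:400:efdd:301::/64
range6 8fef:400:efdd:301::100 8fef:400:efdd:301::200
exit
!
ipv6 unicast-routing
!
interface ve 100
ipv6 address 8fef:400:efdd:301::3/64
ipv6 nd managed-config-flag
!
"""
# Constructed faulty variant: pool in the wrong /64, no routing, no M or O flag.
FAULTY = """\
ipv6 dhcp6-server enable
subnet6 8fef:400:efdd:301::/64
range6 8fef:400:efdd:302::100 8fef:400:efdd:302::200
exit
!
interface ve 100
ipv6 address 8fef:400:efdd:301::3/64
!
"""


def parse(text):
    """Collect subnet6/range6 pairs and per-interface addresses and ND flags."""
    cfg = {"enabled": False, "routing": False, "subnets": [], "ifaces": {}}
    subnet = iface = None
    for raw in text.splitlines():
        words = raw.split()
        line = " ".join(words)
        flag = re.fullmatch(r"ipv6 nd (managed|other)-config-flag", line)
        if line in ("!", "exit"):
            subnet = iface = None
        elif line == "ipv6 dhcp6-server enable":
            cfg["enabled"] = True
        elif line == "ipv6 unicast-routing":
            cfg["routing"] = True
        elif words[:1] == ["subnet6"] and len(words) == 2:
            subnet = {"net": ipaddress.IPv6Network(words[1]), "ranges": []}
            cfg["subnets"].append(subnet)
        elif words[:1] == ["range6"] and subnet is not None and len(words) == 2:
            pool = ipaddress.IPv6Network(words[1])  # range6 given as a prefix
            subnet["ranges"].append((pool[0], pool[-1]))
        elif words[:1] == ["range6"] and subnet is not None and len(words) == 3:
            low, high = (ipaddress.IPv6Address(w) for w in words[1:])
            subnet["ranges"].append((low, high))
        elif words[:1] == ["interface"]:
            name = " ".join(words[1:])
            iface = cfg["ifaces"].setdefault(name, {"addrs": [], "flags": set()})
        elif words[:2] == ["ipv6", "address"] and iface is not None and len(words) == 3:
            iface["addrs"].append(ipaddress.IPv6Interface(words[2]))
        elif flag and iface is not None:
            iface["flags"].add(flag.group(1))
    return cfg


def check(text):
    """Return (sorted list of modes in use, list of (code, detail) findings)."""
    cfg = parse(text)
    findings, modes = [], set()
    if not cfg["enabled"]:
        findings.append(("dhcp6-server-disabled", ""))
    if not cfg["routing"]:
        findings.append(("unicast-routing-off", ""))
    for sub in cfg["subnets"]:
        net = sub["net"]
        for low, high in sub["ranges"]:
            if low not in net or high not in net or low > high:
                findings.append(("range6-outside-subnet6", f"{low} {high} vs {net}"))
        serving = [(name, i) for name, i in cfg["ifaces"].items()
                   if any(a.network == net for a in i["addrs"])]
        if not serving:
            findings.append(("no-interface-in-subnet6", str(net)))
        for name, i in serving:
            if "managed" in i["flags"]:
                modes.add("stateful")      # M flag set to 1
            elif "other" in i["flags"]:
                modes.add("stateless")     # O flag set to 1
            else:
                findings.append(("nd-flag-missing", name))
    return sorted(modes), findings


if __name__ == "__main__":
    print(check(STATEFUL))
    print(check(FAULTY))
```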
Conguring the Stateless DHCPv6 Server on Layer 2 Soware Images
Perform the following steps to congure a stateless DHCPv6 server on a Layer 2 soware image.
NOTE
For the DHCPv6 server soluon to work on ICX Layer 2 soware image, an IPv6 RA provider in the Layer 2 network is required.
Consider the following when conguring the stateless DHCPv6 server on Layer 2 soware images:
For stateless DHCPv6 servers, one DHCPv6 subnet can be congured on the management VLAN.
In SLAAC (Stateless Address Auto-conguraon), the client does not require the DHCPv6 server to get the IPv6 address. It receives the
prex, prex-length, and the Default Gateway from the RA and the address is auto-congured.
The DHCPv6 client can only get other informaon, such as DNS and domain-name, from the DHCPv6 server.
The conguraon of the nd other-cong-ag, using the ipv6 nd other-cong-ag command, is required for the stateless DHCPv6 server to
receive DNS and domain name conguraon. When the ipv6 nd other-cong-ag command is used, the O ag is set to 1. Refer to the
Conguring an IPv6 address on the Router Interface on page 117 secon for more informaon.
When the client sends an Informaon-Request to the server, the server replies with informaon such as domain-name and DNS server.
Since the IPv6 address is not assigned by the DHCPv6 server, the lease entry is not seen on the server.
The gure below shows an ICX DHCPv6 server working in a Layer 2 session.
FIGURE 21 Layer 2 DHCPv6 Server Session
1. Enter global conguraon mode by issuing the congure terminal command.
switch# configure terminal
2. Enter the ipv6 dhcp6-server enable command to enable the DHCPv6 server.
switch(config)# ipv6 dhcp6-server enable
3. Enter the domain-name command, entering a domain name, to congure the domain name server (DNS) domain name.
switch(config-dhcp6)# domain-name example.com
4. Enter the dns-server command, specifying an IPv6 address, to specify the IPv6 address of the DNS server.
switch(config-dhcp6)# dns-server 8fef:400:efdd:301::10 8fef:400:efdd:301::20
5. Enter the renewal-time command, specifying an interval, to set the time interval after which the client transitions to the renewing state upon receipt of an IPv6 address.
switch(config-dhcp6)# renewal-time 50
If the renewal time is not configured, half of the value of the configured preferred lifetime is considered as the renewal time.
6. Enter the subnet6 command, specifying an IPv6 prefix, to configure a subnet for the DHCPv6 server and enter DHCPv6 subnet configuration mode.
switch(config-dhcp6)# subnet6 8fef:400:efdd:301::/64
7. Enter the range6 command to assign IPv6 addresses in the specified range.
switch(config-dhcpv6-subnet)# range6 8fef:400:efdd:301::100 8fef:400:efdd:301::200
8. Enter the exit command until you return to global configuration mode.
switch(config-dhcpv6-subnet)# exit
switch(config-dhcp6)# exit
switch(config)#
9. Enter the ipv6 address command, specifying an IPv6 address, to configure an IPv6 address in the range of the configured subnet6.
switch(config)# ipv6 address 8fef:400:efdd:301::3/64
The following example configures a stateless DHCPv6 server on a Layer 2 software image and configures an IPv6 address in the range of the configured subnet6.
switch# configure terminal
switch(config)# ipv6 dhcp6-server enable
switch(config-dhcp6)# domain-name example.com
switch(config-dhcp6)# dns-server 8fef:400:efdd:301::10 8fef:400:efdd:301::20
switch(config-dhcp6)# renewal-time 50
switch(config-dhcp6)# subnet6 8fef:400:efdd:301::/64
switch(config-dhcpv6-subnet)# range6 8fef:400:efdd:301::100 8fef:400:efdd:301::200
switch(config-dhcpv6-subnet)# exit
switch(config-dhcp6)# exit
switch(config)# ipv6 address 8fef:400:efdd:301::3/64
Follow the steps in the Conguring an IPv6 address on the Router Interface on page 117 secon to congure an IPv6 address on the router
interface.
Conguring an IPv6 address on the Router Interface
Perform the following steps to enable the forwarding of IPv6 trac and congure an IPv6 address on the router interface.
Complete the steps outlined in the Conguring the Stateless DHCPv6 Server on Layer 2 Soware Images on page 115 secon before compleng this
task.
NOTE
The conguraon of the nd other-cong-ag, using the ipv6 nd other-cong-ag command, is required for the stateless DHCPv6 server to
receive DNS and domain name conguraon. When the ipv6 nd other-cong-ag command is used, the O ag is set to 1.
NOTE
The router-interface can be an ICX router or a router from another vendor, for example, Cisco Systems.
1. On the ICX router, enter global configuration mode by issuing the configure terminal command.
router# configure terminal
2. Enter the ipv6 unicast-routing command to enable the forwarding of IPv6 traffic.
router(config)# ipv6 unicast-routing
3. Enter the interface command and specify the port connected to the client.
router(config)# interface ve 100
4. Enter the ipv6 address command, specifying an IPv6 address, to configure an IPv6 address on the router interface of the ICX router.
router(config-vif-100)# ipv6 address 8fef:400:efdd:301::3/64
5. Enter the ipv6 nd other-config-flag command to enable the hosts to use autoconfiguration to get non-IPv6-address information.
router(config-vif-100)# ipv6 nd other-config-flag
The following example enables the forwarding of IPv6 traffic and configures an IPv6 address. The ipv6 nd other-config-flag command is used to set the O flag to 1.
router# configure terminal
router(config)# ipv6 unicast-routing
router(config)# interface ve 100
router(config-vif-100)# ipv6 address 8fef:400:efdd:301::3/64
router(config-vif-100)# ipv6 nd other-config-flag
Conguring the Stateful DHCPv6 Server on Layer 2 Soware Images
Perform the following steps to congure a stateful DHCPv6 server on a Layer 2 soware image.
Consider the following when conguring the stateful DHCPv6 server on Layer 3 soware images:
For stateful DHCPv6 servers, one DHCPv6 subnet can be congured on the management VLAN.
For stateful DHCPv6 Servers, the client requires the DHCPv6 server to get the IPv6 address and other informaon such as DNS and
domain-name.
The conguraon of the nd managed address conguraon ag, using the ipv6 nd managed-cong-ag command is required for stateful
DHCPv6 servers. When the ipv6 nd managed-cong-ag command is used, the M ag is set to 1.
The IPv6 address is assigned by the DHCPv6 server, and the lease entry can be viewed on the server in the output of the show ipv6 dhcp6-
server lease command. Refer to the Conguring an IPv6 address for the Router Interface on page 119 secon for more informaon.
1. Enter global conguraon mode by issuing the congure terminal command.
switch# configure terminal
2. Enter the ipv6 dhcp6-server enable command to enable the DHCPv6 server.
switch(config)# ipv6 dhcp6-server enable
3. Enter the domain-name command, entering a domain name, to congure the domain name server (DNS) domain name.
switch(config-dhcp6)# domain-name example.com
4. Enter the dns-server command, specifying an IPv6 address, to specify the IPv6 address of the DNS server.
switch(config-dhcp6)# dns-server 8fef:400:efdd:301::10 8fef:400:efdd:301::20
5. Enter the renewal-time command, specifying an interval, to set the time interval after which the client transitions to the renewing state upon receipt of an IPv6 address.
switch(config-dhcp6)# renewal-time 50
If the renewal time is not configured, half of the value of the configured preferred lifetime is considered as the renewal time.
6. Enter the subnet6 command, specifying an IPv6 prefix, to configure a subnet for the DHCPv6 server and enter DHCPv6 subnet configuration mode.
switch(config-dhcp6)# subnet6 8fef:400:efdd:301::/64
7. Enter the range6 command to assign IPv6 addresses in the specified range.
switch(config-dhcpv6-subnet)# range6 8fef:400:efdd:301::100 8fef:400:efdd:301::200
8. Enter the exit command until you return to global configuration mode.
switch(config-dhcpv6-subnet)# exit
switch(config-dhcp6)# exit
switch(config)#
9. Enter the ipv6 address command, specifying an IPv6 address, to configure an IPv6 address in the range of the configured subnet6.
switch(config)# ipv6 address 8fef:400:efdd:301::3/64
The following example configures a stateful DHCPv6 server on a Layer 2 software image and configures an IPv6 address in the range of the configured subnet6.
switch# configure terminal
switch(config)# ipv6 dhcp6-server enable
switch(config-dhcp6)# domain-name example.com
switch(config-dhcp6)# dns-server 8fef:400:efdd:301::10 8fef:400:efdd:301::20
switch(config-dhcp6)# renewal-time 50
switch(config-dhcp6)# subnet6 8fef:400:efdd:301::/64
switch(config-dhcpv6-subnet)# range6 8fef:400:efdd:301::100 8fef:400:efdd:301::200
switch(config-dhcpv6-subnet)# exit
switch(config-dhcp6)# exit
switch(config)# ipv6 address 8fef:400:efdd:301::3/64
Follow the steps in the Conguring an IPv6 address for the Router Interface on page 119 secon to congure an IPv6 address on the router
interface.
Conguring an IPv6 address for the Router Interface
Perform the following steps to enable the forwarding of IPv6 trac and congure an IPv6 address on the router interface.
Complete the steps outlined in the Conguring the Stateful DHCPv6 Server on Layer 2 Soware Images on page 118 secon before compleng this
task.
NOTE
The conguraon of the nd managed address conguraon ag, using the ipv6 nd managed-cong-ag command is required for stateful
DHCPv6 servers. When the ipv6 nd managed-cong-ag command is used, the M ag is set to 1.
NOTE
The router-interface can be an ICX router or a router from another vendor, for example, Cisco Systems.
1. On the ICX router, enter global configuration mode by issuing the configure terminal command.
router# configure terminal
2. Enter the ipv6 unicast-routing command to enable the forwarding of IPv6 traffic.
router(config)# ipv6 unicast-routing
3. Enter the interface command and specify the port connected to the client.
router(config)# interface ve 100
4. Enter the ipv6 address command, specifying an IPv6 address, to configure an IPv6 address on the router interface of the ICX router.
router(config-vif-100)# ipv6 address 8fef:400:efdd:301::3/64
5. Enter the ipv6 nd managed-config-flag command to set the managed address configuration flag.
router(config-vif-100)# ipv6 nd managed-config-flag
The following example enables the forwarding of IPv6 traffic and configures an IPv6 address. The ipv6 nd managed-config-flag command is used to set the M flag to 1.
router# configure terminal
router(config)# ipv6 unicast-routing
router(config)# interface ve 100
router(config-vif-100)# ipv6 address 8fef:400:efdd:301::3/64
router(config-vif-100)# ipv6 nd managed-config-flag
Displaying DHCPv6 Server Information
Various show commands can display statistical information about DHCPv6 Servers.
Use one or more of the following commands to verify DHCPv6 Server information. Using these commands is optional, and the variations of the command can be entered in any order.
1. Enter the show ipv6 dhcp6-server command with the global keyword to display global information for the DHCPv6 server.
device> show ipv6 dhcp6-server global
IPV6 DHCP6 SERVER GLOBAL CONFIGURATION SUMMARY:
Preferred lifetime: 111
Valid lifetime: 222
Renewal time(t1%): 0
Rebind time(t1%): 0
Refresh time(t1%): 0
Enable Rapid Commit: No
Domain Name:
2. Enter the show ipv6 dhcp6-server command with the lease keyword to display information about the DHCPv6 server lease entries.
device> show ipv6 dhcp6-server lease
IA-NA: Client IP addr: 3ffe:501:ffff:100:dc87:7c42:d4fb:ba7e
Preffered-lifetime: 121
Binding State: active
Valid lifetime : 200
Expires at : 2018/10/09 17:42:42
3. Enter the show ipv6 dhcp6-server command with the subnet6 keyword to display information about all the subnets configured on a device. The first subnet, “3efd:320:ddee:202::/64”, has range6 configured as a range of ipv6 addresses. The second subnet, “3ffe:501:ffff:100::/64”, has range6 configured as a prefix.
device> show ipv6 dhcp6-server subnet6
******IPV6 DHCP6 SERVER SUBNETS CONFIGURATION SUMMARY *********
---------------------------------------------------
Subnet6 : 3efd:320:ddee:202::/64
Subnet Name :
Preferred lifetime : 0
Valid lifetime : 0
Domain Name :
Range6 prefix : ::/0
Range6: 3efd:320:ddee:202::5
: 3efd:320:ddee:202::15
DNS Servers:
---------------------------------------------------
Subnet6 : 3ffe:501:ffff:100::/64
Subnet Name :
Preferred lifetime : 0
Valid lifetime : 0
Domain Name :
Range6 prefix : 3ffe:501:ffff:100::/64
DNS Servers:
4. Enter the show ipv6 dhcp6-server command with the subnet6 keyword, and specify an IPv6 prefix address to display information about a specific subnet configured on a device.
device> show ipv6 dhcp6-server subnet6 3ffe:501:ffff:100::/64
******IPV6 DHCP6 SERVER SUBNETS CONFIGURATION SUMMARY *********
---------------------------------------------------
Subnet6 : 3ffe:501:ffff:100::/64
Subnet Name : testname
Preferred lifetime : 40
Valid lifetime : 100
Domain Name : www.test.com
Range6 prefix : 3ffe:501:ffff:100::/64
Prefix6 : ::/0
DNS Servers:
Vericaon of DHCPv6 Server Status
Various commands can be used for the purpose of verifying the DHCPv6 server status.
Use one or more of the following commands to verify DHCPv6 Server status. Using these commands is oponal, and the variaons of the command
can be entered in any order.
1. Enter the hmon client status command with the all-clients keyword to display details on the operaonal status of Health Monitor clients.
device# hmon client status all-clients
Check the status of the DHCP client in the output. The status shows Up if the server is up and running. If the status is Faulty, this might
indicate some missing conguraon or a port being down. The status is displayed as Faulty when the server is sll not Up aer a series of
retries. Fixing the conguraon or port down issue will bring the server Up again.
2. Enter the hmon client stascs command with the all-clients keyword to display client stascs.
device# hmon client statistics all-clients
Check the status of the DHCP client in the output.
3. Enter the show ip os-interface command with the port-info stascs keyword to display the tap interfaces that are created for the
interfaces and the stascs on the tap interface.
device# show ip os-interface port-info statistics
Check the status of the DHCP client in the output.
Vericaon in Linux Mode
1. Telnet to the remote IP reach Linux mode. Use the ps-aef and grep dhcpd to check if the dhcpd process is running.
2. Verify the conguraon in the dhcpd.conf le in the /etc path in Linux.
3. Verify the dhcpd6.leases le in the /etc path and in the /fast_iron path for the lease le in the ash.
Prex Delegaon
Prex delegaon allows a DHCPv6 server assign prexes chosen from a global pool to DHCPv6 clients. The DHCPv6 client can then congure an IPv6
address on its LAN interface using the received prex. It then sends router adversements that include the prex, allowing other devices to use
auto-conguraon to congure their own IPv6 addresses.
The PD device will be connected to the DHCPv6 server. The DHCPv6 server should have prex6 congured. The PD device receives the prex from
the DHCPv6 server. The hosts connected to the PD device receives the IPv6 address in the prex received by the PD device.
The following example assigns a range of IPv6 prexes to a subnet.
device# configure terminal
device(config)# ipv6 dhcp6-server enable
device(config-dhcp6)# subnet6 3ffe:501:ffff:100::/64
device(config-dhcpv6-subnet)# prefix6 3ffe:501:ffff:100::/64 3ffe:501:ffff:103::/64
Prex Delegaon for ICX DHCPv6 Servers in Layer 3 Soware Images
Prex delegaon allows a DHCPv6 server to assign prexes selected from a global pool to DHCPv6 clients (requesng routers). The DHCPv6 client
can then congure an IPv6 address on its LAN interface using the received prex. The DHCPv6 client then sends router adversements that include
the prex, allowing other devices to use auto-conguraon to congure their own IPv6 addresses. The PD device (requesng routers) is connected
to the DHCPv6 server (ICX box). The DHCPv6 server must have prex6 congured. The PD device receives the prex from the DHCPv6 server. The
hosts connected to the PD device receive the IPv6 address in the prex received by the PD device.
The following illustraon shows delegated prex addressing congured for an ICX device.
FIGURE 22 Delegated Prefix Addressing Using DHCPv6
The following example assigns a range of IPv6 prefixes to a subnet. The prefix6 command is used to configure the prefix range for delegation to sub-routers.
device# configure terminal
device(config)# ipv6 dhcp6-server enable
device(config-dhcp6)# subnet6 2001:db8:0:1::/64
device(config-dhcpv6-subnet)# range6 2001:db8:0:1::129 2001:db8:0:1::254
device(config-dhcpv6-subnet)# prefix6 2001:db8:0:100::/56 2001:db8:0:f00::/56
The following conguraon example shows a sample conguraon for an ICX device with the prex delegaon feature and DHCPv6 server enabled
on a Layer 3 soware image.
!
ipv6 dhcp6-server enable
subnet6 2001:db8:0:1::/64
prefix6 2001:db8:0:100::/56 2001:db8:0:f00::/56
range6 2001:db8:0:1::129 2001:db8:0:1::254
exit
!
ipv6 unicast-routing
!
interface ve 4080
ipv6 address 2001:db8:0:1::100/6
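To see what a prefix6 range actually hands out, the following Python sketch (an added example, not part of the RUCKUS guide) enumerates the delegable prefixes between the two bounds and lists any that overlap the server's own subnet6, a condition worth reviewing before deployment. It assumes the range is inclusive of both bounds and steps in units of the stated prefix length; the inputs are the two prefix6 examples from this section.

```python
import ipaddress


def delegable_prefixes(first, last):
    """List every prefix from first to last, inclusive, at their shared length."""
    low = ipaddress.IPv6Network(first)
    high = ipaddress.IPv6Network(last)
    if low.prefixlen != high.prefixlen:
        raise ValueError("prefix6 bounds must have the same prefix length")
    if high.network_address < low.network_address:
        raise ValueError("prefix6 upper bound is below the lower bound")
    step = low.num_addresses                  # size of one delegated prefix
    base = int(low.network_address)
    count = (int(high.network_address) - base) // step + 1
    return [ipaddress.IPv6Network((base + k * step, low.prefixlen))
            for k in range(count)]


def review_pool(subnet6, first, last):
    """Summarise a prefix6 pool and its overlap with the serving subnet6."""
    link = ipaddress.IPv6Network(subnet6)
    pool = delegable_prefixes(first, last)
    length = pool[0].prefixlen
    return {
        "count": len(pool),
        "first": str(pool[0]),
        "last": str(pool[-1]),
        # Number of /64 LANs a requesting router can carve from one prefix.
        "lan_64s_each": 2 ** (64 - length) if length <= 64 else 0,
        "overlaps_subnet6": [str(p) for p in pool if p.overlaps(link)],
    }


if __name__ == "__main__":
    # Values from the Layer 3 prefix delegation example in this section.
    print(review_pool("2001:db8:0:1::/64",
                      "2001:db8:0:100::/56", "2001:db8:0:f00::/56"))
    # Values from the first prefix6 example in this section.
    print(review_pool("3ffe:501:ffff:100::/64",
                      "3ffe:501:ffff:100::/64", "3ffe:501:ffff:103::/64"))
```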
© 2020 CommScope, Inc. All rights reserved.
350 West Java Dr., Sunnyvale, CA 94089 USA
https://www.commscope.com