Huawei S3700-28TP-PWR-SI 02354133 User Manual

At the access layer, the enterprise side has the following requirements:
- So that the enterprise side can use the AR to perform secure filtering, policy scheduling,
  and accounting for the traffic, the ARs need to perform Layer 3 forwarding for the traffic
  of different user hosts in different networks. The ARs, however, cannot forward packets
  through Layer 2 switching.
- The efficiency of address assignment needs to be improved to save IPv4 addresses. Address
  assignment is more effective if a host is assigned an address from a large address pool
  rather than from a small and independent network segment.
To implement user isolation at the access layer and meet the preceding requirements of the
enterprise-side, the MAC-Forced Forwarding (MFF) protocol is introduced.
MFF is a security protocol that isolates the user hosts accessing the same device. When MFF is
running, its security program applies to any shared access media, bringing no extra problems to
these networks.
In addition to Layer 2 isolation, the AN that runs MFF discards any upstream broadcast packets
except for DHCP packets and ARP request packets. The AN discards DHCP response packets
received through the subscriber line and limits the rate of DHCP broadcast packets.
The AN that runs MFF must track the IPv4 addresses allocated to the subscriber line so that it
can discard upstream traffic with fake IPv4 source addresses.
4.8 DHCP
DHCP Client and DHCP Server
DHCP adopts the client/server mode, that is, the DHCP client sends request messages to the
DHCP server. Then, the DHCP server returns the reply messages according to the address pool
policy.
The DHCP server assigns an IP address to the client by using an address pool. When the client
sends a DHCP request to the server, the DHCP server selects a proper address pool, finds an
idle IP address from the pool, and delivers the IP address along with other related parameters,
such as the gateway address, the DNS address and the address lease, to the client.
To dynamically allocate IP addresses to clients, you need to first configure the address pool
range on the DHCP server. Currently, an address pool can be configured with only one address
range and the address range is determined by the mask length.
DHCP Snooping
The S3700 can be deployed between the DHCP server and the DHCP client, where it monitors the
DHCP messages exchanged between them. The S3700 creates the IP+MAC+PORT+VLAN binding table
according to the monitoring result to filter out invalid packets.
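The binding-table filtering described above, modelled in Python as an added example (not Huawei code and not taken from the manual). The class, port names, MAC addresses and IP addresses are constructed, and matching a server reply to a request by client MAC alone is a simplifying assumption.

```python
class SnoopingSwitch:
    """Simplified model of a DHCP snooping device; all names are hypothetical."""
    SERVER_MSGS = {"OFFER", "ACK", "NAK"}

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # ports facing the DHCP server
        self.pending = {}                  # client MAC -> (port, vlan) of its REQUEST
        self.bindings = {}                 # leased IP -> (mac, port, vlan)

    def on_dhcp(self, port, vlan, msg_type, client_mac, ip=None):
        """Snoop one DHCP message; return 'forward' or 'drop'."""
        if msg_type in self.SERVER_MSGS:
            if port not in self.trusted:
                return "drop"              # server reply arriving on a user port
            if msg_type == "ACK" and client_mac in self.pending:
                # Bind the leased IP to where the client's REQUEST was seen.
                c_port, c_vlan = self.pending.pop(client_mac)
                self.bindings[ip] = (client_mac, c_port, c_vlan)
            return "forward"
        if msg_type == "REQUEST":
            self.pending[client_mac] = (port, vlan)
        elif msg_type == "RELEASE":
            if self.bindings.get(ip) != (client_mac, port, vlan):
                return "drop"              # release not sent by the lease holder
            del self.bindings[ip]
        return "forward"

    def on_data(self, port, vlan, src_mac, src_ip):
        """Filter a non-DHCP packet against the IP+MAC+PORT+VLAN table."""
        if port in self.trusted:
            return "forward"
        ok = self.bindings.get(src_ip) == (src_mac, port, vlan)
        return "forward" if ok else "drop"

def run_constructed_trace():
    """Constructed traffic: 'ge1' is the trusted port, 'e1' and 'e2' are user ports."""
    sw = SnoopingSwitch(trusted_ports={"ge1"})
    a, b = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    return [
        sw.on_dhcp("e1", 10, "REQUEST", a),
        sw.on_dhcp("e2", 10, "ACK", a, "192.0.2.99"),   # reply from a user port
        sw.on_dhcp("ge1", 10, "ACK", a, "192.0.2.10"),  # reply from the trusted port
        sw.on_data("e1", 10, a, "192.0.2.10"),          # matches the binding
        sw.on_data("e2", 10, b, "192.0.2.10"),          # source IP leased to another host
        sw.on_data("e1", 20, a, "192.0.2.10"),          # right host, wrong VLAN
    ]
```
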
The S3700 also supports Option 82.
- After receiving a Request message from the DHCP client, the S3700 appends the Option
  82 field to the Request message. The DHCP server enforces the IP address allocation policy
  according to the Option 82 field.
S3700HI Ethernet Switches
Product Description
4 Service Features
Issue 05 (2012-10-20)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.