Reasons why the PC that has obtained an IP address from the DHCP server cannot access the Internet on S series switch

2

For S series switches (exclude S1700 switches), in normal situations, a PC can access the Internet after obtaining an IP address through DHCP. However, if the IP address is assigned by a bogus DHCP server, the PC cannot access the Internet with the incorrect IP address. If this problem occurs, you are advised to configure DHCP snooping on the Layer 2 access device or first DHCP relay agent from the device, to ensure that PCs can obtain correct IP addresses.
- When you configure DHCP snooping on a Layer 2 access device, steps 1, 2, and 3 are mandatory and must be performed in sequence.
- When you configure DHCP snooping on a DHCP relay agent, only steps 1 and 2 are required.
1. Enable DHCP snooping globally.
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
2. Configure the interfaces connected to DHCP clients. Perform the configuration on all interfaces connected to DHCP clients. GE0/0/1 is used as an example.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet0/0/1] quit
3. Perform the configuration on interfaces connected to the DHCP server. GE0/0/2 is used as an example.
[HUAWEI] interface gigabitethernet 0/0/2
[HUAWEI-GigabitEthernet0/0/2] dhcp snooping trusted
[HUAWEI-GigabitEthernet0/0/2] quit

Other related questions:
Reasons why users cannot obtain IP addresses after DHCP Snooping is configured on S series switch
After DHCP snooping is enabled, all interfaces on S series switches are untrusted by default. DHCP Discover packets, however, must be forwarded from a trusted interface on the switch. Therefore, you must configure the interface connected to the DHCP server as a trusted interface to ensure that users connected to the switch can obtain IP addresses.

Clients cannot obtain IP addresses through DHCP after the DHCP relay agent is upgraded
This problem may occur on a fixed switch in the following scenario: - The switch was upgraded from V100R002/V100R003 to V100R005/V100R006. - The switch functions as a DHCP relay agent and is configured with the dhcp relay information enable command. - An authentication mechanism is enabled before the DHCP server allocates an IP address to a client. The authentication server authenticates the client based on the option 82 field. After the dhcp relay information enable command is configured on the switch, the interface name that the switch encapsulates in the DHCP option 82 field varies according to the system software version: - For V100R003 and earlier versions, a VLANIF interface name is encapsulated. - For V100R005 and later versions, a physical interface name is encapsulated. As different interface names may be encapsulated in the option 82 field before and after the upgrade, the authentication server may fail to authenticate the user based on the option 82 field. If this problem occurs, modify the user authentication configuration on the authentication server after the upgrade. To be specific, change the content of the option 82 field on the authentication server to the physical interface name, or change the user authentication policy by disabling DHCP option 82 field-based authentication.

Intranet users can only obtain IP addresses through DHCP for Internet access on S series switches
Intranet users can only obtain IP addresses through DHCP for Internet access on S series switches excluding the S1700. The configuration procedure is as follows: 1. Configure a switch as the DHCP server. For details 2. Configure DHCP snooping. See the following DHCP snooping configuration. [HUAWEI] dhcp snooping enable [HUAWEI] interface GigabitEthernet2/0/0 //Enable the Layer 3 interface that is automatically assigned an IP address. [HUAWEI-GigabitEthernet2/0/0] dhcp snooping trusted //Configure the interface as the trusted interface. [HUAWEI-GigabitEthernet2/0/0] dhcp snooping enable //Enable DHCP snooping. [HUAWEI-GigabitEthernet2/0/0] ip source check user-bind enable //To prevent IP packets of unauthorized users from entering the external network through the switch, you can enable the IP packet check function on an interface or in a VLAN. After the IP packet check function is enabled, only the IP packets matching entries in the binding table are forwarded. After DHCP snooping is enabled, a dynamic binding table is generated. [HUAWEI-GigabitEthernet2/0/0] arp anti-attack check user-bind enable //After ARP packet check is enabled, the switch checks all the ARP packets passing through an interface or a VLAN against the binding table. Only the ARP packets matching the binding table are forwarded. [HUAWEI-GigabitEthernet2/0/0] quit [HUAWEI] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 //If users want to configure static IP addresses for Internet access, a static binding table must be configured.

On an S series switch enabled with DHCP snooping, the reason why the user cannot obtain the IP address after changing the terminal's location
On an S series switch enabled with DHCP snooping, a binding table is generated on the switch after a user obtains an IP address. If the user is switched to another interface of the device without releasing the IP address, the user cannot obtain the IP address or access the network. The corresponding binding table has been generated. The user attempts to apply for the same IP address with the same MAC address on a different interface. In this case, the switch does not know whether the user has switched to another interface or an unauthorized user attempts to access the network; therefore, the switch does not modify the binding table. As a result, the user fails to obtain the IP address and access the network. To solve this problem, you can delete the binding table from the switch.

Failure to obtain IP addresses from DHCP server
For S series switches (except S1700 switches), a client may fail to obtain an IP address from the DHCP server due to the following: - Incorrect configuration - No available IP address in the address pool - STP enabled on the upper-layer access device of diskless workstations For the fault locating and troubleshooting procedure, see the section "A Client Fails to Obtain an IP Address from a DHCP Server" in Configuration Guide �?IP Service.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top