
AlliedWare™ OS

How To Use DHCP Snooping, Option 82, and Filtering on AT-8800, AT-8600, AT-8700XL, Rapier, and Rapier i Series Switches

Introduction

It has increasingly become a legal requirement for service providers to identify which of their customers was using a specific IP address at a specific time. This means that service providers must be able to:

- Know which customer was allocated an IP address at any time.
- Guarantee that customers cannot avoid detection by spoofing an IP address that was not actually allocated to them.

These security features provide a traceable history in the event of an official query. Three components are used to provide this traceable history:

- DHCP snooping
- DHCP Option 82
- DHCP filtering

With DHCP snooping an administrator can control port-to-IP connectivity by:

- permitting port access to specified IP addresses only
- permitting port access to DHCP-issued IP addresses only
- dictating the number of IP clients on any given port
- passing location information about an IP client to the DHCP server
- permitting only known IP clients to ARP
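All five controls derive from one binding table that the switch builds by watching DHCP server replies on trusted ports and then checking traffic from untrusted ports against it. The Python model below is an added illustration, not code from this document or from AlliedWare OS; the port numbers, MAC and IP addresses are constructed, and the Option 82 encoder follows RFC 3046 sub-options 1 (circuit ID) and 2 (remote ID).

```python
from dataclasses import dataclass


@dataclass
class Binding:
    ip: str
    mac: str
    port: int


class SnoopingDatabase:
    """Simplified model of a DHCP snooping binding database (constructed example)."""

    def __init__(self, trusted_ports, max_leases=None):
        self.trusted = set(trusted_ports)      # ports facing the DHCP server / uplink
        self.max_leases = max_leases or {}     # port -> maximum IP clients allowed
        self.bindings = {}                     # ip -> Binding

    def add_static(self, ip, mac, port):
        # Static binding: permit a fixed address on a port without a DHCP lease.
        self.bindings[ip] = Binding(ip, mac, port)

    def leases_on(self, port):
        return sum(1 for b in self.bindings.values() if b.port == port)

    def on_dhcp_ack(self, server_port, client_port, client_mac, ip):
        # Only server replies seen on trusted ports create bindings; a reply
        # arriving on a customer port comes from a rogue server and is dropped.
        if server_port not in self.trusted:
            return "drop: server reply on untrusted port"
        limit = self.max_leases.get(client_port)
        if limit is not None and self.leases_on(client_port) >= limit:
            return "drop: maxleases exceeded"
        self.bindings[ip] = Binding(ip, client_mac, client_port)
        return "bind"

    def check_sender(self, port, src_ip, src_mac):
        # Shared check for IP packets and ARP: traffic from an untrusted port is
        # forwarded only if (ip, mac, port) matches a snooped or static binding.
        if port in self.trusted:
            return "forward"
        b = self.bindings.get(src_ip)
        if b is not None and b.port == port and b.mac == src_mac:
            return "forward"
        return "drop: no binding for sender"


def option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    # Relay agent information option (RFC 3046): code 82, total length, then
    # sub-option 1 (circuit ID, e.g. port/VLAN) and sub-option 2 (remote ID).
    subs = bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id
    return bytes([82, len(subs)]) + subs
```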

This document explains each feature and provides the minimum configuration to enable them. There are also two configuration examples that make advanced use of the features.

C613-16086-00 REV B

www.alliedtelesis.com
