Allied Telesis AT-8700XL Series, Rapier i Series manual Dhcp filtering, Configuring filtering


DHCP filtering

The purpose of DHCP filtering is to prevent IP addresses from being falsified or ‘spoofed’. This guarantees that customers cannot avoid detection by spoofing an IP address that was not actually allocated to them.

DHCP filtering is achieved by creating dynamic classifiers. Each dynamic classifier is configured with DHCP snooping placeholders for the source IP address (and optionally the source MAC address) that the classifier matches on.

The dynamic classifiers are attached to filters, which are applied to a port. Only those packets with a source IP address that matches one of the IP addresses allocated to the devices connected to that port are allowed through.

Figure: DHCP snooping topology. The DHCP server is connected to a trusted port of the access device; Client A and Client B are connected to non-trusted ports.

Configuring filtering

The switch can be configured to block all packets arriving from clients, unless their source addresses are those known by the switch to have been allocated to the clients by DHCP.

Note: The filtering does not, of course, block DHCP packets. In fact, the DHCP snooping process creates a filter which forces DHCP packets to the CPU before any other filters can process the packet.

To configure the maximum number of leases, and therefore the maximum number of dynamic permit filters, that will be created on a port:

set dhcpsnooping port=<port-list> maxlease=<number>

When DHCP snooping is enabled, one blocking filter rule is set up on each port. Then, a permit rule for each client is set up in the switch’s hardware filtering table after a DHCP exchange is successfully completed. These dynamic filtering rules are added for each unique DHCP client until there are maxlease number of entries on that port, or the switch has run out of filter resources.
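The filter behaviour described above, modelled in Python as an added illustration (this is not AlliedWare OS code, and the class and method names are assumptions): one blocking rule per non-trusted port, DHCP packets always diverted to the CPU, a dynamic permit rule learned per completed DHCP exchange, and no further rules once a port reaches its maxlease count or the switch runs out of filter resources.

```python
"""Constructed model of per-port DHCP-snooping filters (hypothetical names)."""
from dataclasses import dataclass, field


@dataclass
class Port:
    trusted: bool = False                # DHCP server side vs. customer side
    maxleases: int = 1                   # the 'maxlease' setting for this port
    bindings: dict = field(default_factory=dict)  # ip -> mac learned by snooping


class SnoopingSwitch:
    """A blocking rule per non-trusted port plus one permit rule per lease."""

    def __init__(self, filter_capacity):
        self.ports = {}
        self.filter_capacity = filter_capacity   # total hardware filter entries
        self.filters_used = 0

    def add_port(self, number, trusted=False, maxleases=1):
        self.ports[number] = Port(trusted=trusted, maxleases=maxleases)
        if not trusted:
            self.filters_used += 1   # blocking rule installed on each non-trusted port

    def learn_lease(self, port, ip, mac):
        """Called when a DHCP exchange completes for a client on this port.

        Returns True when a dynamic permit rule was added, False otherwise.
        """
        p = self.ports[port]
        if p.trusted or ip in p.bindings:
            return False
        if len(p.bindings) >= p.maxleases:
            return False             # maximum number of leases exceeded
        if self.filters_used >= self.filter_capacity:
            return False             # switch has run out of filter resources
        p.bindings[ip] = mac
        self.filters_used += 1       # dynamic permit rule for this client
        return True

    def permit(self, port, src_ip, src_mac, is_dhcp=False):
        """Decide what happens to a packet arriving on the given port."""
        if is_dhcp:
            return "cpu"             # DHCP is forced to the CPU before other filters
        p = self.ports[port]
        if p.trusted:
            return "forward"
        if p.bindings.get(src_ip) == src_mac:
            return "forward"         # matches an allocated (IP, MAC) pair
        return "drop"                # unknown or spoofed source address


def demo():
    """Constructed scenario: a trusted uplink and two customer ports."""
    sw = SnoopingSwitch(filter_capacity=4)
    sw.add_port(1, trusted=True)
    sw.add_port(2, maxleases=1)
    sw.add_port(3, maxleases=2)
    before = sw.permit(2, "10.0.0.5", "aa:aa")          # drop: no lease yet
    sw.learn_lease(2, "10.0.0.5", "aa:aa")              # DHCP exchange completed
    after = sw.permit(2, "10.0.0.5", "aa:aa")           # forward
    spoofed = sw.permit(2, "10.0.0.6", "aa:aa")         # drop: IP not allocated
    return before, after, spoofed


if __name__ == "__main__":
    print(demo())
```

The model keys each permit rule on the (IP, MAC) pair, which corresponds to a classifier configured with both source-address placeholders; a deployment that matches on source IP only would compare `src_ip` alone.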

Page 11 AlliedWare™ OS How To Note: DHCP Snooping on Rapier-style switches
