Allied Telesis Rapier i Series, AT-8600 Series manual ARP security, Resource considerations


DHCP filtering

ARP security

It is also possible to enable DHCP snooping ARP security. If enabled this will ensure that ARP packets received on non-trusted ports are only permitted if they originate from an IP address that has been allocated by DHCP.

To enable DHCP snooping ARP security:

enable dhcpsnooping arpsecurity

DHCP snooping filter show command

To see what addresses have been inserted into filters using DHCP snooping classifiers, use the command show dhcpsnooping filter:

Manager > show dhcpsnooping filter

DHCPSnooping ACL ( 150 entries )
ClassID FlowID Port EntryID IP Address/Port/Mac
----------------------------------------------------------------------
60161   0      16   3       10.11.67.50/16/00-03-47-6b-a5-7a
61161   0      16   3       10.11.67.50/16/00-03-47-6b-a5-7a
62161   0      16   3       10.11.67.50/16/00-03-47-6b-a5-7a
...


List of terms:

The FlowID refers to the associated QoS FlowGroup.

The EntryID refers to the associated entry in the DHCP snooping database.

The ClassID refers to the dynamically created classifier entry.

Resource considerations

Because of the potential for classifier replication, you need to be cautious about running out of classifier resource. Some resource calculations are provided below.

When configuring DHCP classifiers it is possible to run out of classifier resource, especially when using QoS and hardware filter classifiers as well.

When DHCP snooping is enabled on an AT-8600, AT-8800, AT-8700XL, Rapier or Rapier i series switch, it reserves only one blocking rule for each port (unlike on AT-9900 and x900 series switches). Each block of eight ports, starting from ports 1 to 8, shares 127 available entries in the filter resource. Eight entries are immediately used by blocking rules, so the actual number of available leases is 119 over eight ports.

Because 119 entries must be shared between eight ports, the average maximum number of leases per port is 14. However, port 1 could be given a maximum of 100 leases, port 2 given
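The following Python script is an added example, not part of this How To Note. It models the figures stated above (127 entries per block of eight ports, one blocking rule per port, 119 entries left for leases) so that a planned set of per-port maxleases values can be checked for oversubscription before it is configured, and it counts existing entries per block from the layout of the show dhcpsnooping filter output. It assumes, as the calculation above does, that one lease consumes one filter entry; the sample output it parses is constructed for the example.

```python
import re
from collections import Counter

ENTRIES_PER_BLOCK = 127          # filter entries shared by each block of eight ports
PORTS_PER_BLOCK = 8
BLOCKING_RULES_PER_PORT = 1      # Rapier-style switches reserve one blocking rule per port
LEASE_CAPACITY = ENTRIES_PER_BLOCK - PORTS_PER_BLOCK * BLOCKING_RULES_PER_PORT  # 119


def block_of(port: int) -> int:
    """Ports 1-8 share block 0, ports 9-16 share block 1, and so on."""
    return (port - 1) // PORTS_PER_BLOCK


def check_maxleases(plan: dict) -> dict:
    """plan maps port number -> planned maxleases value.

    Returns {block: (requested, headroom)}; a negative headroom means the
    block's 119 lease entries are oversubscribed and some leases would fail.
    """
    requested = Counter()
    for port, leases in plan.items():
        requested[block_of(port)] += leases
    return {b: (n, LEASE_CAPACITY - n) for b, n in sorted(requested.items())}


# Constructed sample in the layout of 'show dhcpsnooping filter' (not captured
# from a real switch); the lease on port 16 is replicated across three classifiers.
SAMPLE_OUTPUT = """\
DHCPSnooping ACL ( 150 entries )
ClassID FlowID Port EntryID IP Address/Port/Mac
----------------------------------------------------------------------
60161   0      16   3       10.11.67.50/16/00-03-47-6b-a5-7a
61161   0      16   3       10.11.67.50/16/00-03-47-6b-a5-7a
62161   0      16   3       10.11.67.50/16/00-03-47-6b-a5-7a
60162   0      3    4       10.11.67.51/3/00-03-47-6b-a5-7b
"""

# One data row: ClassID FlowID Port EntryID IP/Port/MAC
ROW = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)/(\d+)/([0-9a-f-]{17})$")


def entries_per_block(output: str) -> dict:
    """Count classifier entries per eight-port block from the show output."""
    used = Counter()
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            used[block_of(int(m.group(3)))] += 1
    return dict(used)
```

Compare the per-block counts from entries_per_block against LEASE_CAPACITY to see how close a block is to exhausting its filter resource.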

Page 12 AlliedWare™ OS How To Note: DHCP Snooping on Rapier-style switches
