Allied Telesis AT-8600 Series manual


DHCP filtering

a maximum of 13 leases and ports 3 to 8 given 1 lease each. After that, no port could have its leases increased because the filter resource is completely used up.

Note: On Allied Telesis switches, IGMP snooping and MLD snooping are enabled by default and occupy 2 filter entries. To dedicate 119 entries to DHCP snooping, IGMP and MLD snooping would need to be disabled with the commands "disable igmpsnooping" and "disable mldsnooping". Disabling these services is not desirable if multicasting is used in the network.

If other hardware filters are used, they will eat into the filter resource, so your maximum leases (and also your QoS classifiers) will be reduced.

Example on a Rapier 24i

If leases are 2 on ports 1 and 2 but 5 on ports 3 to 8, then the number of filter resources used is:

(2 entries * 2 ports) + (5 entries * 6 ports) = 34 entries

If ARP security is enabled, add 1:

(2 entries * 2 ports) + (5 entries * 6 ports) + 1 = 35 entries

So, the number of available filter resources left for other hardware filters, QoS classifiers or more leases is:

(119 maximum entries) – (34 used) = 85 entries

Or, if ARP security is enabled, is:

(119 maximum entries) – (35 used) = 84 entries

Page 13 AlliedWare™ OS How To Note: DHCP Snooping on Rapier-style switches

C613-16086-00 REV B