Allied Telesis Rapier i Series manual Dhcp snooping, Related How To Notes, Minimum configuration


Related How To Notes

The following How To Note describes DHCP snooping on AT-9900, x900-48 and AT-8948 series switches:

• How To Use DHCP Snooping, Option 82, and Filtering on AT-9900 and x900-48 Series Switches

The following How To Notes also use DHCP snooping in their solutions:

• How To Use MAC-Forced Forwarding with DHCP Snooping to Create Enhanced Private VLANs

• How To Create A Secure Network With Allied Telesis Managed Layer 3 Switches

• How To Use DHCP Snooping and ARP Security to Block ARP Poisoning Attacks

How To Notes are available from the library at www.alliedtelesis.com/resources/literature/howto.aspx.

DHCP snooping

DHCP snooping forces all DHCP packets to be sent up to the switch CPU before forwarding. The switch CPU then keeps a database of the IP addresses that are currently allocated to downstream clients and the switch ports that the relevant clients are attached to.

Note: The switch CPU does not store a history log. The DHCP server does this.

DHCP snooping performs two main tasks:

• Keeping a record of which IP addresses are currently allocated to hosts downstream of the ports on the switch.

• Deciding which packets are candidates for having Option 82 information inserted, and actively filtering out packets that are deemed to be invalid DHCP packets (according to criteria described below).

Note: Option 82 must be enabled separately.

Minimum configuration

The following shows the minimum configuration required to use DHCP snooping and provide filtered connectivity. With this configuration a client will be able to receive a DHCP address and access the IP network. If the client manually changes its IP address, it will not be permitted to access the IP network. The administrator will also be able to see the current valid entries in the DHCP snooping database.

    #DHCP Snooping configuration
    enable dhcpsnooping
    set dhcpsnooping port=24 trusted=yes
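To make the two tasks concrete (the binding database the switch CPU keeps, and the filtering that stops a client using an address it was not leased, as with the minimum configuration above), here is an added example that is not part of this How To Note and is not AlliedWare OS code: a toy snooping switch in Python. Port 24 is taken as the trusted uplink to match the configuration above; the port numbers, MAC addresses, IP addresses and DHCP frames in the scenario are constructed for the demo. The rules it applies are the generic DHCP snooping ones (server messages arriving on an untrusted port are dropped, a client's hardware address must match its source MAC, a binding is learned from the server's ACK and expires with the lease); the exact criteria the switch applies are described later in the note.

```python
"""Toy DHCP snooping switch (constructed example, not AlliedWare OS code).

It snoops DHCP message bodies (BOOTP header + options, no Ethernet/IP/UDP
headers), keeps a binding database of (port, client MAC) -> (IP, expiry),
and filters both DHCP messages and ordinary IP traffic against it."""
import struct
import time

BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE = 1, 2, 3, 5, 6, 7
SERVER_TYPES = {OFFER, ACK, NAK}        # only a DHCP server sends these
MAGIC = b"\x63\x82\x53\x63"             # DHCP magic cookie at offset 236


def build_dhcp(op, msg_type, xid, chaddr, yiaddr=b"\0\0\0\0", lease=None):
    """Build a constructed DHCP message for the demo (option 53, optional 51)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, yiaddr, b"\0" * 4, b"\0" * 4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, msg_type])
    if lease is not None:
        opts += bytes([51, 4]) + struct.pack("!I", lease)
    return hdr + MAGIC + opts + b"\xff"


def parse_dhcp(data):
    """Return (op, msg_type, xid, chaddr, yiaddr, lease), or None if malformed."""
    if len(data) < 240 or data[236:240] != MAGIC:
        return None
    op, _, hlen, _, xid, _, _, _, yiaddr, _, _, chaddr = struct.unpack(
        "!BBBBIHH4s4s4s4s16s", data[:44])
    msg_type, lease, i = None, None, 240
    while i < len(data) and data[i] != 255:        # 255 = end option
        if data[i] == 0:                           # 0 = pad option
            i += 1
            continue
        code, ln = data[i], data[i + 1]
        val = data[i + 2:i + 2 + ln]
        if code == 53 and ln == 1:
            msg_type = val[0]
        elif code == 51 and ln == 4:
            lease = struct.unpack("!I", val)[0]
        i += 2 + ln
    return op, msg_type, xid, chaddr[:hlen], yiaddr, lease


class SnoopingSwitch:
    def __init__(self, trusted_ports, now=time.time):
        self.trusted = set(trusted_ports)
        self.now = now                 # injectable clock so expiry can be tested
        self.pending = {}              # chaddr -> untrusted port that sent DISCOVER/REQUEST
        self.bindings = {}             # (port, chaddr) -> (ip bytes, expiry)

    def handle_dhcp(self, port, src_mac, data):
        """Snoop one DHCP message arriving on `port`; return 'forward' or 'drop:<reason>'."""
        parsed = parse_dhcp(data)
        if parsed is None:
            return "drop:malformed"
        op, msg_type, _xid, chaddr, yiaddr, lease = parsed
        if port not in self.trusted:
            if op == BOOTREPLY or msg_type in SERVER_TYPES:
                return "drop:server-message-on-untrusted-port"   # rogue server
            if chaddr != src_mac:
                return "drop:chaddr-mismatch"                     # spoofed client
            if msg_type in (DISCOVER, REQUEST):
                self.pending[chaddr] = port
            elif msg_type == RELEASE:
                self.bindings.pop((port, chaddr), None)
            return "forward"
        # Trusted port: learn a binding from the server's ACK for a known client.
        if msg_type == ACK and chaddr in self.pending:
            client_port = self.pending.pop(chaddr)
            expiry = self.now() + lease if lease is not None else float("inf")
            self.bindings[(client_port, chaddr)] = (yiaddr, expiry)
        elif msg_type == NAK:
            self.pending.pop(chaddr, None)
        return "forward"

    def filter_ip(self, port, src_mac, src_ip):
        """Allow an IP packet only if it matches a live binding on its ingress port."""
        if port in self.trusted:
            return True
        entry = self.bindings.get((port, src_mac))
        if entry is None:
            return False
        ip, expiry = entry
        if self.now() > expiry:
            del self.bindings[(port, src_mac)]   # lease timed out
            return False
        return ip == src_ip

    def show_database(self):
        return sorted((port, mac.hex(":"), ".".join(map(str, ip)))
                      for (port, mac), (ip, _) in self.bindings.items())


def run_scenario():
    """Constructed exchange: client on port 3, server behind trusted port 24, attacker on port 5."""
    clock = [1000.0]
    sw = SnoopingSwitch(trusted_ports={24}, now=lambda: clock[0])
    client, server, attacker = (bytes.fromhex(h) for h in
                                ("001122334455", "00aabbccddee", "00deadbeef00"))
    ip = bytes([10, 0, 0, 50])
    r = {}
    r["discover"] = sw.handle_dhcp(3, client, build_dhcp(BOOTREQUEST, DISCOVER, 0x1234, client))
    r["offer"] = sw.handle_dhcp(24, server, build_dhcp(BOOTREPLY, OFFER, 0x1234, client, ip))
    r["request"] = sw.handle_dhcp(3, client, build_dhcp(BOOTREQUEST, REQUEST, 0x1234, client))
    r["ack"] = sw.handle_dhcp(24, server, build_dhcp(BOOTREPLY, ACK, 0x1234, client, ip, lease=3600))
    r["database"] = sw.show_database()
    r["valid_ip"] = sw.filter_ip(3, client, ip)                      # leased address passes
    r["changed_ip"] = sw.filter_ip(3, client, bytes([10, 0, 0, 99]))  # manually changed IP blocked
    r["rogue_offer"] = sw.handle_dhcp(5, attacker, build_dhcp(BOOTREPLY, OFFER, 0x5555, client, ip))
    r["spoofed_discover"] = sw.handle_dhcp(5, attacker, build_dhcp(BOOTREQUEST, DISCOVER, 0x5555, client))
    r["unleased_host"] = sw.filter_ip(5, attacker, bytes([10, 0, 0, 7]))
    clock[0] += 3601                                                   # lease expires
    r["after_expiry"] = sw.filter_ip(3, client, ip)
    return r


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:18} {v}")
```

The binding is keyed on the ingress port as well as the MAC, which is what makes the "manually changed IP" case fail: a host that edits its address, or moves to another untrusted port, no longer matches the entry the ACK created. A real switch also has to handle renewals (a REQUEST with a unicast ACK refreshing the expiry) and leases that survive a reboot; those are covered in later sections of the note.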

AlliedWare™ OS How To Note: DHCP Snooping on Rapier-style switches

[Contents of the full How To Note, recovered from a garbled page-image caption: Introduction; Related How To Notes; Minimum configuration; DHCP snooping; Verifying the status of snooped users; Database survival across reboots; DHCP snooping database time-out; List of terms; Trusted and non-trusted ports; Enabling DHCP snooping; Static binding; Completely removing the DHCP snooping database; DHCP Option 82 (protocol details, example packet, analysis, configuring Option 82); DHCP filtering (configuring filtering, resource considerations); ARP security; Configuration examples (example on a Rapier, private VLAN for customers, layer 3 access to the DHCP server via BOOTP relay, QoS classifiers); Troubleshooting (no trusted ports configured, maximum number of leases exceeded, DHCP client continually sends requests instead of a discover, switch is dropping ARPs); Displaying log entries; Appendix 1: ISC DHCP server. Document number C613-16086-00 REV B.]