Allied Telesis Rapier i Series manual: Trusted and non-trusted ports, Enabling DHCP snooping


DHCP snooping

Trusted and non-trusted ports

The concept of trusted and non-trusted ports is fundamental to the operation of DHCP snooping:

• Trusted ports connect to a trusted entity in the network, and are under the complete control of the network manager.

• Non-trusted ports connect an untrusted entity to the trusted network.

• Non-trusted ports can connect to non-trusted ports.

In general, trusted ports connect to the network core, and non-trusted ports connect to subscribers.

DHCP snooping makes forwarding decisions based on the trust status of ports:

• BOOTP packets that contain Option 82 information received on untrusted ports are dropped.

• If Option 82 is enabled, the switch inserts Option 82 information into BOOTP REQUEST packets received from an untrusted port.

• BOOTP REQUEST packets that contain Option 82 information received on trusted ports do not have the Option 82 information updated with information for the receive port; the existing Option 82 information is kept.

• BOOTP REPLY packets (from servers) should come from a trusted source.

• The switch removes Option 82 information from BOOTP REPLY packets destined to an untrusted port.

• BOOTP REPLY packets received on non-trusted ports are dropped.
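The forwarding rules above, as an added example that simulates them in Python over constructed BOOTP/DHCP packets. This is not AlliedWare code and does not reproduce the switch's implementation; the Option 82 sub-option layout it uses (sub-option 1, circuit ID, carrying VLAN and port; sub-option 2, remote ID, carrying the switch MAC) is an assumption, since this page does not specify how the switch encodes it.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed simulation of the DHCP snooping port-trust rules; not switch code.
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
DHCPDISCOVER, DHCPOFFER = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_LEN = 240          # 236-byte BOOTP fixed fields + 4-byte magic cookie


@dataclass(frozen=True)
class Port:
    number: int
    vlan: int
    trusted: bool


def parse_options(opts: bytes) -> list[tuple[int, bytes]]:
    """Walk the DHCP option TLVs (RFC 2132): pad is one byte, end terminates the list."""
    items, i = [], 0
    while i < len(opts):
        code = opts[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = opts[i + 1]
        items.append((code, opts[i + 2:i + 2 + length]))
        i += 2 + length
    return items


def build_options(items: list[tuple[int, bytes]]) -> bytes:
    return b"".join(bytes([code, len(val)]) + val for code, val in items) + bytes([OPT_END])


def build_packet(op: int, items: list[tuple[int, bytes]]) -> bytes:
    """Minimal BOOTP frame: op in byte 0, zeroed fixed fields, magic cookie, then options."""
    header = bytearray(HEADER_LEN)
    header[0] = op
    header[236:240] = MAGIC_COOKIE
    return bytes(header) + build_options(items)


def option82_for(port: Port, switch_mac: bytes) -> bytes:
    """Assumed sub-option layout: 1 = circuit ID (VLAN, port), 2 = remote ID (switch MAC).
    The real AlliedWare encoding is not given on this page."""
    circuit = port.vlan.to_bytes(2, "big") + port.number.to_bytes(2, "big")
    return bytes([1, len(circuit)]) + circuit + bytes([2, len(switch_mac)]) + switch_mac


def snoop(pkt: bytes, in_port: Port, out_port: Port, option82_enabled: bool,
          switch_mac: bytes = b"\x00\x00\xcd\x00\x00\x01") -> tuple[str, bytes]:
    """Apply the trust rules to one BOOTP packet. Returns ("forward" | "drop", packet)."""
    op = pkt[0]
    items = parse_options(pkt[HEADER_LEN:])
    has_82 = any(code == OPT_RELAY_AGENT for code, _ in items)

    if not in_port.trusted:
        if op == BOOTREPLY:
            return "drop", pkt          # replies must arrive on a trusted port
        if has_82:
            return "drop", pkt          # Option 82 supplied by a subscriber is not accepted
        if option82_enabled:
            items.append((OPT_RELAY_AGENT, option82_for(in_port, switch_mac)))
            return "forward", build_packet(op, items)
        return "forward", pkt

    # Trusted ingress: a request keeps whatever Option 82 an upstream relay already added.
    if op == BOOTREQUEST:
        return "forward", pkt
    # A reply heading for an untrusted (subscriber) port has Option 82 stripped.
    if not out_port.trusted and has_82:
        items = [(c, v) for c, v in items if c != OPT_RELAY_AGENT]
        return "forward", build_packet(op, items)
    return "forward", pkt
```

Running `snoop` on a DISCOVER from an untrusted port with Option 82 enabled yields the same packet with an Option 82 TLV appended; an OFFER injected on a subscriber port, or a DISCOVER that already carries Option 82 from a subscriber, is dropped, which is the property that defeats rogue DHCP servers and forged relay-agent data.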

Enabling DHCP snooping

DHCP snooping is enabled globally by the command enable dhcpsnooping. All ports are untrusted by default. For DHCP snooping to do anything useful, at least one port must be trusted.

Static binding

If a device with a statically set IP address is attached to a port in the DHCP snooping port range, then, with filtering enabled, it must be statically bound to that port; without a binding its traffic is filtered, so the static binding is what preserves the device's IP connectivity to the rest of the network.

If a device with the IP address 172.16.1.202 and MAC address 00-00-00-00-00-ca is attached to VLAN 1 on port 2, then a static binding is configured by adding the following command to the basic DHCP configuration (see "Minimum configuration" on page 3):

add dhcpsnooping binding=00-00-00-00-00-CA interface=vlan1 ip=172.16.1.202 port=2

Adding a static binding uses a lease on the port. If the maximum leases on the port is 1 (the default), the static binding means that no device on the port can acquire an address by DHCP.
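The binding and lease accounting described in this section, as an added Python example that models it; it is not AlliedWare code. It assumes that filtering admits a frame from a snooped port only when the source MAC, source IP and port all match a binding, that a static binding on a full port is refused rather than evicting a dynamic lease, and that the per-port limit corresponds to the `set dhcpsnooping port=... maxleases=...` setting referenced in this note's troubleshooting section; none of those details are stated on this page.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed model of the DHCP snooping binding database; not switch code.


@dataclass(frozen=True)
class Binding:
    mac: str        # normalised to lowercase, dash-separated, as in the CLI example
    ip: str
    vlan: str
    port: int
    static: bool


def normalise_mac(mac: str) -> str:
    """Accept 00-00-00-00-00-CA or 00:00:00:00:00:ca and return 00-00-00-00-00-ca."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


class SnoopingDatabase:
    """Per-port binding table with a lease limit; static bindings consume a lease."""

    def __init__(self, default_maxleases: int = 1):
        self.default_maxleases = default_maxleases   # page: the default is 1 lease per port
        self.port_maxleases: dict[int, int] = {}
        self.bindings: list[Binding] = []

    def set_maxleases(self, port: int, n: int) -> None:
        """Assumed equivalent of 'set dhcpsnooping port=N maxleases=M'."""
        self.port_maxleases[port] = n

    def maxleases(self, port: int) -> int:
        return self.port_maxleases.get(port, self.default_maxleases)

    def leases_on(self, port: int) -> int:
        return sum(1 for b in self.bindings if b.port == port)

    def _add(self, mac: str, ip: str, vlan: str, port: int, static: bool) -> Binding | None:
        mac = normalise_mac(mac)
        existing = [b for b in self.bindings if b.mac == mac and b.port == port]
        # A renewal for a MAC already bound on this port re-uses its lease; a new MAC
        # needs a free lease, otherwise the "Maximum number of leases is exceeded" case.
        if not existing and self.leases_on(port) >= self.maxleases(port):
            return None
        for b in existing:
            self.bindings.remove(b)
        new = Binding(mac, ip, vlan, port, static)
        self.bindings.append(new)
        return new

    def add_static(self, mac: str, ip: str, vlan: str, port: int) -> Binding | None:
        """'add dhcpsnooping binding=MAC interface=VLAN ip=IP port=N'."""
        return self._add(mac, ip, vlan, port, static=True)

    def learn_dhcp(self, mac: str, ip: str, vlan: str, port: int) -> Binding | None:
        """Called when a snooped DHCP ACK for (mac, ip) is forwarded towards port."""
        return self._add(mac, ip, vlan, port, static=False)

    def permits(self, mac: str, ip: str, port: int) -> bool:
        """Filtering check: an IP frame from a snooped port passes only if source MAC,
        source IP and port all match a binding (assumed matching rule)."""
        mac = normalise_mac(mac)
        return any(b.mac == mac and b.ip == ip and b.port == port for b in self.bindings)
```

With the default of one lease per port, adding the static binding for 00-00-00-00-00-ca on port 2 fills the port: a subsequent DHCP ACK for a different MAC on port 2 is not recorded, and frames from that MAC are filtered, until `maxleases` on the port is raised.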

Page 6 AlliedWare™ OS How To Note: DHCP Snooping on Rapier-style switches
