Allied Telesis Layer 3 Switches: Setting up DHCP snooping, Using static binding for rigid control

Page 16

Identifying the user

For more information about setting up DHCP snooping, see How To Use DHCP Snooping, Option 82 and Filtering on Rapier, AT-8800 and AT-8600 Series Switches or How To Use DHCP Snooping, Option 82 and Filtering on x900 Series Switches. These How To Notes are available from www.alliedtelesis.com/resources/literature/howto.aspx.

Setting up DHCP snooping

This section describes a minimal configuration for DHCP snooping. With this configuration, the switch snoops DHCP packets to build a database of allowed IP addresses, only sends DHCP messages to the port with the official DHCP server, and limits the number of clients attached to each port.

Configuration

1. Enable DHCP snooping.

2. Identify the port that your DHCP server is attached to, and configure it as a trusted port for DHCP snooping. The switch only forwards DHCP discover and request packets to trusted ports, so a DHCP server that a malicious user attaches to an untrusted port never receives client requests. This prevents DHCP server spoofing.

3. Set the number of leases permitted on each port.

4. For AT-8948, x900-48, and AT-9900 switches, add classifiers and a quality of service (QoS) configuration to permit traffic from addresses in the snooping database and filter all other IP traffic.

Example

To limit each port on a 24-port switch to 1 lease, when the DHCP server is on port 24:

enable dhcpsnooping

set dhcpsnooping port=24 trusted=yes

set dhcpsnooping port=1-23 maxlease=1

On AT-8948, x900-48 and AT-9900 switches, the snooping database is enforced through QoS: classifier 50 matches IP frames whose source MAC and source IP address are both in the DHCP snooping database and flow 50 forwards them, while classifier 51 matches all other IP frames and flow 51 discards them. The policy is applied to the untrusted ports only. Also add the following commands:

create classifier=50 macsaddr=dhcpsnooping prot=ip ipsaddr=dhcpsnooping
create classifier=51 protocol=ip
create qos policy=1
create qos trafficclass=1
create qos flow=50 action=forward
create qos flow=51 action=discard
add qos flow=50 classifier=50
add qos flow=51 classifier=51
add qos trafficclass=1 flow=50
add qos trafficclass=1 flow=51
add qos policy=1 trafficclass=1
set qos port=1-23 policy=1

Using static binding for rigid control

If there is no DHCP server, or if a host uses a static IP address, you can bind the host's MAC address and IP address to the port it is attached to. The entry is treated like a snooped lease: traffic from that host is permitted only when it arrives on that port with that source MAC and IP address.

Example

To specify that the host with MAC address 00-00-00-00-00-12 can legitimately use the IP address 172.16.0.12 on port 12, use the following command in addition to the configuration given in "Setting up DHCP snooping", above.

add dhcpsnooping binding=00-00-00-00-00-12 ip=172.16.0.12 interface=vlan1 port=12
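As an added illustration (not part of the original How To Note, and not Allied Telesis code), the following Python models the rules that the commands above configure: client DHCP requests from any port are forwarded to trusted ports only, server replies are accepted only from trusted ports, a committed lease is recorded as a (MAC, IP, port) binding subject to the per-port maxlease, a static binding is added directly, and ordinary IP traffic from an untrusted port passes only if it matches a binding on that port. The class, method and field names are invented, and the packet model is deliberately simplified (no option 82, no relay agents, no lease expiry; static bindings are not counted against maxlease, which is a modelling choice rather than documented switch behaviour).

```python
# Model of the DHCP snooping behaviour described on this page. Added
# illustration, not Allied Telesis code: class, method and message names are
# invented, and the packet model is simplified (no option 82, no relay, no expiry).
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

CLIENT_MSGS = {"DISCOVER", "REQUEST"}   # sent by clients, accepted from any port
SERVER_MSGS = {"OFFER", "ACK"}          # sent by servers, accepted from trusted ports only


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    port: int
    static: bool = False


@dataclass
class Frame:
    port: int                          # ingress port
    src_mac: str
    src_ip: Optional[str] = None       # None for DHCP client messages (source 0.0.0.0)
    dhcp: Optional[str] = None         # DHCP message type, or None for ordinary IP traffic
    client_mac: Optional[str] = None   # OFFER/ACK: the chaddr the lease is for
    yiaddr: Optional[str] = None       # OFFER/ACK: the offered/assigned address


class DhcpSnoopingSwitch:
    def __init__(self, ports: Iterable[int]):
        self.ports: Set[int] = set(ports)
        self.trusted: Set[int] = set()
        self.maxlease: Dict[int, int] = {}
        self.bindings: Dict[str, Binding] = {}   # keyed by client MAC
        self.client_port: Dict[str, int] = {}    # port each client last sent a request on
        self.log: List[str] = []

    # Equivalents of the CLI commands shown on this page.
    def set_trusted(self, port: int) -> None:                     # set dhcpsnooping port=N trusted=yes
        self.trusted.add(port)

    def set_maxlease(self, ports: Iterable[int], n: int) -> None:  # set dhcpsnooping port=... maxlease=N
        for p in ports:
            self.maxlease[p] = n

    def add_binding(self, mac: str, ip: str, port: int) -> None:  # add dhcpsnooping binding=... port=N
        # Assumption of this model: static bindings are an administrator decision
        # and are not counted against maxlease.
        self.bindings[mac] = Binding(mac, ip, port, static=True)

    def leases_on(self, port: int) -> int:
        return sum(1 for b in self.bindings.values() if b.port == port and not b.static)

    def _discard(self, why: str) -> Tuple[str, Set[int]]:
        self.log.append(why)
        return "discard", set()

    def forward(self, f: Frame) -> Tuple[str, Set[int]]:
        """Decide one frame's fate: ("forward", egress ports) or ("discard", set())."""
        if f.dhcp in CLIENT_MSGS:
            # Client requests reach trusted ports only, so a rogue server on an
            # untrusted port never sees a DISCOVER or REQUEST.
            self.client_port[f.src_mac] = f.port
            return "forward", self.trusted - {f.port}

        if f.dhcp in SERVER_MSGS:
            if f.port not in self.trusted:
                return self._discard(f"{f.dhcp} from untrusted port {f.port} (rogue server)")
            dest = self.client_port.get(f.client_mac)
            if dest is None:
                return self._discard(f"{f.dhcp} for client {f.client_mac} that never asked")
            if f.dhcp == "ACK" and f.client_mac not in self.bindings:
                # A new lease is being committed: enforce maxlease on the client's port.
                limit = self.maxlease.get(dest)
                if limit is not None and self.leases_on(dest) >= limit:
                    return self._discard(f"port {dest} already holds {limit} lease(s)")
                self.bindings[f.client_mac] = Binding(f.client_mac, f.yiaddr, dest)
            return "forward", {dest}

        # Ordinary IP traffic. Trusted ports are not filtered; an untrusted port
        # passes only frames whose source MAC and IP match a binding on that port
        # (classifier 50 -> forward; any other IP frame is classifier 51 -> discard).
        if f.port in self.trusted:
            return "forward", self.ports - {f.port}
        b = self.bindings.get(f.src_mac)
        if b is not None and b.ip == f.src_ip and b.port == f.port:
            return "forward", self.ports - {f.port}
        return self._discard(f"no binding for {f.src_mac}/{f.src_ip} on port {f.port}")


def page_example_switch() -> DhcpSnoopingSwitch:
    """The 24-port configuration from this page plus the static binding example."""
    sw = DhcpSnoopingSwitch(range(1, 25))
    sw.set_trusted(24)                                      # DHCP server on port 24
    sw.set_maxlease(range(1, 24), 1)                        # one lease per access port
    sw.add_binding("00-00-00-00-00-12", "172.16.0.12", 12)  # static host on port 12
    return sw
```

Feed `forward()` a DISCOVER from an access port, a rogue OFFER from another access port, an ACK from port 24 and then plain IP frames with a matching, a spoofed and a moved source, and `log` records each discard with the reason, which is the same information a practitioner looks for in the switch's own DHCP snooping counters and log when a client unexpectedly loses connectivity.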

Create A Secure Network With Allied Telesis Managed Layer 3 Switches


[Contents image: Create A Secure Network With Allied Telesis Managed Layer 3 Switches, C613-16103-00 REV A]