Manuals / Allied Telesis / Computer Equipment / Switch

Allied Telesis AT-8600 Series, Rapier i Series manual Introduction, AlliedWareTM OS

Models: AT-8700XL Series AT-8600 Series Rapier i Series

1 26

Download 26 pages 29.76 Kb

Page 1

AlliedWareTM OS

AlliedWareTM OS

How To Use DHCP Snooping, Option 82, and Filtering on AT-8800, AT-8600, AT-8700XL, Rapier, and Rapier i Series Switches

Introduction

It has increasingly become a legal requirement for service providers to identify which of their customers were using a specific IP address at a specific time. This means that service providers must be able to:

zKnow which customer was allocated an IP address at any time.

zGuarantee that customers cannot avoid detection by spoofing an IP address that was not actually allocated to them.

These security features provide a traceable history in the event of an official query. Three components are used to provide this traceable history:

zDHCP snooping

zDHCP Option 82

zDHCP filtering

With DHCP snooping an administrator can control port-to-IP connectivity by:

zpermitting port access to specified IP addresses only

zpermitting port access to DHCP issued IP addresses only

zdictating the number of IP clients on any given port

zpassing location information about an IP client to the DHCP server

zpermitting only known IP clients to ARP

This document explains each feature and provides the minimum configuration to enable them. There are also two configuration examples that make advanced use of the features.

C613-16086-00 REV B

www.alliedtelesis.com

Image 1

Allied Telesis AT-8600 Series, Rapier i Series, AT-8700XL Series manual Introduction, AlliedWareTM OS

Contents

AlliedWareTM OS Introductionz AT-8800 series z AT-8600 series z AT-8700XL series Which products and software version does this information apply to?z Rapier and Rapier i series Minimum configuration Related How To NotesDHCP snooping The database Database survival across rebootsDHCP snooping database time-out Verifying the status of snooped usersList of terms Enabling DHCP snooping Trusted and non-trusted portsStatic binding So the database is empty Completely removing the DHCP snooping databaseDHCP snooping DHCP Option DHCP OptionExample Packet Protocol detailsAnalysis Configuring OptionDHCP filtering Configuring filteringDHCP snooping filter show command X To enable DHCP snooping ARP securityARP security Resource considerationsX or if ARP security is enabled, is X If ARP security is enabled, addExample on a Rapier X Configure a private VLAN for customers Configuration examplesX Add the tagged uplink ports to the VLAN X Enable DHCP snooping and Option 82 supportX Add the untagged ports for the customers X Define the DHCP snooping trusted portsX Define the upstream QoS flow groups X Create a set of QoS classifiersX Create a traffic class for all upstream flow groups X Add ports to the VLANs X Configure two VLANs for layer 3 access to the DHCP servercreate vlan=Customers vid=48 create vlan=Network vid=50 add vlan=48 port=1-24 add vlan=50 port=25X Define the DHCP snooping trusted port X For layer 3 support, enable the BOOTP RelayX Enable DHCP snooping and Option 82 support X Configure the switch’s IPX Define the upstream QoS flow groups X Create a set of QoS classifiersX Create a traffic class for all upstream flow groups No trusted ports configured TroubleshootingMaximum number of leases is exceeded The DHCP client continually sends requests instead of a discoverDHCPSNProcess 0b47ee6c Error adding entry to DB DHCPSNDB Updating entryId 7. FlagsSwitch is dropping ARPs DHCPSNARP 02680e6c ARP to be forwarded, sender validated Troubleshootingtrusted ports UntaggedNoneThe show log command is also very useful Displaying log entriesTroubleshooting Appendix 1 ISC DHCP server Appendix 1 ISC DHCP serverif exists agent.circuit-id