DHCP filtering

ARP security

It is also possible to enable DHCP snooping ARP security. If enabled this will ensure that ARP packets received on non-trusted ports are only permitted if they originate from an IP address that has been allocated by DHCP.

To enable DHCP snooping ARP security:

enable dhcpsnooping arpsecurity

DHCP snooping filter show command

To see what addresses have been inserted into filters using DHCP snooping classifiers, use the command show dhcpsnooping filter:

Manager > show dhcpsnooping filter

DHCPSnooping ACL ( 150 entries )

ClassID FlowID Port EntryID IP Address/Port/Mac
----------------------------------------------------------------------
60161   0      16   3       10.11.67.50/16/00-03-47-6b-a5-7a
61161   0      16   3       10.11.67.50/16/00-03-47-6b-a5-7a
62161   0      16   3       10.11.67.50/16/00-03-47-6b-a5-7a
...


List of terms:

The FlowID refers to the associated QoS FlowGroup.

The EntryID refers to the associated entry in the DHCP snooping database.

The ClassID refers to the dynamically created classifier entry.

Resource considerations

Because of the potential for classifier replication, you need to be cautious about running out of classifier resource. Some resource calculations are provided below.

When configuring DHCP classifiers it is possible to run out of classifier resource, especially when using QoS and hardware filter classifiers as well.

When DHCP snooping is enabled on an AT-8600, AT-8800, AT-8700XL, Rapier or Rapier i series switch, it reserves only one blocking rule for each port (unlike on AT-9900 and x900 series switches). Each block of eight ports, starting from ports 1 to 8, shares 127 available entries in the filter resource. Eight of these entries are immediately used by the blocking rules, so the actual number of available leases is 119 over eight ports.

Because 119 entries must be shared between eight ports, the average maximum number of leases per port is 14. However, port 1 could be given a maximum of 100 leases, port 2 given
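To turn the figures above into a quick capacity check, here is an added example (not from the How To Note or from Allied Telesis) that parses output in the layout of show dhcpsnooping filter and reports, for each eight-port block, how many classifier entries are consumed, how many distinct leases (EntryID) they cover, and how much of the 119-entry budget is still free. The sample output, the function names parse_filter_output and block_usage, and the assumption that each listed classifier occupies one entry of the block's pool are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `show dhcpsnooping filter` (made-up values)
SAMPLE_OUTPUT = """\
DHCPSnooping ACL ( 5 entries )
ClassID FlowID Port EntryID IP Address/Port/Mac
----------------------------------------------------------------------
60161   0      16   3       10.11.67.50/16/00-03-47-6b-a5-7a
61161   0      16   3       10.11.67.50/16/00-03-47-6b-a5-7a
62161   0      16   3       10.11.67.50/16/00-03-47-6b-a5-7a
60162   0      2    4       10.11.67.51/2/00-03-47-6b-a5-7b
60163   0      9    5       10.11.67.52/9/00-03-47-6b-a5-7c
"""

# Figures from the How To Note for AT-8600/AT-8800/AT-8700XL/Rapier switches
PORTS_PER_BLOCK = 8           # ports 1-8, 9-16, ... each share one filter pool
ENTRIES_PER_BLOCK = 127       # filter entries available to each block
BLOCKING_RULES_PER_BLOCK = 8  # one blocking rule reserved per port on enable

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")

def parse_filter_output(text):
    """Return one dict per classifier row; header, rule and '...' lines skip."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        class_id, flow_id, port, entry_id, addr = m.groups()
        ip, _port_repeat, mac = addr.split("/")   # IP Address/Port/Mac column
        rows.append({"class_id": int(class_id), "flow_id": int(flow_id),
                     "port": int(port), "entry_id": int(entry_id),
                     "ip": ip, "mac": mac})
    return rows

def block_usage(rows):
    """Per eight-port block (0 = ports 1-8): classifiers consumed, distinct
    leases (EntryID) behind them, and filter entries still free. Assumes
    each listed classifier occupies one entry of the block's pool."""
    blocks = defaultdict(lambda: {"classifiers": 0, "leases": set()})
    for r in rows:
        b = blocks[(r["port"] - 1) // PORTS_PER_BLOCK]
        b["classifiers"] += 1
        b["leases"].add(r["entry_id"])
    free = ENTRIES_PER_BLOCK - BLOCKING_RULES_PER_BLOCK   # 119 on this hardware
    return {blk: {"classifiers": d["classifiers"], "leases": len(d["leases"]),
                  "remaining": free - d["classifiers"]}
            for blk, d in blocks.items()}
```

The three classifiers for EntryID 3 in the sample show why the report counts classifiers rather than leases: replicated classifiers for a single lease each consume an entry from the block's pool.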

Page 12 AlliedWare™ OS How To Note: DHCP Snooping on Rapier-style switches
