SMC Networks SMC8150L2 DHCP Snooping Configuration

DHCP Snooping

3-187

3

the packet will only be forwarded if the client’s hardware address stored in the

DHCP packet is the same as the source MAC address in the Ethernet header.

• If the DHCP packet is not a recognizable type, it is dropped.

• If a DHCP packet from a client passes the filtering criteria above, it will only be

forwarded to trusted ports in the same VLAN.

• If a DHCP packet is from server is received on a trusted port, it will be forwarded

to both trusted and untrusted ports in the same VLAN.

If the DHCP snooping is globally disabled, all dynamic bindings are removed from

the binding table.

Additional considerations when the switch itself is a DHCP client – The port(s)

through which the switch submits a client request to the DHCP server must be

configured as trusted. Note that the switch will not add a dynamic entry for itself to

the binding table when it receives an ACK message from a DHCP server. Also,

when the switch sends out DHCP client packets for itself, no filtering takes place.

However, when the switch receives any messages from a DHCP server, any packets

received from untrusted ports are dropped.

DHCP Snooping Configuration

Command Attributes

•DHCP Snooping Status – Enables or disables DHCP snooping globally.

•DHCP Snooping MAC-Address Verification – Enables or disables MAC address

verification. DHCP packets will be dropped if the source MAC address in the

Ethernet header of the packet is not same as the client’s hardware address in the

DHCP packet.

Web – Click DHCP Snooping, Configuration.

Figure 3-114 DHCP Snooping Configuration

CLI – This example first enables DHCP Snooping, and then enables DHCP

Snooping MAC-Address Verification.

Console(config)#ip dhcp snooping 4-231

Console(config)#ip dhcp snooping verify mac-address 4-235

Console(config)#

Contents

Main Page Page Page Contents Page Page Page Page Page Page Page Page Page Page Page Page Page Tables Page Page Page Figures Page Page Page 1-1 Chapter 1: Introduction Key Features Table 1-1 Key Features 1-2 Description of Software Features Description of Software Features 1-3 1-4 Page 1-6 System Defaults System Defaults 1-7 Table 1-2 System Defaults (Continued) Page 2-1 Chapter 2: Initial Configuration Connecting to the Switch Configuration Options 2-2 Required Connections 2-3 Remote Connections Basic Configuration Console Connection 2-4 Setting Passwords Setting an IP Address Manual Configuration 2-5 Dynamic Configuration 2-6 Enabling SNMP Management Access Community Strings (for SNMP version 1 and 2c clients) 2-7 Trap Receivers 2-8 Configuring Access for SNMP Version 3 Clients Saving Configuration Settings Managing System Files 2-9 Managing System Files Page 3-1 Chapter 3: Configuring the Switch Using the Web Interface 3-2 Navigating the Web Browser Interface Home Page 3-3 Configuration Options Panel Display 3-4 Main Menu 3-5 3-6 3-7 3-8 3-9 3-10 Basic Configuration Displaying System Information 3-11 Displaying Switch Hardware/Software Versions 3-12 Web Click System, Switch Information. Figure 3-4 Switch Information CLI Use the following command to display version information. 3-13 Displaying Bridge Extension Capabilities 3-14 Setting the Switchs IP Address Page 3-16 Using DHCP/BOOTP 3-17 Enabling Jumbo Frames Managing Firmware 3-18 Downloading System Software from a Server 3-19 Saving or Restoring Configuration Settings 3-20 Downloading Configuration Settings from a Server 3-21 Console Port Settings 3-22 3-23 Telnet Settings 3-24 3-25 Configuring Event Logging Displaying Log Messages 3-26 System Log Configuration 3-27 Remote Log Configuration 3-28 Simple Mail Transfer Protocol 3-29 3-30 Renumbering the System Resetting the System 3-31 Setting the System Clock Configuring SNTP 3-32 Setting the Time Zone 3-33 Simple Network Management Protocol Setting Community Access Strings 3-34 Specifying Trap Managers and Trap Types 3-35 Enabling SNMP Agent Status 3-36 Configuring SNMPv3 Management Access Setting the Local Engine ID 3-37 Specifying a Remote Engine ID Configuring SNMPv3 Users 3-38 3-39 3-40 Configuring Remote SNMPv3 Users 3-41 Configuring SNMPv3 Groups 3-42 3-43 3-44 3-45 Setting SNMPv3 Views 3-46 User Authentication Configuring User Accounts 3-47 3-48 Configuring Local/Remote Logon Authentication 3-49 Page 3-51 CLI Specify all the required parameters to enable logon authentication. 3-52 Configuring HTTPS 3-53 Replacing the Default Secure-site Certificate 3-54 Configuring the Secure Shell 3-55 3-56 Configuring the SSH Server 3-57 Generating the Host Key Pair 3-58 3-59 Configuring Port Security 3-60 Configuring 802.1X Port Authentication 3-61 Displaying 802.1X Global Settings 3-62 Configuring 802.1X Global Settings 3-63 Configuring Port Settings for 802.1X Page 3-65 3-66 Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port. 3-67 Access Control Lists Configuring Access Control Lists 3-68 Setting the ACL Name and Type 3-69 Configuring a Standard IP ACL Configuring an Extended IP ACL 3-70 3-71 3-72 Configuring a MAC ACL 3-73 Binding a Port to an Access Control List 3-74 Filtering IP Addresses for Management Access 3-75 3-76 Port Configuration Displaying Connection Status 3-77 3-78 Configuring Interface Connections 3-79 3-80 Creating Trunk Groups 3-81 Statically Configuring a Trunk } active links statically configured 3-82 Enabling LACP on Selected Ports } } Page 3-84 Configuring LACP Parameters 3-85 3-86 You can display statistics for LACP protocol messages. Displaying LACP Port Counters 3-87 CLI The following example displays LACP counters. 3-88 Displaying LACP Settings and Status for the Local Side 3-89 Figure 3-55 LACP - Port Internal Information 3-90 Displaying LACP Settings and Status for the Remote Side 3-91 Setting Broadcast Storm Thresholds 3-92 Figure 3-57 Port Broadcast Control 3-93 Configuring Port Mirroring 3-94 Configuring Rate Limits Rate Limit Configuration 3-95 Showing Port Statistics 3-96 3-97 Page Address Table Settings 3-99 Address Table Settings Setting Static Addresses 3-100 Displaying the Address Table Page 3-102 Changing the Aging Time Spanning Tree Algorithm Configuration 3-103 3-104 3-105 Displaying Global Settings 3-106 3-107 Configuring Global Settings 3-108 3-109 3-110 3-111 Displaying Interface Settings 3-112 3-113 3-114 Configuring Interface Settings 3-115 3-116 Configuring Multiple Spanning Trees Page 3-118 CLI This example sets STA attributes for port 1, , followed by settings for each port. Displaying Interface Settings for MSTP 3-111 Page 3-120 Configuring Interface Settings for MSTP Displaying Interface Settings on page 3-111 for additional information.) 3-121 3-122 VLAN Configuration IEEE 802.1Q VLANs 3-123 Assigning Ports to VLANs 3-124 3-125 Forwarding Tagged/Untagged Frames Enabling or Disabling GVRP (Global Setting) 3-126 Displaying Basic VLAN Information Displaying Current VLANs 3-127 3-128 Creating VLANs 3-129 Adding Static Members to VLANs (VLAN Index) 3-130 3-131 Adding Static Members to VLANs (Port Index) 3-132 Configuring VLAN Behavior for Interfaces 3-133 Configuring IEEE 802.1Q Tunneling 3-134 3-135 3-136 3-137 Enabling QinQ Tunneling on the Switch 3-138 Adding an Interface to a QinQ Tunnel Page 3-140 3-141 Configuring Private VLANs Enabling Private VLANs 3-142 Configuring Uplink and Downlink Ports Protocol VLANs Protocol VLAN Group Configuration Page 3-144 Class of Service Configuration Layer 2 Queue Settings Setting the Default Priority for Interfaces 3-145 Mapping CoS Values to Egress Queues 3-146 3-147 Enabling CoS Selecting the Queue Mode 3-148 Setting the Service Weight for Traffic Classes 3-149 Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values Selecting IP Precedence/DSCP Priority 3-150 Mapping IP Precedence 3-151 3-152 Mapping DSCP Priority 3-153 Mapping IP Port Priority 3-154 Quality of Service 3-155 Configuring Quality of Service Parameters Configuring a Class Map 3-156 Page 3-158 Creating QoS Policies 3-159 3-160 3-161 Attaching a Policy Map to Ingress Queues 3-162 Multicast Filtering Layer 2 IGMP (Snooping and Query) 3-163 Configuring IGMP Snooping and Query Parameters 3-164 Enabling IGMP Immediate Leave 3-165 Displaying Interfaces Attached to a Multicast Router 3-166 Specifying Static Interfaces for a Multicast Router 3-167 Displaying Port Members of Multicast Services 3-168 Assigning Ports to Multicast Services 3-169 IGMP Filtering and Throttling 3-170 Enabling IGMP Filtering and Throttling 3-171 Configuring IGMP Filtering and Throttling for Interfaces 3-172 Configuring IGMP Filter Profiles 3-173 3-174 Multicast VLAN Registration 3-175 Configuring Global MVR Settings 3-176 Displaying MVR Interface Status Page 3-178 Displaying Port Members of Multicast Groups 3-179 Configuring MVR Interface Status 3-180 Assigning Static Multicast Groups to Interfaces 3-181 Configuring Domain Name Service Configuring General DNS Service Parameters 3-182 3-183 Configuring Static DNS Host to Address Entries 3-184 3-185 Displaying the DNS Cache 3-186 DHCP Snooping DHCP Snooping 3-187 DHCP Snooping Configuration 3-188 DHCP Snooping VLAN Configuration DHCP Snooping Information Option Configuration DHCP Snooping 3-189 DHCP Snooping Port Configuration 3-190 DHCP Snooping Binding Information IP Source Guard 3-191 IP Source Guard IP Source Guard Port Configuration 3-192 Static IP Source Guard Binding Configuration IP Source Guard 3-193 Dynamic IP Source Guard Binding Information 3-194 Switch Clustering Switch Clustering 3-195 Cluster Configuration 3-196 Cluster Member Configuration Switch Clustering 3-197 Cluster Member Information 3-198 Cluster Candidate Information 4-1 Chapter 4: Command Line Interface Using the Command Line Interface Accessing the CLI Console Connection 4-2 Telnet Connection 4-3 Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion Getting Help on Commands Showing Commands The command show interfaces ? will display the following information: 4-5 Partial Keyword Lookup Negating the Effect of Commands Using Command History Understanding Command Modes 4-6 Exec Commands 4-7 Configuration Commands 4-8 Command Line Processing Command Groups 4-9 Command Groups 4-10 Line Commands 4-11 line login 4-12 password 4-13 timeout login response exec-timeout 4-14 password-thresh 4-15 silent-time databits 4-16 parity 4-17 speed stopbits 4-18 disconnect show line 4-19 General Commands enable 4-20 disable 4-21 configure show history 4-22 reload end 4-23 exit quit 4-24 System Management Commands Device Designation Commands prompt 4-25 hostname User Access Commands username 4-26 enable password 4-27 IP Filter Commands management 4-28 show management 4-29 Web Server Commands ip http port 4-30 ip http server ip http secure-server 4-31 ip http secure-port 4-32 Telnet Server Commands ip telnet port 4-33 ip telnet server Secure Shell Commands 4-34 4-35 ip ssh server 4-36 ip ssh timeout 4-37 ip ssh authentication-retries ip ssh server-key size 4-38 delete public-key ip ssh crypto host-key generate 4-39 ip ssh crypto zeroize ip ssh save host-key 4-40 show ip ssh show ssh 4-41 show public-key 4-42 4-43 Event Logging Commands logging on 4-44 logging history 4-45 logging host logging facility 4-46 logging trap clear logging 4-47 show logging 4-48 show log 4-49 SMTP Alert Commands logging sendmail host 4-50 logging sendmail level 4-51 logging sendmail source-email logging sendmail destination-email 4-52 logging sendmail show logging sendmail 4-53 Time Commands sntp client 4-54 sntp server 4-55 sntp poll show sntp 4-56 clock timezone calendar set 4-57 show calendar System Status Commands show startup-config 4-58 4-59 show running-config 4-60 Example Related Commands show startup-config (4-57) 4-61 show system show users 4-62 show version 4-63 Frame Size Commands jumbo frame 4-64 Flash/File Commands copy 4-65 4-66 The following example shows how to copy the running configuration to a startup file. The following example shows how to download a configuration file: 4-67 delete 4-68 dir 4-69 whichboot boot system 4-70 Authentication Commands Authentication Sequence 4-71 authentication login Page 4-73 RADIUS Client 4-74 radius-server host radius-server port 4-75 radius-server key radius-server retransmit 4-76 radius-server timeout show radius-server 4-77 TACACS+ Client tacacs-server host tacacs-server port 4-78 tacacs-server key show tacacs-server 4-79 Port Security Commands port security 4-80 4-81 802.1X Port Authentication dot1x system-auth-control 4-82 dot1x default dot1x max-req dot1x port-control 4-83 dot1x operation-mode 4-84 dot1x re-authenticate dot1x re-authentication dot1x timeout quiet-period 4-85 dot1x timeout re-authperiod dot1x timeout tx-period 4-86 show dot1x 4-87 4-88 4-89 Access Control List Commands 4-90 IP ACLs access-list ip 4-91 permit, deny (Standard ACL) permit, deny (Extended ACL) 4-92 4-93 show ip access-list ip access-group 4-94 show ip access-group 4-95 MAC ACLs access-list mac 4-96 permit, deny (MAC ACL) 4-97 show mac access-list 4-98 mac access-group show mac access-group 4-99 ACL Information show access-list show access-group 4-100 SNMP Commands 4-101 snmp-server show snmp 4-102 snmp-server community 4-103 snmp-server contact snmp-server location 4-104 snmp-server host 4-105 4-106 snmp-server enable traps 4-107 snmp-server engine-id 4-108 show snmp engine-id 4-109 snmp-server view 4-110 show snmp view snmp-server group 4-111 4-112 show snmp group Example 4-113 snmp-server user 4-114 4-115 show snmp user This command shows information on SNMP users. Command Mode Example Table 4-41 show snmp user - display description 4-116 Interface Commands interface 4-117 description speed-duplex 4-118 negotiation 4-119 capabilities 4-120 flowcontrol 4-121 shutdown 4-122 switchport broadcast packet-rate clear counters 4-123 show interfaces status 4-124 show interfaces counters 4-125 show interfaces switchport 4-126 Example This example shows the configuration setting for port 24. Table 4-43 Interfaces Switchport Statistics Mirror Port Commands 4-127 Mirror Port Commands port monitor 4-128 show port monitor Rate Limit Commands 4-129 Rate Limit Commands rate-limit 4-130 Link Aggregation Commands 4-131 channel-group 4-132 lacp 4-133 lacp system-priority 4-134 lacp admin-key (Ethernet Interface) 4-135 lacp admin-key (Port Channel) 4-136 lacp port-priority show lacp 4-137 Default Setting Port Channel: all Command Mode Table 4-47 show lacp counters - display description 4-138 Table 4-48 show lacp internal - display description 4-139 Table 4-49 show lacp neighbors - display description Table 4-50 show lacp sysid - display description 4-140 Address Table Commands mac-address-table static Address Table Commands 4-141 clear mac-address-table dynamic show mac-address-table 4-142 mac-address-table aging-time Page 4-144 Spanning Tree Commands 4-145 spanning-tree spanning-tree mode 4-146 spanning-tree forward-time 4-147 spanning-tree hello-time 4-148 spanning-tree max-age spanning-tree priority 4-149 spanning-tree pathcost method 4-150 spanning-tree transmission-limit spanning-tree mst-configuration 4-151 mst vlan mst priority 4-152 name 4-153 revision max-hops 4-154 spanning-tree spanning-disabled spanning-tree cost 4-155 spanning-tree port-priority 4-156 spanning-tree edge-port spanning-tree portfast 4-157 spanning-tree link-type 4-158 spanning-tree mst cost 4-159 spanning-tree mst port-priority 4-160 spanning-tree protocol-migration show spanning-tree 4-161 4-162 show spanning-tree mst configuration This command shows the configuration of the multiple spanning tree. Command Mode 4-163 VLAN Commands GVRP and Bridge Extension Commands 4-164 bridge-ext gvrp show bridge-ext 4-165 switchport gvrp show gvrp configuration 4-166 garp timer show garp timer 4-167 Editing VLAN Groups vlan database 4-168 vlan 4-169 Configuring VLAN Interfaces interface vlan 4-170 switchport mode 4-171 switchport acceptable-frame-types switchport ingress-filtering 4-172 switchport native vlan 4-173 switchport allowed vlan 4-174 switchport forbidden vlan 4-175 Displaying VLAN Information show vlan 4-176 Configuring IEEE 802.1Q Tunneling dot1q-tunnel system-tunnel-control 4-177 switchport dot1q-tunnel mode 4-178 switchport dot1q-tunnel tpid Related Commands show dot1q-tunnel 4-179 Configuring Private VLANs pvlan 4-180 show pvlan 4-181 Configuring Protocol-based VLANs protocol-vlan protocol-group (Configuring Groups) 4-182 protocol-vlan protocol-group (Configuring Interfaces) 4-183 show protocol-vlan protocol-group show interfaces protocol-vlan protocol-group 4-184 Priority Commands Priority Commands (Layer 2) 4-185 queue mode switchport priority default 4-186 queue bandwidth 4-187 queue cos-map 4-188 show queue mode show queue bandwidth 4-189 show queue cos-map Priority Commands (Layer 3 and 4) map ip dscp (Global Configuration) 4-190 map ip dscp (Interface Configuration) 4-191 show map ip dscp 4-192 Quality of Service Commands 4-193 4-194 class-map match 4-195 policy-map 4-196 class 4-197 set 4-198 police 4-199 service-policy show class-map 4-200 show policy-map show policy-map interface Example 4-201 Multicast Filtering Commands IGMP Snooping Commands 4-202 ip igmp snooping ip igmp snooping vlan static 4-203 ip igmp snooping version ip igmp snooping leave-proxy 4-204 ip igmp snooping immediate-leave show ip igmp snooping 4-205 show mac-address-table multicast 4-206 IGMP Query Commands (Layer 2) ip igmp snooping querier ip igmp snooping query-count 4-207 ip igmp snooping query-interval 4-208 ip igmp snooping query-max-response-time ip igmp snooping router-port-expire-time 4-209 Static Multicast Routing Commands ip igmp snooping vlan mrouter 4-210 show ip igmp snooping mrouter 4-211 IGMP Filtering and Throttling Commands ip igmp filter (Global Configuration) 4-212 ip igmp profile permit, deny 4-213 range ip igmp filter (Interface Configuration) 4-214 ip igmp max-groups 4-215 ip igmp max-groups action show ip igmp filter 4-216 show ip igmp profile show ip igmp throttle interface 4-217 Multicast VLAN Registration Commands 4-218 mvr (Global Configuration) 4-219 mvr (Interface Configuration) 4-220 4-221 show mvr 4-222 The following displays information about the interfaces attached to the MVR VLAN: Table 4-74 show mvr interface - display description Table 4-75 show mvr members - display description IP Interface Commands IP Interface Commands ip address 4-224 ip default-gateway IP Interface Commands 4-225 ip dhcp restart show ip interface 4-226 show ip redirects ping IP Source Guard Commands 4-227 IP Source Guard Commands ip source-guard 4-228 IP Source Guard Commands 4-229 ip source-guard binding 4-230 show ip source-guard show ip source-guard binding 4-231 DHCP Snooping Commands ip dhcp snooping 4-232 4-233 ip dhcp snooping vlan 4-234 ip dhcp snooping trust 4-235 ip dhcp snooping verify mac-address ip dhcp snooping information option 4-236 ip dhcp snooping information policy 4-237 show ip dhcp snooping show ip dhcp snooping binding Switch Cluster Commands 4-238 cluster 4-239 cluster commander cluster ip-pool 4-240 cluster member rcommand 4-241 show cluster show cluster members 4-242 show cluster candidates A-1 Appendix A: Software Specifications Software Features Software Specifications A-2 A Management Features Standards Management Information Bases A-3 A Management Information Bases Page B-1 Appendix B: Troubleshooting Problems Accessing the Management Interface Troubleshooting B-2 B Using System Logs Glossary Page Page Page Page Page Index Index-1 Numerics A B Index-2 F G H I Index-3 P Q R S Index-4 T U V W Page 20 Mason Irvine, CA 92618 Phn: 949-679-8000 www.smc.com SMC8126L2 SMC8150L2