Dhcp Snooping Overview, 142 | ZyXEL Communications MES-2110 specification

Chapter 19 IP Source Guard

19.1.1 DHCP Snooping Overview

Use DHCP snooping to filter unauthorized DHCP frames on the network and to build the binding table dynamically. This can prevent clients from getting IP addresses from unauthorized DHCP servers.

19.1.1.1 Trusted vs. Untrusted Ports

Every port is either a trusted port or an untrusted port for DHCP snooping. This setting is independent of the trusted/untrusted setting for ARP inspection. You can also specify the maximum number for DHCP frames that each port (trusted or untrusted) can receive each second.

Trusted ports are connected to DHCP servers or other switches. The MES-2110 discards DHCP frames from trusted ports only if the rate at which DHCP frames arrive is too high. The MES-2110 learns dynamic bindings from trusted ports.

Note: If DHCP is enabled and there are no trusted ports, DHCP requests will not succeed.

Untrusted ports are connected to subscribers. The MES-2110 discards DHCP frames from untrusted ports in the following situations:

•The frame is a DHCP server frame (for example, OFFER, ACK, or NACK).

•The source MAC address and source IP address in the frame do not match any of the current bindings.

•The frame is a RELEASE or DECLINE frame, and the source MAC address and source port do not match any of the current bindings.

•The rate at which DHCP frames arrive is too high.

19.1.1.2DHCP Snooping Static Binding Table

The MES-2110 stores the binding table in volatile memory. If the MES-2110 restarts, it loads static bindings from permanent memory but loses the dynamic bindings, in which case the devices in the network have to send DHCP requests again. As a result, it is recommended you configure the DHCP snooping database.

19.1.1.3 Configuring DHCP Snooping

Follow these steps to configure DHCP snooping on the MES-2110.

1Enable DHCP snooping on the MES-2110.

2Configure trusted and untrusted ports, and specify the maximum number of DHCP frames that each port can receive per second.

142

MES-2110 User’s Guide

Image 142

ZyXEL Communications MES-2110 manual Dhcp Snooping Overview, 142

Contents

MES-2110 Page About This Users Guide Intended Audience Customer Support Document Conventions Syntax Conventions Firewall MES-2110 Computer ServerDslam Telephone Router Safety Warnings Safety Warnings MES-2110 User’s Guide Contents Overview Contents Overview MES-2110 User’s Guide Table of Contents Chapter System Details 10.1 Igmp 137 Chapter Command Line Interface 179 Index 229 Table of Contents MES-2110 User’s Guide Overview IntroductionBackbone Application Bridging Example Backbone Application High Performance Switching Example Ieee 802.1Q Vlan Application Examples Shared Server Using Vlan Example Metro Ethernet Ways to Manage the MES-2110 Metro Ethernet Good Habits for Managing the MES-2110 Installation Scenarios Hardware Installation and ConnectionDesktop Installation Procedure Rack-mounted Installation Requirements Mounting the MES-2110 on a Rack Attaching the Mounting Brackets to the MES-2110 Attaching the Mounting Brackets Mounting the MES-2110 on a Rack Mounting the MES-2110 on a Rack Hardware Overview Front Panel Front Panel Connections Console PortGigabit Ethernet Ports Label Description Default Ethernet Negotiation Settings Mini-GBIC Slots Transceiver Installation Power Connections Overview Removing the Fiber Optic Cables AC Power Connection DC Power Connection LED Descriptions Powering on the MES-2110LEDs LED Color Statu Description Green Blinking Mbps Ethernet network Tutorials Igmp Snooping Radius Configuration Set Igmp Query Mode to Auto Tutorials Tutorials MVR Tutorial Values MVR ConfigurationSetting Value Based802.1q before proceeding Open the Configuration Igmp Menu MVR screen Tutorials For Pri-Overide, select Enable Vlan ID Priority Untrusted ARP Inspection Set Action to Enable and Dhcp Snooping Vlan Mode to All-VLAN Outgoing Traffic Bandwidth Frame Tagging Frame Tagging Example To configure frame tagging Tutorials MES-2110 User’s Guide System Login Web ConfiguratorIntroduction Web Configurator Login Web Configurator Main Screen Main Screen System Details Configuration Mgmt Config System Restart Menu Navigation Panel Sub-links Overview Snmp Web Configurator Screen Sub-links DetailsSystem Details Configuration Mgmt Config Restart Menu Sntp Link Description Navigation Panel LinksDhcp ARP Set Up the Administrative Password Saving Your ConfigurationMade on the MES-2110 and restart the MES-2110 Resetting the MES-2110 Switch LockoutReload the Configuration File Resetting the MES-2110 Via the Console Port System Details System Information Screen Board Information Screen IP address from a Dhcp server if Dhcp client is enabled Dhcp Configuration ScreenAddress, subnet mask and a default gateway IP address Undo Click this to restore your last saved settings Apply System Details Dhcp Config Apply Configuration Port Configuration Screen Truncated in some Web Configurator screens Auto Port Status Screen Duplex This indicates the port’s duplex mode Half or FullDisabled Manage the MES-2110 via that port Rmon Status Screen This shows whether auto-negotiation is On or Off RX+TX Configuration Rmon Status Switch in Loop State Loop Detection Loop Detection Screen Loop detection Probe Frame Enabled, the MES-2110 sends probe frames from this port to Snmp traps when it shuts down a port via the loop detectionFeature Down this port Loop Detection MES-2110 User’s Guide Jumbo Frame Jumbo Frame Configuration ScreenFrame Size Jumbo Frame MES-2110 User’s Guide Ieee 802.1x Authentication 802.1x Ieee 802.1x Authentication Process Guest Vlan 10.2 802.1x Global Configuration Screen Server UDP 10.3 802.1x Radius Server Configuration ScreenMES-2110. The key is not sent over the network Port Number 1812 Server 10.4 802.1x Port Configuration Screen Before configuring it on each port Reauthenticat Guest Vlan 10.5 802.1x Radius Server Configuration Screen Clients for port access Supported Radius Attributes Technical ReferenceRadius and TACACS+ Radius vs. TACACS+ Attributes Used for Authentication Attributes Used for Authenticating Privilege Access Radius Attributes Exec Events via Console Attribute Start INTERIM-UPDATE StopAttributes Used for Accounting Radius Attributes Exec Events via Telnet/SSH Attributes Used for Accounting Ieee 802.1x Events Radius Attributes-Exec Events via 802.1x MES-2110 User’s Guide STP Path Costs BridgeSTP Terminology Link Recommended Allowed Speed Value Range How STP Works Path 16Mbps 40 to Cost 100Mbps 10 to 1Gbps 10Gbps STP Port States Bridge Configuration ScreenSTP Port States Port Description State You select Rstp 802.1W in the Ring Protocol field Rstp System Configuration ScreenAre done configuring Tunnel port receives Bridge Protocol Data Units Bpdu Root Bridge Information Same priority, the switch with the lowest MAC address willDetermines Hello Time, Max Age and Forwarding Delay List box Selected from among the MES-2110 ports attached to Allowed range is 4 to 30 secondsAs a general rule Network. The allowed range is 6 to 40 seconds 255 and the default value is Spanning Tree Port ConfigurationCost 1~65535 Enter the port’s path cost P2P User Priority Introduction to Ieee 802.1Q Tagged VLANsTpid CFI Vlan ID Vlan Term Description Parameter Forwarding Tagged and Untagged FramesIeee 802.1Q Vlan Terminology Vlan Port-Based Vlan Screen Vlan Type ScreenVlan Type Use this to set the MES-2110 to Port-Based or Tag 100 Port-Based Vlan ConfigurationThen you cannot access the web configurator from a computer Connected to this port Vlan Stacking Example Tag-Based Vlan ScreensVlan Stacking 101 Vlan Stacking Port Roles 102 Vlan Tag Format Vlan Tag Format103 Type Priority Single and Double Tagged 802.11Q Frame Format Frame Format104 802.1Q Frame 105 Vlan Stacking Configuration ScreenSP Tpid 106 Spvid 107 Tag-Based Port Information ScreenPvid 108 Tag-Based Port Configuration ScreenEnter the Vlan ID from 1-4094 that you want to configure Select whether you want to Add or Modify a Vlan ID Management Vlan Screen 109 110 Unless your current access belongs to the new VlanManagement Vlan This is the current management Vlan Bandwidth Control Bandwidth Control Setup111 112 Broadcast Storm Control Broadcast Storm Control Setup113 114 Storm Control ConfigurationStorm Control Status Port Mirroring Port Mirroring Setup115 116 Volatile memory when you are done configuringSelect the monitor port number from the list Dynamic Link Aggregation Link Aggregation117 Static Trunking Example Link Aggregation ID Local SwitchLink Aggregation ID Peer Switch Link Aggregation ID Link Aggregation Setting 119 120 Link Aggregation Control ProtocolLacp 121 Lacp Link StatusMAC 122 Igmp Snooping IP Multicast Addresses123 Igmp Snooping and VLANs Igmp Configuration124 125 Igmp Vlan Igmp Vlan Query Mode 126 MVR Overview Igmp Status127 MVR Modes Types of MVR PortsHow MVR Works 128 General MVR Configuration 129 130 Disable to turn this feature offSelect Dynamic to send Igmp reports to all MVR source ports MVR Group Configuration 131 Drop-down list box Group Configuration132 MVR Group Status MVR Configuration Example 133 134 MVR Group Configuration Example 135 136 137 Dhcp Relay ConfigurationDhcp Relay Agent Information Relay Agent Information Bytes This is the Vlan that the port belongs to Dhcp Relay Configuration138 To a Dhcp server 139 Option82 Information 140 IP Source Guard 141 Dhcp Snooping Overview 142 Dhcp Snooping Configuration 143 144 Dhcp requests will not succeed Dhcp Binding Table Mode VLANs or specific VLANs to Dhcp servers Dhcp Snooping145 146 Ddhhmm ARP Inspection Screen Configuring ARP Inspection147 148 Addresses permanently 149 150 MAC 151 MAC Table Status Screen 152 Lock MAC Address Learning Screen Undo Click this to load your last saved settings ApplyMES-2110 or static manually configured 153 Port This is the port number Lock MAC Filter Configuration Screen154 To activate MAC address learning on the port 155 156 MAC Limit Configuration ScreenAddresses may access port 2 at any one time. a sixth device Aged out. MAC address aging out time can be set in the MAC QoS QoS Base Configuration Screen157 Configuring the Base Configuration Screen 158 159 802.1p Priority Table 160 161 Tag Priority TableIP Dscp Priority Table Number This is the Ieee 802.1p priority level Priority Configuration QoS Menu IP Dscp Priority 162 Priority Override Configuration Screen 163 164 Serial Port Configuration Screen Mgmt Config and System Restart Menu165 Snmp Configuration Screens 166 Snmp Communities Screen Snmp CommandsCommand Description IP Trap Manager Screen 168 Sntp ScreenTraps to 169 Alarms and Logs 170 171 Syslog User Password User Configuration ScreenCharacters using characters found on a standard keyboard 172 173 Cable Test ScreenPHY RX/TX 174 Host DoS ProtectionTest 175 Port Abnormal Traffic Detection ScreenFields below Upgrading the Firmware 176 Managing the Configuration File 177 Restarting the System 178 Console Port Management Command Line InterfaceSetting Default Value Logging Saving Changes Using Shortcuts and Getting HelpCommand / Keys Description 180 Basic Commands Command ModesExit Command Logging Out Basic Commands 182 Privileged Commands Privileged Command Mode183 184 185 Make while using the MES-2110Command line interface Permanently save any changes you 186 Configuration ModeConfiguration Mode Commands Ancillary Trigger Description 187 188 189 190 191 Address over Telnet 192 Igmp Snooping Example 193 Radius Configuration Example 194 This command to work MVR ModeMVR-Configuration Mode Commands 195 MVR Command Example 196 Vlan Mode Commands Vlan Mode197 Vlan ID Priority Example Interface Mode198 Interface Mode Commands 199 200 201 Bytes 1522 bytes + 4 bytes for 202Port, the port must allow frames Second tag to pass through it Outgoing Traffic Bandwidth Limit Example Sets the service provider Vlan ID of the current PortsUntrusted ARP Inspection Example 203 Frame Tagging Examples 204 205 206 Power, Hardware Connections, and LEDs Troubleshooting207 MES-2110 Access and Login 208 209 Advanced Suggestions 210 Pop-up Windows, JavaScript and Java Permissions MES-2110 Configuration and Console 211 My changes in the Web Configurator keep getting overwritten 212 213 214 Specification Description Product SpecificationsHardware Specifications 215 Feature Description Firmware Specifications216 217 Standards Supported 218Standard Description Removing a Fuse Installing a Fuse219 220 Common Services 221 222 Commonly Used ServicesName Protocol Ports Description 223 224 Certifications Copyright225 226 FCC Warning CE Mark Warning ZyXEL Limited Warranty 227 228 Index 229 230 231 MVR 127 configurationPassword 58 path cost 89, 93 port authentication TACACS+ Weighted round robin scheduling 232