Allied Telesis AT-8600 Series How To Use Manual

AlliedWare™ OS How To Note

Use DHCP Snooping, Option 82, and Filtering on AT-8800, AT-8600, AT-8700XL, Rapier, and Rapier i Series Switches

Introduction

It has increasingly become a legal requirement for service providers to identify which of their customers were using a specific IP address at a specific time. This means that service providers must be able to:

  • know which customer was allocated an IP address at any time
  • guarantee that customers cannot avoid detection by spoofing an IP address that was not actually allocated to them

These security features provide a traceable history in the event of an official query. Three components are used to provide this traceable history:

  • DHCP snooping
  • DHCP Option 82
  • DHCP filtering

With DHCP snooping an administrator can control port-to-IP connectivity by:

  • permitting port access to specified IP addresses only
  • permitting port access to DHCP-issued IP addresses only
  • limiting the number of IP clients on any given port
  • passing location information about an IP client to the DHCP server
  • permitting only known IP clients to ARP

This document explains each feature and provides the minimum configuration to enable them. There are also two configuration examples that make advanced use of the features.
C613-16086-00 REV B | www.alliedtelesis.com

Summary of Contents for Allied Telesis AT-8600 Series

  • Page 2: Table Of Contents

    The information provided in this document applies to the following switches, running AlliedWare version 2.7.6 and above: AT-8800 series, AT-8600 series, AT-8700XL series, Rapier and Rapier i series. ...
  • Page 3: Related How To Notes

    The following How To Notes also use DHCP snooping in their solutions: "How To Use MAC-Forced Forwarding with DHCP Snooping to Create Enhanced Private VLANs", "How To Create A Secure Network With Allied Telesis Managed Layer 3 Switches", and "How To Use DHCP Snooping and ARP Security to Block ARP Poisoning Attacks". How To Notes are available from the library at howto.aspx.
  • Page 4: The Database

    The database: The switch watches the DHCP packets that it is passing back and forth. It also maintains a database that lists the DHCP leases it knows are being held by devices downstream of its ports. Each lease in the database holds the following information: the MAC address of the client device, the IP address that was allocated to that client, the time until expiry...
  • Page 5: List of terms

    MAC Address: The MAC address of the snooped DHCP client. IP Address: The IP address that has been allocated to the snooped DHCP client. Expires: The time, in seconds, until the DHCP client entry will expire. VLAN: The VLAN to which the snooped DHCP client is connected. Port: The port to which the snooped DHCP client is connected.
  • Page 6: Trusted And Non-Trusted Ports

    Trusted and non-trusted ports: The concept of trusted and non-trusted ports is fundamental to the operation of DHCP snooping. Trusted ports connect to a trusted entity in the network, and are under the complete control of the network manager. Non-trusted ports connect an untrusted entity to the trusted network. Non-trusted ports can connect to non-trusted ports.
  • Page 7: Completely Removing The Dhcp Snooping Database

    Completely removing the DHCP snooping database: To completely remove the database, it is necessary to delete the file nvs:bindings.dsn.

        Manager > delete fi=nvs:bindings.dsn
        nvs:bindings.dsn successfully deleted
        1 file deleted.
        Info (1056003): Operation successful.
        Manager > enable dhcpsnooping
        DHCPSN_DB: Reloading static entries...
        Info (1137057): DHCPSNOOPING has been enabled.
  • Page 8: Dhcp Option 82

    DHCP Option 82: The DHCP Relay Agent Information Option (Option 82) is an extension to the Dynamic Host Configuration Protocol (DHCP), and is defined in RFC 3046 and RFC 3993. DHCP Option 82 can be used to send information about DHCP clients to the authenticating DHCP server.
  • Page 9: Protocol Details

    Protocol details: In the DHCP packet, the Option 82 segment is organized as a single DHCP option containing one or more sub-options that convey information known by the relay agent. The format of the option is shown in the note as a field diagram [diagram not recoverable from this extract; only the leading Code field survives]. The sub-options within the DHCP option are constructed as follows: SubOpt...
  • Page 10: Configuring Option 82

    Analysis: The note's table analyses the colour-coded strings (green and blue) in its DHCP Request packet extract. The Agent Circuit ID string 00 30 00 05 translates as: 30 = vlan48 (0x30 is 48 in decimal), 05 = switch port 5. Configuring Option 82: Different commands are used to turn on Option 82 depending on whether the switch is performing DHCP snooping or DHCP relay.
  • Page 11: Dhcp Filtering

    DHCP filtering: The purpose of DHCP filtering is to prevent IP addresses from being falsified or "spoofed". This guarantees that customers cannot avoid detection by spoofing an IP address that was not actually allocated to them. DHCP filtering is achieved by creating dynamic classifiers. The dynamic classifiers are configured with DHCP snooping placeholders for the source IP address (and possibly source MAC address) to match on.
  • Page 12: Arp Security

    ARP security: It is also possible to enable DHCP snooping ARP security. If enabled, this ensures that ARP packets received on non-trusted ports are only permitted if they originate from an IP address that has been allocated by DHCP. To enable DHCP snooping ARP security:

        enable dhcpsnooping arpsecurity

    DHCP snooping filter show command...
  • Page 13: Note

    On Allied Telesis switches, IGMP snooping and MLD snooping are enabled by default, and occupy 2 filter entries. To dedicate 119 entries to DHCP snooping, IGMP and MLD snooping would need to be disabled with disable igmpsnooping and disable mldsnooping.
  • Page 14: Configuration Examples

    Configuration examples: This section contains the following examples: "Configuring the switch for DHCP snooping, filtering and Option 82, when it is acting as a layer 2 switch" on page 14, and "Configuring the switch for DHCP snooping, filtering, and Option 82, when it is acting as a layer 3 BOOTP Relay Agent"...
  • Page 15

    Add the tagged uplink ports to the VLAN:

        add vlan="48" port=24 frame=tagged uplink

    Add the untagged ports for the customers:

        add vlan="48" port=1-23

    This is a layer 2 solution. The IP protocol does not need to be configured. Enable DHCP snooping and Option 82 support:

        enable dhcpsnooping
        enable dhcpsnooping option82

    It is also possible to enable DHCP snooping ARP security.
  • Page 16

    Create a set of QoS classifiers:

        create classifier=50 tcpdport=20
        create classifier=51 tcpdport=21
        create classifier=52 tcpdport=23
        create classifier=53 ethformat=ethii prot=0800

    Classifiers will be applied in QoS to allow prioritisation or traffic shaping. The above example classifies FTP and telnet. Note: These switches do filtering by default. You do not need to write a rule to drop the traffic that doesn't have a current binding in the DHCP database.
  • Page 17: Configuring The Switch For Dhcp Snooping, Filtering, And Option 82, When It Is Acting As A Layer 3 Bootp Relay Agent

    Configuring the switch for DHCP snooping, filtering, and Option 82, when it is acting as a layer 3 BOOTP Relay Agent: In a layer 3 routing environment, the switch takes on the role of BOOTP Relay Agent, with support for DHCP Option 82. The relay agent inserts the information mentioned above when forwarding client-originated DHCP packets to a DHCP server.
  • Page 18

    Configure the switch's IP addresses:

        enable ip
        add ip int=vlan48 ip=10.11.67.254 mask=255.255.255.0
        add ip int=vlan50 ip=10.50.1.254 mask=255.255.255.0
        add ip rou=0.0.0.0 mask=0.0.0.0 int=vlan50 next=10.50.1.1

    For layer 3 support, enable the BOOTP Relay:

        enable bootp relay
        add bootp relay=10.50.1.100

    Here the DHCP server is set to 10.50.1.100. Enable DHCP snooping and Option 82 support:

        enable dhcpsnooping
        enable dhcpsnooping option82
    ...
  • Page 19

    Create a set of QoS classifiers (the same step as for the layer 2 example):

        create classifier=50 tcpdport=20
        create classifier=51 tcpdport=21
        create classifier=52 tcpdport=23
        create classifier=53 ethformat=ethii prot=0800

    Classifiers will be applied in QoS to allow prioritisation or traffic shaping. The above example classifies FTP and telnet. Note: These switches do filtering by default. You do not need to write a rule to drop the traffic that doesn't have a current binding in the DHCP database.
  • Page 20: Troubleshooting

    Troubleshooting: Use the command enable dhcpsnooping debug=all to get the most verbose level of debugging available. In the following sections, all debugging comes from that command. Let's look at how you can use debugging to investigate some common problem scenarios. No trusted ports configured: In the following output, you can see that a DHCP request has arrived at the switch on port 1.
  • Page 21: The Dhcp Client Continually Sends Requests Instead Of A Discover

    The DHCP client continually sends requests instead of a discover: This happens when the client is renewing its lease or, for whatever reason, believes that it should be issued a specific address. If the client does not receive either an ACK or NACK (from a DHCP server), then the client will continue to request the address.
  • Page 22: Switch Is Dropping Arps

    Increasing the port's maximum leases will permit multiple clients per port.

        Manager > set dhcpsnooping port=3 maxleases=2
        Info (1137260): DHCP Snooping port(s) 3 updated successfully.

    Switch is dropping ARPs: If you have DHCP snooping in ARP security mode, then unknown clients on untrusted ports will not be able to ARP.
  • Page 23 You cannot work around dropped ARPs from the DHCP server by statically binding the DHCP server’s IP and MAC address to a port, instead of setting it as trusted. The switch will not send the DHCP server the DHCP request. The switch will not flood the DHCP request to any ports other than trusted ones.
  • Page 24: Displaying Log Entries

    Displaying log entries: The show log command is also very useful:

        Manager > sh log
        Date/Time    S  Mod   Type   SType  Message
        ------------------------------------------------------------------------
        02 21:42:55  3  DHCP  DHCPS  ADD    ...
        02 21:43:20  4  DHCP  DHCPS  FAIL   ...
        02 21:43:20  4  CH    ...
        02 21:43:56  3  DHCP  DHCPS  ADD    ...
  • Page 25: Appendix 1: Isc Dhcp Server

    Appendix 1: ISC DHCP server: One DHCP server that has been tested against DHCP snooping is ISC DHCP. This is free software with an option of a support contract. At the time of writing this document, ISC DHCP did not support the logging of RFC 3993 sub-option 6. For convenience, here is a sample configuration (dhcpd.conf) for ISC DHCP.
  • Page 26

    Singapore 534182 T: +65 6383 3832. Allied Telesis is a trademark or registered trademark of Allied Telesis, Inc. in the United States and other countries. T: +1 800 424 4284 F: +1 425 481 3895 F: +41 91 69769.11...
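Decoding the Option 82 Agent Circuit ID the way the Analysis on page 10 does for 00 30 00 05, as an added Python example that is not code from the How To Note or from Allied Telesis. It assumes the two-byte VLAN, two-byte port layout shown there (the byte order is an assumption) and constructs its own sample option; the remote ID value is made up.

```python
"""Decode the DHCP Relay Agent Information option (Option 82, RFC 3046).
Added example, not code from the How To Note or Allied Telesis: walks the
sub-option TLVs and reads the Agent Circuit ID as the note's Analysis table
does (00 30 00 05 -> vlan48, switch port 5). Assumption: the circuit ID is a
16-bit VLAN followed by a 16-bit port number, big-endian."""
import struct

OPTION_RELAY_AGENT_INFO = 82
AGENT_CIRCUIT_ID = 1  # RFC 3046 sub-option codes
AGENT_REMOTE_ID = 2

def parse_option82(option: bytes) -> dict:
    """Return {sub-option code: value bytes} for one Option 82 TLV. Lengths
    are checked before slicing so a truncated option raises ValueError."""
    if len(option) < 2 or option[0] != OPTION_RELAY_AGENT_INFO:
        raise ValueError("not a DHCP option 82 TLV")
    length = option[1]
    body = option[2:2 + length]
    if len(body) != length:
        raise ValueError("option 82 length exceeds available data")
    subopts = {}
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, sublen = body[i], body[i + 1]
        value = body[i + 2:i + 2 + sublen]
        if len(value) != sublen:
            raise ValueError("sub-option %d overruns option body" % code)
        subopts[code] = value
        i += 2 + sublen
    return subopts

def decode_circuit_id(circuit_id: bytes) -> tuple:
    """Split a 4-byte Agent Circuit ID into (vlan, port); assumed layout."""
    if len(circuit_id) != 4:
        raise ValueError("unexpected circuit ID length %d" % len(circuit_id))
    return struct.unpack("!HH", circuit_id)

def client_location(option: bytes) -> str:
    """Render the relay's view of the client, e.g. 'vlan48 port 5'."""
    vlan, port = decode_circuit_id(parse_option82(option)[AGENT_CIRCUIT_ID])
    return "vlan%d port %d" % (vlan, port)

# Constructed sample: circuit ID 00 30 00 05 plus a made-up 6-byte remote ID.
SAMPLE_OPTION82 = bytes([82, 14,
                         AGENT_CIRCUIT_ID, 4, 0x00, 0x30, 0x00, 0x05,
                         AGENT_REMOTE_ID, 6, 0x00, 0x00, 0xcd, 0x12, 0x34, 0x56])
```

Feeding the option bytes captured from a snooped DHCP Request to client_location gives the "which port on which VLAN" record that the traceable history described in the Introduction depends on.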

This manual is also suitable for: AT-8700XL, AT-8800, Rapier series, Rapier i series