Dhcp Filtering; Configuring Filtering - Allied Telesis AT-8600 Series How To Use Manual

DHCP filtering

The purpose of DHCP filtering is to prevent IP addresses from being falsified or 'spoofed'.
This guarantees that customers cannot avoid detection by spoofing an IP address that was
not actually allocated to them.
DHCP filtering is achieved by creating dynamic classifiers. The dynamic classifiers are
configured with DHCP snooping placeholders for the source IP address (and possibly source
MAC address), to match on.
The dynamic classifiers are attached to filters, which are applied to a port. Only those
packets with a source IP address that matches one of the IP addresses allocated to the
devices connected to that port are allowed through.

Configuring filtering

The switch can be configured to block all packets arriving from clients, unless their source
addresses are those known by the switch to have been allocated to the clients by DHCP.
Note:
set dhcpsnooping port=<port-list> maxlease=<number>
When DHCP snooping is enabled, one blocking filter rule is set up on each port. Then, a
permit rule for each client is set up in the switch's hardware filtering table after a DHCP
exchange is successfully completed. These dynamic filtering rules are added for each unique
DHCP client until there are maxlease number of entries on that port, or the switch has run
out of filter resources.
Page 11 | AlliedWare™ OS How To Note: DHCP Snooping on Rapier-style switches
Client B
Non-trusted Ports
Client A
The filtering does not, of course, block DHCP packets. In fact, the DHCP snooping
process creates a filter which forces DHCP packets to the CPU before any other
filters can process the packet.
To configure how many times the filters or flowgroups will be replicated:
DHCP Server
Access Device
Trusted Ports
DHCP filtering