
Configuring filtering, Supporting multiple devices on a port – Allied Telesis x900-48 series User Manual


Page 12 | AlliedWare™ OS How To Note: DHCP snooping on AT-9900-style switches


Configuring filtering

The switch can be configured to block all packets arriving from clients, unless their source
addresses are those known by the switch to have been allocated to the clients by DHCP.

Note:

The filtering does not, of course, block DHCP packets. In fact, the DHCP snooping
process creates a filter which forces DHCP packets to the CPU before any other
filters can process the packet.

On the x900 switches, this is achieved by creating classifiers that have placeholder entries for
the source IP address and (optionally) the source MAC address parameter.

To create this type of classifier:

create classifier=1 ipsaddress=dhcpsnooping macsaddress=dhcpsnooping <other-parameters>

These classifiers can be applied to hardware filters that then allow the appropriate packets
through, and a subsequent deny-all-else filter ensures that packets with any other source
addresses are discarded.

You can treat these classifiers like all other classifiers, and use them as part of any QoS or
filtering configuration.

How the switch uses these classifiers

These classifiers are attached to flow groups or filters, which are eventually written into
hardware tables. When the corresponding filters are written into the hardware tables, the
placeholder IP address dhcpsnooping is replaced by the IP address 0.0.0.0 and the
placeholder MAC address dhcpsnooping is replaced by the MAC address 00-00-00-00-00-00.

As the DHCP snooping process detects DHCP leases being allocated to devices connected
to a port, the 0.0.0.0 and 00-00-00-00-00-00 IP and MAC addresses in the relevant filters
applied to that port are replaced by the actual IP address and MAC address of the device
receiving the DHCP lease.

Similarly, when DHCP snooping notices a DHCP lease time out, it finds the filter entries
holding the address of the expiring lease and replaces them with the 0.0.0.0 IP address and
the 00-00-00-00-00-00 MAC address again.

Supporting multiple devices on a port

If there are multiple devices downstream of a port on the switch, and all of those devices can
be allocated IP addresses by DHCP, then the ipsaddress=dhcpsnooping clause in the
above classifier should match any of the IP addresses allocated to a device connected to that
port.

This is achieved by replicating any filter or flow group that uses the classifier, so that each
copy can hold the address of one of the devices on the port.
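The lifecycle described in the two sections above (placeholders written to hardware, replaced when a lease is granted, restored when the lease expires, and one filter copy per device on a multi-device port) can be followed end to end in the following added example. It is not Allied Telesis code and does not model the x900 hardware tables themselves: it is a small Python simulation of the behaviour the note describes, with constructed ports, leases and addresses (RFC 5737 192.0.2.0/24 documentation addresses). The `permit` decision assumes that an unfilled placeholder entry matches nothing and that a deny-all-else filter follows, and it lets DHCP packets (UDP ports 67 and 68) bypass the filters, as the note says the snooping process arranges.

```python
"""Simulation of the DHCP snooping placeholder filters described in the note.

Added example, not Allied Telesis code. Ports, clients and addresses below are
constructed for illustration only.
"""
from dataclasses import dataclass, field

PLACEHOLDER_IP = "0.0.0.0"
PLACEHOLDER_MAC = "00-00-00-00-00-00"
DHCP_UDP_PORTS = {67, 68}  # DHCP is forced to the CPU before any other filter


@dataclass
class FilterEntry:
    """One hardware filter slot tied to an ingress port.

    Starts out holding the placeholders the switch writes for
    ipsaddress=dhcpsnooping / macsaddress=dhcpsnooping.
    """
    port: int
    ipsaddress: str = PLACEHOLDER_IP
    macsaddress: str = PLACEHOLDER_MAC

    def is_free(self):
        # Assumption of this model: a placeholder entry matches no real traffic.
        return self.ipsaddress == PLACEHOLDER_IP


@dataclass
class SnoopingSwitch:
    entries: list = field(default_factory=list)

    def add_port_filters(self, port, clients=1):
        """Replicate the placeholder filter once per device expected on the port."""
        for _ in range(clients):
            self.entries.append(FilterEntry(port))

    def lease_granted(self, port, ip, mac):
        """Snooping saw a lease for this port: fill the first free placeholder.

        Returns False when the port has no spare copy, in which case the new
        client's traffic will fall through to the deny-all-else filter.
        """
        for entry in self.entries:
            if entry.port == port and entry.is_free():
                entry.ipsaddress, entry.macsaddress = ip, mac
                return True
        return False

    def lease_expired(self, ip):
        """Lease timed out: locate entries by the expiring IP and restore placeholders."""
        restored = 0
        for entry in self.entries:
            if entry.ipsaddress == ip:
                entry.ipsaddress, entry.macsaddress = PLACEHOLDER_IP, PLACEHOLDER_MAC
                restored += 1
        return restored

    def permit(self, port, src_ip, src_mac, udp_dport=None):
        """Ingress decision for one client packet on a port.

        DHCP bypasses the filters; anything else is permitted only if both its
        source IP and source MAC match a bound entry for that port, else denied.
        """
        if udp_dport in DHCP_UDP_PORTS:
            return True
        for entry in self.entries:
            if (entry.port == port and not entry.is_free()
                    and (entry.ipsaddress, entry.macsaddress) == (src_ip, src_mac)):
                return True
        return False  # deny-all-else


def demo():
    """Walk through the lifecycle with constructed events; returns the decisions."""
    sw = SnoopingSwitch()
    sw.add_port_filters(port=1, clients=2)  # two devices expected downstream of port 1
    sw.add_port_filters(port=2)             # one device on port 2
    r = {}
    sw.lease_granted(1, "192.0.2.10", "00-11-22-33-44-55")
    sw.lease_granted(1, "192.0.2.11", "00-11-22-33-44-66")
    r["third_client_port1"] = sw.lease_granted(1, "192.0.2.12", "00-11-22-33-44-77")
    r["bound"] = sw.permit(1, "192.0.2.10", "00-11-22-33-44-55")
    r["spoofed_ip"] = sw.permit(1, "192.0.2.99", "00-11-22-33-44-55")
    r["spoofed_mac"] = sw.permit(1, "192.0.2.10", "de-ad-be-ef-00-01")
    r["wrong_port"] = sw.permit(2, "192.0.2.10", "00-11-22-33-44-55")
    r["placeholder_not_matchable"] = sw.permit(2, PLACEHOLDER_IP, PLACEHOLDER_MAC)
    r["dhcp_discover"] = sw.permit(2, "0.0.0.0", "aa-bb-cc-dd-ee-ff", udp_dport=67)
    r["expired_count"] = sw.lease_expired("192.0.2.10")
    r["after_expiry"] = sw.permit(1, "192.0.2.10", "00-11-22-33-44-55")
    r["slot_reused"] = sw.lease_granted(1, "192.0.2.12", "00-11-22-33-44-77")
    return r


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28} {decision}")
```

Two results are worth a second look. `spoofed_ip` and `spoofed_mac` are both denied because the lease binds the IP and MAC into the same filter entry, so a client cannot forge either address independently. `third_client_port1` is the operational caveat of the replication scheme: a port with fewer filter copies than DHCP clients leaves the extra clients unable to pass any non-DHCP traffic, so the number of replicas must match the number of devices expected downstream of the port.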