
Arp security, Resource considerations – Allied Telesis Rapier i Series User Manual


Page 12 | AlliedWare™ OS How To Note: DHCP Snooping on Rapier-style switches

DHCP filtering

ARP security

DHCP snooping can also enforce ARP security. When it is enabled, ARP packets received on
non-trusted ports are permitted only if they originate from an IP address that has been
allocated by DHCP.

To enable DHCP snooping ARP security:

enable dhcpsnooping arpsecurity

DHCP snooping filter show command

To see what addresses have been inserted into filters using DHCP snooping classifiers, use
the command show dhcpsnooping filter:

List of terms:

The FlowID refers to the associated QoS FlowGroup.

The EntryID refers to the associated entry in the DHCP snooping database.

The ClassID refers to the dynamically created classifier entry.

Resource considerations

Because of the potential for classifier replication, you need to be cautious about running out
of classifier resource. Some resource calculations are provided below.

When configuring DHCP classifiers it is possible to run out of classifier resource, especially
when using QoS and hardware filter classifiers as well.

When DHCP snooping is enabled on an AT-8600, AT-8800, AT-8700XL, Rapier or Rapier i
series switch, it reserves only one blocking rule for each port (unlike on AT-9900 and
x900 series switches). Each block of eight ports, starting from ports 1 to 8, shares 127
available entries in the filter resource. Eight entries are immediately used by blocking rules,
so the actual number of available leases is 119 over eight ports.

Because 119 entries must be shared between eight ports, the average maximum number of
leases per port is 14. However, port 1 could be given a maximum of 100 leases, port 2 given

Example output of the show dhcpsnooping filter command:

Manager > show dhcpsnooping filter

DHCPSnooping ACL ( 150 entries )
ClassID  FlowID  Port  EntryID  IP Address/Port/Mac
----------------------------------------------------------------------
60161    0       16    3        10.11.67.50/16/00-03-47-6b-a5-7a
61161    0       16    3        10.11.67.50/16/00-03-47-6b-a5-7a
62161    0       16    3        10.11.67.50/16/00-03-47-6b-a5-7a
...
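The resource calculation above can be checked against captured show dhcpsnooping filter output. The following Python script is an added example, not part of the How To Note: it parses the output, groups rows into eight-port blocks, and reports how much of each block's 127-entry pool remains. It assumes every row consumes one entry in its block's pool; the rows for ports 3 and 9 are constructed sample data.

```python
import re
from collections import defaultdict

BLOCK_SIZE = 8        # ports per block, one blocking rule per port (from the page)
BLOCK_ENTRIES = 127   # filter entries shared by one block (from the page)

# First three rows are from the page; the rows for ports 3 and 9 are constructed.
SAMPLE = """\
ClassID FlowID Port EntryID IP Address/Port/Mac
----------------------------------------------------------------------
60161 0 16 3 10.11.67.50/16/00-03-47-6b-a5-7a
61161 0 16 3 10.11.67.50/16/00-03-47-6b-a5-7a
62161 0 16 3 10.11.67.50/16/00-03-47-6b-a5-7a
60162 0 3 4 10.11.67.51/3/00-03-47-6b-a5-7b
60163 0 9 5 10.11.67.52/9/00-03-47-6b-a5-7c
"""

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
                 r"(\d{1,3}(?:\.\d{1,3}){3})/(\d+)/"
                 r"((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s*$")

def parse_filter(text):
    """Return one dict per data row; header, rule and '...' lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            class_id, flow_id, port, entry_id = map(int, m.group(1, 2, 3, 4))
            rows.append({"class_id": class_id, "flow_id": flow_id, "port": port,
                         "entry_id": entry_id, "ip": m.group(5), "mac": m.group(7)})
    return rows

def block_usage(rows):
    """Map (first_port, last_port) to classifier rows, distinct leases, free entries."""
    blocks = defaultdict(lambda: {"classifiers": 0, "leases": set()})
    for r in rows:
        first = (r["port"] - 1) // BLOCK_SIZE * BLOCK_SIZE + 1
        b = blocks[(first, first + BLOCK_SIZE - 1)]
        b["classifiers"] += 1            # assumption: one pool entry per row
        b["leases"].add(r["entry_id"])   # replicated classifiers share an EntryID
    return {k: {"classifiers": v["classifiers"], "leases": len(v["leases"]),
                "free": BLOCK_ENTRIES - BLOCK_SIZE - v["classifiers"]}
            for k, v in blocks.items()}

if __name__ == "__main__":
    for block, use in sorted(block_usage(parse_filter(SAMPLE)).items()):
        print(block, use)
```

A block where the classifier count is well above the lease count is showing classifier replication, so it will run out of filter resource before reaching 119 leases.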