Traffic filtering with dhcp snooping – Allied Telesis AlliedWare Plus Operating System Version 5.4.4C (x310-26FT,x310-26FP,x310-50FT,x310-50FP) User Manual

DHCP Snooping Introduction and Configuration 55.6
Software Reference for x310 Series Switches
AlliedWare Plus™ Operating System - Version 5.4.4C
C613-50046-01 REV A
Traffic Filtering with DHCP Snooping
DHCP filtering prevents IP addresses from being falsified or ‘spoofed’. This guarantees that
users cannot avoid detection by spoofing IP addresses that are not actually allocated to
them. With DHCP filtering, the switch permits packets to enter over a specific port if their
source IP address is currently allocated to a client connected to that port.
Support on this switch
On this switch, Access Control Lists (ACLs) based on DHCP snooping can be used with
access groups to filter IP packets. For instance, IP traffic on untrusted ports can be limited
to packets matching valid DHCP lease information stored in the DHCP snooping database.
Quality of Service (QoS) configuration can also be applied to these ACLs.
The DHCP snooping feature is enabled or disabled per VLAN, and several of the related
configuration settings are applied per port. If there are multiple VLANs on a port, all the
VLANs will be subject to the same per-port settings.
Operation
shows the filtering that is applied by DHCP snooping on a switch with the following DHCP filtering configuration for untrusted ports:
■ DHCP snooping is enabled on all VLANs (service dhcp-snooping command; ip dhcp snooping command on page 56.9).
■ ARP security (arp security command on page 56.2) is enabled on all VLANs.
■ MAC address verification is enabled on the switch (enabled by default), and all DHCP clients are directly connected to the switch.
■ Access Control Lists allow IP packets that match the source IP address and MAC address of a valid lease entry in the DHCP snooping database, and deny other IP packets (access-list commands in Chapter 34, IPv4 Hardware Access Control List).
■ DHCP requests containing DHCP Relay Agent Option 82 information are not allowed (snooping agent-option allow-untrusted command on page 56.11; this is disabled by default).
■ Log messages and SNMP notifications are enabled for DHCP snooping and ARP security violations (ip dhcp snooping violation command on page 56.22; security violation command on page 56.3; snmp-server enable trap command).
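The permit/deny decision these bullets describe for an untrusted port, written out as an added illustrative model in Python; it is not the switch's implementation and not code from this manual. A constructed binding table stands in for the DHCP snooping database, and the names Lease, Packet and SnoopingFilter are assumptions; the model also covers an expired lease and the Option 82 check, which the text only states.

```python
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class Lease:
    """One entry of the (constructed) DHCP snooping binding table."""
    ip: str
    mac: str
    port: str      # port the client was learned on
    vlan: int
    expires: float  # lease expiry as a Unix timestamp


@dataclass(frozen=True)
class Packet:
    """Fields of an ingress frame that the filter needs (constructed)."""
    src_ip: str
    src_mac: str
    port: str
    vlan: int
    is_dhcp: bool = False
    has_option82: bool = False  # DHCP Relay Agent Option 82 present


class SnoopingFilter:
    """Hypothetical model of the per-VLAN / per-port filtering rules."""

    def __init__(self, snooping_vlans, trusted_ports, allow_untrusted_option82=False):
        self.snooping_vlans = set(snooping_vlans)   # snooping is enabled per VLAN
        self.trusted_ports = set(trusted_ports)     # trust is a per-port setting
        self.allow_untrusted_option82 = allow_untrusted_option82  # off by default
        self.bindings = {}  # (ip, vlan) -> Lease

    def add_lease(self, lease: Lease) -> None:
        self.bindings[(lease.ip, lease.vlan)] = lease

    def decide(self, pkt: Packet, now=None) -> str:
        now = time.time() if now is None else now
        # No snooping on this VLAN, or a trusted port: nothing is filtered.
        if pkt.vlan not in self.snooping_vlans or pkt.port in self.trusted_ports:
            return "permit"
        # DHCP itself must pass so a client can obtain a lease, except when it
        # carries Option 82 on an untrusted port (rejected unless allowed).
        if pkt.is_dhcp:
            if pkt.has_option82 and not self.allow_untrusted_option82:
                return "deny: option-82 on untrusted port"
            return "permit"
        # Other IP traffic needs a current lease for this IP on this port/MAC.
        lease = self.bindings.get((pkt.src_ip, pkt.vlan))
        if lease is None or lease.expires <= now:
            return "deny: no valid lease for source IP"
        if lease.port != pkt.port or lease.mac.lower() != pkt.src_mac.lower():
            return "deny: lease bound to another port or MAC"
        return "permit"
```

A violation on a real switch would additionally raise the log message or SNMP trap the last bullet refers to; the model only returns the decision and reason.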