
Traffic filtering with dhcp snooping – Allied Telesis AlliedWare Plus Operating System Version 5.4.4C (x310-26FT,x310-26FP,x310-50FT,x310-50FP) User Manual


DHCP Snooping Introduction and Configuration
Software Reference for x310 Series Switches
55.6
AlliedWare Plus (TM) Operating System - Version 5.4.4C
C613-50046-01 REV A

Traffic Filtering with DHCP Snooping

DHCP filtering prevents IP addresses from being falsified or ‘spoofed’. This guarantees that
users cannot avoid detection by spoofing IP addresses that are not actually allocated to
them. With DHCP filtering, the switch permits packets to enter over a specific port if their
source IP address is currently allocated to a client connected to that port.

Support on this switch

On this switch, Access Control Lists (ACLs) based on DHCP snooping can be used with
access groups to filter IP packets. For instance, IP traffic on untrusted ports can be limited
to packets matching valid DHCP lease information stored in the DHCP snooping database.
Quality of Service (QoS) configuration can also be applied to these ACLs.

The DHCP snooping feature is enabled or disabled per VLAN, and several of the related
configuration settings are applied per port. If there are multiple VLANs on a port, all the
VLANs will be subject to the same per-port settings.

Operation

Table 55-1 on page 55.7 shows the filtering that is applied by DHCP snooping on a
switch with the following DHCP filtering configuration for untrusted ports:

- DHCP snooping is enabled on all VLANs (service dhcp-snooping command on page 56.24,
  ip dhcp snooping command on page 56.9).
- ARP security (arp security command on page 56.2) is enabled on all VLANs.
- MAC address verification is enabled on the switch (ip dhcp snooping verify mac-address
  command on page 56.21; enabled by default), and all DHCP clients are directly connected
  to the switch.
- Access Control Lists allow IP packets that match the source IP address and MAC address
  of a valid lease entry in the DHCP snooping database, and deny other IP packets
  (access-list commands in Chapter 34, IPv4 Hardware Access Control List (ACL) Commands).
- DHCP requests containing DHCP Relay Agent Option 82 information are not allowed
  (ip dhcp snooping agent-option allow-untrusted command on page 56.11; this is disabled
  by default).
- Log messages and SNMP notifications are enabled for DHCP snooping and ARP security
  violations (ip dhcp snooping violation command on page 56.22, arp security violation
  command on page 56.3, snmp-server enable trap command on page 68.16).
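The configuration described in the list above, written out as an added example in AlliedWare Plus CLI syntax (this is not a configuration taken from the manual): the VLAN and port numbers and the ACL name are assumptions, and the commands not named on this page (access-list hardware, permit ip dhcpsnooping, access-group, ip dhcp snooping trust, max-bindings, snmp-server enable trap dhcpsnooping) are assumed from the AlliedWare Plus command set.

```text
! Added example, not from the manual. Assumed layout: clients on
! port1.0.1-1.0.24 in vlan1, DHCP server reached via port1.0.26.
service dhcp-snooping
!
! Enable DHCP snooping and ARP security on every client VLAN.
interface vlan1
 ip dhcp snooping
 arp security
!
! Defaults shown explicitly: MAC verification on, Option 82 from
! untrusted ports rejected.
ip dhcp snooping verify mac-address
no ip dhcp snooping agent-option allow-untrusted
!
! Log and trap on DHCP snooping / ARP security violations.
ip dhcp snooping violation log
arp security violation log
snmp-server enable trap dhcpsnooping
!
! Hardware ACL (name assumed): permit only IP packets whose source
! IP/MAC pair matches a lease in the snooping database, deny the rest.
access-list hardware dhcp-filter
 permit ip dhcpsnooping any
 deny ip any any
!
! Untrusted client ports: one binding each, ACL applied.
interface port1.0.1-1.0.24
 ip dhcp snooping max-bindings 1
 access-group dhcp-filter
!
! Uplink towards the DHCP server is trusted; no ACL applied there.
interface port1.0.26
 ip dhcp snooping trust
```

With this in place an untrusted port forwards IP traffic only for addresses the snooping database has recorded as leased on that port, and a spoofed source address produces a logged and trapped violation rather than silently passing.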