Allied Telesis Layer 3 Switches Switch User Manual


 
Identifying the user
Create A Secure Network With Allied Telesis Managed Layer 3 Switches 16
For more information about setting up DHCP snooping, see How To Use DHCP Snooping,
Option 82 and Filtering on Rapier, AT-8800 and AT-8600 Series Switches or How To Use DHCP
Snooping, Option 82 and Filtering on x900 Series Switches. These How To Notes are available
from www.alliedtelesis.com/resources/literature/howto.aspx.
Setting up DHCP snooping
This section describes a minimal configuration for DHCP snooping. With this configuration,
the switch snoops DHCP packets to build a database of allowed IP addresses, forwards client
DHCP messages only to the port with the official DHCP server, and limits the number of
clients (leases) on each port.
Configuration
1. Enable DHCP snooping.
2. Identify the port that your DHCP server is attached to, and configure this as a trusted port
for DHCP snooping. The switch only sends DHCP discover and request packets to trusted
ports. If a malicious user attaches a DHCP server to an untrusted port, that server will
never receive DHCP requests. This prevents DHCP server spoofing.
3. Set the number of leases permitted on each port.
4. For AT-8948, x900-48, and AT-9900 switches, add classifiers and a quality of service (QoS)
configuration to permit and filter addresses.
Example
To limit each port on a 24-port switch to 1 lease, when the DHCP server is on port 24:
enable dhcpsnooping
set dhcpsnooping port=24 trusted=yes
set dhcpsnooping port=1-23 maxlease=1
On AT-8948, x900-48 and AT-9900 switches, also add the following commands:
create classifier=50 macsaddr=dhcpsnooping prot=ip ipsaddr=dhcpsnooping
create classifier=51 protocol=ip
create qos policy=1
create qos trafficclass=1
create qos flow=50 action=forward
create qos flow=51 action=discard
add qos policy=1 trafficclass=1
set qos port=1-23 policy=1
add qos trafficclass=1 flow=50
add qos trafficclass=1 flow=51
add qos flow=50 classifier=50
add qos flow=51 classifier=51
Using static binding for rigid control
If there is no DHCP server, or if there is a host with a static IP address, then you can bind the
IP address to the port to which it is attached.
Example
To specify that the host with MAC address 00-00-00-00-00-12 can legitimately use the IP
address 172.16.0.12 on port 12, use the following command in addition to the configuration
given in "Setting up DHCP snooping", above.
add dhcpsnooping binding=00-00-00-00-00-12 ip=172.16.0.12 interface=vlan1 port=12
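The following Python model is an added example that is not Allied Telesis code and does not
reproduce the switch's internal implementation. It shows the behaviour that the two
configurations above ("Setting up DHCP snooping" and "Using static binding for rigid
control") are meant to produce: client DHCP messages go only to trusted ports, server
messages arriving on untrusted ports are discarded, ACKs on trusted ports populate the
binding database subject to maxlease, static bindings are added by hand, and ordinary IP
traffic from an untrusted port is forwarded only when its source MAC and IP match a binding
for that port (the effect of classifiers 50 and 51 in the example). The Frame class, the
SnoopingSwitch class, the use of the client MAC (chaddr) alone to place a server reply, and
all of the traffic in run_scenario() are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# DHCP message types (option 53, RFC 2132) that the model cares about.
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
CLIENT_MSGS = {DISCOVER, REQUEST}   # only ever forwarded to trusted ports
SERVER_MSGS = {OFFER, ACK}          # only accepted from trusted ports


@dataclass
class Frame:
    """Simplified frame (assumed model); fields irrelevant to snooping are omitted."""
    port: int                    # ingress port
    src_mac: str
    src_ip: str                  # "0.0.0.0" in client DHCP messages
    dhcp: Optional[int] = None   # DHCP message type, None for ordinary IP traffic
    chaddr: str = ""             # client MAC carried in server messages
    yiaddr: str = ""             # address assigned in server messages


@dataclass
class SnoopingSwitch:
    """Assumed model of the snooping switch, not the vendor's implementation."""
    trusted: Set[int] = field(default_factory=set)
    maxlease: Dict[int, int] = field(default_factory=dict)
    # binding database: (mac, ip) -> port, learned from ACKs or added statically
    bindings: Dict[Tuple[str, str], int] = field(default_factory=dict)
    # client MAC -> port of the last DISCOVER/REQUEST seen, used to place replies
    pending: Dict[str, int] = field(default_factory=dict)

    def leases_on(self, port: int) -> int:
        return sum(1 for p in self.bindings.values() if p == port)

    def add_binding(self, mac: str, ip: str, port: int) -> None:
        """Static binding, the effect of 'add dhcpsnooping binding=...'."""
        self.bindings[(mac, ip)] = port

    def handle(self, f: Frame) -> str:
        """Decide what happens to one frame: 'forward:<ports>' or 'discard:<why>'."""
        if f.dhcp in CLIENT_MSGS:
            # Step 2: discover/request go only to trusted ports, so a rogue
            # server on an untrusted port never sees them.
            self.pending[f.src_mac] = f.port
            return "forward:" + ",".join(str(p) for p in sorted(self.trusted - {f.port}))
        if f.dhcp in SERVER_MSGS:
            if f.port not in self.trusted:
                return "discard:server-message-on-untrusted-port"
            client_port = self.pending.get(f.chaddr)
            if client_port is None:
                return "discard:no-matching-request"
            if f.dhcp == ACK:
                # Step 3: refuse a new lease if the client's port is at its limit.
                limit = self.maxlease.get(client_port)
                already = (f.chaddr, f.yiaddr) in self.bindings
                if limit is not None and not already and self.leases_on(client_port) >= limit:
                    return f"discard:maxlease-reached-on-port-{client_port}"
                self.bindings[(f.chaddr, f.yiaddr)] = client_port
            return f"forward:{client_port}"
        # Ordinary IP traffic: the check that classifier 50 (forward) and
        # classifier 51 (discard) apply on the untrusted ports.
        if f.port in self.trusted or self.bindings.get((f.src_mac, f.src_ip)) == f.port:
            return "forward:all"
        return "discard:no-binding"


def build_example_switch() -> SnoopingSwitch:
    """The manual's example: port 24 trusted, maxlease=1 on ports 1-23, plus the
    static binding for 00-00-00-00-00-12 / 172.16.0.12 on port 12."""
    sw = SnoopingSwitch(trusted={24}, maxlease={p: 1 for p in range(1, 24)})
    sw.add_binding("00-00-00-00-00-12", "172.16.0.12", 12)
    return sw


def run_scenario() -> List[str]:
    """Constructed traffic exercising each rule; returns one decision per frame."""
    sw = build_example_switch()
    server = "00-00-00-00-00-fe"   # assumed MAC of the real DHCP server on port 24
    events = [
        Frame(3, "00-00-00-00-00-03", "0.0.0.0", DISCOVER),                                   # legitimate client
        Frame(24, server, "172.16.0.1", OFFER, chaddr="00-00-00-00-00-03", yiaddr="172.16.0.3"),
        Frame(3, "00-00-00-00-00-03", "0.0.0.0", REQUEST),
        Frame(24, server, "172.16.0.1", ACK, chaddr="00-00-00-00-00-03", yiaddr="172.16.0.3"),
        Frame(3, "00-00-00-00-00-03", "172.16.0.3"),                                          # traffic from bound host
        Frame(3, "00-00-00-00-00-03", "172.16.0.99"),                                         # spoofed source IP
        Frame(7, "00-00-00-00-00-07", "172.16.0.1", OFFER, chaddr="00-00-00-00-00-03", yiaddr="10.0.0.5"),  # rogue server
        Frame(3, "00-00-00-00-00-33", "0.0.0.0", DISCOVER),                                   # second client on port 3
        Frame(24, server, "172.16.0.1", ACK, chaddr="00-00-00-00-00-33", yiaddr="172.16.0.33"),
        Frame(12, "00-00-00-00-00-12", "172.16.0.12"),                                        # statically bound host
        Frame(13, "00-00-00-00-00-12", "172.16.0.12"),                                        # same host on the wrong port
    ]
    return [sw.handle(e) for e in events]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The second client on port 3 is refused its lease because maxlease=1 is already consumed,
and the statically bound host is accepted on port 12 but not on port 13, which is the
"rigid control" the binding command provides.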