How it Works
Allied Telesis
Loading...
AT-8600
User Manual
26 pgs227.08 Kb0
User Manual
232 pgs2.56 Mb0
User Manual
4 pgs130.1 Kb0
User Manual
38 pgs1.3 Mb0
Table of contents
Loading...

Allied Telesis AT-8600, AT-8700XL, Rapier i User Manual

AlliedWareTM OS
How To |
Use DHCP Snooping, Option 82, and Filtering on AT-8800, AT-8600, AT-8700XL, Rapier, and Rapier i Series Switches

Introduction

It has increasingly become a legal requirement for service providers to identify which of their customers were using a specific IP address at a specific time. This means that service providers must be able to:
z Know which customer was allocated an IP address at any time.
z Guarantee that customers cannot avoid detection by spoofing an IP address that was not
actually allocated to them.
These security features provide a traceable history in the event of an official query. Three components are used to provide this traceable history:
z DHCP snooping
z DHCP Option 82
z DHCP filtering
With DHCP snooping an administrator can control port-to-IP connectivity by:
z permitting port access to specified IP addresses only
z permitting port access to DHCP issued IP addresses only
z dictating the number of IP clients on any given port
z passing location information about an IP client to the DHCP server
z permitting only known IP clients to ARP
This document explains each feature and provides the minimum configuration to enable them. There are also two configuration examples that make advanced use of the features.
C613-16086-00 REV B
www.alliedtelesis.com
Introduction
This document contains the following contents:
Introduction .............................................................................................................................................. 1
Which products and software version does this information apply to? .............................. 2
Related How To Notes ................................................................................................................... 3
DHCP snooping ....................................................................................................................................... 3
Minimum configuration ................................................................................................................... 3
The database ..................................................................................................................................... 4
Trusted and non-trusted ports ..................................................................................................... 6
Enabling DHCP snooping ............................................................................................................... 6
Static binding ..................................................................................................................................... 6
Completely removing the DHCP snooping database .............................................................. 7
DHCP Option 82 .................................................................................................................................... 8
Protocol details ................................................................................................................................. 9
Configuring Option 82 .................................................................................................................. 10
DHCP filtering ........................................................................................................................................ 11
Configuring filtering ....................................................................................................................... 11
ARP security .................................................................................................................................... 12
Resource considerations .............................................................................................................. 12
Configuration examples ....................................................................................................................... 14
Configuring the switch for DHCP snooping, filtering and Option 82, when it is
acting as a layer 2 switch ....................................................................................................... 14
Configuring the switch for DHCP snooping, filtering, and Option 82, when it is
acting as a layer 3 BOOTP Relay Agent ............................................................................ 17
Troubleshooting ..................................................................................................................................... 20
No trusted ports configured ....................................................................................................... 20
The DHCP client continually sends requests instead of a discover ................................... 21
Switch is dropping ARPs ............................................................................................................... 22
Displaying log entries .................................................................................................................... 24
1
Appendix
: ISC DHCP server .......................................................................................................... 25

Which products and software version does this information apply to?

The information provided in this document applies to the following switches, running AlliedWare version 2.7.6 and above:
z AT-8800 series
z AT-8600 series
z AT-8700XL series
z Rapier and Rapier i series
Page 2 | AlliedWare™ OS How To Note: DHCP Snooping on Rapier-style switches

DHCP snooping

Related How To Notes

The following How To Note describes DHCP snooping on AT-9900, x900-48 and AT-8948 series switches:
z How To Use DHCP Snooping, Option 82, and Filtering on AT-9900 and x900-48 Series Switches
The following How To Notes also use DHCP snooping in their solutions:
z How To Use MAC-Forced Forwarding with DHCP Snooping to Create Enhanced Private VLANs
z How To Create A Secure Network With Allied Telesis Managed Layer 3 Switches
z How To Use DHCP Snooping and ARP Security to Block ARP Poisoning Attacks
How To Notes are available from the library at www.alliedtelesis.com/resources/literature/
howto.aspx.
DHCP snooping
DHCP snooping forces all DHCP packets to be sent up to the switch CPU before forwarding. The switch CPU then keeps a database of the IP addresses that are currently allocated to downstream clients and the switch ports that the relevant clients are attached to.
Note: The switch CPU does not store a history log. The DHCP server does this.
DHCP snooping performs two main tasks:
z Keeping a record of which IP addresses are currently allocated to hosts downstream of
the ports on the switch.
z Deciding which packets are candidates for having Option 82 information inserted, and
actively filtering out packets that are deemed to be invalid DHCP packets (according to criteria described below).
Note: Option 82 must be enabled separately.

Minimum configuration

The following output shows the minimum configuration required to use DHCP snooping and provide filtered connectivity. With this configuration a client will be able to receive a DHCP address, and access the IP network. If the client manually changes its IP, it will not be permitted access to the IP network. The administrator will also be able to see the current valid entries in the DHCP snooping database.
# DHCP Snooping configuration enable dhcpsnooping set dhcpsnooping port=24 trusted=yes
Page 3 | AlliedWare™ OS How To Note: DHCP Snooping on Rapier-style switches
DHCP snooping

The database

The switch watches the DHCP packets that it is passing back-and-forth. It also maintains a database that lists the DHCP leases it knows are being held by devices downstream of its ports.
Each lease in the database holds the following information:
z the MAC address of the client device
z the IP address that was allocated to that client
z time until expiry
z VLAN to which the client is attached
z the port to which the client is attached
When inserting Option 82 information into the DHCP packets, the switch uses the information it has stored in the database for filtering and for filling in the fields.
DHCP snooping database time-out
The CPU will time-out database entries if the lease, also stored in the database, expires.
Database survival across reboots
The database is periodically saved as a .dsn file into non-volatile storage. Therefore the database will survive a reboot.
Verifying the status of snooped users
To verify the status of snooped users, use the command show dhcpsnooping database.
Manager > show dhcpsnooping database
DHCP Snooping Binding Database
------------------------------------------------------------------­Full Leases/Max Leases ... 1/52
Check Interval ........... 60 seconds
Database Listeners ....... CLASSIFR
Current valid entries MAC Address IP Address Expires(s) VLAN Port ID Source
----------------------------------------------------------------------------­00-03-47-6b-a5-7a 10.11.67.50 56 48 16 3 Dynamic
----------------------------------------------------------------------------­Entries with client lease but no listeners MAC Address IP Address Expires(s) VLAN Port ID Source
----------------------------------------------------------------------------­None...
----------------------------------------------------------------------------­Entries with no client lease and no listeners MAC Address IP Address Expires(s) VLAN Port ID Source
----------------------------------------------------------------------------­None...
Page 4 | AlliedWare™ OS How To Note: DHCP Snooping on Rapier-style switches
DHCP snooping
List of terms:
MAC Address: The MAC address of the snooped DHCP client.
IP Address: The IP address that has been allocated to the snooped DHCP client.
Expires: The time, in seconds, until the DHCP client entry will expire.
VLAN: The VLAN to which the snooped DHCP client is connected.
Port: The port to which the snooped DHCP client is connected.
ID: The unique ID for the entry in the DHCP snooping database. This ID is dynamically allocated to all clients. (The same ID can be seen in show dhcpsnooping filter.)
Database Listeners: These are switch features (or modules) that have registered to listen to the Binding Database. Database listeners are informed when an entry is added or deleted from the database. In this case the Classifier module will be informed so the
dynamic classifiers can be updated.
Source: How the DHCP binding was entered into the database:
z User = static
z File = read from bindings. dsn (usually at boot time)
z Dynamic = it was snooped
To see port details, use the commands show dhcpsnooping port and show dhcpsnooping count.
Manager > show dhcpsnooping port=16
DHCP Snooping Port Information:
---------------------------------------------------------------------
Port ..................... 16
Trusted .................. No
Full Leases/Max Leases ... 1/1
Subscriber-ID ............
Manager > show dhcpsnooping count
DHCP Snooping Counters
--------------------------------------------------------------------­DHCP Snooping
InPackets .................... 1751
InBootpRequests ............... 908
InBootpReplies ................ 843
InDiscards ...................... 0
ARP Security
InPackets ....................... 0
InDiscards ...................... 0
NoLease ....................... 0
Invalid ....................... 0
---------------------------------------------------------------------
Page 5 | AlliedWare™ OS How To Note: DHCP Snooping on Rapier-style switches
DHCP snooping

Trusted and non-trusted ports

The concept of trusted and non-trusted ports is fundamental to the operation of DHCP snooping:
z Trusted ports connect to a trusted entity in the network, and are under the complete
control of the network manager.
z Non-trusted ports connect an untrusted entity to the trusted network.
z Non-trusted ports can connect to non-trusted ports.
In general, trusted ports connect to the network core, and non-trusted ports connect to subscribers.
DHCP snooping will make forwarding decisions based on the trust status of ports:
z BOOTP packets that contain Option 82 information received on untrusted ports will be
dropped
z If Option 82 is enabled, the switch will insert Option 82 information into BOOTP
REQUEST packets received from an untrusted port.
z BOOTP REQUEST packets that contain Option 82 information received on trusted ports
will not have the Option 82 information updated with information for the receive port. It will be kept.
z BOOTP REPLY packets (from servers) should come from a trusted source.
z The switch will remove Option 82 information from BOOTP REPLY packets destined to
an untrusted port.
z BOOTP REPLY packets received on non-trusted ports will be dropped.

Enabling DHCP snooping

DHCP snooping is enabled globally by the command enable dhcpsnooping. All ports are untrusted by default. For DHCP snooping to do anything useful, at least one port must be trusted.

Static binding

If there is a device with a statically set IP attached to a port in the DHCP snooping port range, then, with filtering enabled it is necessary to statically bind it to the port. This will ensure the device's IP connectivity to the rest of the network.
1
If a device with the IP VLAN
1
on port 2 then a static binding is configured by adding the following command to the
72.16.1.202 and MAC address 00-00-00-00-00-ca is attached to
basic DHCP configuration (see "Minimum configuration" on page 3):
add dhcpsnooping binding=00-00-00-00-00-CA interface=vlan1 ip=172.16.1.202
port=2
Adding a static binding uses a lease on the port. If the maximum leases on the port is 1 (the default), the static binding means that no device on the port can acquire an address by DHCP.
Page 6 | AlliedWare™ OS How To Note: DHCP Snooping on Rapier-style switches

Completely removing the DHCP snooping database

To completely remove the database, it is necessary to delete the file nvs:bindings.dsn.
Manager > delete fi=nvs:bindings.dsn nvs:bindings.dsn successfully deleted 1 file deleted.
Info (1056003): Operation successful.
Manager > enable dhcpsnooping DHCPSN_DB: Reloading static entries...
Info (1137057): DHCPSNOOPING has been enabled.
Manager > DHCPSN_DB: Reading entries from file... DHCPSN_DB: Full file name is: (nvs:bindings.dsn) DHCPSN_DB: File nvs:bindings.dsn not present on device, nothing to load.
DHCP snooping
So the database is empty:
Manager > show dhcpsnooping database
DHCP Snooping Binding Database
-----------------------------------------------------------------------------
Database Version ..... 1
Full Leases/Max Leases ... 0/151
Check Interval ........... 60 seconds
Database Listeners ....... CLASSIFR
Current valid entries MAC Address IP Address Expires(s) VLAN Port ID Source
----------------------------------------------------------------------------­None...
----------------------------------------------------------------------------­Entries with client lease but no listeners MAC Address IP Address Expires(s) VLAN Port ID Source
----------------------------------------------------------------------------­None...
----------------------------------------------------------------------------­Entries with no client lease and no listeners MAC Address IP Address Expires(s) VLAN Port ID Source
----------------------------------------------------------------------------­None...
-----------------------------------------------------------------------------
Page 7 | AlliedWare™ OS How To Note: DHCP Snooping on Rapier-style switches

DHCP Option 82

DHCP Option 82
DHCP Relay Agent Information Option 82 is an extension to the Dynamic Host Configuration Protocol (DHCP), and is defined in RFC 3046 and RFC 3993.
DHCP Option 82 can be used to send information about DHCP clients to the authenticating DHCP server. DHCP Option 82 will identify the VLAN number, port number and, optionally a customer ID of a client, during any IP address allocation. When DHCP Option 82 is enabled on the switch, it inserts the above information into the DHCP packets as they pass through the switch on their way to the DHCP server. The DHCP server stores the IP allocation record.
DHCP Option 82 can work in either layer 2 forwarding or layer 3 routing modes. There are significant differences in operation and configuration of these two modes – the latter needing BOOTP Relay support. Some configuration examples and operation descriptions are provided in a later section of this document.
Although Option 82 is titled the DHCP Relay Agent Information Option, the device that inserts the Option 82 information into a DHCP packet does not have to be acting as DHCP relay. A layer 2 switch can insert the Option 82 information into the DHCP packets (if snooping is enabled). The Option 82 information needs to be inserted into the DHCP packets by a switch at the edge of the network, because only the edge switch knows the information that uniquely identifies the subscriber that the IP address was allocated to.
It is quite likely that the edge switch will be a layer 2 switch, rather than a DCHP-relaying layer 3 switch.
Page 8 | AlliedWare™ OS How To Note: DHCP Snooping on Rapier-style switches
Loading...
+ 18 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use