Allied Telesis x900-48 User Manual

AlliedWare™ OS
How To | Use DHCP Snooping, Option 82, and Filtering on AT-9900 and x900-48 Series Switches

Introduction

It has increasingly become a legal requirement for service providers to identify which of their customers were using a specific IP address at a specific time. This means that service providers must be able to:
• Know which customer was allocated an IP address at any time.
• Guarantee that customers cannot avoid detection by spoofing an IP address that was not actually allocated to them.
These security features provide a traceable history in the event of an official query. Three components are used to provide this traceable history:
• DHCP snooping
• DHCP Option 82
• DHCP filtering

What information will you find in this document?

This document describes DHCP snooping, DHCP Option 82 and DHCP filtering, and takes you through step-by-step configuration examples.
With DHCP snooping, an administrator can control port-to-IP connectivity by:
• permitting port access to specified IP addresses only
• permitting port access to DHCP issued IP addresses only
• dictating the number of IP clients on any given port
• passing location information about an IP client to the DHCP server
• permitting only known IP clients to ARP
C613-16082-00 REV B
This document explains each feature and provides the minimum configuration to enable them. There are also two configuration examples that make advanced use of the features.
This document contains the following contents:
Introduction .............................................................................................................................................. 1
What information will you find in this document? ................................................................... 1
Which products and software version does this information apply to? .............................. 3
Related How To Notes ................................................................................................................... 3
DHCP snooping ....................................................................................................................................... 3
Minimum configuration ................................................................................................................... 4
The database ..................................................................................................................................... 5
Trusted and non-trusted ports ..................................................................................................... 7
Enabling DHCP snooping ............................................................................................................... 7
Static binding ..................................................................................................................................... 7
Completely removing the DHCP snooping database .............................................................. 8
DHCP Option 82 .................................................................................................................................... 9
Protocol details ................................................................................................................................. 9
Configuring Option 82 .................................................................................................................. 10
DHCP filtering ........................................................................................................................................ 11
Configuring filtering ....................................................................................................................... 12
Supporting multiple devices on a port ...................................................................................... 12
ARP security .................................................................................................................................... 13
Resource considerations .............................................................................................................. 14
Configuration examples ....................................................................................................................... 15
Configuring the switch for DHCP snooping, filtering, and Option 82, when it is
acting as a layer 2 switch ....................................................................................................... 15
Configuring the switch for DHCP snooping, filtering and Option 82, when it is
acting as a layer 3 BOOTP Relay Agent ............................................................................ 19
Troubleshooting ..................................................................................................................................... 23
No trusted ports configured ....................................................................................................... 23
The DHCP client continually sends requests instead of a discover ................................... 24
Maximum number of leases is exceeded .................................................................................. 24
Switch is dropping ARPs ............................................................................................................... 26
The DHCP ACK is dropped by the switch .............................................................................. 28
Cannot create a binding entry .................................................................................................... 34
Entries with client lease but no listeners .................................................................................. 36
Appendix 1: ISC DHCP server .................................................................................................. 37
Page 2 | AlliedWare™ OS How To Note: DHCP snooping on AT-9900-style switches

Which products and software version does this information apply to?

The information provided in this document applies to the following switches, running AlliedWare version 2.7.6 and above:
• AT-9900 series
• x900-48 series
• AT-8948

Related How To Notes

The following How To Note describes DHCP snooping on AT-8600, AT-8800, AT-8700XL, Rapier, and Rapier i series switches:
• How To Use DHCP Snooping, Option 82, and Filtering on AT-8800, AT-8600, AT-8700XL, Rapier, and Rapier i Series Switches
The following How To Notes also use DHCP snooping in their solutions:
• How To Use MAC-Forced Forwarding with DHCP Snooping to Create Enhanced Private VLANs
• How To Create A Secure Network With Allied Telesis Managed Layer 3 Switches
• How To Use DHCP Snooping and ARP Security to Block ARP Poisoning Attacks
How To Notes are available from the library at www.alliedtelesis.com/resources/literature/howto.aspx.

DHCP snooping

DHCP snooping forces all DHCP packets to be sent up to the switch CPU before forwarding. The switch CPU then keeps a database of the IP addresses that are currently allocated to downstream clients and the switch ports that the relevant clients are attached to.
Note: The switch CPU does not store a history log. The DHCP server does this.
DHCP snooping performs two main tasks:
• Keeping a record of which IP addresses are currently allocated to hosts downstream of the ports on the switch.
• Deciding which packets are candidates for having Option 82 information inserted, and actively filtering out packets that are deemed to be invalid DHCP packets (according to criteria described below).
Note: Option 82 must be enabled separately.

Minimum configuration

On x900 and AT-9900 series switches, the configuration below is the minimum required to use DHCP snooping while still providing unfiltered connectivity. With this configuration a client will be able to receive a DHCP address and access the IP network unfiltered, and the administrator will be able to see the current valid entries in the DHCP snooping database.
Note: With this configuration, a client could manually change its IP and MAC address and still be able to access the IP network unfiltered.
# DHCP Snooping configuration - Pre QoS
enable dhcpsnooping
set dhcpsnooping port=24 trusted=yes

# CLASSIFR configuration
create classifier=50 macsaddr=dhcpsnooping protocol="ip" ipsaddr=dhcpsnooping

# QOS configuration
create qos policy=1
create qos trafficclass=1
create qos flow=50 action=FORWARD
add qos policy=1 trafficclass=1
set qos port=1-23 policy=1
add qos trafficclass=1 flow=50
add qos flow=50 classifier=50

The database

The switch watches the DHCP packets that it is passing back-and-forth. It also maintains a database that lists the DHCP leases it knows are being held by devices downstream of its ports.
Each lease in the database holds the following information:
• the MAC address of the client device
• the IP address that was allocated to that client
• time until expiry
• VLAN to which the client is attached
• the port to which the client is attached
When inserting Option 82 information into the DHCP packets, the switch uses the information it has stored in the database for filtering and for filling in the fields.
DHCP snooping database time-out
The CPU will time-out database entries if the lease, also stored in the database, expires.
Database survival across reboots
The database is periodically saved as a .dsn file into non-volatile storage, therefore the database will survive a reboot.
DHCP snooping show commands
To verify the status of snooped users, use the command show dhcpsnooping database.
Manager > show dhcpsnooping database
DHCP Snooping Binding Database
-----------------------------------------------------------------------------
Full Leases/Max Leases ... 1/52
Check Interval ........... 60 seconds
Database Listeners ....... CLASSIFR

Current valid entries
MAC Address        IP Address       Expires(s)  VLAN  Port  ID  Source
-----------------------------------------------------------------------------
00-03-47-6b-a5-7a  10.11.67.50      56          48    16    3   Dynamic
-----------------------------------------------------------------------------
Entries with client lease but no listeners
MAC Address        IP Address       Expires(s)  VLAN  Port  ID  Source
-----------------------------------------------------------------------------
None...
-----------------------------------------------------------------------------
Entries with no client lease and no listeners
MAC Address        IP Address       Expires(s)  VLAN  Port  ID  Source
-----------------------------------------------------------------------------
None...
List of terms:
MAC Address: The MAC address of the snooped DHCP client.
IP Address: The IP address that has been allocated to the snooped DHCP client.
Expires: The time, in seconds, until the DHCP client entry will expire.
VLAN: The VLAN to which the snooped DHCP client is connected.
Port: The port to which the snooped DHCP client is connected.
ID: The unique ID for the entry in the DHCP snooping database. This ID is dynamically allocated to all clients. (The same ID can be seen in show dhcpsnooping filter.)
Database Listeners: These are switch features (or modules) that have registered to listen to the Binding Database. Database listeners are informed when an entry is added or deleted from the database. In this case the Classifier module will be informed so the dynamic classifiers can be updated.
Source: How the DHCP binding was entered into the database:
• User = static
• File = read from bindings.dsn (usually at boot time)
• Dynamic = it was snooped
To see port details, use the commands show dhcpsnooping port and show dhcpsnooping count.
Manager > show dhcpsnooping port=16
DHCP Snooping Port Information:
---------------------------------------------------------------------
Port ..................... 16
Trusted .................. No
Full Leases/Max Leases ... 1/1
Subscriber-ID ............
Manager > show dhcpsnooping count
DHCP Snooping Counters
---------------------------------------------------------------------
DHCP Snooping
  InPackets .................... 1751
  InBootpRequests ............... 908
  InBootpReplies ................ 843
  InDiscards ...................... 0
ARP Security
  InPackets ....................... 0
  InDiscards ...................... 0
  NoLease ......................... 0
  Invalid ......................... 0
---------------------------------------------------------------------

Trusted and non-trusted ports

The concept of trusted and non-trusted ports is fundamental to the operation of DHCP snooping:
• Trusted ports connect to a trusted entity in the network, and are under the complete control of the network manager.
• Non-trusted ports connect an untrusted entity to the trusted network.
• Non-trusted ports can connect to non-trusted ports.
In general, trusted ports connect to the network core, and non-trusted ports connect to subscribers.
DHCP snooping will make forwarding decisions based on the trust status of ports:
• BOOTP packets that contain Option 82 information received on untrusted ports will be dropped.
• If Option 82 is enabled, the switch will insert Option 82 information into BOOTP REQUEST packets received from an untrusted port.
• BOOTP REQUEST packets that contain Option 82 information received on trusted ports will not have the Option 82 information updated with information for the receive port. It will be kept.
• BOOTP REPLY packets (from servers) should come from a trusted source.
• The switch will remove Option 82 information from BOOTP REPLY packets destined to an untrusted port.
• BOOTP REPLY packets received on non-trusted ports will be dropped.

Enabling DHCP snooping

DHCP snooping is enabled globally by the command enable dhcpsnooping. All ports are untrusted by default. For DHCP snooping to do anything useful, at least one port must be trusted.

Static binding

If there is a device with a statically set IP address attached to a port in the DHCP snooping port range, then, with filtering enabled, it is necessary to statically bind it to the port. This will ensure the device's IP connectivity to the rest of the network.
If a device with the IP 172.16.1.202 and MAC address 00-00-00-00-00-ca is attached to VLAN 1 on port 2, then a static binding is configured by adding the following command to the basic DHCP configuration (see "Minimum configuration" on page 4):
add dhcpsnooping binding=00-00-00-00-00-CA interface=vlan1 ip=172.16.1.202 port=2
Adding a static binding uses a lease on the port. If the maximum number of leases on the port is 1 (the default), the static binding means that no device on the port can acquire an address by DHCP.

Completely removing the DHCP snooping database

To completely remove the database, it is necessary to delete the file nvs:bindings.dsn.
Manager > delete fi=nvs:bindings.dsn
nvs:bindings.dsn successfully deleted
1 file deleted.
Info (1056003): Operation successful.
Manager > enable dhcpsnooping
DHCPSN_DB: Reloading static entries...
Info (1137057): DHCPSNOOPING has been enabled.
Manager > DHCPSN_DB: Reading entries from file...
DHCPSN_DB: Full file name is: (nvs:bindings.dsn)
DHCPSN_DB: File nvs:bindings.dsn not present on device, nothing to load.
So the database is empty:
Manager > show dhcpsnooping database
DHCP Snooping Binding Database
-----------------------------------------------------------------------------
Database Version ......... 1
Full Leases/Max Leases ... 0/151
Check Interval ........... 60 seconds
Database Listeners ....... CLASSIFR

Current valid entries
MAC Address        IP Address       Expires(s)  VLAN  Port  ID  Source
-----------------------------------------------------------------------------
None...
-----------------------------------------------------------------------------
Entries with client lease but no listeners
MAC Address        IP Address       Expires(s)  VLAN  Port  ID  Source
-----------------------------------------------------------------------------
None...
-----------------------------------------------------------------------------
Entries with no client lease and no listeners
MAC Address        IP Address       Expires(s)  VLAN  Port  ID  Source
-----------------------------------------------------------------------------
None...
-----------------------------------------------------------------------------

DHCP Option 82

DHCP Relay Agent Information Option 82 is an extension to the Dynamic Host Configuration Protocol (DHCP), and is defined in RFC 3046 and RFC 3993.
DHCP Option 82 can be used to send information about DHCP clients to the authenticating DHCP server. DHCP Option 82 identifies the VLAN number, port number and, optionally, a customer ID of a client during any IP address allocation. When DHCP Option 82 is enabled on the switch, it inserts the above information into the DHCP packets as they pass through the switch on their way to the DHCP server. The DHCP server stores the IP allocation record.
DHCP Option 82 can work in either layer 2 forwarding or layer 3 routing modes. There are significant differences in operation and configuration of these two modes – the latter needing BOOTP Relay support. Some configuration examples and operation descriptions are provided in a later section of this document.
Although Option 82 is titled the DHCP Relay Agent Information Option, the device that inserts the Option 82 information into a DHCP packet does not have to be acting as DHCP relay. A layer 2 switch can insert the Option 82 information into the DHCP packets (if snooping is enabled). The Option 82 information needs to be inserted into the DHCP packets by a switch at the edge of the network, because only the edge switch knows the information that uniquely identifies the subscriber that the IP address was allocated to.
It is quite likely that the edge switch will be a layer 2 switch, rather than a DHCP-relaying layer 3 switch.

Protocol details

In the DHCP packet, the Option 82 segment is organized as a single DHCP option containing one or more sub-options that convey information known by the relay agent. The format of the option is shown below:
 Code   Len     Agent Information Field
+------+------+------+------+------+------+--...-+------+
|  82  |   N  |  i1  |  i2  |  i3  |  i4  |      |  iN  |
+------+------+------+------+------+------+--...-+------+
The sub-options within the DHCP option are constructed as follows:
SubOpt  Len     Sub-option Value
+------+------+------+------+------+------+--...-+------+
|   1  |   N  |  s1  |  s2  |  s3  |  s4  |      |  sN  |
+------+------+------+------+------+------+--...-+------+
SubOpt  Len     Sub-option Value
+------+------+------+------+------+------+--...-+------+
|   2  |   N  |  i1  |  i2  |  i3  |  i4  |      |  iN  |
+------+------+------+------+------+------+--...-+------+
The following table shows a list of the sub-options that are used for identifying the subscriber that the IP address was allocated to:
Sub-option  RFC       Description
1           RFC 3046  Agent Circuit ID sub-option – used for defining the switch port and VLAN number of the port user(s).
2           RFC 3046  Agent Remote ID sub-option – used for defining the MAC address of the switch that added the Option 82 information.
6           RFC 3993  Subscriber-ID sub-option – optionally configured per port using set dhcpsnooping port=x subscriberid=x – can define port customer name, or switch name.
Example Packet
The following shows an extract of a DHCP Request packet that includes Option 82 details:
DHCP Message Type = DHCP Request
Bootstrap Protocol Option 82 – Agent Information (Option)
0000: 52 20 01 06 00 04 00 30 00 05 02 08 00 06 00 00   R ..............
0010: CD 11 B2 52 06 0C 55 73 65 72 49 64 30 31 32 33   ...R..UserId0123
0020: 34 35 45
Analysis
The following table provides an analysis of the strings in the above DHCP Request packet extract:
Text Colour  Bytes                                        Analysis
Green        01 06 00 04 00 30 00 05                      This is the Agent Circuit ID (sub-option 1)
Blue         02 08 00 06 00 00 CD 11 B2 52                This is the Agent Remote ID (sub-option 2)
Red          06 0C 55 73 65 72 49 64 30 31 32 33 34 35    This is the subscriber ID sub-option (sub-option 6, "UserId012345")
The Agent Circuit ID string 00 30 00 05 translates as:
00 30 = 0x30 = 48, so VLAN 48
00 05 = 0x05 = 5, so switch port 5
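As an added example (not part of the Allied Telesis note), the following Python decodes the Option 82 bytes from the packet extract above and encodes the ingress rules from "Trusted and non-trusted ports" as a single decision function. It assumes that the leading 00 04 / 00 06 bytes of the Circuit ID and Remote ID values are a sub-type/length header (the page only decodes the trailing VLAN and port bytes), and it treats a request without Option 82 on a trusted port as simply forwarded.

```python
# Added example, not from the Allied Telesis note: decode the Option 82 field
# from the packet extract and apply the trusted/untrusted ingress rules.
from typing import Dict, Tuple

CIRCUIT_ID, REMOTE_ID, SUBSCRIBER_ID = 1, 2, 6   # sub-option codes (RFC 3046 / RFC 3993)

# Input: the bytes of the DHCP Request extract on this page, starting at the
# option code 82 (0x52). The trailing 0x45 is the start of the next option.
PAGE_EXTRACT = bytes.fromhex(
    "52 20 01 06 00 04 00 30 00 05 02 08 00 06 00 00"
    "CD 11 B2 52 06 0C 55 73 65 72 49 64 30 31 32 33"
    "34 35 45"
)

def parse_option82(data: bytes) -> Tuple[Dict[int, bytes], int]:
    """Split a Relay Agent Information option into {sub-option code: value}.

    Returns the map and the offset just past the option. Any length that
    overruns the buffer raises ValueError, so a truncated or malformed
    option is rejected instead of being half-parsed.
    """
    if len(data) < 2 or data[0] != 82:
        raise ValueError("not a Relay Agent Information option")
    end = 2 + data[1]
    if end > len(data):
        raise ValueError("option length %d overruns buffer" % data[1])
    subopts: Dict[int, bytes] = {}
    pos = 2
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated sub-option header at offset %d" % pos)
        code, sub_len = data[pos], data[pos + 1]
        value_end = pos + 2 + sub_len
        if value_end > end:
            raise ValueError("sub-option %d overruns option at offset %d" % (code, pos))
        subopts[code] = data[pos + 2:value_end]
        pos = value_end
    return subopts, end

def decode_circuit_id(value: bytes) -> Tuple[int, int]:
    """(VLAN, port) from the Agent Circuit ID: the page reads the last four bytes
    as VLAN and port (two bytes each); the leading 00 04 is treated as a
    sub-type/length header (assumption, not stated on the page)."""
    if len(value) != 6:
        raise ValueError("unexpected Agent Circuit ID length %d" % len(value))
    return int.from_bytes(value[2:4], "big"), int.from_bytes(value[4:6], "big")

def decode_remote_id(value: bytes) -> str:
    """Switch MAC from the Agent Remote ID; leading 00 06 taken as a header (assumption)."""
    if len(value) != 8:
        raise ValueError("unexpected Agent Remote ID length %d" % len(value))
    return "-".join("%02x" % b for b in value[2:])

def ingress_action(is_reply: bool, carries_option82: bool,
                   port_trusted: bool, option82_enabled: bool) -> str:
    """Forwarding decision for a BOOTP packet arriving on a snooping port.

    Rules from "Trusted and non-trusted ports": on a non-trusted port, REPLYs
    and any packet already carrying Option 82 are dropped, and a clean REQUEST
    gets Option 82 inserted when the feature is enabled; Option 82 arriving on
    a trusted port is kept unchanged. (Stripping Option 82 from REPLYs on the
    way out to an untrusted port is an egress rule and not modelled here.)
    """
    if not port_trusted:
        if is_reply or carries_option82:
            return "drop"
        return "insert-option82" if option82_enabled else "forward"
    return "keep-option82" if carries_option82 else "forward"
```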

Configuring Option 82

Different commands are used to turn on Option 82 depending on whether the switch is performing DHCP snooping or DHCP relay. For DHCP snooping, the command is:
enable dhcpsnooping option82
The subscriber ID to be used on any given port can be set using the command:
set dhcpsnooping port=x subscriberid="xxxx"
[Figure: Client A and Client B connect to the non-trusted ports of the access device; the trusted ports face the DHCP server.]
If the switch is acting as a DHCP relay and there is no requirement to also maintain a DHCP snooping database, then the DHCP relay process can be configured to insert option 82 information into the relayed packets:
enable bootp relay option82
The subscriber ID to be used on any given port can be configured with:
set bootp relay option82 subscriberid="xxxx"
Note: The use of BOOTP relay without DHCP snooping will not be discussed any further in this document.
Agent Circuit ID and Agent Remote ID are sub-options that are also sent as part of the Option 82 data but they are not configurable.

DHCP filtering

The purpose of DHCP filtering is to prevent IP addresses from being falsified or ‘spoofed’. This guarantees that customers cannot avoid detection by spoofing an IP address that was not actually allocated to them.
DHCP filtering is achieved by creating dynamic classifiers. The dynamic classifiers are configured with DHCP snooping placeholders for the source IP address (and possibly source MAC address), to match on.
The dynamic classifiers are attached to filters, which are applied to a port. Only those packets with a source IP address that matches one of the IP addresses allocated to the devices connected to that port are allowed through.

Configuring filtering

The switch can be configured to block all packets arriving from clients, unless their source addresses are those known by the switch to have been allocated to the clients by DHCP.
Note: The filtering does not, of course, block DHCP packets. In fact, the DHCP snooping process creates a filter which forces DHCP packets to the CPU before any other filters can process the packet.
On the x900 switches, this is achieved by creating classifiers that have placeholder entries for the source IP address and (optionally) the source MAC address parameter.
To create this type of classifier:
create classifier=1 ipsaddress=dhcpsnooping macsaddress=dhcpsnooping <other-parameters>
These classifiers can be applied to hardware filters that will then allow through the appropriate packets (and a subsequent deny-all-else filter can ensure that packets with invalid source addresses are discarded).
You can treat these classifiers like all other classifiers, and use them as part of any QoS or filtering configuration.
How the switch uses these classifiers
These classifiers are attached to flow groups or filters, which are eventually written into hardware tables. When the corresponding filters are written into the hardware tables, the placeholder IP address DHCPsnooping is replaced by the IP address 0.0.0.0 and the placeholder MAC address DHCPsnooping is replaced by the MAC address 00-00-00-00-00-00.
As the DHCP snooping process detects DHCP leases being allocated to devices connected to a port, the 0.0.0.0 and 00-00-00-00-00-00 IP and MAC addresses in the relevant filters applied to that port are replaced by the actual IP address and MAC address of the device receiving the DHCP lease.
Similarly, as the DHCP snooping notices a DHCP lease time out, it finds the filter's entries using the address of the expiring lease, and replaces them with the 0.0.0.0 and 00-00-00-00-00-00 IP and MAC addresses again.

Supporting multiple devices on a port

If there are multiple devices downstream of a port on the switch, and all of those devices can be allocated IP addresses by DHCP, then the ipsaddress=dhcpsnooping clause in the above classifier should match any of the IP addresses allocated to a device connected to that port.
This is achieved by replicating any filter or flowgroup that uses the classifier.
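The following Python is an added model (not the switch's own code) of how database events drive the placeholder classifiers just described: one permit entry per allowed lease on the port, each starting as 0.0.0.0 / 00-00-00-00-00-00, filled in when a lease is snooped and restored when it expires, with an implicit deny-all-else behind them. It assumes a classifier with both the IP and MAC placeholders, as in the "Minimum configuration" section; the first client is the binding from the database output on this page and the other addresses are constructed.

```python
# Added example, not from the Allied Telesis note: a model of how DHCP
# snooping database events drive the placeholder classifiers on one port.
from typing import Dict, List, Tuple

PLACEHOLDER_IP = "0.0.0.0"              # what ipsaddress=dhcpsnooping becomes in hardware
PLACEHOLDER_MAC = "00-00-00-00-00-00"   # what macsaddress=dhcpsnooping becomes in hardware
EMPTY = (PLACEHOLDER_IP, PLACEHOLDER_MAC)

class PortFilters:
    """Hardware filter entries for one port: the permit classifier is replicated
    once per allowed lease (the port's max leases), followed by deny-all-else."""

    def __init__(self, max_leases: int) -> None:
        self.slots: List[Tuple[str, str]] = [EMPTY] * max_leases

    def lease_added(self, ip: str, mac: str) -> bool:
        """Write the new lease into the first placeholder slot; False if the port is full."""
        for i, slot in enumerate(self.slots):
            if slot == EMPTY:
                self.slots[i] = (ip, mac)
                return True
        return False

    def lease_expired(self, ip: str, mac: str) -> None:
        """Locate the entry by the expiring lease's addresses and restore the placeholders."""
        self.slots = [EMPTY if s == (ip, mac) else s for s in self.slots]

    def permits(self, ip: str, mac: str) -> bool:
        """A client packet passes only if its source pair matches a live lease entry;
        a packet that happens to carry the placeholder pair is still denied."""
        return (ip, mac) != EMPTY and (ip, mac) in self.slots

def scenario() -> Dict[str, bool]:
    """Walk three clients through one port with max leases 2; return each check."""
    port = PortFilters(max_leases=2)
    client_a = ("10.11.67.50", "00-03-47-6b-a5-7a")   # binding shown in the database output
    client_b = ("10.11.67.51", "00-03-47-6b-a5-7b")   # constructed
    client_c = ("10.11.67.52", "00-03-47-6b-a5-7c")   # constructed
    out: Dict[str, bool] = {}
    out["a_before_lease"] = port.permits(*client_a)                  # no lease yet: denied
    port.lease_added(*client_a)
    out["a_after_lease"] = port.permits(*client_a)                   # leased pair: permitted
    out["a_spoofed_ip"] = port.permits("10.11.67.99", client_a[1])   # unleased IP: denied
    out["a_spoofed_mac"] = port.permits(client_a[0], "00-03-47-6b-a5-ff")  # wrong MAC: denied
    out["b_fits"] = port.lease_added(*client_b)                      # second replicated slot
    out["c_fits"] = port.lease_added(*client_c)                      # max leases reached
    port.lease_expired(*client_a)
    out["a_after_expiry"] = port.permits(*client_a)                  # placeholders restored
    out["b_unaffected"] = port.permits(*client_b)                    # other lease untouched
    return out
```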