Summary of the content on the page No. 1
TM
AlliedWare OS
How To | Use DHCP Snooping, Option 82, and Filtering on
AT-8800, AT-8600, AT-8700XL, Rapier, and Rapier i
Series Switches
Introduction
It has increasingly become a legal requirement for service providers to identify which of their
customers were using a specific IP address at a specific time. This means that service
providers must be able to:
Know which customer was allocated an IP address at any time.
Guarantee that customers cannot avoid detection by spoofing an IP addre
Summary of the content on the page No. 2
Introduction This document contains the following contents: Introduction .............................................................................................................................................. 1 Which products and software version does this information apply to? .............................. 2 Related How To Notes ................................................................................................................... 3 DHCP snooping ............................
Summary of the content on the page No. 3
DHCP snooping Related How To Notes The following How To Note describes DHCP snooping on AT-9900, x900-48 and AT-8948 series switches: How To Use DHCP Snooping, Option 82, and Filtering on AT-9900 and x900-48 Series Switches The following How To Notes also use DHCP snooping in their solutions: How To Use MAC-Forced Forwarding with DHCP Snooping to Create Enhanced Private VLANs How To Create A Secure Network With Allied Telesis Managed Layer 3 Switches How To Use DHCP Snooping and ARP Secu
Summary of the content on the page No. 4
DHCP snooping The database The switch watches the DHCP packets that it is passing back-and-forth. It also maintains a database that lists the DHCP leases it knows are being held by devices downstream of its ports. Each lease in the database holds the following information: the MAC address of the client device the IP address that was allocated to that client time until expiry VLAN to which the client is attached the port to which the client is attached When inserting Option 82 information
Summary of the content on the page No. 5
DHCP snooping List of terms: MAC Address: The MAC address of the snooped DHCP client. IP Address: The IP address that has been allocated to the snooped DHCP client. Expires: The time, in seconds, until the DHCP client entry will expire. VLAN: The VLAN to which the snooped DHCP client is connected. Port: The port to which the snooped DHCP client is connected. ID: The unique ID for the entry in the DHCP snooping database. This ID is dynamically allocated to all clients. (The same ID can be seen i
Summary of the content on the page No. 6
DHCP snooping Trusted and non-trusted ports The concept of trusted and non-trusted ports is fundamental to the operation of DHCP snooping: Trusted ports connect to a trusted entity in the network, and are under the complete control of the network manager. Non-trusted ports connect an untrusted entity to the trusted network. Non-trusted ports can connect to non-trusted ports. In general, trusted ports connect to the network core, and non-trusted ports connect to subscribers. DHCP snooping
Summary of the content on the page No. 7
DHCP snooping Completely removing the DHCP snooping database To completely remove the database, it is necessary to delete the file nvs:bindings.dsn. Manager > delete fi=nvs:bindings.dsn nvs:bindings.dsn successfully deleted 1 file deleted. Info (1056003): Operation successful. Manager > enable dhcpsnooping DHCPSN_DB: Reloading static entries... Info (1137057): DHCPSNOOPING has been enabled. Manager > DHCPSN_DB: Reading entries from file... DHCPSN_DB: Full file name is: (nvs:bindings.dsn) DHCPSN_
Summary of the content on the page No. 8
DHCP Option 82 DHCP Option 82 DHCP Relay Agent Information Option 82 is an extension to the Dynamic Host Configuration Protocol (DHCP), and is defined in RFC 3046 and RFC 3993. DHCP Option 82 can be used to send information about DHCP clients to the authenticating DHCP server. DHCP Option 82 will identify the VLAN number, port number and, optionally a customer ID of a client, during any IP address allocation. When DHCP Option 82 is enabled on the switch, it inserts the above information int
Summary of the content on the page No. 9
DHCP Option 82 Protocol details In the DHCP packet, the Option 82 segment is organized as a single DHCP option containing one or more sub-options that convey information known by the relay agent. The format of the option is shown below: Code Len Agent Information Field +------+------+------+------+------+------+---+------+ | 82 | N | i1 | i2 | i3 | i4 | | iN | +------+------+------+------+------+------+---+------+ The sub-options with
Summary of the content on the page No. 10
DHCP Option 82 Analysis The following table provides an analysis of the strings in the above DHCP Request packet extract: Text Colour Analysis Green This is the Agent Circuit ID Blue This is the Agent Red This is the subscriber ID sub-option The Agent circuit ID string 00 30 00 05 translates as: 30 = vlan48 05 = switch port 5 Configuring Option 82 Different commands are used to turn on Option 82 depending on whether the switch is performing DHCP snooping or DHCP relay. For the DHCP snooping,
Summary of the content on the page No. 11
DHCP filtering DHCP filtering The purpose of DHCP filtering is to prevent IP addresses from being falsified or ‘spoofed’. This guarantees that customers cannot avoid detection by spoofing an IP address that was not actually allocated to them. DHCP filtering is achieved by creating dynamic classifiers. The dynamic classifiers are configured with DHCP snooping placeholders for the source IP address (and possibly source MAC address), to match on. The dynamic classifiers are attached to filters
Summary of the content on the page No. 12
DHCP filtering ARP security It is also possible to enable DHCP snooping ARP security. If enabled this will ensure that ARP packets received on non-trusted ports are only permitted if they originate from an IP address that has been allocated by DHCP. To enable DHCP snooping ARP security: enable dhcpsnooping arpsecurity DHCP snooping filter show command To see what addresses have been inserted into filters using DHCP snooping classifiers, use the command show dhcpsnooping filter: Manager > sh
Summary of the content on the page No. 13
DHCP filtering a maximum of 13 leases and ports 3 to 8 given 1 lease each. After that, no port could have its leases increased because the filter resource is completely used up. Note: On Allied Telesis switches, IGMP snooping and MLD snooping are enabled by default, which occupy 2 filter entries. To dedicate 119 entries to DHCP snooping, IGMP and MLD snooping would need to be disabled with disable igmpsnooping and disable mldsnooping. Disabling these services is not desirable if multicasting
Summary of the content on the page No. 14
Configuration examples Configuration examples This section contains the following examples: "Configuring the switch for DHCP snooping, filtering and Option 82, when it is acting as a layer 2 switch" on page 14 "Configuring the switch for DHCP snooping, filtering, and Option 82, when it is acting as a layer 3 BOOTP Relay Agent" on page 17 Configuring the switch for DHCP snooping, filtering and Option 82, when it is acting as a layer 2 switch In a layer 2 switching environment, a switch confi
Summary of the content on the page No. 15
Configuration examples Add the tagged uplink ports to the VLAN: add vlan="48" port=24 frame=tagged uplink Add the untagged ports for the customers: add vlan="48" port=1-23 This is a layer 2 solution. The IP protocol does not need to be configured. Enable DHCP snooping and Option 82 support: enable dhcpsnooping enable dhcpsnooping option82 It is also possible to enable DHCP snooping ARP security. If enabled, this will ensure that ARP packets received on non-trusted ports are only permitted i
Summary of the content on the page No. 16
Configuration examples Create a set of QoS classifiers: create classifier=50 tcpdport=20 create classifier=51 tcpdport=21 create classifier=52 tcpdport=23 create classifier=53 ethformat=ethii prot=0800 Classifiers will be applied in QoS to allow prioritisation or traffic shaping. The above example classifies FTP and telnet. Note: These switches do filtering by default. You do not need to write a rule to drop the traffic that doesn’t have a current binding in the DHCP database. Define the ups
Summary of the content on the page No. 17
Configuration examples Configuring the switch for DHCP snooping, filtering, and Option 82, when it is acting as a layer 3 BOOTP Relay Agent In a layer 3 routing environment, the switch takes on a role of BOOTP Relay Agent, with support for DHCP Option 82. The relay agent inserts the information mentioned above when forwarding client-originated DHCP packets to a DHCP server. DHCP servers that are configured to recognise the relay agent information option may use the information to keep a lo
Summary of the content on the page No. 18
Configuration examples Configure the switch’s IP: enable ip add ip int=vlan48 ip=10.11.67.254 mask=255.255.255.0 add ip int=vlan50 ip=10.50.1.254 mask=255.255.255.0 add ip rou=0.0.0.0 mask=0.0.0.0 int=vlan50 next=10.50.1.1 For layer 3 support, enable the BOOTP Relay: enable bootp relay add bootp relay=10.50.1.100 Here the DHCP server is set to 10.50.1.100. Enable DHCP snooping and Option 82 support: enable dhcpsnooping enable dhcpsnooping option82 Note: It is also possible to enable DHCP sn
Summary of the content on the page No. 19
Configuration examples Create a set of QoS classifiers: create classifier=50 tcpdport=20 create classifier=51 tcpdport=21 create classifier=52 tcpdport=23 create classifier=53 ethformat=ethii prot=0800 Classifiers will be applied in QoS to allow prioritisation or traffic shaping. The above example classifies FTP and telnet. Note: These switches do filtering by default. You do not need to write a rule to drop the traffic that doesn’t have a current binding in the DHCP database. Define the ups
Summary of the content on the page No. 20
Troubleshooting Troubleshooting Use the command enable dhcpsnooping debug=all to get the most verbose level of debugging available. In the following sections, all debugging comes from that command. Let’s look at how you can use debugging to investigate some common problem scenarios. No trusted ports configured In the following output, you can see that a DHCP request has arrived at the switch on port 1. The switch does not forward this on to any other port. DHCPSN_Process: [0b4333cc] DHCP Snoop