Allied Telesis AT-8700XL Series User Manual

Page 11 | AlliedWare™ OS How To Note: DHCP Snooping on Rapier-style switches
DHCP filtering
The purpose of DHCP filtering is to prevent IP addresses from being falsified or ‘spoofed’. 
This guarantees that customers cannot avoid detection by spoofing an IP address that was 
not actually allocated to them.
DHCP filtering is achieved by creating dynamic classifiers. These classifiers are 
configured with DHCP snooping placeholders for the source IP address (and optionally the 
source MAC address) to match on. 
The dynamic classifiers are attached to filters, which are applied to a port. Only those 
packets with a source IP address that matches one of the IP addresses allocated to the 
devices connected to that port are allowed through.
Configuring filtering
The switch can be configured to block all packets arriving from clients, unless their source 
addresses are those known by the switch to have been allocated to the clients by DHCP.
Note:
The filtering does not, of course, block DHCP packets. In fact, the DHCP snooping 
process creates a filter which forces DHCP packets to the CPU before any other 
filters can process the packet.
set dhcpsnooping port=<port-list> maxlease=<number>
When DHCP snooping is enabled, one blocking filter rule is set up on each port. Then, a 
permit rule for each client is set up in the switch’s hardware filtering table after a DHCP 
exchange is successfully completed. These dynamic filtering rules are added for each unique 
DHCP client until there are maxlease number of entries on that port, or the switch has run 
out of filter resources.
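To make the filtering behaviour described above concrete, here is a small Python model of the per-port blocking rule, the per-client permit rules and the maxlease limit. It is an added illustration written for this page, not code from the How To Note or from AlliedWare OS; the class and method names, and the treatment of a port without snooping as a trusted port that is not filtered, are assumptions made for the model.

```python
"""Model of DHCP-snooping-based source address filtering on untrusted ports.

Constructed illustration: a per-port binding table stands in for the switch's
hardware filtering table, and decide() stands in for the filter lookup.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

DHCP_SERVER_UDP_PORT = 67
DHCP_CLIENT_UDP_PORT = 68


@dataclass
class Packet:
    """The fields of an ingress frame that the filter looks at."""
    port: str                     # ingress switch port, e.g. "port1"
    src_mac: str
    src_ip: str
    udp_dst: Optional[int] = None  # None for non-UDP traffic


@dataclass
class SnoopedPort:
    """State for one untrusted port: the maxlease cap and learned bindings."""
    maxlease: int
    match_mac: bool = True                        # also match source MAC
    bindings: Dict[str, str] = field(default_factory=dict)  # src_ip -> src_mac


class DhcpSnoopingFilter:
    """Hypothetical model of the blocking filter plus dynamic permit rules."""

    def __init__(self) -> None:
        self.ports: Dict[str, SnoopedPort] = {}

    def enable(self, port: str, maxlease: int, match_mac: bool = True) -> None:
        """Models 'set dhcpsnooping port=... maxlease=...': installs the
        blocking rule for the port with no permit rules yet."""
        self.ports[port] = SnoopedPort(maxlease=maxlease, match_mac=match_mac)

    def lease_completed(self, port: str, mac: str, ip: str) -> bool:
        """Called when a DHCP exchange on `port` completes successfully.
        Adds a permit rule (binding) unless the port is at maxlease.
        Returns True if a permit rule now exists for the client."""
        p = self.ports[port]
        if ip in p.bindings:            # renewal of an existing lease
            p.bindings[ip] = mac
            return True
        if len(p.bindings) >= p.maxlease:
            return False                # no room: client stays blocked
        p.bindings[ip] = mac
        return True

    def decide(self, pkt: Packet) -> str:
        """Return 'to-cpu', 'permit' or 'drop' for one ingress packet."""
        p = self.ports.get(pkt.port)
        if p is None:
            return "permit"             # assumption: no snooping => trusted port
        if pkt.udp_dst in (DHCP_SERVER_UDP_PORT, DHCP_CLIENT_UDP_PORT):
            return "to-cpu"             # DHCP is punted before any other filter
        bound_mac = p.bindings.get(pkt.src_ip)
        if bound_mac is None:
            return "drop"               # source IP never allocated on this port
        if p.match_mac and bound_mac != pkt.src_mac:
            return "drop"               # IP allocated, but to a different MAC
        return "permit"


def demo() -> Dict[str, str]:
    """Walk one untrusted port through a lease and a few forged packets."""
    f = DhcpSnoopingFilter()
    f.enable("port1", maxlease=1)
    results = {}
    # Constructed sample traffic from two clients on port1.
    results["discover_before_lease"] = f.decide(
        Packet("port1", "00:00:5e:00:53:0a", "0.0.0.0", udp_dst=67))
    results["data_before_lease"] = f.decide(
        Packet("port1", "00:00:5e:00:53:0a", "192.0.2.10"))
    f.lease_completed("port1", "00:00:5e:00:53:0a", "192.0.2.10")
    results["data_after_lease"] = f.decide(
        Packet("port1", "00:00:5e:00:53:0a", "192.0.2.10"))
    results["spoofed_ip"] = f.decide(
        Packet("port1", "00:00:5e:00:53:0a", "192.0.2.99"))
    results["spoofed_mac"] = f.decide(
        Packet("port1", "00:00:5e:00:53:0b", "192.0.2.10"))
    results["second_client_fits"] = str(
        f.lease_completed("port1", "00:00:5e:00:53:0b", "192.0.2.11"))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

With maxlease=1, the second client's lease completes at the DHCP level but gets no permit rule, so its data traffic keeps hitting the port's blocking rule; that is the condition to watch for when sizing maxlease against the expected number of hosts behind each untrusted port.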
To configure how many times the filters or flowgroups will be replicated:
[Figure: Client A and Client B on non-trusted ports of the access device; the DHCP server on a trusted port]