Alcatel-Lucent 6850-48 Network Guide
Configuring DHCP Security Features
Configuring DHCP Relay
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
Configuring Port IP Source Filtering
IP source filtering applies to DHCP Snooping ports and restricts port traffic to only packets that contain
the client source MAC address and IP address. The DHCP Snooping binding table is used to verify the
client information for the port that is enabled for IP source filtering.
By default, IP source filtering is disabled for a DHCP Snooping port. Use the
ip helper dhcp-snooping port ip-source-filtering command to enable or disable this function for a
specific port or range of ports. For example:
-> ip helper dhcp-snooping port 1/10 ip-source-filtering enable
-> ip helper dhcp-snooping port 2/1-5 ip-source-filtering enable
Note that when IP source filtering is enabled, the maximum number of clients supported is 125 per
switching ASIC. Each switching ASIC controls 12 ports (e.g., ports 1–12, 13–24, etc.) on an OS6800 and 24
ports (e.g., ports 1–24, 25–48, etc.) on an OS6850 unit or OS9000 module.
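The following Python sketch is an added example, not part of the OmniSwitch guide or of AOS. It models the port, source MAC and source IP check that IP source filtering makes against the binding table, and flags any switching ASIC whose filtered ports hold more than 125 clients. The tuple layout, the sample bindings and the way clients are counted per ASIC are assumptions made for illustration.

```python
from collections import Counter

PORTS_PER_ASIC = {"OS6800": 12, "OS6850": 24, "OS9000": 24}  # per the note above
MAX_CLIENTS_PER_ASIC = 125

def expand_ports(spec):
    """Expand a CLI port spec such as '1/10' or '2/1-5' into (slot, port) tuples."""
    slot, ports = spec.split("/")
    first, _, last = ports.partition("-")
    return [(int(slot), p) for p in range(int(first), int(last or first) + 1)]

def permit(bindings, filtered, slot_port, src_mac, src_ip):
    """Decide whether a packet received on slot_port is forwarded."""
    if slot_port not in filtered:
        return True  # filtering is disabled by default on a DHCP Snooping port
    # Both the source MAC and the source IP must match a binding for this port.
    return (slot_port, src_mac.lower(), src_ip) in bindings

def over_limit(bindings, filtered, model):
    """Return (slot, asic_index) pairs whose filtered-port client count exceeds 125."""
    per_asic = PORTS_PER_ASIC[model]
    usage = Counter(
        (slot, (port - 1) // per_asic)
        for (slot, port), _mac, _ip in bindings
        if (slot, port) in filtered
    )
    return sorted(asic for asic, n in usage.items() if n > MAX_CLIENTS_PER_ASIC)

def sample():
    """Constructed data: the two example port specs and 127 made-up bindings."""
    filtered = set(expand_ports("1/10") + expand_ports("2/1-5"))
    bindings = {((1, 10), "00:2a:95:51:6c:11", "17.15.3.11")}
    for i in range(126):  # 126 clients spread over ports 2/1-5, all on one ASIC
        port = (2, 1 + i % 5)
        bindings.add((port, f"00:2a:95:00:00:{i:02x}", f"17.15.4.{i + 1}"))
    return filtered, bindings

if __name__ == "__main__":
    filtered, bindings = sample()
    print(permit(bindings, filtered, (1, 10), "00:2A:95:51:6C:11", "17.15.3.11"))
    print(permit(bindings, filtered, (1, 10), "00:2a:95:51:6c:11", "17.15.3.99"))
    print(over_limit(bindings, filtered, "OS6850"))
```

Running the capacity check against an export of the binding table before enabling filtering on more ports shows which ASIC would be pushed past the limit.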
Configuring the DHCP Snooping Binding Table
The DHCP Snooping binding table is automatically enabled by default when DHCP Snooping is enabled
at either the switch or VLAN level. This table is used by DHCP Snooping to filter DHCP traffic that is
received on untrusted ports.
Entries are made in this table when the relay agent receives a DHCPACK packet from a trusted DHCP
server. The agent extracts the client information, populates the binding table with the information and then
forwards the DHCPACK packet to the port where the client request originated.
To enable or disable the DHCP Snooping binding table, use the ip helper dhcp-snooping binding
command. For example:
-> ip helper dhcp-snooping binding enable
-> ip helper dhcp-snooping binding disable
Note that enabling the binding table functionality is not allowed if Option-82 data insertion is not enabled
at either the switch or VLAN level.
In addition, it is also possible to configure static binding table entries. This type of entry is created using
available ip helper dhcp-snooping binding command parameters to define the static entry. For example,
the following command creates a static DHCP client entry:
-> ip helper dhcp-snooping binding 00:2a:95:51:6c:10 port 1/15 address 17.15.3.10 lease-time 3 vlan 200
To remove a static binding table entry, use the no form of the ip helper dhcp-snooping binding
command. For example:
-> no ip helper dhcp-snooping binding 00:2a:95:51:6c:10 port 1/15 address 17.15.3.10 lease-time 3 vlan 200
To view the DHCP Snooping binding table contents, use the
command. See the OmniSwitch CLI Reference Guide for example outputs of this command.