C613-16086-00 REV B
www.alliedtelesis.com
AlliedWare™ OS
How To |
Introduction
It has increasingly become a legal requirement for service providers to identify which of their
customers were using a specific IP address at a specific time. This means that service
providers must be able to:
• Know which customer was allocated an IP address at any time.
• Guarantee that customers cannot avoid detection by spoofing an IP address that was not actually allocated to them.
These security features provide a traceable history in the event of an official query. Three
components are used to provide this traceable history:
• DHCP snooping
• DHCP Option 82
• DHCP filtering
With DHCP snooping an administrator can control port-to-IP connectivity by:
• permitting port access to specified IP addresses only
• permitting port access to DHCP issued IP addresses only
• dictating the number of IP clients on any given port
• passing location information about an IP client to the DHCP server
• permitting only known IP clients to ARP
This document explains each feature and provides the minimum configuration to enable
them. There are also two configuration examples that make advanced use of the features.
Use DHCP Snooping, Option 82, and Filtering on AT-8800, AT-8600, AT-8700XL, Rapier, and Rapier i Series Switches
AlliedWare™ OS How To Note: DHCP Snooping on Rapier-style switches
This document contains the following sections:
Introduction
    Which products and software version does this information apply to?
    Related How To Notes
DHCP snooping
    Minimum configuration
    The database
    Trusted and non-trusted ports
    Enabling DHCP snooping
    Static binding
    Completely removing the DHCP snooping database
DHCP Option 82
    Protocol details
    Configuring Option 82
DHCP filtering
    Configuring filtering
    ARP security
    Resource considerations
Configuration examples
    Configuring the switch for DHCP snooping, filtering and Option 82, when it is acting as a layer 2 switch
    Configuring the switch for DHCP snooping, filtering, and Option 82, when it is acting as a layer 3 BOOTP Relay Agent
Troubleshooting
    No trusted ports configured
    The DHCP client continually sends requests instead of a discover
    Switch is dropping ARPs
    Displaying log entries
Appendix 1: ISC DHCP server
Which products and software version does this information apply to?
The information provided in this document applies to the following switches, running
AlliedWare version 2.7.6 and above:
• AT-8800 series
• AT-8600 series
• AT-8700XL series
• Rapier and Rapier i series