Install guide

Using DHCP filtering and ARP security
ARP security

To permit only trusted clients to access the network, you must enable ARP
security. This ensures that only the clients listed in the DHCP snooping
database can send ARP messages into the network. To enable ARP security, use
the command:

    enable dhcpsnooping arpsecurity

For more information, see “DHCP Snooping ARP Security” in the DHCP
Snooping chapter of your Software Reference.

DHCP filtering

DHCP filtering prevents IP addresses from being falsified or “spoofed”. This
guarantees that malicious devices cannot avoid detection by spoofing IP
addresses that are not actually allocated to them.

On the AT-8600, AT-8700XL, AT-8800, and Rapier Series switches, when
DHCP snooping is enabled, the EAN only allows packets to enter via a given
port if their source IP address is currently allocated to a client connected to that
port. This type of filtering is automatic and does not require any configuration.

You can enhance DHCP filtering so that the switch drops multicast and
broadcast packets sent from a client, except for:

- ARP packets
- IGMP Replies and IGMP Leaves packets, when IGMP snooping is enabled
- DHCP packets, when DHCP snooping is enabled

To enable enhanced DHCP filtering, use the command:

    enable dhcpsnooping strictunicast
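
The ARP security and DHCP filtering rules described above for the AT-8600, AT-8700XL, AT-8800, and Rapier Series switches can be read as a per-frame decision. The following Python model is an added example, not Allied Telesis code or the switch's own implementation. The Binding and Frame types, the decide function, the sample addresses, the always-permit handling of DHCP, and the handling of ARP while ARP security is off are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:                 # one row of the modelled DHCP snooping database
    port: int
    mac: str
    ip: str
    expires: int               # lease end, seconds on an arbitrary clock

@dataclass(frozen=True)
class Frame:
    port: int
    src_mac: str
    src_ip: str                # for ARP: the sender protocol address
    dst_mac: str
    kind: str                  # ip, arp, dhcp, igmp_report, igmp_leave, igmp_query

def is_group(mac):
    """True for multicast and broadcast destinations (I/G bit set)."""
    return int(mac.split(":")[0], 16) & 1 == 1

def decide(f, db, now, arp_security=False, strict_unicast=False, igmp_snooping=False):
    live = [b for b in db if b.port == f.port and b.expires > now]
    if f.kind == "dhcp":
        # Assumption: client DHCP traffic always reaches the snooping process,
        # otherwise a client without a lease could never obtain one.
        return "permit"
    if f.kind == "arp":
        if not arp_security:   # Assumption: ARP is unfiltered until ARP security is on
            return "permit"
        known = any(b.mac == f.src_mac and b.ip == f.src_ip for b in live)
        return "permit" if known else "drop: ARP sender not in snooping database"
    if strict_unicast and is_group(f.dst_mac):
        # ARP and DHCP were handled above; IGMP replies/leaves pass only with IGMP snooping
        if not (igmp_snooping and f.kind in ("igmp_report", "igmp_leave")):
            return "drop: strictunicast"
    if any(b.ip == f.src_ip for b in live):
        return "permit"
    return "drop: source IP not allocated on this port"

# Constructed sample data (documentation address ranges)
DB = [Binding(1, "00:00:5e:00:53:01", "192.0.2.10", expires=3600),
      Binding(2, "00:00:5e:00:53:02", "192.0.2.20", expires=100)]
BCAST, GW = "ff:ff:ff:ff:ff:ff", "00:00:5e:00:53:fe"

if __name__ == "__main__":
    spoof = Frame(1, "00:00:5e:00:53:01", "192.0.2.20", GW, "ip")
    print(decide(spoof, DB, now=0))
```
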

On the AT-8948, x900-48, and AT-9900 Series switches, to configure DHCP
filtering, you must create classifiers and incorporate them into a QoS
configuration. To create classifiers, enter one or both of the dhcpsnooping
options in the command:

    create classifier=rule-id [macsaddress=dhcpsnooping]
        [ipsaddress=dhcpsnooping]

You can treat these classifiers like all other classifiers, and use them as part of
any QoS or filtering configuration. See the Generic Packet Classifier chapter of
your Software Reference for further information about creating classifiers.

To enhance DHCP filtering so that the switch drops all IGMP queries sent from
a client, use the command:

    enable dhcpsnooping strictunicast

To filter other multicast and broadcast packets, you must use classifiers.