- Allied Telesis, Inc Switches Datasheet

ManualsBrandsAllied Telesis ManualsSwitchRapier i Series

C613-16086-00 REV B

www.alliedtelesis.com

AlliedWare

How To |

Introduction

It has increasingly become a legal requirement for service providers to identify which of their

customers were using a specific IP address at a specific time. This means that service

providers must be able to:

z Know which customer was allocated an IP address at any time.

z Guarantee that customers cannot avoid detection by spoofing an IP address that was not

actually allocated to them.

These security features provide a traceable history in the event of an official query. Three

components are used to provide this traceable history:

z DHCP snooping

z DHCP Option 82

z DHCP filtering

With DHCP snooping an administrator can control port-to-IP connectivity by:

z permitting port access to specified IP addresses only

z permitting port access to DHCP issued IP addresses only

z dictating the number of IP clients on any given port

z passing location information about an IP client to the DHCP server

z permitting only known IP clients to ARP

This document explains each feature and provides the minimum configuration to enable

them. There are also two configuration examples that make advanced use of the features.

Use DHCP Snooping, Option 82, and Filtering on

AT-8800, AT-8600, AT-8700XL, Rapier, and Rapier i

Series Switches

Summary of content (26 pages)

PAGE 1
AlliedWareTM OS How To | Use DHCP Snooping, Option 82, and Filtering on AT-8800, AT-8600, AT-8700XL, Rapier, and Rapier i Series Switches Introduction It has increasingly become a legal requirement for service providers to identify which of their customers were using a specific IP address at a specific time. This means that service providers must be able to: z Know which customer was allocated an IP address at any time.
PAGE 2
Introduction This document contains the following contents: Introduction .............................................................................................................................................. 1 Which products and software version does this information apply to? .............................. 2 Related How To Notes ................................................................................................................... 3 DHCP snooping .......................................
PAGE 3
DHCP snooping Related How To Notes The following How To Note describes DHCP snooping on AT-9900, x900-48 and AT-8948 series switches: z How To Use DHCP Snooping, Option 82, and Filtering on AT-9900 and x900-48 Series Switches The following How To Notes also use DHCP snooping in their solutions: z How To Use MAC-Forced Forwarding with DHCP Snooping to Create Enhanced Private VLANs z How To Create A Secure Network With Allied Telesis Managed Layer 3 Switches z How To Use DHCP Snooping and ARP Security
PAGE 4
DHCP snooping The database The switch watches the DHCP packets that it is passing back-and-forth. It also maintains a database that lists the DHCP leases it knows are being held by devices downstream of its ports.
PAGE 5
DHCP snooping List of terms: MAC Address: The MAC address of the snooped DHCP client. IP Address: The IP address that has been allocated to the snooped DHCP client. Expires: The time, in seconds, until the DHCP client entry will expire. VLAN: The VLAN to which the snooped DHCP client is connected. Port: The port to which the snooped DHCP client is connected. ID: The unique ID for the entry in the DHCP snooping database. This ID is dynamically allocated to all clients.
PAGE 6
DHCP snooping Trusted and non-trusted ports The concept of trusted and non-trusted ports is fundamental to the operation of DHCP snooping: z Trusted ports connect to a trusted entity in the network, and are under the complete control of the network manager. z Non-trusted ports connect an untrusted entity to the trusted network. z Non-trusted ports can connect to non-trusted ports. In general, trusted ports connect to the network core, and non-trusted ports connect to subscribers.
PAGE 7
DHCP snooping Completely removing the DHCP snooping database To completely remove the database, it is necessary to delete the file nvs:bindings.dsn. Manager > delete fi=nvs:bindings.dsn nvs:bindings.dsn successfully deleted 1 file deleted. Info (1056003): Operation successful. Manager > enable dhcpsnooping DHCPSN_DB: Reloading static entries... Info (1137057): DHCPSNOOPING has been enabled. Manager > DHCPSN_DB: Reading entries from file... DHCPSN_DB: Full file name is: (nvs:bindings.
PAGE 8
DHCP Option 82 DHCP Option 82 DHCP Relay Agent Information Option 82 is an extension to the Dynamic Host Configuration Protocol (DHCP), and is defined in RFC 3046 and RFC 3993. DHCP Option 82 can be used to send information about DHCP clients to the authenticating DHCP server. DHCP Option 82 will identify the VLAN number, port number and, optionally a customer ID of a client, during any IP address allocation.
PAGE 9
DHCP Option 82 Protocol details In the DHCP packet, the Option 82 segment is organized as a single DHCP option containing one or more sub-options that convey information known by the relay agent.
PAGE 10
DHCP Option 82 Analysis The following table provides an analysis of the strings in the above DHCP Request packet extract: Text Colour Analysis Green This is the Agent Circuit ID Blue This is the Agent Red This is the subscriber ID sub-option The Agent circuit ID string 00 30 00 05 translates as: 30 = vlan48 05 = switch port 5 Configuring Option 82 Different commands are used to turn on Option 82 depending on whether the switch is performing DHCP snooping or DHCP relay.
PAGE 11
DHCP filtering DHCP filtering The purpose of DHCP filtering is to prevent IP addresses from being falsified or ‘spoofed’. This guarantees that customers cannot avoid detection by spoofing an IP address that was not actually allocated to them. DHCP filtering is achieved by creating dynamic classifiers. The dynamic classifiers are configured with DHCP snooping placeholders for the source IP address (and possibly source MAC address), to match on.
PAGE 12
DHCP filtering ARP security It is also possible to enable DHCP snooping ARP security. If enabled this will ensure that ARP packets received on non-trusted ports are only permitted if they originate from an IP address that has been allocated by DHCP.
PAGE 13
DHCP filtering a maximum of 13 leases and ports 3 to 8 given 1 lease each. After that, no port could have its leases increased because the filter resource is completely used up. Note: On Allied Telesis switches, IGMP snooping and MLD snooping are enabled by default, which occupy 2 filter entries. To dedicate 119 entries to DHCP snooping, IGMP and MLD snooping would need to be disabled with disable igmpsnooping and disable mldsnooping.
PAGE 14
Configuration examples Configuration examples This section contains the following examples: z "Configuring the switch for DHCP snooping, filtering and Option 82, when it is acting as a layer 2 switch" on page 14 z "Configuring the switch for DHCP snooping, filtering, and Option 82, when it is acting as a layer 3 BOOTP Relay Agent" on page 17 Configuring the switch for DHCP snooping, filtering and Option 82, when it is acting as a layer 2 switch In a layer 2 switching environment, a switch configured wi
PAGE 15
Configuration examples X Add the tagged uplink ports to the VLAN: add vlan="48" port=24 frame=tagged uplink X Add the untagged ports for the customers: add vlan="48" port=1-23 This is a layer 2 solution. The IP protocol does not need to be configured. X Enable DHCP snooping and Option 82 support: enable dhcpsnooping enable dhcpsnooping option82 It is also possible to enable DHCP snooping ARP security.
PAGE 16
Configuration examples X Create a set of QoS classifiers: create classifier=50 tcpdport=20 create classifier=51 tcpdport=21 create classifier=52 tcpdport=23 create classifier=53 ethformat=ethii prot=0800 Classifiers will be applied in QoS to allow prioritisation or traffic shaping. The above example classifies FTP and telnet. Note: These switches do filtering by default. You do not need to write a rule to drop the traffic that doesn’t have a current binding in the DHCP database.
PAGE 17
Configuration examples Configuring the switch for DHCP snooping, filtering, and Option 82, when it is acting as a layer 3 BOOTP Relay Agent In a layer 3 routing environment, the switch takes on a role of BOOTP Relay Agent, with support for DHCP Option 82. The relay agent inserts the information mentioned above when forwarding client-originated DHCP packets to a DHCP server.
PAGE 18
Configuration examples X Configure the switch’s IP: enable ip add ip int=vlan48 ip=10.11.67.254 mask=255.255.255.0 add ip int=vlan50 ip=10.50.1.254 mask=255.255.255.0 add ip rou=0.0.0.0 mask=0.0.0.0 int=vlan50 next=10.50.1.1 X For layer 3 support, enable the BOOTP Relay: enable bootp relay add bootp relay=10.50.1.100 Here the DHCP server is set to 10.50.1.100.
PAGE 19
Configuration examples X Create a set of QoS classifiers: create classifier=50 tcpdport=20 create classifier=51 tcpdport=21 create classifier=52 tcpdport=23 create classifier=53 ethformat=ethii prot=0800 Classifiers will be applied in QoS to allow prioritisation or traffic shaping. The above example classifies FTP and telnet. Note: These switches do filtering by default. You do not need to write a rule to drop the traffic that doesn’t have a current binding in the DHCP database.
PAGE 20
Troubleshooting Troubleshooting Use the command enable dhcpsnooping debug=all to get the most verbose level of debugging available. In the following sections, all debugging comes from that command. Let’s look at how you can use debugging to investigate some common problem scenarios. No trusted ports configured In the following output, you can see that a DHCP request has arrived at the switch on port 1. The switch does not forward this on to any other port.
PAGE 21
Troubleshooting The DHCP client continually sends requests instead of a discover This happens when the client is renewing its lease or, for whatever reason, believes that should be issued a specific address. If the client does not receive either an ACK or NACK (from a DHCP server) then the client will continue to request the address. A NACK should cause the client to send a discover packet instead of a request.
PAGE 22
Troubleshooting Increasing the port’s maximum leases will permit multiple clients per port. Manager > set dhcpsnooping port=3 maxleases=2 Info (1137260): DHCP Snooping port(s) 3 updated successfully. Switch is dropping ARPs If you have DHCP snooping in ARP security mode, then unknown clients on untrusted ports will not be able to ARP.
PAGE 23
Troubleshooting You cannot work around dropped ARPs from the DHCP server by statically binding the DHCP server’s IP and MAC address to a port, instead of setting it as trusted. The switch will not send the DHCP server the DHCP request. The switch will not flood the DHCP request to any ports other than trusted ones. So although the switch will let the DHCP server send ARP requests, the DHCP server will not receive any DHCP requests. Manager > add dhcpsnooping binding=00-50-FC-EE-F5-13 ip=172.16.1.
PAGE 24
Troubleshooting Displaying log entries The show log command is also very useful: Manager > sh log Date/Time S Mod Type SType Message -----------------------------------------------------------------------02 21:42:55 3 DHCP DHCPS ADD Adding new entry [chaddr 00-11-22-33-44-15], clientIP 2.2.2.2, vlan1, port3, serverIP 0.0.0.0, Expires N/A (static entry) 02 21:43:20 4 DHCP DHCPS FAIL Error adding entry [chaddr 00-11-22-33-44-16].
PAGE 25
Appendix 1: ISC DHCP server Appendix 1: ISC DHCP server One DHCP server that has been tested against DHCP snooping is ISC DHCP. This is free software with an option of a support contract. At the time of writing this document, ISC DHCP did not support the logging of RFC3993 sub-option 6. For convenience, here is a sample configuration (dhcpd.conf) for ISC DHCP. This configuration lets you specify the IP that is given to each MAC address. You may easily write a range statement to assign to any client.
PAGE 26
The following configuration (thanks to www.thtech.net/article/10) will record Option 82 information in syslog. This part is ignored if no Option 82 information is passed on. The logfile location is configured in syslog. if exists agent.circuit-id { log ( info, concat( "NEW LEASE - IP: ", binary-to-ascii (10, 8, ".", leased-address), ", PORT: ", binary-to-ascii (10, 8, ":", suffix ( option agent.circuit-id, 2)), ", VLAN: ", binary-to-ascii(10, 16, "", substring( option agent.