[Enhancement] Support DHCPSNP filter-only mode via CLI/WEB/SNMP
Overview
DHCP Snooping allows a switch to protect a network from rogue DHCP servers and to pass port information to the DHCP server.
The switch supports a filter-only mode per interface, which filters DHCP packets based on the trust status of the port interface and the content of the packets. No binding entry is added.
The filter-only mode may be used if the client number is larger than the maximum binding limit and there is no demand for IP Source Guard and Dynamic ARP Inspection, because they both rely on binding entries.
Configuration (supported via CLI/WEB GUI/SNMP), using the ECS4120 series as an example.
- Enable the basic DHCPSNP function.
Console#con
Console(config)#ip dhcp snooping
Console(config)#ip dhcp snooping vlan 1
Console(config)#interface ethernet 1/28
Console(config-if)#ip dhcp snooping trust
Console(config-if)#end
<A> CLI Command
- Enable DHCPSNP filter-only mode on port interface configuration.
[CLI format]
ip dhcp snooping max-number { <max_num> | filter-only }
<max_num> - Maximum number of clients per port. Default value is 16. Range is 1-32.
filter-only - Only filters DHCP packets and does not add binding entries. The number of clients is not limited.
Console#con
Console(config)#interface ethernet 1/1
Console(config-if)#ip dhcp snooping max-number filter-only
Console(config-if)#end
Console#show ip dhcp snooping
Global DHCP Snooping Status: enabled
DHCP Snooping Information Option Status: disabled
DHCP Snooping Information Option Sub-option Format: extra subtype included
DHCP Snooping Information Option Remote ID: MAC Address (hex encoded)
DHCP Snooping Information Option Remote ID TR101 VLAN Field: enabled
DHCP Snooping Information Option TR101 Board ID: none
DHCP Snooping Information Policy: replace
DHCP Snooping is configured on the following VLANs:
1
Verify Source MAC-Address: enabled
DHCP Snooping Rate Limit: unlimited
                  Max         Circuit-ID      Circuit-ID  Circuit-ID  Carry To  Vlan
Interface Trusted Num         mode            Value       TR101 VLAN  Client    Flooding
--------- ------- ----------- --------------- ----------- ----------- --------- --------
Eth 1/1   No      filter-only VLAN-Unit-Port  ---         enabled     disabled  enabled
Eth 1/2   No      16          VLAN-Unit-Port  ---         enabled     disabled  enabled
Eth 1/3   No      16          VLAN-Unit-Port  ---         enabled     disabled  enabled
<B> WEB GUI
- Enable DHCPSNP filter-only mode on port interface configuration.
[WEB GUI]
Security -> DHCP Snooping -> Step: 3. Configure Interface -> Enabled Filter Only.

<C> SNMP
- Enable DHCPSNP filter-only mode on port interface configuration.
[SNMPSET command format]
snmpset -v 2c -c private {switch ip} {dhcpSnoopPortMaxNumber}.{dhcpSnoopPortIfIndex} {integer} {value}
dhcpSnoopPortMaxNumber: OID 1.3.6.1.4.1.259.10.1.45.1.46.3.1.1.6
This object sets the maximum client number per port.
Valid values are 1 to 32, or 65535.
Setting OID 1.3.6.1.4.1.259.10.1.45.1.46.3.1.1.6 to 65535 enables filter-only mode on that port.
dhcpSnoopPortIfIndex: the ifIndex value of the port or trunk.
Example: enable DHCPSNP filter-only mode on Eth 1/2 (ifIndex 2).
C:\>snmpset -v 2c -c private 192.168.1.2 1.3.6.1.4.1.259.10.1.45.1.46.3.1.1.6.2 i 65535
SNMPv2-SMI::enterprises.259.10.1.45.1.46.3.1.1.6.2 = INTEGER: 65535
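To make the difference between the CLI max-number limit and filter-only (SNMP value 65535) concrete, here is a small model of per-port DHCP snooping. It is an added illustration, not Edgecore's code: the filter rules (server replies dropped on untrusted ports, Ethernet source MAC checked against chaddr) follow standard DHCP snooping behaviour, the port names and MAC/IP values are constructed, and the treatment of a port that has reached its binding limit is an assumption, since the article does not describe it.

```python
from dataclasses import dataclass, field
FILTER_ONLY = 65535              # SNMP value that selects filter-only (from the article)
SERVER_MSGS = {"OFFER", "ACK", "NAK"}

@dataclass
class Port:
    trusted: bool = False
    max_number: int = 16         # CLI default; 1-32, or FILTER_ONLY
    bindings: dict = field(default_factory=dict)   # chaddr -> leased IP

@dataclass
class Dhcp:                      # only the fields the filter inspects
    msg: str
    src_mac: str                 # Ethernet source address
    chaddr: str                  # client hardware address in the DHCP header
    yiaddr: str = "0.0.0.0"

class SnoopingSwitch:
    def __init__(self, ports):
        self.ports = ports       # port name -> Port
        self.pending = {}        # chaddr -> untrusted port that sent the REQUEST

    def snoop(self, in_port, pkt):
        """Return 'forward' or 'drop'; learn a binding only where the mode allows it."""
        port = self.ports[in_port]
        if not port.trusted:
            if pkt.msg in SERVER_MSGS:
                return "drop"    # server reply arriving on an untrusted port
            if pkt.src_mac.lower() != pkt.chaddr.lower():
                return "drop"    # Verify Source MAC-Address
            if pkt.msg == "REQUEST":
                self.pending[pkt.chaddr] = in_port
            return "forward"
        if pkt.msg == "ACK" and pkt.chaddr in self.pending:
            client = self.ports[self.pending.pop(pkt.chaddr)]
            # filter-only never binds; numeric mode binds while under max-number
            # (assumed: the article does not state what happens at the limit)
            if client.max_number != FILTER_ONLY and len(client.bindings) < client.max_number:
                client.bindings[pkt.chaddr] = pkt.yiaddr
        return "forward"

def demo():
    """Constructed scenario: Eth 1/1 filter-only, Eth 1/2 max-number 1, Eth 1/28 trusted uplink."""
    sw = SnoopingSwitch({"eth1/1": Port(max_number=FILTER_ONLY),
                         "eth1/2": Port(max_number=1), "eth1/28": Port(trusted=True)})
    for port, mac in [("eth1/1", "00:00:00:00:00:01"), ("eth1/2", "00:00:00:00:00:02"),
                      ("eth1/2", "00:00:00:00:00:03")]:
        sw.snoop(port, Dhcp("REQUEST", mac, mac))
        sw.snoop("eth1/28", Dhcp("ACK", "aa:bb:cc:dd:ee:ff", mac, "10.0.0." + mac[-1]))
    rogue = sw.snoop("eth1/1", Dhcp("OFFER", "de:ad:be:ef:00:01", "00:00:00:00:00:01"))
    return sw, rogue
```

After demo() runs, the filter-only port holds no bindings although its client was served, the max-number port holds exactly one, and the rogue OFFER on the untrusted port is dropped in both modes.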

Support models and software version:
ECS4120 series V1.2.2.28 and above.
ECS4100 series V1.2.40.194 and above.
ECS4620 series V1.2.2.49 and above.
ECS4210 series V1.0.0.55 and above.
ECS4110 series V1.2.3.7 and above.
ECS3510-28T/52T series V1.5.2.7 and above.
ES3510MA series V1.5.2.7 and above.
ES3528MV2 series V1.5.2.8 and above.