This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Training, Documentation, & General Discussions
- FAQs
- SecureStack/G/D-Series Configuration to Block Pack...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
SecureStack/G/D-Series Configuration to Block Packets From a Rogue DHCP Server
SecureStack/G/D-Series Configuration to Block Packets From a Rogue DHCP Server
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
12-04-2013 02:25 PM
Article ID: 12008
Products
SecureStack C3, firmware 1.02.01.0004 and higher
SecureStack C2, firmware 5.02.01.0006 and higher
SecureStack B3, firmware 1.02.01.0004 and higher
SecureStack B2, firmware 4.02.01.0006 and higher
G-Series, firmware 1.02.00.0043 and higher
D-Series, firmware 6.03.01.0008 and higher
Goals
Block packets from a rogue DHCP server.
Configure DHCP Snooping.
Sample configuration.
Solution/Workaround
DHCP Snooping prevents DHCP server packets such as "offers" from being passed onto the network. This will stop rogue DHCP servers from supplying incorrect IP addresses to DHCP clients.
For at least minimal/default functionality, here are the three commands required:
B2(su)->set dhcpsnooping ?
binding Add a static DHCP snooping binding [default: none]
database Configure DHCP snooping bindings store interval in
<15> to <86400> seconds range. [default: 300 seconds]
disable Disable DHCP snooping globally. [default: disable]
enable Enable DHCP snooping globally.
limit Configure rate limiting parameters on the port. [default: 15 pps]
log-invalid Enable logging of invalid packets. [default: disable]
trust Configure the interface as trusted or untrusted for
DHCP snooping. [default: disable]
verify Configure DHCP snooping to filter on source MAC
address. [default: enable]
vlan Enable DHCP snooping on a range of VLANs. [default: none]
B2(su)->clear dhcpsnooping ?
binding Clear DHCP snooping bindings
database Configure DHCP snooping bindings store interval in
<15> to <86400> seconds range.
limit Set rate limiting and burst interval to defaults 15
pps and 1 second respectivey .
statistics Clear DHCP snooping statistics
B2(su)->show dhcpsnooping ?
Press enter to execute the command.
binding Display DHCP snooping bindings.
database Display DHCP snooping Database persistency
configuration.
port Display DHCP Snooping Interface configuration.
statistics Display DHCP snooping statistics.
B2(su)->
For more background regarding the use and configuration of DHCP Snooping, please refer to the Configuration Guide or CLI Reference Guide for your product and firmware version.
See also: 11392 and 12196.
Workaround:
For the A4-Series and A2-Series, which do not support DHCP Snooping or Policy, DiffServ (5848) provides a means to perform a similar function, albeit in a less sophisticated manner. This sample configuration denies DHCP traffic sourced from any DHCP Server (destination port 68 traffic is server-to-client) plugged into port ge.1.1. Add this service to all ports that you wish to disallow for DHCP server attachment/operation:
#diffserv
set diffserv adminmode enable
set diffserv class create all classDHCP
set diffserv class match dstl4port number classDHCP 68
set diffserv policy create policyDropDHCP in
set diffserv policy class add policyDropDHCP classDHCP
set diffserv policy police style simple policyDropDHCP classDHCP 1000000 128
set diffserv policy police action conform drop policyDropDHCP classDHCP
set diffserv service add in ge.1.1 policyDropDHCP
Products
SecureStack C3, firmware 1.02.01.0004 and higher
SecureStack C2, firmware 5.02.01.0006 and higher
SecureStack B3, firmware 1.02.01.0004 and higher
SecureStack B2, firmware 4.02.01.0006 and higher
G-Series, firmware 1.02.00.0043 and higher
D-Series, firmware 6.03.01.0008 and higher
Goals
Block packets from a rogue DHCP server.
Configure DHCP Snooping.
Sample configuration.
Solution/Workaround
DHCP Snooping prevents DHCP server packets such as "offers" from being passed onto the network. This will stop rogue DHCP servers from supplying incorrect IP addresses to DHCP clients.
For at least minimal/default functionality, here are the three commands required:
- Enable the feature globally:B2(su)->set dhcpsnooping enable
- Enable the feature on at least one VLAN:B2(su)->set dhcpsnooping vlan enable
- Configure the trusted ports through which valid DHCP server packets will be sourced (12682). Typically these are uplinks that are in the data path to the actual DHCP server:B2(su)->set dhcpsnooping trust port enable
B2(su)->set dhcpsnooping ?
binding Add a static DHCP snooping binding [default: none]
database Configure DHCP snooping bindings store interval in
<15> to <86400> seconds range. [default: 300 seconds]
disable Disable DHCP snooping globally. [default: disable]
enable Enable DHCP snooping globally.
limit Configure rate limiting parameters on the port. [default: 15 pps]
log-invalid Enable logging of invalid packets. [default: disable]
trust Configure the interface as trusted or untrusted for
DHCP snooping. [default: disable]
verify Configure DHCP snooping to filter on source MAC
address. [default: enable]
vlan Enable DHCP snooping on a range of VLANs. [default: none]
B2(su)->clear dhcpsnooping ?
binding Clear DHCP snooping bindings
database Configure DHCP snooping bindings store interval in
<15> to <86400> seconds range.
limit Set rate limiting and burst interval to defaults 15
pps and 1 second respectivey .
statistics Clear DHCP snooping statistics
B2(su)->show dhcpsnooping ?
binding Display DHCP snooping bindings.
database Display DHCP snooping Database persistency
configuration.
port Display DHCP Snooping Interface configuration.
statistics Display DHCP snooping statistics.
B2(su)->
For more background regarding the use and configuration of DHCP Snooping, please refer to the Configuration Guide or CLI Reference Guide for your product and firmware version.
See also: 11392 and 12196.
Workaround:
For the A4-Series and A2-Series, which do not support DHCP Snooping or Policy, DiffServ (5848) provides a means to perform a similar function, albeit in a less sophisticated manner. This sample configuration denies DHCP traffic sourced from any DHCP Server (destination port 68 traffic is server-to-client) plugged into port ge.1.1. Add this service to all ports that you wish to disallow for DHCP server attachment/operation:
#diffserv
set diffserv adminmode enable
set diffserv class create all classDHCP
set diffserv class match dstl4port number classDHCP 68
set diffserv policy create policyDropDHCP in
set diffserv policy class add policyDropDHCP classDHCP
set diffserv policy police style simple policyDropDHCP classDHCP 1000000 128
set diffserv policy police action conform drop policyDropDHCP classDHCP
set diffserv service add in ge.1.1 policyDropDHCP
0 REPLIES 0
