Home » D-Link Manuals » Hubs & Switches » D-Link DGS-6600-48TS » Manual Viewer

D-Link DGS-6600-48TS Configuration Guide - Page 466

Configuring an allow-untrusted port, Configuring Snooping Trusts

Get D-Link DGS-6600-48TS PDF manuals and user guides

View all D-Link DGS-6600-48TS manuals

Add to My Manuals
Save this manual to your list of manuals

Page 466 highlights

Volume 8-Security & Authentication / Chapter 44-DHCP Snooping Configuration DHCP Snooping Configuration Commands Configuring an "allow-untrusted port" The DHCP snooping function validates the DHCP packets when it arrives at the port on the VLAN that is enabled for DHCP snooping. By default, the validation process will drop the packet If gateway address!=0 or option 82 is present. Use the ip dhcp snooping information option allow-untrusted command to allow the packet with relay option 82 arriving at the un-trusted interface. Command ip dhcp snooping information option allowuntrusted Explanation Use this command to globally allow DHCP packets with relay option 82 on the un-trusted interface. Use the no form of the command to not allow the packets with relay option 82. This example shows how to enable DHCP snooping option-82 allow-untrusted port: DGS-6600# configure terminal DGS-6600(config)# ip dhcp snooping information option allow-untrusted DGS-6600(config)# Configuring Snooping Trusts Normally, the ports connected to DHCP server or to other switches should be configured as a trusted interface. The ports connected to DHCP clients should be configured as un-trusted interface. When a port is configured as an un-trusted interface, the DHCP message arrives at the port on a vlan that is enabled for DHCP and snooping will be validated by the following checks. (1)The received message should be all sent by the client. If the message is sent by the DHCP server, the message will be dropped. (2)If ip dhcp snooping verify mac-address is enabled, the source MAC in the Ethernet header must be the same as the DHCP client hardware address to pass the validation. (3)For the received release and decline packets, the received port is also checked against the binding database entry. The packet will be dropped if inconsistent. (4)If gateway address!=0 or option 82 is present, the packet is dropped In addition to doing the validation, DHCP snooping also create a binding entry based on the IP address assigned to client by the server in DHCP snooping binding database. The binding entry contains information including MAC address, IP address, the VLAN ID and port ID where the client is located, and the expiry of the lease time. Command ip dhcp snooping trust Explanation Use this command to configure a port as interface trusted for DHCP snooping. Use the no form of this command to return to the default setting. This example shows how to enable DHCP snooping trust for port 3.3: DGS-6600(config)# interface eth3.3 DGS-6600(config-if)# ip dhcp snooping trust DGS-6600(config)# DGS-6600 Configuration Guide 466

Section	Page
DGS-6600 Configuration Guide v1.0.pdf	3
Audience	3
Related Documentation	3
Typographical Conventions	3
Notes, Notices, and Cautions	4
Table of Contents	5
DGS-6600 Series Switch Product Summary	18
Chapter Overview	18
An Introduction to the DGS-6600 Series Switch	18
Components and Hardware	19
Chassis	20
Module Plug-in Frame	20
Module List	21
Supported User Interfaces	24
Quick Start	25
Chapter Overview	25
An Introduction to Quickly Setting Up the DGS-6600 Series Switch	25
Preparation for Installation	25
Static Discharge Damage Prevention	26
Moving the Device	26
System Grounding Requirements	27
Simple Grounding Steps	28
Installation Site Requirements	28
Ventilation Requirements	28
Removing and Installing Modules from the DGS-6600 Series Switch	29
Removing Modules from the DGS-6600	29
Installing Modules in the DGS-6604 & DGS-6608	29
Configuring the Connection To The Switch	30
Connecting a Terminal to the Console Port	30
SNMP-Based Management	30
Part 1- Configuration Fundamentals	31
Command-Line Interface (CLI)	32
Command-Line Interface Overview	32
An Introduction to the Command-Line Interface	32
Command Mode and User Privilege Level	32
User EXEC Mode Configuration Commands	35
Help Features	38
Editing Features	40
Using Abbreviated Commands	41
Error Messages	42
Command Prompt	43
Login Banner	46
Establishing a Telnet Connection to a Remote Device	47
Common Parameter Syntax Conventions	48
Allowed Character Strings And String Examples	49
Time and Date Configuration	50
Calendar Dates	50
Time	51
Countdown Timer	51
Accessing the Command Line Interface	52
Chapter Overview	52
An Introduction to Accessing the Switch Using a Console Connection	52
Accessing the Switch Using a Telnet Connection	54
Enabling the Telnet Service	55
Configuring the Telnet Service Port	55
Specifying Telnet Terminals	55
Displaying Trusted Host Telnet Terminals	56
Closing an Active Terminal Session	56
Terminal Settings	56
Configuring the Number of Lines Displayed on Terminal Screen	56
Configuring the Max Number of Characters Displayed per Terminal Line	57
Configuring the Terminal Timeout	58
List of Constants and Default Settings	58
User Account Configuration	59
Chapter Overview	59
An Introduction to Configuring User Accounts	59
Creating User Accounts with Different Privilege Levels	59
Creating User Accounts	59
Displaying the User Accounts Setup on the Switch	60
Displaying Active User Sessions on the Switch	61
Creating and Configuring Enabled Passwords	61
Creating an Enabling Password	61
Displaying Enabled Passwords	62
Logging into the Switch with a Different User Account	62
Encrypting Passwords	63
List of Constants and Default Settings	64
Accessing the Web Interface (Web UI)	65
Chapter Overview	65
An Introduction to Accessing the Switch using the Web Interface	65
Configuration Commands	65
List of Constants and Default Settings	67
Time Configuration	68
Chapter Overview	68
An Introduction to Time Configuration	68
Configuration Commands	68
Manual Configuration of Time	68
Automatic Configuration of Time	69
Configuring Summer Time	70
List of Constants and Default Settings	71
DGS-6600 Default Metric	73
Chapter Overview	73
Part 2- Interface and Hardware Configurations	74
Interface Configuration	75
Chapter Overview	75
An Introduction to Interface Configuration	76
Identification of an Interface	76
Switch Port Interface	76
Port Channel Interface	76
VLAN Interface	76
Out-of-Band (OOB) Management Port Interface	76
Configuration Commands	77
Entering Interface Configuration Mode	77
Adding a Description to an Interface	77
Removing a Description from an Interface	78
Displaying Interface Status	78
Configuring Switch Port Interfaces	79
Configuring Duplex Mode	80
Configuring Flow Control	80
Configuring Speed	80
Shutting Down an Interface	81
Configuring the Maximum Allowed Frame Size	81
Configuring the MTU	82
Clearing Counters	82
Configuring VLAN Interfaces	83
Configuring the MTU on a VLAN Interface	83
Configuring the OOB Management Interface	83
Configuring an IP Address on the Management Interface	84
Configuring a Default Gateway on the OOB Management Interface	84
Configuring the IP MTU on the OOB Management Interface	85
Configuring an IPv6 Address on the OOB Management Interface	85
Configuring a IPv6 Default Gateway on the OOB Management Interface	86
Shutting Down the Management Interface	86
Displaying the OOB Management Port Interface Status	87
List of Constants and Default Settings	87
Part 3- Layer 2 Configurations	88
VLAN Configuration	89
Chapter Overview	89
An Introduction to VLAN	89
Packet Classification	90
VLAN Configuration Commands	90
Configuration Examples	96
VLAN Configuration Examples	96
Relations with Other Modules	98
List of Constants and Default Settings	98
VLAN Tunneling	99
Chapter Overview	99
An Introduction to VLAN Tunneling	99
VLAN Encapsulation	100
VLAN Remarking	101
CoS Remarking	101
Packet Forwarding Flow	101
UNI to NNI or UNI to UNI Forwarding	102
NNI to UNI or NNI to NNI Forwarding	104
VLAN Tunneling Configuration Commands	107
Configuration Examples	112
QinQ Configuration Example	112
List of Constants and Default Settings	116
GARP VLAN Registration Protocol (GVRP) Configuration	117
Chapter Overview	117
An Introduction to GARP	117
GARP Configuration Commands	117
List of Constants and Default Settings	123
MAC Address Tables	124
Chapter Overview	124
An Introduction to Mac Address Tables	124
Mac Address Configuration Commands	124
Relations with Other Modules	127
List of Constants and Default Settings	127
Spanning Tree Protocol (STP) Configuration	128
Chapter Overview	128
An Introduction to Spanning Tree Protocol	128
Spanning Tree Protocol (STP) Concepts	128
Rapid Spanning Tree Protocol (RSTP) Concepts	132
Multiple Spanning Tree Protocol Concepts	133
STP Configuration Commands	134
Configuring a Single Spanning Tree Instance	139
Configuring Multiple Spanning Tree Instances	142
Configuring Optional Features	147
Configuration Examples	149
RSTP Configuration example	149
MSTP Configuration Example	152
List of Constants and Default Settings	157
Link Aggregation	158
Chapter Overview	158
An Introduction to Port Channel Groups and LACP	158
Load Balancing	159
Load Balance Hash Algorithm	159
Port and System Priority	160
Link Aggregation Configuration Commands	160
Configuration Examples	163
Link Aggregation Configuration Example	163
Relations with Other Modules	165
List of Constants and Default Settings	165
Proxy ARP	166
Chapter Overview	166
An Introduction to Proxy ARP	166
Operation Concept	166
Parameters	166
Per Interface parameter	167
Sanity checks for ARP request	167
Acceptable route	167
Proxy ARP Configuration Commands	167
Super VLAN	169
Chapter Overview	169
An Introduction to Super VLAN Overview	169
Super VLAN Configuration Commands	170
Configuration Examples	171
Super VLAN Configuration Examples	171
List of Constraints & restrictions	173
List of Constants	173
Voice VLAN	174
Chapter Overview	174
An Introduction to Voice VLAN	174
Voice VLAN Configuration commands	178
Configuration Examples	180
Voice VLAN Configuration Example	180
Ethernet Ring Protection Switching (ERPS)	182
Chapter Overview	182
An Introduction to ERPS	182
Configuration Example	186
ERPS Configuration Example	186
Relationship with other modules	191
Part 4- Layer 3 Configurations	193
IPv4 Basics	194
Chapter Overview	194
An Introduction to IPv4	194
IPv4 Basics	194
Subnet Masks	195
IPv4 Address Assignment on the DGS-6600 Series Switch	195
IPv4 Basic Configuration Commands	196
Configuration Example	197
Basic Routing (IPV4) Configuration Example	197
IPv4 Static Route Configuration	199
Chapter Overview	199
An Introduction to IPv4 Static Routing	199
IPv4 Static Routing Configuration Commands	199
Configuration Example	201
Static Routing (IPV4) Configuration Example	201
Routing Information Protocol (RIP)	204
Chapter Overview	204
An Introduction to RIP	204
RIP Configuration Commands	205
Configuration Examples	213
RIP Configuration Example	213
List of Constants and Default Settings	216
Open Shortest Path First (OSPF)	217
Chapter Overview	217
An Introduction to OSPF	217
OSPF Configuration Commands	218
Basic Commands and Functions	218
Generating a Default Route	226
Redistributing Routes to OSPF	227
Displaying Border Routers	230
Restarting OSPF	238
Configuration Examples	239
OSPFv2 Configuration (Basic) Example	239
OSPFv2 Configuration Example 2	241
List of Constants and Default Settings	247
ECMP	248
Chapter Overview	248
An Introduction to ECMP	248
ECMP Overview	248
Configuring ECMP	249
IPv6 Basics	250
Chapter Overview	250
An introduction to Internet Protocol Version 6 (IPv6) Basics	250
IPv6 Configuration Commands	253
IPv6 Static Route Configuration	256
Chapter Overview	256
An Introduction to IPv6 Static Route Configuration	256
IPv6 Static Route Configuration Commands	257
Configuration Example	258
IPv6 Static Route Configuration Example	258
Routing Information Protocol Next Generation (RIPng)	261
Chapter Overview	261
An Introduction to RIPng	261
RIPng Configuration Commands	266
Configuration Examples	267
RIPng Configuration Example	267
Limitations	269
Open Shortest Path First Version 3 (OSPFv3)	271
Chapter Overview	271
An Introduction to OSPFv3	271
OSPFv3 Configuration Commands	279
Configuration Examples	280
OSPFv3 Configuration Example	280
Limitations	283
Behavior	283
IPv6 Tunneling	285
Chapter Overview	285
An Introduction to IPv6 Tunneling	285
Operation concept	285
IPv6 Tunneling Configuration Commands	287
Configuration Examples	287
IPv6 tunneling manual Configuration Example	287
IPv6 tunneling 6to4 Configuration Example	289
IPv6 tunneling ISATAP Configuration Example	291
Border Gateway Protocol (BGP)	293
Chapter Overview	293
An Introduction to BGP	293
BGP Configuration commands	294
Configuration Examples	324
BGP Configuration Example	324
Policy Based Route Map (PBR)	331
Chapter Overview	331
An Introduction to Policy Based Route Map	331
PBR Configuration Commands	333
Usage Guideline	334
Configuration example	335
PBR Configuration Example	335
Virtual Router Redundancy Protocol (VRRP)	339
Chapter Overview	339
An introduction to VRRP	339
VRRP Configuration Commands	343
Configuration Example	344
VRRP Configuration Example	344
Part 5- Multiprotocol Label Switching (MPLS)	349
Multiprotocol Label Switching (MPLS)	350
Chapter Overview	350
An Introduction to MPLS Authentication	350
MPLS Operation	350
MPLS Configuration Commands	351
Configuration Examples	354
MPLS, LDP (Dynamic Label) Configuration Example	354
MPLS (Static Label) Configuration Example	358
MPLS QoS Configuration Example	362
Configuration Restrictions	367
Virtual Private Wire Service (VPWS)	368
Chapter Overview	368
An Introduction to VPWS (Virtual Pseudo Wire Service)	368
VPWS Configuration Commands	369
Configuration examples	370
Configuring a VPWS	370
Configuration Restrictions and constants	372
Virtual Private Lan Services (VPLS)	373
Chapter Overview	373
An Introduction to VPLS	373
VPLS Configuration Commands	375
Configuration Examples	377
MPLS - VPLS Configuration Example	377
Configuration Restrictions and Constants	381
Part 6- Quality of Service (QoS)	382
Quality of Service (QoS)	383
Chapter Overview	383
An Introduction to QoS	383
Policing and Color Markers	384
QoS Configuration Commands	384
Scheduling	387
Defining the Policing	388
Configuration Examples	393
Configuring QoS Examples	393
QOS Strict Mode Configuration Example	394
QOS WRR Mode Configuration Example	396
Part 7- Multicast Configurations	398
Multicast Configuration	399
Chapter Overview	399
An Introduction to Multicast	399
Multicast Filter Mode Configuration Commands	400
PIM	401
Configuration Examples	403
PIM-DM configuration Examples	403
PIM-SM Configuration Example	405
DVMRP Configuration Example	408
IGMP Snooping Configuration Example	411
Part 8- Security & Authentication	413
Access Control Lists (ACL)	414
Chapter Overview	414
An Introduction to Access Control Lists	414
Configuration Overview	415
ACL Configuration Commands	417
Configuring Access Control Lists	418
Applying Access Control Lists to Interfaces	423
Configuration Examples	425
ACL Configuration Example	425
List of Constants and Default Settings	427
Authentication, Authorization and Accounting (AAA) Configuration	428
Chapter Overview	428
An Introduction to AAA Configuration	428
AAA Configuration Commands	429
Configuring AAA Server Groups	429
List of Constants and Default Settings	432
802.1X Authentication	433
Chapter Overview	433
An Introduction to 802.1X Authentication	434
Port-based and Host-based Access Control	435
802.1X Configuration Commands	435
Configuring 802.1X Authentication	435
Displaying 802.1X Configuration and Status	443
Configuration Examples	446
802.1x Guest VLAN Configuration Example	446
Relations with Other Modules	448
List of Constants and Default Settings	449
DoS Protection	450
Chapter Overview	450
An Introduction to DoS Protection	450
DoS Prevention Overview	450
Architecture	450
Operation Concepts	451
Mechanism	451
Actions	451
Attack Types	451
Configuration Commands	452
Configuration Examples	453
Parameters	454
Dynamic ARP Inspection	455
Chapter Overview	455
An Introduction to Dynamic ARP Inspection	455
Dynamic ARP Inspection Configuration Commands	456
DHCP Server Screening	458
Chapter Overview	458
An introduction to DHCP Server Screening Configuration	458
DHCP Server Screening	459
DHCP Server Screening Operating Concept	459
DHCP Server Screening/Client Filtering Configuration Commands	460
Configuring DHCP Server Screening/Client Filtering	460
DHCP Server Screening Default Settings	463
DHCP Server Screening Limitation	463
DHCP Snooping Configuration	464
Chapter Overview	464
An Introduction to DHCP Snooping	464
DHCP Operation concept	465
DHCP Snooping Configuration Commands	465
Port Security	469
Chapter Overview	469
An Introduction to Port Security Configuration	469
Port Security Configuration Commands	470
Relations with Other Modules	470
List of Constants and Default Settings	471
IP Source Guard	472
Chapter Overview	472
An Introduction to IP Source Guard	472
IP Source Guard Configuration Commands	473
Safeguard Engine Settings	475
Chapter Overview	475
An Introduction to Safeguard Engine Settings	475
Configuration Commands	477
Configuration Command Examples	477
Traffic Segmentation Configuration	479
Chapter Overview	479
An Introduction to Traffic Segmentation	479
Traffic Segmentation Configuration Commands	479
Configuring Traffic Segmentation	479
Configuration Examples	480
Traffic Segmentation Configuration Example	480
Relations with Other Modules	482
List of Constants and Default Settings	482
Part 9- Network Application	483
DHCP Server Configuration	484
Chapter Overview	484
An Introduction to DHCP SERVER	484
Architecture	485
Operation concept	485
Selecting IP address pool	486
DHCP DISCOVER/REQUEST with 'requested IP address	486
Choosing IP address in address pool	487
Responding DHCP DISCOVER/REQUEST packet	487
Receiving DHCP DECLINE	487
Sending back DHCP packet to client	487
PING operation	487
Behavior under multi-netting	487
DHCP server and DHCP relay agent global mode	488
High availability in DHCP server	488
DHCP Server Configuration Commands	488
Configuring a DHCP Address Pool	489
Limitations	497
DHCP Relay Configuration	498
Chapter Overview	498
An Introduction to DHCP Relay Agent Operation	498
DHCP Relay Configuration Commands	500
Configuring the Relay Agent Information Option	501
Configuring Trusted Interfaces	503
List of Constants and Default Settings	505
DHCPv6 Client Configuration	506
Chapter Overview	506
An Introduction to the DHCPv6 Client	506
Operation concept	506
Protocol and Addressing	507
Basic Message Format	508
Message Types	509
Prefix Delegation	511
Restrictions	512
Rapid Commit	512
Address Information Refresh	512
DHCPv6 Configurations Commands	513
Default Settings	519
Restriction/Limitation	519
sFlow	521
Chapter Overview	521
An Introduction to sFlow	521
sFlow Design Overview	522
Configuration Commands	524
Configuration Command Examples	524
sFlow Configuration Example	525
Part 10- Network Management	527
Simple Network Management Protocol (SNMP)	528
Chapter Overview	528
An Introduction to SNMP Overview	528
User-based Security Model	529
View-based Access Control Model	529
SNMP Configuring Commands	529
Configuration Examples	537
SNMPv2 With Trap Configuration Example	537
SNMP v3 with trap Configuration Example	538
List of Constants and Default Settings	541
RMON	542
Chapter Overview	542
An Introduction to RMON	542
RMON Overview	542
Configuring rmon statistics	544
Configuration Examples	544

Match case Limit results 1 per page

Volume 8-Security & Authentication / Chapter 44-DHCP Snooping Configuration

DHCP Snooping Configuration Commands

DGS-6600 Configuration Guide

466

Configuring an “allow-untrusted port”

The DHCP snooping function validates the DHCP packets when it arrives at the port on the VLAN

that is enabled for DHCP snooping. By default, the validation process will drop the packet If gateway

address!=0 or option 82 is present. Use the ip dhcp snooping information option allow-untrusted

command to allow the packet with relay option 82 arriving at the un-trusted interface.

This example shows how to enable DHCP snooping option-82 allow-untrusted port:

Configuring Snooping Trusts

Normally, the ports connected to DHCP server or to other switches should be configured as a

trusted interface. The ports connected to DHCP clients should be configured as un-trusted interface.

When a port is configured as an un-trusted interface, the DHCP message arrives at the port on a

vlan that is enabled for DHCP and snooping will be validated by the following checks.

(1)The received message should be all sent by the client. If the message is sent by the DHCP

server, the message will be dropped.

(2)If ip dhcp snooping verify mac-address is enabled, the source MAC in the Ethernet header must

be the same as the DHCP client hardware address to pass the validation.

(3)For the received release and decline packets, the received port is also checked against the

binding database entry. The packet will be dropped if inconsistent.

(4)If gateway address!=0 or option 82 is present, the packet is dropped In addition to doing the

validation, DHCP snooping also create a binding entry based on the IP address assigned to client

by the server in DHCP snooping binding database. The binding entry contains information including

MAC address, IP address, the VLAN ID and port ID where the client is located, and the expiry of the

lease time.

This example shows how to enable DHCP snooping trust for port 3.3:

Command

Explanation

ip dhcp snooping information option allow-

untrusted

Use this command to globally allow DHCP packets

with relay option 82 on the un-trusted interface.

Use the no form of the command to not allow the

packets with relay option 82.

DGS-6600# configure terminal

DGS-6600(config)# ip dhcp snooping information option allow-untrusted

DGS-6600(config)#

Command

Explanation

ip dhcp snooping trust

Use this command to configure a port as interface

trusted for DHCP snooping. Use the no form of this

command to return to the default setting.

DGS-6600(config)# interface eth3.3

DGS-6600(config-if)# ip dhcp snooping trust

DGS-6600(config)#