Home » Dell Manuals » Servers » Dell Force10 MXL Blade » Manual Viewer

Dell Force10 MXL Blade MXL 10/40GbE Switch IO Module Configuration Guide - Page 181

DHCP Snooping, Enable DCHP Snooping

View all Dell Force10 MXL Blade manuals

Add to My Manuals
Save this manual to your list of manuals

Page 181 highlights

DHCP Snooping DHCP snooping protects networks from spoofing. In the context of DHCP snooping, all ports are either trusted or untrusted. By default, all ports are untrusted. Trusted ports are ports through which attackers cannot connect. Manually configure ports connected to legitimate servers and relay agents as trusted. When you enable DHCP snooping, the relay agent builds a binding table-using DHCPACK messages- containing the client MAC address, IP addresses, IP address lease time, port, VLAN ID, and binding type. Every time the relay agent receives a DHCPACK on an trusted port, it adds an entry to the table. The relay agent then checks all subsequent DHCP client-originated IP traffic (DHCPRELEASE, DHCPNACK, and DHCPDECLINE) against the binding table to ensure that the MAC-IP address pair is legitimate, and that the packet arrived on the correct port. Packets that do not pass this check are dropped. This check-point prevents an attacker from spoofing a client and declining or releasing the real client's address. Server-originated packets (DHCPOFFER, DHCPACK, DHCPNACK) that arrive on an untrusted port are also dropped. This check-point prevents an attacker from impostering as a DHCP server to facilitate a man-in-the-middle (MITM) attack. Binding table entries are deleted when a lease expires, or the relay agent encounters a DHCPRELEASE, DHCPNACK, DHCPDECLINE. FTOS Behavior: Introduced in FTOS version 7.8.1.0, DHCP snooping was available for Layer 3 only and dependent on DHCP relay agent (ip helper-address). FTOS version 8.2.1.0 extends DHCP snooping to Layer 2. You do not have to enable relay agent to snoop on Layer 2 interfaces. FTOS Behavior: Binding table entries are deleted when a lease expires or when the relay agent encounters a DHCPRELEASE. The switch maintains a list of snooped VLANs. When the binding table is exhausted, DHCP packets are dropped on snooped VLANs, while these packets are forwarded across non-snooped VLANs. Because DHCP packets are dropped, no new IP address assignments are made. However, DHCPRELEASE and DHCPDECLINE packets are allowed so that the DHCP snooping table can decrease in size. After the table usage falls below the maximum limit of 4000 entries, new IP address assignments are allowed. Note: DHCP server packets are dropped on all untrusted interfaces of a system configured for DHCP snooping. To prevent these packets from being dropped, configure ip dhcp snooping trust on the server-connected port. Enable DCHP Snooping To enable DCHP snooping, follow these steps: Step 1 2 3 Task Enable DHCP snooping globally. Specify ports connected to DHCP servers as trusted. Enable DHCP snooping on a VLAN. Command Syntax ip dhcp snooping ip dhcp snooping trust ip dhcp snooping vlan Command Mode CONFIGURATION INTERFACE CONFIGURATION Dynamic Host Configuration Protocol (DHCP) | 179

Section	Page
About this Guide	25
Objectives	25
Audience	25
Conventions	26
Information Symbols	26
Related Documents	26
Configuration Fundamentals	27
Accessing the Command Line	27
CLI Modes	28
Navigating CLI Modes	29
The do Command	31
Undoing Commands	32
Obtaining Help	33
Entering and Editing Commands	34
Command History	35
Filtering show Command Outputs	35
Multiple Users in Configuration Mode	37
Getting Started	39
Console access	39
Serial Console	39
External Serial Port with a USB Connector	41
Boot Process	41
Default Configuration	44
Configure a Host Name	44
Access the System Remotely	44
Access the MXL Switch Remotely	44
Configure the Management Port IP Address	45
Configure a Management Route	45
Configure a Username and Password	46
Configure the Enable Password	46
Configuration File Management	47
Copy Files to and from the System	47
Important Points to Remember	47
Save the Running-Configuration	48
View Files	49
View Configuration Files	50
File System Management	51
View the Command History	52
Upgrading and Downgrading FTOS	52
Management	53
Configure Privilege Levels	53
Create a Custom Privilege Level	53
Removing a Command from EXEC Mode	54
Move a Command from EXEC Privilege Mode to EXEC Mode	54
Allow Access to CONFIGURATION Mode Commands	54
Allow Access to INTERFACE, LINE, ROUTE-MAP, and ROUTER Mode	54
Apply a Privilege Level to a Terminal Line	57
Configure Logging	57
Log Messages in the Internal Buffer	57
Configuration Task List for System Log Management	57
Disable System Logging	58
Send System Messages to a Syslog Server	58
Configure a Unix System as a Syslog Server	58
Change System Logging Settings	58
Display the Logging Buffer and the Logging Configuration	59
Configure a UNIX Logging Facility Level	61
Synchronize log messages	62
Enable timestamp on Syslog Messages	63
File Transfer Services	63
Configuration Task List for File Transfer Services	63
Enable the FTP Server	64
Configure the FTP Server Parameters	64
Configure FTP Client Parameters	65
Terminal Lines	65
Configure Login Authentication for Terminal Lines	66
Time Out of EXEC Privilege Mode	67
Telnet to Another Network Device	68
Lock CONFIGURATION Mode	68
Viewing the Configuration Lock Status	69
Recovering from a Forgotten Password	70
Recovering from a Forgotten Enable Password	70
Recovering from a Failed Start	71
Access Control Lists (ACLs)	73
Overview	73
IP Access Control Lists (ACLs)	74
Implementing ACLs on FTOS	74
ACLs and VLANs	75
ACL Optimization	75
Determine the Order in Which ACLs are Used to Classify Traffic	75
IP Fragment Handling	76
IP Fragments ACL Examples	76
Layer 4 ACL Rules Examples	77
Configure a Standard IP ACL	78
Configure an Extended IP ACL	80
Configure Filters with a Sequence Number	81
Configure Filters Without a Sequence Number	81
Established Flag	82
Configuring Layer 2 and Layer 3 ACLs on an Interface	83
Assign an IP ACL to an Interface	83
Counting ACL Hits	84
Configuring Ingress ACLs	85
Configuring Egress ACLs	86
Egress Layer 3 ACL Lookup for Control-Plane IP Traffic	86
IP Prefix Lists	87
Implementation Information	88
Configuration Task List for Prefix Lists	88
Configure a Prefix List	88
Use a Prefix List for Route Redistribution	91
ACL Resequencing	92
Resequencing an ACL or Prefix List	93
Route Maps	94
Implementation Information	94
Important Points to Remember	94
Configuration Task List for Route Maps	95
Create a Route Map	95
Configure Route Map Filters	97
Configure a Route Map for Route Redistribution	99
Configure a Route Map for Route Tagging	99
Continue Clause	100
Bare Metal Provisioning (BMP)	103
Overview	103
Auto-Configuration	105
BMP Mode	105
MAC-Based IP Assignment	105
DHCP Configuration	106
IP Server	107
Domain Name Server	107
Boot Commands	108
System Boot and Set-Up Behavior	108
Content Addressable Memory (CAM)	111
CAM Allocation	111
Test CAM Usage	112
View CAM-ACL Settings	113
CAM Optimization	114
Data Center Bridging (DCB)	115
Ethernet Enhancements in Data Center Bridging	115
Priority-Based Flow Control	116
Enhanced Transmission Selection	117
Data Center Bridging Exchange Protocol (DCBX)	119
Data Center Bridging in a Traffic Flow	119
Enabling Data Center Bridging	120
QoS dot1p Traffic Classification and Queue Assignment	121
Configuring Priority-Based Flow Control	122
Configuring Lossless Queues	124
Configuring the PFC Buffer in a Switch Stack	125
Configuring Enhanced Transmission Selection	126
ETS Prerequisites and Restrictions	126
Creating a QoS ETS Output Policy	127
Creating an ETS Priority Group	129
Applying an ETS Output Policy for a Priority Group to an Interface	130
ETS Operation with DCBX	131
Configuring Bandwidth Allocation for DCBX CIN	131
Applying DCB Policies in a Switch Stack	133
Configuring DCBX Operation	134
DCBX Operation	134
DCBX Port Roles	135
DCB Configuration Exchange	136
Configuration Source Election	137
Propagation of DCB Information	137
Auto-Detection and Manual Configuration of the DCBX Version	138
DCBX Example	138
DCBX Prerequisites and Restrictions	139
DCBX Configuration Procedure	140
Configuring DCBX on an Interface	140
Configuring DCBX Globally on the Switch	142
DCBX Error Messages	143
An error in DCBX operation is displayed using the following syslog messages:	143
Debugging DCBX on an Interface	144
Verifying DCB Configuration	145
PFC and ETS Configuration Examples	155
Using PFC and ETS to Manage Data Center Traffic	155
Using PFC and ETS to Manage Converged Ethernet Traffic in a Switch Stack	158
Hierarchical Scheduling in ETS Output Policies	159
Dynamic Host Configuration Protocol (DHCP)	161
Overview	161
DHCP Packet Format and Options	162
Assigning an IP Address Using DHCP	163
Implementation Information	164
Configuration Tasks	164
Configure the System to be a DHCP Server	164
Configuration Tasks	165
Related Configuration Tasks	165
Configure the Server for Automatic Address Allocation	165
Create an IP Address Pool	165
Exclude Addresses from the Address Pool	166
Specify an Address Lease Time	166
Specify a Default Gateway	166
Enable DHCP Server	167
Configure a Method of Hostname Resolution	167
Address Resolution using DNS	167
Address Resolution using NetBIOS WINS	168
Create Manual Binding Entries	168
Debug DHCP Server	169
DHCP Clear Commands	169
Configure the System to be a Relay Agent	169
Configure the System to be a DHCP Client	171
DHCP Client on a Management Interface	177
DHCP Client Operation with other Features	178
Stacking	178
VLT	178
VLAN and Port Channels	178
DHCP Snooping	178
DHCP Server	178
VRRP	179
Configure Secure DHCP	180
Option 82	180
DHCP Snooping	181
Enable DCHP Snooping	181
Add a Static Entry in the Binding Table	182
Clear the Binding Table	182
Display the Contents of the Binding Table	182
Drop DHCP Packets on Snooped VLANs Only	183
Dynamic ARP Inspection	184
Bypass the ARP Inspection	186
Source Address Validation	186
IP Source Address Validation	187
DHCP MAC Source Address Validation	187
IP+MAC Source Address Validation	187
FIP Snooping	189
Fibre Channel over Ethernet	189
Ensuring Robustness in a Converged Ethernet Network	189
FIP Snooping on Ethernet Bridges	191
FIP Snooping in a Switch Stack	193
Configuring FIP Snooping	193
Enabling the FIP Snooping Feature	194
Enabling FIP Snooping on VLANs	194
Configuring the FC-MAP Value	194
Configuring a Port for a Bridge-to-FCF Link	195
Impact on other Software Features	195
FIP Snooping Prerequisites	195
FIP Snooping Restrictions	196
Configuration Procedure	196
Displaying FIP Snooping Information	197
FIP Snooping Configuration Example	204
GARP VLAN Registration Protocol (GVRP)	207
Overview	207
Important Points to Remember	207
Configuring GVRP	208
Related Configuration Tasks	209
Enabling GVRP Globally	210
Enabling GVRP on a Layer 2 Interface	210
Configuring GVRP Registration	210
Configuring a GARP Timer	211
Internet Group Management Protocol (IGMP)	213
Overview	213
IGMP Version 2	213
Joining a Multicast Group	214
Leaving a Multicast Group	214
IGMP Version 3	215
Joining and Filtering Groups and Sources	216
Leaving and Staying in Groups	217
IGMP Snooping	217
IGMP Snooping Implementation Information	218
Configuring IGMP Snooping	218
Related Configuration Tasks	218
Enabling IGMP Immediate-leave	218
Disabling Multicast Flooding	219
Specifying a Port as Connected to a Multicast Router	219
Configuring the Switch as Querier	219
Adjusting the Last Member Query Interval	219
Fast Convergence after MSTP Topology Changes	220
Designating a Multicast Router Interface	220
Interfaces	221
Basic Interface Configuration:	221
Advanced Interface Configuration:	221
Interface Types	222
View Basic Interface Information	222
Enable a Physical Interface	225
Physical Interfaces	225
Configuration Task List for Physical Interfaces	225
Overview of Layer Modes	226
Configure Layer 2 (Data Link) Mode	226
Configure Layer 3 (Network) Mode	227
Management Interfaces	228
Configure Management Interfaces on the MXL Switch	229
VLAN Interfaces	231
Loopback Interfaces	232
Null Interfaces	232
Port Channel Interfaces	233
Port Channel Definition and Standards	233
Port Channel Benefits	233
Port Channel Implementation	233
100/1000/10000 Mbps Interfaces in Port Channels	234
Configuration Task List for Port Channel Interfaces	235
Create a Port Channel	235
Add a Physical Interface to a Port Channel	235
Reassign an Interface to a New Port Channel	238
Configure the Minimum oper up Links in a Port Channel (LAG)	239
Add or Remove a Port Channel from a VLAN	239
Assign an IP Address to a Port Channel	240
Delete or Disable a Port Channel	240
Bulk Configuration	240
Interface Range	240
Bulk Configuration Examples	241
Create a Single-Range	241
Create a Multiple-Range	241
Exclude Duplicate Entries	241
Exclude a Smaller Port Range	242
Overlap Port Ranges	242
Commas	242
Add Ranges	242
Interface Range Macros	243
Define the Interface Range	243
Choose an Interface-range Macro	243
Monitor and Maintain Interfaces	245
Maintenance Using TDR	246
Splitting QSFP Ports to SFP+ Ports	247
Important Points	248
MTU Size on an Interface	248
Layer 2 Flow Control Using Ethernet Pause Frames	249
Enable Pause Frames	249
Configure MTU Size on an Interface	250
Port-Pipes	251
Auto-Negotiation on Ethernet Interfaces	252
Setting Speed and Duplex Mode of Ethernet Interfaces	252
Setting Auto-Negotiation Options	254
Adjust the Keepalive Timer	255
View Advanced Interface Information	255
Display Only Configured Interfaces	255
Configure Interface Sampling Size	257
Dynamic Counters	259
Clear Interface Counters	259
IPv4 Routing	261
IP Addresses	261
Implementation Information	262
Configuration Task List for IP Addresses	262
Assign IP Addresses to an Interface	262
Configure Static Routes	263
Configure Static Routes for the Management Interface	265
Directed Broadcast	265
Resolution of Host Names	266
Enable Dynamic Resolution of Host Names	266
Specify Local System Domain and a List of Domains	267
DNS with Traceroute	267
Addess Resolution Protocol (ARP)	268
Configuration Task List for ARP	269
Configure Static ARP Entries	269
Enable Proxy ARP	270
Clear ARP Cache	271
ARP Learning via Gratuitous ARP	271
ARP Learning via ARP Request	272
Configurable ARP Retries	272
Internet Control Message Protocol (ICMP)	273
Configuration Task List for ICMP	273
Enable ICMP Unreachable Messages	273
UDP Helper	274
Configuring UDP Helper	274
Important Points to Remember	274
Enabling UDP Helper	274
Configurations Using UDP Helper	275
UDP Helper with Broadcast-All Addresses	275
UDP Helper with Subnet Broadcast Addresses	276
UDP Helper with Configured Broadcast Addresses	276
UDP Helper with No Configured Broadcast Addresses	277
Troubleshooting UDP Helper	277
iSCSI Optimization	279
iSCSI Optimization Overview	279
Monitoring iSCSI Traffic Flows	281
Application of Quality of Service to iSCSI Traffic Flows	281
Information Monitored in iSCSI Traffic Flows	281
Detection and Autoconfiguration for Dell EqualLogic Arrays	282
Detection and Port Configuration for Dell Compellent Arrays	282
Enabling and Disabling iSCSI Optimization	283
Default iSCSI Optimization Values	284
iSCSI Optimization Prerequisites	284
Configuring iSCSI Optimization	285
Displaying iSCSI Optimization Information	286
Link Aggregation Control Protocol (LACP)	289
Introduction to Dynamic LAGs and LACP	289
Important Points to Remember	290
LACP Modes	290
LACP Configuration Commands	291
LACP Configuration Tasks	291
Create a LAG	291
Configure the LAG Interfaces as Dynamic	292
Set the LACP Long Timeout	292
Monitor and Debugging LACP	293
Shared LAG State Tracking	294
Configure Shared LAG State Tracking	294
Important Points about Shared LAG State Tracking	296
LACP Basic Configuration Example	296
Configuring a LAG on ALPHA	297
Summary of the Configuration on ALPHA	301
Summary of the Configuration on BRAVO	302
Layer 2	307
Managing the MAC Address Table	307
Clear the MAC Address Table	307
Set the Aging Time for Dynamic Entries	307
Configure a Static MAC Address	308
Display the MAC Address Table	308
MAC Learning Limit	309
MAC Learning Limit Dynamic	310
MAC Learning Limit Station-Move	310
Learning Limit Violation Actions	310
Station Move Violation Actions	310
Recovering from Learning Limit and Station Move Violations	311
Network Interface Controller (NIC) Teaming	311
MAC Move Optimization	312
Link Layer Discovery Protocol (LLDP)	315
Overview	315
Protocol Data Units	315
Optional TLVs	316
Management TLVs	317
Organizationally Specific TLVs	317
IEEE Organizationally Specific TLVs	317
TIA-1057 (LLDP-MED) Overview	318
TIA Organizationally Specific TLVs	319
LLDP-MED Capabilities TLV	320
LLDP-MED Network Policies TLV	321
Extended Power via MDI TLV	322
Configuring LLDP	322
Related Configuration Tasks	323
Important Points to Remember	323
LLDP Compatibility	323
CONFIGURATION versus INTERFACE Configurations	323
Enabling LLDP	324
Disabling and Undoing LLDP	324
Advertising TLVs	325
Viewing the LLDP Configuration	326
Viewing Information Advertised by Adjacent LLDP Agents	327
Configuring LLDPDU Intervals	329
Configuring Transmit and Receive Mode	330
Configuring a Time to Live	331
Debugging LLDP	332
Relevant Management Objects	333
Multiple Spanning Tree Protocol (MSTP)	339
Overview	339
Implementation Information	340
Configure Multiple Spanning Tree Protocol	340
Related Configuration Tasks	340
Enable Multiple Spanning Tree Globally	341
Create Multiple Spanning Tree Instances	341
Influence MSTP Root Selection	342
Interoperate with Non-FTOS Bridges	343
Modify Global Parameters	344
Enable BPDU Filtering globally	345
Modify Interface Parameters	346
Configure an EdgePort	347
Flush MAC Addresses after a Topology Change	348
MSTP Sample Configurations	348
Debugging and Verifying an MSTP Configuration	353
Open Shortest Path First (OSPFv2)	357
Overview	357
Autonomous System (AS) Areas	358
Area Types	359
Networks and Neighbors	359
Router Types	359
Backbone Router (BR)	361
Area Border Router (ABR)	361
Autonomous System Border Router (ASBR)	361
Internal Router (IR)	361
Designated and Backup Designated Routers	361
Link-State Advertisements (LSAs)	362
LSA Throttling	363
Router Priority and Cost	363
Implementing OSPF with FTOS	364
Fast Convergence (OSPFv2, IPv4 only)	365
Multi-Process OSPF (OSPFv2, IPv4 only)	365
Processing SNMP and Sending SNMP Traps	365
RFC-2328 Compliant OSPF Flooding	365
OSPF ACK Packing	366
OSPF Adjacency with Cisco Routers	367
Configuration Information	367
Configuration Task List for OSPFv2 (OSPF for IPv4)	368
Enable OSPFv2	368
Enable Multi-Process OSPF	370
Assign an OSPFv2 area	371
Enable OSPFv2 on Interfaces	371
Configure Stub Areas	373
Configure LSA Throttling Timers	374
Enable Passive Interfaces	374
Enable Fast-Convergence	376
Change OSPFv2 Parameters on Interfaces	377
Enable OSPFv2 Authentication	379
Filter Routes	380
Redistribute Routes	381
Troubleshooting OSPFv2	382
Sample Configurations for OSPFv2	384
Basic OSPFv2 Router Topology	384
Port Monitoring	387
Important Points to Remember	387
Port Monitoring	388
Configuring Port Monitoring	390
Private VLANs (PVLAN)	393
Private VLAN Concepts	394
Private VLAN Commands	395
Private VLAN Configuration Task List	396
Creating PVLAN Ports	396
Creating a Primary VLAN	397
Creating a Community VLAN	398
Creating an Isolated VLAN	398
Private VLAN Configuration Example	399
Inspecting the Private VLAN Configuration	400
Per-VLAN Spanning Tree Plus (PVST+)	405
Overview	405
Implementation Information	406
Configuring Per-VLAN Spanning Tree Plus	406
Related Configuration Tasks	406
Enable PVST+	407
Disable PVST+	407
Influence PVST+ Root Selection	407
Modify Global PVST+ Parameters	409
Enable BPDU Filtering globally	410
Modify Interface PVST+ Parameters	411
Configure an EdgePort	412
PVST+ in Multi-vendor Networks	413
PVST+ Extended System ID	413
PVST+ Sample Configurations	415
Quality of Service (QoS)	417
Overview	417

Match case Limit results 1 per page

Dynamic Host Configuration Protocol (DHCP)

179

DHCP Snooping

DHCP snooping protects networks from spoofing. In the context of DHCP snooping, all ports are either

trusted or untrusted. By default, all ports are untrusted. Trusted ports are ports through which attackers

cannot connect. Manually configure ports connected to legitimate servers and relay agents as trusted.

When you enable DHCP snooping, the relay agent builds a binding table—using DHCPACK messages—

containing the client MAC address, IP addresses, IP address lease time, port, VLAN ID, and binding type.

Every time the relay agent receives a DHCPACK on an trusted port, it adds an entry to the table.

The relay agent then checks all subsequent DHCP client-originated IP traffic (DHCPRELEASE,

DHCPNACK, and DHCPDECLINE) against the binding table to ensure that the MAC-IP address pair is

legitimate, and that the packet arrived on the correct port. Packets that do not pass this check are dropped.

This check-point prevents an attacker from spoofing a client and declining or releasing the real client’s

address. Server-originated packets (DHCPOFFER, DHCPACK, DHCPNACK) that arrive on an untrusted

port are also dropped. This check-point prevents an attacker from impostering as a DHCP server to

facilitate a man-in-the-middle (MITM) attack.

Binding table entries are deleted when a lease expires, or the relay agent encounters a DHCPRELEASE,

DHCPNACK, DHCPDECLINE.

Enable DCHP Snooping

To enable DCHP snooping, follow these steps:

FTOS Behavior:

Introduced in FTOS version 7.8.1.0, DHCP snooping was available for Layer 3 only

and dependent on DHCP relay agent (

ip helper-address

). FTOS version 8.2.1.0 extends DHCP

snooping to Layer 2. You do not have to enable relay agent to snoop on Layer 2 interfaces.

FTOS Behavior:

Binding table entries are deleted when a lease expires or when the relay agent

encounters a DHCPRELEASE. The switch maintains a list of snooped VLANs. When the binding table

is exhausted, DHCP packets are dropped on snooped VLANs, while these packets are forwarded

across non-snooped VLANs. Because DHCP packets are dropped, no new IP address assignments

are made. However, DHCPRELEASE and DHCPDECLINE packets are allowed so that the DHCP

snooping table can decrease in size. After the table usage falls below the maximum limit of 4000

entries, new IP address assignments are allowed.

Note:

DHCP server packets are dropped on all untrusted interfaces of a system configured for DHCP

snooping. To prevent these packets from being dropped, configure

ip dhcp snooping trust

on the

server-connected port.

Step

Task

Command Syntax

Command Mode

Enable DHCP snooping globally.

ip dhcp snooping

CONFIGURATION

Specify ports connected to DHCP servers as trusted.

ip dhcp snooping trust

INTERFACE

Enable DHCP snooping on a VLAN.

ip dhcp snooping vlan

CONFIGURATION