Home » Dell Manuals » Servers » Dell Force10 S55T » Manual Viewer

Dell Force10 S55T S55 Configuration Guide FTOS 8.3.5.3 - Page 244

DHCP Snooping, Every time the relay agent receives a DHCPACK on an trusted port - s55 manual

Add to My Manuals
Save this manual to your list of manuals

Page 244 highlights

www.dell.com | support.dell.com The DHCP relay agent inserts Option 82 before forwarding DHCP packets to the server. The server can use this information to: • track the number of address requests per relay agent; restricting the number of addresses available per relay agent can harden a server against address exhaustion attacks. • associate client MAC addresses with a relay agent to prevent offering an IP address to a client spoofing the same MAC address on a different relay agent. • assign IP addresses according to the relay agent. This prevents generating DHCP offers in response to requests from an unauthorized relay agent. The server echoes the option back to the relay agent in its response, and the relay agent can use the information in the option to forward a reply out the interface on which the request was received rather than flooding it on the entire VLAN. The relay agent strips Option 82 from DHCP responses before forwarding them to the client. Task All platforms: Enable Option 82. Remote ID is the MAC of the switch. S4810, S60, S55: Enables Option 82. Remote ID is the hostname of the switch. S4810, S60, S55: Enables Option 82. Remote ID is remote-id Command Syntax ip dhcp relay information-option ip dhcp relay information-option remote-id hostname ip dhcp relay information-option remote-id remote-id Command Mode CONFIGURATION CONFIGURATION CONFIGURATION DHCP Snooping DHCP Snooping protects networks from spoofing. In the context of DHCP Snooping, all ports are either trusted or untrusted. By default, all ports are untrusted. Trusted ports are ports through which attackers cannot connect. Manually configure ports connected to legitimate servers and relay agents as trusted. When DHCP Snooping is enabled, the relay agent builds a binding table-using DHCPACK messages- containing the client MAC address, IP addresses, IP address lease time, port, VLAN ID, and binding type. Every time the relay agent receives a DHCPACK on an trusted port, it adds an entry to the table. The relay agent then checks all subsequent DHCP client-originated IP traffic (DHCPRELEASE, DHCPNACK, and DHCPDECLINE) against the binding table to ensure that the MAC-IP address pair is legitimate, and that the packet arrived on the correct port; packets that do not pass this check are forwarded to the server for validation. This check-point prevents an attacker from spoofing a client and declining or releasing the real client's address. Server-originated packets (DHCPOFFER, DHCPACK, DHCPNACK) that arrive on an untrusted port are also dropped. This check-point prevents an attacker from impostering as a DHCP server to facilitate a man-in-the-middle attack. 244 | Dynamic Host Configuration Protocol (DHCP)

Section	Page
About this Guide	23
Objectives	23
Audience	23
Conventions	23
Information Symbols	24
Related Documents	24
Configuration Fundamentals	25
Accessing the Command Line	25
CLI Modes	26
Navigating CLI Modes	27
The do Command	30
Undoing Commands	30
Obtaining Help	31
Entering and Editing Commands	31
Command History	32
Filtering show Command Outputs	33
Multiple Users in Configuration mode	34
Getting Started	35
Console access	35
Serial console	35
Default Configuration	36
Configure a Host Name	37
Access the System Remotely	37
Access the C-Series and E-Series and the S4810 Remotely	37
Access the S-Series Remotely	39
Configure the Enable Password	40
Configuration File Management	40
Copy Files to and from the System	41
Save the Running-configuration	42
Configure the Overload bit for Startup Scenario	43
View Files	44
File System Management	45
View command history	46
Upgrading FTOS	46
Management	47
Configure Privilege Levels	47
Create a Custom Privilege Level	47
Apply a Privilege Level to a Username	51
Apply a Privilege Level to a Terminal Line	51
Configure Logging	51
Log Messages in the Internal Buffer	52
Configuration Task List for System Log Management	52
Disable System Logging	52
Send System Messages to a Syslog Server	53
Configure a Unix System as a Syslog Server	53
Change System Logging Settings	53
Display the Logging Buffer and the Logging Configuration	54
Configure a UNIX logging facility level	56
Synchronize log messages	57
Enable timestamp on syslog messages	57
File Transfer Services	58
Configuration Task List for File Transfer Services	58
Terminal Lines	60
Deny and Permit Access to a Terminal Line	60
Configure Login Authentication for Terminal Lines	61
Time out of EXEC Privilege Mode	62
Telnet to Another Network Device	63
Lock CONFIGURATION mode	64
Viewing the Configuration Lock Status	65
Recovering from a Forgotten Password on the S55	65
Recovering from a Forgotten Enable Password on the S55	66
Recovering from a Failed Start on the S55	67
802.1ag	69
Ethernet CFM	69
Maintenance Domains	70
Maintenance Points	70
Maintenance End Points	71
Implementation Information	72
Configure CFM	72
Related Configuration Tasks	72
Enable Ethernet CFM	73
Create a Maintenance Domain	73
Create a Maintenance Association	74
Create Maintenance Points	74
Create a Maintenance End Point	74
Create a Maintenance Intermediate Point	75
MP Databases	75
Continuity Check Messages	77
Enable CCM	78
Enable Cross-checking	78
Loopback Message and Response	78
Linktrace Message and Response	78
Link Trace Cache	79
Enable CFM SNMP Traps.	80
Display Ethernet CFM Statistics	81
802.1X	83
Protocol Overview	83
The Port-authentication Process	84
EAP over RADIUS	85
Configuring 802.1X	87
Related Configuration Tasks	87
Important Points to Remember	87
Enabling 802.1X	87
Configuring Request Identity Re-transmissions	90
Configuring a Quiet Period after a Failed Authentication	90
Forcibly Authorizing or Unauthorizing a Port	91
Re-authenticating a Port	93
Periodic Re-authentication	93
Configuring Timeouts	94
Dynamic VLAN Assignment with Port Authentication	95
Guest and Authentication-fail VLANs	96
Configuring a Guest VLAN	97
Configuring an Authentication-fail VLAN	97
Access Control Lists (ACL), Prefix Lists, and Route-maps	99
Overview	99
IP Access Control Lists (ACLs)	100
CAM Profiling, CAM Allocation, and CAM Optimization	100
Implementing ACLs on FTOS	103
IP Fragment Handling	104
Configure a standard IP ACL	106
Configure an extended IP ACL	109
Configuring Layer 2 and Layer 3 ACLs on an Interface	112
Assign an IP ACL to an Interface	112
Counting ACL Hits	114
Configuring Ingress ACLs	114
Configuring Egress ACLs	115
Egress Layer 3 ACL Lookup for Control-plane IP Traffic	116
Configuring ACLs to Loopback	116
Applying an ACL on Loopback Interfaces	117
IP Prefix Lists	118
Implementation Information	118
Configuration Task List for Prefix Lists	119
ACL Resequencing	123
Resequencing an ACL or Prefix List	124
Route Maps	125
Implementation Information	125
Important Points to Remember	125
Configuration Task List for Route Maps	126
Border Gateway Protocol IPv4 (BGPv4)	135
Protocol Overview	136
Autonomous Systems (AS)	136
Sessions and Peers	138
Route Reflectors	139
Confederations	140
BGP Attributes	141
Best Path Selection Criteria	141
Weight	144
Local Preference	144
Multi-Exit Discriminators (MEDs)	144
Origin	145
AS Path	146
Next Hop	147
Multiprotocol BGP	147
Implementing BGP with FTOS	147
4-Byte AS Numbers	148
AS4 Number Representation	149
AS Number Migration	151
BGP4 Management Information Base (MIB)	153
Important Points to Remember	153
Configuration Information	154
BGP Configuration	155
Configuration Task List for BGP	155
MBGP Configuration	196
BGP Regular Expression Optimization	197
Debugging BGP	197
Storing Last and Bad PDUs	198
Capturing PDUs	199
PDU Counters	201
Sample Configurations	201
Bare Metal Provisioning 2.0	211
Prerequisites	211
Restrictions	212
Overview	212
Jumpstart mode	213
DHCP Server	213
File Server	216
Domain Name Server	216
Switch boot and set-up behavior in Jumpstart Mode	216
Content Addressable Memory	219
Content Addressable Memory	219
CAM Profiles	220
Microcode	221
CAM Profiling for ACLs	222
Boot Behavior	223
When to Use CAM Profiling	225
Important Points to Remember	225
Select CAM Profiles	225
CAM Allocation	226
Test CAM Usage	227
View CAM Profiles	228
View CAM-ACL settings	228
View CAM Usage	229
CAM Optimization	230
Applications for CAM Profiling	230
LAG Hashing	230
LAG Hashing based on Bidirectional Flow	231
CAM profile for the VLAN ACL group feature	231
Troubleshoot CAM Profiling	231
CAM Profile Mismatches	231
QoS CAM Region Limitation	232
Dynamic Host Configuration Protocol (DHCP)	233
Protocol Overview	233
DHCP Packet Format and Options	234
Assigning an IP Address using DHCP	235
Implementation Information	236
Configuration Tasks	236
Configure the System to be a DHCP Server	237
Configuration Tasks	237
Configure the Server for Automatic Address Allocation	238
Specify a Default Gateway	239
Enable DHCP Server	239
Configure a Method of Hostname Resolution	240
Create Manual Binding Entries	241
Debug DHCP server	241
DHCP Clear Commands	241
Configure the System to be a Relay Agent	242
Configure the System for User Port Stacking	243
Configure Secure DHCP	243
Option 82	243
DHCP Snooping	244
Drop DHCP packets on snooped VLANs only	246
Dynamic ARP Inspection	247
Source Address Validation	249
Dell Force10 Resilient Ring Protocol	253
Protocol Overview	253
Ring Status	254
Multiple FRRP Rings	255
Important FRRP Points	256
Important FRRP Concepts	257
Implementing FRRP	258
FRRP Configuration	258
Troubleshooting FRRP	263
Configuration Checks	263
Sample Configuration and Topology	263
GARP VLAN Registration Protocol	265
Protocol Overview	265
Important Points to Remember	265
Configuring GVRP	266
Related Configuration Tasks	267
Enabling GVRP Globally	267
Enabling GVRP on a Layer 2 Interface	268
Configuring GVRP Registration	268
Configuring a GARP Timer	269
Internet Group Management Protocol	271
IGMP Implementation Information	271
IGMP Protocol Overview	271
IGMP version 2	272
IGMP version 3	273
Configuring IGMP	276
Related Configuration Tasks	276
Viewing IGMP Enabled Interfaces	276
Selecting an IGMP Version	277
Viewing IGMP Groups	277
Adjusting Timers	278
Adjusting Query and Response Timers	278
Adjusting the IGMP Querier Timeout Value	278
Configuring a Static IGMP Group	279
Enabling IGMP Immediate-leave	279
IGMP Snooping	280
IGMP Snooping Implementation Information	280
Configuring IGMP Snooping	280
Enabling IGMP Immediate-leave	280
Disabling Multicast Flooding	281
Specifying a Port as Connected to a Multicast Router	281
Configuring the Switch as Querier	281
Fast Convergence after MSTP Topology Changes	282
Designating a Multicast Router Interface	282
Interfaces	283
Interface Types	284
View Basic Interface Information	284
Enable a Physical Interface	286
Physical Interfaces	287
Configuration Task List for Physical Interfaces	287
Overview of Layer Modes	288
Configure Layer 2 (Data Link) Mode	288
Configure Layer 3 (Network) Mode	289
Management Interfaces	290
Configure Management Interfaces on the E-Series and C-Series and on the S55	290
Configure Management Interfaces on the S-Series	291
VLAN Interfaces	292
Loopback Interfaces	293
Null Interfaces	294
Port Channel Interfaces	294
Bulk Configuration	306
Interface Range	306
Bulk Configuration Examples	307
Interface Range Macros	309
Define the Interface Range	309
Choose an Interface-range Macro	309
Monitor and Maintain Interfaces	310
Maintenance using TDR	311
Link Debounce Timer	312
Important Points to Remember about Link Debounce Timer	312
Assign a debounce time to an interface	313
Show debounce times in an interface	313
Disable ports when one only SFM is available (E300 only)	313
Disable port on one SFM	314
Link Dampening	314
Important Points to Remember	314
Enable Link Dampening	315
Ethernet Pause Frames	316
Threshold Settings	317
Enable Pause Frames	318
Configure MTU Size on an Interface	319
Port-pipes	320
Auto-Negotiation on Ethernet Interfaces	321
View Advanced Interface Information	323
Display Only Configured Interfaces	323
Configure Interface Sampling Size	324
Dynamic Counters	326
IPv4 Addressing	329
IP Addresses	329
Implementation Information	330
Configuration Task List for IP Addresses	330
Directed Broadcast	334
Resolution of Host Names	334
ARP	337
Configuration Task List for ARP	337
ARP Learning via Gratuitous ARP	339
ARP Learning via ARP Request	340
Configurable ARP Retries	341
ICMP	341
Configuration Task List for ICMP	341
IPv6 Addressing	343
Protocol Overview	343
Extended Address Space	344
Stateless Autoconfiguration	344
IPv6 Headers	345
Extension Header fields	347
Addressing	348
Implementing IPv6 with FTOS	350
ICMPv6	352
Path MTU Discovery	353
IPv6 Neighbor Discovery	354
IPv6 Neighbor Discovery of MTU packets	354
QoS for IPv6	354
IPv6 Multicast	355
SSH over an IPv6 Transport	355
Configuration Task List for IPv6	356
Change your CAM-Profile on an E-Series system	356
Adjust your CAM-Profile on an C-Series or S-Series	357
Assign an IPv6 Address to an Interface	358
Assign a Static IPv6 Route	359
Telnet with IPv6	359
SNMP over IPv6	360
Show IPv6 Information	360
Show an IPv6 Interface	361
Show IPv6 Routes	362
Show the Running-Configuration for an Interface	364
Clear IPv6 Routes	364
iSCSI Optimization	367
iSCSI Optimization Overview	367
Detection and Port Configuration for Dell Compellent Arrays	367
Link Aggregation Control Protoco	369
Introduction to Dynamic LAGs and LACP	369
Important Points to Remember	370
LACP modes	370
LACP Configuration Commands	371
LACP Configuration Tasks	371
Monitor and Debugging LACP	373
Shared LAG State Tracking	374
Configure Shared LAG State Tracking	374
Important Points about Shared LAG State Tracking	376
Configure LACP as Hitless	376
LACP Basic Configuration Example	377
Layer 2	387
Managing the MAC Address Table	387
Clear the MAC Address Table	387
Set the Aging Time for Dynamic Entries	388
Configure a Static MAC Address	388
Display the MAC Address Table	389
MAC Learning Limit	389
mac learning-limit dynamic	390
mac learning-limit mac-address-sticky	391
mac learning-limit station-move	391
Learning Limit Violation Actions	391
Station Move Violation Actions	392
Recovering from Learning Limit and Station Move Violations	392
Per-VLAN MAC Learning Limit	393
NIC Teaming	394
MAC Move Optimization	395
Microsoft Clustering	395
Default Behavior	396
Configuring the Switch for Microsoft Server Clustering	396
Enable and Disable VLAN Flooding	397
Configuring Redundant Pairs	398
Important Points about Configuring Redundant Pairs	399
Restricting Layer 2 Flooding	401
Far-end Failure Detection	402
FEFD state changes	403
Important Points to Remember	404
Configuring FEFD	404
Debugging FEFD	405
Link Layer Discovery Protocol	407
802.1AB (LLDP) Overview	407
Protocol Data Units	407
Optional TLVs	408
Management TLVs	409
TIA-1057 (LLDP-MED) Overview	410
TIA Organizationally Specific TLVs	411
Configuring LLDP	414
Related Configuration Tasks	414
Important Points to Remember	415
LLDP Compatibility	415
CONFIGURATION versus INTERFACE Configurations	415
Enabling LLDP	416
Disabling and Undoing LLDP	416
Advertising TLVs	416
Viewing the LLDP Configuration	418
Viewing Information Advertised by Adjacent LLDP Agents	418
Configuring LLDPDU Intervals	419
Configuring Transmit and Receive Mode	420
Configuring a Time to Live	421
Debugging LLDP	422
Relevant Management Objects	423
Multiple Spanning Tree Protocol	427
Protocol Overview	427
Implementation Information	428
Configure Multiple Spanning Tree Protocol	428
Related Configuration Tasks	428
Enable Multiple Spanning Tree Globally	429
Add and Remove Interfaces	429
Create Multiple Spanning Tree Instances	429
Influence MSTP Root Selection	431
Interoperate with Non-FTOS Bridges	431
Modify Global Parameters	432
Modify Interface Parameters	433
Configure an EdgePort	434
Flush MAC Addresses after a Topology Change	435
MSTP Sample Configurations	436
Debugging and Verifying MSTP Configuration	440
Multicast Features	443
Implementation Information	443
Enable IP Multicast	443
Multicast with ECMP	444
Implementation Information	444
First Packet Forwarding for Lossless Multicast	445
Multicast Policies	446
IPv4 Multicast Policies	446
IPv6 Multicast Policies	451
Multicast Traceroute	453
Multicast Quality of Service	453
Optimize the E-Series for Multicast Traffic	454
Allocate More Buffer Memory for Multicast WRED	454
Allocate More Bandwidth to Multicast using Egress WFQ	454
Tune the Central Scheduler for Multicast	454
Open Shortest Path First (OSPFv2 and OSPFv3)	457
Protocol Overview	458
Autonomous System (AS) Areas	458
Networks and Neighbors	460
Router Types	460
Designated and Backup Designated Routers	462
Link-State Advertisements (LSAs)	463
Virtual Links	464
Router Priority and Cost	464
Implementing OSPF with FTOS	465
Fast Convergence ( OSPFv2, IPv4 only)	466
Multi-Process OSPF (OSPFv2, IPv4 only)	466
RFC-2328 Compliant OSPF Flooding	467
OSPF ACK Packing	468
OSPF Adjacency with Cisco Routers	468
Configuration Information	468
Configuration Task List for OSPFv2 (OSPF for IPv4)	469
Troubleshooting OSPFv2	486
Configuration Task List for OSPFv3 (OSPF for IPv6)	489
Troubleshooting OSPFv3	494
Sample Configurations for OSPFv2	495
Basic OSPFv2 Router Topology	495
PIM Sparse-Mode	497
Implementation Information	497
Protocol Overview	497
Requesting Multicast Traffic	498
Refusing Multicast Traffic	498
Sending Multicast Traffic	498
Important Points to Remember	499
Configure PIM-SM	499
Related Configuration Tasks	499
Enable PIM-SM	500
Configurable S,G Expiry Timers	501
Configure a Static Rendezvous Point	502
Override Bootstrap Router Updates	503
Configure a Designated Router	503
Create Multicast Boundaries and Domains	504
PIM Source-Specific Mode	505
Implementation Information	507
Important Points to Remember	507
Configure PIM-SM	507
Related Configuration Tasks	507
Enable PIM-SSM	507
Use PIM-SSM with IGMP version 2 Hosts	508
Power over Ethernet	511
Configuring Power over Ethernet	512
Related Configuration Tasks	513
Enabling PoE on a Port	513
Manage Ports using Power Priority and the Power Budget	515
Determine the Power Priority for a Port	515
Determine the Affect of a Port on the Power Budget	517
Monitor the Power Budget	518
Manage Power Priorities	519
Recover from a Failed Power Supply	520
Deploying VOIP	521
Create VLANs for an Office VOIP Deployment	521
Configure LLDP-MED for an Office VOIP Deployment	522
Configure Quality of Service for an Office VOIP Deployment	523
Port Monitoring	527
Important Points to Remember	527
Port Monitoring on E-Series	528
E-Series TeraScale	528
E-Series ExaScale	529
Port Monitoring on C-Series and S-Series	529

Match case Limit results 1 per page

244

Dynamic Host Configuration Protocol (DHCP)

www.dell.com | support.dell.com

The DHCP relay agent inserts Option 82 before forwarding DHCP packets to the server. The server can

use this information to:

•

track the number of address requests per relay agent; restricting the number of addresses available per

relay agent can harden a server against address exhaustion attacks.

•

associate client MAC addresses with a relay agent to prevent offering an IP address to a client spoofing

the same MAC address on a different relay agent.

•

assign IP addresses according to the relay agent. This prevents generating DHCP offers in response to

requests from an unauthorized relay agent.

The server echoes the option back to the relay agent in its response, and the relay agent can use the

information in the option to forward a reply out the interface on which the request was received rather than

flooding it on the entire VLAN.

The relay agent strips Option 82 from DHCP responses before forwarding them to the client.

DHCP Snooping

DHCP Snooping protects networks from spoofing. In the context of DHCP Snooping, all ports are either

trusted or untrusted. By default, all ports are untrusted. Trusted ports are ports through which attackers

cannot connect. Manually configure ports connected to legitimate servers and relay agents as trusted.

When DHCP Snooping is enabled, the relay agent builds a binding table—using DHCPACK messages—

containing the client MAC address, IP addresses, IP address lease time, port, VLAN ID, and binding type.

Every time the relay agent receives a DHCPACK on an trusted port, it adds an entry to the table.

The relay agent then checks all subsequent DHCP client-originated IP traffic (DHCPRELEASE,

DHCPNACK, and DHCPDECLINE) against the binding table to ensure that the MAC-IP address pair is

legitimate, and that the packet arrived on the correct port; packets that do not pass this check are forwarded

to the server for validation. This check-point prevents an attacker from spoofing a client and declining or

releasing the real client’s address. Server-originated packets (DHCPOFFER, DHCPACK, DHCPNACK)

that arrive on an untrusted port are also dropped. This check-point prevents an attacker from impostering

as a DHCP server to facilitate a man-in-the-middle attack.

Task

Command Syntax

Command Mode

All platforms: Enable Option 82. Remote ID is the

MAC of the switch.

ip dhcp relay information-option

CONFIGURATION

S4810, S60, S55: Enables Option 82. Remote ID is

the hostname of the switch.

ip dhcp relay information-option

remote-id

hostname

CONFIGURATION

S4810, S60, S55: Enables Option 82. Remote ID is

remote-id

ip dhcp relay information-option

remote-id

CONFIGURATION