Hello!
I have some doubts regarding the correct configuration of dhcp-snooping on the Alcatel model: OS6560.
I have used the configuration below:
dhcp-snooping admin-state enable
dhcp-snooping binding admin-state enable
dhcp-snooping port 1/1/47-48 trust
Doubts:
- Does this configuration of mine really block, for example, the use of strange DHCP on my network?
- On Cisco equipment, it is necessary to configure the number of each vlan in dhcp-snooping, in the case of Alcatel it is also necessary, how to do it?
- Does the dhcp-snooping configuration consume a lot of switch CPU usage?
- To configure dhcpv6 on this model, do I use exactly these same commands or are there variations?
If there is any suggestion for better use of dhcp-snooping, I would appreciate your collaboration.
Best regards!
Correct configuration of dhcp-snooping on OS6560
Re: Correct configuration of dhcp-snooping on OS6560
To forbid unwanted dhcp servers (for all vlans) the first and the last line are enough. You can reach the same result with the feature UserPorts.
With dhcp-snooping you have on top the possibility to protect against arp-spoofing attacks. For this you need the binding and the ip-source-filter.
regards
Silvio
Re: Correct configuration of dhcp-snooping on OS6560
Thanks for the instructions, Silvio!
Just confirming what the best protection for my network looks like.
Both for strange dhcp and arp-spoofing attack protection.
Would the settings be like this?
dhcp-snooping admin-state enable
dhcp-snooping binding admin-state enable
dhcp-snooping ip-source-filter port 1/1/1-46 admin-state enable
dhcp-snooping port 1/1/47-48 trust
One last question. Should ip-source-filter be configured on all ports or only untrusted ones?
Thanks!
Re: Correct configuration of dhcp-snooping on OS6560
Normally you configure dhcp-snooping at the access switch. So the trust ports are the uplink to core.
ISF is for the user ports - so the untrust port. Your config is correct. But you need to know: If you activate ISF then only the clients within the binding table are able to communicate. If you activate all the commands during the working hours then the clients need to restart (or to get a new ip address).
BR Silvio
Re: Correct configuration of dhcp-snooping on OS6560
Hi,
Not OP but mind if I throw a question in? ISF, where would you typically use this?
I mean, if you use it on a port that has an AP connected to it, then when the user roams to another AP won't they be blocked then, correct?
What's the typical use for this feature?
- Gleylancer
Re: Correct configuration of dhcp-snooping on OS6560
DHCP snooping is to find DHCP -Servers- and instantly block them, not DHCP clients. Wireless Roaming has nothing to do with this.
Re: Correct configuration of dhcp-snooping on OS6560
ISF protects against arp spoofing attacks. If a wireless client is roaming between APs at the same switch there should be no impact. But if the client is roaming to an AP at another switch then the entry in the binding table doesn't know the client - and it will be blocked.
So at ports to APs I would not activate ISF.
BR Silvio
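Added example (not part of any post in this thread, and not AOS code): a simplified Python model of the behaviour described in the replies above, covering rogue DHCP servers dropped on untrusted ports, ISF blocking clients that have no binding until they renew, and a client moving to a switch that never saw its lease. The class, function names, MACs, IPs and the binding key (MAC, IP, port) are assumptions made for illustration.

```python
# Simplified model of DHCP snooping + IP source filtering (ISF) on an access
# switch. Illustration only; not how AOS implements it. All MACs, IPs and
# port names are constructed sample values.
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # DHCP messages only a server sends

@dataclass
class AccessSwitch:
    trusted: set                      # uplink ports (toward the DHCP server)
    isf_ports: set                    # untrusted user ports with ISF enabled
    bindings: dict = field(default_factory=dict)  # mac -> (ip, port)
    pending: dict = field(default_factory=dict)   # mac -> port of last REQUEST

    def dhcp(self, port, msg, client_mac, ip=None):
        """Return True if the DHCP message is forwarded."""
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                return False          # rogue server on a user port: drop
            if msg == "ACK" and client_mac in self.pending:
                # Learn the binding from the lease the trusted server granted.
                self.bindings[client_mac] = (ip, self.pending.pop(client_mac))
            return True
        if msg == "REQUEST":
            self.pending[client_mac] = port
        return True

    def data(self, port, src_mac, src_ip):
        """Return True if a non-DHCP frame from a client is forwarded."""
        if port not in self.isf_ports:
            return True               # trusted port or ISF disabled: no filter
        return self.bindings.get(src_mac) == (src_ip, port)

def demo():
    user_ports = {f"1/1/{n}" for n in range(1, 47)}
    sw1 = AccessSwitch(trusted={"1/1/47", "1/1/48"}, isf_ports=user_ports)
    sw2 = AccessSwitch(trusted={"1/1/47", "1/1/48"}, isf_ports=user_ports)
    pc = ("00:11:22:33:44:55", "192.0.2.10")
    r = {}
    r["rogue_offer"] = sw1.dhcp("1/1/5", "OFFER", pc[0], "192.0.2.99")
    # Lease obtained before snooping was enabled: no binding, so ISF drops.
    r["before_renew"] = sw1.data("1/1/3", *pc)
    sw1.dhcp("1/1/3", "REQUEST", pc[0])
    r["server_ack"] = sw1.dhcp("1/1/47", "ACK", *pc)
    r["after_renew"] = sw1.data("1/1/3", *pc)
    r["spoofed_ip"] = sw1.data("1/1/3", pc[0], "192.0.2.1")
    # Same client appears on another switch that never saw its lease.
    r["other_switch"] = sw2.data("1/1/3", *pc)
    return r
```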
Re: Correct configuration of dhcp-snooping on OS6560
Hi,
Gleylancer wrote (25 Mar 2024 11:40): DHCP snooping is to find DHCP -Servers- and instantly block them, not DHCP clients. Wireless Roaming has nothing to do with this.
I was referring to ISF and not DHCP-snooping. Silvio already replied and cleared my doubt. It's a bad idea as I was wondering myself!
BR