Configuring DHCP Filter

CHAPTERS

1. DHCP Filter

2. DHCPv4 Filter Configuration

3. DHCPv6 Filter Configuration

4. Configuration Examples

5. Appendix: Default Parameters

This guide applies to:

T1500G-8T v2 or above, T1500G-10PS v2 or above, T1500G-10MPS v2 or above, T1500-28PCT v3 or above, T1600G-18TS v2 or above, T1600G-28PS v3 or above, T1600G-28TS v3 or above, T1600G-52TS v3 or above, T1600G-52PS v3 or above, T1700X-16TS v3 or above, T1700G-28TQ v3 or above, T2500G-10TS v2 or above, T2600G-18TS v2 or above, T2600G-28MPS v3 or above, T2600G-28SQ v1 or above, T2600G-28TS v3 or above, T2600G-52TS v3 or above.

1 DHCP Filter

1.1 Overview

DHCP itself generally provides no authentication between the DHCP server and its clients. If several DHCP servers are present on the network, clients may obtain addresses from an unauthorized server, which causes security problems and network interference. DHCP Filter resolves this problem.

With DHCP Filter configured, the switch checks whether received DHCP packets are legal and discards the illegal ones. In this way, DHCP Filter ensures that users get IP addresses only from the legal DHCP server and enhances network security.

As the following figure shows, there are both legal and illegal DHCP servers on the network. You can configure DHCP Server1 as the legal DHCP server by providing the IP address and port number of DHCP Server1. When receiving DHCP response packets, the switch forwards only those from the legal DHCP server.

Figure 1-1 Network Topology

Additionally, you can limit the forwarding rate of DHCP packets on each port.

1.2 Supported Features

The switch supports DHCPv4 Filter and DHCPv6 Filter.

DHCPv4 Filter

DHCPv4 Filter is used for DHCPv4 servers and IPv4 clients.

DHCPv6 Filter

DHCPv6 Filter is used for DHCPv6 servers and IPv6 clients.

2 DHCPv4 Filter Configuration

To complete DHCPv4 Filter configuration, follow these steps:

1) Configure the basic DHCPv4 Filter parameters.

2) Configure legal DHCPv4 servers.

2.1 Using the GUI

2.1.1 Configuring the Basic DHCPv4 Filter Parameters

Choose the menu SECURITY > DHCP Filter > DHCPv4 Filter > Basic Config to load the following page.

Figure 2-1 DHCPv4 Filter Basic Config

Follow these steps to complete the basic settings of DHCPv4 Filter:

1) In the Global Config section, enable DHCPv4 Filter globally.

2) In the Port Config section, select one or more ports and configure the related parameters.

Port

Displays the port number.

Status

Enable or disable DHCPv4 Filter feature on the port.

MAC Verify

Enable or disable the MAC Verify feature. There are two fields in the DHCPv4 packet that contain the MAC address of the host. The MAC Verify feature compares the two fields of a DHCPv4 packet and discards the packet if the two fields are different.

This prevents the IP address resource on the DHCPv4 server from being exhausted by forged MAC addresses.

Rate Limit

Select to enable the rate limit feature and specify the maximum number of DHCPv4 packets that can be forwarded on the port per second. Excess DHCPv4 packets are discarded.

Decline Protect

Select to enable the decline protect feature and specify the maximum number of Decline packets that can be forwarded on the port per second. Excess Decline packets are discarded.

LAG

Displays the LAG that the port is in.

3) Click Apply.

Note:

A member port of a LAG (Link Aggregation Group) follows the configuration of the LAG, not its own. The port's own configuration takes effect only after it leaves the LAG.

2.1.2 Configuring Legal DHCPv4 Servers

Choose the menu SECURITY > DHCP Filter > DHCPv4 Filter > Legal DHCPv4 Servers and click to load the following page.

Figure 2-2 Adding Legal DHCPv4 Server

Follow these steps to add a legal DHCPv4 server:

1) Configure the following parameters:

Server IP Address

Specify the IP address of the legal DHCPv4 server.

Client MAC Address

(Optional) Specify the MAC address of the DHCP client. You can also leave this field empty, which means the entry applies to all DHCP clients.

Server Port

Select the port that the legal DHCPv4 server is connected to.

2) Click Create.

2.2 Using the CLI

2.2.1 Configuring the Basic DHCPv4 Filter Parameters

Follow these steps to complete the basic settings of DHCPv4 Filter:

Step 1

configure

Enter global configuration mode.

Step 2

ip dhcp filter

Enable DHCPv4 Filter globally.

Step 3

interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | interface port-channel port-channel-id | interface range port-channel port-channel-id-list }

Enter interface configuration mode.

Step 4

ip dhcp filter

Enable DHCPv4 Filter on the port.

Step 5

ip dhcp filter mac-verify

Enable the MAC Verify feature. There are two fields in the DHCP packet that contain the MAC address of the host. The MAC Verify feature compares the two fields of a DHCP packet and discards the packet if the two fields are different. This prevents the IP address resource on the DHCP server from being exhausted by forged MAC addresses.

Step 6

ip dhcp filter limit rate value

Enable the limit rate feature and specify the maximum number of DHCP messages that can be forwarded on the port per second. Excess DHCP packets are discarded.

value: Specify the limit rate value. The following options are provided: 0, 5, 10, 15, 20, 25 and 30 (packets/second). The default value is 0, which disables the limit rate.

Step 7

ip dhcp filter decline rate value

Enable the decline protect feature and specify the maximum number of Decline packets that can be forwarded per second on the port. Excess Decline packets are discarded.

value: Specify the limit rate value for Decline packets. The following options are provided: 0, 5, 10, 15, 20, 25 and 30 (packets/second). The default value is 0, which disables this feature.

Step 8

show ip dhcp filter

Verify the global DHCPv4 Filter configuration.

Step 9

show ip dhcp filter interface [ fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id ]

Verify the DHCPv4 Filter configuration of the port.

Step 10

end

Return to privileged EXEC mode.

Step 11

copy running-config startup-config

Save the settings in the configuration file.

Note:

A member port of a LAG (Link Aggregation Group) follows the configuration of the LAG, not its own. The port's own configuration takes effect only after it leaves the LAG.

The following example shows how to enable DHCPv4 Filter globally, and how to enable DHCPv4 Filter and the MAC Verify feature, set the limit rate to 10 pps and set the decline rate to 20 pps on port 1/0/1:

Switch#configure

Switch(config)#ip dhcp filter

Switch(config)#interface gigabitEthernet 1/0/1

Switch(config-if)#ip dhcp filter

Switch(config-if)#ip dhcp filter mac-verify

Switch(config-if)#ip dhcp filter limit rate 10

Switch(config-if)#ip dhcp filter decline rate 20

Switch(config-if)#show ip dhcp filter

Global Status: Enable

Switch(config-if)#show ip dhcp filter interface gigabitEthernet 1/0/1

Interface   state    MAC-Verify   Limit-Rate   Dec-rate   LAG
---------   -------  ----------   ----------   --------   ---
Gi1/0/1     Enable   Enable       10           20         N/A

Switch(config-if)#end

Switch#copy running-config startup-config

2.2.2 Configuring Legal DHCPv4 Servers

Follow these steps to configure legal DHCPv4 servers:

Step 1

configure

Enter global configuration mode.

Step 2

ip dhcp filter server permit-entry server-ip ipAddr client-mac macAddr interface { fastEthernet port-list | gigabitEthernet port-list | ten-gigabitEthernet port-list | port-channel port-channel-id }

Create an entry for the legal DHCPv4 server.

ipAddr: Specify the IP address of the legal DHCPv4 server.

macAddr: Specify the MAC address of the DHCP client. The value "all" means all client MAC addresses.

port-list | port-channel-id: Specify the port that the legal DHCPv4 server is connected to.

Step 3

show ip dhcp filter server permit-entry

Verify the configured legal DHCPv4 server entries.

Step 4

end

Return to privileged EXEC mode.

Step 5

copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to create an entry for the legal DHCPv4 server whose IP address is 192.168.0.100 and whose connected port is 1/0/1, with no client MAC address restriction:

Switch#configure

Switch(config)#ip dhcp filter server permit-entry server-ip 192.168.0.100 client-mac all interface gigabitEthernet 1/0/1

Switch(config)#show ip dhcp filter server permit-entry

Server IP          Client MAC          Interface
----------------   -----------------   ---------
192.168.0.100      all                 Gi1/0/1

Switch(config)#end

Switch#copy running-config startup-config
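As an added example (not code from this guide or from TP-Link), the following Python model implements the DHCPv4 Filter checks described in sections 2.1 and 2.2 so their effect can be traced packet by packet: MAC Verify (Ethernet source MAC compared with the BOOTP chaddr field), the per-port rate limit and decline protect counters, and the legal-server permit-entry lookup applied to server replies (OFFER/ACK/NAK). The frame builder, the parser, the port names, the client MACs and the rogue server address 192.168.0.250 are all constructed for this example; the assumption that MAC Verify is applied to client-originated messages is ours, since the guide only states that the two MAC fields are compared.

```python
# Added illustrative model of the DHCPv4 Filter checks (sections 2.1/2.2); not switch firmware.
import struct
from collections import Counter
from dataclasses import dataclass

DHCPDISCOVER, DHCPOFFER, DHCPDECLINE, DHCPACK, DHCPNAK = 1, 2, 4, 5, 6
SERVER_MESSAGES = {DHCPOFFER, DHCPACK, DHCPNAK}   # only a DHCP server sends these
MAGIC = b"\x63\x82\x53\x63"                        # BOOTP options magic cookie

def mac(s): return bytes.fromhex(s.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip4(s): return bytes(int(o) for o in s.split("."))

def build_dhcpv4_frame(eth_src, src_ip, sport, dport, chaddr, msg_type):
    # Constructed broadcast Ethernet/IPv4/UDP/BOOTP frame; checksums left zero.
    op = 2 if msg_type in SERVER_MESSAGES else 1        # BOOTREPLY / BOOTREQUEST
    bootp = (struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234, 0, 0) + bytes(16) + mac(chaddr)
             + bytes(10) + bytes(192) + MAGIC + bytes([53, 1, msg_type, 255]))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ip4(src_ip), ip4("255.255.255.255")) + udp
    return mac("ff:ff:ff:ff:ff:ff") + mac(eth_src) + b"\x08\x00" + ip

def parse_dhcpv4(frame):
    # Returns the fields the filter needs, or None when the frame is not DHCPv4 over UDP.
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None
    off = 14 + (frame[14] & 0x0F) * 4                   # UDP header follows the IPv4 header
    sport, dport = struct.unpack("!HH", frame[off:off + 4])
    bootp = frame[off + 8:]
    if not {sport, dport} & {67, 68} or len(bootp) < 240 or bootp[236:240] != MAGIC:
        return None
    msg_type, i = None, 240
    while i < len(bootp) and bootp[i] != 255:           # walk TLV options to option 53
        if bootp[i] == 53:
            msg_type = bootp[i + 2]
        i += 1 if bootp[i] == 0 else 2 + bootp[i + 1]   # pad option has no length byte
    return {"eth_src": mac_str(frame[6:12]), "src_ip": ".".join(map(str, frame[26:30])),
            "chaddr": mac_str(bootp[28:28 + bootp[2]]), "msg_type": msg_type}

@dataclass
class PortConfig:
    enabled: bool = False      # Status
    mac_verify: bool = False   # MAC Verify
    limit_rate: int = 0        # DHCP packets/second, 0 = disabled (the default)
    decline_rate: int = 0      # Decline packets/second, 0 = disabled (the default)

@dataclass(frozen=True)
class PermitEntry:             # one "ip dhcp filter server permit-entry"
    server_ip: str
    client_mac: str            # "all" or a single client MAC
    port: str

class DhcpV4Filter:
    def __init__(self):
        self.ports, self.permit, self._seen = {}, [], Counter()

    def check(self, port, frame, now):
        """Forward (True) or discard (False) a frame arriving on `port` at time `now`."""
        cfg, pkt = self.ports.get(port, PortConfig()), parse_dhcpv4(frame)
        if not cfg.enabled or pkt is None:
            return True, "not filtered"
        sec = int(now)                                  # per-port, per-second counters
        self._seen[(port, sec, "dhcp")] += 1
        if cfg.limit_rate and self._seen[(port, sec, "dhcp")] > cfg.limit_rate:
            return False, "rate limit exceeded"
        if pkt["msg_type"] == DHCPDECLINE:
            self._seen[(port, sec, "decline")] += 1
            if cfg.decline_rate and self._seen[(port, sec, "decline")] > cfg.decline_rate:
                return False, "decline rate exceeded"
        if pkt["msg_type"] in SERVER_MESSAGES:
            # A server reply passes only from a permitted server IP on its permitted port.
            ok = any(e.server_ip == pkt["src_ip"] and e.port == port
                     and e.client_mac in ("all", pkt["chaddr"]) for e in self.permit)
            return (True, "legal server") if ok else (False, "illegal DHCP server")
        # Client messages: MAC Verify compares the Ethernet source MAC with the BOOTP chaddr
        # (assumption: applied to client-originated messages, where both carry the host MAC).
        if cfg.mac_verify and pkt["eth_src"] != pkt["chaddr"]:
            return False, "mac-verify mismatch"
        return True, "client message"

def demo():
    # Section 2.2 settings on Gi1/0/1-2 plus a Decline-Protect-only port Gi1/0/3 (constructed).
    f = DhcpV4Filter()
    f.ports["Gi1/0/1"] = f.ports["Gi1/0/2"] = PortConfig(True, True, 10, 20)
    f.ports["Gi1/0/3"] = PortConfig(True, False, 0, 2)
    f.permit.append(PermitEntry("192.168.0.100", "all", "Gi1/0/1"))
    c = "00:11:22:33:44:55"                             # constructed client MAC
    discover = build_dhcpv4_frame(c, "0.0.0.0", 68, 67, c, DHCPDISCOVER)
    spoofed = build_dhcpv4_frame(c, "0.0.0.0", 68, 67, "00:11:22:33:44:56", DHCPDISCOVER)
    decline = build_dhcpv4_frame(c, "0.0.0.0", 68, 67, c, DHCPDECLINE)
    legal_offer = build_dhcpv4_frame("aa:bb:cc:00:00:01", "192.168.0.100", 67, 68, c, DHCPOFFER)
    rogue_offer = build_dhcpv4_frame("aa:bb:cc:00:00:02", "192.168.0.250", 67, 68, c, DHCPOFFER)
    r = {"discover": f.check("Gi1/0/2", discover, 100.0),
         "spoofed_chaddr": f.check("Gi1/0/2", spoofed, 100.0),
         "legal_offer": f.check("Gi1/0/1", legal_offer, 100.0),
         "rogue_offer": f.check("Gi1/0/2", rogue_offer, 100.0),
         "legal_server_wrong_port": f.check("Gi1/0/2", legal_offer, 100.0)}
    for _ in range(6): f.check("Gi1/0/2", discover, 100.5)   # packets 5..10 in second 100
    r["11th_in_second"] = f.check("Gi1/0/2", discover, 100.9)
    for _ in range(2): f.check("Gi1/0/3", decline, 200.0)
    r["3rd_decline"] = f.check("Gi1/0/3", decline, 200.0)
    return r
```

Running demo() shows the decisions the guide describes: the DISCOVER with matching MAC fields is forwarded, the one whose chaddr differs from the Ethernet source is dropped by MAC Verify, the OFFER from 192.168.0.100 passes only on Gi1/0/1 (the port named in the permit entry), the OFFER from the unlisted server is discarded, the 11th DHCP packet within one second on a 10 pps port is discarded, and the 3rd DECLINE within a second on a 2 pps decline-protect port is discarded. Note that rate-limited frames are still counted, so a burst keeps the port at its cap for the rest of that second.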

3 DHCPv6 Filter Configuration

To complete DHCPv6 Filter configuration, follow these steps:

1) Configure the basic DHCPv6 Filter parameters.

2) Configure legal DHCPv6 servers.

3.1 Using the GUI

3.1.1 Configuring the Basic DHCPv6 Filter Parameters

Choose the menu SECURITY > DHCP Filter > DHCPv6 Filter > Basic Config to load the following page.

Figure 3-1 DHCPv6 Filter Basic Config

Follow these steps to complete the basic settings of DHCPv6 Filter:

1) In the Global Config section, enable DHCPv6 Filter globally.

2) In the Port Config section, select one or more ports and configure the related parameters.

Port

Displays the port number.

Status

Enable or disable DHCPv6 Filter feature on the port.

Rate Limit

Select to enable the rate limit feature and specify the maximum number of DHCPv6 packets that can be forwarded on the port per second. Excess DHCPv6 packets are discarded.

Decline Protect

Select to enable the decline protect feature and specify the maximum number of DHCPv6 Decline packets that can be forwarded on the port per second. Excess DHCPv6 Decline packets are discarded.

LAG

Displays the LAG that the port is in.

3) Click Apply.

Note:

A member port of a LAG (Link Aggregation Group) follows the configuration of the LAG, not its own. The port's own configuration takes effect only after it leaves the LAG.

3.1.2 Configuring Legal DHCPv6 Servers

Choose the menu SECURITY > DHCP Filter > DHCPv6 Filter > Legal DHCPv6 Servers and click to load the following page.

Figure 3-2 Adding Legal DHCPv6 Server

Follow these steps to add a legal DHCPv6 server:

1) Configure the following parameters:

Server IPv6 Address

Specify the IPv6 address of the legal DHCPv6 server.

Server Port

Select the port that the legal DHCPv6 server is connected to.

2) Click Create.

3.2 Using the CLI

3.2.1 Configuring the Basic DHCPv6 Filter Parameters

Follow these steps to complete the basic settings of DHCPv6 Filter:

Step 1

configure

Enter global configuration mode.

Step 2

ipv6 dhcp filter

Enable DHCPv6 Filter globally.

Step 3

interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | interface port-channel port-channel-id | interface range port-channel port-channel-id-list }

Enter interface configuration mode.

Step 4

ipv6 dhcp filter

Enable DHCPv6 Filter on the port.

Step 5

ipv6 dhcp filter limit rate value

Enable the limit rate feature and specify the maximum number of DHCPv6 messages that can be forwarded on the port per second. Excess DHCPv6 packets are discarded.

value: Specify the limit rate value. The following options are provided: 0, 5, 10, 15, 20, 25 and 30 (packets/second). The default value is 0, which disables the limit rate.

Step 6

ipv6 dhcp filter decline rate value

Enable the decline protect feature and specify the maximum number of Decline packets that can be forwarded per second on the port. Excess Decline packets are discarded.

value: Specify the limit rate value for Decline packets. The following options are provided: 0, 5, 10, 15, 20, 25 and 30 (packets/second). The default value is 0, which disables this feature.

Step 7

show ipv6 dhcp filter

Verify the global DHCPv6 Filter configuration.

Step 8

show ipv6 dhcp filter interface [ fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id ]

Verify the DHCPv6 Filter configuration of the port.

Step 9

end

Return to privileged EXEC mode.

Step 10

copy running-config startup-config

Save the settings in the configuration file.

Note:

A member port of a LAG (Link Aggregation Group) follows the configuration of the LAG, not its own. The port's own configuration takes effect only after it leaves the LAG.

The following example shows how to enable DHCPv6 Filter globally, and how to enable DHCPv6 Filter, set the limit rate to 10 pps and set the decline rate to 20 pps on port 1/0/1:

Switch#configure

Switch(config)#ipv6 dhcp filter

Switch(config)#interface gigabitEthernet 1/0/1

Switch(config-if)#ipv6 dhcp filter

Switch(config-if)#ipv6 dhcp filter limit rate 10

Switch(config-if)#ipv6 dhcp filter decline rate 20

Switch(config-if)#show ipv6 dhcp filter

Global Status: Enable

Switch(config-if)#show ipv6 dhcp filter interface gigabitEthernet 1/0/1

Interface   state    Limit-Rate   Dec-rate   LAG
---------   -------  ----------   --------   ---
Gi1/0/1     Enable   10           20         N/A

Switch(config-if)#end

Switch#copy running-config startup-config

3.2.2 Configuring Legal DHCPv6 Servers

Follow these steps to configure legal DHCPv6 servers:

Step 1

configure

Enter global configuration mode.

Step 2

ipv6 dhcp filter server permit-entry server-ip ipAddr interface { fastEthernet port-list | gigabitEthernet port-list | ten-gigabitEthernet port-list | port-channel port-channel-id }

Create an entry for the legal DHCPv6 server.

ipAddr: Specify the IPv6 address of the legal DHCPv6 server.

port-list | port-channel-id: Specify the port that the legal DHCPv6 server is connected to.

Step 3

show ipv6 dhcp filter server permit-entry

Verify the configured legal DHCPv6 server entries.

Step 4

end

Return to privileged EXEC mode.

Step 5

copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to create an entry for the legal DHCPv6 server whose IPv6 address is 2001::54 and whose connected port is 1/0/1:

Switch#configure

Switch(config)#ipv6 dhcp filter server permit-entry server-ip 2001::54 interface gigabitEthernet 1/0/1

Switch(config)#show ipv6 dhcp filter server permit-entry

Server IP          Interface
----------------   ---------
2001::54           Gi1/0/1

Switch(config)#end

Switch#copy running-config startup-config

4 Configuration Examples

4.1 Example for DHCPv4 Filter

4.1.1 Network Requirements

As shown below, all the DHCPv4 clients get IP addresses from the legal DHCPv4 server, and any other DHCPv4 server in the LAN is regarded as illegal. Now it is required that only the legal DHCPv4 server is allowed to assign IP addresses to the clients.

Figure 4-1 Network Topology

4.1.2 Configuration Scheme

To meet the requirements, you can configure DHCPv4 Filter to filter the DHCPv4 packets from the illegal DHCPv4 server.

The overview of configuration is as follows:

1) Enable DHCPv4 Filter globally and on all ports.

2) Create an entry for the legal DHCPv4 server.

Demonstrated with the T2600G-28TS, the following sections provide the configuration procedure in two ways: using the GUI and using the CLI.

4.1.3 Using the GUI

1) Choose the menu SECURITY > DHCP Filter > DHCPv4 Filter > Basic Config to load the following page. Enable DHCPv4 Filter globally and click Apply. Select all ports, set Status to Enable, and click Apply.

Figure 4-2 Basic Config

2) Choose the menu SECURITY > DHCP Filter > DHCPv4 Filter > Legal DHCPv4 Servers and click to load the following page. Specify the IP address and connected port number of the legal DHCPv4 server. Click Create.

Figure 4-3 Create Entry for Legal DHCPv4 Server

3) Click to save the settings.

4.1.4 Using the CLI

1) Enable DHCPv4 Filter globally and on all ports:

Switch_A#configure

Switch_A(config)#ip dhcp filter

Switch_A(config)#interface range gigabitEthernet 1/0/1-28

Switch_A(config-if-range)#ip dhcp filter

Switch_A(config-if-range)#exit

2) Create an entry for the legal DHCPv4 server:

Switch_A(config)#ip dhcp filter server permit-entry server-ip 192.168.0.200 client-mac all interface gigabitEthernet 1/0/1

Switch_A(config)#end

Switch_A#copy running-config startup-config

Verify the Configuration

Verify the global DHCPv4 Filter configuration:

Switch_A#show ip dhcp filter

Global Status: Enable

Verify the DHCPv4 Filter configuration on ports:

Switch_A#show ip dhcp filter interface

Interface   state    MAC-Verify   Limit-Rate   Dec-rate   LAG
---------   -------  ----------   ----------   --------   ---
Gi1/0/1     Enable   Disable      Disable      Disable    N/A
Gi1/0/2     Enable   Disable      Disable      Disable    N/A
Gi1/0/3     Enable   Disable      Disable      Disable    N/A
Gi1/0/4     Enable   Disable      Disable      Disable    N/A

...

Verify the legal DHCPv4 server configuration:

Switch_A#show ip dhcp filter server permit-entry

Server IP          Client MAC          Interface
----------------   -----------------   ---------
192.168.0.200      all                 Gi1/0/1

4.2 Example for DHCPv6 Filter

4.2.1 Network Requirements

As shown below, all the DHCPv6 clients get IP addresses from the legal DHCPv6 server, and any other DHCPv6 server in the LAN is regarded as illegal. Now it is required that only the legal DHCPv6 server is allowed to assign IP addresses to the clients.

Figure 4-1 Network Topology

4.2.2 Configuration Scheme

To meet the requirements, you can configure DHCPv6 Filter to filter the DHCPv6 packets from the illegal DHCPv6 server.

The overview of configuration is as follows:

1) Enable DHCPv6 Filter globally and on all ports.

2) Create an entry for the legal DHCPv6 server.

Demonstrated with the T2600G-28TS, the following sections provide the configuration procedure in two ways: using the GUI and using the CLI.

4.2.3 Using the GUI

1) Choose the menu SECURITY > DHCP Filter > DHCPv6 Filter > Basic Config to load the following page. Enable DHCPv6 Filter globally and click Apply. Select all ports, set Status to Enable, and click Apply.

Figure 4-2 Basic Config

2) Choose the menu SECURITY > DHCP Filter > DHCPv6 Filter > Legal DHCPv6 Servers and click to load the following page. Specify the IPv6 address and connected port number of the legal DHCPv6 server. Click Create.

Figure 4-3 Create Entry for Legal DHCPv6 Server

3) Click to save the settings.

4.2.4 Using the CLI

1) Enable DHCPv6 Filter globally and on all ports:

Switch_A#configure

Switch_A(config)#ipv6 dhcp filter

Switch_A(config)#interface range gigabitEthernet 1/0/1-28

Switch_A(config-if-range)#ipv6 dhcp filter

Switch_A(config-if-range)#exit

2) Create an entry for the legal DHCPv6 server:

Switch_A(config)#ipv6 dhcp filter server permit-entry server-ip 2001::54 interface gigabitEthernet 1/0/1

Switch_A(config)#end

Switch_A#copy running-config startup-config

Verify the Configuration

Verify the global DHCPv6 Filter configuration:

Switch_A#show ipv6 dhcp filter

Global Status: Enable

Verify the DHCPv6 Filter configuration on ports:

Switch_A#show ipv6 dhcp filter interface

Interface   state    Limit-Rate   Dec-rate   LAG
---------   -------  ----------   --------   ---
Gi1/0/1     Enable   Disable      Disable    N/A
Gi1/0/2     Enable   Disable      Disable    N/A
Gi1/0/3     Enable   Disable      Disable    N/A
Gi1/0/4     Enable   Disable      Disable    N/A

...

Verify the legal DHCPv6 server configuration:

Switch_A#show ipv6 dhcp filter server permit-entry

Server IP          Interface
----------------   ----------
2001::54           Gi1/0/1

5 Appendix: Default Parameters

Default settings of DHCPv4 Filter are listed in the following table:

Table 5-1 DHCPv4 Filter

Parameter                         Default Setting
-------------------------------   ---------------
Global Config   DHCPv4 Filter     Disable
Port Config     Status            Disable
                MAC Verify        Disable
                Rate Limit        Disable
                Decline Protect   Disable

Default settings of DHCPv6 Filter are listed in the following table:

Table 5-2 DHCPv6 Filter

Parameter                         Default Setting
-------------------------------   ---------------
Global Config   DHCPv6 Filter     Disable
Port Config     Status            Disable
                MAC Verify        Disable
                Rate Limit        Disable
                Decline Protect   Disable