Configuring DHCP Filter
CHAPTERS
2. DHCPv4 Filter Configuration
3. DHCPv6 Filter Configuration
5. Appendix: Default Parameters
This guide applies to: T1500G-8T v2 or above, T1500G-10PS v2 or above, T1500G-10MPS v2 or above, T1500-28PCT v3 or above, T1600G-18TS v2 or above, T1600G-28PS v3 or above, T1600G-28TS v3 or above, T1600G-52TS v3 or above, T1600G-52PS v3 or above, T1700X-16TS v3 or above, T1700G-28TQ v3 or above, T2500G-10TS v2 or above, T2600G-18TS v2 or above, T2600G-28MPS v3 or above, T2600G-28SQ v1 or above, T2600G-28TS v3 or above, T2600G-52TS v3 or above.
1.1 Overview
DHCP itself provides no authentication between the DHCP server and its clients. If several DHCP servers are present on the network, clients may accept leases from any of them, which causes security problems and network interference. DHCP Filter addresses this problem.
With DHCP Filter configured, the switch checks whether each received DHCP packet is legal and discards the illegal ones. In this way, DHCP Filter ensures that users obtain IP addresses only from the legal DHCP server, which enhances network security.
As the following figure shows, there are both legal and illegal DHCP servers on the network. You can configure DHCP Server1 as the legal DHCP server by specifying its IP address and the switch port it is connected to. When the switch receives DHCP response packets, it forwards only those from the legal DHCP server and discards the others.
Figure 1-1 Network Topology
Additionally, you can limit the forwarding rate of DHCP packets on each port.
1.2 Supported Features
The switch supports DHCPv4 Filter and DHCPv6 Filter.
DHCPv4 Filter
DHCPv4 Filter is used for DHCPv4 servers and IPv4 clients.
DHCPv6 Filter
DHCPv6 Filter is used for DHCPv6 servers and IPv6 clients.
To complete DHCPv4 Filter configuration, follow these steps:
1) Configure the basic DHCPv4 Filter parameters.
2) Configure legal DHCPv4 servers.
2.1 Using the GUI
2.1.1 Configuring the Basic DHCPv4 Filter Parameters
Choose the menu SECURITY > DHCP Filter > DHCPv4 Filter > Basic Config to load the following page.
Figure 2-1 DHCPv4 Filter Basic Config
Follow these steps to complete the basic settings of DHCPv4 Filter:
1) In the Global Config section, enable DHCPv4 Filter globally.
2) In the Port Config section, select one or more ports and configure the related parameters.
Port: Displays the port number.
Status: Enable or disable the DHCPv4 Filter feature on the port.
MAC Verify: Enable or disable the MAC Verify feature. There are two fields in the DHCPv4 packet that contain the MAC address of the host. The MAC Verify feature compares the two fields of a DHCPv4 packet and discards the packet if the two fields are different. This prevents the IP address resource on the DHCPv4 server from being exhausted by forged MAC addresses.
Rate Limit: Select to enable the rate limit feature and specify the maximum number of DHCPv4 packets that can be forwarded on the port per second. The excessive DHCPv4 packets will be discarded.
Decline Protect: Select to enable the decline protect feature and specify the maximum number of Decline packets that can be forwarded on the port per second. The excessive Decline packets will be discarded.
LAG: Displays the LAG that the port is in.
3) Click Apply.
Note: The member port of an LAG (Link Aggregation Group) follows the configuration of the LAG and not its own. The configurations of the port can take effect only after it leaves the LAG.
2.1.2 Configuring Legal DHCPv4 Servers
Choose the menu SECURITY > DHCP Filter > DHCPv4 Filter > Legal DHCPv4 Servers and click to load the following page.
Figure 2-2 Adding Legal DHCPv4 Server
Follow these steps to add a legal DHCPv4 server:
1) Configure the following parameters:
Server IP Address: Specify the IP address of the legal DHCPv4 server.
Client MAC Address: (Optional) Specify the MAC address of the DHCP client. You can also leave this field empty, which represents all DHCP clients.
Server Port: Select the port that the legal DHCPv4 server is connected to.
2) Click Create.
2.2 Using the CLI
2.2.1 Configuring the Basic DHCPv4 Filter Parameters
Follow these steps to complete the basic settings of DHCPv4 Filter:
Step 1: configure
    Enter global configuration mode.
Step 2: ip dhcp filter
    Enable DHCPv4 Filter globally.
Step 3: interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | interface port-channel port-channel-id | interface range port-channel port-channel-id-list }
    Enter interface configuration mode.
Step 4: ip dhcp filter
    Enable DHCPv4 Filter on the port.
Step 5: ip dhcp filter mac-verify
    Enable the MAC Verify feature. There are two fields in the DHCP packet that contain the MAC address of the host. The MAC Verify feature compares the two fields of a DHCP packet and discards the packet if the two fields are different. This prevents the IP address resource on the DHCP server from being exhausted by forged MAC addresses.
Step 6: ip dhcp filter limit rate value
    Enable the limit rate feature and specify the maximum number of DHCP messages that can be forwarded on the port per second. The excessive DHCP packets will be discarded.
    value: Specify the limit rate value. The following options are provided: 0, 5, 10, 15, 20, 25 and 30 (packets/second). The default value is 0, which disables the limit rate feature.
Step 7: ip dhcp filter decline rate value
    Enable the decline protect feature and specify the maximum number of Decline packets that can be forwarded on the port per second. The excessive Decline packets will be discarded.
    value: Specify the limit rate value of Decline packets. The following options are provided: 0, 5, 10, 15, 20, 25 and 30 (packets/second). The default value is 0, which disables this feature.
Step 8: show ip dhcp filter
    Verify the global DHCPv4 Filter configuration.
Step 9: show ip dhcp filter interface [ fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id ]
    Verify the DHCPv4 Filter configuration of the port.
Step 10: end
    Return to privileged EXEC mode.
Step 11: copy running-config startup-config
    Save the settings in the configuration file.
Note: The member port of an LAG (Link Aggregation Group) follows the configuration of the LAG and not its own. The configurations of the port can take effect only after it leaves the LAG.
The following example shows how to enable DHCPv4 Filter globally, and how to enable DHCPv4 Filter, enable the MAC Verify feature, set the limit rate to 10 pps and set the decline rate to 20 pps on port 1/0/1:
Switch#configure
Switch(config)#ip dhcp filter
Switch(config)#interface gigabitEthernet 1/0/1
Switch(config-if)#ip dhcp filter
Switch(config-if)#ip dhcp filter mac-verify
Switch(config-if)#ip dhcp filter limit rate 10
Switch(config-if)#ip dhcp filter decline rate 20
Switch(config-if)#show ip dhcp filter
Global Status: Enable
Switch(config-if)#show ip dhcp filter interface gigabitEthernet 1/0/1
Interface state MAC-Verify Limit-Rate Dec-rate LAG
--------- ------- ---------- ---------- -------- ---
Gi1/0/1 Enable Enable 10 20 N/A
Switch(config-if)#end
Switch#copy running-config startup-config
2.2.2 Configuring Legal DHCPv4 Servers
Follow these steps to configure legal DHCPv4 servers:
Step 1: configure
    Enter global configuration mode.
Step 2: ip dhcp filter server permit-entry server-ip ipAddr client-mac macAddr interface { fastEthernet port-list | gigabitEthernet port-list | ten-gigabitEthernet port-list | port-channel port-channel-id }
    Create an entry for the legal DHCPv4 server.
    ipAddr: Specify the IP address of the legal DHCPv4 server.
    macAddr: Specify the MAC address of the DHCP client. The value "all" means all client MAC addresses.
    port-list | port-channel-id: Specify the port that the legal DHCPv4 server is connected to.
Step 3: show ip dhcp filter server permit-entry
    Verify the configured legal DHCPv4 server information.
Step 4: end
    Return to privileged EXEC mode.
Step 5: copy running-config startup-config
    Save the settings in the configuration file.
The following example shows how to create an entry for the legal DHCPv4 server whose IP address is 192.168.0.100 and which is connected to port 1/0/1, with no client MAC address restriction:
Switch#configure
Switch(config)#ip dhcp filter server permit-entry server-ip 192.168.0.100 client-mac all interface gigabitEthernet 1/0/1
Switch(config)#show ip dhcp filter server permit-entry
Server IP Client MAC Interface
---------------- ----------------- ---------
192.168.0.100 all Gi1/0/1
Switch(config)#end
Switch#copy running-config startup-config
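The three checks configured above (the permit-entry lookup by server IP and ingress port, MAC Verify, and the per-port limit rate) can be modelled in software to see which packets the switch forwards and which it discards. The following Python block is an added example written for this guide, not TP-Link code; it assumes that the two MAC fields compared by MAC Verify are the Ethernet source address and the BOOTP chaddr field, and it builds its own constructed test frames around the permit entry from the example above.

```python
import struct
from collections import defaultdict

BOOTREQUEST, BOOTREPLY = 1, 2

def build_frame(src_mac, dst_mac, src_ip, dst_ip, op, chaddr):
    """Constructed test frame: Ethernet + minimal IPv4 + UDP + BOOTP (checksums left 0)."""
    hx = lambda mac: bytes.fromhex(mac.replace(":", ""))
    ip4 = lambda ip: bytes(int(o) for o in ip.split("."))
    eth = hx(dst_mac) + hx(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 268, 0, 0, 64, 17, 0, ip4(src_ip), ip4(dst_ip))
    sport, dport = (68, 67) if op == BOOTREQUEST else (67, 68)
    udp = struct.pack("!HHHH", sport, dport, 248, 0)
    # BOOTP: op, htype=1, hlen=6, hops, then xid..giaddr (24 bytes), then chaddr (16 bytes)
    bootp = bytes([op, 1, 6, 0]) + b"\x00" * 24 + hx(chaddr) + b"\x00" * 10
    return eth + ip + udp + bootp + b"\x00" * 192 + b"\x63\x82\x53\x63"

def parse(frame):
    """Return (Ethernet source MAC, IPv4 source, BOOTP op, BOOTP chaddr) from a raw frame."""
    src_ip = ".".join(str(b) for b in frame[26:30])
    return frame[6:12].hex(":"), src_ip, frame[42], frame[70:76].hex(":")

class Dhcpv4Filter:
    def __init__(self, permit_entries, mac_verify_ports=(), limit_rate=None):
        self.permit = list(permit_entries)        # (server_ip, client_mac or "all", port)
        self.mac_verify = set(mac_verify_ports)   # ports with "ip dhcp filter mac-verify"
        self.limit_rate = dict(limit_rate or {})  # port -> pps; 0 or absent disables
        self.counts = defaultdict(int)            # (port, second) -> DHCP packets seen

    def decide(self, port, frame, second=0):
        src_mac, src_ip, op, chaddr = parse(frame)
        rate = self.limit_rate.get(port, 0)
        if rate:                                  # "ip dhcp filter limit rate <value>"
            self.counts[(port, second)] += 1
            if self.counts[(port, second)] > rate:
                return "drop: limit rate"
        if op == BOOTREQUEST and port in self.mac_verify and src_mac != chaddr:
            return "drop: mac-verify"             # forged chaddr would exhaust the pool
        if op == BOOTREPLY:                       # server replies need a matching permit-entry
            ok = any(ip == src_ip and p == port and cm in ("all", chaddr)
                     for ip, cm, p in self.permit)
            return "forward" if ok else "drop: illegal server"
        return "forward"

def demo():
    # Permit entry from the example above; MAC Verify and a 5 pps limit on the client port.
    flt = Dhcpv4Filter([("192.168.0.100", "all", "Gi1/0/1")], {"Gi1/0/2"}, {"Gi1/0/2": 5})
    client, legal, rogue = "00:11:22:33:44:55", "00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02"
    offer = build_frame(legal, client, "192.168.0.100", "192.168.0.10", BOOTREPLY, client)
    disc = build_frame(client, "ff:ff:ff:ff:ff:ff", "0.0.0.0", "255.255.255.255", BOOTREQUEST, client)
    forged = build_frame(client, "ff:ff:ff:ff:ff:ff", "0.0.0.0", "255.255.255.255", BOOTREQUEST, rogue)
    return {"legal offer on Gi1/0/1": flt.decide("Gi1/0/1", offer),
            "same server IP via Gi1/0/3": flt.decide("Gi1/0/3", offer),
            "discover": flt.decide("Gi1/0/2", disc, 1),
            "chaddr != source MAC": flt.decide("Gi1/0/2", forged, 1),
            "6th packet in one second": [flt.decide("Gi1/0/2", disc, 2) for _ in range(6)][-1]}
```

The second case shows why the permit entry binds the server IP to a port: a reply carrying the legal server's address but arriving on another port is still discarded.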
To complete DHCPv6 Filter configuration, follow these steps:
1) Configure the basic DHCPv6 Filter parameters.
2) Configure legal DHCPv6 servers.
3.1 Using the GUI
3.1.1 Configuring the Basic DHCPv6 Filter Parameters
Choose the menu SECURITY > DHCP Filter > DHCPv6 Filter > Basic Config to load the following page.
Figure 3-1 DHCPv6 Filter Basic Config
Follow these steps to complete the basic settings of DHCPv6 Filter:
1) In the Global Config section, enable DHCPv6 Filter globally.
2) In the Port Config section, select one or more ports and configure the related parameters.
Port: Displays the port number.
Status: Enable or disable the DHCPv6 Filter feature on the port.
Rate Limit: Select to enable the rate limit feature and specify the maximum number of DHCPv6 packets that can be forwarded on the port per second. The excessive DHCPv6 packets will be discarded.
Decline Protect: Select to enable the decline protect feature and specify the maximum number of DHCPv6 Decline packets that can be forwarded on the port per second. The excessive DHCPv6 Decline packets will be discarded.
LAG: Displays the LAG that the port is in.
3) Click Apply.
Note: The member port of an LAG (Link Aggregation Group) follows the configuration of the LAG and not its own. The configurations of the port can take effect only after it leaves the LAG.
3.1.2 Configuring Legal DHCPv6 Servers
Choose the menu SECURITY > DHCP Filter > DHCPv6 Filter > Legal DHCPv6 Servers and click to load the following page.
Figure 3-2 Adding Legal DHCPv6 Server
Follow these steps to add a legal DHCPv6 server:
1) Configure the following parameters:
Server IPv6 Address: Specify the IPv6 address of the legal DHCPv6 server.
Server Port: Select the port that the legal DHCPv6 server is connected to.
2) Click Create.
3.2 Using the CLI
3.2.1 Configuring the Basic DHCPv6 Filter Parameters
Follow these steps to complete the basic settings of DHCPv6 Filter:
Step 1: configure
    Enter global configuration mode.
Step 2: ipv6 dhcp filter
    Enable DHCPv6 Filter globally.
Step 3: interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list | interface port-channel port-channel-id | interface range port-channel port-channel-id-list }
    Enter interface configuration mode.
Step 4: ipv6 dhcp filter
    Enable DHCPv6 Filter on the port.
Step 5: ipv6 dhcp filter limit rate value
    Enable the limit rate feature and specify the maximum number of DHCPv6 messages that can be forwarded on the port per second. The excessive DHCPv6 packets will be discarded.
    value: Specify the limit rate value. The following options are provided: 0, 5, 10, 15, 20, 25 and 30 (packets/second). The default value is 0, which disables the limit rate feature.
Step 6: ipv6 dhcp filter decline rate value
    Enable the decline protect feature and specify the maximum number of Decline packets that can be forwarded on the port per second. The excessive Decline packets will be discarded.
    value: Specify the limit rate value of Decline packets. The following options are provided: 0, 5, 10, 15, 20, 25 and 30 (packets/second). The default value is 0, which disables this feature.
Step 7: show ipv6 dhcp filter
    Verify the global DHCPv6 Filter configuration.
Step 8: show ipv6 dhcp filter interface [ fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port | port-channel port-channel-id ]
    Verify the DHCPv6 Filter configuration of the port.
Step 9: end
    Return to privileged EXEC mode.
Step 10: copy running-config startup-config
    Save the settings in the configuration file.
Note: The member port of an LAG (Link Aggregation Group) follows the configuration of the LAG and not its own. The configurations of the port can take effect only after it leaves the LAG.
The following example shows how to enable DHCPv6 Filter globally, and how to enable DHCPv6 Filter, set the limit rate to 10 pps and set the decline rate to 20 pps on port 1/0/1:
Switch#configure
Switch(config)#ipv6 dhcp filter
Switch(config)#interface gigabitEthernet 1/0/1
Switch(config-if)#ipv6 dhcp filter
Switch(config-if)#ipv6 dhcp filter limit rate 10
Switch(config-if)#ipv6 dhcp filter decline rate 20
Switch(config-if)#show ipv6 dhcp filter
Global Status: Enable
Switch(config-if)#show ipv6 dhcp filter interface gigabitEthernet 1/0/1
Interface state Limit-Rate Dec-rate LAG
--------- ------- ---------- -------- ---
Gi1/0/1 Enable 10 20 N/A
Switch(config-if)#end
Switch#copy running-config startup-config
3.2.2 Configuring Legal DHCPv6 Servers
Follow these steps to configure legal DHCPv6 servers:
Step 1: configure
    Enter global configuration mode.
Step 2: ipv6 dhcp filter server permit-entry server-ip ipAddr interface { fastEthernet port-list | gigabitEthernet port-list | ten-gigabitEthernet port-list | port-channel port-channel-id }
    Create an entry for the legal DHCPv6 server.
    ipAddr: Specify the IPv6 address of the legal DHCPv6 server.
    port-list | port-channel-id: Specify the port that the legal DHCPv6 server is connected to.
Step 3: show ipv6 dhcp filter server permit-entry
    Verify the configured legal DHCPv6 server information.
Step 4: end
    Return to privileged EXEC mode.
Step 5: copy running-config startup-config
    Save the settings in the configuration file.
The following example shows how to create an entry for the legal DHCPv6 server whose IPv6 address is 2001::54 and which is connected to port 1/0/1:
Switch#configure
Switch(config)#ipv6 dhcp filter server permit-entry server-ip 2001::54 interface gigabitEthernet 1/0/1
Switch(config)#show ipv6 dhcp filter server permit-entry
Server IP Interface
---------------- ---------
2001::54 Gi1/0/1
Switch(config)#end
Switch#copy running-config startup-config
4.1 Example for DHCPv4 Filter
4.1.1 Network Requirements
As shown below, all the DHCPv4 clients obtain IP addresses from the legal DHCPv4 server, and any other DHCPv4 server in the LAN is regarded as illegal. It is required that only the legal DHCPv4 server is allowed to assign IP addresses to the clients.
Figure 4-1 Network Topology
4.1.2 Configuration Scheme
To meet the requirements, you can configure DHCPv4 Filter to filter out the DHCPv4 packets from the illegal DHCPv4 server.
The overview of the configuration is as follows:
1) Enable DHCPv4 Filter globally and on all ports.
2) Create an entry for the legal DHCPv4 server.
Demonstrated with T2600G-28TS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI.
4.1.3 Using the GUI
1) Choose the menu SECURITY > DHCP Filter > DHCPv4 Filter > Basic Config to load the following page. Enable DHCPv4 Filter globally and click Apply. Select all ports, set Status to Enable, and click Apply.
Figure 4-2 Basic Config
2) Choose the menu SECURITY > DHCP Filter > DHCPv4 Filter > Legal DHCPv4 Servers and click to load the following page. Specify the IP address and connected port number of the legal DHCPv4 server. Click Create.
Figure 4-3 Create Entry for Legal DHCPv4 Server
3) Click to save the settings.
4.1.4 Using the CLI
1) Enable DHCPv4 Filter globally and on all ports:
Switch_A#configure
Switch_A(config)#ip dhcp filter
Switch_A(config)#interface range gigabitEthernet 1/0/1-28
Switch_A(config-if-range)#ip dhcp filter
Switch_A(config-if-range)#exit
2)Create an entry for the legal DHCPv4 server:
Switch_A(config)#ip dhcp filter server permit-entry server-ip 192.168.0.200 client-mac all interface gigabitEthernet 1/0/1
Switch_A(config)#end
Switch_A#copy running-config startup-config
Verify the Configuration
Verify the global DHCPv4 Filter configuration:
Switch_A#show ip dhcp filter
Global Status: Enable
Verify the DHCPv4 Filter configuration on ports:
Switch_A#show ip dhcp filter interface
Interface state MAC-Verify Limit-Rate Dec-rate LAG
--------- ------- ---------- ---------- -------- ---
Gi1/0/1 Enable Disable Disable Disable N/A
Gi1/0/2 Enable Disable Disable Disable N/A
Gi1/0/3 Enable Disable Disable Disable N/A
Gi1/0/4 Enable Disable Disable Disable N/A
...
Verify the legal DHCPv4 server configuration:
Switch_A#show ip dhcp filter server permit-entry
Server IP Client MAC Interface
---------------- ----------------- ---------
192.168.0.200 all Gi1/0/1
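When the filter must be active on every port, reading a long `show ip dhcp filter interface` listing by eye is error-prone. The following Python block is an added example, not part of this guide or TP-Link's software: it parses the show command's table format (a constructed sample is embedded; the LAG name "LAG1" is an assumed value, since the guide's own output only shows "N/A") and reports ports where DHCPv4 Filter is still disabled, ports whose own setting is shadowed by LAG membership, and expected ports absent from the output.

```python
SHOW_OUTPUT = """\
Interface state MAC-Verify Limit-Rate Dec-rate LAG
--------- ------- ---------- ---------- -------- ---
Gi1/0/1 Enable Disable Disable Disable N/A
Gi1/0/2 Enable Disable 10 20 N/A
Gi1/0/3 Disable Disable Disable Disable N/A
Gi1/0/4 Enable Disable Disable Disable LAG1
"""  # constructed sample in the format of the show command above; "LAG1" is an assumed LAG name

def parse_filter_table(text):
    """Map each interface in the show output to its column values."""
    rows, in_body = {}, False
    for line in text.splitlines():
        if line.startswith("---"):          # the dashed rule separates header from rows
            in_body = True
            continue
        parts = line.split()
        if in_body and len(parts) == 6:
            iface, state, mac_verify, limit, decline, lag = parts
            rows[iface] = {"state": state, "mac_verify": mac_verify,
                           "limit_rate": limit, "decline_rate": decline, "lag": lag}
    return rows

def audit(text, expected_ports):
    """Return (port, reason) pairs for ports that still need attention."""
    rows = parse_filter_table(text)
    findings = []
    for port in expected_ports:
        row = rows.get(port)
        if row is None:
            findings.append((port, "missing from output"))
        elif row["state"] != "Enable":
            findings.append((port, "DHCPv4 Filter disabled"))
        elif row["lag"] != "N/A":
            # Per the note above, a LAG member follows the LAG's configuration, not its own.
            findings.append((port, f"member of {row['lag']}: the LAG's config applies"))
    return findings
```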
4.2 Example for DHCPv6 Filter
4.2.1 Network Requirements
As shown below, all the DHCPv6 clients obtain IP addresses from the legal DHCPv6 server, and any other DHCPv6 server in the LAN is regarded as illegal. It is required that only the legal DHCPv6 server is allowed to assign IP addresses to the clients.
Figure 4-1 Network Topology
4.2.2 Configuration Scheme
To meet the requirements, you can configure DHCPv6 Filter to filter out the DHCPv6 packets from the illegal DHCPv6 server.
The overview of the configuration is as follows:
1) Enable DHCPv6 Filter globally and on all ports.
2) Create an entry for the legal DHCPv6 server.
Demonstrated with T2600G-28TS, the following sections provide configuration procedure in two ways: using the GUI and using the CLI.
4.2.3 Using the GUI
1) Choose the menu SECURITY > DHCP Filter > DHCPv6 Filter > Basic Config to load the following page. Enable DHCPv6 Filter globally and click Apply. Select all ports, set Status to Enable, and click Apply.
Figure 4-2 Basic Config
2) Choose the menu SECURITY > DHCP Filter > DHCPv6 Filter > Legal DHCPv6 Servers and click to load the following page. Specify the IPv6 address and connected port number of the legal DHCPv6 server. Click Create.
Figure 4-3 Create Entry for Legal DHCPv6 Server
3) Click to save the settings.
4.2.4 Using the CLI
1) Enable DHCPv6 Filter globally and on all ports:
Switch_A#configure
Switch_A(config)#ipv6 dhcp filter
Switch_A(config)#interface range gigabitEthernet 1/0/1-28
Switch_A(config-if-range)#ipv6 dhcp filter
Switch_A(config-if-range)#exit
2)Create an entry for the legal DHCPv6 server:
Switch_A(config)#ipv6 dhcp filter server permit-entry server-ip 2001::54 interface gigabitEthernet 1/0/1
Switch_A(config)#end
Switch_A#copy running-config startup-config
Verify the Configuration
Verify the global DHCPv6 Filter configuration:
Switch_A#show ipv6 dhcp filter
Global Status: Enable
Verify the DHCPv6 Filter configuration on ports:
Switch_A#show ipv6 dhcp filter interface
Interface state Limit-Rate Dec-rate LAG
--------- ------- ---------- -------- ---
Gi1/0/1 Enable Disable Disable N/A
Gi1/0/2 Enable Disable Disable N/A
Gi1/0/3 Enable Disable Disable N/A
Gi1/0/4 Enable Disable Disable N/A
...
Verify the legal DHCPv6 server configuration:
Switch_A#show ipv6 dhcp filter server permit-entry
Server IP Interface
---------------- ----------
2001::54 Gi1/0/1
Default settings of DHCPv4 Filter are listed in the following table:
Table 5-1 DHCPv4 Filter
Parameter                    Default Setting
---------------------------  ---------------
Global Config
  DHCPv4 Filter              Disable
Port Config
  Status                     Disable
  MAC Verify                 Disable
  Rate Limit                 Disable
  Decline Protect            Disable
Default settings of DHCPv6 Filter are listed in the following table:
Table 5-2 DHCPv6 Filter
Parameter                    Default Setting
---------------------------  ---------------
Global Config
  DHCPv6 Filter              Disable
Port Config
  Status                     Disable
  MAC Verify                 Disable
  Rate Limit                 Disable
  Decline Protect            Disable