ARP security – Allied Telesis x900-48 series User Manual


Page 13 | AlliedWare™ OS How To Note: DHCP snooping on AT-9900-style switches

DHCP filtering > ARP security

To configure how many times the filters or flowgroups will be replicated:

set dhcpsnooping port=<port-list> maxlease=<number>

Any filter or flowgroup that uses a classifier containing a DHCP snooping parameter, and is
applied to a port in the list, is replicated maxlease times as it is written into the
hardware table. Then, as IP addresses are allocated to devices on the port, the addresses
in the leases are written into these replicated filter entries.

For example, when the first device on the port receives a lease, the first member of the
relevant set of replicated filters is filled in with the lease address. When a second device on
the port receives a lease, the second member of the set of replicated filters receives the new
lease address, and so on.

ARP security

It is also possible to enable DHCP snooping ARP security. When enabled, this ensures that ARP
packets received on non-trusted ports are permitted only if they originate from an IP address
that has been allocated by DHCP.

To enable DHCP snooping ARP security:

enable dhcpsnooping arpsecurity

DHCP snooping filter show command

To see what addresses have been inserted into filters using DHCP snooping classifiers, use
the command show dhcpsnooping filter:

Manager > show dhcpsnooping filter

DHCPSnooping ACL ( 150 entries )
ClassID  FlowID  Port  EntryID  IP Address/Port/Mac
----------------------------------------------------------------------
60161    150     16    3        10.11.67.50/16/00-03-47-6b-a5-7a
61161    150     16    3        10.11.67.50/16/00-03-47-6b-a5-7a
62161    151     16    3        10.11.67.50/16/00-03-47-6b-a5-7a
...

List of terms:

The FlowID refers to the associated QoS FlowGroup.

The EntryID refers to the associated entry in the DHCP snooping database.

The ClassID refers to the dynamically created classifier entry.
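As an added illustration (not code from the Allied Telesis manual), the Python below parses rows in the layout of the show dhcpsnooping filter output above and models the ARP security rule as this page states it. The function names and the trusted_ports parameter are assumptions made for the example; on the switch the check is applied by the device itself.

```python
import re
from collections import namedtuple

# Rows copied from the show output on this page, re-aligned into columns.
SAMPLE = """\
DHCPSnooping ACL ( 150 entries )
ClassID  FlowID  Port  EntryID  IP Address/Port/Mac
----------------------------------------------------------------------
60161    150     16    3        10.11.67.50/16/00-03-47-6b-a5-7a
61161    150     16    3        10.11.67.50/16/00-03-47-6b-a5-7a
62161    151     16    3        10.11.67.50/16/00-03-47-6b-a5-7a
...
"""

FilterEntry = namedtuple("FilterEntry", "class_id flow_id port entry_id ip mac")
ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)/(\d+)/((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s*$"
)

def parse_filter_table(text):
    """Return one FilterEntry per data row; header, rule and '...' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            c, f, p, e, ip, _lease_port, mac = m.groups()
            entries.append(FilterEntry(int(c), int(f), int(p), int(e), ip, mac.lower()))
    return entries

def classifiers_by_lease(entries):
    """Map EntryID -> {FlowID: [ClassID, ...]}: which filters one lease populated."""
    out = {}
    for e in entries:
        out.setdefault(e.entry_id, {}).setdefault(e.flow_id, []).append(e.class_id)
    return out

def leased_addresses(entries):
    """Collapse the replicated filter rows into the set of DHCP-allocated addresses."""
    return {e.ip for e in entries}

def arp_permitted(ingress_port, sender_ip, leases, trusted_ports=frozenset()):
    """Model of the rule: on a non-trusted port an ARP packet is permitted only
    if its sender IP address was allocated by DHCP. trusted_ports is assumed input."""
    if ingress_port in trusted_ports:
        return True
    return sender_ip in leases
```

Grouping by EntryID shows a single lease appearing once per replicated classifier, which is why the same IP/port/MAC triple repeats in the table.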
