DGS-3000 Series Layer 2 Managed Gigabit Ethernet Switch CLI Reference Guide
the unauthorized machine, giving the attacker the possibility of filtering traffic for passwords or
employing a ‘man-in-the-middle’ attack.
DHCP filtering works by allowing the administrator to configure each port as a trusted or untrusted
port. The port that has the authorized DHCP server should be configured as a trusted port. Any
DHCP responses received on a trusted port will be forwarded. All other ports should be configured
as untrusted. Any DHCP (or BOOTP) responses received on the ingress side of an untrusted port will be discarded.
This command has three purposes:
1. Specify to filter all DHCP server packets on the specific port.
2. Specify to allow some DHCP server packets with pre-defined server IP addresses.
3. Deny all DHCPOFFER packets by using the default DHCP server filtering method, and specify
explicit “permit” rules, each made up of the DHCP server IP, the client’s MAC address, and the
port list for the DHCP server. With this function, we can restrict the DHCP server to service
specific DHCP clients. This is useful when two DHCP servers are present on the network, one of
them providing the private IP address and the other providing the public IP address.
Enabling DHCP server port state filtering will create one access profile and create one access rule
per port (UDP port = 67). Filter commands in this file will share the same access profile.
Addition of a permit DHCP entry will create one access profile and create one access rule. Filtering
commands in this file will share the same access profile.
Format
config filter dhcp_server [add permit server_ip <ipaddr> {client_mac <macaddr>} ports [<portlist> | all] | delete permit server_ip <ipaddr> {client_mac <macaddr>} ports [<portlist> | all] | ports [<portlist> | all] state [enable | disable] | illegal_server_log_suppress_duration [1min | 5min | 30min] | trap_log [enable | disable]]
Parameters
add - Specify to add a DHCP filter.
permit - Specify a permission DHCP filter.
server_ip - The IP address of the DHCP server to be filtered.
<ipaddr> - Enter the DHCP server IP address here.
client_mac - (Optional) The MAC address of the DHCP client.
<macaddr> - Enter the DHCP client MAC address here.
ports - The ports to which the DHCP server filter applies.
<portlist> - Enter the list of ports to be configured here.
all - Specify that all ports will be used for this configuration.
delete - Specify to delete the DHCP filter.
permit - Specify the permission DHCP filter.
server_ip - The IP address of the DHCP server to be filtered.
<ipaddr> - Enter the DHCP server IP address here.
client_mac - (Optional) The MAC address of the DHCP client.
<macaddr> - Enter the DHCP client MAC address here.
ports - The ports to which the DHCP server filter applies.
<portlist> - Enter the list of ports to be configured here.
all - Specify that all ports will be used for this configuration.
state - Specify to enable or disable the filter DHCP server state.
enable - Specify that the filter DHCP server state will be enabled.
disable - Specify that the filter DHCP server state will be disabled.
illegal_server_log_suppress_duration - Specify the duration within which the same illegal DHCP server IP address, once detected, will be logged only once. The default value is 5 minutes.
1min - Specify that the illegal server log suppress duration value will be set to 1 minute.
5min - Specify that the illegal server log suppress duration value will be set to 5 minutes.
30min - Specify that the illegal server log suppress duration value will be set to 30 minutes.
trap_log - Specify to enable or disable the trap and log function.
enable - Enables the trap and log function.
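The forwarding decision and log suppression described above, as a small Python model. This is an added example, not D-Link code: the class, its method names, the addresses and the MACs are constructed, and it assumes that permit entries act as exceptions on ports where the filter state is enabled and that trap_log is enabled.

```python
from dataclasses import dataclass, field

# Seconds for each documented illegal_server_log_suppress_duration value.
SUPPRESS_SECONDS = {"1min": 60, "5min": 300, "30min": 1800}

@dataclass
class DhcpServerFilter:
    """Assumed model of 'config filter dhcp_server'; not switch firmware."""
    filtered_ports: set = field(default_factory=set)  # ports with state enable
    permits: list = field(default_factory=list)       # (server_ip, client_mac, ports)
    suppress: str = "5min"                            # documented default
    log: list = field(default_factory=list)           # (time, port, server_ip)
    last_logged: dict = field(default_factory=dict)   # server_ip -> last log time

    def add_permit(self, server_ip, ports, client_mac=None):
        # client_mac is optional, as in the command syntax.
        self.permits.append((server_ip, client_mac, set(ports)))

    def check(self, now, port, server_ip, client_mac):
        """Return True if a DHCP server packet (UDP source port 67) is forwarded."""
        if port not in self.filtered_ports:
            return True  # filter state disabled: port is treated as trusted
        for ip, mac, ports in self.permits:
            if ip == server_ip and port in ports and mac in (None, client_mac):
                return True  # explicit permit entry matches
        # Illegal server: log the same server IP once per suppress duration.
        last = self.last_logged.get(server_ip)
        if last is None or now - last >= SUPPRESS_SECONDS[self.suppress]:
            self.last_logged[server_ip] = now
            self.log.append((now, port, server_ip))
        return False

def demo():
    """Run constructed events: ports 1-24 filtered, port 25 is the server uplink."""
    f = DhcpServerFilter(filtered_ports=set(range(1, 25)))
    f.add_permit("192.0.2.10", ports=[5], client_mac="00-11-22-33-44-55")
    events = [  # (seconds, ingress port, server IP, client MAC), all constructed
        (0, 25, "192.0.2.1", "00-11-22-33-44-66"),    # trusted uplink
        (10, 7, "192.0.2.66", "00-11-22-33-44-66"),   # rogue server, logged
        (20, 5, "192.0.2.10", "00-11-22-33-44-55"),   # matches permit entry
        (25, 5, "192.0.2.10", "00-11-22-33-44-66"),   # permit IP, wrong client
        (70, 7, "192.0.2.66", "00-11-22-33-44-66"),   # dropped, log suppressed
        (400, 7, "192.0.2.66", "00-11-22-33-44-66"),  # dropped, logged again
    ]
    return [f.check(*e) for e in events], f.log

if __name__ == "__main__":
    verdicts, log = demo()
    print(verdicts, log, sep="\n")
```

With the default 5 minute duration, the repeat offer from 192.0.2.66 at 70 seconds is dropped without a second log entry, so a shorter duration gives finer timing of rogue server activity at the cost of more log volume.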