Correct configuration of dhcp-snooping on OS6560

Reginaldo
Member
Posts: 5
Joined: 23 Nov 2023 12:50

Correct configuration of dhcp-snooping on OS6560

Post by Reginaldo »

Hello!

I have some doubts regarding the correct configuration of dhcp-snooping on the Alcatel model: OS6560.

I have used the configuration below:

dhcp-snooping admin-state enable
dhcp-snooping binding admin-state enable
dhcp-snooping port 1/1/47-48 trust

Doubts:
- Does this configuration of mine really block, for example, the use of strange DHCP on my network?
- On Cisco equipment, it is necessary to configure the number of each VLAN in dhcp-snooping. In the case of Alcatel, is it also necessary, and how is it done?
- Does the dhcp-snooping configuration consume a lot of switch CPU usage?
- To configure dhcpv6 on this model, do I use exactly these same commands or are there variations?

If there is any suggestion for better use of dhcp-snooping, I would appreciate your collaboration.

Best regards!
silvio
Alcatel Unleashed Certified Guru
Posts: 1894
Joined: 01 Jul 2008 10:51
Location: Germany

Re: Correct configuration of dhcp-snooping on OS6560

Post by silvio »

To forbid unwanted DHCP servers (for all VLANs), the first and the last lines are enough. You can reach the same result with the feature UserPorts.
With dhcp-snooping you have on top the possibility to protect against arp-spoofing attacks. For this you need the binding and the ip-source-filter.
regards
Silvio
Reginaldo
Member
Posts: 5
Joined: 23 Nov 2023 12:50

Re: Correct configuration of dhcp-snooping on OS6560

Post by Reginaldo »

Thanks for the instructions, Silvio!

Just confirming what the best protection for my network looks like.
Both for strange dhcp and arp-spoofing attack protection.
Would the settings be like this?

dhcp-snooping admin-state enable
dhcp-snooping binding admin-state enable
dhcp-snooping ip-source-filter port 1/1/1-46 admin-state enable
dhcp-snooping port 1/1/47-48 trust


One last question. Should ip-source-filter be configured on all ports or only untrusted ones?


Thanks!
silvio
Alcatel Unleashed Certified Guru
Posts: 1894
Joined: 01 Jul 2008 10:51
Location: Germany

Re: Correct configuration of dhcp-snooping on OS6560

Post by silvio »

Normally you configure dhcp-snooping at the access switch. So the trust ports are the uplinks to the core.
ISF is for the user ports - so the untrusted ports. Your config is correct. But you need to know: if you activate ISF, then only the clients within the binding table are able to communicate. If you activate all the commands during working hours, then the clients need to restart (or get a new IP address).
BR Silvio
Cristek
Member
Posts: 7
Joined: 08 Mar 2024 10:56

Re: Correct configuration of dhcp-snooping on OS6560

Post by Cristek »

Hi,
Not OP but mind if I throw a question in? ISF, where would you typically use this?
I mean, if you use it on a port that has an AP connected to it, then when the user roams to another AP won't they be blocked then, correct?
What's the typical use for this feature?
Gleylancer
Member
Posts: 156
Joined: 08 May 2013 03:14

Re: Correct configuration of dhcp-snooping on OS6560

Post by Gleylancer »

DHCP snooping is to find DHCP -Servers- and instantly block them, not DHCP clients. Wireless Roaming has nothing to do with this.
silvio
Alcatel Unleashed Certified Guru
Posts: 1894
Joined: 01 Jul 2008 10:51
Location: Germany

Re: Correct configuration of dhcp-snooping on OS6560

Post by silvio »

ISF protects against ARP spoofing attacks. If a wireless client is roaming between APs at the same switch there should be no impact. But if the client is roaming to an AP at another switch, then the binding table doesn't know the client - and it will be blocked.
So at ports to APs I would not activate ISF.
BR Silvio
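
The behaviour described in the replies above (server replies accepted only on trusted ports, ISF passing only clients found in the binding table, and the roaming case) as an added example that is not part of any post in this thread and is not AOS code. It is a simplified model: the per-switch MAC-to-IP binding table, the class and function names, and the sample MAC and IP addresses are assumptions made for illustration.

```python
# Added example: simplified model of DHCP snooping + ISF (not AOS code).
from dataclasses import dataclass, field

def ports(first, last):
    """Expand a range such as 1/1/1-46 into individual port names."""
    return {f"1/1/{n}" for n in range(first, last + 1)}

@dataclass
class AccessSwitch:
    trusted: set                                   # uplinks to core
    isf: set                                       # ports with ip-source-filter enabled
    bindings: dict = field(default_factory=dict)   # MAC -> IP, per switch (assumption)

    def dhcp_server_reply(self, port):
        # OFFER/ACK is only accepted when it arrives on a trusted port.
        return "forward" if port in self.trusted else "drop"

    def snoop_ack(self, mac, ip):
        # A lease handed out through a trusted port creates a binding.
        self.bindings[mac] = ip

    def data_frame(self, port, mac, ip):
        # Ports without ISF forward everything; ISF ports need a matching binding.
        if port not in self.isf:
            return "forward"
        return "forward" if self.bindings.get(mac) == ip else "drop"

def scenario():
    # Constructed sample host; port layout taken from the thread's config.
    sw_a = AccessSwitch(trusted=ports(47, 48), isf=ports(1, 46))
    sw_b = AccessSwitch(trusted=ports(47, 48), isf=ports(1, 46))
    pc = ("00:11:22:33:44:55", "192.0.2.10")
    r = {}
    r["rogue_server_on_user_port"] = sw_a.dhcp_server_reply("1/1/10")
    r["server_via_uplink"] = sw_a.dhcp_server_reply("1/1/47")
    # Lease obtained before the feature was enabled: no binding yet.
    r["old_lease"] = sw_a.data_frame("1/1/5", *pc)
    sw_a.snoop_ack(*pc)                            # client renews its lease
    r["after_renew"] = sw_a.data_frame("1/1/5", *pc)
    r["address_not_in_binding"] = sw_a.data_frame("1/1/5", pc[0], "192.0.2.1")
    # Wireless client roams: another AP on switch A, then an AP on switch B.
    r["roam_same_switch"] = sw_a.data_frame("1/1/6", *pc)
    r["roam_other_switch"] = sw_b.data_frame("1/1/6", *pc)
    sw_b.isf -= {"1/1/6"}                          # ISF left off on the AP port
    r["roam_isf_off_on_ap_port"] = sw_b.data_frame("1/1/6", *pc)
    return r

if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:26} {verdict}")
```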
Cristek
Member
Posts: 7
Joined: 08 Mar 2024 10:56

Re: Correct configuration of dhcp-snooping on OS6560

Post by Cristek »

Gleylancer wrote: 25 Mar 2024 11:40 DHCP snooping is to find DHCP -Servers- and instantly block them, not DHCP clients. Wireless Roaming has nothing to do with this.
Hi,
I was referring to ISF and not DHCP-snooping. Silvio already replied and cleared my doubt. It's a bad idea as I was wondering myself!
BR :)