
13 Posts

46925

May 6th, 2013 03:00

PowerConnect 5448, How to confine DHCP BOOTREPLY message to a specific LAN port?

To ward off the effect of a rogue DHCP server on my Ethernet network, I need to confine DHCP BOOTREPLY messages to a specific LAN port on which the authorized DHCP server resides.

I tried to read the "Configuring DHCP Snooping" section of the 54xx User Guide, but did not get a clear idea. The description in that user guide seems too coarse and unintuitive for me to understand.

Does "Defining Trusted Interface" help? I think I need the "trusted port" feature. I hope only trusted ports on the 5448 can receive DHCP BOOTREPLY packets, while BOOTREPLY arriving at untrusted ports is rejected.

13 Posts

June 9th, 2013 03:00

Daniel finally figured out the missing link after some email exchange with me.

I have to add

console(config)# ip dhcp snooping vlan 1

to make it finally work -- even if I do not use VLAN yet.

Cheers.

13 Posts

May 20th, 2013 21:00

Thank you. I tried, but no effect. I need more explanation.

To verify your answer, I do the following:

  1. Reset 8448 to factory default.
  2. Plug two DHCP servers on port g1 and g5 respectively. I use the Scapy tool to verify the two DHCP servers both respond to client's DHCPDISCOVER message; they respond with DHCPOFFER. The scapy tool seems to be the most direct way to detect DHCP servers I know of. Ref: http://trac.secdev.org/scapy/wiki/IdentifyingRogueDHCPServers
  3. From the 5448's serial console, I execute the commands you suggested:

console(config)# ip dhcp snooping
console(config)# interface ethernet g1
console(config-if)# ip dhcp snooping trust
console(config-if)# exit
console(config)# exit
console# show ip dhcp snooping
DHCP snooping is Enabled
DHCP snooping is configured on following VLANs:
DHCP snooping database is Disabled
Verification of hwaddr field is Enabled
DHCP snooping file update frequency is configured to: 1200 seconds

 Interface    Trusted
----------- ------------
g1          Yes

With the above process, I hope only DHCPOFFER messages from g1 can pass through.

However, when I launch the Scapy script to check again, I still get responses from BOTH DHCP servers.

Could you explain what's the problem here?

BTW: the PowerConnect 5448 version is:

*** Running SW Ver. 2.0.0.35 Date 27-Jan-2009 Time 18:13:34 ***
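As an added illustration (not Dell firmware code and not part of the original posts), the following Python model shows why the configuration above let both DHCPOFFERs through and why the later fix, `ip dhcp snooping vlan 1`, changes the outcome. It parses a raw DHCP payload to find the BOOTP `op` field and the message-type option, then applies a simplified snooping decision: if snooping is not active on the frame's VLAN, nothing is filtered; if it is active, a BOOTREPLY arriving on an untrusted port is dropped. The port names g1/g5, VLAN 1 and the DHCP payloads are constructed for the demonstration, and the switch's other snooping checks (MAC verification, binding database) are left out.

```python
# Added example: a small model of DHCP snooping's BOOTREPLY filtering.
# It is not Dell's implementation; port names, VLAN id and packets are constructed.
from dataclasses import dataclass, field

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header


def parse_dhcp(payload: bytes):
    """Return (op, message_type) from a raw DHCP payload (BOOTP header + options)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    op = payload[0]
    msg_type = None
    i = 240
    while i < len(payload):
        tag = payload[i]
        if tag == 0:          # pad option, single byte
            i += 1
            continue
        if tag == 255:        # end option
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if tag == 53 and length == 1:   # DHCP Message Type
            msg_type = value[0]
        i += 2 + length
    return op, msg_type


@dataclass
class SnoopingConfig:
    enabled: bool = False                          # "ip dhcp snooping"
    vlans: set = field(default_factory=set)        # "ip dhcp snooping vlan N"
    trusted_ports: set = field(default_factory=set)  # "ip dhcp snooping trust"


def forward_decision(cfg: SnoopingConfig, ingress_port: str, vlan: int, payload: bytes) -> str:
    """Return 'forward' or 'drop' for a DHCP frame arriving on ingress_port in vlan."""
    op, _ = parse_dhcp(payload)
    if not cfg.enabled or vlan not in cfg.vlans:
        return "forward"      # snooping is not active on this VLAN: nothing is filtered
    if op == BOOTREPLY and ingress_port not in cfg.trusted_ports:
        return "drop"         # a server reply arriving on an untrusted port
    return "forward"          # client requests and replies on trusted ports pass


def build_dhcp(op: int, msg_type: int) -> bytes:
    """Construct a minimal DHCP payload (constructed test data, not a capture)."""
    header = bytearray(236)
    header[0] = op
    header[1] = 1             # htype: Ethernet
    header[2] = 6             # hlen
    options = bytes([53, 1, msg_type, 255])
    return bytes(header) + MAGIC + options


def demo():
    """Compare the thread's first configuration with the one that includes the VLAN line."""
    offer = build_dhcp(BOOTREPLY, DHCPOFFER)
    # Configuration as shown in the post: snooping on, g1 trusted, no VLAN enabled.
    before = SnoopingConfig(enabled=True, vlans=set(), trusted_ports={"g1"})
    # After adding "ip dhcp snooping vlan 1".
    after = SnoopingConfig(enabled=True, vlans={1}, trusted_ports={"g1"})
    return {
        "before": {p: forward_decision(before, p, 1, offer) for p in ("g1", "g5")},
        "after": {p: forward_decision(after, p, 1, offer) for p in ("g1", "g5")},
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

With the first configuration both ports forward the DHCPOFFER, matching the observation that both servers still answered; once VLAN 1 is enabled, only the trusted port g1 passes it. A client DHCPDISCOVER (a BOOTREQUEST) is forwarded from either port in both cases, which is the behaviour a trusted/untrusted split is meant to give.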


13 Posts

May 21st, 2013 19:00

Thanks for replying, Daniel. Since my question is clear and I have prepared a true environment to verify it, could you please consult DELL engineers who know the answer and help me out?

The "54xx System User Guide" at my hand is poor at guiding the reader towards the solution.

  • It does not concretely describe what "trusted interface" means.
    • What determines a "trusted interface"? The statement you quoted (marked red in the image below) seems to say that "trusted interface is determined by the packets received" -- ridiculous!
    • He is talking about DHCP trusted interfaces on the 5448 switch, so what does "network firewall" have to do with that?
    • What determines "within the network" or "outside the network"?

  • How does the binding database work? The user guide says nothing about it. Sigh.

To make me understand, I think it (the user guide) should explain with some concrete examples so that we can know how the settings affect DHCP packets passing through the switch.

13 Posts

May 21st, 2013 20:00

Sorry, typo fixed: "too coarse and unintuitive to understand".
