DHCP Authentication

Summary

Through the use of this functionality, the administrator can implement a permission-based access control by designating which terminals are permitted to access certain networks (registered terminals) and which terminals are not (non-registered terminals).
This enables different access rights to be assigned to each terminal: for example, registered terminals can be allowed to access all in-house and external networks, while non-registered terminals are restricted from accessing specific segments of the in-house network.

Reserving the IP address that DHCP assigns to each permitted terminal is the mechanism for granting access permission to terminals. IP addresses are reserved by registering the terminals' MAC addresses in the router in advance.
Additionally, a primary and secondary address mechanism is used to distinguish registered and unregistered terminals on the network. The single physical network to which the terminals are connected is divided into two logical networks (the primary and secondary networks), and registered terminals are separated from unregistered terminals by assigning IP addresses belonging to the primary network to registered terminals and IP addresses belonging to the secondary network to unregistered terminals.

When terminals are authenticated only by the IP addresses assigned by DHCP, there is the problem that an unregistered terminal can set a fixed IP address belonging to the primary network and thereby obtain the same network access as a registered terminal. This function solves the problem by combining DHCP reservation with Ethernet level filtering using MAC addresses: for packets sent from the primary network, packet filtering determines whether the sending terminal is registered, so unregistered terminals are prevented from communicating illegitimately from the primary network.

This functionality is realized by combining the following functions.

  • Ethernet level filtering
    • Only permitted MAC addresses are passed.
    • In addition to explicitly set MAC addresses, DHCP reservation setting information can also be specified as the match condition.
    • When DHCP reservation setting information is specified, not only the MAC address but also the IP address is checked for a match.
  • DHCP reservation limitation
    • IP address assignment can be limited to reserved clients only.
    • Even when unassigned IP addresses remain within a scope, addresses are assigned only to reserved clients.
  • Notification
    • Filtering results are notified by log display and email.
  • DHCP status display and settings change
    • Assignment status information can easily be migrated from the listing into reservation settings.
  • DHCP server and DHCP relay agent linking
    • The DHCP relay agent is notified of the DHCP scope information and address reservation information set on the DHCP server and references them during filtering.

Compatible Models & Firmware Revisions

The following models as well as firmware in the YAMAHA RT Series support DHCP authentication.

Model      Firmware
RTX5000    Rev.14.00.15 or later
FWX120     Rev.11.03.16 or later
RTX810     Rev.11.01.15 or later

Command

Ethernet Filter Configuration

[Syntax]
ethernet filter NUM KIND SRC_MAC [DST_MAC [OFFSET BYTE_LIST]]
ethernet filter NUM KIND TYPE [SCOPE] [OFFSET BYTE_LIST]
no ethernet filter NUM [KIND ...] 
[Setting Value]
  • NUM
    • Static filter number (1-100)
  • KIND
    • pass-log ... Pass if matched (recorded in the log)
    • pass-nolog ... Pass if matched (not recorded in the log)
    • reject-log ... Discard if matched (recorded in the log)
    • reject-nolog ... Discard if matched (not recorded in the log)
  • SRC_MAC
    • Source MAC address
    • XX:XX:XX:XX:XX:XX (where XX is a hexadecimal number or *)
    • * (Applied to all MAC addresses)
  • DST_MAC
    • Destination MAC address
    • Same format as the source MAC address SRC_MAC
    • Same as a single * when omitted.
  • TYPE
    • dhcp-bind ... Apply to hosts reserved by the specified DHCP scope
    • dhcp-not-bind ... Apply to hosts not reserved by the specified DHCP scope
  • SCOPE
    • DHCP scope
    • Integer, 1..65535
    • The IP addresses included in the lease range of the DHCP scope
  • OFFSET
    • Decimal value representing the offset (the byte immediately after the source MAC address of the Ethernet frame is assumed to be zero)
  • BYTE_LIST
    • Byte list of XX (two-digit hexadecimal) and * (matches any byte) values separated by commas (up to 16 items)
[Description]

Sets an Ethernet frame filter. The filters set by this command are applied to an interface with the "ethernet lan filter" command.
Normal filters are applied to the source MAC address, destination MAC address, etc., of sent and received Ethernet frames.
dhcp-bind filters are applied only to the Ethernet frames listed below; frames to which the filter does not apply are not matched by it.

For IPv4 packets that meet one of the following requirements:

  • The Ethernet type is IPv4 (0x0800).
  • In a PPPoE environment, the Ethernet type is PPPoE data frame (0x8864), and the protocol ID is IPv4 (0x0800).
  • In an 802.1Q tag VLAN environment, the TPID is 802.1Q tag (0x8100), and the Ethernet type is IPv4 (0x0800).

If the source MAC address and source IP address of an Ethernet frame are reserved in the specified DHCP scope, the frame passes through the filter.

For the following Ethernet types:

  • ARP(0x0806)
  • RARP(0x8035)
  • PPPoE discovery packet (0x8863)
  • MAC layer control packet (0x8808)

Ethernet frames whose source MAC address is reserved in the specified DHCP scope pass through the filter.

dhcp-not-bind filters are applied only to the Ethernet frames listed below; frames to which the filter does not apply are not matched by it.

  • When the Ethernet type is IPv4 (0x0800)

If the source IP address of the Ethernet frame is within the leased range of the target DHCP scope, and if the source MAC Address is not reserved in the DHCP scope in the dhcp-not-bind type filter, then it is deemed to match the filter.

Use the SCOPE parameter to specify the DHCP scope to use in dhcp-bind and dhcp-not-bind filters.

You can specify the SCOPE parameter by entering a DHCP scope number or by entering the IP address of a subnet with a defined DHCP scope. If you specify an IP address with multiple scopes, the scope with the longest netmask is selected.

If you omit the SCOPE parameter, the scope is selected from all the scopes in the specified interface.

When a dhcp-bind or dhcp-not-bind filter is specified on a router that is functioning as a DHCP relay agent, the DHCP scope and its client reservation information are obtained from the DHCP server and referred to when the filter is applied. The router obtains the DHCP scope and reservation information from the DHCP server during the relay of DHCP messages. The reservation information is written in the options field of the DHCP messages.

[Note]

When you are using the LAN division function, you need to be careful to specify filtering. Since the router internally uses 0x8100 to 0x810f for the Ethernet type, if you specify filtering of such an Ethernet frame to disable sending and receiving data, ports using the LAN division function cannot communicate.

Because dhcp-bind and dhcp-not-bind filters use the Ethernet frame's source MAC address and source IP address for filtering, you can normally only specify the "in" direction with the "ethernet lan filter" command when you use these filters. If you specify the "out" direction, the source MAC address becomes the address of the router itself, and it will not match with the DHCP reservation information or leased address.

Because the dhcp-bind filter only allows reserved clients to pass, it is typically used with pass filters. On the other hand, because the dhcp-not-bind filter discards clients that are not reserved, it is typically used with reject filters.
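As an added illustration (not Yamaha's code), the following Python models the dhcp-bind and dhcp-not-bind decision described above on constructed frames, scopes and reservations; PPPoE data frames are left out, and it assumes, as the settings examples later on this page do, that a frame matching no filter in the "in" list is discarded.

```python
"""Added example (not Yamaha code): model of the dhcp-bind / dhcp-not-bind
filter decision. Scopes, reservations and frames are constructed."""
import ipaddress
import struct
from dataclasses import dataclass, field

ETH_IPV4, ETH_ARP, ETH_RARP = 0x0800, 0x0806, 0x8035
ETH_VLAN, ETH_PPPOE_DISC, ETH_MACCTL = 0x8100, 0x8863, 0x8808
MAC_ONLY_TYPES = {ETH_ARP, ETH_RARP, ETH_PPPOE_DISC, ETH_MACCTL}   # MAC-only check

@dataclass
class Scope:
    """A DHCP scope: lease range plus reservations made with "dhcp scope bind"."""
    number: int
    lease_first: ipaddress.IPv4Address
    lease_last: ipaddress.IPv4Address
    bindings: dict = field(default_factory=dict)    # MAC -> reserved IPv4Address

    def in_lease_range(self, ip):
        return self.lease_first <= ip <= self.lease_last

@dataclass
class Filter:
    number: int
    kind: str       # pass-log | pass-nolog | reject-log | reject-nolog
    type_: str      # "dhcp-bind", "dhcp-not-bind" or "any" (models "*:*:*:*:*:* *:*:*:*:*:*")
    scope: Scope

def parse_frame(frame):
    """Return (src_mac, effective ethertype, src_ip or None) for plain IPv4 and
    802.1Q-tagged IPv4 frames; PPPoE data frames are not modelled here."""
    src_mac = frame[6:12].hex(":")
    etype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if etype == ETH_VLAN:                         # TPID 0x8100: skip TCI, read inner type
        etype = struct.unpack("!H", payload[2:4])[0]
        payload = payload[4:]
    src_ip = None
    if etype == ETH_IPV4 and len(payload) >= 20:
        src_ip = ipaddress.IPv4Address(payload[12:16])   # IPv4 source address field
    return src_mac, etype, src_ip

def dhcp_bind_matches(scope, src_mac, etype, src_ip):
    """dhcp-bind: IPv4 needs the MAC *and* its reserved IP; ARP/RARP/PPPoE
    discovery/MAC control need only a reserved MAC; anything else never matches."""
    if etype == ETH_IPV4 and src_ip is not None:
        return scope.bindings.get(src_mac) == src_ip
    if etype in MAC_ONLY_TYPES:
        return src_mac in scope.bindings
    return False

def dhcp_not_bind_matches(scope, src_mac, etype, src_ip):
    """dhcp-not-bind: IPv4 only; source IP inside the lease range, MAC not reserved."""
    if etype != ETH_IPV4 or src_ip is None:
        return False
    return scope.in_lease_range(src_ip) and src_mac not in scope.bindings

MATCHERS = {"dhcp-bind": dhcp_bind_matches,
            "dhcp-not-bind": dhcp_not_bind_matches,
            "any": lambda *_: True}

def apply_in_filters(filters, frame):
    """Evaluate an "in" filter list in order: (action, matching filter number, logged).
    Assumption: a frame that matches no filter is discarded, which is what the
    single pass-nolog dhcp-bind filter in the settings examples relies on."""
    src_mac, etype, src_ip = parse_frame(frame)
    for f in filters:
        if MATCHERS[f.type_](f.scope, src_mac, etype, src_ip):
            return ("pass" if f.kind.startswith("pass") else "reject",
                    f.number, f.kind.endswith("-log"))
    return ("reject", None, False)

def build_frame(src_mac, etype, src_ip=None, vlan_tci=None):
    """Constructed test frame: broadcast destination, optional 802.1Q tag and,
    for IPv4, a minimal 20-byte header carrying src_ip."""
    hdr = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", ""))
    if vlan_tci is not None:
        hdr += struct.pack("!HH", ETH_VLAN, vlan_tci)
    hdr += struct.pack("!H", etype)
    if etype == ETH_IPV4:
        hdr += struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                           ipaddress.IPv4Address(src_ip).packed, b"\x00" * 4)
    return hdr

# Constructed scope 1 (lease range 172.16.1.2-172.16.1.127) with one reserved terminal.
SCOPE1 = Scope(1, ipaddress.IPv4Address("172.16.1.2"), ipaddress.IPv4Address("172.16.1.127"),
               {"00:a0:de:01:02:03": ipaddress.IPv4Address("172.16.1.2")})
# "ethernet filter 1 pass-nolog dhcp-bind 1" alone: only reserved MAC+IP pairs get through.
BIND_ONLY = [Filter(1, "pass-nolog", "dhcp-bind", SCOPE1)]
# "ethernet filter 1 reject-log dhcp-not-bind 1" then "ethernet filter 2 pass-nolog *".
NOT_BIND_REJECT = [Filter(1, "reject-log", "dhcp-not-bind", SCOPE1),
                   Filter(2, "pass-nolog", "any", SCOPE1)]

if __name__ == "__main__":
    # reserved MAC using an IP other than its reservation: no filter matches, discarded
    print(apply_in_filters(BIND_ONLY, build_frame("00:a0:de:01:02:03", ETH_IPV4, "172.16.1.50")))
```

The last constructed case in the test below shows the caveat from the description: dhcp-not-bind only catches source IPs inside the lease range, so an unreserved host using an address outside that range reaches the catch-all pass filter.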

[Applicable Models]
RTX5000 RTX810 FWX120

Set the Application to the Interface

[Syntax]
ethernet INTERFACE filter DIR LIST
no ethernet INTERFACE filter DIR [LIST] 
[Setting Value]
  • INTERFACE ... LAN interface name
  • DIR
    • in ... Filtering of packets coming in from the LAN interface
    • out ... Filtering of packets output to the LAN interface
  • LIST ... Series of static filter numbers delimited by spaces (up to 100)
[Description]

Limits the types of packets that pass the LAN interface by combining with the packet filters specified by the "ethernet filter" command.

[Note]

You can specify a physical LAN interface and an interface used for the LAN division function for the LAN interface name. You can specify the VLAN interface for the interface used for the LAN division function.

[Applicable Models]
RTX5000 RTX810 FWX120

Set the DHCP Address Assignment Operation

[Syntax]
dhcp scope lease type SCOPE_NUM TYPE [fallback=FALLBACK_SCOPE_NUM]
no dhcp scope lease type SCOPE_NUM [TYPE ...]
[Setting Value]
  • SCOPE_NUM, FALLBACK_SCOPE_NUM ... Scope number (1..65535)
  • TYPE ... Assignment type
    • bind-priority ... Assign by giving priority to the reservation information
    • bind-only ... Assign based only on the reservation information
[Initial Value]
  • TYPE
    • bind-priority
[Description]
  • Control how addresses are assigned within the DHCP scope specified by the SCOPE_NUM parameter.
  • If TYPE is set to bind-priority, clients whose addresses have been reserved by the "dhcp scope bind" command get their reserved addresses assigned to them. Clients that do not have reserved addresses get the remaining unreserved IP addresses within the scope assigned to them.
  • You cannot specify a fallback option if TYPE is set to bind-priority.
  • If TYPE is set to bind-only, the operation varies depending on whether or not a fallback scope is specified as the fallback option.
  • If no fallback option is specified, clients whose addresses have been reserved by the "dhcp scope bind" command get their reserved addresses assigned to them. Clients without reserved addresses do not get addresses assigned to them even if there are unreserved addresses in the scope.
  • Described below is the operation for when TYPE is set to bind-only and a fallback scope is specified as the fallback option.
    • (1) Clients with reserved IP addresses within the scope get those addresses assigned to them.
    • (2) Clients that do not have reserved IP addresses within the scope but that do have reserved addresses within the fallback scope get their reserved fallback scope addresses assigned to them.
    • (3) For clients that do not have a reserved address within the scope or the fallback scope, the operation varies depending on how the "dhcp scope lease type" command is set.
      • (3a) If the "dhcp scope lease type" command for the fallback scope is set to bind-priority, the client gets an address from the fallback scope assigned to it as long as an address is available.
      • (3b) If the "dhcp scope lease type" command for the fallback scope is set to bind-only, the client does not get an IP address assigned to it.
  • For both cases, the lease period is determined by the DHCP scope definition.
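As an added illustration (not Yamaha's code), this Python models the assignment rules above on constructed scopes laid out like the secondary network Example 1 later on this page (scope 1 bind-only with fallback=2, scope 2 as the fallback); lease periods are not modelled.

```python
"""Added example (not Yamaha code): a model of the "dhcp scope lease type"
assignment rules. Scopes, reservations and client identifiers are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class LeaseScope:
    number: int
    lease_first: ipaddress.IPv4Address
    lease_last: ipaddress.IPv4Address
    lease_type: str = "bind-priority"               # [Initial Value]
    fallback: Optional[int] = None                  # fallback=... (bind-only only)
    bindings: dict = field(default_factory=dict)    # client id -> reserved IP ("dhcp scope bind")
    leased: dict = field(default_factory=dict)      # IP -> client id currently holding it

    def first_free_unreserved(self):
        """First address in the lease range that is neither reserved nor leased."""
        reserved = set(self.bindings.values())
        ip = self.lease_first
        while ip <= self.lease_last:
            if ip not in reserved and ip not in self.leased:
                return ip
            ip += 1
        return None

def lease_unreserved(scope, client_id):
    """bind-priority behaviour for a client without a reservation: keep an
    existing lease, otherwise hand out the first free unreserved address."""
    for ip, holder in scope.leased.items():
        if holder == client_id:
            return scope.number, ip
    ip = scope.first_free_unreserved()
    if ip is None:
        return None, None
    scope.leased[ip] = client_id
    return scope.number, ip

def assign(scopes, scope_num, client_id):
    """Return (scope number, address), or (None, None) when no address is assigned."""
    scope = scopes[scope_num]
    if scope.lease_type == "bind-priority" and scope.fallback is not None:
        raise ValueError("fallback cannot be specified with bind-priority")
    if client_id in scope.bindings:                      # (1) reserved in this scope
        return scope.number, scope.bindings[client_id]
    if scope.lease_type == "bind-priority":              # unreserved clients get the rest
        return lease_unreserved(scope, client_id)
    if scope.fallback is None:                           # bind-only without fallback
        return None, None
    fb = scopes[scope.fallback]
    if client_id in fb.bindings:                         # (2) reserved in the fallback scope
        return fb.number, fb.bindings[client_id]
    if fb.lease_type == "bind-priority":                 # (3a) fallback hands out free addresses
        return lease_unreserved(fb, client_id)
    return None, None                                    # (3b) fallback is bind-only too

def make_scopes(fallback_type="bind-priority"):
    """Constructed configuration:
       dhcp scope 1 192.168.0.2-192.168.0.5/24  (primary; bind-only fallback=2)
       dhcp scope 2 172.16.0.2-172.16.0.5/24    (secondary; lease type = fallback_type)
       dhcp scope bind 1 192.168.0.2 ethernet 00:a0:de:01:02:03"""
    a = ipaddress.IPv4Address
    s1 = LeaseScope(1, a("192.168.0.2"), a("192.168.0.5"), "bind-only", 2,
                    {"00:a0:de:01:02:03": a("192.168.0.2")})
    s2 = LeaseScope(2, a("172.16.0.2"), a("172.16.0.5"), fallback_type)
    return {1: s1, 2: s2}

if __name__ == "__main__":
    scopes = make_scopes()
    print(assign(scopes, 1, "00:a0:de:01:02:03"))   # registered terminal -> scope 1, 192.168.0.2
    print(assign(scopes, 1, "00:a0:de:11:12:13"))   # unregistered terminal -> scope 2, 172.16.0.2
    print(assign(make_scopes("bind-only"), 1, "00:a0:de:11:12:13"))   # (3b): (None, None)
```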
[Applicable Models]
RTX5000 RTX810 FWX120

Generate Reserved Settings Based on the DHCP Assignment Information

[Syntax]
dhcp convert lease to bind SCOPE_N [except] [IDX [...]] 
[Setting Value]
  • SCOPE_N ... Scope no. (1-65535)
  • IDX
    • Number ... Index numbers shown by the show status dhcp summary command (up to 100 numbers)
    • all ... All information that is assigned
    • When omitted ... same as all.
[Description]

Generates reserved settings based on the current assignment information. If the except keyword is specified, information other than the specified number is applied to the reserved settings.

[Note]

The IP address assignment information is converted to reserved settings according to the following rules.

Client ID type of the IP address      Client ID information         Reserved setting information
assignment information                (example)                     (example)
(shown by "show status dhcp")
------------------------------------  ----------------------------  -------------------------------
Client Ethernet address               00:a0:de:01:02:03             ethernet 00:a0:de:01:02:03 *1
                                                                    00:a0:de:01:02:03 *2
Client ID                             (01) 00 a0 de 01 02 03        ethernet 00:a0:de:01:02:03
                                      (01) 00 a0 de 01 02 03 04     01 00 a0 de 01 02 03 04
                                      (00) 31 32 33                 00 31 32 33

*1: If "dhcp server rfc2131 compliant on" or use-clientid is specified, IP address assignment information shown in this form is very likely the result of the ARP check. Because the Client-Identifier option is normally used for assignment, the reservation is generated in this format. However, for hosts that use a client ID different from their MAC address, the reservation produced by this automatic conversion does not work; for such hosts, the reservation must be specified manually.
*2: If "dhcp server rfc2131 compliant off" is specified or use-clientid is not specified, the chaddr field is used.

Generates reserved settings based on the assignment information at the time the command is executed. If time has passed since the summary was displayed until this conversion command was executed, you should check that the reservation of intended pairs has been created using "show config" after executing this command.
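As an added illustration (not Yamaha's code), this Python applies the conversion rules in the table above to constructed "show status dhcp summary" output and client identifier strings, producing the "dhcp scope bind" commands; the index selection and except keyword are modelled as well.

```python
"""Added example (not Yamaha code): a model of the "dhcp convert lease to bind"
conversion rules, producing "dhcp scope bind" commands from constructed
"show status dhcp summary" output and client identifiers."""
import re

MAC_RE = re.compile(r"(?:Client Ethernet address:\s*)?([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)
CLIENT_ID_RE = re.compile(r"Client ID\s*\(([0-9a-f]{2})\)((?:\s+[0-9a-f]{2})+)", re.I)
SUMMARY_RE = re.compile(r"^\s*(\d+):\s+(\d+\.\d+\.\d+\.\d+):\s+(\S+?),")

def convert_client_id(entry, rfc2131_compliant_on=True):
    """Map one client identifier as displayed by "show status dhcp" to the client
    part of a "dhcp scope bind" command, following the rules in the table."""
    m = MAC_RE.fullmatch(entry.strip())
    if m:
        mac = m.group(1).lower()
        # *1: client-ID reservations are in use, so reserve as "ethernet MAC";
        # *2: otherwise reserve on the chaddr field (bare MAC form).
        return f"ethernet {mac}" if rfc2131_compliant_on else mac
    m = CLIENT_ID_RE.fullmatch(entry.strip())
    if not m:
        raise ValueError(f"unrecognised client identifier: {entry!r}")
    type_field = m.group(1).lower()
    payload = [b.lower() for b in m.group(2).split()]
    if type_field == "01" and len(payload) == 6:        # hardware type 1 + 6-byte MAC
        return "ethernet " + ":".join(payload)
    return " ".join([type_field] + payload)             # raw hex sequence, type field first

def convert_lease_to_bind(scope_num, summary_text, indices=None, except_=False,
                          rfc2131_compliant_on=True):
    """Emit "dhcp scope bind" commands for the chosen index numbers of the summary
    (all when indices is None); except_=True inverts the selection like the keyword."""
    commands = []
    for line in summary_text.splitlines():
        m = SUMMARY_RE.match(line)
        if not m:
            continue
        idx, ip, ident = int(m.group(1)), m.group(2), m.group(3)
        if indices is not None and (idx in indices) == except_:
            continue
        commands.append(f"dhcp scope bind {scope_num} {ip} "
                        f"{convert_client_id(ident, rfc2131_compliant_on)}")
    return commands

# Constructed copy of the summary output shown in Example 3 of the settings examples.
SUMMARY = """\
DHCP scope no:  1
  1:         172.16.1.2:   00:a0:de:01:02:03, hostname_A
  2:         172.16.1.3:   00:a0:de:11:12:13, hostname_B
  3:         172.16.1.4:   00:a0:de:21:22:23, hostname_C
  4:         172.16.1.5:   00:a0:de:31:32:33, hostname_D
  5:         172.16.1.6:   00:a0:de:41:42:43, hostname_E
"""

if __name__ == "__main__":
    # equivalent of "dhcp convert lease to bind 1 1 2 3"
    for cmd in convert_lease_to_bind(1, SUMMARY, {1, 2, 3}):
        print(cmd)
```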

[Applicable Models]
RTX5000 RTX810 FWX120

Set the Mail Notification Trigger

[Syntax]
mail notify ID TEMPLATE_ID trigger backup IF_B [RANGE_B] [IF_B [RANGE_B] ...]
mail notify ID TEMPLATE_ID trigger route ROUTE [ROUTE ...]
mail notify ID TEMPLATE_ID trigger filter ethernet IF_F DIR_F [IF_F DIR_F [...]]
mail notify ID TEMPLATE_ID trigger status TYPE [TYPE [...]]
mail notify ID TEMPLATE_ID trigger intrusion IF_I [RANGE_I] DIR_I [IF_I [RANGE_I] DIR_I [...]]
no mail notify ID [...]
[Setting Value]
  • ID
    • Setup number (1..10)
  • TEMPLATE_ID
    • Template ID (1..10)
  • IF_B ... Backup interface for performing the mail notification
    • pp ... PP backup
    • lanN ... LAN backup
    • tunnel ... TUNNEL backup
  • RANGE_B
    • Interface number and range specification
    • Only pp or tunnel (*,xx-yy,zz etc)
  • ROUTE
    • Route with the netmask
  • IF_F
    • LAN interface on which the filter for performing mail notification is set
  • DIR_F ... Filter setting direction
    • in ... Receive direction
    • out ... Send direction
  • TYPE ... Information included in the mail notification
    • all ... All information
    • interface ... Interface information
    • routing ... Routing information
    • vpn ... VPN information
    • nat ... NAT information
    • firewall ... Firewall information
    • config-log ... Configuration and log information
  • IF_I ... Unauthorized access detection setup interface
    • pp ... PP interface
    • lanN(N,M,N/M) ... LAN interface
    • wan1 ... WAN interface
    • tunnel ... TUNNEL interface
    • * ... ALL interfaces
  • RANGE_I
    • Interface number and range specification
    • lan(*,x)
    • pp,tunnel(*,x,xx-yy,zz etc)
  • DIR_I ... Unauthorized access detection setup direction
    • in ... Receive direction
    • out ... Send direction
    • in/out ... Receive and send directions
[Description]

Sets the trigger operation for the mail notification. Backup, route change, Ethernet filter log display, the "mail notify status exec" command execution, and unauthorized access can be specified as triggers.

The items set by the following commands are applicable for backup and route.

  • PP backup ... "pp backup" command
  • LAN backup ... "lan backup" command
  • TUNNEL backup ... "tunnel backup" command
  • Route backup ... "ip route" command

Ethernet filters that are displayed in the log are applicable.

  • Ethernet filter ... pass-log and reject-log parameter definitions

The "mail notify status exec" command must be executed for the internal condition to be reported.
When unauthorized access detection notification is enabled, mail notifications are sent for items that are detected by the "ip INTERFACE intrusion detection" command.
In addition, mail notification settings belonging to a single template ID are processed collectively.

[Note]

RTX5000 does not support WAN interface for INTERFACE parameter.

[Example]
mail notify 1 1 trigger backup pp * lan2 lan3 tunnel 1-10,12
mail notify 2 1 trigger route 192.168.1.0/24 172.16.0.0/16
mail notify 3 1 trigger filter ethernet lan1 in
mail notify 4 1 trigger status all
mail notify 5 1 trigger intrusion lan1 in/out pp * in tunnel 1-3,5 out
[Applicable Models]
RTX5000 RTX810 FWX120

Set the Reserved DHCP Address

[Syntax]
dhcp scope bind SCOPE_NUM IP_ADDRESS [TYPE] ID
dhcp scope bind SCOPE_NUM IP_ADDRESS MAC_ADDRESS
dhcp scope bind SCOPE_NUM IP_ADDRESS ipcp
no dhcp scope bind SCOPE_NUM IP_ADDRESS
[Setting Value]
  • SCOPE_NUM ... Scope number (1..65535)
  • IP_ADDRESS
    • xxx.xxx.xxx.xxx ... IP address to be reserved (xxx is a decimal number)
    • * ... Do not specify an IP address
  • TYPE ... Determine the TYPE field of the Client-Identifier option
    • text ... 0x00
    • ethernet ... 0x01
  • ID
    • When TYPE is ethernet ... MAC Address
    • When type is text ... Text string
    • When type is omitted ... Two-digit hexadecimal sequence, the head of which is the type field.
  • MAC_ADDRESS ... xx:xx:xx:xx:xx:xx (xx is a hexadecimal number) MAC address of the reserved DHCP client
  • ipcp ... Keyword indicating that the address is provided to the remote end through IPCP
[Description]

Fixes the DHCP client to which the IP address is to be assigned.

You can also specify only the client without fixing the IP address (IP_ADDRESS = *). When deleting a reservation in this format, the client identifier cannot be omitted.

[Note]

The IP address must be within the DHCP scope range specified by the scope_num parameter. Multiple IP addresses within a DHCP scope cannot be assigned to a single MAC address. If an IP address that is being leased to another DHCP client is reserved, the IP address is assigned after the completion of the current lease.

If the "dhcp scope" command is executed, all related reservations are cleared. The ipcp designation is limited by the number of B channels that can connect simultaneously. In addition, the address granted by IPCP is selected from the scope on the LAN side.

To use the first syntax of the command, "dhcp server rfc2131 compliant" on must be specified or the use-clientid function must be enabled in advance. In addition, when "dhcp server rfc2131 compliant" off is specified or the use-clientid function is disabled, all reservations other than those specified by the second syntax of the command are cleared.

The client identifier in the first syntax of the command is set to the value sent by the client as an option. If the TYPE parameter is omitted, enter the command including the value of the TYPE field. If a keyword is specified in the TYPE parameter, the TYPE field value is uniquely determined. Thus, enter only the value of the Client-Identifier field.

The MAC address reservation using the second syntax of the command uses the chaddr field of the DHCP packet for client identification. The reservation function in this form works only if the RT is set to "dhcp server rfc2131 compliant" off, the use-clientid function is disabled, or the DHCP client does not include the Client-Identifier option in the DHCP packet.

If "dhcp server rfc2131 compliant" on or the use-clientid parameter is specified, the reservation using the second syntax of the command is invalid when the client uses the Client-Identifier option.

[Applicable Models]
RTX5000 RTX810 FWX120

Show the DHCP Server Status

[Syntax]
show status dhcp [summary] [SCOPE_N] 
[Setting Value]
  • summary ... Show a summary of the IP address assignment status of each DHCP scope
  • SCOPE_N ... Scope number (1-65535)
[Description]
  • Shows the lease status of each DHCP scope. The following items are shown.
    • Lease status of the DHCP scope
    • DHCP scope number
    • Network address
    • Assigned IP address
    • MAC address of the assigned client
    • Remaining lease time
    • Reserved (unused) IP address
    • Number of all IP addresses in the DHCP scope
    • Number of IP addresses that are excluded
    • Number of assigned IP addresses
    • Number of addresses that can be used and the number of reserved IP address in parentheses
[Applicable Models]
RTX5000 RTX810 FWX120

Settings Examples

[Settings for Primary Network Only, Example 1] Permit External Communications for Specified Terminals Only

[Summary]
  • Each terminal acquires IP address as DHCP client from router, which is DHCP server.
  • Reserve IP addresses to be given to specified terminals at DHCP server.
  • Do not give IP addresses to other than specified terminals.
  • Reject communications to outside from other than specified terminals.
[Topology Map]
               172.16.1.0/24
            +---+         |
 Terminal A | o +---------+
            +---+         |
 00:a0:de:01:02:03        |
 Give 172.16.1.2          |
                          |
            +---+         |
 Terminal B | o +---------+
            +---+         |
 00:a0:de:11:12:13        |      +----------+   To external network
 Give 172.16.1.3          +------+  Router  +---------->
                          | lan1 +----------+
            +---+         |      DHCP server
 Terminal C | o +---------+
            +---+         |
 00:a0:de:21:22:23        |
 Give 172.16.1.4          |
                          |
            +---+         |
            | x +---------+
            +---+         |
 Other access to outside prohibited
[Setting Procedure]
# ethernet filter 1 pass-nolog dhcp-bind 1
# ethernet lan1 filter in 1
# dhcp service server
# dhcp scope lease type 1 bind-only
# dhcp scope 1 172.16.1.2-172.16.1.127/24
# dhcp scope bind 1 172.16.1.2 ethernet 00:a0:de:01:02:03
# dhcp scope bind 1 172.16.1.3 ethernet 00:a0:de:11:12:13
# dhcp scope bind 1 172.16.1.4 ethernet 00:a0:de:21:22:23 
[Explanation]
  • # ethernet filter 1 pass-nolog dhcp-bind 1
    # ethernet lan1 filter in 1
    Only frames whose source MAC address and IP address match the DHCP reservation settings are passed.
  • # dhcp service server
    Enable the DHCP server function.
  • # dhcp scope lease type 1 bind-only
    Even if there are vacant IP addresses within scope 1, do not assign IP addresses to clients other than reserved clients.
  • # dhcp scope 1 172.16.1.2-172.16.1.127/24
    Set the range of addresses to be given to clients by the DHCP server.
  • # dhcp scope bind 1 172.16.1.2 ethernet 00:a0:de:01:02:03
    # dhcp scope bind 1 172.16.1.3 ethernet 00:a0:de:11:12:13
    # dhcp scope bind 1 172.16.1.4 ethernet 00:a0:de:21:22:23
    Reserve the IP address assignments for terminals A, B and C.

[Settings for Primary Network Only, Example 2] Email Notification When Communication from a Non-Permitted Terminal Is Detected

[Summary]
  • Set static filtering on LAN1 of the router.
  • If there is access from a terminal other than A/B/C, send an email notification via mx.example.co.jp.
[Topology Map]
               172.16.1.0/24
            +---+         |
 Terminal A | o +---------+
            +---+         |
 00:a0:de:01:02:03        |
                          |
            +---+         |
 Terminal B | o +---------+
            +---+         |
 00:a0:de:11:12:13        |      +----------+   To external network
                          +------+  Router  +---------->
                          | lan1 +----------+
            +---+         |         |
 Terminal C | o +---------+    -----+---+-----
            +---+         |             | mx.example.co.jp
 00:a0:de:21:22:23        |      +------+--------+
                          |      |  Mail server  |
            +---+         |      +---------------+
            | x +---------+ 
            +---+         |
 Other access to outside prohibited
[Setting Procedure]
# ethernet filter 1 pass-nolog 00:a0:de:01:02:03
# ethernet filter 2 pass-nolog 00:a0:de:11:12:13
# ethernet filter 3 pass-nolog 00:a0:de:21:22:23
# ethernet filter 100 reject-log *
# ethernet lan1 filter in 1 2 3 100
# mail server smtp 1 mx.example.co.jp
# mail template 1 1 From:filter@rtx810 To:admin@example.co.jp
# mail notify 1 1 trigger filter ethernet lan1 in 
[Explanation]
  • # ethernet filter 1 pass-nolog 00:a0:de:01:02:03
    # ethernet filter 2 pass-nolog 00:a0:de:11:12:13
    # ethernet filter 3 pass-nolog 00:a0:de:21:22:23
    Set filter definitions that allow packets from terminals A, B and C to pass.
  • # ethernet filter 100 reject-log *
    Set a filter definition that rejects all other frames and records them in the log, which is what the email notification is based on.
  • # ethernet lan1 filter in 1 2 3 100
    Apply the filter definitions to packets received on LAN1.
  • # mail server smtp 1 mx.example.co.jp
    # mail template 1 1 From:filter@rtx810 To:admin@example.co.jp
    Set the SMTP server and the header information used for the email notification.
  • # mail notify 1 1 trigger filter ethernet lan1 in
    Set the receive direction of the LAN1 filter as the trigger for the email notification.

[Settings for Primary Network Only, Example 3] Generate DHCP Reservation Setting from Current DHCP Address Assignment Information

[Summary]
  • Each terminal acquires IP address as DHCP client from router, which is DHCP server.
  • Reserve IP addresses to give to specified terminals using assignment information from a certain point.
  • Do not give IP addresses to other than specified terminals.
  • Reject communications to outside from other than specified terminals.
[Topology Map]
               172.16.1.0/24
            +---+         |
 Terminal A | o +---------+
            +---+         |
 00:a0:de:01:02:03        |
 Give 172.16.1.2          |
                          |
            +---+         |
 Terminal B | o +---------+
            +---+         |
 00:a0:de:11:12:13        |      +----------+   To external network
 Give 172.16.1.3          +------+  Router  +---------->
                          | lan1 +----------+
            +---+         |      DHCP server
 Terminal C | o +---------+
            +---+         |
 00:a0:de:21:22:23        |
 Give 172.16.1.4          |
                          |
            +---+         |
            | x +---------+
            +---+         |
 Other access to outside prohibited
[Setting Procedure]
# dhcp service server
# dhcp scope 1 172.16.1.2-172.16.1.127/24
# show status dhcp summary 1 
DHCP scope no:  1
  1:         172.16.1.2:   00:a0:de:01:02:03, hostname_A
  2:         172.16.1.3:   00:a0:de:11:12:13, hostname_B
  3:         172.16.1.4:   00:a0:de:21:22:23, hostname_C
  4:         172.16.1.5:   00:a0:de:31:32:33, hostname_D
  5:         172.16.1.6:   00:a0:de:41:42:43, hostname_E
# dhcp convert lease to bind 1 1 2 3
# dhcp scope lease type 1 bind-only
# ethernet filter 1 pass-nolog dhcp-bind 1
# ethernet lan1 filter in 1 
[Explanation]
  • # dhcp service server
    Enable the DHCP server function.
  • # dhcp scope 1 172.16.1.2-172.16.1.127/24
    Set the range of addresses to be given to clients by the DHCP server.
    Thereafter, as the individual terminals acquire IP addresses, the DHCP server holds the client assignment information.
  • # show status dhcp summary 1
    Display the summary of the IP addresses assigned to clients.
    # show status dhcp summary 1 
    DHCP scope no:  1
      1:         172.16.1.2:   00:a0:de:01:02:03, hostname_A
      2:         172.16.1.3:   00:a0:de:11:12:13, hostname_B
      3:         172.16.1.4:   00:a0:de:21:22:23, hostname_C
      4:         172.16.1.5:   00:a0:de:31:32:33, hostname_D
      5:         172.16.1.6:   00:a0:de:41:42:43, hostname_E 
    
  • # dhcp convert lease to bind 1 1 2 3
    Migrate the assignments shown as no. 1, 2 and 3 into reservation settings.
    For example, from the no. 1 assignment information the following command is generated:
    dhcp scope bind 1 172.16.1.2 ethernet 00:a0:de:01:02:03
    The reservation settings are generated from the assignment information at the moment this command is executed.
    If some time has elapsed between displaying the summary and executing the conversion command, check with "show config" after execution that reservations have been generated for the intended pairs.
  • # dhcp scope lease type 1 bind-only
    Even if there are vacant IP addresses within scope 1, do not assign IP addresses to clients other than reserved clients.
  • # ethernet filter 1 pass-nolog dhcp-bind 1
    # ethernet lan1 filter in 1
    For packets inbound from LAN1, only the packets whose source MAC address and IP address match the DHCP reservation settings are allowed to pass.

[Settings for Secondary Network Use, Example 1] Internet Access

[Summary]
  • Place registered terminals (terminal 1) in the primary network.
    • Communications from terminal 1 are not filtered.
  • Place unregistered terminals (terminal 2) in the secondary network.
    • Only the specified in-house network (192.168.100.0/24) can be accessed from terminal 2.
    • Unregistered terminals are permitted to access in-house networks only to the minimum necessary extent.
  • If an unregistered terminal (terminal 3) is connected to the primary network with a fixed IP address
    • All communications from terminal 3 are rejected.
  • Position 192.168.100.0/24 as the only network that can be accessed by unregistered terminals.
    • For example, mail and in-house web servers are set up on it, so that the minimum necessary business information and messages from the system administrator can be received.
  • Router A operates as the DHCP server.
[Topology Map]
               (primary) 192.168.0.0/24
              (secondary) 172.16.0.0/24
                         |
    +------------+       |
    | Terminal 1 +-------+
    +------------+       |
00:a0:de:01:02:03        |
 primary address         |
     (DHCP)              |
                         |
    +------------+       |
    | Terminal 2 +-------+
    +------------+       |
00:a0:de:11:12:13        |
secondary address        |        192.168.100.0/24
     (DHCP)              |               |
                         |               |
    +------------+       |               |
    | Terminal 3 +-------+               | lan3
    +------------+       |               | 192.168.100.1/24
00:a0:de:21:22:23        |            +--+-------+
  192.168.0.200          +------------+ Router A +-----------> To external network
     (Fixed IP)          |       lan1 +----------+ lan2
                          (primary) 192.168.0.1/24
                        (secondary) 172.16.0.1/24
[Setting Procedure]

(WAN Side Settings Omitted)

(Router A)

# ip lan1 address 192.168.0.1/24
# ip lan1 secondary address 172.16.0.1/24
# ip lan3 address 192.168.100.1/24
# dhcp service server
# dhcp scope 1 192.168.0.2-192.168.0.5/24
# dhcp scope 2 172.16.0.2-172.16.0.5/24
# dhcp scope bind 1 192.168.0.2 ethernet 00:a0:de:01:02:03
# dhcp scope lease type 1 bind-only fallback=2
# ip filter 1 pass-nolog 192.168.0.0/24 *
# ip lan2 secure filter out 1
# ethernet filter 1 reject-log dhcp-not-bind 192.168.0.1
# ethernet filter 2 pass-nolog *:*:*:*:*:* *:*:*:*:*:*
# ethernet lan1 filter in 1 2 
[Explanation]
  • # ip lan1 address 192.168.0.1/24
    # ip lan1 secondary address 172.16.0.1/24
    Set primary and secondary address on LAN side (lan1 port).
  • # ip lan3 address 192.168.100.1/24
    Set IP address on LAN side (lan3 port).
  • # dhcp service server
    Allow DHCP server function
  • # dhcp scope 1 192.168.0.2-192.168.0.5/24
    # dhcp scope 2 172.16.0.2-172.16.0.5/24
    Define DHCP scope for primary and secondary networks.
    Gateway parameters are omitted, so you are notified of all router IP addresses are as gateway addresses.
  • # dhcp scope bind 1 192.168.0.2 ethernet 00:a0:de:01:02:03
    Reserve terminal 1 IP address in primary network DHCP scope (DHCP scope number 1).
  • # dhcp scope lease type 1 bind-only fallback=2
    For terminals reserved in primary network DHCP scope (DHCP scope number 1), reserved addresses are assigned.
    When address assignment from Scope 1 fails, try assigning address from Scope 2.
  • # ip filter 1 pass-nolog 192.168.0.0/24 *
    # ip lan2 secure filter out 1
    Only packets from primary network are passed to external network.
  • # ethernet filter 1 reject-log dhcp-not-bind 192.168.0.1
    # ethernet filter 2 pass-nolog *:*:*:*:*:* *:*:*:*:*:*
    # ethernet lan1 filter in 1 2
    For frames arriving on lan1 from the primary network (192.168.0.0/24), those whose source MAC address is not registered with the "dhcp scope bind" command on this DHCP server are discarded and logged. This is what stops an unregistered terminal that has set a fixed primary-network address (terminal 3) from communicating.
    Frames from other than the primary network are all passed.
    Note that this check keys on the source MAC address, so a terminal that presents a registered terminal's MAC address is treated as registered.
[Reference]

To also restrict access from the secondary network (172.16.0.0/24) to the primary network (192.168.0.0/24), change the IP filter settings as follows.
The filters are evaluated in order and a packet matching none of them is dropped, so be careful not to filter out the DHCP packets that reach router A from the secondary network: filter 3 passes requests sent from 0.0.0.0 (a client that has no address yet), and filter 4 passes traffic from the secondary network to the router's own secondary address 172.16.0.1 (for example lease renewals). Filter 1 lets the secondary network reach the lan3 network 192.168.100.0/24; packets from 172.16.0.0/24 to 192.168.0.0/24 match nothing and are discarded.

# ip filter 1 pass-nolog 172.16.0.0/24 192.168.100.0/24 *
# ip filter 2 pass-nolog 192.168.0.0/24 *
# ip filter 3 pass-nolog 0.0.0.0 *
# ip filter 4 pass-nolog 172.16.0.0/24 172.16.0.1 *
# ip lan1 secure filter in 1 2 3 4 

[Settings for Secondary Network Use, Example 2] Internet VPN

[Summary]
  • Three-site topology: branch 1, branch 2 and the center.
  • Connection by Internet VPN between center and individual branches.
  • Bulk administration of terminal registrations in router at center.
  • At center and at individual branches, registered terminals (terminal A1 , terminal B1, terminal C1) are positioned on primary network.
    • Communications from registered terminals are not filtered.
  • At center and at individual branches, unregistered terminals (terminal A2, terminal B2, terminal C2) are positioned on secondary network.
    • Internal specified networks (192.168.200.0/24) cannot be accessed from unregistered terminals.
  • At center and at individual branches, when unregistered terminals (terminal A3, terminal B3, terminal C3) are placed on the primary network with fixed IP addresses
    • All communications from these terminals are rejected.
  • At center, position 192.168.200.0/24 as only network that unregistered terminals can access.
    • For example, mail and in-house web servers are set up for this, and the minimum necessary information for business and messages from system administrator can be received.
  • Router A and router B operate as relay agents
  • Router C operates as DHCP server
[Topology Map]
(p): primary
(s): secondary
                                                          (p) 192.168.0.0/24
                                                          (s) 192.168.100.0/24
                                                                     |
                                              +-------------+        |
                                              | Terminal C1 +--------+
                                              +-------------+        |
                                             00:a0:de:61:62:63       |
                                              primary address        |
                                                                     |
                                              +-------------+        |
                                              | Terminal C2 +--------+
                                              +-------------+        |
                                             00:a0:de:71:72:73       |
                                             secondary address       |
              (p) 192.168.1.0/24                  (DHCP)             |
              (s) 192.168.101.0/24                                   |
                         |                    +-------------+        |
   +-------------+       |                    | Terminal C3 +--------+
   | Terminal A1 +-------+                    +-------------+        |
   +-------------+       |                    00:a0:de:81:82:83      |
  00:a0:de:01:02:03      |                      192.168.0.200        |
   primary address       |                        (Fixed IP)         |
       (DHCP)            |                                           |
                         |                                           |
   +-------------+       |                      (p) 192.168.0.1/24   |
   | Terminal A2 +-------+                      (s) 192.168.100.1/24 |    192.168.200.0/24
   +-------------+       |                                      lan1 |           |
  00:a0:de:11:12:13      |                                     +-----+-----+     |
  secondary address      |                            (Center) | Router C  +-----+
       (DHCP)            |                                     +-----+-----+ lan3
                         |                                      lan2 |      192.168.200.1/24
   +-------------+       |                                           |
   | Terminal A3 +-------+                                           |
   +-------------+       |          (Branch 1)                 +----+---+
  00:a0:de:21:22:23      |            +----------+             |        |
    192.168.1.200        +------------+ Router A +-------------+        |
      (Fixed IP)         |       lan1 +----------+ lan2        |        |
                          (p) 192.168.1.1/24                   |        |
                          (s) 192.168.101.1/24                 |        |
                                                               |        |
                                                               |        |
                                                               |        |
              (p) 192.168.2.0/24                               |        |
              (s) 192.168.102.0/24                             |        |
                         |                                     |        |
   +-------------+       |                                     |        |
   | Terminal B1 +-------+                                     |  VPN   |
   +-------------+       |                                     | tunnel |
  00:a0:de:31:32:33      |                                     |        |
   primary address       |                                     |        |
       (DHCP)            |                                     |        |
                         |                                     |        |
   +-------------+       |                                     |        |
   | Terminal B2 +-------+                                     |        |
   +-------------+       |                                     |        |
  00:a0:de:41:42:43      |                                     |        |
  secondary address      |                                     |        |
       (DHCP)            |                                     |        |
                         |                                     |        |
   +-------------+       |                                     |        |
   | Terminal B3 +-------+                                     |        |
   +-------------+       |         (Branch 2)                  |        |
  00:a0:de:51:52:53      |            +----------+             |        |
     192.168.2.200        +------------+ Router B +-------------+        |
       (Fixed IP)         |       lan1 +----------+ lan2        |        |
                          (p) 192.168.2.1/24                   +--------+
                          (s) 192.168.102.1/24
[Setting Procedure]

(WAN Side Settings Omitted)

(Router A)

# ip lan1 address 192.168.1.1/24
# ip lan1 secondary address 192.168.101.1/24
# dhcp service relay
# dhcp relay server 192.168.0.1
# ip filter 1 pass-nolog 192.168.101.0/24 192.168.200.0/24
# ip filter 2 pass-nolog 192.168.1.0/24 *
# ip lan2 secure filter out 1 2
# ethernet filter 1 reject-log dhcp-not-bind 192.168.1.1
# ethernet filter 2 pass-nolog *:*:*:*:*:* *:*:*:*:*:*
# ethernet lan1 filter in 1 2 

(Router B)

# ip lan1 address 192.168.2.1/24
# ip lan1 secondary address 192.168.102.1/24
# dhcp service relay
# dhcp relay server 192.168.0.1
# ip filter 1 pass-nolog 192.168.102.0/24 192.168.200.0/24
# ip filter 2 pass-nolog 192.168.2.0/24 *
# ip lan2 secure filter out 1 2
# ethernet filter 1 reject-log dhcp-not-bind 192.168.2.1
# ethernet filter 2 pass-nolog *:*:*:*:*:* *:*:*:*:*:*
# ethernet lan1 filter in 1 2 

(Router C)

# ip lan1 address 192.168.0.1/24
# ip lan1 secondary address 192.168.100.1/24
# ip lan3 address 192.168.200.1/24
# dhcp service server

# dhcp scope 1 192.168.1.2-192.168.1.5/24 gateway 192.168.1.1
# dhcp scope 2 192.168.101.2-192.168.101.5/24 gateway 192.168.101.1
# dhcp scope bind 1 192.168.1.2 ethernet 00:a0:de:01:02:03
# dhcp scope lease type 1 bind-only fallback=2

# dhcp scope 3 192.168.2.2-192.168.2.5/24 gateway 192.168.2.1
# dhcp scope 4 192.168.102.2-192.168.102.5/24 gateway 192.168.102.1
# dhcp scope bind 3 192.168.2.2 ethernet 00:a0:de:31:32:33
# dhcp scope lease type 3 bind-only fallback=4

# dhcp scope 5 192.168.0.2-192.168.0.5/24 gateway 192.168.0.1
# dhcp scope 6 192.168.100.2-192.168.100.5/24 gateway 192.168.100.1
# dhcp scope bind 5 192.168.0.2 ethernet 00:a0:de:61:62:63
# dhcp scope lease type 5 bind-only fallback=6

# ip filter 1 pass-nolog 192.168.0.0/24 *
# ip lan2 secure filter out 1
# ethernet filter 1 reject-log dhcp-not-bind 192.168.0.1
# ethernet filter 2 pass-nolog *:*:*:*:*:* *:*:*:*:*:*
# ethernet lan1 filter in 1 2 
[Explanation]

(Router A)

  • # ip lan1 address 192.168.1.1/24
    # ip lan1 secondary address 192.168.101.1/24
    Set primary and secondary address on LAN side (lan1).
  • # dhcp service relay
    # dhcp relay server 192.168.0.1
    Enable operation as a DHCP relay agent.
    The center router (192.168.0.1) is designated as the DHCP server to which requests are relayed.
  • # ip filter 1 pass-nolog 192.168.101.0/24 192.168.200.0/24
    # ip filter 2 pass-nolog 192.168.1.0/24 *
    # ip lan2 secure filter out 1 2
    Of the packets from the secondary network (192.168.101.0/24), only those addressed to 192.168.200.0/24 at the center are passed out of lan2 towards the VPN.
    All packets from the primary network (192.168.1.0/24) are passed. Packets matching neither filter are dropped.
  • # ethernet filter 1 reject-log dhcp-not-bind 192.168.1.1
    # ethernet filter 2 pass-nolog *:*:*:*:*:* *:*:*:*:*:*
    # ethernet lan1 filter in 1 2
    For frames arriving from the primary network (192.168.1.0/24), those from terminals whose MAC address is not registered with the "dhcp scope bind" command on the center DHCP server are discarded and logged.
    All packets from other than primary network are passed.

(Router B)

Omitted (same as router A, with branch 2's addresses 192.168.2.1/24 and 192.168.102.1/24).

(Router C)

  • # ip lan1 address 192.168.0.1/24
    # ip lan1 secondary address 192.168.100.1/24
    Set primary and secondary address on LAN side (lan1).
  • # ip lan3 address 192.168.200.1/24
    Set IP address on LAN side (lan3).
  • # dhcp service server
    Allow DHCP server function
  • # dhcp scope 1 192.168.1.2-192.168.1.5/24 gateway 192.168.1.1
    # dhcp scope 2 192.168.101.2-192.168.101.5/24 gateway 192.168.101.1
    # dhcp scope bind 1 192.168.1.2 ethernet 00:a0:de:01:02:03
    # dhcp scope lease type 1 bind-only fallback=2
    Configure the DHCP server to serve the networks of branch 1, whose requests arrive through router A's relay.
    Define DHCP scopes for the primary and secondary networks of branch 1, and reserve the address of terminal A1 in the primary network scope. Because router C has no interface on these networks, the gateway address is specified explicitly.
    Terminals that are not reserved in the primary network scope (scope 1) are assigned addresses from the secondary network scope (scope 2).
  • # dhcp scope 3 192.168.2.2-192.168.2.5/24 gateway 192.168.2.1
    # dhcp scope 4 192.168.102.2-192.168.102.5/24 gateway 192.168.102.1
    # dhcp scope bind 3 192.168.2.2 ethernet 00:a0:de:31:32:33
    # dhcp scope lease type 3 bind-only fallback=4
    Configure branch 2 in the same way as branch 1 (scopes 3 and 4, with terminal B1 reserved in scope 3).
  • # dhcp scope 5 192.168.0.2-192.168.0.5/24 gateway 192.168.0.1
    # dhcp scope 6 192.168.100.2-192.168.100.5/24 gateway 192.168.100.1
    # dhcp scope bind 5 192.168.0.2 ethernet 00:a0:de:61:62:63
    # dhcp scope lease type 5 bind-only fallback=6
    Configure the center in the same way as branch 1 (scopes 5 and 6, with terminal C1 reserved in scope 5).
  • # ip filter 1 pass-nolog 192.168.0.0/24 *
    # ip lan2 secure filter out 1
    All packets from primary network are passed to outside.
  • # ethernet filter 1 reject-log dhcp-not-bind 192.168.0.1
    # ethernet filter 2 pass-nolog *:*:*:*:*:* *:*:*:*:*:*
    # ethernet lan1 filter in 1 2
    For frames arriving from the primary network (192.168.0.0/24), those from terminals whose MAC address is not registered with the "dhcp scope bind" command on this DHCP server are discarded and logged.
    Frames from other than the primary network are all passed.
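
To check what the three layers on this page (bind-only scopes with fallback, the dhcp-not-bind Ethernet filter and the ip filter lists) actually permit, the following is an added example: a constructed Python model, not Yamaha code, that parses the commands from Example 1 and its [Reference] filter list, and the branch 1 part of Example 2 (router A's filters and router C's scopes 1 and 2), and answers which address a terminal gets, whether its frames pass lan1, and which packets pass a filter list. The names `parse`, `lease`, `ethernet_pass`, `ip_pass` and the `EX*` tables are this example's own. Its scope-selection rule (the scope whose network contains the relay agent address, or the router's own primary address), the absence of a lease table and the handling of the all-MAC wildcard are simplifications of the model, not documented router behaviour.

```python
"""Constructed model (an added example, not Yamaha's code) of how this page's commands
combine: bind-only scopes with fallback, dhcp-not-bind, first-match ip filter lists."""
import ipaddress
import re

def net(s):  # '*' matches anything; a bare host or a prefix becomes an ip_network
    return None if s == "*" else ipaddress.ip_network(s, strict=False)

def parse(text):
    cfg = {"scopes": {}, "binds": {}, "lease": {}, "ipf": {}, "ethf": {}, "chain": {}}
    for raw in text.splitlines():
        line = re.sub(r"^\s*(?:pp\d+)?#\s*", "", raw).strip()
        if m := re.match(r"dhcp scope (\d+) (\S+)-(\S+)/(\d+)", line):
            n, lo, hi, plen = m.groups()
            cfg["scopes"][int(n)] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi),
                                     ipaddress.ip_network(f"{lo}/{plen}", strict=False))
        elif m := re.match(r"dhcp scope bind (\d+) (\S+) ethernet (\S+)", line):
            cfg["binds"].setdefault(int(m[1]), {})[m[3].lower()] = ipaddress.ip_address(m[2])
        elif m := re.match(r"dhcp scope lease type (\d+) bind-only(?: fallback=(\d+))?", line):
            cfg["lease"][int(m[1])] = int(m[2]) if m[2] else None
        elif m := re.match(r"ip filter (\d+) (pass|reject)\S* (\S+) (\S+)", line):
            cfg["ipf"][int(m[1])] = (m[2], net(m[3]), net(m[4]))
        elif m := re.match(r"ethernet filter (\d+) (pass|reject)\S* (\S+) (\S+)", line):
            cfg["ethf"][int(m[1])] = (m[2], m[3], m[4])
        elif m := re.match(r"(ip|ethernet) (\S+) (?:secure )?filter (in|out) ([\d ]+)", line):
            cfg["chain"][(m[1], m[2], m[3])] = [int(x) for x in m[4].split()]
    return cfg

def lease(server, mac, seen_from):
    """Address the server hands `mac`.  `seen_from` is the relay agent address for a
    relayed request, else the server's own primary address on the receiving LAN."""
    seen_from, mac = ipaddress.ip_address(seen_from), mac.lower()
    n = next((k for k, v in server["scopes"].items() if seen_from in v[2]), None)
    if n in server["lease"]:                  # bind-only scope
        if mac in server["binds"].get(n, {}):
            return server["binds"][n][mac]    # the reserved address
        n = server["lease"][n]                # fallback scope, or None (refuse)
    if n not in server["scopes"]:
        return None
    lo, hi, _ = server["scopes"][n]
    reserved = set(server["binds"].get(n, {}).values())
    for i in range(int(lo), int(hi) + 1):     # first free dynamic address (no lease table)
        if ipaddress.ip_address(i) not in reserved:
            return ipaddress.ip_address(i)
    return None

def ethernet_pass(router, server, iface, mac, src_ip):
    """Inbound Ethernet filter list on `iface`.  'dhcp-not-bind X' matches a frame from
    X's network whose source MAC has no 'dhcp scope bind' on the DHCP `server`."""
    src_ip, mac = ipaddress.ip_address(src_ip), mac.lower()
    for n in router["chain"].get(("ethernet", iface, "in"), []):
        action, kind, arg = router["ethf"][n]
        if kind != "dhcp-not-bind":           # the page only uses the all-MAC wildcard
            return action == "pass"
        x = ipaddress.ip_address(arg)
        for s, (_, _, network) in server["scopes"].items():
            if x in network and src_ip in network and mac not in server["binds"].get(s, {}):
                return action == "pass"       # reject-log on the page: frame dropped
    return False

def ip_pass(router, iface, direction, src, dst):
    """First matching entry decides; a packet matching no entry is dropped."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n in router["chain"][("ip", iface, direction)]:
        action, s, d = router["ipf"][n]
        if (s is None or src in s) and (d is None or dst in d):
            return action == "pass"
    return False

# Example 1 router A, with the [Reference] lan1 inbound list (commands copied from the page).
EX1_ROUTER_A = parse("""
# dhcp scope 1 192.168.0.2-192.168.0.5/24
# dhcp scope 2 172.16.0.2-172.16.0.5/24
# dhcp scope bind 1 192.168.0.2 ethernet 00:a0:de:01:02:03
# dhcp scope lease type 1 bind-only fallback=2
# ip filter 1 pass-nolog 172.16.0.0/24 192.168.100.0/24 *
# ip filter 2 pass-nolog 192.168.0.0/24 *
# ip filter 3 pass-nolog 0.0.0.0 *
# ip filter 4 pass-nolog 172.16.0.0/24 172.16.0.1 *
# ip lan1 secure filter in 1 2 3 4
# ethernet filter 1 reject-log dhcp-not-bind 192.168.0.1
# ethernet filter 2 pass-nolog *:*:*:*:*:* *:*:*:*:*:*
# ethernet lan1 filter in 1 2
""")
# Example 2: branch-1 relay router A and the branch-1 scopes of the center DHCP server C.
EX2_ROUTER_A = parse("""
# ip filter 1 pass-nolog 192.168.101.0/24 192.168.200.0/24
# ip filter 2 pass-nolog 192.168.1.0/24 *
# ip lan2 secure filter out 1 2
# ethernet filter 1 reject-log dhcp-not-bind 192.168.1.1
# ethernet filter 2 pass-nolog *:*:*:*:*:* *:*:*:*:*:*
# ethernet lan1 filter in 1 2
""")
EX2_ROUTER_C = parse("""
# dhcp scope 1 192.168.1.2-192.168.1.5/24 gateway 192.168.1.1
# dhcp scope 2 192.168.101.2-192.168.101.5/24 gateway 192.168.101.1
# dhcp scope bind 1 192.168.1.2 ethernet 00:a0:de:01:02:03
# dhcp scope lease type 1 bind-only fallback=2
""")
```

With these tables, lease() hands terminal 1's MAC 192.168.0.2 and an unknown MAC 172.16.0.2 in Example 1, and 192.168.1.2 versus 192.168.101.2 for a request relayed from 192.168.1.1 in Example 2; ethernet_pass() rejects a frame from terminal 3 (00:a0:de:21:22:23 with fixed address 192.168.0.200) while passing the registered terminal and any secondary-network terminal; and ip_pass() over the [Reference] list lets a 0.0.0.0 DHCP request and secondary-to-172.16.0.1 traffic through but drops 172.16.0.0/24 to 192.168.0.0/24. The useful exercise is to remove filter 3 or 4 from the lan1 list and watch the DHCP paths fail, which is exactly the mistake the [Reference] note warns about.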

[Settings for Secondary Network Use, Example 3] Switching Provider by Filter Routing

[Summary]
  • Place registered terminals (terminal 1) in primary network.
    • Connect terminal 1 to Internet through provider A route.
  • Place unregistered terminals (terminal 2) in secondary network.
    • Connect terminal 2 to Internet through provider B route.
  • If unregistered terminals (terminal 3) are connected to primary network by fixed IP
    • All communications from terminal 3 are rejected.
[Topology Map]
          (primary) 192.168.0.0/24
         (secondary) 172.16.0.0/24
                         |
    +------------+       |
    | Terminal 1 +-------+
    +------------+       |
  00:a0:de:01:02:03      |
   primary address       |
       (DHCP)            |
                         |            +-----> The Internet
    +------------+       |            |
    | Terminal 2 +-------+        +---+---+
    +------------+       |        | ISP A |
  00:a0:de:11:12:13      |        +---+---+
  secondary address      |            |                    +--> The Internet
       (DHCP)            |        +---+---+                |
                         |        | modem |            +---+---+
    +------------+       |        +---+---+            | ISP B |
    | Terminal 3 +-------+            |                +---+---+
    +------------+       |            | lan3               |
  00:a0:de:21:22:23      |         +--+-------+ lan2   +---+---+
    192.168.0.200        +---------+ Router A +--------+ Modem |
      (Fixed IP)         |    lan1 +----------+        +-------+
                          (primary) 192.168.0.1/24
                         (secondary) 172.16.0.1/24
[Setting Procedure]
# ip lan1 address 192.168.0.1/24
# ip lan1 secondary address 172.16.0.1/24

# dhcp service server
# dhcp scope 1 192.168.0.2-192.168.0.5/24
# dhcp scope 2 172.16.0.2-172.16.0.5/24
# dhcp scope bind 1 192.168.0.2 ethernet 00:a0:de:01:02:03
# dhcp scope lease type 1 bind-only fallback=2

# nat descriptor type 1 masquerade
# nat descriptor address inner 1 192.168.0.2-192.168.0.5
# pp select 1
pp1# pppoe use lan3
pp1# pp auth accept chap pap
pp1# pp auth myname ID_A PASSWORD_A
pp1# ppp ipcp ipaddress on
pp1# ppp ipcp msext on
pp1# ip pp nat descriptor 1
pp1# ppp lcp mru on 1454
pp1# ip pp mtu 1454
pp1# pp enable 1
pp1# pp select none

# nat descriptor type 2 masquerade
# nat descriptor address inner 2 172.16.0.2-172.16.0.5
# pp select 2
pp2# pppoe use lan2
pp2# pp auth accept chap pap
pp2# pp auth myname ID_B PASSWORD_B
pp2# ppp ipcp ipaddress on
pp2# ppp ipcp msext on
pp2# ip pp nat descriptor 2
pp2# ppp lcp mru on 1454
pp2# ip pp mtu 1454
pp2# pp enable 2
pp2# pp select none

# ip filter 1 pass-nolog 192.168.0.0/24 * * * *
# ip filter 2 pass-nolog 172.16.0.0/24 * * * *
# ip route default gateway pp 1 filter 1 pp 2 filter 2

# ethernet filter 1 reject-log dhcp-not-bind 192.168.0.1
# ethernet filter 2 pass-nolog *:*:*:*:*:* *:*:*:*:*:*
# ethernet lan1 filter in 1 2 
[Explanation]
  • # ip lan1 address 192.168.0.1/24
    # ip lan1 secondary address 172.16.0.1/24
    Set primary and secondary IP address on LAN side (lan1 port).
  • # dhcp service server
    # dhcp scope 1 192.168.0.2-192.168.0.5/24
    # dhcp scope 2 172.16.0.2-172.16.0.5/24
    # dhcp scope bind 1 192.168.0.2 ethernet 00:a0:de:01:02:03
    # dhcp scope lease type 1 bind-only fallback=2
    Set up DHCP server operation.
    Reserve terminal 1's IP address in scope 1.
    Terminals reserved in scope 1 are assigned their reserved addresses; terminals not reserved in scope 1 are assigned vacant addresses from scope 2.
  • # nat descriptor type 1 masquerade
    # nat descriptor address inner 1 192.168.0.2-192.168.0.5
    # pp select 1
    pp1# pppoe use lan3
    pp1# pp auth accept chap pap
    pp1# pp auth myname ID_A PASSWORD_A
    pp1# ppp ipcp ipaddress on
    pp1# ppp ipcp msext on
    pp1# ip pp nat descriptor 1
    pp1# ppp lcp mru on 1454
    pp1# ip pp mtu 1454
    pp1# pp enable 1
    pp1# pp select none
    Set up connection to Provider A using lan3.
  • # nat descriptor type 2 masquerade
    # nat descriptor address inner 2 172.16.0.2-172.16.0.5
    # pp select 2
    pp2# pppoe use lan2
    pp2# pp auth accept chap pap
    pp2# pp auth myname ID_B PASSWORD_B
    pp2# ppp ipcp ipaddress on
    pp2# ppp ipcp msext on
    pp2# ip pp nat descriptor 2
    pp2# ppp lcp mru on 1454
    pp2# ip pp mtu 1454
    pp2# pp enable 2
    pp2# pp select none
    Set up connection to Provider B using lan2.
  • # ip filter 1 pass-nolog 192.168.0.0/24 * * * *
    # ip filter 2 pass-nolog 172.16.0.0/24 * * * *
    # ip route default gateway pp 1 filter 1 pp 2 filter 2
    Filter routing selects the default route by source address: packets from the primary network (matching filter 1) go to pp 1 (ISP A), and packets from the secondary network (matching filter 2) go to pp 2 (ISP B).
  • # ethernet filter 1 reject-log dhcp-not-bind 192.168.0.1
    # ethernet filter 2 pass-nolog *:*:*:*:*:* *:*:*:*:*:*
    # ethernet lan1 filter in 1 2
    For frames arriving from the primary network (192.168.0.0/24), those from terminals whose MAC address is not registered with the "dhcp scope bind" command on this DHCP server are discarded and logged.
    Frames from other than the primary network are all passed.
