Using Dhcp Snooping - Alcatel-Lucent OmniSwitch 6850-48 Network Configuration Manual

Software release 6

Configuring DHCP Security Features

Using DHCP Snooping

Using DHCP Snooping improves network security by filtering DHCP messages received from devices
outside the network and building and maintaining a binding table (database) to track access information
for such devices.
In order to identify DHCP traffic that originates from outside the network, DHCP Snooping categorizes
ports as either trusted or untrusted. A port is trusted if it is connected to a device inside the network, such
as a DHCP server. A port is untrusted if it is connected to a device outside the network, such as a customer
switch or workstation.
Additional DHCP Snooping functionality provided includes the following:
- Layer 2 DHCP Snooping—Applies DHCP Snooping functionality to bridged DHCP client/server broadcasts without using the relay agent or requiring an IP interface on the client/server VLAN. See "Layer 2 DHCP Snooping" on page 31-24 for more information.
- IP Source Filtering—Restricts DHCP Snooping port traffic to only packets that contain the client source MAC address and IP address. The DHCP Snooping binding table is used to verify the client information for the port that is enabled for IP source filtering. See "Configuring Port IP Source Filtering" on page 31-22 for more information.
- Rate Limiting—Limits the rate of DHCP packets on the port. This functionality is achieved using the QoS application to configure ACLs for the port. See Chapter 40, "Configuring QoS," in the OmniSwitch AOS Release 6 Network Configuration Guide for more information.
When DHCP Snooping is first enabled, all ports are considered untrusted. It is important to then configure ports connected to a DHCP server inside the network as trusted ports. See "Configuring the Port Trust Mode" on page 31-21 for more information.
If a DHCP packet is received on an untrusted port, then it is considered an untrusted packet. If a DHCP packet is received on a trusted port, then it is considered a trusted packet. DHCP Snooping only filters untrusted packets and will drop such packets if one or more of the following conditions are true:
- The packet received is a DHCP server packet, such as a DHCPOFFER, DHCPACK, or DHCPNAK packet. When a server packet is received on an untrusted port, DHCP Snooping knows that it is not from a trusted server and discards the packet.
- The source MAC address of the packet and the DHCP client hardware address contained in the packet are not the same address.
- The packet is a DHCPRELEASE or DHCPDECLINE broadcast message that contains a source MAC address found in the DHCP Snooping binding table, but the interface information in the binding table does not match the interface on which the message was received.
- The packet includes a relay agent IP address that is a non-zero value.
- The packet already contains Option-82 data in the options field and the Option-82 check function is enabled. See "Bypassing the Option-82 Check on Untrusted Ports" on page 31-21 for more information.
If none of the above are true, then DHCP Snooping accepts and forwards the packet. When a DHCPACK packet is received from a server, the following information is extracted from the packet to create an entry in the DHCP Snooping binding table:
- MAC address of the DHCP client.
- IP address for the client that was assigned by the DHCP server.
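The filtering and learning rules described above, as an added Python example that is not part of the manual or of the OmniSwitch software: it parses a minimal BOOTP/DHCP payload, applies the drop conditions for untrusted packets in the order the text lists them, and creates a binding-table entry from a DHCPACK. The port names ("1/1", "1/24"), MAC addresses and the builder that assembles test packets are constructed for the example; storing the client's port in the binding, and passing that port in from the client's earlier request, are assumptions made so that the DHCPRELEASE/DHCPDECLINE interface check can be shown.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"
# DHCP message types carried in option 53 (RFC 2132)
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPDECLINE, DHCPACK, DHCPNAK, DHCPRELEASE = range(1, 8)
SERVER_TYPES = {DHCPOFFER, DHCPACK, DHCPNAK}
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255


@dataclass
class DhcpMsg:
    src_mac: bytes      # Ethernet source address of the frame carrying the message
    chaddr: bytes       # client hardware address from the BOOTP header
    yiaddr: str         # address assigned by the server
    giaddr: str         # relay agent address; non-zero only if a relay forwarded it
    msg_type: int
    has_option82: bool


@dataclass
class Binding:
    ip: str
    port: str           # interface the client was learned on (assumed field)


def build_dhcp(chaddr: bytes, msg_type: int, yiaddr: str = "0.0.0.0",
               giaddr: str = "0.0.0.0", option82: bool = False) -> bytes:
    """Assemble a minimal BOOTP/DHCP payload; used only to construct test input."""
    op = 2 if msg_type in SERVER_TYPES else 1
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x3903F326, 0, 0)   # op .. flags
    hdr += socket.inet_aton("0.0.0.0") + socket.inet_aton(yiaddr)  # ciaddr, yiaddr
    hdr += socket.inet_aton("0.0.0.0") + socket.inet_aton(giaddr)  # siaddr, giaddr
    hdr += chaddr.ljust(16, b"\0") + bytes(64) + bytes(128) + DHCP_MAGIC
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if option82:   # relay agent information with one circuit-id sub-option
        opts += bytes([OPT_RELAY_AGENT, 3, 1, 1, 0x07])
    return hdr + opts + bytes([OPT_END])


def parse_dhcp(src_mac: bytes, payload: bytes) -> DhcpMsg:
    """Extract the header fields and options that the snooping rules look at."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    hlen = payload[2]
    chaddr = payload[28:28 + hlen]
    yiaddr = socket.inet_ntoa(payload[16:20])
    giaddr = socket.inet_ntoa(payload[24:28])
    msg_type, has_82, i = 0, False, 240
    while i < len(payload) and payload[i] != OPT_END:
        code = payload[i]
        if code == 0:                # pad option carries no length byte
            i += 1
            continue
        length = payload[i + 1]
        if code == OPT_MSG_TYPE and length == 1:
            msg_type = payload[i + 2]
        elif code == OPT_RELAY_AGENT:
            has_82 = True
        i += 2 + length
    return DhcpMsg(src_mac, chaddr, yiaddr, giaddr, msg_type, has_82)


def snoop_filter(msg: DhcpMsg, port: str, trusted: bool, option82_check: bool,
                 bindings: Dict[bytes, Binding]) -> Tuple[bool, str]:
    """Apply the untrusted-port drop conditions; returns (forward, reason)."""
    if trusted:
        return True, "trusted port: packet is not filtered"
    if msg.msg_type in SERVER_TYPES:
        return False, "server message (OFFER/ACK/NAK) on an untrusted port"
    if msg.src_mac != msg.chaddr:
        return False, "frame source MAC differs from client hardware address"
    if msg.msg_type in (DHCPRELEASE, DHCPDECLINE):
        entry = bindings.get(msg.src_mac)
        if entry is not None and entry.port != port:
            return False, "RELEASE/DECLINE arrived on a port other than the bound one"
    if msg.giaddr != "0.0.0.0":
        return False, "non-zero relay agent address on an untrusted port"
    if msg.has_option82 and option82_check:
        return False, "Option-82 already present and the Option-82 check is enabled"
    return True, "accepted"


def learn_binding(ack: DhcpMsg, client_port: str,
                  bindings: Dict[bytes, Binding]) -> Optional[Binding]:
    """Create a binding from a DHCPACK: client MAC and assigned IP, plus the
    client's port (assumed to be known from the client's earlier request)."""
    if ack.msg_type != DHCPACK:
        return None
    bindings[ack.chaddr] = Binding(ack.yiaddr, client_port)
    return bindings[ack.chaddr]
```

To exercise it, build a payload with `build_dhcp`, parse it with `parse_dhcp` together with the frame's source MAC, and pass the result to `snoop_filter` with the ingress port, its trust state and the Option-82 check setting; a DHCPOFFER arriving on an untrusted port is dropped while the same message on a trusted port is forwarded, and a DHCPRELEASE is only honoured on the port recorded in the binding. Note that the example does not distinguish broadcast from unicast RELEASE/DECLINE messages, and does not model the lease time or VLAN fields a real binding entry carries.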
Configuring DHCP Relay
page 31-18 OmniSwitch AOS Release 6 Network Configuration Guide September 2009
