Enable Dchp Snooping - Dell Force10 C150 Configuration Manual
Ftos configuration guide ftos 8.4.2.7 e-series terascale, c-series, s-series (s50/s25)
Hide thumbs
Also See for Force10 C150:
- Manual (57 pages) ,
- Manual (66 pages) ,
- Quick start manual (33 pages)
Table of Contents
Advertisement
When DHCP Snooping is enabled, the relay agent builds a binding table—using DHCPACK messages—
containing the client MAC address, IP addresses, IP address lease time, port, VLAN ID, and binding type.
Every time the relay agent receives a DHCPACK on an trusted port, it adds an entry to the table.
The relay agent then checks all subsequent DHCP client-originated IP traffic (DHCPRELEASE,
DHCPNACK, and DHCPDECLINE) against the binding table to ensure that the MAC-IP address pair is
legitimate, and that the packet arrived on the correct port; packets that do not pass this check are forwarded
to the the server for validation. This check-point prevents an attacker from spoofing a client and declining
or releasing the real client's address. Server-originated packets (DHCPOFFER, DHCPACK,
DHCPNACK) that arrive on an untrusted port are also dropped. This check-point prevents an attacker
from impostering as a DHCP server to facilitate a man-in-the-middle attack.
Binding table entries are deleted when a lease expires, or the relay agent encounters a DHCPRELEASE,
DHCPNACK, DHCPDECLINE.
FTOS Behavior: Introduced in FTOS version 7.8.1.0, DHCP Snooping was available for Layer 3 only
and dependent on DHCP Relay Agent (
Snooping to Layer 2, and you do not have to enable relay agent to snoop on Layer 2 interfaces.
FTOS Behavior: Binding table entries are deleted when a lease expires or when the relay agent
encounters a DHCPRELEASE. Starting with FTOS Release 8.2.1.2, line cards maintain a list of
snooped VLANs. When the binding table is exhausted, DHCP packets are dropped on snooped
VLANs, while these packets are forwarded across non-snooped VLANs. Since DHCP packets are
dropped, no new IP address assignments are made. However, DHCPRELEASE and DHCPDECLINE
packets are allowed so that the DHCP snooping table can decrease in size. Once the table usage falls
below the maximum limit of 4000 entries, new IP address assignments are allowed.
FTOS Behavior: In 8.2.1 releases,
as well as on channel members. In subsequent releases, it is no longer necessary nor permitted to
configure port-channel members as trusted; configuring the port-channel interface alone as trusted is
sufficient, and ports must have the default configuration to be a channel members. When upgrading
q
from 8.2.1 releases, the channel-member configurations are applied first, so when the port-channel is
configured, its membership configuration is rejected, since the member ports no longer have the
default configuration. In this case, you must manually remove
members add the ports to the port-channel.
Note: DHCP server packets will be dropped on all untrusted interfaces of a system configured for DHCP
snooping. To prevent these packets from being dropped, configure
server-connected port.
Enable DCHP snooping
Step
Task
1
Enable DHCP Snooping globally.
2
Specify ports connected to DHCP servers as trusted.
3
Enable DHCP Snooping on a VLAN.
). FTOS version 8.2.1.0 extends DHCP
ip helper-address
was required on the port-channel interface
ip dhcp snooping trust
Command Syntax
ip dhcp snooping
ip dhcp snooping trust
ip dhcp snooping vlan
on the channel
ip dhcp snooping trust
ip dhcp snooping trust
Command Mode
CONFIGURATION
INTERFACE
CONFIGURATION
Dynamic Host Configuration Protocol | 323
on the
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
