Ip Dhcp Snooping; Ip Dhcp Snooping Trust; Ipv6 Dhcp Snooping; Ipv6 Dhcp Snooping Trust - Dell Force10 Z9000 Configuration Manual
Hide thumbs
Also See for Force10 Z9000:
- Reference manual (1483 pages) ,
- Configuration manual (984 pages) ,
- Manual (56 pages)
Table of Contents
Advertisement
When you enable DHCP snooping, the relay agent builds a binding table — using DHCPACK messages — containing the client MAC
address, IP addresses, IP address lease time, port, VLAN ID, and binding type. Every time the relay agent receives a DHCPACK on a
trusted port, it adds an entry to the table.
The relay agent checks all subsequent DHCP client-originated IP traffic (DHCPRELEASE, DHCPNACK, and DHCPDECLINE) against
the binding table to ensure that the MAC-IP address pair is legitimate and that the packet arrived on the correct port. Packets that
do not pass this check are forwarded to the server for validation. This checkpoint prevents an attacker from spoofing a client and
declining or releasing the real client's address. Server-originated packets (DHCPOFFER, DHCPACK, and DHCPNACK) that arrive on
a not trusted port are also dropped. This checkpoint prevents an attacker from acting as an imposter as a DHCP server to facilitate a
man-in-the-middle attack.
Binding table entries are deleted when a lease expires, or the relay agent encounters a DHCPRELEASE, DHCPNACK, or
DHCPDECLINE.
Dell Networking OS Behavior: Introduced in Dell Networking OS version 7.8.1.0, DHCP snooping was available for Layer 3 only and
dependent on DHCP relay agent (ip helper-address). Dell Networking OS version 8.2.1.0 extends DHCP snooping to Layer 2
and you do not have to enable relay agent to snoop on Layer 2 interfaces.
Dell Networking OS Behavior: Binding table entries are deleted when a lease expires or when the relay agent encounters a
DHCPRELEASE. Line cards maintain a list of snooped VLANs. When the binding table is exhausted, DHCP packets are dropped on
snooped VLANs, while these packets are forwarded across non-snooped VLANs. Because DHCP packets are dropped, no new IP
address assignments are made. However, DHCPRELEASE and DHCPDECLINE packets are allowed so that the DHCP snooping table
can decrease in size. After the table usage falls below the maximum limit of 4000 entries, new IP address assignments are allowed.
NOTE: DHCP server packets are dropped on all not trusted interfaces of a system configured for DHCP snooping. To
prevent these packets from being dropped, configure ip dhcp snooping trust on the server-connected port.
Enabling DHCP Snooping
To enable DHCP snooping, use the following commands.
1.
Enable DHCP snooping globally.
CONFIGURATION mode
ip dhcp snooping
2.
Specify ports connected to DHCP servers as trusted.
INTERFACE mode
ip dhcp snooping trust
3.
Enable DHCP snooping on a VLAN.
CONFIGURATION mode
ip dhcp snooping vlan name
Enabling IPv6 DHCP Snooping
To enable IPv6 DHCP snooping, use the following commands.
1.
Enable IPv6 DHCP snooping globally.
CONFIGURATION mode
ipv6 dhcp snooping
2.
Specify ports connected to IPv6 DHCP servers as trusted.
INTERFACE mode
ipv6 dhcp snooping trust
3.
Enable IPv6 DHCP snooping on a VLAN or range of VLANs.
Dynamic Host Configuration Protocol (DHCP)
231
Advertisement
Table of Contents
Troubleshooting
