Table of Contents
Advertisement
Raisecom
ISCOM2600G-HI (A) Series Configuration Guide
6.3 DHCP Snooping
6.3.1 Introduction
DHCP Snooping is a security feature of DHCP with the following functions:
If a false DHCP server exists on the network, the DHCP client may obtain incorrect IP address
and network configuration parameters, but cannot communicate normally. As shown in Figure
6-9, to make DHCP client obtain the IP address from a legal DHCP server, the DHCP
Snooping security system permits you to configure an interface as the trusted interface or
untrusted interface: the trusted interface forwards DHCP packets normally; the untrusted
interface discards reply packets from the DHCP server.
Figure 6-9 DHCP Snooping
DHCP Snooping records entries through monitor request and reply packets received by the
trusted interface, including client MAC address, obtained IP address, DHCP client connected
interface and VLAN of the interface. Then implement following by the record information:
The Option field in DHCP packet records position information of DHCP clients. The
Administrator can use this Option filed to locate DHCP clients and control client security and
accounting.
If the ISCOM2600G-HI series switch is configured with DHCP Snooping to support Option
function:
Make the DHCP client obtain the IP address from a legal DHCP server.
Record mapping between DHCP client IP address and MAC address.
ARP detection: judge legality of a user that sends ARP packet and avoid ARP attack
–
from illegal users.
IP Source Guard: filter packets forwarded by interfaces by dynamically getting
–
DHCP Snooping entries to avoid illegal packets to pass the interface.
VLAN mapping: modify mapped VLAN of packets sent to users to original VLAN
–
by searching IP address, MAC address, and original VLAN information in DHCP
Snooping entry corresponding to the mapped VLAN.
Raisecom Proprietary and Confidential
Copyright © Raisecom Technology Co., Ltd.
6 DHCP
265
Advertisement
Table of Contents
