Dhcp Server; Dhcp Relay Agent; Dhcp Snooping; Chapter 20 Configuring Dhcp Feature - Cisco 2950 - Catalyst Switch Configuration Manual
Software configuration guide
Hide thumbs
Also See for 2950 - Catalyst Switch:
- Command reference manual (686 pages) ,
- Software configuration manual (674 pages) ,
- Software manual (376 pages)
Table of Contents
Advertisement
Understanding DHCP Features
DHCP Server
The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP
clients and manages them. If the DHCP server cannot give the DHCP client the requested configuration
parameters from its database, it can forward the request to one or more secondary DHCP servers defined
by the network administrator.
Note
The DHCP server feature is only available on Catalyst 2955 switches.
DHCP Relay Agent
A DHCP relay agent is a Layer 3 device that forwards DHCP packets between clients and servers. Relay
agents forward requests and replies between clients and servers when they are not on the same physical
subnet. Relay agent forwarding is different from the normal Layer 2 forwarding, in which IP datagrams
are switched transparently between networks. Relay agents receive DHCP messages and generate new
DHCP messages to send on egress interfaces.
DHCP Snooping
DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP
messages and by building and maintaining a DHCP snooping binding database, which is also referred to
as a DHCP snooping binding table.
DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. You can use DHCP
snooping to differentiate between untrusted interfaces connected to the end user and trusted interfaces
connected to the DHCP server or another switch.
Note
For DHCP snooping to function properly, all DHCP servers must be connected to the switch through
trusted interfaces.
An untrusted message is a message that is received from outside the network or firewall. When you use
DHCP snooping in a service-provider environment, an untrusted message is sent from a device that is
not in the service-provider network, such as a customer's switch. Messages from unknown devices are
untrusted because they can be sources of traffic attacks.
The DHCP snooping binding database contains the MAC address, the IP address, the lease time, the
binding type, the VLAN number, and the interface information that corresponds to the local untrusted
interfaces of a switch. It does not contain information regarding hosts interconnected with a trusted
interface.
In a service-provider network, a trusted interface is connected to a port on a device in the same network.
An untrusted interface is connected to an untrusted interface in the network or to an interface on a device
that is not in the network.
When a switch receives a packet on an untrusted interface and the interface belongs to a VLAN in which
DHCP snooping is enabled, the switch compares the source MAC address and the DHCP client hardware
address. If addresses match (the default), the switch forwards the packet. If the addresses do not match,
the switch drops the packet.
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
20-2
Chapter 20
Configuring DHCP Features
78-11380-10
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
