Introduction to IP Filtering; Configuring DHCP Snooping - H3C S5100-SI Operation Manual

Introduction to IP Filtering

A denial-of-service (DoS) attack, as the term is used here, is an attacker sending the server a large number of forged requests whose source IP addresses differ from packet to packet, so that the network can no longer work normally. The specific effects are as follows:
- The resources of the server are exhausted, so the server no longer responds to other (legitimate) requests.
- A switch that receives such packets has to send them to its CPU for processing. Too many request packets drive the CPU usage rate up, and the CPU can no longer do its normal work.
The switch can filter such invalid IP packets by checking them against the DHCP-snooping table and the IP static binding table.
DHCP-snooping table
After DHCP snooping is enabled on a switch, the switch builds a DHCP-snooping table. Each entry records the IP address a client obtained from the DHCP server, the client's MAC address, the number of the port through which the client is connected to the DHCP-snooping-enabled device, and the number of the VLAN to which that port belongs.
IP static binding table
The DHCP-snooping table only records clients that obtain their IP addresses dynamically through DHCP. If a client is configured with a fixed IP address, its IP address and MAC address never appear in the DHCP-snooping table. Consequently, that client cannot pass the IP filtering based on the DHCP-snooping table and cannot access external networks.
To solve this problem, the switch supports the configuration of static binding table entries, that is, a configured binding between an IP address, a MAC address, and the port connecting to the client, so that the client's packets are forwarded correctly.
IP filtering
The switch can filter IP packets in the following two modes:
- Filtering on the source IP address of a packet. If the source IP address together with the number of the port that received the packet matches an entry in the DHCP-snooping table or the static binding table, the switch regards the packet as valid and forwards it; otherwise, the switch drops it directly.
- Filtering on the source IP address and the source MAC address of a packet. If the source IP address, the source MAC address and the number of the port that received the packet together match an entry in the DHCP-snooping table or the static binding table, the switch regards the packet as valid and forwards it; otherwise, the switch drops it directly.

Configuring DHCP Snooping

Follow these steps to configure DHCP snooping:

To do...                  Use the command...   Remarks
Enter system view         system-view          -
Enable DHCP snooping      dhcp-snooping        Required. By default, the DHCP snooping function is disabled.


This manual is also suitable for: H3C S5100-EI