Chapter 31 Dhcp Snooping Configuration; Introduction To Dhcp Snooping - Planet XGS3-42000R User Manual

4-slot Layer 3 IPv6/IPv4 routing chassis switch

Chapter 31 DHCP Snooping Configuration

31.1 Introduction to DHCP Snooping

DHCP Snooping means that the switch monitors the address-assignment process of DHCP clients by inspecting the DHCP protocol messages that pass through it. It defends against DHCP attacks and illegal (rogue) DHCP servers by dividing ports into trust ports and untrust ports. DHCP messages received on trust ports are forwarded without being verified. In a typical deployment, trust ports connect to the DHCP server or a DHCP relay agent, and untrust ports connect to DHCP clients. The switch forwards DHCP request messages received on untrust ports but not DHCP reply messages. If a DHCP reply message is received on an untrust port, the switch raises an alarm and, depending on the configuration, also takes a designated action on that port, such as "shutdown" or applying a "blackhole". If DHCP Snooping binding is enabled, the switch saves the binding information (MAC address, IP address, IP lease, VLAN number and port number) of each DHCP client on untrust ports in the DHCP snooping binding table. With this information, DHCP Snooping can cooperate with modules such as dot1x and ARP, or implement user access control on its own.
Defense against fake DHCP servers: once the switch intercepts DHCP server reply packets (DHCPOFFER, DHCPACK or DHCPNAK) on an untrust port, it raises an alarm and responds according to the configuration (shuts down the port or applies a blackhole).
Defense against DHCP overload attacks: to keep floods of DHCP messages from overwhelming the CPU, users should limit the rate at which DHCP packets are accepted on both trusted and untrusted ports.
Recording of DHCP binding data: DHCP snooping records the binding data allocated by the DHCP server while forwarding DHCP messages, and can also upload the binding data to a specified server for backup. The binding data is mainly used to configure the dynamic users of dot1x user-based ports. Please refer to the chapter "dot1x configuration" for more about the usage of dot1x user-based mode.
Adding binding ARP: after capturing binding data, DHCP snooping can add static ARP bindings derived from it, which prevents ARP spoofing.
Adding trusted users: after capturing binding data, DHCP snooping can add trusted-user list entries based on the parameters in the binding data, so that these users can access all resources without dot1x authentication.
Automatic recovery: some time after the switch shuts down a port or applies a blackhole, it automatically restores communication for that port or source MAC and reports the event to the log server via syslog.
Log function: when the switch detects abnormal received packets or performs an automatic recovery, it sends syslog information to the log server.
Encryption of private messages: communication between the switch and the internal network security management system TrustView uses private messages, and users can encrypt version 2 of these messages.
Option 82 function: used together with the dot1x dhcpoption82 authentication mode. Different option 82 contents are added to DHCP messages according to the user's authentication status.
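The forwarding rules, the rogue-server action, the binding table, the rate limit and the automatic recovery described above, modelled in Python as an added example. This is not the switch's firmware or its CLI, and the manual does not show this code: the message types are the RFC 2132 option 53 values, while the port names, MAC addresses, the 50 pps rate limit and the 30-second recovery time are assumptions chosen for the example. The traffic in demo() is constructed.

```python
from dataclasses import dataclass

# DHCP message types: RFC 2132 option 53 values
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MSGS = {OFFER, ACK, NAK}          # legitimate only when arriving on a trust port


@dataclass
class DhcpFrame:
    src_mac: str               # Ethernet source of the frame (the sender)
    msg_type: int
    chaddr: str                # client hardware (MAC) address inside the DHCP payload
    yiaddr: str = "0.0.0.0"    # address the server assigns (OFFER/ACK)
    lease: int = 0             # option 51, seconds


@dataclass
class Binding:                 # one row of the DHCP snooping binding table
    mac: str
    ip: str
    lease: int
    vlan: int
    port: str


@dataclass
class Port:
    name: str
    vlan: int
    trusted: bool
    limit_pps: int = 50        # assumed per-port DHCP packet budget per second
    state: str = "up"          # "up" or "shutdown"
    _sec: int = -1
    _count: int = 0

    def over_limit(self, now: int) -> bool:
        """Count DHCP frames in the current one-second window."""
        if now != self._sec:
            self._sec, self._count = now, 0
        self._count += 1
        return self._count > self.limit_pps


class DhcpSnooping:
    def __init__(self, ports, action="shutdown", recovery=30):
        assert action in ("shutdown", "blackhole")
        self.ports = {p.name: p for p in ports}
        self.action = action
        self.recovery = recovery              # seconds until automatic recovery
        self.bindings: dict[str, Binding] = {}
        self.blackhole: dict[str, int] = {}   # blocked source MAC -> release time
        self.shut: dict[str, int] = {}        # shut-down port -> re-enable time
        self.pending: dict[str, str] = {}     # client MAC -> untrust ingress port
        self.syslog: list[str] = []

    def receive(self, port_name: str, f: DhcpFrame, now: int = 0) -> str:
        """Return 'forward' or 'drop' for a DHCP frame arriving on port_name."""
        self.tick(now)
        p = self.ports[port_name]
        if p.state == "shutdown" or f.src_mac in self.blackhole:
            return "drop"
        if p.over_limit(now):                 # overload defense, trust and untrust ports alike
            self.syslog.append(f"t={now} {p.name}: DHCP rate limit exceeded")
            return "drop"
        if p.trusted:                         # trust port: forward unverified, learn bindings
            if f.msg_type == ACK:
                self._bind(f)
            return "forward"
        if f.msg_type in SERVER_MSGS:         # reply on an untrust port: fake server
            self._fake_server(p, f, now)
            return "drop"
        if f.msg_type in (DISCOVER, REQUEST):
            self.pending[f.chaddr] = p.name   # remember which untrust port the client is on
        elif f.msg_type in (RELEASE, DECLINE):
            self.bindings.pop(f.chaddr, None)
        return "forward"

    def _bind(self, f: DhcpFrame) -> None:
        port = self.pending.get(f.chaddr)
        if port is None:                      # no request seen from an untrust port
            return
        self.bindings[f.chaddr] = Binding(f.chaddr, f.yiaddr, f.lease, self.ports[port].vlan, port)

    def _fake_server(self, p: Port, f: DhcpFrame, now: int) -> None:
        self.syslog.append(f"t={now} {p.name}: DHCP reply type {f.msg_type} from {f.src_mac} on untrust port")
        if self.action == "shutdown":
            p.state = "shutdown"
            self.shut[p.name] = now + self.recovery
        else:
            self.blackhole[f.src_mac] = now + self.recovery

    def tick(self, now: int) -> None:
        """Automatic recovery: lift actions whose recovery time has elapsed and log it."""
        for name, t in list(self.shut.items()):
            if now >= t:
                self.ports[name].state = "up"
                del self.shut[name]
                self.syslog.append(f"t={now} {name}: port recovered")
        for mac, t in list(self.blackhole.items()):
            if now >= t:
                del self.blackhole[mac]
                self.syslog.append(f"t={now} {mac}: blackhole released")


def demo():
    """Constructed traffic: a legitimate lease via eth0/eth1 and a rogue server on eth2."""
    snoop = DhcpSnooping([Port("eth0", 10, trusted=True), Port("eth1", 10, trusted=False),
                          Port("eth2", 10, trusted=False)], action="shutdown", recovery=30)
    client, server, rogue = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:01", "cc:cc:cc:00:00:01"
    events = [
        ("eth1", DhcpFrame(client, DISCOVER, client), 0),
        ("eth0", DhcpFrame(server, OFFER, client, "10.0.0.5", 3600), 0),
        ("eth1", DhcpFrame(client, REQUEST, client), 1),
        ("eth0", DhcpFrame(server, ACK, client, "10.0.0.5", 3600), 1),
        ("eth2", DhcpFrame(rogue, OFFER, client, "10.0.0.99", 3600), 2),   # rogue reply
        ("eth2", DhcpFrame(rogue, ACK, client, "10.0.0.99", 3600), 3),     # port already shut
        ("eth2", DhcpFrame(client, DISCOVER, client), 40),                  # after recovery
    ]
    decisions = [snoop.receive(port, f, t) for port, f, t in events]
    return snoop, decisions


if __name__ == "__main__":
    s, d = demo()
    print(d, s.bindings, s.syslog, sep="\n")
```

The binding is learned from the DHCPACK on the trust port, but the port and VLAN recorded are those of the untrust port where the client's REQUEST was seen, which is why the model keeps the pending map; a real switch has the same problem of attributing a server reply to the right client port.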