Chapter 13 DHCP Snooping Configuration; Introduction to DHCP Snooping; DHCP Snooping Configuration; DHCP Snooping Configuration Task Sequence - Edge-Core ES4624-SFP Manual

L3 gigabit ethernet switch

Chapter 13 DHCP Snooping Configuration

13.1 Introduction to DHCP Snooping

DHCP Snooping can effectively block attacks from fake DHCP servers.

Defense against fake DHCP servers: once the switch intercepts DHCP server reply packets (including DHCPOFFER, DHCPACK, and DHCPNAK), it raises an alarm and responds according to the situation (shut down the port or send Blackhole).

Defense against DHCP overload attacks: to keep too many DHCP messages from attacking the CPU, users should limit the rate at which DHCP packets are received on trusted and non-trusted ports.

Record DHCP binding data: while forwarding DHCP messages, DHCP Snooping records the binding data allocated by the DHCP server. It can also upload the binding data to a specified server for backup. The binding data is mainly used to configure the dynamic users of dot1x user-based ports. Refer to the chapter called "dot1x configuration" for more about the usage of dot1x user-based mode.

Add binding ARP: after capturing binding data, DHCP Snooping can add static binding ARP entries according to that data, thus avoiding ARP cheating.

Add trusted users: after capturing binding data, DHCP Snooping can add trusted user list entries according to the parameters in the binding data, so that these users can access all resources without DOT1X authentication.

Automatic recovery: some time after the switch shuts down the port or sends Blackhole, it should automatically recover communication for the port or source MAC and send information to the Log Server via syslog.

LOG function: when the switch discovers abnormal received packets or recovers automatically, it should send syslog information to the Log Server.
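The fake-server defense and the binding record described above can be modelled in a few lines. This is an added example, not code from the manual or the switch firmware; it assumes that server replies are acceptable only on trusted ports, and the names `Snooper`, `parse_dhcp` and `sample` are hypothetical.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie
SERVER_REPLIES = {2: "DHCPOFFER", 5: "DHCPACK", 6: "DHCPNAK"}

def parse_dhcp(p):
    """Return (message type, client MAC, yiaddr, lease seconds) from a DHCP payload."""
    if len(p) < 240 or p[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    mac = p[28:28 + min(p[2], 16)].hex(":")      # chaddr, hlen bytes
    ip = ".".join(map(str, p[16:20]))            # yiaddr
    mtype, lease, i = None, None, 240
    while i < len(p) and p[i] != 255:            # 255 = end option
        if p[i] == 0:                            # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(p) or i + 2 + p[i + 1] > len(p):
            raise ValueError("truncated option")
        code, val = p[i], p[i + 2:i + 2 + p[i + 1]]
        if code == 53 and len(val) == 1:         # option 53: message type
            mtype = val[0]
        elif code == 51 and len(val) == 4:       # option 51: lease time
            lease = struct.unpack("!I", val)[0]
        i += 2 + len(val)
    return mtype, mac, ip, lease

class Snooper:
    def __init__(self, trusted_ports, action="shutdown"):
        self.trusted, self.action = set(trusted_ports), action
        self.client_port, self.bindings, self.alarms = {}, {}, []
    def handle(self, port, payload):
        mtype, mac, ip, lease = parse_dhcp(payload)
        if mtype in SERVER_REPLIES:
            if port not in self.trusted:         # fake server: alarm and act
                self.alarms.append((port, SERVER_REPLIES[mtype], self.action))
                return "drop"
            if mtype == 5 and mac in self.client_port:   # record binding on ACK
                self.bindings[mac] = (ip, self.client_port[mac], lease)
        else:
            self.client_port[mac] = port         # remember the client's port
        return "forward"

def sample(mtype, mac, yiaddr="0.0.0.0", lease=None):  # constructed payload, not captured traffic
    p = bytearray(236)
    p[0], p[1], p[2] = (2 if mtype in SERVER_REPLIES else 1), 1, 6
    p[16:20] = bytes(map(int, yiaddr.split(".")))
    p[28:34] = bytes.fromhex(mac.replace(":", ""))
    opts = bytes([53, 1, mtype]) + (b"\x33\x04" + struct.pack("!I", lease) if lease else b"")
    return bytes(p) + MAGIC + opts + b"\xff"
```

Each entry in `alarms` corresponds to an event the switch would report to the Log Server, and each entry in `bindings` is the MAC, IP, port and lease data that the binding ARP and trusted-user functions build on.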

13.2 DHCP Snooping Configuration

13.2.1 DHCP Snooping Configuration Task Sequence

1. Enable DHCP Snooping
2. Enable DHCP Snooping binding function
3. Enable DHCP Snooping binding ARP function
4. Set helper server address

This manual is also suitable for: ES4626-SFP
