Table of Contents
Advertisement
| Security Measures
C
13
HAPTER
DHCP Snooping
If the DHCP packet is from a client, such as a DECLINE or
■
RELEASE message, the switch forwards the packet only if the
corresponding entry is found in the binding table.
If the DHCP packet is from a client, such as a DISCOVER,
■
REQUEST, INFORM, DECLINE or RELEASE message, the packet
is forwarded if MAC address verification is disabled. However, if
MAC address verification is enabled, then the packet will only be
forwarded if the client's hardware address stored in the DHCP
packet is the same as the source MAC address in the Ethernet
header.
If the DHCP packet is not a recognizable type, it is dropped.
■
If a DHCP packet from a client passes the filtering criteria above, it
■
will only be forwarded to trusted ports in the same VLAN.
If a DHCP packet is from server is received on a trusted port, it will
■
be forwarded to both trusted and untrusted ports in the same VLAN.
If the DHCP snooping is globally disabled, all dynamic bindings are
■
removed from the binding table.
Additional considerations when the switch itself is a DHCP client –
■
The port(s) through which the switch submits a client request to the
DHCP server must be configured as trusted. Note that the switch
will not add a dynamic entry for itself to the binding table when it
receives an ACK message from a DHCP server. Also, when the
switch sends out DHCP client packets for itself, no filtering takes
place. However, when the switch receives any messages from a
DHCP server, any packets received from untrusted ports are
dropped.
DHCP Snooping Option 82
DHCP provides a relay mechanism for sending information about its
◆
DHCP clients or the relay agent itself to the DHCP server. Also known as
DHCP Option 82, it allows compatible DHCP servers to use the
information when assigning IP addresses, or to set other services or
policies for clients. It is also an effective tool in preventing malicious
network attacks from attached clients on DHCP services, such as IP
Spoofing, Client Identifier Spoofing, MAC Address Spoofing, and
Address Exhaustion.
DHCP Snooping must be enabled for Option 82 information to be
◆
inserted into request packets.
When the DHCP Snooping Information Option 82 is enabled, the
◆
requesting client (or an intermediate relay agent that has used the
information fields to describe itself) can be identified in the DHCP
request packets forwarded by the switch and in reply packets sent back
from the DHCP server. This information may specify the MAC address or
IP address of the requesting device (that is, the switch in this context).
By default, the switch also fills in the Option 82 circuit-id field with
information indicating the local interface over which the switch received
– 410 –
- Quick Links:
- Connecting to the Switch
- Console Connection
Hide quick links:
Advertisement
Chapters
Table of Contents
