3-4
Sub-option configuration The DHCP-Snooping device will …
Circuit ID sub-option is
configured.
Forward the packet after adding Option 82 with the configured circuit
ID sub-option in ASCII format.
Remote ID sub-option is
configured.
Forward the packet after adding Option 82 with the configured remote
ID sub-option in ASCII format.
The circuit ID and remote ID sub-options in Option 82, which can be configured simultaneously or
separately, are independent of each other in terms of configuration sequence.
When the DHCP snooping device receives a DHCP response packet from the DHCP server, the DHCP
snooping device will delete the Option 82 field, if contained, before forwarding the packet, or will directly
forward the packet if the packet does not contain the Option 82 field.
Overview of IP Filtering
A denial-of-service (DoS) attack means an attempt of an attacker sending a large number of forged
address requests with different source IP addresses to the server so that the network cannot work
normally. The specific effects are as follows:
z The resources on the server are exhausted, so the server does not respond to other requests.
z After receiving such type of packets, a switch needs to send them to the CPU for processing. Too
many request packets cause high CPU usage rate. As a result, the CPU cannot work normally.
z The switch can filter invalid IP packets through the DHCP-snooping table and IP static binding
table.
DHCP-snooping table
After DHCP snooping is enabled on a switch, a DHCP-snooping table is generated. It is used to record
IP addresses obtained from the DHCP server, MAC addresses, the number of the port through which a
client is connected to the DHCP-snooping-enabled device, and the number of the VLAN to which the
port belongs to. These records are saved as entries in the DHCP-snooping table.
IP static binding table
The DHCP-snooping table only records information about clients that obtains IP address dynamically
through DHCP. If a fixed IP address is configured for a client, the IP address and MAC address of the
client cannot be recorded in the DHCP-snooping table. Consequently, this client cannot pass the IP
filtering of the DHCP-snooping table, thus it cannot access external networks.
To solve this problem, the switch supports the configuration of static binding table entries, that is, the
binding relationship between IP address, MAC address, and the port connecting to the client, so that
packets of the client can be correctly forwarded.
IP filtering
The switch can filter IP packets in the following two modes:
To Next Page
Loading...