Configuring DHCP Relay Configuring UDP Port Relay
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 21-16
Using DHCP Snooping
Using DHCP Snooping improves network security by filtering DHCP messages received from devices
outside the network and building and maintaining a binding table (database) to track access information
for such devices.
In order to identify DHCP traffic that originates from outside the network, DHCP Snooping categorizes
ports as either trusted or untrusted. A port is trusted if it is connected to a device inside the network, such
as a DHCP server. A port is untrusted if it is connected to a device outside the network, such as a customer
switch or workstation.
Additional DHCP Snooping functionality provided includes the following:
• Layer 2 DHCP Snooping—Applies DHCP Snooping functionality to bridged DHCP client/server
broadcasts without using the relay agent or requiring an IP interface on the client/server VLAN. See
“Layer 2 DHCP Snooping” on page 21-22 for more information.
• IP Source Filtering (Dynamic ARP Inspection - (DAI)) —Restricts DHCP Snooping port traffic to
only packets that contain the proper client source information. The DHCP Snooping binding table is
used to verify the client information for the port that is enabled for IP source filtering. See “Using
DHCP Snooping” on page 21-16 for more information.
• Rate Limiting—Limits the rate of DHCP packets on the port. This functionality is achieved using the
QoS application to configure ACLs for the port. See Chapter 26, “Configuring QoS,” in the
OmniSwitch AOS Release 8 Network Configuration Guide for more information.
When DHCP Snooping is first enabled, all ports are considered untrusted. It is important to then configure
ports connected to a DHCP server inside the network as trusted ports. See “Configuring the Port Trust
Mode” on page 21-19 for more information.
If a DHCP packet is received on an untrusted port, then it is considered an untrusted packet. If a DHCP
packet is received on a trusted port, then it is considered a trusted packet. DHCP Snooping only filters
untrusted packets and will drop such packets if one or more of the following conditions are true:
• The packet received is a DHCP server packet, such as a DHCPOFFER, DHCPACK, or DHCPNAK
packet. When a server packet is received on an untrusted port, DHCP Snooping knows that it is not
from a trusted server and discards the packet.
• The source MAC address of the packet and the DHCP client hardware address contained in the packet
are not the same address.
• The packet is a DHCPRELEASE or DHCPDECLINE broadcast message that contains a source MAC
address found in the DHCP Snooping binding table, but the interface information in the binding table
does not match the interface on which the message was received.
• The packet includes a relay agent IP address that is a non-zero value.
• The packet already contains Option-82 data in the options field and the Option-82 check function is
enabled. See “Bypassing the Option-82 Check on Untrusted Ports” on page 21-19 for more
information.
If none of the above are true, then DHCP Snooping accepts and forwards the packet. When a DHCPACK
packet is received from a server, the following information is extracted from the packet to create an entry
in the DHCP Snooping binding table:
• MAC address of the DHCP client.
• IP address for the client that was assigned by the DHCP server.
To Next Page
Loading...
