14.1.2 Understanding DHCP Snooping
DHCP Snooping monitors users by snooping the DHCP packets exchanged between the client and
the server. It can also filter DHCP packets and, when configured properly, block illegal
(rogue) DHCP servers. Some terms and functions used in DHCP Snooping are explained
below:
DHCP Snooping TRUST port: Because the packets a client sends to obtain an IP address
through DHCP are broadcast, an illegal server may answer them and prevent users from
obtaining an IP address, or may even be used to cheat users and steal their information. To
avoid the illegal-server problem, DHCP Snooping classifies ports into two types: TRUST ports
and UNTRUST ports. The device forwards only the DHCP Reply packets received through TRUST
ports and discards all DHCP Reply packets received through UNTRUST ports. In this way, an
illegal DHCP server can be shielded by configuring the port connected to the legal DHCP
server as a TRUST port and all other ports as UNTRUST ports.
DHCP Snooping binding database: In DHCP networks it is common for users to set their IP
addresses by themselves. This makes the network difficult to maintain, and users who obtain
IP addresses through DHCP may be unable to use the network normally because of address
conflicts. DHCP Snooping snoops the packets between the Client and the Server and combines
the IP address the user obtains, the user's MAC address, VID, port and lease into one record
entry. Together these entries form the DHCP Snooping user database, which is used with the
ARP inspection function to control users' access to the network.
DHCP Snooping checks the validity of the DHCP packets that pass through the device, discards
illegal DHCP packets, and records user information to create a DHCP Snooping binding
database that ARP inspection can query. The following DHCP packets are considered illegal:
1. DHCP reply packets received through UNTRUST ports, including DHCPACK, DHCPNAK,
DHCPOFFER, etc.
2. When MAC check is enabled, packets whose Ethernet source MAC address differs from the
client hardware address field in the DHCP packet.
3. DHCPRELEASE packets whose user information is present in the DHCP Snooping binding
database but whose ingress port is inconsistent with the port information stored in that
binding entry.
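As an added illustration (not the manual's or vendor's own code), the following Python model applies the TRUST/UNTRUST port check, the three illegal-packet rules above and the binding-database maintenance to a constructed DHCP exchange; the port names, MAC address, lease value and the packet-dict layout are assumptions made for the example.

```python
REPLY_TYPES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}   # server -> client messages

class DhcpSnooper:
    def __init__(self, trusted_ports, mac_check=True):
        self.trusted = set(trusted_ports)
        self.mac_check = mac_check
        self.bindings = {}   # client MAC -> {ip, mac, vlan, port, lease}
        self.pending = {}    # client MAC -> (port, vlan) of the outstanding request

    def process(self, pkt):
        """Return 'forward' or 'drop' for one packet and update the binding database."""
        mtype, port, mac = pkt["type"], pkt["port"], pkt["chaddr"]
        if mtype in REPLY_TYPES:
            if port not in self.trusted:          # rule 1: replies only via TRUST ports
                return "drop"
            if mtype == "DHCPACK" and mac in self.pending:
                cport, cvlan = self.pending.pop(mac)   # bind to the client's own port/VLAN
                self.bindings[mac] = {"ip": pkt["yiaddr"], "mac": mac, "vlan": cvlan,
                                      "port": cport, "lease": pkt["lease"]}
            return "forward"
        if self.mac_check and pkt["src_mac"] != mac:   # rule 2: chaddr must match source MAC
            return "drop"
        if mtype == "DHCPRELEASE":                    # rule 3: release must come from bound port
            entry = self.bindings.get(mac)
            if entry is not None and entry["port"] != port:
                return "drop"
            self.bindings.pop(mac, None)
            return "forward"
        if mtype in ("DHCPDISCOVER", "DHCPREQUEST"):
            self.pending[mac] = (port, pkt["vlan"])   # remember where the client asked from
        return "forward"

def demo():
    """Constructed exchange: legal server on Gi0/24, client on Gi0/3, rogue server on Gi0/7."""
    s = DhcpSnooper(trusted_ports={"Gi0/24"})
    mac = "00:11:22:33:44:55"
    client = {"src_mac": mac, "chaddr": mac, "port": "Gi0/3", "vlan": 10}
    server = {"port": "Gi0/24", "chaddr": mac}
    verdicts = [
        s.process({**client, "type": "DHCPDISCOVER"}),
        s.process({**server, "type": "DHCPOFFER", "port": "Gi0/7"}),          # offer from UNTRUST port
        s.process({**server, "type": "DHCPOFFER"}),
        s.process({**client, "type": "DHCPREQUEST"}),
        s.process({**server, "type": "DHCPACK", "yiaddr": "10.1.10.50", "lease": 3600}),
        s.process({**client, "type": "DHCPDISCOVER", "src_mac": "de:ad:be:ef:00:01"}),  # chaddr mismatch
        s.process({**client, "type": "DHCPRELEASE", "port": "Gi0/9"}),        # release from wrong port
    ]
    return verdicts, s.bindings
```

The binding created by the DHCPACK records the client's ingress port (Gi0/3) and VLAN, not the TRUST port the reply arrived on, which is what later lets the release-port check and ARP inspection work.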
14.1.3 Understanding DHCP Snooping information option
Some network administrators, when managing the IP addresses of their users, want to assign
IP addresses to users according to the users' location. That is, they want to carry out IP
assignment according to information about the network device that the user connects to, so
that the switch, while performing DHCP snooping, adds device information related to the
user into the DHCP request message as a DHCP option in the manner defined by RFC3046.
The option number used is 82, and the content server that is uploaded by