Chapter 12
| Security Measures
DHCP Snooping
– 381 –
â—† Filtering rules are implemented as follows:
â–
If the global DHCP snooping is disabled, all DHCP packets are forwarded.
â–
If DHCP snooping is enabled globally, and also enabled on the VLAN where
the DHCP packet is received, all DHCP packets are forwarded for a trusted
port. If the received packet is a DHCP ACK message, a dynamic DHCP
snooping entry is also added to the binding table.
â–
If DHCP snooping is enabled globally, and also enabled on the VLAN where
the DHCP packet is received, but the port is not trusted, it is processed as
follows:
â–
If the DHCP packet is a reply packet from a DHCP server (including
OFFER, ACK or NAK messages), the packet is dropped.
â–
If the DHCP packet is from a client, such as a DECLINE or RELEASE
message, the switch forwards the packet only if the corresponding
entry is found in the binding table.
â–
If the DHCP packet is from a client, such as a DISCOVER, REQUEST,
INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC
address verification is disabled. However, if MAC address verification is
enabled, then the packet will only be forwarded if the client’s hardware
address stored in the DHCP packet is the same as the source MAC
address in the Ethernet header.
â–
If the DHCP packet is not a recognizable type, it is dropped.
â–
If a DHCP packet from a client passes the filtering criteria above, it will only
be forwarded to trusted ports in the same VLAN.
â–
If a DHCP packet is from server is received on a trusted port, it will be
forwarded to both trusted and untrusted ports in the same VLAN.
â–
If the DHCP snooping is globally disabled, all dynamic bindings are
removed from the binding table.
â–
Additional considerations when the switch itself is a DHCP client – The port(s)
through which the switch submits a client request to the DHCP server must
be configured as trusted. Note that the switch will not add a dynamic entry
for itself to the binding table when it receives an ACK message from a DHCP
server. Also, when the switch sends out DHCP client packets for itself, no
filtering takes place. However, when the switch receives any messages from
a DHCP server, any packets received from untrusted ports are dropped.
To Next Page
Loading...
Need help?
General