H3C S3100 Series User Manual

H3C S3100 Series
1057 pages
• Trusted: A trusted port is connected to an authorized DHCP server directly or indirectly. It forwards
DHCP messages to guarantee that DHCP clients can obtain valid IP addresses.
• Untrusted: An untrusted port is connected to an unauthorized DHCP server. The DHCP-ACK or
DHCP-OFFER packets received from the port are discarded, preventing DHCP clients from
receiving invalid IP addresses.
Introduction to Unauthorized DHCP Server Detection
S3100-SI series Ethernet switches do not support the DHCP snooping trusted port function due to
limited ACL resources; however, they provide the unauthorized DHCP server detection feature to guard
against network problems caused by unauthorized DHCP servers, or to prevent an attacker from posing
as a valid DHCP server and assigning IP addresses to clients.
After you enable this feature on a downstream port (which is connected to DHCP clients directly or
indirectly) of a DHCP snooping enabled switch, the switch sends a DHCP-DISCOVER message. If a
DHCP-OFFER message is received from the downstream port, an unauthorized DHCP server is
considered present, and the switch either sends a trap, or sends a trap and administratively shuts down
the port as configured.
A port that is shut down administratively is in the closed state and cannot receive or forward packets;
however, the display current-configuration command does not show this port state. To re-enable
the port, use the undo shutdown command in port view.
To prevent any unauthorized DHCP server from filtering DHCP-DISCOVER messages sent by the
DHCP snooping device, you can specify a source MAC address for such messages.
Overview of DHCP-Snooping Option 82
Introduction to Option 82
Option 82 is the relay agent information option in the DHCP message. It records the location information
of the DHCP client.
When a DHCP relay agent (or a device enabled with DHCP snooping) receives a client’s request, it
adds Option 82 to the request message and sends it to the server.
The administrator can use this information to locate the DHCP client and implement further security
control and accounting. A server that supports Option 82 can also use the information to define
individual assignment policies for IP addresses and other parameters for the clients.
Option 82 involves at most 255 sub-options. If Option 82 is defined, at least one sub-option must be
defined. Currently the DHCP relay agent supports two sub-options: sub-option 1 (circuit ID sub-option)
and sub-option 2 (remote ID sub-option).
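The sub-option layout described above, as an added example that is not part of the original manual: a Python parser that walks a DHCP options field, finds Option 82, and splits it into the circuit ID and remote ID sub-options. The function names and the sample bytes are constructed for illustration; the code/length/value encoding is assumed to follow RFC 3046.

```python
"""Parse DHCP Option 82 (relay agent information) from a DHCP options field."""

PAD, END, RELAY_AGENT_INFO = 0, 255, 82
SUBOPTION_NAMES = {1: "circuit_id", 2: "remote_id"}


def iter_tlv(data, single_byte_codes=()):
    """Yield (code, value) pairs from a code/length/value byte string."""
    i = 0
    while i < len(data):
        code = data[i]
        if code in single_byte_codes:        # pad/end carry no length byte
            if code == END:
                return
            i += 1
            continue
        if i + 2 > len(data):
            raise ValueError(f"truncated header for code {code}")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:             # length byte points past the buffer
            raise ValueError(f"truncated value for code {code}")
        yield code, value
        i += 2 + length


def parse_option82(options):
    """Return {sub-option name: bytes} for Option 82, or None if it is absent."""
    for code, value in iter_tlv(options, single_byte_codes=(PAD, END)):
        if code != RELAY_AGENT_INFO:
            continue
        subs = {SUBOPTION_NAMES.get(c, f"suboption_{c}"): v
                for c, v in iter_tlv(value)}
        if not subs:                         # at least one sub-option is required
            raise ValueError("Option 82 present but carries no sub-option")
        return subs
    return None


# Constructed sample: message type (53) = DHCPREQUEST, then Option 82 holding a
# 4-byte circuit ID and a 6-byte remote ID (both values made up), then END.
SAMPLE = bytes.fromhex("350103" "520e" "010400010005" "0206001122334455" "ff")

if __name__ == "__main__":
    for name, raw in parse_option82(SAMPLE).items():
        print(f"{name}: {raw.hex()}")
```

The parser treats sub-option values as opaque bytes, since the content of the circuit ID and remote ID depends on the device that inserts them.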
