
Orion A10E - DHCP Snooping; Figure 3-8 DHCP Snooping Networking; Introduction

Orion A10E
376 pages
Orion Networks
A10E/A28E/A28F Configuration Guide
3 IP services
3.6 DHCP Snooping
3.6.1 Introduction
DHCP Snooping is a DHCP security feature that provides the following functions:
- Guarantee that the DHCP client obtains its IP address from a legitimate DHCP server.
  If a false DHCP server exists in the network, the DHCP client may obtain an incorrect IP
  address and incorrect network configuration parameters, and then cannot communicate
  normally. As shown below, to make the DHCP client obtain its IP address from the
  legitimate DHCP server, DHCP Snooping allows each interface to be set as a trusted
  interface or an untrusted interface: a trusted interface forwards DHCP packets normally;
  an untrusted interface discards the reply packets from the DHCP server.
Figure 3-8 DHCP Snooping networking
- Record the mapping between the DHCP client IP address and MAC address.
  The DHCP Snooping device records entries by monitoring the request and reply packets
  received by the trusted interface. Each entry includes the client MAC address, the
  obtained IP address, the interface the DHCP client is connected to, the VLAN of that
  interface, and so on. The recorded information is then used to implement the following:
  - ARP inspection: judges the legitimacy of the user that sends an ARP packet and
    prevents ARP attacks from illegitimate users.
  - IP Source Guard: filters the packets forwarded by an interface by dynamically
    obtaining DHCP Snooping entries, so that illegitimate packets cannot pass through
    the interface.
  - VLAN mapping: for packets sent to the user, the mapped VLAN is changed back to the
    original VLAN by looking up, in the DHCP Snooping entry, the DHCP client IP address,
    MAC address and original VLAN information related to the mapped VLAN.
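The trusted/untrusted rule and the binding table described above, as a small Python model. This is an added example, not code from the Orion guide or firmware; the class and field names, port numbers, MAC and IP addresses are constructed, and tracking the client port in a `pending` table until the ACK arrives is an assumption about how the entry learns the client interface.

```python
from dataclasses import dataclass

SERVER_REPLIES = {"OFFER", "ACK", "NAK"}

@dataclass(frozen=True)
class Dhcp:
    kind: str          # DISCOVER / REQUEST / OFFER / ACK / NAK
    client_mac: str
    yiaddr: str = ""   # address handed out by the server (replies only)

class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # client MAC -> (port, vlan) seen on a request
        self.bindings = {}   # client MAC -> (ip, port, vlan)

    def dhcp_in(self, port, vlan, pkt):
        """Return 'forward' or 'drop' for a DHCP packet arriving on a port."""
        if pkt.kind in SERVER_REPLIES:
            if port not in self.trusted:
                return "drop"        # server reply on an untrusted interface
            where = self.pending.get(pkt.client_mac)
            if pkt.kind == "ACK" and where:
                # Lease confirmed through the trusted interface: record entry.
                self.bindings[pkt.client_mac] = (pkt.yiaddr, *where)
            return "forward"
        self.pending[pkt.client_mac] = (port, vlan)   # client request
        return "forward"

    def source_ok(self, port, vlan, mac, ip):
        """Lookup shared by ARP inspection and IP Source Guard."""
        return self.bindings.get(mac) == (ip, port, vlan)

def demo():
    sw = SnoopingSwitch(trusted_ports={1})   # port 1 faces the real server
    mac = "00:11:22:33:44:55"                # constructed client on port 5
    results = [
        sw.dhcp_in(5, 10, Dhcp("DISCOVER", mac)),
        sw.dhcp_in(7, 10, Dhcp("OFFER", mac, "10.0.0.66")),   # false server
        sw.dhcp_in(1, 10, Dhcp("OFFER", mac, "192.0.2.10")),
        sw.dhcp_in(5, 10, Dhcp("REQUEST", mac)),
        sw.dhcp_in(1, 10, Dhcp("ACK", mac, "192.0.2.10")),
    ]
    return sw, results

if __name__ == "__main__":
    sw, results = demo()
    print(results, sw.bindings)
```

The same `source_ok` lookup rejects an ARP or IP packet whose MAC, IP, interface or VLAN does not match the recorded entry.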
The Option field in a DHCP packet records the location information of the DHCP client. The
administrator can use this option to locate the DHCP client and to control client security
and accounting.
If the A10E/A28E is configured so that DHCP Snooping supports the Option function:
- When the A10E/A28E receives a DHCP request packet, it processes the packet according to
  whether the Option field is included, the filling mode, and the processing policy
  configured by the user, and then forwards the processed packet to the DHCP server.
