Configuration Guide Configuring DHCP Snooping
Working Principle
During snooping, the device checks the receiving port and the fields of each packet to filter packets, and modifies the
destination ports of packets to control the range within which they are forwarded.
Checking Ports
On receipt of DHCP packets, the device first checks whether the receiving port is a DHCP Snooping trusted port. If it is,
the legality check and binding entry addition are skipped and the packets are forwarded directly. If it is not, both the
check and the addition are performed.
Checking Packet Encapsulation and Length
The device checks whether the packets are UDP packets and whether the destination port is 67 or 68. It also checks whether
the packet length matches the length field defined in the protocol.
Checking Packet Fields and Types
According to the types of illegal packets introduced in the section "Basic Concepts", the device checks the giaddr and
chaddr fields of the packets and then checks whether the restrictive conditions for that packet type are met.
Related Configuration
Enabling Global DHCP Snooping
By default, DHCP Snooping is disabled.
It can be enabled on a device using the ip dhcp snooping command.
Global DHCP Snooping must be enabled before VLAN-based DHCP Snooping is applied.
Configuring VLAN-based DHCP Snooping
By default, when global DHCP Snooping is enabled, DHCP Snooping takes effect on all VLANs.
Use the [ no ] ip dhcp snooping vlan command to enable DHCP Snooping on specified VLANs, or to remove VLANs from the
set of VLANs on which it is enabled. The value range of the command parameter is the actual range of VLAN IDs.
Configuring DHCP Snooping Source MAC Verification
By default, the layer-2 source MAC addresses of packets and the chaddr fields of DHCP packets are not verified.
When the ip dhcp snooping verify mac-address command is configured, the source MAC address and the chaddr field of
each DHCP request packet received on an untrusted port are compared. DHCP request packets whose source MAC address
does not match the chaddr field are discarded.
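The untrusted-port checks described under "Working Principle" together with the source MAC verification above, as an added illustration that is not the device's own implementation. It assumes a single trusted uplink named GigabitEthernet 0/24, verify mac-address enabled, and two rules for the "illegal packet" types (which the "Basic Concepts" section defines but this page does not repeat): on an untrusted port only client requests (op=1) are legal and giaddr must be zero.

```python
import struct

# Fixed part of the BOOTP/DHCP header (RFC 2131), 44 bytes up to and including chaddr:
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr
BOOTP_FIXED = "!BBBBIHH4s4s4s4s16s"
BOOTP_FIXED_LEN = struct.calcsize(BOOTP_FIXED)  # 44
UDP_HDR_LEN = 8
ZERO_IP = b"\x00\x00\x00\x00"

# Assumed device state for this example: one trusted uplink and
# "ip dhcp snooping verify mac-address" configured.
TRUSTED_PORTS = {"GigabitEthernet 0/24"}
VERIFY_MAC = True

def snoop(port, src_mac, is_udp, dst_port, udp_len, payload):
    """Apply the DHCP Snooping checks to one received frame.

    Returns ("forward", None) for trusted ports, ("accept", client_mac) when the
    packet passed every check (and may now feed the binding database), or
    ("drop", reason) otherwise.
    """
    if port in TRUSTED_PORTS:                       # Checking Ports
        return ("forward", None)
    if not is_udp or dst_port not in (67, 68):      # Checking Packet Encapsulation
        return ("drop", "not a DHCP UDP packet")
    if udp_len != UDP_HDR_LEN + len(payload) or len(payload) < BOOTP_FIXED_LEN:
        return ("drop", "UDP length field does not match the payload")
    (op, _htype, hlen, _hops, _xid, _secs, _flags, _ciaddr, _yiaddr, _siaddr,
     giaddr, chaddr) = struct.unpack(BOOTP_FIXED, payload[:BOOTP_FIXED_LEN])
    # Checking Packet Fields and Types (assumed rules for untrusted ports)
    if op != 1:
        return ("drop", "server reply (op=%d) received on untrusted port" % op)
    if giaddr != ZERO_IP:
        return ("drop", "non-zero giaddr on untrusted port")
    if hlen != 6:
        return ("drop", "unexpected hardware address length %d" % hlen)
    client_mac = chaddr[:hlen]
    if VERIFY_MAC and client_mac != src_mac:        # Source MAC Verification
        return ("drop", "source MAC %s != chaddr %s" % (src_mac.hex(":"), client_mac.hex(":")))
    return ("accept", client_mac)

def build_request(client_mac, giaddr=ZERO_IP, op=1):
    """Construct a minimal DHCP payload (fixed header only, no options) for testing."""
    return struct.pack(BOOTP_FIXED, op, 1, 6, 0, 0x3903F326, 0, 0x8000,
                       ZERO_IP, ZERO_IP, ZERO_IP, giaddr, client_mac.ljust(16, b"\x00"))
```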
8.3.2 Building the Binding Database
DHCP Snooping monitors the packets exchanged between DHCP clients and the DHCP server, and generates entries of the
DHCP Snooping binding database from the information carried in legal DHCP packets. These legal entries are provided to
the other security modules of the device as the basis for filtering packets from the network.