2 dhcp snooping configuration – CANOGA PERKINS CanogaOS Configuration Guide User Manual


CanogaOS Configuration Guide

Proprietary & Confidential Canoga Perkins Metro Ethernet Switches


DHCP relay packet statistics:

============================================================

Client relayed packets: 20

Server relayed packets: 20

Client error packets: 20

Server error packets: 0

Bogus GIADDR drops: 0

Bad circuit ID packets: 0

Corrupted agent options: 0

Missing agent options: 0

Missing circuit IDs: 0

35.2 DHCP Snooping Configuration

DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted
DHCP servers. The DHCP snooping feature performs the following activities:
• Validates DHCP messages received from untrusted sources and filters out invalid messages
• Builds and maintains the DHCP snooping binding database, which contains information about
untrusted hosts with leased IP addresses
• Uses the DHCP snooping binding database to validate subsequent requests from untrusted
hosts
Other security features, such as dynamic ARP inspection (DAI), also use information stored in
the DHCP snooping binding database. DHCP snooping is enabled on a per-VLAN basis. By
default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a
range of VLANs. The DHCP snooping feature is implemented in software. All DHCP
messages are intercepted in the BAY and directed to the CPU for processing.
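The three activities listed above can be modelled in a few lines of Python. This is an added example, not CanogaOS code: the specific checks (dropping server replies on untrusted ports, comparing chaddr with the frame's source MAC, matching RELEASE/DECLINE against the binding) are the ones DHCP snooping implementations commonly apply and are assumed here, and the class, field and port names are hypothetical.

```python
from dataclasses import dataclass

SERVER_TYPES = {"OFFER", "ACK", "NAK"}   # only a DHCP server should send these

@dataclass(frozen=True)
class Dhcp:
    msg_type: str    # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE, DECLINE
    src_mac: str     # Ethernet source address of the frame
    chaddr: str      # client hardware address inside the DHCP payload
    ip: str = ""     # yiaddr for ACK, ciaddr for RELEASE/DECLINE
    lease: int = 0   # lease time in seconds (ACK only)

class Snooper:
    """Toy model of a snooping switch (assumed rules, not vendor logic)."""
    def __init__(self, trusted_ports, vlans):
        self.trusted = set(trusted_ports)
        self.vlans = set(vlans)    # snooping is enabled per VLAN
        self.pending = {}          # (vlan, chaddr) -> untrusted port of the client
        self.bindings = {}         # (vlan, chaddr) -> (ip, port, lease expiry)

    def handle(self, port, vlan, m, now=0):
        """Return 'forward' or 'drop: <reason>' for one intercepted message."""
        if vlan not in self.vlans:
            return "forward"       # feature inactive on this VLAN
        key = (vlan, m.chaddr)
        if port in self.trusted:
            # Learn a binding when a trusted server ACKs a client we saw ask.
            if m.msg_type == "ACK" and key in self.pending:
                self.bindings[key] = (m.ip, self.pending.pop(key), now + m.lease)
            return "forward"
        if m.msg_type in SERVER_TYPES:
            return "drop: server message on untrusted port"
        if m.src_mac != m.chaddr:
            return "drop: chaddr does not match source MAC"
        if m.msg_type in ("RELEASE", "DECLINE"):
            # Later requests are validated against the binding database.
            b = self.bindings.get(key)
            if b is None or b[2] <= now or (b[0], b[1]) != (m.ip, port):
                return "drop: no matching binding"
            del self.bindings[key]
            return "forward"
        self.pending[key] = port   # DISCOVER / REQUEST from a client
        return "forward"
```

A RELEASE that arrives on a different port from the one recorded in the binding is dropped, which is the property features such as DAI rely on when they consult the same database.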

35.2.1 Topology

The figure shows the network topology used to test the DHCP snooping functions. The test bed
requires two Linux boxes and one switch.
