Introduction to unauthorized dhcp server detection, Overview of dhcp-snooping option 82, Introduction to option 82 – H3C Technologies H3C S3100 Series Switches User Manual

Page 534


3-2

- Trusted: A trusted port is connected to an authorized DHCP server directly or indirectly. It forwards DHCP messages to guarantee that DHCP clients can obtain valid IP addresses.

- Untrusted: An untrusted port is connected to an unauthorized DHCP server. The DHCP-ACK or DHCP-OFFER packets received from the port are discarded, preventing DHCP clients from receiving invalid IP addresses.

Introduction to Unauthorized DHCP Server Detection

S3100-SI series Ethernet switches do not support the DHCP snooping trusted port function due to limited ACL resources; however, they provide the unauthorized DHCP server detection feature to guard against network troubles caused by unauthorized DHCP servers, or prevent an attacker from assigning IP addresses to clients as a valid DHCP server.

After you enable this feature on a downstream port (which is connected to DHCP clients directly or indirectly) of a DHCP snooping enabled switch, the switch sends a DHCP-DISCOVER message. If a DHCP-OFFER message is received from the downstream port, an unauthorized DHCP server is considered present, and the switch either sends a trap, or sends a trap and administratively shuts down the port, as configured.

A port that has been shut down administratively in this way is in the closed state and can neither receive nor forward packets; however, the display current-configuration command does not show this port state. You can use the undo shutdown command in port view to bring the port up again.

To prevent an unauthorized DHCP server from filtering out the DHCP-DISCOVER messages sent by the DHCP snooping device, you can specify a source MAC address for such messages.
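The two mechanisms above, the trusted/untrusted port rule and the DISCOVER-probe detection on a downstream port, as an added model in Python. This is example code written for this page, not H3C firmware: the port names, the probe source MAC, the action names "trap" and "trap-shutdown", and the downstream "segment" callables that stand in for whatever is plugged into a port are all constructed for the illustration.

```python
# Added example (not H3C code): a model of the DHCP snooping port roles and of the
# unauthorized DHCP server detection probe described in this section. Port names,
# the probe source MAC and the action names are constructed for the example.
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List


class MsgType(Enum):
    DISCOVER = 1
    OFFER = 2
    REQUEST = 3
    ACK = 5


@dataclass
class DhcpMsg:
    msg_type: MsgType
    src_mac: str
    port: str          # switch port the message arrives on (or is sent from)


@dataclass
class Port:
    name: str
    trusted: bool = False     # trusted ports lead to an authorized DHCP server
    shutdown: bool = False    # set by detection when the shutdown action is configured


@dataclass
class SnoopingSwitch:
    ports: Dict[str, Port]
    on_detect: str = "trap"                   # "trap" or "trap-shutdown" (constructed names)
    probe_src_mac: str = "00:e0:fc:00:00:01"  # constructed source MAC for the probe
    events: List[str] = field(default_factory=list)

    def forward(self, msg: DhcpMsg) -> bool:
        """Snooping rule: server-side replies are only accepted from trusted ports."""
        port = self.ports[msg.port]
        if port.shutdown:                  # a closed port neither receives nor forwards
            return False
        if msg.msg_type in (MsgType.OFFER, MsgType.ACK) and not port.trusted:
            self.events.append(f"drop {msg.msg_type.name} from untrusted {port.name}")
            return False
        return True

    def probe(self, port_name: str, segment: Callable[[DhcpMsg], List[DhcpMsg]]) -> str:
        """Detection: send a DISCOVER out of a downstream port; any OFFER coming back
        on that port means a DHCP server is answering where only clients should be.
        `segment` models what is attached to the port and returns the replies."""
        port = self.ports[port_name]
        if port.shutdown:
            return "port-closed"
        discover = DhcpMsg(MsgType.DISCOVER, self.probe_src_mac, port_name)
        offers = [r for r in segment(discover)
                  if r.msg_type is MsgType.OFFER and r.port == port_name]
        if not offers:
            return "clean"
        self.events.append(f"trap: unauthorized DHCP server {offers[0].src_mac} on {port_name}")
        if self.on_detect == "trap-shutdown":
            port.shutdown = True           # administratively shut down
            return "shutdown"
        return "trap"

    def undo_shutdown(self, port_name: str) -> None:
        """Equivalent of `undo shutdown` in port view: reopen the port."""
        self.ports[port_name].shutdown = False


# Constructed downstream segments for the probe to talk to.
def quiet_segment(msg: DhcpMsg) -> List[DhcpMsg]:
    return []                              # only clients here; nobody answers a DISCOVER


def rogue_server_segment(msg: DhcpMsg) -> List[DhcpMsg]:
    if msg.msg_type is MsgType.DISCOVER:   # a server behind a client port answers
        return [DhcpMsg(MsgType.OFFER, "00:11:22:33:44:55", msg.port)]
    return []


def demo() -> dict:
    sw = SnoopingSwitch(
        ports={"GE1/0/1": Port("GE1/0/1", trusted=True), "GE1/0/2": Port("GE1/0/2")},
        on_detect="trap-shutdown",
    )
    r = {
        "offer_via_trusted": sw.forward(DhcpMsg(MsgType.OFFER, "00:aa:bb:cc:dd:01", "GE1/0/1")),
        "offer_via_untrusted": sw.forward(DhcpMsg(MsgType.OFFER, "00:aa:bb:cc:dd:02", "GE1/0/2")),
        "probe_clean": sw.probe("GE1/0/2", quiet_segment),
        "probe_rogue": sw.probe("GE1/0/2", rogue_server_segment),
    }
    client = DhcpMsg(MsgType.DISCOVER, "00:aa:bb:cc:dd:03", "GE1/0/2")
    r["closed_port_forwards"] = sw.forward(client)
    sw.undo_shutdown("GE1/0/2")
    r["reopened_port_forwards"] = sw.forward(client)
    r["events"] = list(sw.events)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The detection half only looks at OFFERs that come back on the probed downstream port; a legitimate server answering through the uplink is not counted, which is what keeps the probe from raising a trap on the authorized server.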

Overview of DHCP-Snooping Option 82

Introduction to Option 82

Option 82 is the relay agent information option in the DHCP message. It records the location information of the DHCP client.

When a DHCP relay agent (or a device enabled with DHCP snooping) receives a client's request, it adds Option 82 to the request message and sends it to the server.

The administrator can use this information to locate the DHCP client and so apply security control and accounting. A server that supports Option 82 can also use it to define individual IP address assignment policies and other parameters for the clients.

Option 82 involves at most 255 sub-options. If Option 82 is defined, at least one sub-option must be defined. Currently the DHCP relay agent supports two sub-options: sub-option 1 (circuit ID sub-option) and sub-option 2 (remote ID sub-option).
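The Option 82 layout just described, as an added Python example (not H3C code): the option is a TLV of code 82, a length byte, and a body of sub-option TLVs, of which sub-option 1 (circuit ID) and sub-option 2 (remote ID) are built and decoded here, plus the insertion step a relay agent or snooping device performs on a client request. The circuit ID "GE1/0/3" and the remote ID bytes are constructed values.

```python
# Added example (not H3C code): encoding and decoding of DHCP Option 82 (relay agent
# information) with sub-option 1 (circuit ID) and sub-option 2 (remote ID), and the
# insertion a relay agent or snooping device performs on a client request.
# The circuit ID and remote ID values used below are constructed.
from typing import Dict, Optional

OPT_PAD = 0
OPT_RELAY_AGENT_INFO = 82
OPT_END = 255
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


def build_option82(circuit_id: Optional[bytes], remote_id: Optional[bytes]) -> bytes:
    """Return the Option 82 TLV containing whichever sub-options are given."""
    body = b""
    for code, value in ((SUBOPT_CIRCUIT_ID, circuit_id), (SUBOPT_REMOTE_ID, remote_id)):
        if value is None:
            continue
        if len(value) > 255:
            raise ValueError(f"sub-option {code} too long")
        body += bytes([code, len(value)]) + value
    if not body:
        raise ValueError("Option 82 needs at least one sub-option")
    if len(body) > 255:
        raise ValueError("Option 82 too long")
    return bytes([OPT_RELAY_AGENT_INFO, len(body)]) + body


def parse_option82(opt: bytes) -> Dict[int, bytes]:
    """Decode an Option 82 TLV into {sub-option code: value}; reject malformed input
    instead of reading past the declared lengths."""
    if len(opt) < 2 or opt[0] != OPT_RELAY_AGENT_INFO:
        raise ValueError("not Option 82")
    end = 2 + opt[1]
    if len(opt) != end:
        raise ValueError("declared length does not match data")
    subs: Dict[int, bytes] = {}
    i = 2
    while i < end:
        if i + 2 > end:
            raise ValueError("truncated sub-option header")
        code, length = opt[i], opt[i + 1]
        if i + 2 + length > end:
            raise ValueError("sub-option value overruns Option 82")
        subs[code] = opt[i + 2:i + 2 + length]
        i += 2 + length
    if not subs:
        raise ValueError("Option 82 carries no sub-option")
    return subs


def insert_option82(options: bytes, circuit_id: Optional[bytes],
                    remote_id: Optional[bytes]) -> bytes:
    """Walk a DHCP options field and place Option 82 just before END, as a relay
    agent or snooping switch does on a client request. An Option 82 already present
    (which a client has no business sending) is replaced rather than duplicated."""
    out = b""
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:                   # single-byte option, no length
            out += options[i:i + 1]
            i += 1
            continue
        if code == OPT_END:
            return out + build_option82(circuit_id, remote_id) + bytes([OPT_END])
        if i + 2 > len(options) or i + 2 + options[i + 1] > len(options):
            raise ValueError("malformed options field")
        length = options[i + 1]
        if code != OPT_RELAY_AGENT_INFO:      # drop any client-supplied Option 82
            out += options[i:i + 2 + length]
        i += 2 + length
    raise ValueError("options field has no END option")


if __name__ == "__main__":
    # Constructed: a minimal options field carrying only message type = DISCOVER (1).
    client_options = bytes([53, 1, 1, OPT_END])
    relayed = insert_option82(client_options, b"GE1/0/3", bytes.fromhex("00e0fc010203"))
    print(relayed.hex())
    print(parse_option82(relayed[3:-1]))
```

The parser checks every declared length against the bytes actually present before slicing, which is the check a server or snooping device needs when the option arrives from an untrusted client port.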
