QTECH QSW-8300 User Manual (configuration guide): Chapter 27 DHCP Snooping Configuration, 27.1 Introduction to DHCP Snooping


+7(495) 797-3311 www.qtech.ru

Moscow, Novozavodskaya St., 18, bldg. 1


Chapter 27 DHCP Snooping Configuration

27.1 Introduction to DHCP Snooping

DHCP Snooping means that the switch monitors the process by which a DHCP CLIENT obtains an IP address via the DHCP protocol. It prevents DHCP attacks and illegal DHCP SERVERs by distinguishing trust ports from untrust ports: DHCP messages from trust ports are forwarded without being verified. In typical settings, trust ports connect to a DHCP SERVER or DHCP RELAY Proxy, and untrust ports connect to DHCP CLIENTs. The switch forwards DHCP request messages received on untrust ports, but not DHCP reply messages. If a DHCP reply message is received on an untrust port, the switch raises an alarm and also applies the configured action to the port, such as "shutdown" or distributing a "blackhole". If DHCP Snooping binding is enabled, the switch saves the binding information (MAC address, IP address, IP lease, VLAN number and port number) of each DHCP CLIENT on untrust ports in the DHCP snooping binding table. With this information, DHCP Snooping can work together with modules such as dot1x and ARP, or implement user access control independently.

Defense against fake DHCP server: once the switch intercepts DHCP Server reply packets (including DHCPOFFER, DHCPACK and DHCPNAK) on an untrust port, it raises an alarm and responds according to the configuration (shuts down the port or sends a blackhole).

Defense against DHCP overload attacks: to prevent a flood of DHCP messages from overloading the CPU, users should limit the rate at which DHCP packets are received on trusted and non-trusted ports.

Record the binding data of DHCP: DHCP SNOOPING records the binding data allocated by the DHCP SERVER while forwarding DHCP messages; it can also upload the binding data to a specified server to back it up. The binding data is mainly used to configure the dynamic users of dot1x user-based ports. Please refer to the chapter called "dot1x configuration" for more about the usage of dot1x user-based mode.

Add binding ARP: after capturing binding data, DHCP SNOOPING can add static ARP bindings according to that data, thus preventing ARP spoofing.

Add trusted users: after capturing binding data, DHCP SNOOPING can add trusted user list entries according to the parameters in the binding data; these users can then access all resources without DOT1X authentication.

Automatic recovery: a while after the switch shuts down the port or sends a blackhole, it automatically recovers communication on the port or for the source MAC and sends a message to the Log Server via syslog.

LOG function: when the switch discovers abnormal received packets or automatically recovers, it sends syslog information to the Log Server.
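The trust/untrust forwarding rule, the fake-server response, the receive rate limit, the binding table with its derived ARP entries, and the automatic recovery described above, modelled together as an added example. This is constructed Python written for this page, not the QSW-8300 firmware or the manual's own code; the port names, MAC addresses, message dictionaries, and the integer-second clock are assumptions made for illustration.

```python
"""Minimal model of the DHCP snooping decisions a switch makes per DHCP message.

Constructed example (not the QSW-8300 implementation). A DHCP message is a dict
with keys type, port, vlan, mac, ip, lease; time is an integer number of seconds.
"""
from collections import defaultdict, deque

SERVER_REPLIES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}  # legitimate only from trust ports


def dhcp(kind, port, mac, vlan=1, ip=None, lease=None):
    """Build a constructed DHCP message dict for the examples below."""
    return {"type": kind, "port": port, "vlan": vlan, "mac": mac, "ip": ip, "lease": lease}


class DhcpSnooper:
    def __init__(self, trusted_ports, action="shutdown", rate_limit=10, recovery_time=300):
        self.trusted = set(trusted_ports)
        self.action = action            # "shutdown" (block the port) or "blackhole" (block the source MAC)
        self.rate_limit = rate_limit    # DHCP packets accepted per port per 1-second window
        self.recovery_time = recovery_time
        self.bindings = {}              # client MAC -> {ip, lease, vlan, port}  (binding table)
        self.blocked = {}               # ("port", name) or ("mac", addr) -> time at which it recovers
        self.log = []                   # stands in for syslog messages sent to the Log Server
        self._clients = {}              # client MAC -> (port, vlan) learned from untrust-port requests
        self._window = defaultdict(deque)  # port -> timestamps of recently received DHCP packets

    def _recover(self, now):
        # Automatic recovery: lift expired shutdown/blackhole actions and log the event.
        for key, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[key]
                self.log.append(f"{now} recovered {key[0]} {key[1]}")

    def _rate_exceeded(self, port, now):
        # Sliding 1-second window of DHCP packets seen on this port.
        q = self._window[port]
        q.append(now)
        while q and q[0] <= now - 1:
            q.popleft()
        return len(q) > self.rate_limit

    def handle(self, now, msg):
        """Return 'forward' or 'drop:<reason>' for one received DHCP message."""
        self._recover(now)
        port, mac, kind = msg["port"], msg["mac"], msg["type"]
        if ("port", port) in self.blocked or ("mac", mac) in self.blocked:
            return "drop:blocked"
        if self._rate_exceeded(port, now):
            self.log.append(f"{now} DHCP rate limit exceeded on {port}")
            return "drop:rate-limit"
        if port in self.trusted:
            # Trust-port traffic is forwarded unverified; server ACKs populate the binding table.
            if kind == "DHCPACK" and mac in self._clients:
                cport, vlan = self._clients[mac]
                self.bindings[mac] = {"ip": msg["ip"], "lease": msg["lease"], "vlan": vlan, "port": cport}
            return "forward"
        if kind in SERVER_REPLIES:
            # Server reply on an untrust port: alarm, then shut down the port or blackhole the MAC.
            key = ("port", port) if self.action == "shutdown" else ("mac", mac)
            self.blocked[key] = now + self.recovery_time
            self.log.append(f"{now} ALARM {kind} from untrust port {port} ({mac}); {self.action} {key[1]}")
            return "drop:rogue-server"
        self._clients[mac] = (port, msg["vlan"])  # remember where the client is attached
        return "forward"

    def arp_entries(self):
        """Static ARP entries (IP -> MAC) derived from the binding table, to resist ARP spoofing."""
        return {b["ip"]: mac for mac, b in self.bindings.items()}


if __name__ == "__main__":
    s = DhcpSnooper({"Gi0/1"}, action="shutdown", rate_limit=5, recovery_time=60)
    s.handle(0, dhcp("DHCPDISCOVER", "Gi0/2", "00:11:22:33:44:55", vlan=10))
    s.handle(1, dhcp("DHCPACK", "Gi0/1", "00:11:22:33:44:55", ip="10.0.0.5", lease=3600))
    print(s.handle(2, dhcp("DHCPOFFER", "Gi0/3", "de:ad:be:ef:00:01", ip="192.168.1.9")))
    print(s.bindings, s.arp_entries(), s.log, sep="\n")
```

The model keeps the three outcomes the manual describes separate (forward, drop with alarm and action, drop by rate limit) so that each can be checked on its own; the binding is only created when a DHCPACK from a trust port matches a client request previously seen on an untrust port, which is what ties the lease to a VLAN and port.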
