Dhcp snooping – Brocade Communications Systems Brocate Ethernet Access Switch 6910 User Manual
Page 953
Brocade 6910 Ethernet Access Switch Configuration Guide
903
53-1002581-01
DHCP Snooping
41
DHCP Snooping
The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the
dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP
Source Guard). DHCP snooping allows a switch to protect a network from rogue DHCP servers or
other devices which send port-related information to a DHCP server. This information can be useful
in tracking an IP address back to a physical port.
Command Usage
DHCP Snooping Process
•
Network traffic may be disrupted when malicious DHCP messages are received from an
outside source. DHCP snooping is used to filter DHCP messages received on a non-secure
interface from outside the network or fire wall. When DHCP snooping is enabled globally and
enabled on a VLAN interface, DHCP messages received on an untrusted interface from a
device not listed in the DHCP snooping table will be dropped.
•
Table entries are only learned for trusted interfaces. An entry is added or removed dynamically
to the DHCP snooping table when a client receives or releases an IP address from a DHCP
server. Each entry includes a MAC address, IP address, lease time, VLAN identifier, and port
identifier.
•
The rate limit for the number of DHCP messages that can be processed by the switch is 100
packets per second. Any DHCP packets in excess of this limit are dropped.
•
When DHCP snooping is enabled, DHCP messages entering an untrusted interface are filtered
based upon dynamic entries learned via DHCP snooping.
•
Filtering rules are implemented as follows:
•
If the global DHCP snooping is disabled, all DHCP packets are forwarded.
•
If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP
packet is received, all DHCP packets are forwarded for a trusted port. If the received
packet is a DHCP ACK message, a dynamic DHCP snooping entry is also added to the
binding table.
•
If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP
packet is received, but the port is not trusted, it is processed as follows:
•
If the DHCP packet is a reply packet from a DHCP server (including OFFER, ACK or NAK
messages), the packet is dropped.
•
If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the
switch forwards the packet only if the corresponding entry is found in the binding
table.
•
If the DHCP packet is from a client, such as a DISCOVER, REQUEST, INFORM, DECLINE
or RELEASE message, the packet is forwarded if MAC address verification is disabled.
However, if MAC address verification is enabled, then the packet will only be forwarded
if the client’s hardware address stored in the DHCP packet is the same as the source
MAC address in the Ethernet header.
•
If the DHCP packet is not a recognizable type, it is dropped.
•
If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded
to trusted ports in the same VLAN.
•
If a DHCP packet is from server is received on a trusted port, it will be forwarded to both
trusted and untrusted ports in the same VLAN.