Dhcp snooping configuration, Dhcp snooping, Configuration – Brocade Communications Systems Brocate Ethernet Access Switch 6910 User Manual
Page 954
904
Brocade 6910 Ethernet Access Switch Configuration Guide
53-1002581-01
DHCP Snooping
41
•
If the DHCP snooping is globally disabled, all dynamic bindings are removed from the
binding table.
•
Additional considerations when the switch itself is a DHCP client – The port(s) through
which the switch submits a client request to the DHCP server must be configured as
trusted. Note that the switch will not add a dynamic entry for itself to the binding table
when it receives an ACK message from a DHCP server. Also, when the switch sends out
DHCP client packets for itself, no filtering takes place. However, when the switch receives
any messages from a DHCP server, any packets received from untrusted ports are
dropped.
DHCP Snooping Option 82
•
DHCP provides a relay mechanism for sending information about its DHCP clients or the relay
agent itself to the DHCP server. Also known as DHCP Option 82, it allows compatible DHCP
servers to use the information when assigning IP addresses, or to set other services or policies
for clients. It is also an effective tool in preventing malicious network attacks from attached
clients on DHCP services, such as IP Spoofing, Client Identifier Spoofing, MAC Address
Spoofing, and Address Exhaustion.
•
DHCP Snooping must be enabled for Option 82 information to be inserted into request
packets.
•
When the DHCP Snooping Information Option 82 is enabled, the requesting client (or an
intermediate relay agent that has used the information fields to describe itself) can be
identified in the DHCP request packets forwarded by the switch and in reply packets sent back
from the DHCP server. This information may specify the MAC address or IP address of the
requesting device (that is, the switch in this context).
By default, the switch also fills in the Option 82 circuit-id field with information indicating the
local interface over which the switch received the DHCP client request, including the port and
VLAN ID. This allows DHCP client-server exchange messages to be forwarded between the
server and client without having to flood them to the entire VLAN.
•
If DHCP Snooping Information Option 82 is enabled on the switch, information may be inserted
into a DHCP request packet received over any VLAN (depending on DHCP snooping filtering
rules). The information inserted into the relayed packets includes the circuit-id and remote-id,
as well as the gateway Internet address.
•
When the switch receives DHCP packets from clients that already include DHCP Option 82
information, the switch can be configured to set the action policy for these packets. The switch
can either drop the DHCP packets, keep the existing information, or replace it with the switch’s
relay information.
DHCP Snooping Configuration
Use the IP Service > DHCP > Snooping (Configure Global) page to enable DHCP Snooping globally
on the switch, or to configure MAC Address Verification.
CLI References
•
Parameters
These parameters are displayed:
•
DHCP Snooping Status – Enables DHCP snooping globally. (Default: Disabled)