Chapter 19 dhcp snooping configuration, 1 dhcp snooping introduction, 2 dhcp snooping configuration – Amer Networks SS2R48G4i V2 User Manual

SS2R24G4i/SS2R48G4i
Chapter 19 DHCP snooping Configuration
19.1 DHCP Snooping Introduction
DHCP Snooping can effectively block attacks from fake DHCP servers.
Defense against Fake DHCP Server: Once the switch intercepts DHCP server reply packets (including DHCPOFFER, DHCPACK, and DHCPNAK) from un-trusted ports, it will alarm the users and respond according to the situation (shut down the port or send BlackHole).
Defense against DHCP overload attacks: To prevent too many DHCP messages from overwhelming the CPU, users should limit the rate at which DHCP packets are received on trusted and un-trusted ports.
Record the binding data of DHCP: While forwarding DHCP messages, DHCP Snooping records the binding data of the DHCP server; it can also upload the binding data to the specified server for backup. The binding data is mainly used to configure the dynamic users of dot1x userbased ports. Please refer to the chapter named “dot1x configuration” for more about the usage of dot1x userbased mode.
Automatic Recovery: A while after the switch has shut down the port or sent BlackHole, it should automatically recover the communication of the port or source MAC and send information to the Log Server via syslog.
LOGF Function: When the switch discovers abnormal received packets or automatically recovers, it should send syslog information to the Log Server.
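The fake-server check and the binding record described above, sketched in Python as an added example (not code from the manual or the switch firmware). The port names, sample packets and function names are constructed for illustration, and the binding table is simplified to a MAC-to-IP map.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
SERVER_REPLIES = {2: "DHCPOFFER", 5: "DHCPACK", 6: "DHCPNAK"}

def dhcp_message_type(payload):
    """Return the value of option 53 in a BOOTP/DHCP payload, or None."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                          # pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                              # truncated option header
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:
            return None                              # truncated option value
        if code == 53 and length == 1:
            return value[0]
        i += 2 + length
    return None

def snoop(port, payload, trusted_ports, bindings):
    """Return ("alarm", type) for a server reply on an un-trusted port, else ("forward", type)."""
    mtype = dhcp_message_type(payload)
    if mtype in SERVER_REPLIES and port not in trusted_ports:
        return ("alarm", SERVER_REPLIES[mtype])      # switch would shut down the port or send BlackHole
    if mtype == 5:                                   # DHCPACK from a trusted port: record binding
        client_ip = ".".join(str(b) for b in payload[16:20])   # yiaddr field
        client_mac = payload[28:34].hex(":")                   # chaddr field
        bindings[client_mac] = client_ip
    return ("forward", SERVER_REPLIES.get(mtype))

def build_sample(mtype, yiaddr=bytes(4), mac=bytes(6)):
    """Constructed test packet: 236-byte BOOTP header, cookie, option 53, end."""
    op = 2 if mtype in SERVER_REPLIES else 1
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0,
                         b"", yiaddr, b"", b"", mac, b"", b"")
    return header + MAGIC_COOKIE + bytes([53, 1, mtype, 255])

if __name__ == "__main__":
    trusted, table = {"eth1/1"}, {}                  # constructed port names
    ack = build_sample(5, bytes([192, 0, 2, 10]), bytes.fromhex("020000000001"))
    print(snoop("eth1/7", build_sample(2), trusted, table))   # OFFER on un-trusted port
    print(snoop("eth1/1", ack, trusted, table), table)        # ACK on trusted port
```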
19.2 DHCP Snooping Configuration
19.2.1 DHCP Snooping Configuration Task Sequence
1. Enable DHCP Snooping
2. Enable the binding function of DHCP Snooping
3. Configure helper server address
4. Configure trusted ports
5. Configure defense action
6. Set log record
1. Enable DHCP Snooping
Command Explanation
Global configuration mode