PLANET XGS3-24042 User Manual, page 263


Chapter 33 DHCP Snooping Configuration

33.1 Introduction to DHCP Snooping

DHCP Snooping means that the switch monitors the IP-address acquisition process of each DHCP CLIENT via the DHCP protocol. It prevents DHCP attacks and illegal DHCP SERVERs by setting trust ports and untrust ports. DHCP messages from trust ports are forwarded without being verified. In typical settings, trust ports are used to connect the DHCP SERVER or DHCP RELAY proxy, and untrust ports are used to connect DHCP CLIENTs. The switch will forward DHCP request messages from untrust ports, but not DHCP reply ones. If any DHCP reply message is received from an untrust port, besides giving an alarm, the switch will also take the designated action on the port according to settings, such as "shutdown" or distributing a "blackhole". If DHCP Snooping binding is enabled, the switch will save the binding information (including MAC address, IP address, IP lease, VLAN number and port number) of each DHCP CLIENT on untrust ports in the DHCP snooping binding table. With such information, DHCP Snooping can combine with modules like dot1x and ARP, or implement user access control independently.
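The trust/untrust logic described above, as an added example that is not the switch's own firmware or configuration: a small Python model of the snooping data path that drops server replies (DHCPOFFER, DHCPACK, DHCPNAK) arriving on untrust ports, applies the configured "shutdown" or "blackhole" action, and records a binding (MAC, IP, lease, VLAN, port) when a DHCPACK for a known client arrives on a trust port. Port names, MAC addresses and IP addresses are constructed values.

```python
"""Model of DHCP snooping trust/untrust filtering and binding capture.

Added example, not PLANET's firmware: a toy switch data path that applies the
rules described in the manual to constructed DHCP messages.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# DHCP message types (option 53 values from RFC 2132).
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK = 1, 2, 3, 5, 6
SERVER_REPLIES = {DHCPOFFER, DHCPACK, DHCPNAK}  # only a server legitimately sends these


@dataclass
class DhcpMessage:
    port: str        # ingress switch port (constructed names like "eth1/1")
    vlan: int
    src_mac: str     # source MAC of the Ethernet frame
    chaddr: str      # client hardware address carried inside the DHCP header
    msg_type: int
    yiaddr: str = "0.0.0.0"   # address handed to the client (OFFER/ACK)
    lease: int = 0            # option 51 lease time in seconds


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    port: str


@dataclass
class DhcpSnooper:
    trusted_ports: Set[str]
    action: str = "shutdown"   # response to a rogue reply: "shutdown" the port or "blackhole" the MAC
    bindings: Dict[str, Binding] = field(default_factory=dict)          # keyed by client MAC
    pending: Dict[str, Tuple[str, int]] = field(default_factory=dict)   # client MAC -> (port, vlan)
    shut_ports: Set[str] = field(default_factory=set)
    blackholed_macs: Set[str] = field(default_factory=set)
    alarms: List[str] = field(default_factory=list)

    def process(self, m: DhcpMessage) -> str:
        """Apply the snooping rules to one message; return 'forward' or 'drop'."""
        # Ports and MACs already punished stay blocked (automatic recovery not modelled here).
        if m.port in self.shut_ports or m.src_mac in self.blackholed_macs:
            return "drop"

        if m.port in self.trusted_ports:
            # Trusted side: forwarded without verification, but ACKs populate the binding table.
            if m.msg_type == DHCPACK and m.chaddr in self.pending:
                port, vlan = self.pending.pop(m.chaddr)
                self.bindings[m.chaddr] = Binding(m.chaddr, m.yiaddr, m.lease, vlan, port)
            return "forward"

        # Untrusted side: a server reply is never legitimate here.
        if m.msg_type in SERVER_REPLIES:
            self.alarms.append(f"rogue DHCP reply type {m.msg_type} from {m.src_mac} on {m.port}")
            if self.action == "shutdown":
                self.shut_ports.add(m.port)
            else:
                self.blackholed_macs.add(m.src_mac)
            return "drop"

        # Client requests are forwarded; remember the client's port and VLAN so the
        # later ACK from the trusted server can be tied to them.
        if m.msg_type in (DHCPDISCOVER, DHCPREQUEST):
            self.pending[m.chaddr] = (m.port, m.vlan)
        return "forward"


def demo() -> DhcpSnooper:
    """Constructed exchange: a real client on eth1/2, the real server on trusted
    eth1/1, and a rogue server answering from untrusted eth1/3."""
    s = DhcpSnooper(trusted_ports={"eth1/1"}, action="shutdown")
    client, server, rogue = "00:11:22:33:44:55", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01"
    s.process(DhcpMessage("eth1/2", 10, client, client, DHCPDISCOVER))
    s.process(DhcpMessage("eth1/1", 10, server, client, DHCPOFFER, "192.0.2.50", 3600))
    s.process(DhcpMessage("eth1/2", 10, client, client, DHCPREQUEST))
    s.process(DhcpMessage("eth1/1", 10, server, client, DHCPACK, "192.0.2.50", 3600))
    s.process(DhcpMessage("eth1/3", 10, rogue, client, DHCPOFFER, "192.0.2.99", 60))
    return s


if __name__ == "__main__":
    st = demo()
    print(st.bindings)
    print(st.alarms, st.shut_ports)
```

The binding is recorded with the client's own port and VLAN (learned from its DISCOVER/REQUEST), not the trusted port the ACK arrived on; that is what makes the table usable later for per-port checks such as ARP binding and dot1x user entries.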

Defense against Fake DHCP Server: once the switch intercepts DHCP SERVER reply packets (including DHCPOFFER, DHCPACK and DHCPNAK) on an untrust port, it will alarm and respond according to the situation (shut down the port or send a blackhole).

Defense against DHCP overload attacks: To avoid too many DHCP messages attacking the CPU, users should limit the rate at which DHCP packets are received on trusted and non-trusted ports.

Record the binding data of DHCP: DHCP SNOOPING records the binding data allocated by the DHCP SERVER while forwarding DHCP messages; it can also upload the binding data to a specified server to back it up. The binding data is mainly used to configure the dynamic users of dot1x user-based ports. Please refer to the chapter called "dot1x configuration" for more about the usage of dot1x user-based mode.

Add binding ARP: DHCP SNOOPING can add static binding ARP entries according to the binding data after capturing it, thus avoiding ARP cheating.

Add trusted users: DHCP SNOOPING can add trusted user list entries according to the parameters in the binding data after capturing it; these users can then access all resources without DOT1X authentication.

Automatic Recovery: A while after the switch shuts down the port or sends a blackhole, it automatically recovers communication of the port or source MAC and sends information to the Log Server via syslog.

LOG Function: When the switch discovers abnormal received packets or automatically recovers, it sends syslog information to the Log Server.

The Encryption of Private Messages: The communication between the switch and the inner-network security management system TrustView uses private messages, and users can encrypt those messages of version 2.

Add authentication option82 Function: It is used with the dot1x dhcpoption82 authentication mode. Different option 82 content is added to DHCP messages according to the user's authentication status.
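As an added example (not PLANET's implementation), the following Python models three of the features listed above: a per-port DHCP rate limit that shuts a port down when exceeded, automatic recovery of that port after a timer with a syslog-style record of both events, and a consistency check of ARP sender claims against a snooping binding table, which is the effect the static binding ARP entries achieve. The binding table, port names, addresses and the 5 pps / 30 s parameters are constructed values, not settings from the manual.

```python
"""Rate limiting, automatic recovery and binding-based ARP checks.

Added example, not the switch's firmware. Assumes a binding table already
captured by DHCP snooping (here a constructed dict) and a constructed packet stream.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

# Constructed binding table: client MAC -> (IP, VLAN, port), as DHCP snooping records it.
BINDINGS: Dict[str, Tuple[str, int, str]] = {
    "00:11:22:33:44:55": ("192.0.2.50", 10, "eth1/2"),
    "00:11:22:33:44:66": ("192.0.2.51", 10, "eth1/4"),
}


def arp_is_consistent(sender_mac: str, sender_ip: str, vlan: int, port: str) -> bool:
    """True only if the ARP sender's MAC/IP/VLAN/port agree with the snooping binding.

    An ARP packet claiming another host's IP, or a bound MAC appearing on a
    different port, contradicts the binding and is rejected (ARP cheating)."""
    entry = BINDINGS.get(sender_mac)
    return entry is not None and entry == (sender_ip, vlan, port)


@dataclass
class PortGuard:
    limit_pps: int        # maximum DHCP packets per second accepted from one port
    recovery_secs: int    # how long a shut port stays down before automatic recovery
    window: Dict[str, Deque[float]] = field(default_factory=dict)   # per-port arrival times
    shut_until: Dict[str, float] = field(default_factory=dict)      # port -> recovery time
    syslog: List[str] = field(default_factory=list)                 # what would go to the Log Server

    def tick(self, now: float) -> None:
        """Automatic recovery: reopen ports whose penalty has expired and log it."""
        for port, until in list(self.shut_until.items()):
            if now >= until:
                del self.shut_until[port]
                self.syslog.append(f"{now:.0f} port {port} automatically recovered")

    def dhcp_packet(self, port: str, now: float) -> bool:
        """Return True if a DHCP packet from `port` at time `now` may reach the CPU."""
        self.tick(now)
        if port in self.shut_until:
            return False
        q = self.window.setdefault(port, deque())
        q.append(now)
        # Sliding one-second window of arrivals on this port.
        while q and now - q[0] >= 1.0:
            q.popleft()
        count = len(q)
        if count > self.limit_pps:
            self.shut_until[port] = now + self.recovery_secs
            q.clear()
            self.syslog.append(
                f"{now:.0f} DHCP rate {count} > {self.limit_pps} pps on {port}: port shutdown")
            return False
        return True


def demo() -> PortGuard:
    """Constructed burst: 8 DHCP packets within one second on eth1/5."""
    g = PortGuard(limit_pps=5, recovery_secs=30)
    for i in range(8):
        g.dhcp_packet("eth1/5", 100.0 + i * 0.1)
    g.dhcp_packet("eth1/5", 120.0)   # still shut
    g.dhcp_packet("eth1/5", 131.0)   # recovered after 30 s
    return g


if __name__ == "__main__":
    for line in demo().syslog:
        print(line)
    print(arp_is_consistent("00:11:22:33:44:55", "192.0.2.1", 10, "eth1/2"))
```

The sixth packet in the burst trips the limit and shuts the port; later packets are dropped until the recovery time passes, and both the shutdown and the recovery leave a syslog record, matching the LOG Function and Automatic Recovery behaviour described above.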
