Security Measures
178
Instruction Manual - NXA-ENET8-POE+
Filtering rules are implemented as follows:
- If the global DHCP snooping is disabled, all DHCP packets are forwarded.
- If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, all DHCP packets are forwarded for a trusted port. If the received packet is a DHCP ACK message, a dynamic DHCP snooping entry is also added to the binding table.
- If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, but the port is not trusted, it is processed as follows:
  - If the DHCP packet is a reply packet from a DHCP server (including OFFER, ACK or NAK messages), the packet is dropped.
  - If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table.
  - If the DHCP packet is from a client, such as a DISCOVER, REQUEST, INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC address verification is disabled. However, if MAC address verification is enabled, then the packet will only be forwarded if the client's hardware address stored in the DHCP packet is the same as the source MAC address in the Ethernet header.
  - If the DHCP packet is not a recognizable type, it is dropped.
- If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN.
- If a DHCP packet from a server is received on a trusted port, it will be forwarded to both trusted and untrusted ports in the same VLAN.
- If the DHCP snooping is globally disabled, all dynamic bindings are removed from the binding table.
Additional considerations when the switch itself is a DHCP client
- The port(s) through which the switch submits a client request to the DHCP server must be configured as trusted. Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server. Also, when the switch sends out DHCP client packets for itself, no filtering takes place. However, when the switch receives any messages from a DHCP server, any packets received from untrusted ports are dropped.
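The filtering rules above, and the note about the switch's own DHCP client traffic, as an added example that models the decision logic in Python (this is not the manual's or the switch firmware's code). Packets are plain dicts built by a constructed helper; the binding-table key (VLAN, client hardware address) and the egress labels are assumptions, since the manual does not state how entries are indexed.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST", "INFORM", "DECLINE", "RELEASE"}
NEED_BINDING = {"DECLINE", "RELEASE"}  # client messages that must match a binding entry


@dataclass
class DhcpSnooper:
    enabled: bool = True                           # global DHCP Snooping Status
    vlans: set = field(default_factory=set)        # VLANs with snooping enabled
    trusted: set = field(default_factory=set)      # trusted ports
    mac_verify: bool = True                        # MAC-Address Verification (default on)
    own_mac: str = ""                              # the switch's own MAC when it is a DHCP client
    bindings: dict = field(default_factory=dict)   # (vlan, chaddr) -> yiaddr, assumed key layout

    def set_global(self, on):
        """Globally disabling snooping also removes every dynamic binding."""
        self.enabled = on
        if not on:
            self.bindings.clear()

    def filter(self, pkt):
        """Return ('FORWARD', <egress ports>) or ('DROP', <reason>)."""
        vlan, kind = pkt["vlan"], pkt["type"]
        if not self.enabled or vlan not in self.vlans:
            return "FORWARD", "all ports"            # snooping not applied to this VLAN
        if pkt["port"] in self.trusted:
            if kind == "ACK" and pkt["chaddr"] != self.own_mac:
                self.bindings[(vlan, pkt["chaddr"])] = pkt["yiaddr"]   # learn dynamic binding
            # server replies reach trusted and untrusted ports, client packets only trusted ones
            return "FORWARD", "trusted+untrusted" if kind in SERVER_MSGS else "trusted"
        # untrusted ingress port from here on
        if kind in SERVER_MSGS:
            return "DROP", "server message on untrusted port"
        if kind not in CLIENT_MSGS:
            return "DROP", "unrecognized DHCP message type"
        if kind in NEED_BINDING and (vlan, pkt["chaddr"]) not in self.bindings:
            return "DROP", f"{kind} without a binding-table entry"
        if self.mac_verify and pkt["chaddr"] != pkt["src_mac"]:
            return "DROP", "chaddr does not match Ethernet source MAC"
        return "FORWARD", "trusted"                  # client packets go to trusted ports only


def pkt(port, vlan, kind, src_mac, chaddr=None, yiaddr=None):
    """Constructed DHCP packet summary for the model (not captured traffic)."""
    return {"port": port, "vlan": vlan, "type": kind, "src_mac": src_mac,
            "chaddr": chaddr or src_mac, "yiaddr": yiaddr}
```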
DHCP Snooping Option 82
DHCP provides a relay mechanism for sending information about its DHCP clients or the relay agent itself to the DHCP
server. Also known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP
addresses, or to set other services or policies for clients. It is also an effective tool in preventing malicious network attacks
from attached clients on DHCP services, such as IP Spoofing, Client Identifier Spoofing, MAC Address Spoofing, and
Address Exhaustion.
DHCP Snooping must be enabled for Option 82 information to be inserted into request packets.
When the DHCP Snooping Information Option 82 is enabled, the requesting client (or an intermediate relay agent that has used the information fields to describe itself) can be identified in the DHCP request packets forwarded by the switch and in reply packets sent back from the DHCP server. This information may specify the MAC address or IP address of the requesting device (that is, the switch in this context).
By default, the switch also fills in the Option 82 circuit-id field with information indicating the local interface over which the
switch received the DHCP client request, including the port and VLAN ID. This allows DHCP client-server exchange
messages to be forwarded between the server and client without having to flood them to the entire VLAN.
If DHCP Snooping Information Option 82 is enabled on the switch, information may be inserted into a DHCP request packet
received over any VLAN (depending on DHCP snooping filtering rules). The information inserted into the relayed packets
includes the circuit-id and remote-id, as well as the gateway Internet address.
When the switch receives DHCP packets from clients that already include DHCP Option 82 information, the switch can be
configured to set the action policy for these packets. The switch can either drop the DHCP packets, keep the existing
information, or replace it with the switch's relay information.
DHCP Snooping Global Configuration
Use the Security > DHCP Snooping (Configure Global) page to enable DHCP Snooping globally on the switch, or to configure MAC
Address Verification.
The following table lists the options on this page:
Security - DHCP Snooping Options
General
- DHCP Snooping Status: Enables DHCP snooping globally. (Default: Disabled)
- DHCP Snooping MAC-Address Verification: Enables or disables MAC address verification. If the source MAC address in the Ethernet header of the packet is not the same as the client's hardware address in the DHCP packet, the packet is dropped. (Default: Enabled)
Information
- DHCP Snooping Information Option Status: Enables or disables DHCP Option 82 information relay. (Default: Disabled)
- DHCP Snooping Information Option Sub-option Format: Enables or disables use of sub-type and sub-length fields in circuit-ID (CID) and remote-ID (RID) in Option 82 information. (Default: Enabled)
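The Option 82 handling described in the "DHCP Snooping Option 82" section and the Sub-option Format setting in the table above, as an added example (not the manual's or the switch firmware's code): it builds the circuit-id and remote-id with and without the sub-type/sub-length prefix and applies the drop, keep or replace policy to a constructed client options field. Option code 82 and sub-option codes 1 and 2 are RFC 3046; the circuit-id payload layout (VLAN ID, slot, port) and sub-type value 0 are assumptions, and only the options field is modelled, not the gateway address rewrite.

```python
import struct

OPT_RELAY_AGENT, OPT_END = 82, 255          # RFC 3046 option code, end-of-options marker
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2        # RFC 3046 sub-option codes


def _wrap(payload, sub_option_format):
    """With Sub-option Format enabled, prefix the value with sub-type (assumed 0) and sub-length."""
    return bytes([0, len(payload)]) + payload if sub_option_format else payload


def circuit_id(vlan, port, sub_option_format=True):
    """Circuit-id describing the ingress interface: VLAN ID, slot (assumed 0) and port."""
    return _wrap(struct.pack("!HBB", vlan, 0, port), sub_option_format)


def remote_id(switch_mac, sub_option_format=True):
    """Remote-id identifying the switch itself by its MAC address."""
    return _wrap(bytes.fromhex(switch_mac.replace(":", "")), sub_option_format)


def option82(cid, rid):
    """Full Option 82 TLV: code, length, then the circuit-id and remote-id sub-option TLVs."""
    body = bytes([SUB_CIRCUIT_ID, len(cid)]) + cid + bytes([SUB_REMOTE_ID, len(rid)]) + rid
    return bytes([OPT_RELAY_AGENT, len(body)]) + body


def parse_options(opts):
    """Split a DHCP options field (code, length, value TLVs ending in 0xFF) into a list."""
    out, i = [], 0
    while i < len(opts) and opts[i] != OPT_END:
        code, ln = opts[i], opts[i + 1]
        out.append((code, opts[i + 2:i + 2 + ln]))
        i += 2 + ln
    return out


def relay(opts, our_opt82, policy="replace"):
    """Apply the Option 82 policy to a client options field; return new options or None (drop)."""
    tlvs = parse_options(opts)
    has_opt82 = any(code == OPT_RELAY_AGENT for code, _ in tlvs)
    if has_opt82 and policy == "drop":
        return None
    if has_opt82 and policy == "keep":
        return opts                                  # existing relay information is left intact
    kept = b"".join(bytes([c, len(v)]) + v for c, v in tlvs if c != OPT_RELAY_AGENT)
    return kept + our_opt82 + bytes([OPT_END])       # insert, or replace, with our information
```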