19-2
Catalyst 2928 Switch Software Configuration Guide
OL-23389-01
Chapter 19 Configuring DHCP Features and IP Source Guard Features
Understanding DHCP Snooping
These sections contain this information:
•
•
•
•
Option-82 Data Insertion, page 19-4
•
DHCP Snooping Binding Database, page 19-7
For information about the DHCP client, see the “
Configuring DHCP
” section of the “
IP Addressing and
Services
” section of the
Cisco IOS IP Configuration Guide, Release 12.2
from the Cisco.com page under
Documentation
>
Cisco IOS Software
>
12.2 Mainline
>
Configuration Guides
.
DHCP Server
The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP
clients and manages them. If the DHCP server cannot give the DHCP client the requested configuration
parameters from its database, it forwards the request to one or more secondary DHCP servers defined by
the network administrator.
DHCP Relay Agent
A DHCP relay agent is a Layer 3 device that forwards DHCP packets between clients and servers. Relay
agents forward requests and replies between clients and servers when they are not on the same physical
subnet. Relay agent forwarding is different from the normal Layer 2 forwarding, in which IP datagrams
are switched transparently between networks. Relay agents receive DHCP messages and generate new
DHCP messages to send on output interfaces.
DHCP Snooping
DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP
messages and by building and maintaining a DHCP snooping binding database, also referred to as a
DHCP snooping binding table.
DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. You use DHCP snooping
to differentiate between untrusted interfaces connected to the end user and trusted interfaces connected
to the DHCP server or another switch.
Note
For DHCP snooping to function properly, all DHCP servers must be connected to the switch through
trusted interfaces.
An untrusted DHCP message is a message that is received from outside the network or firewall. When
you use DHCP snooping in a service-provider environment, an untrusted message is sent from a device
that is not in the service-provider network, such as a customer’s switch. Messages from unknown devices
are untrusted because they can be sources of traffic attacks.
The DHCP snooping binding database has the MAC address, the IP address, the lease time, the binding
type, the VLAN number, and the interface information that corresponds to the local untrusted interfaces
of a switch. It does not have information regarding hosts interconnected with a trusted interface.
Содержание Catalyst 2928
Страница 28: ...Contents xxviii Catalyst 2928 Switch Software Configuration Guide OL 23389 01 ...
Страница 32: ...xxx Catalyst 2928 Switch Software Configuration Guide OL 23389 01 Preface ...
Страница 496: ...26 14 Catalyst 2928 Switch Software Configuration Guide OL 23389 01 Chapter 26 Configuring SPAN Displaying SPAN Status ...
Страница 534: ...29 18 Catalyst 2928 Switch Software Configuration Guide OL 23389 01 Chapter 29 Configuring SNMP Displaying SNMP Status ...
Страница 700: ...Index IN 36 Catalyst 2928 Switch Software Configuration Guide OL 23389 01 ...