transparently between networks. Relay agents receive DHCP messages and generate new DHCP messages
to send on output interfaces.
DHCP Snooping
DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP
messages and by building and maintaining a DHCP snooping binding database, also referred to as a DHCP
snooping binding table.
DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. You use DHCP snooping to
differentiate between untrusted interfaces connected to the end user and trusted interfaces connected to the
DHCP server or another switch.
For DHCP snooping to function properly, all DHCP servers must be connected to the switch through
trusted interfaces.
Note
An untrusted DHCP message is a message that is received through an untrusted interface. By default, the
switch considers all interfaces untrusted. So, the switch must be configured to trust some interfaces to use
DHCP Snooping. When you use DHCP snooping in a service-provider environment, an untrusted message
is sent from a device that is not in the service-provider network, such as a customer
’
s switch. Messages from
unknown devices are untrusted because they can be sources of traffic attacks.
The DHCP snooping binding database has the MAC address, the IP address, the lease time, the binding type,
the VLAN number, and the interface information that corresponds to the local untrusted interfaces of a switch.
It does not have information regarding hosts interconnected with a trusted interface.
In a service-provider network, an example of an interface you might configure as trusted is one connected to
a port on a device in the same network. An example of an untrusted interface is one that is connected to an
untrusted interface in the network or to an interface on a device that is not in the network.
When a switch receives a packet on an untrusted interface and the interface belongs to a VLAN in which
DHCP snooping is enabled, the switch compares the source MAC address and the DHCP client hardware
address. If the addresses match (the default), the switch forwards the packet. If the addresses do not match,
the switch drops the packet.
The switch drops a DHCP packet when one of these situations occurs:
•
A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or
DHCPLEASEQUERY packet, is received from outside the network or firewall.
•
A packet is received on an untrusted interface, and the source MAC address and the DHCP client hardware
address do not match.
•
The switch receives a DHCPRELEASE or DHCPDECLINE broadcast message that has a MAC address
in the DHCP snooping binding database, but the interface information in the binding database does not
match the interface on which the message was received.
•
A DHCP relay agent forwards a DHCP packet that includes a relay-agent IP address that is not 0.0.0.0,
or the relay agent forwards a packet that includes option-82 information to an untrusted port.
If the switch is an aggregation switch supporting DHCP snooping and is connected to an edge switch that is
inserting DHCP option-82 information, the switch drops packets with option-82 information when packets
are received on an untrusted interface. If DHCP snooping is enabled and packets are received on a trusted
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
1266
Information About DHCP
Содержание Catalyst 2960 Series
Страница 78: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches lxxviii Contents ...
Страница 96: ......
Страница 184: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 102 Additional References ...
Страница 195: ...P A R T II IP Multicast Routing Configuring IGMP Snooping and Multicast VLAN Registration page 115 ...
Страница 196: ......
Страница 250: ......
Страница 292: ......
Страница 488: ......
Страница 589: ...P A R T VI Cisco Flexible NetFlow Configuring NetFlow Lite page 509 ...
Страница 590: ......
Страница 619: ...P A R T VII QoS Configuring QoS page 539 Configuring Auto QoS page 645 ...
Страница 620: ......
Страница 749: ...P A R T VIII Routing Configuring IP Unicast Routing page 669 Configuring IPv6 First Hop Security page 677 ...
Страница 750: ......
Страница 796: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 714 Additional References ...
Страница 856: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 774 Additional References ...
Страница 1400: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1318 Additional References ...
Страница 1546: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1464 Auto Identity ...
Страница 1596: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1514 Additional References ...
Страница 1604: ......
Страница 1740: ......
Страница 1764: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1682 Additional References ...
Страница 1942: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1860 cli_write ...
Страница 1950: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1868 context_save ...
Страница 2058: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1976 event_register_wdsysmon ...
Страница 2076: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 1994 smtp_subst ...
Страница 2090: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 2008 sys_reqinfo_syslog_history ...
Страница 2104: ...Consolidated Platform Configuration Guide Cisco IOS Release 15 2 4 E Catalyst 2960 X Switches 2022 unregister_counter ...
Страница 2105: ...P A R T XII Configuring Cisco IOS IP SLAs Configuring Cisco IP SLAs page 2025 ...
Страница 2106: ......
Страница 2118: ......
Страница 2164: ......