Raisecom
ISCOM2600G-HI (A) Series Configuration Guide
6 DHCP
Raisecom Proprietary and Confidential
Copyright © Raisecom Technology Co., Ltd.
265
6.3 DHCP Snooping
6.3.1 Introduction
DHCP Snooping is a DHCP security feature with the following functions:
Making the DHCP client obtain its IP address from a legal DHCP server.
If a false (rogue) DHCP server exists on the network, the DHCP client may obtain an incorrect IP address and network configuration parameters, and then cannot communicate normally. As shown in Figure 6-9, to make the DHCP client obtain its IP address from a legal DHCP server, DHCP Snooping lets you configure each interface as either trusted or untrusted: a trusted interface forwards DHCP packets normally, while an untrusted interface discards reply packets coming from a DHCP server.
Figure 6-9 DHCP Snooping
Recording the mapping between DHCP client IP addresses and MAC addresses.
DHCP Snooping builds its entries by monitoring the request and reply packets received on the trusted interface; each entry records the client MAC address, the obtained IP address, the interface to which the DHCP client is connected, and the VLAN of that interface. The recorded information is then used to implement the following:
– ARP detection: judge whether the user sending an ARP packet is legal, and so prevent ARP attacks from illegal users.
– IP Source Guard: filter the packets forwarded by an interface against dynamically obtained DHCP Snooping entries, so that illegal packets cannot pass through the interface.
– VLAN mapping: restore packets sent to users from the mapped VLAN to the original VLAN by looking up the IP address, MAC address, and original VLAN information in the DHCP Snooping entry that corresponds to the mapped VLAN.
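The trusted/untrusted forwarding rule and the binding table described above, modelled in Python as an added example (this is not Raisecom's code or the ISCOM2600G-HI implementation): the interface names, VLAN, MAC/IP addresses and message sequence are constructed for the illustration, and the ARP detection and IP Source Guard checks are reduced to a single lookup against the recorded bindings.

```python
"""Minimal model of DHCP Snooping: trusted/untrusted interfaces, the binding
table built from observed DHCP exchanges, and the ARP detection / IP Source
Guard checks that rely on it.  Added illustration only; interface names,
addresses and traffic below are constructed for the example.
"""
from dataclasses import dataclass, field

# DHCP message types (option 53 values from RFC 2132)
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
SERVER_MESSAGES = {OFFER, ACK}


@dataclass(frozen=True)
class Binding:
    """One DHCP Snooping entry: client MAC, leased IP, access interface, VLAN."""
    mac: str
    ip: str
    interface: str
    vlan: int


@dataclass
class DhcpSnooping:
    trusted: set = field(default_factory=set)     # interfaces facing the legal DHCP server
    bindings: dict = field(default_factory=dict)  # (client_mac, vlan) -> Binding
    pending: dict = field(default_factory=dict)   # (client_mac, vlan) -> access interface of last REQUEST
    dropped: list = field(default_factory=list)   # discarded server replies, for logging/alerting

    def handle_dhcp(self, iface, vlan, msg_type, client_mac, yiaddr=None):
        """Apply the snooping rule to one DHCP packet.
        Returns True if the packet is forwarded, False if it is discarded."""
        if msg_type in SERVER_MESSAGES:
            if iface not in self.trusted:
                # Server reply arriving on an untrusted (access) port: rogue server, drop it
                self.dropped.append((iface, vlan, msg_type, client_mac))
                return False
            key = (client_mac, vlan)
            if msg_type == ACK and key in self.pending:
                # Lease confirmed by the legal server: record the binding for this client
                client_iface = self.pending.pop(key)
                self.bindings[key] = Binding(client_mac, yiaddr, client_iface, vlan)
            return True
        # Client messages are forwarded; remember which access port the client sits on
        if msg_type == REQUEST:
            self.pending[(client_mac, vlan)] = iface
        return True

    def packet_allowed(self, iface, vlan, mac, ip):
        """Shared check for ARP detection and IP Source Guard on untrusted ports:
        the (MAC, IP) pair must match a binding learned on this very interface/VLAN."""
        if iface in self.trusted:
            return True
        b = self.bindings.get((mac, vlan))
        return b is not None and b.ip == ip and b.interface == iface


def demo():
    """Constructed traffic exercising each rule; returns the verdicts."""
    snoop = DhcpSnooping(trusted={"gi1/1"})   # gi1/1: uplink towards the legal DHCP server
    client = "aa:bb:cc:00:00:01"              # constructed client MAC on access port gi1/5
    # 1. Client DISCOVER on untrusted gi1/5 is forwarded.
    r1 = snoop.handle_dhcp("gi1/5", 10, DISCOVER, client)
    # 2. OFFER from a rogue server on untrusted gi1/7 is discarded.
    r2 = snoop.handle_dhcp("gi1/7", 10, OFFER, client, yiaddr="192.0.2.200")
    # 3. OFFER and ACK via the trusted uplink are forwarded; the ACK creates a binding.
    r3 = snoop.handle_dhcp("gi1/1", 10, OFFER, client, yiaddr="192.0.2.10")
    snoop.handle_dhcp("gi1/5", 10, REQUEST, client)
    r4 = snoop.handle_dhcp("gi1/1", 10, ACK, client, yiaddr="192.0.2.10")
    return {
        "discover_forwarded": r1,
        "rogue_offer_dropped": not r2,
        "legal_offer_forwarded": r3,
        "ack_forwarded": r4,
        "binding": snoop.bindings.get((client, 10)),
        # ARP detection: client announcing its own leased address is legal
        "arp_ok": snoop.packet_allowed("gi1/5", 10, client, "192.0.2.10"),
        # ARP detection: same client claiming the gateway address is rejected
        "arp_spoofed_gateway": snoop.packet_allowed("gi1/5", 10, client, "192.0.2.1"),
        # IP Source Guard: the bound pair appearing on a different access port is rejected
        "ip_from_wrong_port": snoop.packet_allowed("gi1/6", 10, client, "192.0.2.10"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The model keeps the two halves of the feature separate, as the text does: `handle_dhcp` enforces the trusted/untrusted rule and fills the binding table only from exchanges completed through a trusted interface, while `packet_allowed` is the consumer of that table that ARP detection and IP Source Guard build on. The `dropped` list is where a switch would raise the log entry that tells an operator a rogue server is answering on an access port.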
The Option field in a DHCP packet records the location of the DHCP client. The administrator can use this Option field to locate DHCP clients and to control client security and accounting.
If the ISCOM2600G-HI series switch is configured with DHCP Snooping and support for the Option function: