beautypg.com

LevelOne GTL-2691 User Manual

Page 398

background image

C

HAPTER

13

| Security Measures

DHCP Snooping

– 398 –

If a DHCP packet from a client passes the filtering criteria above, it

will only be forwarded to trusted ports in the same VLAN.

If a DHCP packet is from server is received on a trusted port, it will

be forwarded to both trusted and untrusted ports in the same VLAN.

If the DHCP snooping is globally disabled, all dynamic bindings are

removed from the binding table.

Additional considerations when the switch itself is a DHCP client

The port(s) through which the switch submits a client request to the

DHCP server must be configured as trusted. Note that the switch

will not add a dynamic entry for itself to the binding table when it
receives an ACK message from a DHCP server. Also, when the

switch sends out DHCP client packets for itself, no filtering takes

place. However, when the switch receives any messages from a

DHCP server, any packets received from untrusted ports are

dropped.

DHCP Snooping Option 82

DHCP provides a relay mechanism for sending information about its

DHCP clients or the relay agent itself to the DHCP server. Also known as

DHCP Option 82, it allows compatible DHCP servers to use the

information when assigning IP addresses, or to set other services or

policies for clients. It is also an effective tool in preventing malicious

network attacks from attached clients on DHCP services, such as IP

Spoofing, Client Identifier Spoofing, MAC Address Spoofing, and

Address Exhaustion.

DHCP Snooping must be enabled for Option 82 information to be

inserted into request packets.

When the DHCP Snooping Information Option 82 is enabled, the

requesting client (or an intermediate relay agent that has used the

information fields to describe itself) can be identified in the DHCP

request packets forwarded by the switch and in reply packets sent back

from the DHCP server. This information may specify the MAC address or

IP address of the requesting device (that is, the switch in this context).
By default, the switch also fills in the Option 82 circuit-id field with

information indicating the local interface over which the switch received

the DHCP client request, including the port and VLAN ID. This allows

DHCP client-server exchange messages to be forwarded between the

server and client without having to flood them to the entire VLAN.

If DHCP Snooping Information Option 82 is enabled on the switch,

information may be inserted into a DHCP request packet received over

any VLAN (depending on DHCP snooping filtering rules). The

information inserted into the relayed packets includes the circuit-id and

remote-id, as well as the gateway Internet address.

When the switch receives DHCP packets from clients that already

include DHCP Option 82 information, the switch can be configured to

set the action policy for these packets. The switch can either drop the

See also other documents in the category LevelOne Routers: