
DHCP-snooping table, IP static binding table, IP-to-MAC mappings of authenticated 802.1x clients – H3C Technologies H3C S3600 Series Switches User Manual

Page 688: IP filtering, Configuring DHCP snooping


4-5

- After receiving such packets, the switch must send them to the CPU for processing. Too many such requests drive CPU usage high, so that the CPU can no longer work normally.

The switch can filter invalid IP packets using the DHCP-snooping table, the IP static binding table, or the IP-to-MAC mappings of authenticated 802.1x clients.

DHCP-snooping table

After DHCP snooping is enabled on a switch, the switch builds a DHCP-snooping table. Each entry records the IP address a client obtained from the DHCP server, the client's MAC address, the number of the port through which the client is connected to the DHCP-snooping-enabled device, and the VLAN to which that port belongs.

IP static binding table

The DHCP-snooping table records only clients that obtain their IP addresses dynamically through DHCP. If a client is configured with a fixed IP address, its IP and MAC addresses are not recorded in the DHCP-snooping table, so the client cannot pass IP filtering based on that table and cannot reach external networks.

To solve this problem, the switch supports static binding entries, each of which binds an IP address, a MAC address, and the port connecting to the client, so that the client's packets are forwarded correctly.

IP-to-MAC mappings of authenticated 802.1x clients

If most clients are assigned static IP addresses, you would need to configure an IP static binding for each client, which is a heavy and error-prone task.

For security, clients in real networks usually connect through 802.1x authentication. With IP filtering based on authenticated 802.1x clients enabled, the switch records and queries the IP-to-MAC mappings of authenticated 802.1x clients and uses them to defend against IP attacks.

IP filtering

IP filtering can be based on the DHCP-snooping table, the IP static binding table, or the IP-to-MAC mappings of authenticated 802.1x clients, depending on the network's requirements. The switch filters IP packets in one of the following modes:

- Filtering packets based on their source IP addresses. If the source IP address of a packet and the number of the port that received it match an entry or mapping, the switch regards the packet as valid and forwards it; otherwise, the switch drops it.

- Filtering packets based on their source IP and MAC addresses. If the source IP address and source MAC address of a packet and the number of the port that received it match an entry or mapping, the switch regards the packet as valid and forwards it; otherwise, the switch drops it.

- Filtering packets based on their source IP and MAC addresses and on the traffic limit defined in a QoS profile. You can associate IP filtering with the switch's traffic-limit function to combine security filtering with precise rate limiting.
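The lookup described above, modelled in Python as an added example (this is not H3C code, and the switch's real table format and hardware lookup are not shown on this page). It covers both the three entry sources (DHCP-snooping table, static bindings, 802.1x mappings) and the first two filtering modes; the QoS-profile mode is not modelled. All names (`BindingTable`, `Packet`, `filter_packet`), port names, addresses and VLAN numbers are invented for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Source(Enum):
    DHCP_SNOOPING = "dhcp-snooping"  # recorded when snooping sees the DHCP server's reply
    STATIC = "static-binding"        # configured by hand for a client with a fixed address
    DOT1X = "802.1x"                 # recorded for an authenticated 802.1x client


class Mode(Enum):
    IP = "source-ip"          # source IP + ingress port must match an entry
    IP_MAC = "source-ip-mac"  # source IP + source MAC + ingress port must match


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: str
    vlan: int
    source: Source


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    in_port: str


class BindingTable:
    """One lookup table holding entries from all three sources the page lists."""

    def __init__(self) -> None:
        self.entries: Set[Binding] = set()

    def add(self, ip: str, mac: str, port: str, vlan: int, source: Source) -> None:
        self.entries.add(Binding(ip, mac.lower(), port, vlan, source))

    def lookup(self, pkt: Packet, mode: Mode) -> Optional[Binding]:
        """Return the matching entry for pkt under the given mode, or None."""
        for entry in self.entries:
            # Both modes require the source IP and the ingress port to match.
            if entry.ip != pkt.src_ip or entry.port != pkt.in_port:
                continue
            # The IP+MAC mode additionally requires the source MAC to match.
            if mode is Mode.IP_MAC and entry.mac != pkt.src_mac.lower():
                continue
            return entry
        return None


def filter_packet(table: BindingTable, pkt: Packet, mode: Mode) -> str:
    """'forward' when the packet matches an entry under the chosen mode, else 'drop'."""
    return "forward" if table.lookup(pkt, mode) else "drop"


def run_scenarios() -> Dict[str, Tuple[str, str]]:
    """Constructed table and packets; returns {scenario: (ip-mode result, ip+mac-mode result)}."""
    table = BindingTable()
    # Hypothetical entries, one per source (addresses and port names are made up).
    table.add("192.168.1.10", "00:11:22:33:44:55", "Ethernet1/0/2", 10, Source.DHCP_SNOOPING)
    table.add("192.168.1.20", "00:11:22:33:44:66", "Ethernet1/0/3", 10, Source.STATIC)
    table.add("192.168.1.30", "00:11:22:33:44:77", "Ethernet1/0/4", 10, Source.DOT1X)

    packets = {
        "dhcp client, own port": Packet("192.168.1.10", "00:11:22:33:44:55", "Ethernet1/0/2"),
        "static client, own port": Packet("192.168.1.20", "00:11:22:33:44:66", "Ethernet1/0/3"),
        "802.1x client, own port": Packet("192.168.1.30", "00:11:22:33:44:77", "Ethernet1/0/4"),
        # Bound IP and MAC, but arriving on a port that has no entry for that address.
        "bound IP from other port": Packet("192.168.1.10", "00:11:22:33:44:55", "Ethernet1/0/5"),
        # Bound IP on the bound port, but with a different MAC (a second host behind a hub).
        "bound IP, other MAC, same port": Packet("192.168.1.10", "aa:bb:cc:dd:ee:ff", "Ethernet1/0/2"),
        # An address that was never learned or configured.
        "unknown address": Packet("192.168.1.99", "00:11:22:33:44:55", "Ethernet1/0/2"),
    }
    return {
        name: (filter_packet(table, pkt, Mode.IP), filter_packet(table, pkt, Mode.IP_MAC))
        for name, pkt in packets.items()
    }


if __name__ == "__main__":
    for name, (ip_mode, ip_mac_mode) in run_scenarios().items():
        print(f"{name:34s} ip-mode={ip_mode:8s} ip+mac-mode={ip_mac_mode}")
```

The "bound IP, other MAC, same port" case is the one worth noting: because the source-IP mode checks only the IP and the ingress port, a second station on the same port can send with a bound IP address and its own MAC and still be forwarded, while the source-IP-and-MAC mode drops it. Where a port can carry more than one station (a hub or unmanaged switch downstream), the IP-and-MAC mode is the one that actually ties traffic to the recorded client.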

Configuring DHCP Snooping


Follow these steps to configure DHCP snooping:
