CONFIGURING DHCP SNOOPING
The switch receives a packet (such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet) from a DHCP server outside the network or firewall.
DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities:
•Validates DHCP messages received from untrusted sources and filters out invalid messages.
Validates DHCP messages received from untrusted sources and filters out invalid messages.
•Rate-limits DHCP traffic from trusted and untrusted sources.
Rate-limits DHCP traffic from trusted and untrusted sources.
•Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
•Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.
Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.
Other security features, such as dynamic ARP inspection (DAI), also use information stored in the DHCP snooping binding database.
DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs.
The DHCP snooping feature is implemented in software on the route processor (RP). Therefore, all DHCP messages for enabled VLANs are intercepted in the PFC and directed to the RP for processing.
PACKET VALIDATION
The switch receives a packet (such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet) from a DHCP server outside the network or firewall.
•The switch receives a packet on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match. This check is performed only if the DHCP snooping MAC address verification option is turned on.
The switch receives a packet on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match. This check is performed only if the DHCP snooping MAC address verification option is turned on.
•The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received.
The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received.
•The switch receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0.
The switch receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0.
DHCP SNOOPING OPTION-82 DATA INSERTION
When you enable the DHCP snooping information option-82 on the switch, this sequence of events occurs:
•The host (DHCP client) generates a DHCP request and broadcasts it on the network.
The host (DHCP client) generates a DHCP request and broadcasts it on the network.
•When the switch receives the DHCP request, it adds the option-82 information in the packet. The option-82 information contains the switch MAC address (the remote ID suboption) and the port identifier, vlan-mod-port, from which the packet is received (the circuit ID suboption).
When the switch receives the DHCP request, it adds the option-82 information in the packet. The option-82 information contains the switch MAC address (the remote ID suboption) and the port identifier, vlan-mod-port, from which the packet is received (the circuit ID suboption).
•If IEEE 802.1X port-based authentication is enabled, the switch will also add the host's 802.1X authenticated user identity information (the RADIUS attributes suboption) to the packet. See the "Understanding 802.1X Authentication with DHCP Snooping" section.
If IEEE 802.1X port-based authentication is enabled, the switch will also add the host's 802.1X authenticated user identity information (the RADIUS attributes suboption) to the packet. See the "Understanding 802.1X Authentication with DHCP Snooping" section.
•If the IP address of the relay agent is configured, the switch adds the IP address in the DHCP packet.
If the IP address of the relay agent is configured, the switch adds the IP address in the DHCP packet.
•The switch forwards the DHCP request that includes the option-82 field to the DHCP server.
The switch forwards the DHCP request that includes the option-82 field to the DHCP server.
•The DHCP server receives the packet. If the server is option-82 capable, it can use the remote ID, or the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID. The DHCP server then echoes the option-82 field in the DHCP reply.
The DHCP server receives the packet. If the server is option-82 capable, it can use the remote ID, or the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID. The DHCP server then echoes the option-82 field in the DHCP reply.
•The DHCP server unicasts the reply to the switch if the request was relayed to the server by the switch. When the client and server are on the same subnet, the server broadcasts the reply. The switch verifies that it originally inserted the option-82 data by inspecting the remote ID and possibly the circuit ID fields. The switch removes the option-82 field and forwards the packet to the switch port that connects to the DHCP client that sent the DHCP request.
The DHCP server unicasts the reply to the switch if the request was relayed to the server by the switch. When the client and server are on the same subnet, the server broadcasts the reply. The switch verifies that it originally inserted the option-82 data by inspecting the remote ID and possibly the circuit ID fields. The switch removes the option-82 field and forwards the packet to the switch port that connects to the DHCP client that sent the DHCP request.
No comments:
Post a Comment