Users Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S6010-ON

311

312

313

314

315

316

317

318

319

320

• Manually reset the remote ID for Option 82.

CONFIGURATION mode

ip dhcp relay information-option remote-id

DHCP Snooping

DHCP snooping protects networks from spoofing. In the context of DHCP snooping, ports are either trusted

or not trusted.

By default, all ports are not trusted. Trusted ports are ports through which attackers cannot connect. Manually

configure ports connected to legitimate servers and relay agents as trusted.

When you enable DHCP snooping, the relay agent builds a binding table — using DHCPACK messages —

containing the client MAC address, IP addresses, IP address lease time, port, VLAN ID, and binding type. Every

time the relay agent receives a DHCPACK on a trusted port, it adds an entry to the table.

The relay agent checks all subsequent DHCP client-originated IP traffic (DHCPRELEASE, DHCPNACK, and

DHCPDECLINE) against the binding table to ensure that the MAC-IP address pair is legitimate and that the

packet arrived on the correct port. Packets that do not pass this check are forwarded to the server for

validation. This checkpoint prevents an attacker from spoofing a client and declining or releasing the real

client’s address. Server-originated packets (DHCPOFFER, DHCPACK, and DHCPNACK) that arrive on a not

trusted port are also dropped. This checkpoint prevents an attacker from acting as an imposter as a DHCP

server to facilitate a man-in-the-middle attack.

Binding table entries are deleted when a lease expires, or the relay agent encounters a DHCPRELEASE,

DHCPNACK, or DHCPDECLINE.

DHCP snooping is supported on Layer 2 and Layer 3 traffic. DHCP snooping on Layer 2 interfaces does

require a relay agent.

Binding table entries are deleted when a lease expires or when the relay agent encounters a DHCPRELEASE.

Line cards maintain a list of snooped VLANs. When the binding table is exhausted, DHCP packets are dropped

on snooped VLANs, while these packets are forwarded across non-snooped VLANs. Because DHCP packets

are dropped, no new IP address assignments are made. However, DHCPRELEASE and DHCPDECLINE packets

are allowed so that the DHCP snooping table can decrease in size. After the table usage falls below the

maximum limit of 4000 entries, new IP address assignments are allowed.

NOTE: DHCP server packets are dropped on all not trusted interfaces of a system configured for DHCP

snooping. To prevent these packets from being dropped, configure ip dhcp snooping trust on the

server-connected port.

Enabling DHCP Snooping

To enable DHCP snooping, use the following commands.

1 Enable DHCP snooping globally.

CONFIGURATION mode

ip dhcp snooping

2 Specify ports connected to DHCP servers as trusted.

Dynamic Host Configuration Protocol (DHCP) 320