User's Manual
Table Of Contents
- Chapter 1 INTRODUCTION
- Chapter 2 INSTALLATION
- Chapter 3 Switch Management
- Chapter 4 Basic Switch Configuration
- Chapter 5 File System Operations
- Chapter 6 Cluster Configuration
- Chapter 7 Port Configuration
- Chapter 8 Port Isolation Function Configuration
- Chapter 9 Port Loopback Detection Function Configuration
- Chapter 10 ULDP Function Configuration
- Chapter 11 LLDP Function Operation Configuration
- Chapter 12 Port Channel Configuration
- Chapter 13 Jumbo Configuration
- Chapter 14 EFM OAM Configuration
- Chapter 15 VLAN Configuration
- Chapter 16 MAC Table Configuration
- Chapter 17 MSTP Configuration
- Chapter 18 QoS Configuration
- Chapter 19 Flow-based Redirection
- Chapter 20 Egress QoS Configuration
- Chapter 21 Flexible Q-in-Q Configuration
- Chapter 22 Layer 3 Forward Configuration
- Chapter 23 ARP Scanning Prevention Function Configuration
- Chapter 24 Prevent ARP, ND Spoofing Configuration
- Chapter 25 ARP GUARD Configuration
- Chapter 26 ARP Local Proxy Configuration
- Chapter 27 Gratuitous ARP Configuration
- Chapter 28 Keepalive Gateway Configuration
- Chapter 29 DHCP Configuration
- Chapter 30 DHCPv6 Configuration
- Chapter 31 DHCP option 82 Configuration
- Chapter 32 DHCPv6 option37, 38
- Chapter 33 DHCP Snooping Configuration
- Chapter 34 Routing Protocol Overview
- Chapter 35 Static Route
- Chapter 36 RIP
- Chapter 37 RIPng
- Chapter 38 OSPF
- Chapter 39 OSPFv3
- Chapter 40 BGP
- 40.1 Introduction to BGP
- 40.2 BGP Configuration Task List
- 40.3 Configuration Examples of BGP
- 40.3.1 Examples 1: configure BGP neighbor
- 40.3.2 Examples 2: configure BGP aggregation
- 40.3.3 Examples 3: configure BGP community attributes
- 40.3.4 Examples 4: configure BGP confederation
- 40.3.5 Examples 5: configure BGP route reflector
- 40.3.6 Examples 6: configure MED of BGP
- 40.3.7 Examples 7: example of BGP VPN
- 40.4 BGP Troubleshooting
- Chapter 41 MBGP4+
- Chapter 42 Black Hole Routing Manual
- Chapter 43 GRE Tunnel Configuration
- Chapter 44 ECMP Configuration
- Chapter 45 BFD
- Chapter 46 BGP GR
- Chapter 47 OSPF GR
- Chapter 48 IPv4 Multicast Protocol
- 48.1 IPv4 Multicast Protocol Overview
- 48.2 PIM-DM
- 48.3 PIM-SM
- 48.4 MSDP Configuration
- 48.4.1 Introduction to MSDP
- 48.4.2 Brief Introduction to MSDP Configuration Tasks
- 48.4.3 Configuration of MSDP Basic Function
- 48.4.4 Configuration of MSDP Entities
- 48.4.5 Configuration of Delivery of MSDP Packet
- 48.4.6 Configuration of Parameters of SA-cache
- 48.4.7 MSDP Configuration Examples
- 48.4.8 MSDP Troubleshooting
- 48.5 ANYCAST RP Configuration
- 48.6 PIM-SSM
- 48.7 DVMRP
- 48.8 DCSCM
- 48.9 IGMP
- 48.10 IGMP Snooping
- 48.11 IGMP Proxy Configuration
- Chapter 49 IPv6 Multicast Protocol
- Chapter 50 Multicast VLAN
- Chapter 51 ACL Configuration
- Chapter 52 802.1x Configuration
- 52.1 Introduction to 802.1x
- 52.2 802.1x Configuration Task List
- 52.3 802.1x Application Example
- 52.4 802.1x Troubleshooting
- Chapter 53 The Number Limitation Function of Port, MAC in VLAN and IP Configuration
- 53.1 Introduction to the Number Limitation Function of Port, MAC in VLAN and IP
- 53.2 The Number Limitation Function of Port, MAC in VLAN and IP Configuration Task Sequence
- 53.3 The Number Limitation Function of Port, MAC in VLAN and IP Typical Examples
- 53.4 The Number Limitation Function of Port, MAC in VLAN and IP Troubleshooting Help
- Chapter 54 Operational Configuration of AM Function
- Chapter 55 TACACS+ Configuration
- Chapter 56 RADIUS Configuration
- Chapter 57 SSL Configuration
- Chapter 58 IPv6 Security RA Configuration
- Chapter 59 VLAN-ACL Configuration
- Chapter 60 MAB Configuration
- Chapter 61 PPPoE Intermediate Agent Configuration
- Chapter 62 SAVI Configuration
- Chapter 63 Web Portal Configuration
- Chapter 64 VRRP Configuration
- Chapter 65 IPv6 VRRPv3 Configuration
- Chapter 66 MRPP Configuration
- Chapter 67 ULPP Configuration
- Chapter 68 ULSM Configuration
- Chapter 69 Mirror Configuration
- Chapter 70 RSPAN Configuration
- Chapter 71 sFlow Configuration
- Chapter 72 SNTP Configuration
- Chapter 73 NTP Function Configuration
- Chapter 74 DNSv4/v6 Configuration
- Chapter 75 Summer Time Configuration
- Chapter 76 Monitor and Debug
- Chapter 77 Reload Switch after Specified Time
- Chapter 78 Debugging and Diagnosis for Packets Received and Sent by CPU
- Chapter 79 VSF
- Chapter 80 PoE Configuration
- Chapter 81 SWITCH OPERATION
- Chapter 82 TROUBLESHOOTING
- Chapter 83 APPENDIX A
- Chapter 84 GLOSSARY
Chapter 33 DHCP Snooping Configuration
33.1 Introduction to DHCP Snooping
DHCP Snooping means that the switch monitors the process by which a DHCP client obtains an IP address via
the DHCP protocol. It prevents DHCP attacks and illegal DHCP servers by designating trust ports and untrust
ports. DHCP messages from trust ports are forwarded without being verified. In typical settings, trust ports
connect to a DHCP server or DHCP relay proxy, and untrust ports connect to DHCP clients. The switch forwards
DHCP request messages from untrust ports, but not DHCP reply messages. If a DHCP reply message is received
from an untrust port, the switch raises an alarm and also performs the configured action on the port, such
as “shutdown” or distributing a “blackhole”. If DHCP Snooping binding is enabled, the switch saves the
binding information (MAC address, IP address, IP lease, VLAN number and port number) of each DHCP client on
untrust ports in the DHCP snooping binding table. With this information, DHCP Snooping can work together
with modules such as dot1x and ARP, or implement user access control independently.
Defense against Fake DHCP Server: once the switch intercepts DHCP server reply packets (including
DHCPOFFER, DHCPACK, and DHCPNAK), it raises an alarm and responds according to the situation (shuts down
the port or sends a blackhole).
Defense against DHCP overload attacks: to keep excessive DHCP messages from overwhelming the CPU, users
should limit the rate at which DHCP packets are received on trusted and non-trusted ports.
Record the binding data of DHCP: DHCP Snooping records the binding data allocated by the DHCP server
while forwarding DHCP messages; it can also upload the binding data to a specified server for backup.
The binding data is mainly used to configure the dynamic users of dot1x user-based ports. Please
refer to the chapter called “dot1x configuration” for more about the usage of the dot1x user-based mode.
Add binding ARP: after capturing binding data, DHCP Snooping can add static ARP bindings according to
that data, thus preventing ARP spoofing.
Add trusted users: after capturing binding data, DHCP Snooping can add trusted user list entries
according to the parameters in the binding data, so these users can access all resources without dot1x
authentication.
Automatic Recovery: some time after the switch shuts down the port or sends a blackhole, it should
automatically restore communication for the port or source MAC and send information to the Log Server
via syslog.
LOG Function: when the switch discovers abnormal received packets or automatically recovers, it should
send syslog information to the Log Server.
The Encryption of Private Messages: communication between the switch and the inner network
security management system TrustView uses private messages, and users can encrypt the version 2
messages.
Add authentication option82 Function: this is used with the dot1x dhcpoption82 authentication mode. A
different option 82 is added to DHCP messages according to the user’s authentication status.
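
The trust/untrust port handling and binding table from the introduction, modeled in a few lines of Python. This is an added example, not code from the manual or the switch firmware. The port names, MAC addresses and IP addresses are constructed, and keying the blackhole on the offending source MAC is an assumption drawn from the Automatic Recovery item.

```python
from dataclasses import dataclass, field

# DHCP message types carried in option 53 (RFC 2132)
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK = 1, 2, 3, 4, 5, 6
SERVER_REPLIES = {OFFER, ACK, NAK}

@dataclass
class Snooper:
    trusted: set                                   # trust ports (toward server/relay)
    action: str = "shutdown"                       # or "blackhole"
    pending: dict = field(default_factory=dict)    # client MAC -> (vlan, port)
    bindings: dict = field(default_factory=dict)   # client MAC -> binding record
    alarms: list = field(default_factory=list)
    shut_ports: set = field(default_factory=set)
    blackholed: set = field(default_factory=set)   # assumption: keyed on source MAC

    def handle(self, port, vlan, src_mac, msg_type, client_mac, ip=None, lease=0):
        if port in self.shut_ports or src_mac in self.blackholed:
            return "drop"
        if port in self.trusted:
            # Trust port: forwarded unverified; an ACK completes a client binding.
            if msg_type == ACK and client_mac in self.pending:
                c_vlan, c_port = self.pending.pop(client_mac)
                self.bindings[client_mac] = {"mac": client_mac, "ip": ip,
                                             "lease": lease, "vlan": c_vlan, "port": c_port}
            return "forward"
        if msg_type in SERVER_REPLIES:
            # Server reply on an untrust port: alarm, then the configured action.
            self.alarms.append((port, src_mac, msg_type))
            if self.action == "shutdown":
                self.shut_ports.add(port)
            else:
                self.blackholed.add(src_mac)
            return "drop"
        if msg_type in (DISCOVER, REQUEST):
            self.pending[client_mac] = (vlan, port)  # remember where the client lives
        return "forward"

def demo():
    # Constructed sample traffic: one client, one legitimate server, one rogue server.
    sw = Snooper(trusted={"1/0/1"}, action="blackhole")
    client, rogue, server = "00-11-22-33-44-55", "00-aa-bb-cc-dd-ee", "00-00-5e-00-53-01"
    results = [
        sw.handle("1/0/5", 10, client, REQUEST, client),
        sw.handle("1/0/7", 10, rogue, OFFER, client, ip="192.0.2.66"),
        sw.handle("1/0/1", 10, server, ACK, client, ip="192.0.2.20", lease=3600),
        sw.handle("1/0/7", 10, rogue, DISCOVER, rogue),
    ]
    return results, sw
```
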