SGS-6341-Series User Manual
Table Of Contents
- Chapter 1 INTRODUCTION
- Chapter 2 INSTALLATION
- Chapter 3 Switch Management
- Chapter 4 Basic Switch Configuration
- Chapter 5 File System Operations
- Chapter 6 Cluster Configuration
- Chapter 7 Port Configuration
- Chapter 8 Port Isolation Function Configuration
- Chapter 9 Port Loopback Detection Function Configuration
- Chapter 10 ULDP Function Configuration
- Chapter 11 LLDP Function Operation Configuration
- Chapter 12 Port Channel Configuration
- Chapter 13 MTU Configuration
- Chapter 14 EFM OAM Configuration
- Chapter 15 PORT SECURITY
- Chapter 16 DDM Configuration
- Chapter 17 LLDP-MED
- Chapter 18 bpdu-tunnel Configuration
- Chapter 19 EEE Energy-saving Configuration
- Chapter 20 VLAN Configuration
- Chapter 21 MAC Table Configuration
- Chapter 22 MSTP Configuration
- Chapter 23 QoS Configuration
- Chapter 24 Flow-based Redirection
- Chapter 25 Flexible Q-in-Q Configuration
- Chapter 26 Layer 3 Management Configuration
- Chapter 27 ARP Scanning Prevention Function Configuration
- Chapter 28 Prevent ARP Spoofing Configuration
- Chapter 29 ARP GUARD Configuration
- Chapter 30 Gratuitous ARP Configuration
- Chapter 31 DHCP Configuration
- Chapter 32 DHCPv6 Configuration
- Chapter 33 DHCP Option 82 Configuration
- Chapter 34 DHCP Option 60 and option 43
- Chapter 35 DHCPv6 Options 37, 38
- Chapter 36 DHCP Snooping Configuration
- Chapter 37 DHCP Snooping Option 82 Configuration
- Chapter 38 IPv4 Multicast Protocol
- Chapter 39 IPv6 Multicast Protocol
- Chapter 40 Multicast VLAN
- Chapter 41 ACL Configuration
- Chapter 42 802.1x Configuration
- 42.1 Introduction to 802.1x
- 42.2 802.1x Configuration Task List
- 42.3 802.1x Application Example
- 42.4 802.1x Troubleshooting
- Chapter 43 The Number Limitation Function of MAC and IP in Port, VLAN Configuration
- Chapter 44 Operational Configuration of AM Function
- Chapter 45 Security Feature Configuration
- 45.1 Introduction to Security Feature
- 45.2 Security Feature Configuration
- 45.2.1 Prevent IP Spoofing Function Configuration Task Sequence
- 45.2.2 Prevent TCP Unauthorized Label Attack Function Configuration Task Sequence
- 45.2.3 Anti Port Cheat Function Configuration Task Sequence
- 45.2.4 Prevent TCP Fragment Attack Function Configuration Task Sequence
- 45.2.5 Prevent ICMP Fragment Attack Function Configuration Task Sequence
- 45.3 Security Feature Example
- Chapter 46 TACACS+ Configuration
- Chapter 47 RADIUS Configuration
- Chapter 48 SSL Configuration
- Chapter 49 IPv6 Security RA Configuration
- Chapter 50 MAB Configuration
- Chapter 51 PPPoE Intermediate Agent Configuration
- Chapter 52 Web Portal Configuration
- Chapter 53 VLAN-ACL Configuration
- Chapter 54 SAVI Configuration
- Chapter 55 MRPP Configuration
- Chapter 56 ULPP Configuration
- Chapter 57 ULSM Configuration
- Chapter 58 Mirror Configuration
- Chapter 59 sFlow Configuration
- Chapter 60 RSPAN Configuration
- Chapter 61 ERSPAN
- Chapter 62 SNTP Configuration
- Chapter 63 NTP Function Configuration
- Chapter 64 Summer Time Configuration
- Chapter 65 DNSv4/v6 Configuration
- Chapter 66 Monitor and Debug
- Chapter 67 Reload Switch after Specified Time
- Chapter 68 Debugging and Diagnosis for Packets Received and Sent by CPU
- Chapter 69 Dying Gasp Configuration
- Chapter 70 PoE Configuration
Chapter 36 DHCP Snooping
Configuration
36.1 Introduction to DHCP Snooping
DHCP Snooping means that the switch monitors the IP-getting process of DHCP CLIENT via
DHCP protocol. It prevents DHCP attacks and illegal DHCP SERVER by setting trusted ports
and untrusted ports. And the DHCP messages from trusted ports can be forwarded without
being verified. In typical settings, trusted ports are used to connect DHCP SERVER or DHCP
RELAY Proxy, and untrusted ports are used to connect DHCP CLINET. The switch will forward
the DCHP request messages from untrusted ports, but not DHCP reply ones. If any DHCP
reply messages is received from a untrusted port, besides giving an alarm, the switch will also
implement designated actions on the port according to settings, such as “shutdown”, or
distributing a “blackhole”. If DHCP Snooping binding is enabled, the switch will save binding
information (including its MAC address, IP address, IP lease, VLAN number and port number)
of each DHCP CLINET on untrusted ports in DHCP snooping binding table With such
information, DHCP Snooping can combine modules like dot1x and ARP, or implement
user-access-control independently.
Defense against Fake DHCP Server: once the switch intercepts the DHCP Server reply
packets(including DHCPOFFER, DHCPACK, and DHCPNAK), it will alarm and respond
according to the situation(shutdown the port or send Black hole)。
Defense against DHCP over load attacks: To avoid too many DHCP messages attacking
CPU, users should limit the DHCP speed of receiving packets on trusted and non-trusted
ports.
Record the binding data of DHCP: DHCP SNOOPING will record the binding data allocated
by DHCP SERVER while forwarding DHCP messages, it can also upload the binding data to
the specified server to backup it. The binding data is mainly used to configure the dynamic
users of dot1x user based ports. Please refer to the chapter called“dot1x configuration” to find
more about the usage of dot1x use-based mode.
Add binding ARP: DHCP SNOOPING can add static binding ARP according to the binding
data after capturing binding data, thus to avoid ARP cheating.
Add trusted users: DHCP SNOOPING can add trusted user list entries according to the
parameters in binding data after capturing binding data; thus these users can access all
resources without DOT1X authentication.
Automatic Recovery: A while after the switch shut down the port or send blockhole, it should
automatically recover the communication of the port or source MAC and send information to
Log Server via syslog.
36-12
User’s Manual of SGS-6341 series