DHCP and Dynamic ARP Inspection Technology

Source: Internet
Author: User

DHCP (Dynamic Host Configuration Protocol) is a TCP/IP standard that simplifies the management of host IP address configuration. It gives a DHCP server an effective way to allocate IP addresses to clients dynamically and to hand out the other configuration parameters the DHCP clients on the network need.


In a TCP/IP network every computer needs a unique IP address to reach resources on the network. Hosts communicate with each other through their IP addresses; the IP address together with the subnet mask identifies the host and the subnet it is connected to. When a LAN has only a few computers, IP addresses can be set by hand. When there are many computers spread over several subnets, however, configuring each one manually is a heavy and error-prone workload for the administrator. Typical problems seen in practice are IP address conflicts, wrong default gateway or DNS server settings that leave the host unable to reach the network, and the constant re-addressing caused by machines frequently changing location.


DHCP solves these problems well. Once a DHCP server is installed and configured on the network, DHCP-enabled clients automatically obtain an IP address and the related parameters they need each time they start up and join the network. This reduces the configuration management effort and gives every host a consistent, reliable configuration.


A server running the DHCP service can supply every client on the network with an IP address, subnet mask, default gateway and DNS server address. This avoids the mistakes that come with typing addresses and masks by hand, and the address conflicts that arise when the same IP address is given to more than one host. It lightens the load on the address administrator and greatly reduces the time spent configuring hosts on the network.


With the wide deployment of DHCP, however, some problems have appeared. First, the DHCP protocol allows several DHCP servers to exist in one subnet, and a client simply accepts the first offer it receives. The administrator therefore cannot guarantee that clients obtain their addresses from the legitimate DHCP server rather than from an unauthorised server that a user has set up, whether by accident or deliberately in order to hand clients a malicious default gateway or DNS server. Second, a host in the subnet may be configured with a static IP address, mask and gateway and use the network normally, while the DHCP server, which knows nothing about that host, still allocates the same address to another client; the resulting address conflict disrupts normal address allocation.


This article describes a solution to both problems: the DHCP Snooping and Dynamic ARP Inspection features provided by Cisco switches, which together prevent them effectively.


The two technologies are introduced briefly below, followed by an application example.


II. DHCP Snooping Technology

DHCP Snooping is a security feature that filters untrusted DHCP messages and builds a DHCP Snooping binding database from the messages it lets through. It acts like a firewall between untrusted hosts and the DHCP servers. It distinguishes untrusted interfaces, which connect to end hosts, from trusted interfaces, which connect to DHCP servers or to other switches.


The DHCP Snooping binding database records, for each lease learned on an untrusted port, the client MAC address, the IP address, the lease time, the binding type, the VLAN ID and the interface; it holds no entries for hosts reached through trusted ports. In a VLAN where DHCP Snooping is enabled, when the switch receives a DHCP packet on an untrusted port it compares the Ethernet source MAC address with the client hardware address (chaddr) carried in the DHCP header. If they match, the packet is forwarded; otherwise it is dropped.


DHCP packets are also dropped in the following cases:

- A DHCP server message (DHCPOFFER, DHCPACK, DHCPNAK or DHCPLEASEQUERY) is received on an untrusted port, that is, from outside the network or the firewall. This is the check that blocks unauthorised DHCP servers.
- The source MAC address of a packet received on an untrusted port does not match the DHCP client hardware address in the packet.
- The switch receives a broadcast DHCPRELEASE or DHCPDECLINE whose MAC address is present in the DHCP Snooping binding database, but the interface it arrived on does not match the interface recorded in the database. This stops one host from releasing or declining another host's lease.
- A packet arriving on an untrusted port has been forwarded by a DHCP relay agent, that is, it carries a non-zero relay agent IP address (giaddr) or relay agent information (option 82).

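The following Python model, written for this article rather than taken from Cisco's implementation, applies the drop rules above to a constructed sequence of DHCP packets and shows how the binding database is populated from a DHCPACK and consulted for a DHCPRELEASE. The interface names (Gi0/1 trusted, Gi0/5 and Gi0/6 untrusted), VLAN 10, the MAC addresses and the packets in demo() are all constructed for the example.

```python
# Added example for this article: a model of the DHCP snooping filter and
# binding database described above. It is not Cisco's implementation; the
# interface names, VLAN 10, MAC addresses and the packets in demo() are
# constructed for illustration.
from dataclasses import dataclass

# DHCP message types carried in option 53 (RFC 2132); DHCPLEASEQUERY is RFC 4388
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, LEASEQUERY = 1, 2, 3, 4, 5, 6, 7, 10
SERVER_MESSAGES = {OFFER, ACK, NAK, LEASEQUERY}   # only ever legitimate from a trusted port


@dataclass
class DhcpPacket:
    port: str                 # ingress interface
    vlan: int
    src_mac: str              # Ethernet source address
    msg_type: int             # option 53 value
    chaddr: str               # client hardware address in the DHCP header
    yiaddr: str = "0.0.0.0"   # address assigned by the server (set in DHCPACK)
    giaddr: str = "0.0.0.0"   # relay agent address, 0.0.0.0 when not relayed
    option82: bool = False    # relay agent information option present
    lease: int = 0            # option 51 lease time in seconds (set in DHCPACK)


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    port: str                 # the untrusted port the client lives on
    kind: str = "dhcp-snooping"


class DhcpSnooping:
    def __init__(self, trusted_ports, snooping_vlans):
        self.trusted = set(trusted_ports)
        self.vlans = set(snooping_vlans)
        self.bindings = {}    # (vlan, client MAC) -> Binding
        self.pending = {}     # (vlan, client MAC) -> untrusted port of an in-flight DISCOVER/REQUEST

    def inspect(self, pkt):
        """Return (forward, reason) for one DHCP packet and maintain the binding database."""
        if pkt.vlan not in self.vlans:
            return True, "vlan not snooped"
        key = (pkt.vlan, pkt.chaddr.lower())
        if pkt.port in self.trusted:
            # Server traffic is accepted unchecked; an ACK for a client we saw on an
            # untrusted port becomes a binding entry for that client's port.
            if pkt.msg_type == ACK and pkt.yiaddr != "0.0.0.0":
                client_port = self.pending.pop(key, None)
                if client_port is not None:
                    self.bindings[key] = Binding(pkt.chaddr.lower(), pkt.yiaddr, pkt.lease, pkt.vlan, client_port)
            return True, "trusted port"
        # Untrusted port: apply the drop rules
        if pkt.msg_type in SERVER_MESSAGES:
            return False, "server message on untrusted port"          # unauthorised DHCP server
        if pkt.src_mac.lower() != pkt.chaddr.lower():
            return False, "source MAC does not match chaddr"          # MAC address verification
        if pkt.giaddr != "0.0.0.0" or pkt.option82:
            return False, "relay agent packet on untrusted port"
        if pkt.msg_type in (RELEASE, DECLINE):
            b = self.bindings.get(key)
            if b is not None and b.port != pkt.port:
                return False, "release/decline from wrong interface"  # cannot release another host's lease
            self.bindings.pop(key, None)
            return True, "client message ok"
        if pkt.msg_type in (DISCOVER, REQUEST):
            self.pending[key] = pkt.port
        return True, "client message ok"


def demo():
    """Constructed scenario: DHCP server behind Gi0/1, client on Gi0/5, attacker on Gi0/6."""
    sw = DhcpSnooping(trusted_ports=["Gi0/1"], snooping_vlans=[10])
    client, attacker, server = "aa:bb:cc:00:00:05", "aa:bb:cc:00:00:06", "aa:bb:cc:00:00:01"
    events = [
        # an unauthorised server on an untrusted port offers an address
        DhcpPacket("Gi0/6", 10, attacker, OFFER, chaddr=client, yiaddr="10.0.0.20"),
        DhcpPacket("Gi0/5", 10, client, DISCOVER, chaddr=client),
        DhcpPacket("Gi0/5", 10, client, REQUEST, chaddr=client),
        DhcpPacket("Gi0/1", 10, server, ACK, chaddr=client, yiaddr="10.0.0.20", lease=3600),
        # attacker forges a request carrying the victim's chaddr
        DhcpPacket("Gi0/6", 10, attacker, REQUEST, chaddr=client),
        # attacker also spoofs the victim's source MAC and tries to release its lease
        DhcpPacket("Gi0/6", 10, client, RELEASE, chaddr=client),
        # the real client releases its own lease from its own port
        DhcpPacket("Gi0/5", 10, client, RELEASE, chaddr=client),
    ]
    return [sw.inspect(p) for p in events], sw


if __name__ == "__main__":
    for (forward, reason) in demo()[0]:
        print("forward" if forward else "drop   ", reason)
```

The order of the checks is a modelling choice; a real switch also ages bindings out when the lease expires and checks each packet in hardware. The point the model makes is that the binding's interface field, not just its MAC address, is what defeats the forged DHCPRELEASE.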

III. Dynamic ARP Inspection Technology

Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets in the network. It intercepts ARP packets, logs the invalid ones and discards those whose IP-to-MAC address binding is not legitimate, which is exactly what ARP spoofing (ARP cache poisoning) relies on.


DAI ensures that only valid ARP requests and replies are relayed. The switch intercepts every ARP request and reply received on an untrusted port, verifies that the IP-to-MAC binding in the packet is valid before it updates its own ARP cache or forwards the packet to its destination, and discards any ARP packet that fails the check.


As described above, DHCP Snooping builds a database of valid IP-to-MAC address bindings, and DAI checks the legitimacy of each intercepted ARP packet against that database. An ARP packet arriving on an untrusted interface is forwarded only if its binding is valid; a packet arriving on a trusted port passes through without inspection. Two practical consequences follow: DHCP Snooping must be enabled and must have learned the bindings before DAI can do useful work, and hosts with statically configured addresses, which never appear in the binding database, must be covered by ARP ACLs or static binding entries, or their ARP traffic will be dropped.
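The following Python model, written for this article and not taken from Cisco's code, shows DAI validating ARP packets on untrusted ports against a binding table of the kind DHCP Snooping builds. The binding table, the ARP ACL entry for a statically addressed printer, the interface names and the packets in demo() are constructed; the optional src-mac, dst-mac and ip consistency checks and the per-port rate limit (15 packets per second is Cisco's default for untrusted ports) are modelled after the corresponding DAI options.

```python
# Added example for this article: a model of Dynamic ARP Inspection checking
# ARP packets against a DHCP snooping binding table. Not Cisco's implementation;
# the bindings, ARP ACL, interface names and packets below are constructed.
from dataclasses import dataclass
import collections
import ipaddress


@dataclass
class ArpPacket:
    port: str
    vlan: int
    eth_src: str      # Ethernet header source
    eth_dst: str      # Ethernet header destination
    opcode: int       # 1 = request, 2 = reply
    sender_mac: str   # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str


def _bad_ip(ip):
    """Addresses that never legitimately appear as an ARP sender or target."""
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.ip_address(ip).is_multicast


class ArpInspection:
    def __init__(self, trusted_ports, bindings, arp_acl=None,
                 validate=("src-mac", "dst-mac", "ip"), rate_limit=15):
        self.trusted = set(trusted_ports)
        # (vlan, MAC) -> IP, as DHCP snooping would have learned them
        self.bindings = {(v, m.lower()): ip for (v, m), ip in bindings.items()}
        # IP -> MAC for statically addressed hosts (ARP ACL); takes precedence over bindings
        self.arp_acl = {ip: m.lower() for ip, m in (arp_acl or {}).items()}
        self.validate = set(validate)
        self.rate_limit = rate_limit                      # packets per second per untrusted port
        self.counters = collections.defaultdict(int)      # (port, second) -> packets seen
        self.errdisabled = set()

    def inspect(self, pkt, now=0):
        """Return (forward, reason) for one ARP packet received at time `now` (seconds)."""
        if pkt.port in self.errdisabled:
            return False, "port err-disabled"
        if pkt.port in self.trusted:
            return True, "trusted port"                   # uplinks and servers are not inspected
        # Rate limiting: an ARP flood from one port shuts that port down
        bucket = (pkt.port, int(now))
        self.counters[bucket] += 1
        if self.counters[bucket] > self.rate_limit:
            self.errdisabled.add(pkt.port)
            return False, "rate limit exceeded, port err-disabled"
        # Optional consistency checks between the Ethernet header and the ARP body
        if "src-mac" in self.validate and pkt.eth_src.lower() != pkt.sender_mac.lower():
            return False, "ethernet source differs from ARP sender MAC"
        if "dst-mac" in self.validate and pkt.opcode == 2 and pkt.eth_dst.lower() != pkt.target_mac.lower():
            return False, "ethernet destination differs from ARP target MAC"
        if "ip" in self.validate and (_bad_ip(pkt.sender_ip) or (pkt.opcode == 2 and _bad_ip(pkt.target_ip))):
            return False, "invalid IP address in ARP body"
        # Static hosts: a matching ARP ACL entry permits the packet without a DHCP binding
        if self.arp_acl.get(pkt.sender_ip) == pkt.sender_mac.lower():
            return True, "arp acl permit"
        # Everything else must match the DHCP snooping binding for this VLAN and sender MAC
        if self.bindings.get((pkt.vlan, pkt.sender_mac.lower())) == pkt.sender_ip:
            return True, "binding ok"
        return False, "no DHCP snooping binding for sender IP/MAC"


def demo():
    """Constructed scenario: gateway behind Gi0/1, victim on Gi0/5, attacker on Gi0/6, printer on Gi0/7."""
    gw, victim, attacker, printer = "00:00:5e:00:01:01", "aa:bb:cc:00:00:05", "aa:bb:cc:00:00:06", "aa:bb:cc:00:00:50"
    bcast, zero = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    dai = ArpInspection(
        trusted_ports=["Gi0/1"],
        bindings={(10, victim): "10.0.0.20", (10, attacker): "10.0.0.30"},
        arp_acl={"10.0.0.50": printer},
    )
    events = [
        ArpPacket("Gi0/5", 10, victim, bcast, 1, victim, "10.0.0.20", zero, "10.0.0.1"),
        # attacker answers for the gateway: ARP cache poisoning of the victim
        ArpPacket("Gi0/6", 10, attacker, victim, 2, attacker, "10.0.0.1", victim, "10.0.0.20"),
        # attacker's own legitimately addressed traffic
        ArpPacket("Gi0/6", 10, attacker, bcast, 1, attacker, "10.0.0.30", zero, "10.0.0.1"),
        # gratuitous ARP from the attacker claiming the victim's address
        ArpPacket("Gi0/6", 10, attacker, bcast, 1, attacker, "10.0.0.20", zero, "10.0.0.20"),
        # reply whose Ethernet source and ARP sender MAC disagree
        ArpPacket("Gi0/6", 10, attacker, victim, 2, victim, "10.0.0.20", victim, "10.0.0.20"),
        # statically addressed printer, no DHCP binding but permitted by the ARP ACL
        ArpPacket("Gi0/7", 10, printer, bcast, 1, printer, "10.0.0.50", zero, "10.0.0.1"),
        # replies from the uplink are not inspected
        ArpPacket("Gi0/1", 10, gw, victim, 2, gw, "10.0.0.1", victim, "10.0.0.20"),
    ]
    return [dai.inspect(p) for p in events], dai


if __name__ == "__main__":
    for (forward, reason) in demo()[0]:
        print("forward" if forward else "drop   ", reason)
```

Remove the printer's ARP ACL entry and its ARP request is dropped with "no DHCP snooping binding", which is the failure mode to expect when DAI is switched on in a VLAN that still has statically addressed hosts.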
