For anyone who works in networking, DHCP snooping is certainly a familiar topic. This article explains that knowledge point, focusing mainly on the network topology.
I. Network Topology
II. Description
1. Topology description: the aggregation layer switch is a Cisco 4506, the core switch is a Cisco 6506, and the access layer switch is a Cisco 2918. The 4506 has ip dhcp snooping, DAI, and IPSG enabled; the ports to and from the 4506 are configured as trunks; VLAN routing and the DHCP server are configured on the 6506; and port-based VLANs are configured on the 2918.
2. DHCP snooping acts like a firewall that sits between untrusted ports (those connecting to hosts or other network devices) and trusted ports (those connecting to the DHCP server or other network devices). Its DHCP snooping binding database stores the MAC address, IP address, lease time, binding type, VLAN number, interface, and other information, but does not store information about devices connected to trusted ports. After ip dhcp snooping is enabled on the switch, the interfaces work in Layer 2 bridging state and intercept and protect DHCP messages in Layer 2 VLANs. After ip dhcp snooping is enabled on a VLAN, the switch works in Layer 2 bridging state within that VLAN.
3. After ip dhcp snooping is enabled in global configuration mode on a Cisco switch, all ports are in DHCP snooping untrusted mode by default; DHCP OFFER, ACK, NAK, and LEASEQUERY packets received on an untrusted port are discarded. A trusted port receives and forwards these packets normally without inspection.
4. The DHCP snooping binding database is lost when the switch reloads or restarts. Therefore the table should be saved to the switch's flash or to a TFTP server, so that after a reload or restart the switch can read it back and rebuild the binding database. For example, run the following command: renew ip dhcp snooping database tftp://192.169.200.1/snooping.dat
5. After the Cisco switch enables ip dhcp snooping in global configuration mode, all dhcp relay information option functions are disabled.
6. According to Cisco's English documentation, when an aggregation layer switch with DHCP snooping enabled is connected to an edge switch that inserts DHCP option-82 information, and the downstream port is untrusted, the aggregation switch discards DHCP packets with option-82 information received on that port. However, when the ip dhcp snooping information option allow-untrusted function is enabled on the aggregation switch, DHCP packets with option-82 information can be received normally on that port even though it remains untrusted.
Based on the above analysis, my understanding is as follows (I am not sure whether it is correct): after ip dhcp snooping is enabled in global configuration mode on a Cisco switch, all ports are in DHCP snooping untrusted mode by default, but the DHCP snooping information option function is enabled by default, so DHCP packets carrying option 82 are discarded when they arrive at an untrusted port. Therefore the ip dhcp snooping information option allow-untrusted command (off by default) must be configured on the 4506 to allow it to receive DHCP request packets with option 82 from DHCP snooping untrusted ports. We recommend disabling the DHCP information option on the edge switch, that is, no ip dhcp snooping information option in global configuration mode.
7. For clients that are allowed to configure parameters such as IP addresses manually, you can add binding entries to the DHCP snooping binding database by hand. For example, ip dhcp snooping binding 00d0.2bd0.d80a vlan 100 222.25.77.100 interface gig1/1 expiry 600 manually adds a binding entry for MAC address 00d0.2bd0.d80a with IP address 222.25.77.100, access port Gig1/1, and a lease period of 600 seconds.
8. IPSG (IP Source Guard) builds an IP source binding table from the DHCP snooping function and applies only to Layer 2 ports. When IPSG is enabled, all incoming IP packets are examined and only those matching entries in the binding table are forwarded. By default IPSG filters IP packets on the source IP address only; to also use the source MAC address as a filter condition, DHCP snooping information option 82 must be enabled.
9. DAI, that is, Dynamic ARP Inspection, is also based on the DHCP snooping binding database and likewise distinguishes trusted and untrusted ports. DAI checks only ARP packets on untrusted ports: it intercepts, logs, and discards ARP packets whose IP-to-MAC address mapping does not match an entry in the snooping binding database. If DHCP snooping is not in use, an ARP ACL must be configured manually.
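The following is an added example configuration (not from the original article) that puts points 3 to 9 together on the 4506 and the 2918. The VLAN number 100, the interface names, and the Catalyst 4500 form of the IPSG command are assumptions; the TFTP path and the static binding values come from the article, with the binding placed on the untrusted downlink because bindings are not kept for trusted ports.

```cisco
! ---- 4506 (aggregation): DHCP snooping, DAI and IPSG ----
ip dhcp snooping
ip dhcp snooping vlan 100
! Points 6 and 10: accept option-82 packets arriving on the untrusted downlink
ip dhcp snooping information option allow-untrusted
! Point 4: persist the binding database so it survives a reload
ip dhcp snooping database tftp://192.169.200.1/snooping.dat
ip dhcp snooping database write-delay 30
! Point 9: DAI checks ARP on VLAN 100 against the binding database
ip arp inspection vlan 100
ip arp inspection validate src-mac dst-mac ip
!
! Uplink towards the 6506 (DHCP server side): trusted for DHCP and ARP
interface GigabitEthernet1/1
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Downlink trunk towards the 2918 (host side): stays untrusted
interface GigabitEthernet1/2
 switchport mode trunk
 ! Point 8: IPSG on a Layer 2 port (Catalyst 4500 syntax, assumed)
 ip verify source vlan dhcp-snooping
!
! Point 7: static binding for a host with a manually set address
ip dhcp snooping binding 00d0.2bd0.d80a vlan 100 222.25.77.100 interface GigabitEthernet1/2 expiry 600
!
! ---- 2918 (edge): do not insert option 82, trust only the uplink ----
ip dhcp snooping
ip dhcp snooping vlan 100
no ip dhcp snooping information option
interface GigabitEthernet0/1
 description uplink to 4506 (interface name assumed)
 switchport mode trunk
 ip dhcp snooping trust
!
! Verification (privileged EXEC)
show ip dhcp snooping
show ip dhcp snooping binding
show ip arp inspection vlan 100
show ip verify source
```

After the first lease is handed out, show ip dhcp snooping binding on the 4506 should list the client's MAC, IP, lease, VLAN 100 and GigabitEthernet1/2, and show ip verify source should show that port as active for the same entry.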