Introduction and configuration of DHCP Snooping

Source: Internet
Author: User

Many people have heard of the DHCP Snooping feature, but plenty still do not understand how it works. Here we give a detailed explanation of DHCP Snooping.

1 Introduction

DHCP Snooping is a security feature of DHCP. It filters untrusted DHCP messages, that is, DHCP messages arriving from untrusted areas of the network, by building and maintaining a DHCP Snooping binding table. The binding table records the MAC address, IP address, lease period, VLAN ID, interface and other information of users on the untrusted side.

When DHCP Snooping is enabled, the switch listens to DHCP packets and extracts and records the IP address and MAC address information from the DHCP Request and DHCP Ack messages it receives. DHCP Snooping also lets you set each physical port as a trusted or an untrusted port. A trusted port receives and forwards DHCP Offer packets normally, whereas an untrusted port discards any DHCP Offer packet it receives. In this way the switch shields clients from counterfeit DHCP servers and ensures that they obtain IP addresses only from the legitimate DHCP server.

Purpose:

1. The main function of DHCP Snooping is to isolate unauthorized (rogue) DHCP servers by configuring the ports they could attach to as untrusted.

2. Create and maintain the DHCP Snooping binding table. The table is generated from the IP address and MAC address carried in DHCP Ack packets, and entries can also be specified manually. It is the basis for the later DAI (Dynamic ARP Inspection) and IP Source Guard features: these two related technologies consult the table to decide whether an IP address or MAC address is legitimate and to restrict users' access to the network accordingly.

2 Configuration

Switch(config)# ip dhcp snooping

Switch(config)# ip dhcp snooping vlan 10

Switch(config-if)# ip dhcp snooping limit rate 10
/* Limits the rate of DHCP packets accepted on this interface. If the rate is exceeded, the interface is shut down. There is no limit by default. */

Switch(config-if)# ip dhcp snooping trust
/* Makes the port a trusted port. A trusted port receives and forwards DHCP Offer packets normally and does not record IP-to-MAC bindings. Ports are untrusted by default. */

Switch# ip dhcp snooping binding 0009.3452.3ea4 vlan 7 192.168.10.5 interface gi1/0/10
/* Manually binds a static IP address to a MAC address, i.e. adds a static entry to the binding table. */

Switch(config)# ip dhcp snooping database tftp://10.1.1.1/dhcp_table
/* The binding table is lost when the switch loses power, so choose a storage location for it: ftp, tftp or flash. In this example dhcp_table is a file name, not a folder, and the file must be created manually beforehand. */
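To make the behaviour that this configuration enforces concrete, here is an added Python simulation of the switch's snooping decisions (example code written for this page, not from the original article or any vendor): server-only messages (Offer/Ack) are dropped on untrusted ports, an untrusted port that exceeds its rate limit is shut down, and a binding is learned only when the trusted server port Acks a Request previously seen on an untrusted port. The port names, VLAN 10, the rogue address and the lease values are constructed; the MAC and IP come from the binding command above.

```python
from dataclasses import dataclass, field
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5  # DHCP option 53 message types
SERVER_ONLY = {OFFER, ACK}                  # only a DHCP server legitimately sends these

@dataclass
class DhcpMsg:
    msg_type: int
    chaddr: str              # client hardware (MAC) address
    yiaddr: str = "0.0.0.0"  # address the server offers or assigns
    lease: int = 0           # option 51 lease time, seconds

@dataclass
class Snooper:
    trusted: set                     # ports configured with 'ip dhcp snooping trust'
    rate_limit: int = 0              # 'limit rate N' per untrusted port; 0 = no limit
    bindings: dict = field(default_factory=dict)  # mac -> (ip, lease, vlan, port)
    pending: dict = field(default_factory=dict)   # mac -> (vlan, port) of its Request
    counts: dict = field(default_factory=dict)    # untrusted port -> packets seen
    errdisabled: set = field(default_factory=set)

    def process(self, port: str, vlan: int, msg: DhcpMsg) -> str:
        if port in self.errdisabled:
            return "drop"
        if port in self.trusted:
            if msg.msg_type == ACK and msg.chaddr in self.pending:  # real server ACK
                cvlan, cport = self.pending.pop(msg.chaddr)
                self.bindings[msg.chaddr] = (msg.yiaddr, msg.lease, cvlan, cport)
            return "forward"
        if self.rate_limit:
            self.counts[port] = self.counts.get(port, 0) + 1
            if self.counts[port] > self.rate_limit:
                self.errdisabled.add(port)  # rate exceeded: shut the port down
                return "drop"
        if msg.msg_type in SERVER_ONLY:
            return "drop"  # server reply arriving on an untrusted port: rogue server
        if msg.msg_type == REQUEST:
            self.pending[msg.chaddr] = (vlan, port)  # remember the client's own port
        return "forward"

def scenario():
    # constructed: client on Gi1/0/10, real server on trusted Gi1/0/1, rogue on Gi1/0/11
    s = Snooper(trusted={"Gi1/0/1"}, rate_limit=10)
    mac = "0009.3452.3ea4"
    verdicts = [
        s.process("Gi1/0/10", 10, DhcpMsg(DISCOVER, mac)),
        s.process("Gi1/0/11", 10, DhcpMsg(OFFER, mac, "192.168.10.99", 3600)),
        s.process("Gi1/0/10", 10, DhcpMsg(REQUEST, mac)),
        s.process("Gi1/0/1", 10, DhcpMsg(ACK, mac, "192.168.10.5", 86400)),
    ]
    return verdicts, dict(s.bindings)
```

The rogue Offer on Gi1/0/11 is dropped while the rest of the exchange is forwarded, and the learned binding records the client's own VLAN and port rather than the server port the Ack arrived on.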
