What is DHCP snooping?

Source: Internet
Author: User

A lot of DHCP material has already been covered; this page focuses on DHCP snooping (often mistranslated as "DHCP listening"). What is DHCP snooping, and what should you pay attention to when configuring it and the features that build on it, in particular IP Source Guard?

DHCP snooping:

With DHCP snooping enabled, the switch treats end-user ports as untrusted ports and restricts them: only DHCP client messages (DISCOVER/REQUEST) are accepted from such a port, and all other DHCP packets arriving on it are discarded, for example a DHCPOFFER sent by a rogue server attached to that port. Trusted ports may send and receive all DHCP packets.

The switch keeps an IP source binding table and checks every packet received on a protected port against it. A packet is forwarded in only two cases:

1. An IP packet whose port/IP/MAC combination matches an entry in the IP source binding table.

2. A DHCP packet.

All other packets are discarded by the switch.

1. Entries in the IP source binding table can be added statically by the administrator on the switch.

2. Alternatively, the switch learns them automatically from the DHCP snooping binding table.

The switch extracts the key fields of each DHCP exchange it sees (IP address, MAC address, VLAN, port and lease time) and stores them in the DHCP snooping binding table; this is the job of DHCP snooping. IP Source Guard is supported only on Layer 2 ports, both access and trunk ports. Its trusted and untrusted ports are the same trusted and untrusted ports defined for DHCP snooping. Two levels of IP traffic filtering are available on untrusted ports:

Source IP address filtering: when IP Source Guard is enabled on a port that has no IP source binding entry, the port ACL (PACL) installed by the feature denies all IP traffic on that port except DHCP, so a host without a binding cannot communicate until it obtains a lease. Configuration:

SW2(config)# int g0/9

SW2(config-if)# ip verify source

Source IP and source MAC address filtering: when both the IP address and the MAC address are used as the filter, DHCP snooping option 82 must also be enabled so that DHCP keeps working. Without option 82 in the request, the switch cannot determine which client port a DHCP server reply should be forwarded to; the reply is dropped instead and the client never obtains an IP address.

Note: the switch uses port security (SW2(config-if)# switchport port-security) to filter the source MAC address.

When the switch uses only source IP address filtering, IP Source Guard and port security are independent of each other: port security does not have to be enabled for IP Source Guard, and if both are enabled they are only loosely related, IP Source Guard preventing IP address spoofing and port security preventing MAC address spoofing.

When the switch uses source IP and source MAC address filtering, the two become integrated: port security is folded into IP Source Guard and is a required part of it. In this mode the port security violation action is disabled; illegal Layer 2 frames are simply dropped without triggering a port security violation.

IP Source Guard cannot prevent ARP attacks launched from a client PC; those must be handled by Dynamic ARP Inspection (DAI). IP Source Guard requires a Catalyst 3500-series switch (such as the 3560) or higher; the 2960 currently does not support it.

Switch# show ip dhcp snooping binding

Switch# show ip source binding

Switch# show ip verify source

To accept DHCP packets that already carry option 82 on an untrusted port (for example packets relayed from a downstream switch), configure globally:

ip dhcp snooping information option allow-untrusted

IP Source Guard acts only on untrusted ports and has no effect on trusted ports, so hosts attached to trusted ports need no static IP source binding and communicate normally. On untrusted ports, IP source binding prevents clients that use a manually assigned IP address from reaching the network: such clients cannot communicate unless a static IP source binding entry is added for them by hand.

Note: this example uses the source IP and source MAC address filtering mode. Three points need attention in this mode:

1) The switch must insert option 82 into the client's DHCP request, i.e. the ip dhcp snooping information option command must be configured (it is enabled by default). For requests without option 82, the switch cannot determine which client port the DHCP server's reply should be forwarded to; the reply is dropped instead and the client cannot obtain an IP address. The switch discards the reply because it cannot find a destination port for it.

2) The DHCP server in use must support address allocation based on DHCP option 82; otherwise the client cannot obtain an IP address (the debug output is the same as described in point 1). Windows 2003 and Cisco IOS 12.2 cannot allocate addresses based on option 82 when used as DHCP servers; if IOS 12.2 is used in this example, the client cannot obtain an IP address. Cisco IOS 12.3(4)T supports option 82-based address allocation. The simplest check is whether the IOS image accepts the ip dhcp use class command.

3) The switchport port-security command must also be configured on the port. Without it, this mode behaves exactly like the source IP address filtering mode.

Apply IP Source Guard to the trunk interface on the 3560 that links down to the 2960; this interface is untrusted. Because the 2960 does not provide IP Source Guard, packets arriving from it may carry spoofed IP addresses. Applying IP Source Guard on the 3560 trunk port contains such an attack and minimizes its scope, but because the 2960 lacks the feature, attacks between hosts attached to the 2960 remain possible. If the downstream switch does have this protection, the cascade (uplink) port facing it can instead be configured with ip dhcp snooping trust.
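As an added example, not configuration taken from the original page, the following Cisco IOS fragment for a Catalyst 3560 ties the pieces above together: the DHCP snooping binding table and a static ip source binding entry, both IP Source Guard filtering modes, the three requirements of the IP+MAC mode, and the untrusted trunk down to the 2960. The interface numbers, VLAN 10, the MAC and IP addresses and the descriptions are assumptions made for illustration.

```cisco
! Added example for a Catalyst 3560; VLAN, ports, addresses and descriptions are assumed.
! --- DHCP snooping: build the binding table, drop server messages on untrusted ports ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is on by default; it is stated explicitly because the IP+MAC mode
! (point 1 above) depends on it. allow-untrusted accepts packets that a downstream
! switch has already tagged with option 82 when they arrive on an untrusted port.
ip dhcp snooping information option
ip dhcp snooping information option allow-untrusted
! Persist learned bindings so hosts keep access after a reload instead of being
! blocked by the PACL until they renew their lease.
ip dhcp snooping database flash:/dhcp-snooping.db
! ARP spoofing is outside IP Source Guard's scope; DAI, driven by the same binding
! table, covers it.
ip arp inspection vlan 10
!
! Uplink toward the DHCP server: trusted, so OFFER/ACK are accepted here.
interface GigabitEthernet0/1
 description uplink to DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Mode 1: source IP address filtering only (port security stays independent).
interface GigabitEthernet0/9
 description client, IP-only IP Source Guard
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip verify source
!
! Mode 2: source IP + source MAC filtering. Point 3: port security is mandatory here;
! without it this port would behave exactly like Gi0/9.
interface GigabitEthernet0/10
 description client, IP+MAC IP Source Guard
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 ip dhcp snooping limit rate 15
 ip verify source port-security
!
! Static binding for a host with a manually configured address on an untrusted port;
! without this entry the PACL drops all of its non-DHCP IP traffic.
ip source binding 0011.2233.4455 vlan 10 192.168.10.50 interface GigabitEthernet0/11
interface GigabitEthernet0/11
 description printer with static IP (assumed address)
 switchport mode access
 switchport access vlan 10
 ip verify source
!
! Downlink trunk to the 2960: left untrusted and guarded, because the 2960 cannot
! enforce IP Source Guard itself. If the downstream switch did support these
! features, "ip dhcp snooping trust" on this port would be the alternative.
interface GigabitEthernet0/24
 description downlink to 2960
 switchport mode trunk
 ip verify source
!
! Verification. Point 2 is checked on the DHCP server, not here: it must allocate
! addresses based on option 82 (e.g. an IOS server that accepts "ip dhcp use class").
! show ip dhcp snooping binding
! show ip source binding
! show ip verify source
```

After clients on Gi0/9 and Gi0/10 obtain leases, show ip dhcp snooping binding should list them with their port and VLAN, and show ip verify source should show the filter type (ip for Gi0/9, ip-mac for Gi0/10) with the learned addresses; a host on Gi0/11 that changes its address away from the static binding loses connectivity immediately.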
