Configuration Guide Configuring DHCP Snooping
8 Configuring DHCP Snooping
8.1 Overview
DHCP Snooping: DHCP Snooping snoops DHCP interactive packets between clients and servers to record and monitor
users' IP addresses and filter out illegal DHCP packets, including client request packets and server response packets. The
legal user database generated from DHCP Snooping records may serve security applications like IP Source Guard.
Protocols and Standards
RFC 2131: Dynamic Host Configuration Protocol
RFC 2132: DHCP Options and BOOTP Vendor Extensions
8.2 Applications
Guarding against DHCP service
spoofing
In a network with multiple DHCP servers, DHCP clients are allowed to obtain network
configurations only from legal DHCP servers.
Guarding against DHCP packet
flooding
Malicious network users may frequently send DHCP request packets.
Guarding against forged DHCP
packets
Malicious network users may send forged DHCP request packets, for example,
DHCP-RELEASE packets.
Guarding against IP/MAC spoofing
Malicious network users may send forged IP packets, for example, tampered source
address fields of packets.
Preventing Lease of IP Addresses
Network users may lease IP addresses rather than obtaining them from a DHCP
server.
Malicious users forge ARP response packets to intercept packets during normal
users' communication.
8.2.1 Guarding Against DHCP Service Spoofing
Scenario
Multiple DHCP servers may exist in a network. It is essential to ensure that user PCs obtain network configurations only from
the DHCP servers within a controlled area.
Take the following figure as an example. The DHCP client can only communicate with trusted DHCP servers.
Request packets from the DHCP client can be transmitted only to trusted DHCP servers.
Only the response packets from trusted DHCP servers can be transmitted to the client.
To Next Page
Loading...
Need help?
General
