NE40E V800R010C10SPC500 Feature Description - Security 01

Basic Concepts of DHCP Snooping

After DHCP snooping is configured on a device, its interfaces are classified as trusted or untrusted. Only DHCP request and reply packets received on trusted interfaces are sent to the CPU. The device uses the DHCP packets received on trusted interfaces to build and maintain a DHCP snooping binding table, which it then uses to check DHCP packets. Option 82, a field in a DHCP packet, identifies the path along which the packet was forwarded; the device uses it to create DHCP snooping binding entries with accurate interface information. In addition, a whitelist can be configured for DHCP snooping so that, on the trusted client- or server-facing interface, only whitelisted packets are sent to the CPU.

DHCP Snooping Trusted/Untrusted Interface

After DHCP snooping is enabled on a device, a device interface can be configured as trusted or untrusted. Generally, the interfaces connected to legitimate DHCP servers are configured as trusted, and all other interfaces are configured as untrusted. By default, all interfaces are untrusted.

DHCP Snooping Binding Table

A DHCP snooping binding table records each host's media access control (MAC) address, IP address, IP address lease time, virtual local area network (VLAN) ID, and interface. Binding entries can be dynamic or static. Dynamic entries are generated automatically after DHCP snooping is enabled; static entries are configured manually.

  • Dynamic DHCP snooping binding table

    If hosts obtain IP addresses from a DHCP server, the device dynamically learns the host information by parsing the DHCP reply packets received from trusted interfaces and uses the information to generate a dynamic DHCP snooping binding table.

  • Static DHCP snooping binding table

    If hosts use statically configured IP addresses, you must configure DHCP snooping binding entries manually from the hosts' MAC addresses, IP addresses, VLAN IDs, and interfaces.

Dynamic and static DHCP snooping binding entries are deleted in different ways:
  • Dynamic binding entries are deleted after the corresponding IP address lease expires.
  • Static binding entries can only be deleted manually.
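The following is an added example (not Huawei code) of a minimal DHCP snooping binding table that follows the rules above: bindings are learned only from DHCP replies received on trusted interfaces, static entries are added and deleted by hand, dynamic entries age out with their lease, and packets from clients are checked against the table. Interface names, MAC and IP addresses and lease values are constructed for the example.

```python
"""Minimal DHCP snooping binding table (added example, not the NE40E implementation)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    lease_end: Optional[float]   # absolute expiry time; None for static entries
    static: bool


class DhcpSnoopingTable:
    def __init__(self) -> None:
        # Interfaces facing legitimate DHCP servers; everything else is untrusted by default.
        self.trusted: Set[str] = set()
        # Binding entries keyed by (MAC address, VLAN ID).
        self.entries: Dict[Tuple[str, int], Binding] = {}

    def set_trusted(self, interface: str) -> None:
        self.trusted.add(interface)

    def learn_from_reply(self, ingress: str, now: float, client_mac: str, yiaddr: str,
                         vlan: int, client_if: str, lease: int) -> bool:
        """Handle a DHCP reply (ACK). Only replies arriving on a trusted interface are
        parsed into a dynamic binding; a reply from an untrusted port (a rogue server)
        is dropped and returns False."""
        if ingress not in self.trusted:
            return False
        self.entries[(client_mac, vlan)] = Binding(
            client_mac, yiaddr, vlan, client_if, now + lease, static=False)
        return True

    def add_static(self, mac: str, ip: str, vlan: int, interface: str) -> None:
        """Static entry for a host with a fixed IP address; never ages out."""
        self.entries[(mac, vlan)] = Binding(mac, ip, vlan, interface, None, static=True)

    def delete_static(self, mac: str, vlan: int) -> bool:
        entry = self.entries.get((mac, vlan))
        if entry is None or not entry.static:
            return False
        del self.entries[(mac, vlan)]
        return True

    def age(self, now: float) -> int:
        """Delete dynamic entries whose lease has expired; static entries are untouched.
        Returns the number of entries removed."""
        expired = [key for key, e in self.entries.items()
                   if not e.static and e.lease_end is not None and e.lease_end <= now]
        for key in expired:
            del self.entries[key]
        return len(expired)

    def check(self, mac: str, ip: str, vlan: int, interface: str) -> bool:
        """Check a packet from an untrusted interface against the binding table:
        the (MAC, VLAN) pair must exist and its IP address and interface must match."""
        entry = self.entries.get((mac, vlan))
        return entry is not None and entry.ip == ip and entry.interface == interface


if __name__ == "__main__":
    table = DhcpSnoopingTable()
    table.set_trusted("GE0/1/0")                      # uplink to the legitimate DHCP server
    # A DHCP ACK for client 00:11:22:33:44:55 arriving on the trusted uplink is learned.
    table.learn_from_reply("GE0/1/0", 1000.0, "00:11:22:33:44:55", "10.0.0.9", 100, "GE0/1/1", 3600)
    print(table.check("00:11:22:33:44:55", "10.0.0.9", 100, "GE0/1/1"))    # True
    print(table.check("00:11:22:33:44:55", "10.0.0.99", 100, "GE0/1/1"))   # False: spoofed IP
```

The check method is the building block for the packet validation mentioned above: a client that claims an IP address or appears on an interface other than the one recorded at lease time fails the lookup.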

Option 82

Option 82 is a field in a DHCP packet. It carries information about the interface on which the packet was received and therefore identifies the path along which the packet was forwarded. A host (DHCP client) generates a DHCP request packet and broadcasts it on the network. If a device with option 82 insertion enabled receives the request, it inserts an option 82 field into the packet and sends the packet to the DHCP server. The DHCP server echoes the option 82 field in its DHCP reply and sends the reply back to the device. The device removes the option 82 field and forwards the reply to the client interface from which the request was received.

  • Option 82 field format

    Option fields in a DHCP packet carry control information and parameters for which the fixed DHCP packet header has no dedicated field. Figure 5-1 shows the format of a DHCP packet. Figure 5-2 shows the format of an option field. The option 82 field has option code 82. Devices use the option 82 field to determine the path along which DHCP packets are transmitted.

    Figure 5-1 DHCP packet format
    Figure 5-2 Option field format

    An option field consists of Code, Length, and Value. The following table lists their meanings.

    Field    Length                            Description
    Code     1 byte                            Option code, identifying the content of the option
    Length   1 byte                            Length of the Value field, in bytes
    Value    Determined by the Length field    Option content

    Figure 5-3 shows the option 82 field format. The option 82 field consists of one or more suboptions. Figure 5-4 shows the format of a suboption. At least one suboption must be defined in the option 82 field, and the suboption value can be null. Therefore, the minimum length of the option 82 field is 2.

    The initially assigned suboptions are as follows:
    • 1: agent circuit ID suboption
    • 2: agent remote ID suboption

    A DHCP server uses the agent circuit ID suboption when allocating IP addresses and other parameters.

    In addition to suboption 1, the NE40E supports suboption 9, which carries vendor customization information.

    Suboption 9 has the following functions:
    • If the option 82 field in a DHCP reply packet forwarded by an interface contains suboption 9 with the Huawei Device Identifier field, the device parses the option 82 field to obtain the interface information. The device then removes the Huawei Device Identifier field from suboption 9 and forwards the DHCP reply packet.
    • After receiving a DHCP reply packet with an option 82 field, the device checks whether suboption 9 is present. If it is, the device generates a binding entry based on suboption 9; otherwise, the device generates the binding entry based on suboption 1.
    Figure 5-3 Option 82 field format

    The option 82 field consists of Code, Length, and Agent Information Field. The following table lists their meanings.

    Field                      Description
    Code                       Option code (82)
    Length                     Length of the Agent Information Field, in bytes
    Agent Information Field    One or more suboptions

    Figure 5-4 Option 82 suboption format

    A suboption consists of SubOpt, Length, and Sub-Option Value. The following table lists their meanings.

    Field                      Description
    SubOpt                     Suboption code (for example, 1 for agent circuit ID, 2 for agent remote ID)
    Length                     Length of the Sub-Option Value field, in bytes
    Sub-Option Value           Suboption content

    The option 82 field can be used by Layer 2 or Layer 3 devices. On a Layer 2 device, the device parses the option 82 field to determine to which interface a DHCP reply is sent and creates the corresponding DHCP snooping binding entry. On a Layer 3 DHCP server, the server applies its IP address allocation policy based on the content of the option 82 field.

  • Inserting the Option 82 field to packets at Layer 2

    As shown in Figure 5-5, the DHCP client connects to the switch, and the switch connects to the DHCP relay agent or the DHCP server through a Layer 2 network.

    The switch is enabled with DHCP snooping globally. After receiving a DHCP discover or request packet, the switch records the option 82 field carried in the packet and reconstructs the option 82 field based on the insertion policy. Then, the switch sends the packet with the modified option 82 field to the DHCP server. After receiving the packet, the DHCP server echoes the option 82 field in the DHCP reply packet and sends it to the switch. The switch replaces the option 82 field in the DHCP reply packet with the recorded option 82 field (which is carried in the DHCP discover or request packet), determines the interface to which the DHCP reply packet is to be sent, creates a corresponding entry in the DHCP snooping binding table, and then sends the packet to the DHCP client.

    Figure 5-5 Inserting the option 82 field to packets at Layer 2
  • Inserting the option 82 field to packets at Layer 3

    On a Layer 3 network shown in Figure 5-6, the switch functions as a DHCP relay agent.

    With the option 82 function enabled, the switch inserts the option 82 field to the DHCP discover packet and request packet. The DHCP server then implements IP address assignment policies and other policies based on the option 82 field.

    After receiving the DHCP reply packet from the DHCP server, the switch replaces the option 82 field in the DHCP reply packet with the recorded option 82 field (which is carried in the DHCP discover or request packet) and sends the packet to the DHCP client.

    Figure 5-6 Inserting the option 82 field to packets at Layer 3
  • Option 82 implementation

    With the option 82 function enabled, the switch checks whether the DHCP request packet sent by a DHCP client carries an option 82 field.
    • If the option 82 field exists, the switch applies the configured option 82 insertion mode, which is either insert or rebuild.

      • In rebuild mode, the switch replaces the option 82 field carried in the received packet with its own option 82 field.
      • In insert mode, the switch treats the option 82 field carried in the received packet as trusted. If the received option 82 field contains suboptions, the device leaves them unchanged. If the option 82 field contains no suboptions and a suboption format is configured, the device inserts suboptions into the option 82 field.
    • If the option 82 field does not exist:

      The switch inserts an option 82 field with suboption 1 into the packet, regardless of the configured suboption format.
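The following is an added example (not Huawei code) that implements the option 82 handling described in this section: the code/length/value encoding of DHCP options and suboptions (Figures 5-2 to 5-4), the insert and rebuild modes applied to a client request, and the restoration of the recorded option 82 field when the server's reply is forwarded back to the client. The parser refuses truncated options instead of reading past the buffer. The circuit ID and remote ID values, the interface naming, and the use of the DHCP transaction ID (xid) to match a reply to its request are this example's own assumptions.

```python
"""DHCP option 82 encoding, parsing and insert/rebuild handling (added example)."""
from typing import Dict, Optional, Tuple

OPTION_PAD, OPTION_END, OPTION_82 = 0, 255, 82
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2


def parse_tlvs(raw: bytes, stop_at_end: bool) -> Dict[int, bytes]:
    """Parse code/length/value triples. Pad and End codes only apply to the DHCP
    options area, not inside the option 82 value. A length that runs past the
    buffer raises ValueError rather than being silently accepted."""
    result, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if stop_at_end and code == OPTION_PAD:
            i += 1
            continue
        if stop_at_end and code == OPTION_END:
            break
        if i + 2 > len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError("truncated option/suboption %d" % code)
        length = raw[i + 1]
        result[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return result


def build_tlvs(items: Dict[int, bytes]) -> bytes:
    for value in items.values():
        if len(value) > 255:
            raise ValueError("value longer than one length byte allows")
    return b"".join(bytes([code, len(value)]) + value for code, value in items.items())


def parse_options(raw: bytes) -> Dict[int, bytes]:
    return parse_tlvs(raw, stop_at_end=True)


def build_options(opts: Dict[int, bytes]) -> bytes:
    return build_tlvs(opts) + bytes([OPTION_END])


def parse_suboptions(body: bytes) -> Dict[int, bytes]:
    return parse_tlvs(body, stop_at_end=False)


def build_option82(subs: Dict[int, bytes]) -> bytes:
    if not subs:
        raise ValueError("option 82 needs at least one suboption")
    return build_tlvs(subs)


class Option82Agent:
    """Device-side option 82 processing for one interface (hypothetical helper)."""

    def __init__(self, mode: str, circuit_id: bytes, remote_id: bytes) -> None:
        if mode not in ("insert", "rebuild"):
            raise ValueError("mode must be 'insert' or 'rebuild'")
        self.mode = mode
        self.own = {SUBOPT_CIRCUIT_ID: circuit_id, SUBOPT_REMOTE_ID: remote_id}
        # Option 82 as received from the client, keyed by transaction ID (assumption).
        self.recorded: Dict[int, Optional[bytes]] = {}

    def on_request(self, xid: int, raw_opts: bytes) -> bytes:
        """Apply the insertion policy to a DHCP discover/request from a client."""
        opts = parse_options(raw_opts)
        self.recorded[xid] = opts.get(OPTION_82)
        if OPTION_82 not in opts:
            # Absent: suboption 1 is inserted regardless of the suboption format configured.
            opts[OPTION_82] = build_option82({SUBOPT_CIRCUIT_ID: self.own[SUBOPT_CIRCUIT_ID]})
        elif self.mode == "rebuild":
            opts[OPTION_82] = build_option82(self.own)
        elif not parse_suboptions(opts[OPTION_82]):
            # Insert mode: an existing option 82 with suboptions is kept as is;
            # an empty one is filled with the configured suboptions.
            opts[OPTION_82] = build_option82(self.own)
        return build_options(opts)

    def on_reply(self, xid: int, raw_opts: bytes) -> Tuple[bytes, bytes]:
        """Handle the server's reply: read the echoed circuit ID (used to pick the
        client interface and build the binding entry), then put back whatever the
        client originally sent before forwarding."""
        opts = parse_options(raw_opts)
        echoed = parse_suboptions(opts.get(OPTION_82, b"")).get(SUBOPT_CIRCUIT_ID, b"")
        original = self.recorded.pop(xid, None)
        if original is None:
            opts.pop(OPTION_82, None)
        else:
            opts[OPTION_82] = original
        return build_options(opts), echoed
```

Note that in insert mode a client-supplied option 82 field that already carries suboptions is forwarded unchanged, exactly as the text above states; if the client-facing interface is untrusted, rebuild mode is the setting that guarantees the circuit ID the server sees is the one the device itself generated.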

Whitelist for DHCP Snooping

After a whitelist is configured for DHCP snooping, only DHCP packets that match the whitelist are sent to the CPU; DHCP packets that do not match are simply forwarded without being sent to the CPU. This protects the device's CPU against DHCP packet floods.

Updated: 2019-01-03

Document ID: EDOC1100055047