No relevant resource is found in the selected language.
Enterprise
Worldwide
Search
Support Documentation
CloudEngine 12800 and 12800E V200R005C10 Configuration Guide - Security

This document describes the configurations of Security, including AAA, 802.1x Authentication, ACL, TCAM ACL Customization, local attack defense, Microsegmentation, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, MACsec, DHCP snooping, IPSG, URPF, SSL, Keychain and FIPS.

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
DHCP Snooping Fundamentals

DHCP Snooping Fundamentals

DHCP snooping provides the trusted interface and listening functions.

Trusted Interface

DHCP snooping involves two interface roles: trusted interface and untrusted interfaces, through which DHCP snooping ensures that DHCP clients obtain IP addresses from a valid DHCP server.

If a bogus DHCP server exists on a network, DHCP clients may obtain incorrect IP addresses and network configuration parameters from it, leading to communication failures. The trusted interface controls the source of DHCP Reply messages to prevent bogus DHCP servers from assigning IP addresses and other configurations to other DHCP clients.

Trusted interface and untrusted interfaces process DHCP messages as follows:
  • The device receives DHCP ACK messages, NAK messages, and Offer messages through the trusted interface.
  • The device discards DHCP ACK messages, NAK messages, and Offer messages on untrusted interfaces.

The administrator configures the interface directly or indirectly connected to an authorized DHCP server as the trusted interface, and other interfaces as untrusted interfaces. This ensures that DHCP clients obtain IP addresses from authorized DHCP servers.

Listening

After DHCP snooping is enabled, the device generates a DHCP snooping binding table by listening to DHCP Request messages and Reply messages. A binding entry contains the MAC address, IP address, interface number, and Virtual Local Area Network (VLAN) ID of the DHCP client.

The DHCP snooping binding entries are aged out when the DHCP release expires, or the entries are deleted when users send DHCP Release packets to release IP addresses.

The administrator needs to record IP addresses of DHCP clients and identify the mappings between the IP addresses and MAC addresses of the DHCP clients. The DHCP snooping binding table helps the administrator conveniently record the mappings.

The DHCP snooping binding table records the mapping between IP addresses and MAC addresses of DHCP clients. The device can check DHCP messages against the DHCP snooping binding table to prevent attacks initiated by unauthorized users.

To ensure that the device obtains parameters such as MAC addresses for generating a DHCP snooping binding table, configure DHCP snooping on the Layer 2 access devices or the first DHCP relay agent from the device to the DHCP server.

Translation
简体中文
Download
Updated: 2021-09-17

Document ID: EDOC1100075347

Views: 233021

Downloads: 99

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Digital Signature File

Digital Signature Authentication Mode
Share
Previous Next

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :