The functions of DHCP Snooping: 1. Cooperate with switch DAI to prevent the spread of ARP viruses; 2. Isolate illegal DHCP servers by establishing trusted ports and untrusted ports, and trust ports can forward DHCP packets normally. , the server response received by the untrusted port is discarded and not forwarded.
DHCP Snooping is a security feature of DHCP. It is mainly used on switches. Its function is to shield illegal DHCP servers in the access network. That is, after the DHCP Snooping function is turned on, clients on the network can only obtain IP addresses from the DHCP server specified by the administrator.
Due to the lack of authentication mechanism in DHCP messages, if there is an illegal DHCP server in the network, the administrator will not be able to ensure that the client obtains a legal address from the DHCP server specified by the administrator, and the client may obtain errors from the illegal DHCP server. IP address and other configuration information, causing the client to be unable to use the network normally.
After enabling the DHCP Snooping function, the ports on the switch must be set to trust (Trust) and untrusted (Untrust) states. The switch only forwards DHCP OFFER/ACK/NAK messages for trusted ports and discards untrusted ports. DHCP OFFER/ACK/NAK messages on the port, thereby achieving the purpose of blocking illegal DHCP servers.
It is recommended to set the port connected to the DHCP server as a trusted port and set other ports as untrusted ports. In addition, DHCP Snooping will also monitor the DHCP packets passing through the machine, extract the key information and generate a DHCP Binding Table record table. A record includes IP, MAC, lease time, port, VLAN, type and other information, combined with DAI (Dynamic ARP Inspection) and IPSG (IP Source Guard) can realize ARP anti-spoofing and IP flow control functions.
The role of dhcp snooping
1. The main function of dhcp-snooping is to isolate illegal dhcp servers by configuring untrusted ports.
2. Cooperate with switch DAI to prevent the spread of ARP virus.
3. Establish and maintain a dhcp-snooping binding table. This table is generated through the ip and mac addresses in the dhcp ack package. Second, it can be specified manually. This table is the basis for subsequent DAI (dynamic arp inspect) and IPSource Guard. These two similar technologies use this table to determine whether the IP or mac address is legal to restrict users from connecting to the network.
4. Isolate illegal DHCP servers by establishing trusted ports and untrusted ports. The trusted ports forward DHCP packets normally, and the untrusted ports discard the packets after receiving the DHCP offer and DHCPACK responses from the server. Processed and not forwarded.
The above is the detailed content of What is the function of dhcp snooping?. For more information, please follow other related articles on the PHP Chinese website!