Shulou(Shulou.com)06/02 Report--

This article mainly introduces the use of dhcp snooping, has a certain reference value, interested friends can refer to, I hope you can learn a lot after reading this article, the following let the editor take you to understand it.

The function of DHCP Snooping: 1, cooperate with switch DAI to prevent the spread of ARP virus; 2, isolate the illegal DHCP server by establishing trust port and non-trust port, the trust port forwards DHCP packets normally, and the server response received by the non-trust port handles packet loss without forwarding.

DHCP Snooping is a security feature of DHCP, which is mainly used in switches to shield illegal DHCP servers in the access network. That is, when the DHCP Snooping function is enabled, the clients in the network can only obtain the IP address from the DHCP server specified by the administrator.

Due to the lack of authentication mechanism in DHCP messages, if there is an illegal DHCP server in the network, the administrator will not be able to guarantee that the client will obtain a legitimate address from the DHCP server designated by the administrator, and the client may obtain the wrong IP address and other configuration information from the illegal IP server, resulting in the client not being able to use the network normally.

After enabling the DHCP Snooping function, the port on the switch must be set to Trust and Untrust state. The switch only forwards the DHCP OFFER/ACK/NAK packet of the trusted port and discards the DHCP OFFER/ACK/NAK packet of the untrusted port, so as to achieve the purpose of blocking the illegal DHCP server.

It is recommended that you set the port to connect to the DHCP server as a trusted port and the other ports as an untrusted port. In addition, DHCP Snooping will also monitor DHCP packets passing through the machine, extract the key information and generate DHCP Binding Table records, a record including IP, MAC, lease time, port, VLAN, type and other information, combined with DAI (Dynamic ARP Inspection) and IPSG (IP Source Guard) can achieve ARP anti-spoofing and IP flow control functions.

The role of dhcp snooping

1. The main function of dhcp-snooping is to isolate illegal dhcp server by configuring untrusted ports.

2. Cooperate with switch DAI to prevent the spread of ARP virus.

3. Establish and maintain a dhcp-snooping binding table, which is generated by the ip and mac addresses in the dhcp ack package, and can be specified manually. This table is the basis for subsequent DAI (dynamic arp inspect) and IPSource Guard. These two similar technologies restrict users from connecting to the network by using this table to determine whether an ip or mac address is legal.

4. The illegal DHCP server is isolated by establishing the trust port and the untrust port. The trust port forwards the DHCP packet normally. After the DHCP offer and DHCPACK of the server response received by the untrust port, the packet loss is handled and no forwarding is carried out.

Thank you for reading this article carefully. I hope the article "what's the use of dhcp snooping" shared by the editor will be helpful to everyone? at the same time, I also hope that you will support and pay attention to the industry information channel, and more related knowledge is waiting for you to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.