![]() The device then generates DHCP snooping binding entries according to the DHCP ACK messages it receives from the DHCP server. This section uses DHCPv4 snooping as an example.Ī DHCP snooping-enabled device forwards DHCP Request messages of users (DHCP clients) to an authorized DHCP server through the trusted interface. How Does DHCP Snooping Work?ĭHCP snooping has two modes: DHCPv4 snooping and DHCPv6 snooping. The differentiated policies for IP address allocation, accounting, and access control are configured on the DHCPv6 server. The LDRA function records only the client location information and forwards the information to the DHCPv6 server through Relay-Forward messages. The server assigns IP addresses and security policies to clients based on the client location information. ![]() The Switch can then obtain the location information of clients and forward the information to the DHCPv6 server. ![]() To solve this issue, the administrator enables DHCP snooping and LDRA on the Switch. Therefore, the server cannot assign specified IP addresses or policies to users on a certain interface. In the traditional process of allocating IPv6 addresses, the DHCPv6 server cannot obtain the physical locations of clients. The device implements Layer 2 forwarding based on MAC address entries. A MAC address entry includes the MAC address, VLAN ID, and interface number of the DHCP client. The device learns and generates dynamic MAC address entries, whereas static MAC address entries are configured using the CLI. ![]() To allow messages from non-DHCP users to pass through the interface, manually configure static MAC address entries for these users. Only the messages whose source MAC addresses match the static MAC address entries can pass through the user-side interface on the device, and other messages are discarded. To prevent attacks from non-DHCP users, enable the device to generate static MAC address entries based on the DHCP snooping binding table, and disable the interface from learning dynamic MAC address entries. This brings security risks for authorized DHCP users. On a DHCP network, users with static IP addresses may initiate attacks such as bogus DHCP server attacks and bogus DHCP Request message attacks. ![]() Defense Against Attacks from Non-DHCP Users ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
December 2022
Categories |