3Com Switch 7750 Configuration Guide

Configuring DHCP Snooping 627
There are two types of DHCP requests from DHCP clients, namely DHCP_DISCOVER and DHCP_REQUEST messages. Since some DHCP servers process Option 82 in DHCP_DISCOVER messages while others process it in DHCP_REQUEST messages, the DHCP snooping device adds Option 82 to both types of DHCP request.
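The rule above (insert Option 82 into both client request types, leave other message types alone) is easy to get wrong when the message type has to be recovered from the options field first. The following is an added example, not code from the 3Com guide or from the switch firmware: it parses the DHCP options TLV list, reads the message type from option 53, and appends Option 82 with a circuit-id and remote-id sub-option for DISCOVER (1) and REQUEST (3) only. The sample option fields, the circuit-id/remote-id values, and the choice to leave a request that already carries Option 82 untouched are all constructed assumptions for illustration.

```python
from typing import Dict, List, Optional, Tuple

# Option codes from RFC 2132 and the relay agent information option of RFC 3046
OPT_PAD, OPT_MESSAGE_TYPE, OPT_RELAY_AGENT_INFO, OPT_END = 0, 53, 82, 255
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST = 1, 2, 3
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2

TLVs = List[Tuple[int, bytes]]


def parse_tlvs(data: bytes, stop_at_end: bool = True) -> TLVs:
    """Decode a (code, length, value) list. For the top-level options field
    PAD (0) is skipped and END (255) terminates; the sub-options inside
    Option 82 use the same encoding without PAD/END, so pass stop_at_end=False."""
    out: TLVs = []
    i = 0
    while i < len(data):
        code = data[i]
        if stop_at_end and code == OPT_END:
            break
        if stop_at_end and code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        out.append((code, value))
        i += 2 + length
    return out


def encode_tlvs(tlvs: TLVs) -> bytes:
    return b"".join(bytes([code, len(value)]) + value for code, value in tlvs)


def message_type(tlvs: TLVs) -> Optional[int]:
    """Value of option 53, or None if the message carries none."""
    for code, value in tlvs:
        if code == OPT_MESSAGE_TYPE and len(value) == 1:
            return value[0]
    return None


def insert_option82(options: bytes, circuit_id: bytes, remote_id: bytes) -> bytes:
    """Return the options field with Option 82 appended for DISCOVER and REQUEST.
    Other message types are returned unchanged. Only the variable-length options
    field is handled here; the fixed 236-byte BOOTP header is not touched."""
    tlvs = parse_tlvs(options)
    if message_type(tlvs) not in (DHCPDISCOVER, DHCPREQUEST):
        return options
    # Assumption for this example: a request that already carries Option 82
    # (for instance one that crossed another relay) is forwarded as-is.
    if any(code == OPT_RELAY_AGENT_INFO for code, _ in tlvs):
        return options
    body = encode_tlvs([(SUBOPT_CIRCUIT_ID, circuit_id), (SUBOPT_REMOTE_ID, remote_id)])
    tlvs.append((OPT_RELAY_AGENT_INFO, body))
    return encode_tlvs(tlvs) + bytes([OPT_END])


def option82_suboptions(options: bytes) -> Dict[int, bytes]:
    """Map of sub-option code to value for the Option 82 in an options field."""
    for code, value in parse_tlvs(options):
        if code == OPT_RELAY_AGENT_INFO:
            return dict(parse_tlvs(value, stop_at_end=False))
    return {}


# Constructed sample options fields (magic cookie and BOOTP header omitted):
SAMPLE_DISCOVER = b"\x35\x01\x01\x37\x03\x01\x03\x06\xff"       # type=1, parameter list
SAMPLE_REQUEST = b"\x35\x01\x03\x32\x04\x0a\x00\x00\x0a\xff"    # type=3, requested IP 10.0.0.10
SAMPLE_OFFER = b"\x35\x01\x02\xff"                              # type=2, server -> client
# Constructed circuit-id (VLAN 100, slot 1, port 1) and remote-id values:
CIRCUIT_ID = b"\x00\x64\x01\x01"
REMOTE_ID = b"sw1"

if __name__ == "__main__":
    for name, field in (("DISCOVER", SAMPLE_DISCOVER), ("REQUEST", SAMPLE_REQUEST), ("OFFER", SAMPLE_OFFER)):
        out = insert_option82(field, CIRCUIT_ID, REMOTE_ID)
        print(name, out.hex(), option82_suboptions(out))
```

Running the block shows Option 82 appended to the DISCOVER and REQUEST samples (immediately before the END byte) and the OFFER passed through untouched, which is the behaviour the guide describes for the snooping device.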
Introduction to IP Filtering
A denial-of-service (DoS) attack is an attempt by an attacker to send a large number of forged address requests with different source IP addresses to the server so that the network cannot work normally. The specific effects are as follows:
- The resources on the server are exhausted, so the server does not respond to other requests.
- After receiving such packets, a switch needs to send them to the CPU for processing. Too many request packets cause a high CPU usage rate; as a result, the CPU cannot work normally.
The switch can filter invalid IP packets through the DHCP-snooping table and IP
static binding table.
DHCP-snooping table
After DHCP snooping is enabled on a switch, a DHCP-snooping table is generated. It records the IP addresses obtained from the DHCP server, the corresponding MAC addresses, the number of the port through which each client is connected to the DHCP-snooping-enabled device, and the number of the VLAN to which that port belongs. These records are saved as entries in the DHCP-snooping table.
IP static binding table
The DHCP-snooping table only records information about clients that obtain IP addresses dynamically through DHCP. If a fixed IP address is configured for a client, the IP address and MAC address of that client cannot be recorded in the DHCP-snooping table. Consequently, the client cannot pass the IP filtering based on the DHCP-snooping table and therefore cannot access external networks.
To solve this problem, the switch supports the configuration of static binding table entries, that is, the binding relationship between an IP address, a MAC address, and the port connecting to the client, so that packets of the client can be correctly forwarded.
IP filtering
The switch can filter IP packets in the following two modes:
- Filtering on the source IP address in a packet. If the source IP address and the number of the port that receives the packet are consistent with an entry in the DHCP-snooping table or the static binding table, the switch regards the packet as valid and forwards it; otherwise, the switch drops it directly.
- Filtering on the source IP address and the source MAC address in a packet. If the source IP address and source MAC address in the packet, together with the number of the port that receives the packet, are consistent with an entry in the DHCP-snooping table or the static binding table, the switch regards the packet as valid and forwards it; otherwise, the switch drops it directly.
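To make the two filtering modes concrete, the following added example (not code from the 3Com guide or the switch software) models the DHCP-snooping table and the static binding table in one lookup structure and runs both modes over a set of constructed packets. Entries are learned from DHCP ACKs and from operator-configured static bindings; the port names, MAC addresses, and the decision to ignore an ACK that does not arrive from a trusted port are assumptions of this example, not statements from the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Binding:
    """One entry of the DHCP-snooping table or the static binding table."""
    ip: str
    mac: str
    port: str
    vlan: Optional[int]  # assumption: static entries in this example carry no VLAN
    source: str          # "dhcp" or "static"


class BindingTable:
    """DHCP-snooping entries plus static bindings, keyed by IP address."""

    def __init__(self) -> None:
        self._entries: Dict[str, Binding] = {}

    def learn_from_dhcp_ack(self, client_mac: str, assigned_ip: str,
                            client_port: str, vlan: int,
                            ack_from_trusted_port: bool) -> bool:
        """Record a lease when a DHCP ACK is seen. Assumption for this example:
        an ACK that did not arrive on a trusted (server-facing) port is ignored,
        so a rogue server on an access port cannot populate the table."""
        if not ack_from_trusted_port:
            return False
        self._entries[assigned_ip] = Binding(assigned_ip, client_mac.lower(),
                                             client_port, vlan, "dhcp")
        return True

    def add_static(self, ip: str, mac: str, port: str) -> None:
        """Operator-configured IP/MAC/port binding for a client with a fixed address."""
        self._entries[ip] = Binding(ip, mac.lower(), port, None, "static")

    def forget(self, ip: str) -> None:
        """Remove an entry, for example on DHCP RELEASE or lease expiry."""
        self._entries.pop(ip, None)

    def lookup(self, ip: str) -> Optional[Binding]:
        return self._entries.get(ip)


def is_valid(table: BindingTable, src_ip: str, src_mac: str,
             in_port: str, mode: str) -> bool:
    """The two filtering modes from the guide.
    mode="ip":     source IP and ingress port must match an entry.
    mode="ip-mac": source IP, source MAC and ingress port must all match.
    Anything that does not match is dropped."""
    if mode not in ("ip", "ip-mac"):
        raise ValueError(f"unknown filtering mode: {mode}")
    entry = table.lookup(src_ip)
    if entry is None or entry.port != in_port:
        return False
    if mode == "ip-mac" and entry.mac != src_mac.lower():
        return False
    return True


def run_demo() -> List[Tuple[str, bool, bool]]:
    """Constructed scenario. Returns (label, forwarded in ip mode, forwarded in ip-mac mode)."""
    table = BindingTable()
    table.learn_from_dhcp_ack("00:11:22:33:44:55", "10.0.0.10", "GE1/0/1", 100, True)
    table.learn_from_dhcp_ack("00:11:22:33:44:66", "10.0.0.99", "GE1/0/9", 100, False)  # ignored
    table.add_static("10.0.0.20", "00:aa:bb:cc:dd:ee", "GE1/0/2")

    packets = [  # (label, source IP, source MAC, ingress port)
        ("dhcp client, correct port and mac", "10.0.0.10", "00:11:22:33:44:55", "GE1/0/1"),
        ("same ip seen on another port", "10.0.0.10", "00:11:22:33:44:55", "GE1/0/3"),
        ("correct ip and port, different mac", "10.0.0.10", "de:ad:be:ef:00:01", "GE1/0/1"),
        ("static-binding client", "10.0.0.20", "00:AA:BB:CC:DD:EE", "GE1/0/2"),
        ("unknown source ip", "10.0.0.77", "00:11:22:33:44:77", "GE1/0/7"),
        ("lease whose ack came from untrusted port", "10.0.0.99", "00:11:22:33:44:66", "GE1/0/9"),
    ]
    return [(label,
             is_valid(table, ip, mac, port, "ip"),
             is_valid(table, ip, mac, port, "ip-mac"))
            for label, ip, mac, port in packets]


if __name__ == "__main__":
    for label, ip_mode, ip_mac_mode in run_demo():
        print(f"{label:45s} ip-mode={'forward' if ip_mode else 'drop':8s} "
              f"ip-mac-mode={'forward' if ip_mac_mode else 'drop'}")
```

The third packet is the one that separates the modes: an address used from its bound port but with a different MAC passes source-IP filtering and is dropped only by source IP plus MAC filtering. The fourth packet shows why the static binding table exists: the fixed-address client would otherwise have no entry and be dropped in both modes.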