User's Manual

JadeOS User Manual
00:50:ba:50:77:06 13.0.7.20 300 D Gi 6/10
00:50:ba:50:76:DA 13.0.6.242 300 D Gi 6/10
00:50:ba:50:76:D8 13.0.6.237 300 D Gi 6/10
00:50:ba:50:76:D4 13.0.6.227 300 D Gi 6/10
Security Check
Using the binding table, the DHCP snooping module determines whether a DHCP message sent by a user is legal, and rejects illegal DHCP requests.
With MAC address detection enabled, DHCP snooping can prevent attacks by checking whether the MAC address in the DHCP message matches the source MAC address of the Ethernet frame.
To enable MAC address detection of DHCP snooping, use the following command in
config mode:
ip dhcp snooping verify mac-address enable
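The MAC address detection check described above, as an added example (not JadeOS code): a Python function that compares the chaddr field of a DHCP request with the Ethernet source MAC of the frame carrying it. It assumes untagged IPv4 frames from a directly attached client (no VLAN or QinQ tags, no relay); the function names and the sample MAC addresses are constructed for illustration.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie, follows the 236-byte BOOTP header

def chaddr_matches_source(frame: bytes) -> bool:
    """True if the DHCP chaddr field equals the Ethernet source MAC of the frame."""
    if len(frame) < 14 + 20 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an untagged IPv4 Ethernet frame")
    eth_src, ip = frame[6:12], frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    udp = ip[ihl:]
    if len(udp) < 8 or struct.unpack("!H", udp[2:4])[0] != 67:
        raise ValueError("not a client-to-server DHCP message")
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[236:240] != MAGIC:
        raise ValueError("truncated BOOTP header or missing DHCP cookie")
    htype, hlen = bootp[1], bootp[2]
    if htype != 1 or hlen != 6:        # only Ethernet hardware addresses are comparable
        return False
    return bootp[28:34] == eth_src     # chaddr starts at offset 28

def build_request(eth_src: bytes, chaddr: bytes) -> bytes:
    """Constructed sample input: a minimal DHCPDISCOVER in an Ethernet frame."""
    # op=1 (request), htype=1, hlen=6, hops=0, xid, secs, flags (broadcast bit set)
    bootp = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234, 0, 0x8000)
    # ciaddr/yiaddr/siaddr/giaddr (16), chaddr (16), sname + file (192)
    bootp += bytes(16) + chaddr.ljust(16, b"\x00") + bytes(192)
    bootp += MAGIC + b"\x35\x01\x01\xff"   # option 53 = DISCOVER, end option
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4)   # checksum left 0, not verified here
    return b"\xff" * 6 + eth_src + b"\x08\x00" + ip + udp

CLIENT = bytes.fromhex("0050ba507706")    # constructed sample client MAC
FORGED = bytes.fromhex("020000000001")    # constructed sample forged chaddr

def verdicts():
    """(honest request, request whose chaddr differs from the frame source)."""
    return (chaddr_matches_source(build_request(CLIENT, CLIENT)),
            chaddr_matches_source(build_request(CLIENT, FORGED)))

if __name__ == "__main__":
    print(verdicts())
```

A request whose chaddr differs from the frame's source MAC is the case the verify mac-address check rejects.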
Broadcast Suppression
With DHCP snooping enabled, JadeOS automatically records DHCP request information in the DHCP snooping session table. When it receives a broadcast message from a DHCP server, JadeOS looks up the corresponding host and exit port in the DHCP snooping table and changes the broadcast into a unicast. In this way, JadeOS achieves broadcast suppression.
To configure broadcast suppression on a QinQ interface, use the following command:
ip dhcp snooping enable
To display the DHCP snooping session table, use the following command:
show ip dhcp snooping session
6.6.5 ARP With DHCP
With ARP with DHCP enabled, DHCP issues to the system ARP table entries that combine the IP address distributed to the client with the client's MAC address, and at the same time ARP learning is disabled on the specified interface. The ARP table is therefore strictly checked by DHCP snooping, which ensures the legality of its entries and prevents ARP spoofing from interfering with users' online access and communication.
For example:
• Enable the ARP with DHCP function
Step 1 Configure update arp in the address pool:
(JadeOS) (config)#ip dhcp pool ABC
(JadeOS) (config-dhcp)#update arp
Step 2 Configure authorized ARP on the interface for the distributed IP addresses, and disable the ARP learning function:
(JadeOS) (config)#interface vlan 6