A, Introduction to DHCP Relay
can remove the need to have a DHCP server on each physical network segment with the DHCP Relay Agent, it can not deliver the message to the same physical subnet DHCP server, the message can be sent back to the server not in the same physical subnet as DHCP clients.
Two, DHCP Relay Principle
1 when dhcp dhcp client starts up and initialized, it will request packets in the local network broadcast configuration.
If the local network 2 dhcp Server exists, it may be dhcp configuration, no direct dhcp relay.
If the local network does not have 3 dhcp server, the network device having a function dhcprelay connected to the local network receives the broadcast packet will be forwarded to the appropriate treatment, and on other networks dhcp server specified.
4 dhcp server configuration corresponding dhcp client based on the information provided by the dhcp relay dhcp client configuration information to, complete dynamic configuration of the dhcp client.
In fact, from the beginning to the end of the configuration requires a plurality of such interaction.
1 dhcp relay apparatus corresponding field dhcp modify message, the dhcp broadcast packets into unicast packets, and responsible for conversion between the server and the client.
2 netcore router (2x05) as dhcp relay agent.
Three, DHCP Snooping
Plot: When the switch is turned on the DHCP-Snooping, DHCP packets have listener, and can be extracted from the received DHCP Request message or DHCP and the Ack records the IP address and MAC address information. In addition, DHCP-Snooping allows a physical port to port trusted or untrusted port. Trust ports can normally receive and forward the DHCP Offer packet, the port will not trust received DHCP Offer packet discarding. In this way, you can complete the shielding effect of the switch to fake DHCP Server, ensure that clients obtain IP addresses from valid DHCP Server.
Role: 1 cut off illegal dhcp server, configure the untrusted port.
2. DAI fit the switch to prevent the spread of the virus ARP.
3. Establish and maintain a dhcp-snooping binding table, this table first, through dhcp ack packet ip and mac address generation, and second, you can manually specified. This table is a follow-DAI (dynamic arp inspect) and IPSource Guard base. Both similar technology, this table is determined by ip or mac address is legitimate, to limit the users connected to the network.
4. the illegal DHCP server port by building trust and non-trust port isolation, trusted port forwards DHCP packets normal, after DHCPACK DHCP offer and untrusted server port to receive a response, do deal with loss, no forwarding.
DHCP snooping can also track the physical location of the host, thereby Defense (ARP) cache pollution ***. It plays an important role in the defense of these ***, since you can use DHCP snooping technology discarding some of the source and destination MAC address of the DHCP message does not meet the defined rules. Management will receive irregularities by DHCP snooping alert notification. When DHCP snooping service detects a violation, it logs a message "DHCP Snooping" on the syslog server.
DHCP snooping is a first step towards security layer 2 protocol traffic. Not only malicious DHCP server can cause network problems, they can also be used to forward sensitive traffic *** person and initiate middleman ***. If these measures do not, then we must consider implementing these defensive measures to ensure the security of the network infrastructure.
Configuration: