Cisco Systems ME3400G2CSA DHCP Server, DHCP Relay Agent, DHCP Snooping

18-2

Cisco ME 3400 EthernetAccess Switch SoftwareConfiguration Guide

78-17058-01

Chapter18 Configuring DHCP Features and IP Source Guard

Understanding DHCP Features

DHCP Server

The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP

clients and manages them. If the DHCP server cannot give the DHCP client the requested configuration

parameters from its database, it can forward the request to one or mo re secondary DHCP servers defined

by the network administrator. The Cisco ME switch cannot be a DHCP server.

DHCP Relay Agent

A DHCP relay agent is a Layer 3 device that forwards DHCP packets between clien ts and serv ers. Relay

agents forward requests and replies between clients and servers when they are n ot on the same physical

subnet. Relay agent forwarding is different from the normal Layer 2 forwarding, in which IP datagrams

are switched transparently between networks. Relay agents receive DHCP messages and generate new

DHCP messages to send on egress interfaces.

DHCP Snooping

DHCP snooping is a DHCP security feature that provides network security by filtering unt rusted D HCP

messages and by building and maintaining a DHCP snooping binding database, also referred to as a

DHCP snooping binding table. For more information about this database, see the “Displaying DHCP

Snooping Information” section on page 18-13.

DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. You use DHCP snooping

to differentiate between untrusted interfaces connected to the end user and trusted interfaces connected

to the DHCP server or another switch.

Note For DHCP snooping to function properly, all DHCP servers must be connected to th e sw itc h t hro ugh

trusted interfaces.

An untrusted DHCP message is a message that is received from outside the network or firewall. When

you use DHCP snooping in a service-provider environment, an untrusted message is sent f rom a device

that is not in the service-provider network, such as a customer’s switch. Messages f rom unknown devices

are untrusted because they can be sources of traffic attacks.

The DHCP snooping binding database has the MAC address, the IP address, the lease time, the binding

type, the VLAN number, and the interface information that correspon ds to the local untrusted interfaces

of a switch. It does not have information regarding hosts interconnected with a trusted interface.

In a service-provider network, a trusted interface is connect ed to a p ort on a de v ice in the sam e netw ork.

An untrusted interface is connected to an untrusted interface in the netwo rk or to a n interfac e on a de vice

that is not in the network.

When a switch receives a packet on an untrusted i nterface and the interface belongs to a VLAN in which

DHCP snooping is enabled, the switch compares the source MAC address and the DHCP client hardware

address. If the addresses match (the default), the switch forwards the packet. If the addresses do not

match, the switch drops the packet.