CHAPTER 28

Configuring DHCP Filtering

This chapter describes the Dynamic Host Configuration Protocol (DHCP) Filtering feature and how to configure DHCP filtering.

This chapter contains the following topics:


Understanding Dynamic Host Configuration Protocol (DHCP) Filtering

DHCP filtering provides security by filtering untrusted DHCP messages. An untrusted message is a message that is received from outside the network or firewall and that can cause traffic attacks within the network.

You can use DHCP Filtering as a security measure against unauthorized DHCP servers. A known attack can occur when an unauthorized DHCP server responds to a client that is requesting an IP address. The unauthorized server can set the client's gateway to the IP address of the server itself. At that point, the client sends all of its IP traffic destined for other networks to the unauthorized machine, giving the attacker the opportunity to inspect traffic for passwords or to mount a 'man-in-the-middle' attack.

DHCP filtering works by allowing the administrator to configure each port as a trusted or untrusted port. The port to which the authorized DHCP server is attached should be configured as a trusted port. Any DHCP responses received on a trusted port are forwarded. All other ports should be configured as untrusted. Any DHCP (or BootP) responses received on the ingress side of an untrusted port are discarded; client requests are not affected.
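The following Python model, added here as an illustration and not part of the switch firmware or this guide, applies the trusted/untrusted rule to a BOOTP/DHCP payload. The trust table is constructed to mirror the "show ip dhcp filtering" output later in this chapter (only 1/0/11 trusted); the packet builder and the port names are assumptions for the demonstration.

```python
import struct

# Constructed trust table mirroring the "show ip dhcp filtering" output in this chapter:
# only port 1/0/11 (where the authorized DHCP server is attached) is trusted.
TRUSTED_PORTS = {"1/0/11"}

# BOOTP/DHCP 'op' field values (RFC 951): clients send BOOTREQUEST, servers send BOOTREPLY.
BOOTREQUEST, BOOTREPLY = 1, 2
# Fixed 236-byte BOOTP header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128).
BOOTP_HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = bytes([99, 130, 83, 99])

def build_bootp(op, xid, yiaddr=b"\0\0\0\0", chaddr=b"\xaa\xbb\xcc\xdd\xee\xff"):
    """Constructed minimal BOOTP/DHCP payload for testing (header plus magic cookie only)."""
    hdr = BOOTP_HEADER.pack(op, 1, 6, 0, xid, 0, 0,
                            b"\0" * 4, yiaddr, b"\0" * 4, b"\0" * 4,
                            chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC_COOKIE

def filter_dhcp(ingress_port, payload, filtering_enabled=True):
    """Apply the DHCP Filtering rule from the text: a server reply (BOOTREPLY)
    arriving on an untrusted port is discarded; everything else is forwarded.
    Returns (action, reason)."""
    if not filtering_enabled:
        return "forward", "switch DHCP filtering disabled"
    if len(payload) < BOOTP_HEADER.size:
        return "discard", "truncated BOOTP header"
    op = payload[0]
    if op == BOOTREPLY and ingress_port not in TRUSTED_PORTS:
        return "discard", "server reply on untrusted port %s" % ingress_port
    reason = "client request" if op == BOOTREQUEST else "reply on trusted port"
    return "forward", reason

def simulate():
    """Walk through the rogue-server scenario described above with constructed frames."""
    offer = build_bootp(BOOTREPLY, 0x1234, yiaddr=b"\xc0\xa8\x01\x64")
    return [
        filter_dhcp("1/0/3", build_bootp(BOOTREQUEST, 0x1234))[0],  # client DISCOVER
        filter_dhcp("1/0/5", offer)[0],   # rogue OFFER from an untrusted port
        filter_dhcp("1/0/11", offer)[0],  # OFFER from the authorized server port
    ]

if __name__ == "__main__":
    print(simulate())  # ['forward', 'discard', 'forward']
```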

The following limitations exist:


Configuring DHCP Filtering

The following CLI commands show examples of configuring DHCP Filtering for the switch and for individual interfaces.

Example 1: Enable DHCP Filtering for the Switch


config
     ip dhcp filtering
     exit
exit

Example 2: Enable DHCP Filtering for an Interface


config
     interface 0/11
           ip dhcp filtering trust
           exit
     exit

Example 3: Show DHCP Filtering Configuration


show ip dhcp filtering
 
Switch DHCP Filtering is Enabled
 
Interface    Trusted
-----------  ----------
1/0/1        No
1/0/2        No
1/0/3        No
1/0/4        No
1/0/5        No
1/0/6        No
1/0/7        No
1/0/8        No
1/0/9        No
1/0/10       No
1/0/11       Yes
1/0/12       No
1/0/13       No
1/0/14       No
1/0/15       No