Operation Manual – DHCP
H3C S3100 Series Ethernet Switches
Chapter 2 DHCP Snooping Configuration

forwarding the packet, or will directly forward the packet if the packet does not contain the Option 82 field.

2.1.5 Overview of IP Filtering

In a denial-of-service (DoS) attack, an attacker sends a large number of forged address requests with different source IP addresses to the server so that the network cannot work normally. The specific effects are as follows:

• The resources on the server are exhausted, so the server does not respond to other requests.
• After receiving such packets, a switch needs to send them to the CPU for processing. Too many request packets cause high CPU usage. As a result, the CPU cannot work normally.

The switch can filter invalid IP packets through the DHCP-snooping table and IP static binding table.

I. DHCP-snooping table

After DHCP snooping is enabled on a switch, a DHCP-snooping table is generated. It is used to record IP addresses obtained from the DHCP server, MAC addresses, the number of the port through which a client is connected to the DHCP-snooping-enabled device, and the number of the VLAN to which the port belongs. These records are saved as entries in the DHCP-snooping table.

II. IP static binding table

The DHCP-snooping table only records information about clients that obtain IP addresses dynamically through DHCP. If a fixed IP address is configured for a client, the IP address and MAC address of the client cannot be recorded in the DHCP-snooping table. Consequently, this client cannot pass the IP filtering of the DHCP-snooping table, and thus it cannot access external networks.

To solve this problem, the switch supports the configuration of static binding table entries, that is, the binding relationship between IP address, MAC address, and the port connecting to the client, so that packets of the client can be correctly forwarded.

III. IP filtering

The switch can filter IP packets in the following two modes:

• Filtering the source IP address in a packet. If the source IP address and the number of the port that receives the packet are consistent with entries in the DHCP-snooping table or static binding table, the switch regards the packet as a valid packet and forwards it; otherwise, the switch drops it directly.
• Filtering the source IP address and the source MAC address in a packet. If the source IP address and source MAC address in the packet, and the number of the port that receives the packet are consistent with entries in the DHCP-snooping
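
The filtering decision described in this section, modelled in Python as an added example (not H3C code and not part of the original manual). The class and function names, addresses, MACs and port names are constructed for illustration, and the drop outcome in the IP-plus-MAC mode is assumed to mirror the IP-only mode.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: str
    vlan: Optional[int] = None  # static entries bind IP, MAC and port only


class IpFilter:
    """Toy model of the filtering decision; names are hypothetical."""

    def __init__(self, check_mac: bool):
        self.check_mac = check_mac  # False: IP + port; True: IP + MAC + port
        self.snooping = []          # entries learned from DHCP exchanges
        self.static = []            # entries configured by the administrator

    def permits(self, src_ip: str, src_mac: str, in_port: str) -> bool:
        for b in self.snooping + self.static:
            if b.ip != src_ip or b.port != in_port:
                continue
            if not self.check_mac or b.mac == src_mac.lower():
                return True   # consistent with a table entry: forward
        return False          # no consistent entry: drop


def run_demo() -> dict:
    # Constructed sample data (documentation addresses, made-up MACs and ports).
    results = {}
    for name, check_mac in (("ip_only", False), ("ip_mac", True)):
        f = IpFilter(check_mac)
        f.snooping.append(Binding("192.0.2.10", "00:11:22:33:44:55", "Ethernet1/0/1", 10))
        fixed = ("192.0.2.50", "00:aa:bb:cc:dd:ee", "Ethernet1/0/2")
        results[name] = {
            "dhcp_client": f.permits("192.0.2.10", "00:11:22:33:44:55", "Ethernet1/0/1"),
            "wrong_port": f.permits("192.0.2.10", "00:11:22:33:44:55", "Ethernet1/0/3"),
            "wrong_mac": f.permits("192.0.2.10", "00:de:ad:be:ef:00", "Ethernet1/0/1"),
            "fixed_ip_before": f.permits(*fixed),
        }
        f.static.append(Binding(*fixed))  # administrator adds the static binding
        results[name]["fixed_ip_after"] = f.permits(*fixed)
    return results


if __name__ == "__main__":
    for mode, outcome in run_demo().items():
        print(mode, outcome)
```

The two modes differ only on the `wrong_mac` case: a forged source MAC on the right port with a bound IP passes the IP-only check and fails the IP-plus-MAC check. The fixed-IP client is dropped in both modes until its static binding exists.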