The circuit ID and remote ID sub-options in Option 82 can be configured simultaneously or separately, and are independent of each other in terms of configuration sequence.

When the DHCP snooping device receives a DHCP response packet from the DHCP server, it deletes the Option 82 field, if present, before forwarding the packet. If the packet does not contain the Option 82 field, the device forwards it directly.

Overview of IP Filtering

In a denial-of-service (DoS) attack, an attacker sends a large number of forged address requests with different source IP addresses to the server so that the network cannot work normally. The specific effects are as follows:

• The resources on the server are exhausted, so the server does not respond to other requests.
• After receiving such packets, a switch needs to send them to the CPU for processing. Too many request packets cause high CPU usage. As a result, the CPU cannot work normally.

The switch can filter invalid IP packets through the DHCP-snooping table and the IP static binding table.

DHCP-snooping table

After DHCP snooping is enabled on a switch, a DHCP-snooping table is generated. It records the IP addresses obtained from the DHCP server, the MAC addresses, the number of the port through which a client is connected to the DHCP-snooping-enabled device, and the number of the VLAN to which the port belongs. These records are saved as entries in the DHCP-snooping table.

IP static binding table

The DHCP-snooping table only records information about clients that obtain IP addresses dynamically through DHCP. If a fixed IP address is configured for a client, the IP address and MAC address of the client cannot be recorded in the DHCP-snooping table. Consequently, this client cannot pass the IP filtering of the DHCP-snooping table, and so it cannot access external networks.

To solve this problem, the switch supports the configuration of static binding table entries, that is, the binding relationship between the IP address, the MAC address, and the port connecting to the client, so that packets of the client can be correctly forwarded.

IP filtering

The switch can filter IP packets in the following two modes:

• Filtering the source IP address in a packet. If the source IP address and the number of the port that receives the packet are consistent with entries in the DHCP-snooping table or static binding table, the switch regards the packet as valid and forwards it; otherwise, the switch drops it directly.
• Filtering the source IP address and the source MAC address in a packet. If the source IP address and source MAC address in the packet, and the number of the port that receives the packet, are consistent with entries in the DHCP-snooping table or static binding table, the switch regards the packet as valid and forwards it; otherwise, the switch drops it directly.
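The two filtering modes and the static-binding case described above, as an added Python model that is not the switch's implementation or code from this manual. The class and method names, port names and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    ip: ipaddress.IPv4Address
    mac: str
    port: str
    vlan: Optional[int] = None   # recorded for DHCP-learned entries only

class SourceFilter:
    """Toy model of IP filtering against the two binding tables."""

    def __init__(self, check_mac: bool):
        self.check_mac = check_mac   # False: IP + port; True: IP + MAC + port
        self.snooping = []           # entries learned from DHCP exchanges
        self.static = []             # entries configured by the administrator

    @staticmethod
    def _entry(ip, mac, port, vlan=None):
        # Normalise so "00:AA:.." and "00:aa:.." compare equal.
        return Binding(ipaddress.IPv4Address(ip), mac.lower(), port, vlan)

    def learn_lease(self, ip, mac, port, vlan):
        self.snooping.append(self._entry(ip, mac, port, vlan))

    def add_static(self, ip, mac, port):
        self.static.append(self._entry(ip, mac, port))

    def permits(self, src_ip, src_mac, in_port) -> bool:
        pkt = self._entry(src_ip, src_mac, in_port)
        for b in self.snooping + self.static:
            if b.ip == pkt.ip and b.port == pkt.port:
                if not self.check_mac or b.mac == pkt.mac:
                    return True      # consistent with an entry: forward
        return False                 # no consistent entry: drop

def build(check_mac: bool) -> SourceFilter:
    # Constructed sample: one DHCP client on a hypothetical port name.
    f = SourceFilter(check_mac)
    f.learn_lease("10.0.0.10", "00:11:22:33:44:55", "GE1/0/1", vlan=10)
    return f

if __name__ == "__main__":
    for mode in (False, True):
        f = build(mode)
        print("check_mac =", mode)
        print(" leased host     ", f.permits("10.0.0.10", "00:11:22:33:44:55", "GE1/0/1"))
        print(" unknown source  ", f.permits("10.0.0.99", "00:11:22:33:44:55", "GE1/0/1"))
        print(" mismatched MAC  ", f.permits("10.0.0.10", "de:ad:be:ef:00:01", "GE1/0/1"))
```

Only the second mode rejects a packet whose source MAC differs from the bound one, and a fixed-IP host is dropped in either mode until `add_static` records its binding.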