DHCP Snooping; Overview - HP 2530 Manual Supplement


| Attempts... | Indicated by... |
|---|---|
| to deny switch service by filling the forwarding table | an increased number of learned MAC addresses or a high number of MAC address moves from one port to another |
| to exhaust available CPU resources | the discard of an increased number of learned MAC address events |

DHCP snooping

Command
dhcp-snooping
    authorized-server
    database
    option
    trust
    verify
    vlan
show dhcp-snooping
show dhcp-snooping stats
show dhcp-snooping binding
debug dhcp-snooping

Overview

You use DHCP snooping to help avoid Denial of Service attacks caused by unauthorized users
adding a DHCP server to the network that then provides invalid configuration data to other DHCP
network clients. DHCP snooping accomplishes this by letting you distinguish between trusted ports
connected to a DHCP server or switch and untrusted ports connected to end-users. DHCP packets
are forwarded between trusted ports without inspection. DHCP packets received on other switch
ports are inspected before being forwarded. Packets from untrusted sources are dropped. Conditions
for dropping packets are shown below.

| Condition for Dropping a Packet | Packet Types |
|---|---|
| A packet from a DHCP server received on an untrusted port. | DHCPOFFER, DHCPACK, DHCPNACK |
| If the switch is configured with a list of authorized DHCP server addresses and a packet is received from a DHCP server on a trusted port with a source IP address that is not in the list of authorized DHCP server addresses. | DHCPOFFER, DHCPACK, DHCPNACK |
| Unless configured to not perform this check, a DHCP packet received on an untrusted port where the DHCP client hardware address field does not match the source MAC address in the packet. | N/A |
| Unless configured to not perform this check, a DHCP packet containing DHCP relay information (option 82) received from an untrusted port. | N/A |
| A broadcast packet that has a MAC address in the DHCP binding database, but the port in the DHCP binding database is different from the port on which the packet is received. | DHCPRELEASE, DHCPDECLINE |
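
The drop conditions listed above can be modelled as a single decision function, which is useful when reasoning about which packets a given trust and authorized-server configuration will pass. This is an added example, not code from the HP manual or the switch firmware; the `Packet` and `Config` classes, the order of the checks, the binding lookup keyed by `chaddr`, and all MAC and IP addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNACK"}
RELEASE_MSGS = {"DHCPRELEASE", "DHCPDECLINE"}
@dataclass
class Packet:                      # simplified model, not a wire-format parser
    msg_type: str
    port: int                      # ingress switch port
    src_mac: str                   # Ethernet source MAC
    chaddr: str                    # DHCP client hardware address field
    src_ip: str = "0.0.0.0"
    option82: bool = False         # carries relay information
    broadcast: bool = False

@dataclass
class Config:
    trusted_ports: set
    authorized_servers: set = field(default_factory=set)  # empty: no list configured
    verify_mac: bool = True        # chaddr vs. source MAC check enabled
    drop_option82: bool = True     # option 82 check on untrusted ports enabled
    bindings: dict = field(default_factory=dict)          # MAC -> port it was learned on

def verdict(pkt, cfg):             # returns "forward" or "drop: <reason>"
    trusted = pkt.port in cfg.trusted_ports
    if pkt.msg_type in SERVER_MSGS:
        if not trusted:
            return "drop: server message on untrusted port"
        if cfg.authorized_servers and pkt.src_ip not in cfg.authorized_servers:
            return "drop: server not in authorized list"
    if trusted:
        return "forward"           # trusted ports get no further inspection
    if cfg.verify_mac and pkt.chaddr.lower() != pkt.src_mac.lower():
        return "drop: chaddr does not match source MAC"
    if cfg.drop_option82 and pkt.option82:
        return "drop: option 82 from untrusted port"
    bound = cfg.bindings.get(pkt.chaddr.lower())   # assumption: lookup keyed by chaddr
    if pkt.msg_type in RELEASE_MSGS and pkt.broadcast and bound not in (None, pkt.port):
        return "drop: binding exists on a different port"
    return "forward"

# Constructed sample: port 1 is the uplink to the DHCP server, ports 5 and 6 face users.
CFG = Config({1}, {"10.0.0.11"}, bindings={"00:11:22:33:44:55": 5})
SAMPLES = [
    Packet("DHCPOFFER", 6, "de:ad:be:ef:00:01", "00:11:22:33:44:55", "192.168.1.1"),
    Packet("DHCPACK", 1, "aa:aa:aa:aa:aa:01", "00:11:22:33:44:55", "10.0.0.99"),
    Packet("DHCPRELEASE", 6, "00:11:22:33:44:55", "00:11:22:33:44:55", broadcast=True),
    Packet("DHCPACK", 1, "aa:aa:aa:aa:aa:01", "00:11:22:33:44:55", "10.0.0.11"),
]
if __name__ == "__main__":
    print("\n".join(f"{p.msg_type} port {p.port}: {verdict(p, CFG)}" for p in SAMPLES))
```

The first three constructed packets are dropped (server message on an untrusted port, server outside the authorized list, release arriving on a port other than the bound one); the last, an ACK from the authorized server on the trusted uplink, is forwarded.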
Configuring advanced threat protection