Table of Contents
Advertisement
Overview
You can use DHCP snooping to help avoid the Denial of Service attacks that
result from unauthorized users adding a DHCP server to the network that then
provides invalid configuration data to other DHCP clients on the network.
DHCP snooping accomplishes this by allowing you to distinguish between
trusted ports connected to a DHCP server or switch and untrusted ports
connected to end-users. DHCP packets are forwarded between trusted ports
without inspection. DHCP packets received on other switch ports are
inspected before being forwarded. Packets from untrusted sources are
dropped. Conditions for dropping packets are shown below.
Condition for Dropping a Packet
A packet from a DHCP server received on an untrusted port DHCPOFFER, DHCPACK,
If the switch is configured with a list of authorized DHCP
server addresses and a packet is received from a DHCP
server on a trusted port with a source IP address that is not
in the list of authorized DHCP server addresses.
Unless configured to not perform this check, a DHCP packet
received on an untrusted port where the DHCP client
hardware address field does not match the source MAC
address in the packet
Unless configured to not perform this check, a DHCP packet
containing DHCP relay information (option 82) received from
an untrusted port
A broadcast packet that has a MAC address in the DHCP
binding database, but the port in the DHCP binding database
is different from the port on which the packet is received
Configuring Advanced Threat Protection
DHCP Snooping
Packet Types
DHCPNACK
DHCPOFFER, DHCPACK,
DHCPNACK
N/A
N/A
DHCPRELEASE,
DHCPDECLINE
11-3
Hide quick links:
Advertisement
Table of Contents
