Dhcp Snooping; How Dhcp Snooping Works - Dell PowerConnect B-RX Configuration Manual

35

DHCP snooping

TABLE 166
This field...
Type
Status
DHCP snooping
NOTE
This feature is only supported on Layer 3 code.
Dynamic Host Configuration Protocol (DHCP) snooping enables the Brocade device to filter
untrusted DHCP packets in a subnet. DHCP snooping can ward off MiM attacks, such as a
malicious user posing as a DHCP server sending false DHCP server reply packets with the intention
of misdirecting other users. DHCP snooping can also stop unauthorized DHCP servers and prevent
errors due to user mis-configuration of DHCP servers.
Often DHCP snooping is used together with Dynamic ARP Inspection and IP Source Guard.

How DHCP snooping works

When enabled on a VLAN, DHCP snooping stands between untrusted ports (those connected to
host ports) and trusted ports (those connected to DHCP servers). A VLAN with DHCP snooping
enabled forwards DHCP request packets from clients and discards DHCP server reply packets on
untrusted ports, and it forwards DHCP server reply packets on trusted ports to DHCP clients, as
shown in the following figures.
1006
show arp command (Continued)
Displays....
The ARP type, which can be one of the following:
•
Dynamic – The Layer 3 Switch learned the entry
from an incoming packet on a trusted port.
•
Inspect (Inspection ARP) – The entry from a
statically configured IP/MAC mapping, where the
port was initially unspecified.
•
Dhcp (DHCP-Snooping ARP) – The Layer 3 Switch
learned the entry from DHCP.
The status, which can be one of the following:
•
Valid – The ARP entry was resolved with the
correct IP/MAC mapping. Static ARP entries are
always valid.
•
Pending – The ARP entry is not yet resolved.
BigIron RX Series Configuration Guide
53-1002253-01