This chapter describes two security features:
• DHCP snooping, which monitors DHCP messages between a DHCP client and DHCP server to filter harmful DHCP messages and to build a database of authorized address bindings
• Dynamic ARP inspection, which uses the bindings database created by the DHCP snooping feature to reject invalid and malicious ARP packets
For information about...                  Refer to page...
DHCP Snooping Overview                    17-1
DHCP Snooping Commands                    17-4
Dynamic ARP Inspection Overview           17-15
Dynamic ARP Inspection Commands           17-20
DHCP Snooping Overview
DHCP snooping monitors DHCP messages between DHCP clients and DHCP servers to filter
harmful DHCP messages and to build a bindings database of {MAC address, IP address, VLAN
ID, port} tuples that are considered authorized.
DHCP snooping is disabled globally and on all VLANs by default. Ports are untrusted by default.
DHCP snooping must be enabled globally and on specific VLANs. Ports within the VLANs must
be configured as trusted or untrusted. DHCP servers must be reached through trusted ports.
DHCP snooping enforces the following security rules:
• DHCP packets from a DHCP server (DHCP OFFER, DHCP ACK, DHCP NAK) are dropped if received on an untrusted port.
• DHCP RELEASE and DHCP DECLINE messages are dropped if they are for a MAC address in the snooping database but the binding's interface in the database is different from the interface where the message was received.
• On untrusted interfaces, the switch drops DHCP packets whose source MAC address does not match the client hardware address. This feature is a configurable option.
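The three filtering rules above, modelled in a small Python simulation that is an added example and not part of the SecureStack C3 guide or its firmware. The binding table, port names (ge.1.x) and messages are constructed samples; the model keys bindings on MAC only and ignores the VLAN component of the tuple.

```python
# Added example (not from the SecureStack C3 guide): a minimal model of the
# DHCP snooping filter rules, applied to constructed DHCP messages.
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK", "NAK"}          # server-originated message types
CLIENT_EXIT_MSGS = {"RELEASE", "DECLINE"}      # messages that tear down a binding

@dataclass(frozen=True)
class DhcpMsg:
    kind: str       # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE, DECLINE
    src_mac: str    # Ethernet source MAC of the frame carrying the message
    chaddr: str     # client hardware address field inside the DHCP payload
    port: str       # ingress interface, e.g. "ge.1.5" (constructed names)

# Snooping bindings database: MAC -> (IP address, VLAN ID, port). Constructed.
BINDINGS = {
    "00:11:22:33:44:55": ("10.0.0.10", 10, "ge.1.5"),
}

def snoop(msg, trusted_ports, bindings=BINDINGS, mac_check=True):
    """Return None if the message is forwarded, otherwise the drop reason."""
    untrusted = msg.port not in trusted_ports
    # Rule 1: OFFER/ACK/NAK are only accepted from trusted ports, so a rogue
    # server on an access port cannot answer clients.
    if msg.kind in SERVER_MSGS and untrusted:
        return "server message on untrusted port"
    # Rule 2: RELEASE/DECLINE for a MAC already in the database must arrive on
    # the interface recorded in that binding; unknown MACs are not checked.
    if msg.kind in CLIENT_EXIT_MSGS:
        binding = bindings.get(msg.chaddr.lower())
        if binding is not None and binding[2] != msg.port:
            return "release/decline from wrong interface"
    # Rule 3 (configurable): on untrusted ports the frame source MAC must equal
    # the chaddr field, so a host cannot request leases on another MAC's behalf.
    if mac_check and untrusted and msg.src_mac.lower() != msg.chaddr.lower():
        return "source MAC does not match client hardware address"
    return None
```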
DHCP Message Processing
The hardware identifies all incoming DHCP packets on ports where DHCP snooping is enabled.
On untrusted ports, the hardware traps all incoming DHCP packets to the CPU. On trusted ports,
DHCP Snooping and Dynamic ARP Inspection (Chapter 17, SecureStack C3 Configuration Guide, page 17-1)