OL-11615-01
Switch(config-if)# switchport block unicast
Switch(config-if)# end
For more information on port unicast and multicast flood blocking on the Catalyst 4500 running Cisco
IOS, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_2_31s/conf/uniflood.htm
DHCP Snooping
DHCP snooping is a security feature capable of intercepting DHCP messages crossing a switch and
blocking bogus DHCP offers. DHCP snooping is available on Catalyst 6500 Series switches running
Cisco IOS and Catalyst OS software, and on Catalyst 4500 Series switches running Cisco IOS software.
DHCP snooping is required by other security features such as IP Source Guard and Dynamic ARP
Inspection.
DHCP snooping uses the concept of trusted and untrusted ports. Typically, the trusted ports are used to
reach DHCP servers or relay agents, while untrusted ports connect to clients. All DHCP messages are
allowed on trusted ports, while only DHCP client messages are accepted on untrusted ports. Because
neither servers nor relay agents are supposed to connect to untrusted ports, server messages like
DHCPOFFER, DHCPACK, and DHCPNAK are dropped on untrusted ports. In addition, DHCP
snooping builds and maintains a MAC-to-IP binding table that is used to validate DHCP packets received
from untrusted ports. DHCP snooping discards all untrusted DHCP packets not consistent with the
information in the binding table.
Note For DHCP snooping to function properly, all DHCP servers must be connected to the switch through
trusted interfaces.
The DHCP-snooping binding table contains the MAC address, IP address, lease time in seconds, and
VLAN port information for the DHCP clients on the untrusted ports of a switch. The information that is
contained in a DHCP-snooping binding table is removed from the binding table when its lease expires
or DHCP snooping is disabled in the VLAN.
The switch drops DHCP packets when any of these situations occur:
• The switch receives a packet from a DHCP server, such as a DHCPOFFER, DHCPACK,
DHCPNAK, or DHCPLEASEQUERY packet, on an untrusted port.
• The switch receives a packet on an untrusted port, and the source MAC address and the DHCP client
hardware address do not match (only on Catalyst 6500 with MAC address verification enabled).
• The switch receives a DHCPRELEASE or DHCPDECLINE message that contains a MAC address
in the DHCP snooping binding table, but the port information in the binding table does not match
the port on which the message was received.
• The switch receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0.
• The switch receives a packet that includes Option-82 information on an untrusted port.
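The following Python model is an added illustration, not code from Cisco or from this guide. It ties together the trusted/untrusted port behaviour described earlier and the drop rules listed above: it parses a minimal BOOTP/DHCP packet (RFC 2131 fixed header, options 53 and 82), keeps a simple binding table, and returns the decision a snooping switch would make for a packet arriving on a given port. The port names, the sample MAC addresses, the order in which the checks are applied, and the packet builder are all assumptions made for the example; the switch hardware does not necessarily evaluate the rules in this order.

```python
"""Model of DHCP snooping port trust and drop rules (added example, not Cisco code)."""
import struct
from dataclasses import dataclass, field

# DHCP message types carried in option 53 (RFC 2132); LEASEQUERY is RFC 4388.
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, LEASEQUERY = 1, 2, 3, 4, 5, 6, 7, 10
SERVER_MSGS = {OFFER, ACK, NAK, LEASEQUERY}   # only legitimate on trusted ports
MAGIC = b"\x63\x82\x53\x63"                   # DHCP magic cookie at offset 236
ZERO_IP = b"\x00" * 4


@dataclass
class Dhcp:
    src_mac: bytes      # Ethernet source address of the frame
    chaddr: bytes       # client hardware address from the BOOTP header (6 bytes)
    giaddr: bytes       # relay agent IP address (4 bytes)
    msg_type: int       # option 53 value
    has_option82: bool  # relay agent information option present


def parse_dhcp(src_mac: bytes, payload: bytes) -> Dhcp:
    """Parse the fixed BOOTP header and walk the options for 53 and 82."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    giaddr, chaddr = payload[24:28], payload[28:34]
    msg_type, has82, i = None, False, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad option, single byte
            i += 1
            continue
        if code == 255:        # end option
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53:
            msg_type = value[0]
        elif code == 82:
            has82 = True
        i += 2 + length
    if msg_type is None:
        raise ValueError("missing DHCP message type option")
    return Dhcp(src_mac, chaddr, giaddr, msg_type, has82)


def build_dhcp(msg_type: int, chaddr: bytes, giaddr: bytes = ZERO_IP,
               option82: bool = False) -> bytes:
    """Construct a minimal DHCP packet for the demo (constructed sample data)."""
    op = 2 if msg_type in SERVER_MSGS else 1          # BOOTREPLY or BOOTREQUEST
    hdr = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, 0x1234, 0, 0,
                      ZERO_IP, ZERO_IP, ZERO_IP, giaddr)   # 28 bytes
    hdr += chaddr + b"\x00" * 10                       # chaddr field is 16 bytes
    hdr += b"\x00" * 192 + MAGIC                       # sname + file, then cookie
    opts = bytes([53, 1, msg_type])
    if option82:
        opts += bytes([82, 4, 1, 2, 0, 1])             # sub-option 1: circuit-id
    return hdr + opts + b"\xff"


@dataclass
class Switch:
    trusted: set = field(default_factory=set)     # ports carrying servers/relays
    verify_mac: bool = True                        # Catalyst 6500 MAC verification
    bindings: dict = field(default_factory=dict)   # chaddr -> (ip, port) learned via DHCP


def check(sw: Switch, port: str, pkt: Dhcp) -> str:
    """Return 'forward' or 'drop: <reason>' according to the snooping rules."""
    if port in sw.trusted:                         # all DHCP messages allowed
        return "forward"
    if pkt.msg_type in SERVER_MSGS:
        return "drop: server message on untrusted port"
    if sw.verify_mac and pkt.src_mac != pkt.chaddr:
        return "drop: source MAC does not match chaddr"
    if pkt.msg_type in (RELEASE, DECLINE):
        binding = sw.bindings.get(pkt.chaddr)
        if binding and binding[1] != port:
            return "drop: RELEASE/DECLINE from a port other than the binding's"
    if pkt.giaddr != ZERO_IP:                      # clients never set giaddr
        return "drop: non-zero relay agent address"
    if pkt.has_option82:
        return "drop: option 82 on untrusted port"
    return "forward"


if __name__ == "__main__":
    sw = Switch(trusted={"Gi1/1"})
    client = bytes.fromhex("001122334455")
    sw.bindings[client] = ("10.0.0.5", "Gi1/2")   # learned from an earlier exchange
    for port, mac, pkt in [("Gi1/1", client, build_dhcp(OFFER, client)),
                           ("Gi1/2", client, build_dhcp(OFFER, client)),
                           ("Gi1/3", client, build_dhcp(RELEASE, client))]:
        print(port, check(sw, port, parse_dhcp(mac, pkt)))
```

Running the module prints one decision per sample packet: the offer on the trusted uplink is forwarded, the same offer from an access port (a rogue server) is dropped, and a release for a known client arriving on a port other than the one in the binding table is dropped.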
Conceptually, DHCP snooping on Catalyst 6500 and Catalyst 4500 Series switches works the same way.
However, there are some differences that should be noted:
Catalyst 6500 supports MAC address verification. When this feature is enabled, each time the switch
receives a DHCP packet on an untrusted port that belongs to a VLAN in which DHCP snooping is
enabled, the switch compares the source MAC address of the frame with the DHCP client hardware
address (chaddr). If the addresses match, the switch forwards the packet. If the addresses do not match, the switch drops the