Reference Guide
CONFIGURATION mode
ipv6 dhcp snooping verify mac-address
Drop DHCP Packets on Snooped VLANs Only
Binding table entries are deleted when a lease expires or the relay agent encounters a DHCPRELEASE.
Line cards maintain a list of snooped VLANs. When the binding table fills, DHCP packets are dropped only on snooped VLANs,
while such packets are forwarded across non-snooped VLANs. Because DHCP packets are dropped, no new IP address
assignments are made. However, DHCP release and decline packets are allowed so that the DHCP snooping table can decrease
in size. After the table usage falls below the maximum limit of 4000 entries, new IP address assignments are allowed.
To view the number of entries in the table, use the show ip dhcp snooping binding command. This output displays the
snooping binding table created using the ACK packets from the trusted port.
Dell#show ip dhcp snooping binding
Codes : S - Static D - Dynamic
IP Address MAC Address Expires(Sec) Type VLAN Interface
================================================================
10.1.1.251 00:00:4d:57:f2:50 172800 D Vl 10 Te 0/2
10.1.1.252 00:00:4d:57:e6:f6 172800 D Vl 10 Te 0/1
10.1.1.253 00:00:4d:57:f8:e8 172740 D Vl 10 Te 0/3
10.1.1.254 00:00:4d:69:e8:f2 172740 D Vl 10 Te 0/50
Total number of Entries in the table : 4
Dynamic ARP Inspection
Dynamic address resolution protocol (ARP) inspection prevents ARP spoofing by forwarding only ARP frames that have been
validated against the DHCP binding table.
ARP is a stateless protocol that provides no authentication mechanism. Network devices accept ARP requests and replies from
any device. ARP replies are accepted even when no request was sent. If a client receives an ARP message for which a relevant
entry already exists in its ARP cache, it overwrites the existing entry with the new information.
The lack of authentication in ARP makes it vulnerable to spoofing. ARP spoofing is a technique attackers use to inject false IP-
to-MAC mappings into the ARP cache of a network device. It is used to launch man-in-the-middle (MITM), and denial-of-
service (DoS) attacks, among others.
A spoofed ARP message is one in which the MAC address in the sender hardware address field and the IP address in the sender
protocol field are strategically chosen by the attacker. For example, in an MITM attack, the attacker sends a client an ARP
message containing the attacker’s MAC address and the gateway’s IP address. The client then thinks that the attacker is the
gateway, and sends all internet-bound packets to it. Likewise, the attacker sends the gateway an ARP message containing the
attacker’s MAC address and the client’s IP address. The gateway then thinks that the attacker is the client and forwards all
packets addressed to the client to it. As a result, the attacker is able to sniff all packets to and from the client.
Other attacks using ARP spoofing include:
Broadcast
An attacker can broadcast an ARP reply that specifies FF:FF:FF:FF:FF:FF as the gateway’s MAC address,
resulting in all clients broadcasting all internet-bound packets.
MAC flooding An attacker can send fraudulent ARP messages to the gateway until the ARP cache is exhausted, after
which, traffic from the gateway is broadcast.
Denial of service An attacker can send a fraudulent ARP messages to a client to associate a false MAC address with the
gateway address, which would blackhole all internet-bound packets from the client.
NOTE: Dynamic ARP inspection (DAI) uses entries in the L2SysFlow CAM region, a sub-region of SystemFlow. One CAM
entry is required for every DAI-enabled VLAN. You can enable DAI on up to 16 VLANs on a system. However, the default
CAM profile allocates only nine entries to the L2SysFlow region for DAI. You can configure 10 to 16 DAI-enabled VLANs by
allocating more CAM space to the L2SysFlow region before enabling DAI.
SystemFlow has 102 entries by default. This region is comprised of two sub-regions: L2Protocol and L2SystemFlow.
L2Protocol has 87 entries; L2SystemFlow has 15 entries. Six L2SystemFlow entries are used by Layer 2 protocols, leaving
278 Dynamic Host Configuration Protocol (DHCP)