Administrator Guide

DHCP MAC Source Address Validation
DHCP MAC source address validation (SAV) validates a DHCP packet’s source hardware address against the client hardware address field
(CHADDR) in the payload.
The system ensures that the packet’s source MAC address is checked against the CHADDR field in the DHCP header only for packets
from snooped VLANs.
Enable DHCP MAC SAV.
CONFIGURATION mode
ip dhcp snooping verify mac-address
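The comparison described above, modelled in Python as an added example (it is not Dell code or switch output). The function names, the snooped VLAN set, the sample MAC addresses and the constructed frames are assumptions, as is the choice to check only client-to-server messages (UDP 68 to 67) on 802.1Q-tagged frames.

```python
import struct

SNOOPED_VLANS = {10}                      # assumption: snooping enabled on VLAN 10
MAC_A = bytes.fromhex("020000000001")     # constructed sample addresses
MAC_B = bytes.fromhex("020000000002")

def build_frame(src_mac, chaddr, vlan, sport=68, dport=67):
    """Build a constructed 802.1Q-tagged DHCP frame for the demo."""
    bootp = bytes([1, 1, 6, 0]) + bytes(24) + chaddr + bytes(10)
    bootp += bytes(192) + b"\x63\x82\x53\x63"   # sname, file, magic cookie
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4)
    eth = b"\xff" * 6 + src_mac + struct.pack("!HHH", 0x8100, vlan, 0x0800)
    return eth + ip + udp

def dhcp_mac_sav(frame):
    """Return 'forward', 'drop' or 'not-checked' for one Ethernet frame."""
    if len(frame) < 18:
        return "not-checked"
    src_mac = frame[6:12]
    tpid, tci, ethertype = struct.unpack_from("!HHH", frame, 12)
    if tpid != 0x8100 or (tci & 0x0FFF) not in SNOOPED_VLANS:
        return "not-checked"              # only snooped VLANs are validated
    ip = 18
    if ethertype != 0x0800 or len(frame) < ip + 20 or frame[ip + 9] != 17:
        return "not-checked"              # not IPv4/UDP
    udp = ip + (frame[ip] & 0x0F) * 4     # honour IP options via IHL
    if len(frame) < udp + 8:
        return "not-checked"
    if struct.unpack_from("!HH", frame, udp) != (68, 67):
        return "not-checked"              # assumption: client messages only
    bootp = udp + 8
    if len(frame) < bootp + 44:
        return "drop"                     # truncated before end of CHADDR
    hlen = frame[bootp + 2]
    chaddr = frame[bootp + 28:bootp + 28 + hlen]
    return "forward" if chaddr == src_mac else "drop"

if __name__ == "__main__":
    for name, f in [("match", build_frame(MAC_A, MAC_A, 10)),
                    ("spoofed CHADDR", build_frame(MAC_A, MAC_B, 10)),
                    ("unsnooped VLAN", build_frame(MAC_A, MAC_B, 20))]:
        print(name, "->", dhcp_mac_sav(f))
```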
Enabling IP+MAC Source Address Validation
IP source address validation (SAV) validates the IP source address of an incoming packet against the DHCP snooping binding table.
IP+MAC SAV ensures that the IP source address and MAC source address are a legitimate pair, rather than validating each attribute
individually. You cannot configure IP+MAC SAV with IP SAV.
1 Allocate at least one FP block to the ipmacacl CAM region.
CONFIGURATION mode
cam-acl l2acl
2 Save the running-cong to the startup-cong.
EXEC Privilege mode
copy running-config startup-config
3 Reload the system.
EXEC Privilege
reload
4 Enable IP+MAC SAV.
INTERFACE mode
ip dhcp source-address-validation ipmac
5 Enable IP source address validation with VLAN option.
INTERFACE mode
ip dhcp source-address-validation ipmac vlan vlan-id
The system creates an ACL entry for each IP+MAC address pair in the binding table and applies it to the interface.
To display the IP+MAC ACL for an interface or for the entire system, use the
show ip dhcp snooping source-address-validation [interface] command in EXEC Privilege mode.
Viewing the Number of SAV Dropped Packets
The following output of the show ip dhcp snooping source-address-validation discard-counters command displays
the number of SAV dropped packets.
Dell>show ip dhcp snooping source-address-validation discard-counters
deny access-list on TenGigabitEthernet 0/0
Total cam count 1