Configuration manual

ManualsBrandsDell ManualsSoftwareForce10

321

322

323

324

325

326

327

328

329

330

Enabling IP Source Address Validation

IP source address validation (SAV) prevents IP spoofing by forwarding only IP packets that have been

validated against the DHCP binding table.

A spoofed IP packet is one in which the IP source address is strategically chosen to disguise the attacker.

For example, using ARP spoofing, an attacker can assume a legitimate client’s identity and receive traffic

addressed to it. Then the attacker can spoof the client’s IP address to interact with other clients.

The DHCP binding table associates addresses the DHCP servers assign, with the port on which the

requesting client is attached. When you enable IP source address validation on a port, the system verifies

that the source IP address is one that is associated with the incoming port. If an attacker is impostering as

a legitimate client, the source address appears on the wrong ingress port and the system drops the

packet. Likewise, if the IP address is fake, the address is not on the list of permissible addresses for the

port and the packet is dropped.

To enable IP source address validation, use the following command.

• Enable IP source address validation.

INTERFACE mode

ip dhcp source-address-validation

DHCP MAC Source Address Validation

DHCP MAC source address validation (SAV) validates a DHCP packet’s source hardware address against

the client hardware address field (CHADDR) in the payload.

The Dell Networking OS version 8.2.1.1 ensures that the packet’s source MAC address is checked against

the CHADDR field in the DHCP header only for packets from snooped VLANs.

• Enable DHCP MAC SAV.

CONFIGURATION mode

ip dhcp snooping verify mac-address

Enabling IP+MAC Source Address Validation

IP source address validation (SAV) validates the IP source address of an incoming packet against the

DHCP snooping binding table.

IP+MAC SAV ensures that the IP source address and MAC source address are a legitimate pair, rather than

validating each attribute individually. You cannot configure IP+MAC SAV with IP SAV.

1. Allocate at least one FP block to the ipmacacl CAM region.

CONFIGURATION mode

cam-acl l2acl

2. Save the running-config to the startup-config.

EXEC Privilege mode

copy running-config startup-config

3. Reload the system.

EXEC Privilege

reload

330

Dynamic Host Configuration Protocol (DHCP)