Users Guide

974 Snooping and Inspecting Traffic
What Is DHCP Snooping?
Dynamic Host Configuration Protocol (DHCP) Snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP server to accomplish the following tasks:
- Ensure that only authorized DHCP clients are able to utilize the network.
- Designate which ports are connected to trusted DHCP servers and drop DHCP messages from servers connected to untrusted ports.
- Build an authorized DHCP client bindings database with entries that consist of the following information:
  - MAC address
  - IP address
  - VLAN ID
  - Client port
  - Type (static or dynamic)
  - Lease time
Entries in the bindings database are considered to be authorized network clients. DHCP clients can exchange messages with DHCP servers connected via trusted ports. DHCP client messages are never forwarded to untrusted ports.
DHCP snooping can be enabled on VLANs, and the trust status (trusted or untrusted) is specified on individual physical ports or LAGs that are members of the VLAN. When a port or LAG is configured as untrusted, it could potentially be used to launch a network attack. DHCP snooping protects against attacks on untrusted ports. DHCP servers must be reached through trusted ports. DHCP clients are configured on untrusted ports.
DHCP snooping enforces the following security rules:
- DHCP packets from a DHCP server (DHCPOFFER, DHCPACK, DHCPNAK, DHCPRELEASEQUERY) are dropped if they are received on an untrusted port, and a warning-level message is logged if invalid DHCP packet logging is enabled. DHCP client-originated messages are never forwarded over untrusted ports.
- DHCPRELEASE and DHCPDECLINE messages are dropped if the MAC address is found in the snooping database but the binding's interface is other than the interface where the message was received.
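The following is an added example, not the switch's own implementation, that models the rules above as a small filter: server messages are accepted only on trusted ports, a DHCPACK populates the bindings database with the client's port, client messages are forwarded only toward trusted ports, and a DHCPRELEASE or DHCPDECLINE arriving on a port other than the one in the binding is dropped. The port names, MAC addresses and addresses are constructed for illustration; the `mac` argument is the client hardware address (chaddr) carried in both directions.

```python
from dataclasses import dataclass, field

# Server-originated message types named on the page (the lease-query message
# listed there is treated the same way; only the three common ones are modelled).
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}

@dataclass
class Binding:
    """One entry of the bindings database, with the fields listed on the page."""
    mac: str
    ip: str
    vlan: int
    port: str
    entry_type: str = "dynamic"
    lease: int = 0

@dataclass
class Snooper:
    trusted: frozenset                              # ports leading to real DHCP servers
    bindings: dict = field(default_factory=dict)    # client MAC -> Binding
    pending: dict = field(default_factory=dict)     # client MAC -> port of its last request
    log: list = field(default_factory=list)         # warning-level messages

    def handle(self, msg, mac, port, vlan, ip=None, lease=0):
        """Apply the snooping rules to one DHCP message received on `port`.
        Returns the set of egress ports; an empty set means the message is dropped."""
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                # Rogue-server defence: server replies on untrusted ports are dropped.
                self.log.append(f"WARNING: {msg} for {mac} on untrusted port {port} dropped")
                return set()
            client_port = self.pending.get(mac)
            if msg == "DHCPACK" and client_port is not None:
                # Lease confirmed by a trusted server: record the client as authorized.
                self.bindings[mac] = Binding(mac, ip, vlan, client_port, "dynamic", lease)
            return {client_port} if client_port else set()
        if msg in ("DHCPRELEASE", "DHCPDECLINE"):
            b = self.bindings.get(mac)
            if b is not None and b.port != port:
                # Binding exists but on another interface: spoofed release/decline.
                self.log.append(f"WARNING: {msg} for {mac} on {port}, bound to {b.port}, dropped")
                return set()
            if b is not None and msg == "DHCPRELEASE":
                del self.bindings[mac]              # client gave the lease back
        else:
            self.pending[mac] = port                # remember the client port until the ACK
        # Client-originated messages go to trusted ports only, never to untrusted ones.
        return set(self.trusted) - {port}
```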