Reference Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S4820T

281

282

283

284

285

286

287

288

289

290

When you enable DHCP snooping, the relay agent builds a binding table — using DHCPACK messages — containing the

client MAC address, IP addresses, IP address lease time, port, VLAN ID, and binding type. Every time the relay agent

receives a DHCPACK on a trusted port, it adds an entry to the table.

The relay agent checks all subsequent DHCP client-originated IP traffic (DHCPRELEASE, DHCPNACK, and

DHCPDECLINE) against the binding table to ensure that the MAC-IP address pair is legitimate and that the packet

arrived on the correct port. Packets that do not pass this check are forwarded to the server for validation. This

checkpoint prevents an attacker from spoofing a client and declining or releasing the real client’s address. Server-

originated packets (DHCPOFFER, DHCPACK, and DHCPNACK) that arrive on a not trusted port are also dropped. This

checkpoint prevents an attacker from acting as an imposter as a DHCP server to facilitate a man-in-the-middle attack.

Binding table entries are deleted when a lease expires, or the relay agent encounters a DHCPRELEASE, DHCPNACK, or

DHCPDECLINE.

FTOS Behavior: Introduced in FTOS version 7.8.1.0, DHCP snooping was available for Layer 3 only and dependent on

DHCP relay agent (ip helper-address). FTOS version 8.2.1.0 extends DHCP snooping to Layer 2 and you do not

have to enable relay agent to snoop on Layer 2 interfaces.

FTOS Behavior: Binding table entries are deleted when a lease expires or when the relay agent encounters a

DHCPRELEASE. Starting with FTOS version 8.2.1.2, line cards maintain a list of snooped VLANs. When the binding table is

exhausted, DHCP packets are dropped on snooped VLANs, while these packets are forwarded across non-snooped

VLANs. Because DHCP packets are dropped, no new IP address assignments are made. However, DHCPRELEASE and

DHCPDECLINE packets are allowed so that the DHCP snooping table can decrease in size. After the table usage falls

below the maximum limit of 4000 entries, new IP address assignments are allowed.

NOTE: DHCP server packets are dropped on all not trusted interfaces of a system configured for DHCP snooping.

To prevent these packets from being dropped, configure ip dhcp snooping trust on the server-connected

port.

Enabling DCHP Snooping

To enable DCHP snooping, use the following commands.

1. Enable DHCP snooping globally.

CONFIGURATION mode

ip dhcp snooping

2. Specify ports connected to DHCP servers as trusted.

INTERFACE mode

ip dhcp snooping trust

3. Enable DHCP snooping on a VLAN.

CONFIGURATION mode

ip dhcp snooping vlan name

Adding a Static Entry in the Binding Table

To add a static entry in the binding table, use the following command.

• Add a static entry in the binding table.

EXEC Privilege mode

ip dhcp snooping binding mac

Clearing the Binding Table

To clear the binding table, use the following command.

• Delete all of the entries in the binding table.

EXEC Privilege mode

287