Technical Manual

Additional features in the Catalyst family of switches, such as DHCP snooping, can be used to
help guard against a DHCP starvation attack. DHCP snooping is a security feature that filters
untrusted DHCP messages and builds and maintains a DHCP snooping binding table. The binding
table contains information such as the MAC address, IP address, lease time, binding type, VLAN
number and the interface information that corresponds to the local untrusted interfaces of a switch.
Untrusted messages are those received from outside the network or firewall. Untrusted switch
interfaces are ones that are configured to receive such messages from outside the network or firewall.
Other Catalyst switch features, such as IP source guard, can provide additional defense against attacks
such as DHCP starvation and IP spoofing. As with DHCP snooping, IP source guard is enabled on
untrusted Layer 2 ports. All IP traffic is initially blocked, except for DHCP packets captured by the
DHCP snooping process. Once a client receives a valid IP address from the DHCP server, a PACL is
applied to the port. This restricts the client IP traffic to those source IP addresses configured in the
binding. Any other IP traffic with a source address other than the addresses in the binding is filtered.
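The mechanism described above, as an added example that is not part of the original document or Cisco's code: a minimal Python model of the DHCP snooping binding table and the IP source guard check, showing why server replies and spoofed client MACs are dropped on untrusted ports and why only the leased (IP, MAC, VLAN, port) combination passes afterwards. Interface names, MAC addresses and IP addresses are constructed for the demonstration.

```python
from dataclasses import dataclass, field

# Added example, not part of the original document or Cisco's code: a minimal
# model of the DHCP snooping binding table and the IP source guard check.

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    interface: str

@dataclass
class Switch:
    trusted: set = field(default_factory=set)     # interfaces allowed to send server replies
    bindings: dict = field(default_factory=dict)  # (vlan, mac) -> Binding
    pending: dict = field(default_factory=dict)   # (vlan, chaddr) -> client's ingress interface

    def snoop(self, pkt):
        """DHCP snooping: returns 'forward' or 'drop' and updates the binding table."""
        key = (pkt["vlan"], pkt["chaddr"])
        if pkt["interface"] not in self.trusted:
            if pkt["type"] in ("OFFER", "ACK", "NAK"):
                return "drop"          # server messages on an untrusted port are rogue
            if pkt["src_mac"] != pkt["chaddr"]:
                return "drop"          # spoofed client: frame source MAC must match chaddr
            self.pending[key] = pkt["interface"]   # remember which port the client asked from
            return "forward"
        if pkt["type"] == "ACK" and key in self.pending:
            # A trusted server confirmed a lease for a client on an untrusted port: bind it.
            self.bindings[key] = Binding(pkt["chaddr"], pkt["yiaddr"], pkt["lease"],
                                         pkt["vlan"], self.pending.pop(key))
        return "forward"

    def source_guard(self, pkt):
        """IP source guard on an untrusted port: permit only DHCP or traffic matching a binding."""
        if pkt["interface"] in self.trusted:
            return "permit"
        if pkt.get("proto") == "dhcp":
            return "permit"            # DHCP is always allowed so the client can obtain a lease
        b = self.bindings.get((pkt["vlan"], pkt["src_mac"]))
        if b and b.ip == pkt["src_ip"] and b.interface == pkt["interface"]:
            return "permit"
        return "deny"                  # no binding for this (IP, MAC, VLAN, port): filtered
```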
Configure
This section presents the information needed to configure the Port Security, DHCP Snooping,
Dynamic ARP Inspection and IP Source Guard security features.
Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the
commands used in this section.
The Catalyst 3750 Switch configurations cover these features:
Port Security
DHCP Snooping
Dynamic ARP Inspection
IP Source Guard
Network Diagram
This document uses this network setup:
PC 1 and PC 3 are clients connected to the switch.
PC 2 is a DHCP server connected to the switch.
All ports of the switch are in the same VLAN (VLAN 1).
The DHCP server is configured to assign IP addresses to the clients based on their MAC addresses.