Reference Guide
318 | Dynamic Host Configuration Protocol (DHCP)
www.dell.com | support.dell.com
Source Address Validation
Using the DHCP binding table, FTOS can perform three types of source address validation (SAV):
• Enabling IP Source Address Validation: prevents IP spoofing by forwarding only IP packets that have
been validated against the DHCP binding table.
• DHCP MAC Source Address Validation: verifies a DHCP packet’s source hardware address matches
the client hardware address field (CHADDR) in the payload.
• Enabling IP+MAC Source Address Validation: verifies that the IP source address and MAC source
address are a legitimate pair.
Enabling IP Source Address Validation
IP source address validation prevents IP spoofing by forwarding only IP packets that have been validated
against the DHCP binding table.
A spoofed IP packet is one in which the IP source address is strategically chosen to disguise the attacker.
For example, using ARP spoofing, an attacker can assume a legitimate client’s identity and receive traffic
addressed to it. Then the attacker can spoof the client’s IP address to interact with other clients.
The DHCP binding table associates addresses assigned by the DHCP servers, with the port on which the
requesting client is attached. When you enable IP source address validation on a port, the system verifies
that the source IP address is one that is associated with the incoming port. If an attacker is impostering as a
legitimate client, the source address appears on the wrong ingress port and the system drops the packet.
Likewise, if the IP address is fake, the address will not be on the list of permissible addresses for the port,
and the packet is dropped.
To enable IP source address validation, follow this step:
DHCP MAC Source Address Validation
DHCP MAC source address validation validates a DHCP packet’s source hardware address against the
client hardware address field (CHADDR) in the payload.
FTOS Release 8.2.1.1 ensures that the packet’s source MAC address is checked against the CHADDR
field in the DHCP header only for packets from snooped VLANs.
To enable DHCP MAC source address validation, follow this step:
Task Command Syntax Command Mode
Enable IP Source Address Validation
ip dhcp source-address-validation
INTERFACE
Task Command Syntax Command Mode
Enable DHCP MAC Source Address
Validation.
ip dhcp snooping verify mac-address
CONFIGURATION