Switch User Manual

SecureStack C3 Configuration Guide 17-1

DHCP Snooping and

Dynamic ARP Inspection

Thischapterdescribestwosecurityfeatures:

•DHCPsnooping,whichmonitorsDHCPmessagesbetweenaDHCPclientandDHCPserver

tofilterharmfulDHCPmessagesandtobuildadatabaseofauthorizedaddressbindings

• DynamicARPinspection,whichusesthebindingsdatabasecreatedbytheDHCPsnooping

featuretorejectinvalidand

maliciousARPpackets

DHCP Snooping Overview

DHCPsnoopingmonitorsDHCPmessagesbetweenDHCPclientsandDHCPserverstofilter

harmfulDHCPmessagesandtobuildabindingsdatabaseof{MACaddress,IPaddress,VLAN

ID,port}tuplesthatareconsideredauthorized.

DHCPsnoopingisdisabledgloballyandonallVLANsbydefault.Portsareuntrustedbydefault.



DHCPsnoopingmustbeenabledgloballyandonspecificVLANs.PortswithintheVLANsmust

beconfiguredastrustedoruntrusted.DHCPserversmustbereachedthroughtrustedports.

DHCPsnoopingenforcesthefollowingsecurityrules:

•DHCPpacketsfromaDHCPserver(DHCPOFFER,DHCPACK,DHCPNAK)aredroppedif

receivedonanuntrustedport.

•DHCPRELEASEandDHCPDECLINEmessagesaredroppediftheyareforaMACaddress

inthesnoopingdatabasebutthebindingʹsinterfaceinthedatabaseisdifferentfromthe

interfacewherethemessagewasreceived.

•Onuntrustedinterfaces,theswitchdropsDHCPpacketswhosesource

MACaddressdoesnot

matchtheclienthardwareaddress.Thisfeatureisaconfigurableoption.

DHCP Message Processing

ThehardwareidentifiesallincomingDHCPpacketsonportswhereDHCPsnoopingisenabled.

Onuntrustedports,thehardwaretrapsallincomingDHCPpacketstotheCPU.Ontrustedports,

For information about... Refer to page...

DHCP Snooping Overview 17-1

DHCP Snooping Commands 17-4

Dynamic ARP Inspection Overview 17-15

Dynamic ARP Inspection Commands 17-20