Specifications

SecureStack B2 Configuration Guide 18-1

DHCP Snooping and

Dynamic ARP Inspection

Thischapterdescribestwosecurityfeatures:

•DHCPsnooping,whichmonitorsDHCPmessagesbetweenaDHCPclientandDHCPserver

tofilterharmfulDHCPmessagesandtobuildadatabaseofauthorizedaddressbindings

• DynamicARPinspection,whichusesthebindingsdatabasecreatedbytheDHCPsnooping

featuretorejectinvalidand

maliciousARPpackets

DHCP Snooping Overview

DHCPsnoopingmonitorsDHCPmessagesbetweenDHCPclientsandDHCPserverstofilter

harmfulDHCPmessagesandtobuildabindingsdatabaseof{MACaddress,IPaddress,VLAN

ID,port}tuplesthatareconsideredauthorized.

DHCPsnoopingisdisabledgloballyandonallVLANsbydefault.Portsareuntrustedbydefault.



DHCPsnoopingmustbeenabledgloballyandonspecificVLANs.PortswithintheVLANsmust

beconfiguredastrustedoruntrusted.DHCPserversmustbereachedthroughtrustedports.

DHCPsnoopingenforcesthefollowingsecurityrules:

•DHCPpacketsfromaDHCPserver(DHCPOFFER,DHCPACK,DHCPNAK)aredroppedif

receivedonanuntrustedport.

•DHCPRELEASEandDHCPDECLINEmessagesaredroppediftheyareforaMACaddress

inthesnoopingdatabasebutthebindingʹsinterfaceinthedatabaseisdifferentfromthe

interfacewherethemessagewasreceived.

•Onuntrustedinterfaces,theswitchdropsDHCPpacketswhosesource

MACaddressdoesnot

matchtheclienthardwareaddress.Thisfeatureisaconfigurableoption.

DHCP Message Processing

ThehardwareidentifiesallincomingDHCPpacketsonportswhereDHCPsnoopingisenabled.

Onuntrustedports,thehardwaretrapsallincomingDHCPpacketstotheCPU.Ontrustedports,

For information about... Refer to page...

DHCP Snooping Overview 18-1

DHCP Snooping Commands 18-4

Dynamic ARP Inspection Overview 18-16

Dynamic ARP Inspection Commands 18-20