Enterasys SecureStack C2 C2G170-24

Enterasys SecureStack C2 C2G170-24

698 pages

To Next Page

To Next Page

To Previous Page

To Previous Page

Loading...

SecureStack C2 Configuration Guide 17-1

17

DHCP Snooping and

Dynamic ARP Inspection

Thischapterdescribestwosecurityfeatures:

•DHCPsnooping,whichmonitorsDHCPmessagesbetweenaDHCPclientandDHCPserver

tofilterharmfulDHCPmessagesandtobuildadatabaseofauthorizedaddressbindings

• DynamicARPinspection,whichusesthebindingsdatabasecreatedbytheDHCPsnooping

featuretorejectinvalidand

maliciousARPpackets

DHCP Snooping Overview

DHCPsnoopingmonitorsDHCPmessagesbetweenDHCPclientsandDHCPserverstofilter

harmfulDHCPmessagesandtobuildabindingsdatabaseof{MACaddress,IPaddress,VLAN

ID,port}tuplesthatareconsideredauthorized.

DHCPsnoopingisdisabledgloballyandonallVLANsbydefault.Portsareuntrustedbydefault.



DHCPsnoopingmustbeenabledgloballyandonspecificVLANs.PortswithintheVLANsmust

beconfiguredastrustedoruntrusted.DHCPserversmustbereachedthroughtrustedports.

DHCPsnoopingenforcesthefollowingsecurityrules:

•DHCPpacketsfromaDHCPserver(DHCPOFFER,DHCPACK,DHCPNAK)aredroppedif

receivedonanuntrustedport.

•DHCPRELEASEandDHCPDECLINEmessagesaredroppediftheyareforaMACaddress

inthesnoopingdatabasebutthebindingʹsinterfaceinthedatabaseisdifferentfromthe

interfacewherethemessagewasreceived.

•Onuntrustedinterfaces,theswitchdropsDHCPpacketswhosesource

MACaddressdoesnot

matchtheclienthardwareaddress.Thisfeatureisaconfigurableoption.

DHCP Message Processing

ThehardwareidentifiesallincomingDHCPpacketsonportswhereDHCPsnoopingisenabled.

Onuntrustedports,thehardwaretrapsallincomingDHCPpacketstotheCPU.Ontrustedports,

For information about... Refer to page...

DHCP Snooping Overview 17-1

DHCP Snooping Commands 17-4

Dynamic ARP Inspection Overview 17-16

Dynamic ARP Inspection Commands 17-20

Table of Contents

Other manuals for Enterasys SecureStack C2 C2G170-24

Hardware Installation Guide74 pages

Related product manuals

Preview: SecureStack C2 C2G124-24

SecureStack C2 C2G124-24

Preview: Enterasys SecureStack C2

Enterasys SecureStack C2

Preview: SecureStack A2 A2H124-24

SecureStack A2 A2H124-24

Preview: SecureStack B3 B3G124-48

SecureStack B3 B3G124-48

SecureStack A2 A2H254-16

Preview: SecureStack B3 B3G124-24P

SecureStack B3 B3G124-24P

Preview: SecureStack B2 B2G124-48P

SecureStack B2 B2G124-48P

Enterasys SSA-G1018-0652

Preview: Enterasys C3G124-24

Enterasys C3G124-24

Preview: Enterasys B5G124-24

Enterasys B5G124-24

Preview: Enterasys 08H20G4-24

Enterasys 08H20G4-24

Preview: Enterasys Matrix-V V2H124-24

Enterasys Matrix-V V2H124-24