130
enableNetList : enable deny
4.2. Configuring DHCP Snooping, DAI, and IPSG
Dynamic Host Configuration Protocol (DHCP) Snooping, IP Source Guard (IPSG), and Dynamic ARP Inspection
(DAI) are layer 2 security features that examine traffic to help prevent accidental and malicious attacks on
the switch or network.
DHCP Snooping monitors DHCP messages between a DHCP client and DHCP server to filter harmful DHCP
messages and to build a bindings database. The IPSG and DAI features use the DHCP Snooping bindings
database to help enforce switch and network security.
IP Source Guard allows the switch to drop incoming packets that do not match a binding in the bindings
database. Dynamic ARP Inspection allows the switch to drop ARP packets whose sender MAC address and
sender IP address do not match an entry in the DHCP snooping bindings database.
4.2.1. DHCP Snooping Overview
Dynamic Host Configuration Protocol (DHCP) Snooping is a security feature that monitors DHCP messages
between a DHCP client and DHCP server to accomplish the following tasks:
ï‚·
Filter harmful DHCP messages
ï‚·
Build a bindings database with entries that consist of the following information:
– MAC address
– IP address
– VLAN ID
– Client port
Entries in the bindings database are considered to be authorized network clients.
DHCP snooping can be enabled on VLANs, and the trust status (trusted or untrusted) is specified on
individual physical ports or Port-channels that are members of a VLAN. When a port or Port-channel is
configured as untrusted, it could potentially be used to launch a network attack. DHCP servers must be
reached through trusted ports.
DHCP snooping enforces the following security rules:
ï‚·
DHCP packets from a DHCP server (DHCPOFFER, DHCPACK, DHCPNAK,
DHCPLEASEQUERY)
are
dropped if they are received on an untrusted port.
To Next Page
Loading...
Need help?
General