132
DHCP snooping can be configured on switching VLANs and routing VLANs. When a DHCP packet is received
on a routing VLAN, the DHCP snooping application applies its filtering rules and updates the bindings database.
If a client message passes filtering rules, the message is placed into the software forwarding path where it
may be processed by the DHCP relay agent, the local DHCP server, or forwarded as an IP packet.
4.2.1.3. DHCP Snooping Logging and Rate Limits
The DHCP snooping application processes incoming DHCP messages. For DHCPRELEASE and DHCPDECLINE
messages, the application compares the receive interface and VLAN with the client interface and VLAN in
the bindings database. If the interfaces do not match, the application logs the event and drops the message.
For valid client messages, DHCP snooping compares the source MAC address to the DHCP client hardware
address. When there is a mismatch, DHCP snooping drops the packet and generates a log message if logging
of invalid packets is enabled.
If DHCP relay co-exists with DHCP snooping, DHCP client messages are sent to DHCP relay for further
processing.
To prevent DHCP packets from being used as a DoS attack when DHCP snooping is enabled, the snooping
application enforces a rate limit for DHCP packets received on interfaces. DHCP snooping monitors the
receive rate on each interface separately. If the receive rate exceeds a configurable limit, DHCP snooping
brings down the interface. Administrative intervention is necessary to enable the port, either by using the
no shutdown command in Interface Config mode.
4.2.2. IP Source Guard Overview
IPSG is a security feature that filters IP packets based on source ID. This feature helps protect the network
from attacks that use IP address spoofing to compromise or overwhelm the network.
The source ID may be either the source IP address or a {source IP address, source MAC address} pair. You can
configure:
ï‚·
Whether enforcement includes the source MAC address
ï‚·
Static authorized source IDs
The DHCP snooping bindings database and static IPSG entries identify authorized source IDs. IPSG can be
enabled on physical and Port-channel ports.
If you enable IPSG on a port where DHCP snooping is disabled or where DHCP snooping is enabled but the
port is trusted, all IP traffic received on that port is dropped depending on the admin-configured IPSG
entries.
4.2.2.1. IPSG and Port Security
IPSG interacts with port security, also known as port MAC locking to enforce the source MAC address. Port
security controls source MAC address learning in the layer 2 forwarding database (MAC address table).
When a frame is received with a previously unlearned source MAC address, port security queries the IPSG
feature to determine whether the MAC address belongs to a valid binding.
To Next Page
Loading...
Need help?
General