Overview, Trusted ports, Untrusted ports – Allied Telesis AT-GS950/24 User Manual

Chapter 16: DHCP Snooping

228

Overview

The DHCP Snooping feature provides security by inspecting ingress
packets for the correct IP and MAC address information. The DHCP
Snooping feature defines the AT-GS950/24 ports as either trusted or
untrusted. With DHCP Snooping enabled, two network security issues are
addressed:



All ingress DHCP packets are examined on the untrusted ports
and only authorized packets are passed through the switch.
Unwanted ingress DHCP packets are discarded. See
"Unauthorized DHCP Servers".



DHCP ingress packets on an untrusted port are inspected to insure
that the source IP Address and MAC Address combination in each
packet is valid when compared to the DHCP Snooping Binding
Table. If match is not found, the packet is discarded.

Trusted Ports

By definition, trusted ports inherently trust all ingress Ethernet traffic.
There is no checking or testing on ingress packets for this type of port. A
trusted port connects to a DHCP server in one of the following ways:



Directly to the legitimate trusted DHCP Server



A network device relaying DHCP messages to and from a trusted
server



Another trusted source such as a switch with DHCP Snooping
enabled.

Untrusted Ports

The Ethernet traffic on an untrusted port is inherently not trusted. The
ingress packets are consequently tested against specific criteria to
determine if they can be forwarded through the switch or should be
immediately discarded. Untrusted ports are connected to DHCP clients
and to traffic that originates outside of the LAN.

Unauthorized

DHCP Servers

Normally in a network, a single DHCP server exists in a local area network
(LAN). The DHCP server supplies network configuration information to
individual devices on the network including the assigned IP address for
each host. A trusted DHCP server is connected to a trusted port on the
switch.

It is possible that another unauthorized and unwanted DHCP server could
be connected to the network. This situation can occur if a client on the
network happens to enable a DHCP server application on his workstation
of if someone outside the network attempts to send DHCP packets to your
network. These situations pose a security risk.

A network device initially sends out a DHCPDISCOVER packet so that a
DHCP server will respond. It waits for and then accepts the