Dhcp snooping commands, Commands in this chapter, Dhcp snooping – Dell POWEREDGE M1000E User Manual


DHCP Snooping Commands


DHCP Snooping is a security feature that monitors DHCP messages between DHCP clients and the DHCP server to filter harmful DHCP messages and build a bindings database of {MAC address, IP address, VLAN ID, interface} tuples that are considered authorized.

The DHCP snooping application processes incoming DHCP messages. For DHCPRELEASE and DHCPDECLINE messages, the application compares the receive interface and VLAN with the client's interface and VLAN in the bindings database. If the interfaces do not match, the application logs the event and drops the message. For valid client messages, DHCP snooping compares the source MAC address to the DHCP client hardware address. When there is a mismatch, DHCP snooping logs and drops the packet. DHCP Snooping forwards valid client messages on trusted members within the VLAN. If DHCP Relay and/or DHCP Server coexist with DHCP Snooping, the DHCP client message is sent to the DHCP Relay and/or DHCP Server for further processing.

The DHCP Snooping application uses DHCP messages to build and maintain the bindings database. The bindings database only includes data for clients on untrusted ports. DHCP Snooping creates a tentative binding from DHCP DISCOVER and REQUEST messages. Tentative bindings tie a client to a port (the port where the DHCP client message was received). Tentative bindings are completed when DHCP Snooping learns the client's IP address from a DHCP ACK message on a trusted port. DHCP Snooping removes bindings in response to DECLINE, RELEASE, and NACK messages. The DHCP Snooping application ignores ACK messages sent in reply to DHCP Inform messages received on trusted ports. The network administrator can enter static bindings into the bindings database.

IP Source Guard and Dynamic ARP Inspection use the DHCP Snooping bindings database for the validation of IP and ARP packets.
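The binding life cycle and the two drop checks described above can be modelled in a few lines. This is an added illustration, not code from the manual or the switch firmware; the class, field names, port names and addresses are constructed, and dropping server messages on untrusted ports is an assumption based on usual DHCP snooping behaviour.

```python
class SnoopingTable:
    """Toy model of the bindings database; names and sample values are constructed."""
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}  # chaddr -> {"port", "vlan", "ip"}; ip None = tentative
        self.log = []

    def _drop(self, reason, m):
        self.log.append(f"{reason}: {m['type']} on {m['port']} vlan {m['vlan']}")
        return "drop"

    def process(self, m):
        kind, port, mac = m["type"], m["port"], m["chaddr"]
        b = self.bindings.get(mac)
        if port in self.trusted:
            if kind == "ACK" and b and b["ip"] is None:
                b["ip"] = m["yiaddr"]  # ACK on a trusted port completes the binding
            elif kind == "NACK":
                self.bindings.pop(mac, None)
            return "forward"  # ACK without a tentative binding (reply to INFORM) is ignored
        if kind in ("OFFER", "ACK", "NACK"):
            # Assumption: usual snooping behaviour, not spelled out in the text above.
            return self._drop("server message on untrusted port", m)
        if m["src_mac"] != mac:
            return self._drop("source MAC != client hardware address", m)
        if kind in ("RELEASE", "DECLINE"):
            if b and (b["port"], b["vlan"]) != (port, m["vlan"]):
                return self._drop("interface/VLAN mismatch", m)
            self.bindings.pop(mac, None)
        elif kind in ("DISCOVER", "REQUEST") and b is None:
            self.bindings[mac] = {"port": port, "vlan": m["vlan"], "ip": None}
        return "forward"

def msg(kind, port, chaddr, vlan=10, src_mac=None, yiaddr=None):
    return {"type": kind, "port": port, "vlan": vlan, "chaddr": chaddr,
            "src_mac": src_mac or chaddr, "yiaddr": yiaddr}

def demo():
    """Replay constructed sample messages; returns (verdicts, table)."""
    t = SnoopingTable(trusted_ports={"Te1/0/1"})
    a = "00:11:22:33:44:55"  # constructed client MAC
    steps = [msg("DISCOVER", "Gi1/0/5", a), msg("REQUEST", "Gi1/0/5", a),
             msg("ACK", "Te1/0/1", a, yiaddr="192.0.2.10"),
             msg("RELEASE", "Gi1/0/7", a),  # wrong port: dropped
             msg("REQUEST", "Gi1/0/5", a, src_mac="00:aa:bb:cc:dd:ee"),  # dropped
             msg("RELEASE", "Gi1/0/5", a)]  # matches binding: removed
    return [t.process(s) for s in steps], t
```

The RELEASE from the wrong port is the case that matters for IP Source Guard and Dynamic ARP Inspection: if it were accepted, another host could delete a client's binding and cause that client's traffic to fail validation.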

Commands in this Chapter

This chapter explains the following commands:

2CSPC4.XModular-SWUM200.book Page 325 Thursday, March 10, 2011 11:18 AM
