LevelOne GTL-2691 User Manual

C

HAPTER

13

| Security Measures

DHCP Snooping

– 397 –

C

OMMAND

U

SAGE

DHCP Snooping Process

◆

Network traffic may be disrupted when malicious DHCP messages are

received from an outside source. DHCP snooping is used to filter DHCP

messages received on a non-secure interface from outside the network

or fire wall. When DHCP snooping is enabled globally and enabled on a

VLAN interface, DHCP messages received on an untrusted interface

from a device not listed in the DHCP snooping table will be dropped.

◆

Table entries are only learned for trusted interfaces. An entry is added

or removed dynamically to the DHCP snooping table when a client

receives or releases an IP address from a DHCP server. Each entry

includes a MAC address, IP address, lease time, VLAN identifier, and

port identifier.

◆

The rate limit for the number of DHCP messages that can be processed

by the switch is 100 packets per second. Any DHCP packets in excess of

this limit are dropped.

◆

When DHCP snooping is enabled, DHCP messages entering an

untrusted interface are filtered based upon dynamic entries learned via

DHCP snooping.

◆

Filtering rules are implemented as follows:

■

If the global DHCP snooping is disabled, all DHCP packets are

forwarded.

■

If DHCP snooping is enabled globally, and also enabled on the VLAN

where the DHCP packet is received, all DHCP packets are forwarded

for a trusted port. If the received packet is a DHCP ACK message, a

dynamic DHCP snooping entry is also added to the binding table.

■

If DHCP snooping is enabled globally, and also enabled on the VLAN

where the DHCP packet is received, but the port is not trusted, it is

processed as follows:

■

If the DHCP packet is a reply packet from a DHCP server

(including OFFER, ACK or NAK messages), the packet is

dropped.

■

If the DHCP packet is from a client, such as a DECLINE or

RELEASE message, the switch forwards the packet only if the

corresponding entry is found in the binding table.

■

If the DHCP packet is from a client, such as a DISCOVER,

REQUEST, INFORM, DECLINE or RELEASE message, the packet

is forwarded if MAC address verification is disabled. However, if

MAC address verification is enabled, then the packet will only be

forwarded if the client’s hardware address stored in the DHCP

packet is the same as the source MAC address in the Ethernet

header.

■

If the DHCP packet is not a recognizable type, it is dropped.