What is dhcp snooping – Dell POWEREDGE M1000E User Manual

Page 792

Snooping and Inspecting Traffic

What Is DHCP Snooping?

Dynamic Host Configuration Protocol (DHCP) Snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP server to accomplish the following tasks:

• Filter harmful DHCP messages
• Build a bindings database with entries that consist of the following information:
  • MAC address
  • IP address
  • VLAN ID
  • Client port

Entries in the bindings database are considered to be authorized network clients.

DHCP snooping can be enabled on VLANs, and the trust status (trusted or untrusted) is specified on individual physical ports or LAGs that are members of a VLAN. When a port or LAG is configured as untrusted, it could potentially be used to launch a network attack. DHCP servers must be reached through trusted ports.

DHCP snooping enforces the following security rules:

• DHCP packets from a DHCP server (DHCPOFFER, DHCPACK, DHCPNAK, DHCPRELEASEQUERY) are dropped if they are received on an untrusted port.
• DHCPRELEASE and DHCPDECLINE messages are dropped if the MAC address is in the snooping database, but the binding's interface is other than the interface where the message was received.
• On untrusted interfaces, the switch drops DHCP packets with a source MAC address that does not match the client hardware address. This is a configurable option.
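The three rules above, together with the bindings database they rely on, as an added illustrative model in Python (this is not Dell firmware code or any part of the manual). It assumes simplified packet fields (option 53 message type, Ethernet source MAC, DHCP chaddr, VLAN, ingress port, yiaddr) and constructed port names; a binding is created when a server DHCPACK on a trusted port answers a client request seen earlier on an untrusted port.

```python
from dataclasses import dataclass
from typing import Optional

# DHCP message types (option 53). Server-originated types must arrive on trusted ports only.
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, LEASEQUERY = 1, 2, 3, 4, 5, 6, 7, 10
SERVER_MSGS = {OFFER, ACK, NAK, LEASEQUERY}

@dataclass(frozen=True)
class Binding:          # one authorized client, as stored in the bindings database
    mac: str
    ip: str
    vlan: int
    port: str

@dataclass
class DhcpPacket:       # simplified view of a DHCP frame (assumed fields, not a real parser)
    msg_type: int       # option 53 value
    src_mac: str        # Ethernet source address
    chaddr: str         # client hardware address in the DHCP header
    vlan: int
    port: str           # ingress port or LAG name (constructed values in the test)
    yiaddr: str = "0.0.0.0"  # address assigned by the server in OFFER/ACK

class DhcpSnooper:
    def __init__(self, trusted_ports, verify_mac=True):
        self.trusted = set(trusted_ports)
        self.verify_mac = verify_mac            # the configurable source-MAC vs chaddr check
        self.bindings: dict[str, Binding] = {}  # authorized clients, keyed by client MAC
        self._pending: dict[str, tuple[int, str]] = {}  # chaddr -> (vlan, client port)

    def process(self, pkt: DhcpPacket) -> Optional[str]:
        """Return None if the packet is forwarded, otherwise the reason it was dropped."""
        mac = pkt.chaddr.lower()
        untrusted = pkt.port not in self.trusted
        if untrusted and pkt.msg_type in SERVER_MSGS:
            return "server message received on untrusted port"
        if untrusted and self.verify_mac and pkt.src_mac.lower() != mac:
            return "source MAC does not match client hardware address"
        if pkt.msg_type in (RELEASE, DECLINE):
            b = self.bindings.get(mac)
            if b is not None and b.port != pkt.port:
                return "release/decline from a port other than the binding's port"
        # Remember where the client asked from, then bind it when the server ACKs the lease.
        if pkt.msg_type in (DISCOVER, REQUEST):
            self._pending[mac] = (pkt.vlan, pkt.port)
        elif pkt.msg_type == ACK and mac in self._pending:
            vlan, port = self._pending.pop(mac)
            self.bindings[mac] = Binding(mac, pkt.yiaddr, vlan, port)
        elif pkt.msg_type == RELEASE:
            self.bindings.pop(mac, None)       # a legitimate release ends the binding
        return None
```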
