DELL S6000-ON User Manual
Enabling IP Source Address Validation
IP source address validation (SAV) prevents IP spoofing by forwarding only IP packets that have been
validated against the DHCP binding table.
A spoofed IP packet is one in which the IP source address is strategically chosen to disguise the attacker.
For example, using ARP spoofing, an attacker can assume a legitimate client’s identity and receive traffic
addressed to it. Then the attacker can spoof the client’s IP address to interact with other clients.
The DHCP binding table associates addresses the DHCP servers assign with the port or the port channel
interface on which the requesting client is attached and the VLAN the client belongs to. When you enable
IP source address validation on a port, the system verifies that the source IP address is one that is
associated with the incoming port and optionally that the client belongs to the permissible VLAN. If an
attacker is impostering as a legitimate client, the source address appears on the wrong ingress port and
the system drops the packet. If the IP address is fake, the address is not on the list of permissible
addresses for the port and the packet is dropped. Similarly, if the IP address does not belong to the
permissible VLAN, the packet is dropped.
validated against the DHCP binding table.
A spoofed IP packet is one in which the IP source address is strategically chosen to disguise the attacker.
For example, using ARP spoofing, an attacker can assume a legitimate client’s identity and receive traffic
addressed to it. Then the attacker can spoof the client’s IP address to interact with other clients.
The DHCP binding table associates addresses the DHCP servers assign with the port or the port channel
interface on which the requesting client is attached and the VLAN the client belongs to. When you enable
IP source address validation on a port, the system verifies that the source IP address is one that is
associated with the incoming port and optionally that the client belongs to the permissible VLAN. If an
attacker is impostering as a legitimate client, the source address appears on the wrong ingress port and
the system drops the packet. If the IP address is fake, the address is not on the list of permissible
addresses for the port and the packet is dropped. Similarly, if the IP address does not belong to the
permissible VLAN, the packet is dropped.
To enable IP source address validation, use the following command.
NOTE: If you enable IP source guard using the ip dhcp source-address-validation
command and if there are more entries in the current DHCP snooping binding table than the
available CAM space, SAV may not be applied to all entries. To ensure that SAV is applied correctly
available CAM space, SAV may not be applied to all entries. To ensure that SAV is applied correctly
to all entries, enable the ip dhcp source-address-validation command before adding
entries to the binding table.
• Enable IP source address validation.
INTERFACE mode
INTERFACE PORT EXTENDER
ip dhcp source-address-validation
• Enable IP source address validation with VLAN option.
INTERFACE mode
ip dhcp source-address-validation vlan vlan-id
NOTE:
Before enabling SAV With VLAN option, allocate at least one FP block to the ipmacacl CAM
region.
Before enabling SAV With VLAN option, allocate at least one FP block to the ipmacacl CAM
region.
DHCP MAC Source Address Validation
DHCP MAC source address validation (SAV) validates a DHCP packet’s source hardware address against
the client hardware address field (CHADDR) in the payload.
Dell Networking OS ensures that the packet’s source MAC address is checked against the CHADDR field
in the DHCP header only for packets from snooped VLANs.
the client hardware address field (CHADDR) in the payload.
Dell Networking OS ensures that the packet’s source MAC address is checked against the CHADDR field
in the DHCP header only for packets from snooped VLANs.
• Enable DHCP MAC SAV.
CONFIGURATION mode
ip dhcp snooping verify mac-address
316
Dynamic Host Configuration Protocol (DHCP)