Allied Telesis AT-S111 User Manual

Chapter 23: DHCP Snooping
Overview
The DHCP Snooping feature provides security by inspecting ingress packets for the correct IP and MAC address information. The DHCP Snooping feature defines the AT-GS950/48PS ports as either trusted or untrusted. With DHCP Snooping enabled, two network security issues are addressed:

- All ingress DHCP packets are examined on the untrusted ports and only authorized packets are passed through the switch. Unwanted ingress DHCP packets are discarded. See "Unauthorized DHCP Servers" below.
- DHCP ingress packets on an untrusted port are inspected to ensure that the source IP address and MAC address combination in each packet is valid when compared to the DHCP Snooping Binding Table. If a match is not found, the packet is discarded.
Trusted Ports
By definition, trusted ports inherently trust all ingress Ethernet traffic. There is no checking or testing on ingress packets for this type of port. A trusted port connects to a DHCP server in one of the following ways:

- Directly to the legitimate trusted DHCP server
- A network device relaying DHCP messages to and from a trusted server
- Another trusted source, such as a switch with DHCP Snooping enabled
Untrusted Ports
The Ethernet traffic on an untrusted port is inherently not trusted. The ingress packets are consequently tested against specific criteria to determine whether they can be forwarded through the switch or should be immediately discarded. Untrusted ports are connected to DHCP clients and to traffic that originates outside of the LAN.
Unauthorized DHCP Servers
Normally, a single DHCP server exists in a local area network (LAN). The DHCP server supplies network configuration information to individual devices on the network, including the assigned IP address for each host. A trusted DHCP server is connected to a trusted port on the switch.

It is possible that another unauthorized and unwanted DHCP server could be connected to the network. This situation can occur if a client on the network happens to enable a DHCP server application on his workstation, or if someone outside the network attempts to send DHCP packets to your network. These situations pose a security risk.
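The forwarding decision described in this chapter, modelled as an added example (this is not code from the manual or from the AT-S111 software). Port names, the binding table contents and the packet fields are constructed for illustration; treating a client that has no address yet (source 0.0.0.0) as a lease in progress is an assumption of this model, not something the manual states.

```python
from dataclasses import dataclass

# Constructed topology: port48 is the uplink to the legitimate DHCP server.
TRUSTED_PORTS = {"port48"}
# Constructed DHCP Snooping Binding Table: untrusted port -> {(MAC, IP)}
# pairs learned from completed DHCP exchanges on that port.
BINDING_TABLE = {
    "port1": {("00:11:22:33:44:55", "192.0.2.10")},
}
# Message types that only a DHCP server originates.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
UNASSIGNED = "0.0.0.0"


@dataclass
class DhcpPacket:
    ingress_port: str
    src_mac: str
    src_ip: str
    msg_type: str  # DISCOVER, REQUEST, OFFER, ACK, NAK, RELEASE, ...


def snoop(pkt: DhcpPacket) -> tuple:
    """Return (verdict, reason) for one ingress DHCP packet."""
    if pkt.ingress_port in TRUSTED_PORTS:
        # Trusted ports: no checking or testing of ingress packets.
        return "forward", "trusted port, no inspection"
    if pkt.msg_type in SERVER_MESSAGES:
        # A server reply arriving on an untrusted port indicates an
        # unauthorized DHCP server; it is discarded.
        return "discard", "server message on untrusted port"
    if pkt.src_ip == UNASSIGNED:
        # Assumption: a client without an address cannot be in the binding
        # table yet, so its DISCOVER/REQUEST is passed on to the server.
        return "forward", "client without address, lease in progress"
    bindings = BINDING_TABLE.get(pkt.ingress_port, set())
    if (pkt.src_mac, pkt.src_ip) in bindings:
        return "forward", "MAC/IP pair matches binding table"
    return "discard", "MAC/IP pair not in binding table"


def audit(packets) -> list:
    """Produce one log line per discarded packet, for review or alerting."""
    lines = []
    for pkt in packets:
        verdict, reason = snoop(pkt)
        if verdict == "discard":
            lines.append(f"DROP {pkt.ingress_port} {pkt.src_mac} "
                         f"{pkt.src_ip} {pkt.msg_type}: {reason}")
    return lines
```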