DELL N3000 User Manual

Snooping and Inspecting Traffic
What Is DHCP Snooping?
Dynamic Host Configuration Protocol (DHCP) Snooping is a security feature 
that monitors DHCP messages between a DHCP client and DHCP server to 
accomplish the following tasks:
• Filter harmful DHCP messages
• Build a bindings database with entries that consist of the following 
information:
  – MAC address
  – IP address
  – VLAN ID
  – Client port
Entries in the bindings database are considered to be authorized network 
clients.
DHCP snooping can be enabled on VLANs, and the trust status (trusted or 
untrusted) is specified on individual physical ports or LAGs that are 
members of a VLAN. When a port or LAG is configured as untrusted, it could 
potentially be used to launch a network attack. DHCP servers must be 
reached through trusted ports.
DHCP snooping enforces the following security rules:
• DHCP packets from a DHCP server (DHCPOFFER, DHCPACK, 
DHCPNAK, DHCPRELEASEQUERY) are dropped if they are received on 
an untrusted port.
• DHCPRELEASE and DHCPDECLINE messages are dropped if the client MAC 
address is in the snooping database but the binding's interface is other 
than the interface where the message was received.
• On untrusted interfaces, the switch drops DHCP packets with a source 
MAC address that does not match the client hardware address. This is a 
configurable option.
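The following Python model is an added example, not code from the manual or from the switch firmware; it shows how the bindings database described above is built and how the three security rules decide whether a DHCP message is forwarded or dropped. The message layout, interface names (Gi1/0/x), MAC and IP values are all constructed for illustration, and the way the client port is learned (remembered from the client's DISCOVER/REQUEST, then attached to the binding when the server's DHCPACK arrives on a trusted port) is a simplification of what a real switch does.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Message types the page lists as server-originated (names taken from the page).
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPRELEASEQUERY"}


@dataclass
class DhcpMessage:
    msg_type: str          # e.g. "DHCPACK"
    src_mac: str           # Ethernet source MAC of the frame
    chaddr: str            # client hardware address field in the DHCP payload
    yiaddr: Optional[str]  # IP assigned by the server (present in OFFER/ACK)
    vlan: int
    port: str              # ingress interface (constructed names like "Gi1/0/5")


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str              # client port, as in the bindings database on the page


@dataclass
class DhcpSnooping:
    trusted_ports: set
    verify_mac: bool = True  # the configurable source-MAC check (third rule)
    bindings: Dict[str, Binding] = field(default_factory=dict)  # keyed by client MAC
    pending: Dict[str, str] = field(default_factory=dict)       # chaddr -> client port awaiting ACK

    def process(self, m: DhcpMessage) -> Tuple[str, str]:
        """Return ("forward" | "drop", reason) and update the bindings database."""
        trusted = m.port in self.trusted_ports
        mac = m.chaddr.lower()

        # Rule 1: server-originated messages are accepted only on trusted ports.
        if m.msg_type in SERVER_MESSAGES and not trusted:
            return "drop", "server message on untrusted port"

        # Rule 3 (configurable): on untrusted ports the frame's source MAC must equal chaddr.
        if not trusted and self.verify_mac and m.src_mac.lower() != mac:
            return "drop", "source MAC does not match chaddr"

        # Rule 2: RELEASE/DECLINE must arrive on the interface recorded in the binding.
        if m.msg_type in ("DHCPRELEASE", "DHCPDECLINE"):
            b = self.bindings.get(mac)
            if b is not None and b.port != m.port:
                return "drop", "release/decline from interface other than binding port"
            if b is not None:
                del self.bindings[mac]  # lease given up: binding is no longer authorized
            return "forward", "ok"

        # Bindings database maintenance (simplified): remember the client's port from
        # its request, then create the binding when the server ACKs that client.
        if m.msg_type in ("DHCPDISCOVER", "DHCPREQUEST") and not trusted:
            self.pending[mac] = m.port
        elif m.msg_type == "DHCPACK" and m.yiaddr:
            client_port = self.pending.pop(mac, None)
            if client_port is not None:
                self.bindings[mac] = Binding(mac, m.yiaddr, m.vlan, client_port)
        return "forward", "ok"


def run_demo():
    """Constructed sample traffic that exercises each rule; returns verdicts and state."""
    snoop = DhcpSnooping(trusted_ports={"Gi1/0/1"})  # only Gi1/0/1 leads to the real server
    traffic = [
        # legitimate client request on an untrusted access port
        DhcpMessage("DHCPREQUEST", "00:11:22:33:44:55", "00:11:22:33:44:55", None, 10, "Gi1/0/5"),
        # server ACK for that client, arriving on the trusted uplink -> binding created
        DhcpMessage("DHCPACK", "aa:bb:cc:dd:ee:01", "00:11:22:33:44:55", "10.0.10.20", 10, "Gi1/0/1"),
        # OFFER arriving on an untrusted port -> rule 1 drops it
        DhcpMessage("DHCPOFFER", "de:ad:be:ef:00:01", "00:11:22:33:44:66", "10.0.10.99", 10, "Gi1/0/7"),
        # RELEASE for a bound client, but from a different port -> rule 2 drops it
        DhcpMessage("DHCPRELEASE", "00:11:22:33:44:55", "00:11:22:33:44:55", None, 10, "Gi1/0/9"),
        # DISCOVER whose frame source MAC differs from chaddr -> rule 3 drops it
        DhcpMessage("DHCPDISCOVER", "00:11:22:33:44:77", "00:11:22:33:44:55", None, 10, "Gi1/0/9"),
        # RELEASE from the port recorded in the binding -> forwarded, binding removed
        DhcpMessage("DHCPRELEASE", "00:11:22:33:44:55", "00:11:22:33:44:55", None, 10, "Gi1/0/5"),
    ]
    verdicts = [snoop.process(m) for m in traffic]
    return verdicts, snoop


if __name__ == "__main__":
    for verdict, reason in run_demo()[0]:
        print(f"{verdict:8s} {reason}")
```

The binding is keyed by client MAC and stores the port the client was heard on, which is what the second rule consults; setting `verify_mac=False` reproduces the behaviour when the configurable source-MAC check is disabled, and the spoofed DISCOVER in the sample then passes the filter.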