Dell M8024 Network Card User Manual


 
Configuring Switching Information 395
Dropped
— The number of not valid ARP packets dropped by DAI.
Configuring Dynamic ARP Inspection With CLI Commands
For information about the CLI commands that perform this function, refer to the following chapter in
the
CLI Reference Guide
:
Dynamic ARP Inspection Commands
DHCP Snooping
DHCP snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP
servers to filter harmful DHCP messages and to build a bindings database of MAC address, IP address,
VLAN ID, and port tuples that are considered authorized. You can enable DHCP snooping globally, per-
interface, and on specific VLANs, and configure ports within the VLAN to be trusted or untrusted.
DHCP servers must be reached through trusted ports.
DHCP snooping enforces the following security rules:
DHCP packets from a DHCP server (DHCPOFFER, DHCPACK, DHCPNAK,
DHCPRELEASEQUERY) are dropped if received on an untrusted port.
DHCPRELEASE and DHCPDECLINE messages are dropped if for a MAC address in the snooping
database, but the binding’s interface is other than the interface where the message was received.
On untrusted interfaces, the switch drops DHCP packets whose source MAC address does not match
the client hardware address. This feature is a configurable option.
The hardware identifies all incoming DHCP packets on ports where DHCP snooping is enabled. DHCP
snooping is enabled on a port if (a) DHCP snooping is enabled globally, and (b) the port is a member of
a VLAN where DHCP snooping is enabled. On untrusted ports, the hardware traps all incoming DHCP
packets to the CPU. On trusted ports, the hardware forwards client messages and copies server messages
to the CPU so that DHCP snooping can learn the binding.
To displ ay t he DHCP Snooping page, click Switching > DHCP Snooping in the tree view.
The DHCP Snooping
menu page contains links to the following features:
DHCP Snooping Configuration
DHCP Snooping Interface Configuration
DHCP Snooping VLAN Configuration
Table 7-3. DHCP Snooping
Destination UDP Port 67 (from client) Destination UDP Port 68 (from server)
Trusted Port Forward in hardware Copy to CPU (Complete the tentative binding for a
given DHCP client, based on the MAC address.)
Untrusted Port Trap to CPU (enforcement) Trap to CPU (error logging)