Support User Manuals

Dell M8024 Network Card User Manual

Open as PDF

of 737

Configuring Switching Information 395

•

Dropped

— The number of not valid ARP packets dropped by DAI.

Configuring Dynamic ARP Inspection With CLI Commands

For information about the CLI commands that perform this function, refer to the following chapter in

the

CLI Reference Guide

:

• Dynamic ARP Inspection Commands

DHCP Snooping

DHCP snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP

servers to filter harmful DHCP messages and to build a bindings database of MAC address, IP address,

VLAN ID, and port tuples that are considered authorized. You can enable DHCP snooping globally, per-

interface, and on specific VLANs, and configure ports within the VLAN to be trusted or untrusted.

DHCP servers must be reached through trusted ports.

DHCP snooping enforces the following security rules:

• DHCP packets from a DHCP server (DHCPOFFER, DHCPACK, DHCPNAK,

DHCPRELEASEQUERY) are dropped if received on an untrusted port.

• DHCPRELEASE and DHCPDECLINE messages are dropped if for a MAC address in the snooping

database, but the binding’s interface is other than the interface where the message was received.

• On untrusted interfaces, the switch drops DHCP packets whose source MAC address does not match

the client hardware address. This feature is a configurable option.

The hardware identifies all incoming DHCP packets on ports where DHCP snooping is enabled. DHCP

snooping is enabled on a port if (a) DHCP snooping is enabled globally, and (b) the port is a member of

a VLAN where DHCP snooping is enabled. On untrusted ports, the hardware traps all incoming DHCP

packets to the CPU. On trusted ports, the hardware forwards client messages and copies server messages

to the CPU so that DHCP snooping can learn the binding.

To displ ay t he DHCP Snooping page, click Switching > DHCP Snooping in the tree view.

The DHCP Snooping

menu page contains links to the following features:

• DHCP Snooping Configuration

• DHCP Snooping Interface Configuration

• DHCP Snooping VLAN Configuration

Table 7-3. DHCP Snooping

Destination UDP Port 67 (from client) Destination UDP Port 68 (from server)

Trusted Port Forward in hardware Copy to CPU (Complete the tentative binding for a

given DHCP client, based on the MAC address.)

Untrusted Port Trap to CPU (enforcement) Trap to CPU (error logging)

previous next