HP (Hewlett-Packard) 2610 Switch User Manual


 
18
Enhancements
Release R.11.12 Enhancements
DHCP Snooping
Overview
You can use DHCP snooping to help avoid the Denial of Service attacks that result from unauthorized
users adding a DHCP server to the network that then provides invalid configuration data to other
DHCP clients on the network. DHCP snooping accomplishes this by allowing you to distinguish
between trusted ports connected to a DHCP server or switch and untrusted ports connected to end-
users. DHCP packets are forwarded between trusted ports without inspection. DHCP packets
received on other switch ports are inspected before being forwarded. Packets from untrusted sources
are dropped. Conditions for dropping packets are shown below.
Enabling DHCP Snooping
DHCP snooping is enabled globally by entering this command:
ProCurve(config)# dhcp-snooping
Use the no form of the command to disable DHCP snooping.
Condition for Dropping a Packet Packet Types
A packet from a DHCP server received on an untrusted port DHCPOFFER, DHCPACK, DH-
CPNACK
If the switch is configured with a list of authorized DHCP
server addresses and a packet is received from a DHCP
server on a trusted port with a source IP address that is not
in the list of authorized DHCP server addresses.
DHCPOFFER, DHCPACK, DH-
CPNACK
Unless configured to not perform this check, a DHCP packet
received on an untrusted port where the DHCP client hard-
ware address field does not match the source MAC address
in the packet
N/A
Unless configured to not perform this check, a DHCP packet
containing DHCP relay information (option 82) received from
an untrusted port
N/A
A broadcast packet that has a MAC address in the DHCP
binding database, but the port in the DHCP binding database
is different from the port on which the packet is received
DHCPRELEASE, DHCPDE-
CLINE
Syntax: [no] dhcp-snooping [authorized-server | database | option | trust | verify |
vlan]
authorized server: Enter the IP address of a trusted DHCP
server. If no authorized servers are configured, all DHCP
server addresses are considered valid.
Maximum: 20 authorized servers