AT-GS950/16PS Switch Web Interface User’s Guide

Overview

Trusted Ports

Untrusted Ports

Unauthorized DHCP Servers

The DHCP Snooping feature provides security by inspecting ingress packets for the correct IP and MAC address information. The DHCP Snooping feature defines the AT-GS950/16PS ports as either trusted or untrusted. With DHCP Snooping enabled, two network security issues are addressed:

All ingress DHCP packets are examined on the untrusted ports and only authorized packets are passed through the switch. Unwanted ingress DHCP packets are discarded. See "Unauthorized DHCP Servers" below.

DHCP ingress packets on an untrusted port are inspected to insure that the source IP Address and MAC Address combination in each packet is valid when compared to the DHCP Snooping Binding Table. If match is not found, the packet is discarded.

By definition, trusted ports inherently trust all ingress Ethernet traffic. There is no checking or testing on ingress packets for this type of port. A trusted port connects to a DHCP server in one of the following ways:

Directly to the legitimate trusted DHCP Server

A network device relaying DHCP messages to and from a trusted server

Another trusted source such as a switch with DHCP Snooping enabled.

The Ethernet traffic on an untrusted port is inherently not trusted. The ingress packets are consequently tested against specific criteria to determine if they can be forwarded through the switch or should be immediately discarded. Untrusted ports are connected to DHCP clients and to traffic that originates outside of the LAN.

Normally in a network, a single DHCP server exists in a local area network (LAN). The DHCP server supplies network configuration information to individual devices on the network including the assigned IP address for each host. A trusted DHCP server is connected to a trusted port on the switch.

It is possible that another unauthorized and unwanted DHCP server could be connected to the network. This situation can occur if a client on the network happens to enable a DHCP server application on his workstation of if someone outside the network attempts to send DHCP packets to your network. These situations pose a security risk.

291

Page 291
Image 291
Allied Telesis AT-GS950/16PS, AT-S112 manual Trusted Ports Untrusted Ports, Unauthorized Dhcp Servers