DHCP filtering
DHCP filtering
The purpose of DHCP filtering is to prevent IP addresses from being falsified or ‘spoofed’. This guarantees that customers cannot avoid detection by spoofing an IP address that was not actually allocated to them.
DHCP filtering is achieved by creating dynamic classifiers. The dynamic classifiers are configured with DHCP snooping placeholders for the source IP address (and possibly source MAC address), to match on.
The dynamic classifiers are attached to filters, which are applied to a port. Only those packets with a source IP address that matches one of the IP addresses allocated to the devices connected to that port are allowed through.
Client B
DHCP Server
Access Device
Trusted Ports |
Client A
Configuring filtering
The switch can be configured to block all packets arriving from clients, unless their source addresses are those known by the switch to have been allocated to the clients by DHCP.
Note: The filtering does not, of course, block DHCP packets. In fact, the DHCP snooping process creates a filter which forces DHCP packets to the CPU before any other filters can process the packet.
XTo configure how many times the filters or flowgroups will be replicated:
set dhcpsnooping
When DHCP snooping is enabled, one blocking filter rule is set up on each port. Then, a permit rule for each client is set up in the switch’s hardware filtering table after a DHCP exchange is successfully completed. These dynamic filtering rules are added for each unique DHCP client until there are maxlease number of entries on that port, or the switch has run out of filter resources.
Page 11 AlliedWare™ OS How To Note: DHCP Snooping on
