Configuring Advanced Threat Protection

DHCP Snooping

DHCP snooping accomplishes this by allowing you to distinguish between trusted ports connected to a DHCP server or switch and untrusted ports connected to end-users. DHCP packets are forwarded between trusted ports without inspection. DHCP packets received on other switch ports are inspected before being forwarded. Packets from untrusted sources are dropped. Conditions for dropping packets are shown below.

| Condition for Dropping a Packet | Packet Types |
|---|---|
| A packet from a DHCP server received on an untrusted port | DHCPOFFER, DHCPACK, DHCPNACK |
| If the switch is configured with a list of authorized DHCP server addresses and a packet is received from a DHCP server on a trusted port with a source IP address that is not in the list of authorized DHCP server addresses. | DHCPOFFER, DHCPACK, DHCPNACK |
| Unless configured to not perform this check, a DHCP packet received on an untrusted port where the DHCP client hardware address field does not match the source MAC address in the packet | N/A |
| Unless configured to not perform this check, a DHCP packet containing DHCP relay information (option 82) received from an untrusted port | N/A |
| A broadcast packet that has a MAC address in the DHCP binding database, but the port in the DHCP binding database is different from the port on which the packet is received | DHCPRELEASE, DHCPDECLINE |
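The drop conditions above can be modelled as a single decision function. This is an added example, not ProCurve code: the `Packet` fields, the reason strings, the order of the checks, and keying the binding database on the source MAC are all assumptions made for illustration.

```python
from dataclasses import dataclass

SERVER_TYPES = {"DHCPOFFER", "DHCPACK", "DHCPNACK"}  # spelled as in the table
RELEASE_TYPES = {"DHCPRELEASE", "DHCPDECLINE"}

@dataclass
class Packet:  # constructed model, not a wire-format parser
    msg_type: str
    port: str      # ingress switch port
    src_ip: str
    src_mac: str   # Ethernet source MAC
    chaddr: str    # DHCP client hardware address field
    option82: bool = False
    broadcast: bool = False

def drop_reason(pkt, trusted_ports, authorized_servers, bindings,
                verify_mac=True, check_option82=True):
    """Return the table row that drops pkt, or None if it is forwarded.

    bindings maps client MAC -> port in the DHCP binding database.
    An empty authorized_servers set means every server address is valid.
    Check order and keying bindings on the source MAC are assumptions.
    """
    trusted = pkt.port in trusted_ports
    if pkt.msg_type in SERVER_TYPES:
        if not trusted:
            return "server packet on untrusted port"
        if authorized_servers and pkt.src_ip not in authorized_servers:
            return "server address not authorized"
    if not trusted:
        if verify_mac and pkt.chaddr.lower() != pkt.src_mac.lower():
            return "chaddr/source MAC mismatch"
        if check_option82 and pkt.option82:
            return "option 82 on untrusted port"
    if pkt.broadcast and pkt.msg_type in RELEASE_TYPES:
        bound_port = bindings.get(pkt.src_mac.lower())
        if bound_port is not None and bound_port != pkt.port:
            return "binding port mismatch"
    return None

if __name__ == "__main__":
    # Constructed sample: uplink A1 trusted, one authorized server, one lease.
    trusted, servers = {"A1"}, {"10.0.0.5"}
    leases = {"00:11:22:33:44:55": "B3"}
    rogue = Packet("DHCPOFFER", "B7", "10.0.0.99",
                   "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:01")
    print(drop_reason(rogue, trusted, servers, leases))
```

The `verify_mac` and `check_option82` switches stand in for the two checks the table says can be configured off.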

 

 

 

Enabling DHCP Snooping

DHCP snooping is enabled globally by entering this command:

ProCurve(config)# dhcp-snooping

Use the no form of the command to disable DHCP snooping.

Syntax: [no] dhcp-snooping [authorized-server | database | option | trust | verify | vlan]

authorized-server: Enter the IP address of a trusted DHCP server. If no authorized servers are configured, all DHCP server addresses are considered valid.

Maximum: 20 authorized servers

database: To configure a location for the lease database, enter a URL in the format tftp://ip-addr/ascii-string. The maximum number of characters for the URL is 63.
