Chapter 22: DHCP Snooping
304
Overview
The DHCP Snooping feature provides security by inspecting ingress
packets for the correct IP and MAC address information. The DHCP
Snooping feature defines the AT-GS950/48 ports as either trusted or
untrusted. With DHCP Snooping enabled, two network security issues are
addressed:
All ingress DHCP packets are examined on the
untrusted ports and only authorized packets are
passed through the switch. Unwanted ingress DHCP
packets are discarded. See "Unauthorized DHCP
Servers" below.
DHCP ingress packets on an untrusted port are
inspected to insure that the source IP Address and
MAC Address combination in each packet is valid
when compared to the DHCP Snooping Binding Table.
If a match is not found, the packet is discarded.
Trusted Ports
By definition, trusted ports inherently trust all ingress Ethernet traffic.
There is no checking or testing on ingress packets for this type of port. A
trusted port connects to a DHCP server in one of the following ways:
Directly to the legitimate trusted DHCP Server
A network device relaying DHCP messages to and
from a trusted server
Another trusted source such as a switch with DHCP
Snooping enabled
Untrusted Ports
The Ethernet traffic on an untrusted port is inherently not trusted. The
ingress packets are consequently tested against specific criteria to
determine if they can be forwarded through the switch or should be
immediately discarded. Untrusted ports are connected to DHCP clients
and to traffic that originates outside of the LAN.
Unauthorized
DHCP Servers
Normally in a network, a single DHCP server exists in a local area network
(LAN). The DHCP server supplies network configuration information to
individual devices on the network, including the assigned IP address for
each host. A trusted DHCP server is connected to a trusted port on the
switch.
It is possible that another unauthorized and unwanted DHCP server could
be connected to the network. This situation can occur if a client on the
network happens to enable a DHCP server application on his workstation
or if someone outside the network attempts to send DHCP packets to your
network. These situations pose a security risk.
Содержание AT-GS950/48
Страница 10: ...Contents 10...
Страница 14: ...Figures 14...
Страница 16: ...List of Tables 16...
Страница 20: ...Preface 20...
Страница 22: ...22...
Страница 62: ...Chapter 2 System Configuration 62...
Страница 64: ...64...
Страница 108: ...Chapter 6 Static Port Trunking 108...
Страница 124: ...Chapter 8 Port Mirroring 124...
Страница 186: ...Chapter 13 Virtual LANs 186...
Страница 194: ...Chapter 14 GVRP 194...
Страница 210: ...210...
Страница 224: ...Chapter 16 SNMPv1 and v2c 224...
Страница 242: ...Chapter 17 SNMPv3 242...
Страница 258: ...Chapter 18 Access Control Configuration 258...
Страница 272: ...Chapter 19 RMON 272...
Страница 302: ...Chapter 21 Security 302...
Страница 324: ...Chapter 23 LLDP 324...
Страница 338: ...338...
Страница 356: ...Chapter 27 LED ECO Mode 356...
Страница 360: ...Chapter 28 Energy Efficient Ethernet 360...
Страница 370: ...Chapter 29 Rebooting the AT GS950 48 370...
Страница 392: ...Appendix A MSTP Overview 392...