Configuration Guide Configuring DHCP Snooping
8.2.4 Guarding Against IP/MAC Spoofing
Scenario
Check IP packets from untrusted ports to filter out forged IP packets based on IP or IP-MAC fields.
For example, in the following figure, the IP packets sent by DHCP clients are validated.
The source IP address fields of IP packets must match the IP addresses assigned by DHCP.
The source MAC address fields of layer-2 packets must match the chaddr fields in DHCP request packets from clients.
Figure 8-3
S is an access device.
A and C are user PCs.
B is a DHCP server within the controlled area.
Deployment
Enable DHCP Snooping on S to realize DHCP monitoring.
Set all downlink ports on the S as DHCP Snooping untrusted.
Enable IP Source Guard on S to filter IP packets.
Enable IP Source Guard in IP-MAC based mode to check the source MAC and IP address fields of IP packets.
8.2.5 Preventing Lease of IP Addresses
Scenario
Validate the source addresses of IP packets from untrusted ports compared with DHCP-assigned addresses.
If the source addresses, connected ports, and layer-2 source MAC addresses of ports in IP packets do not match the
assignments of the DHCP server, such packets will be discarded.
The networking topology scenario is the same as that shown in the previous figure.
To Next Page
Loading...
Need help?
General
