DHCP Snooping
DHCP (Dynamic Host Configuration Protocol) automatically allocates IP addresses and related network parameters to the hosts on a subnet. DHCP Snooping creates a binding between the MAC address of a DHCP client and the IP address allocated to it by analyzing the packets exchanged between the DHCP client and the server. When ARP Inspection is also enabled, the system checks whether each ARP packet passing through matches a binding in the list; if it does not, the ARP packet is dropped. In a network that allocates addresses via DHCP, enabling both DHCP Snooping and ARP Inspection therefore protects against ARP spoofing attacks.
DHCP clients locate a server by broadcasting, and accept the network configuration parameters offered by the first server that responds. An unauthorized DHCP server in the network can therefore mount a DHCP server spoofing attack and hand clients bogus parameters. The system prevents DHCP server spoofing attacks by dropping DHCP response packets on the relevant ports, that is, the ports on which no legitimate server is expected.
In addition, an attacker may send a stream of DHCP requests with forged, differing MAC addresses, exhausting the server's address pool so that legitimate users can no longer obtain an IP address. This kind of attack is commonly known as DHCP starvation. The system prevents such attacks by dropping request packets on the relevant ports, by setting a rate limit, or by enabling the validity check.
This section describes how to configure DHCP snooping.
Configuring DHCP Snooping
The VSwitch interface supports DHCP snooping. This function is disabled by default.
To configure DHCP snooping, take the following steps:
- On the Navigation pane, click Configure > Security > ARP Defense to visit the ARP Defense page.
- Click DHCP Snooping.
- On the Interface tab in the DHCP Snooping dialog, select the interface(s) on which DHCP snooping should be enabled.
- On the Port tab, configure options for DHCP snooping.
- Rate limit (pkts/sec): Specifies the maximum number of DHCP packets the interface accepts per second; DHCP packets beyond this number are dropped. The value range is 0 to 10000. The default value is 0, which means no rate limit.
- Validity check: Checks whether the client hardware address (chaddr) carried in the DHCP packet matches the source MAC address of the Ethernet frame. If they differ, the packet is dropped. Select the Check check box to enable this function.
- Drop: If the DHCP Request check box is selected, the system drops all request packets sent by clients to the server on this port; if the DHCP Response check box is selected, the system drops all response packets returned by the server to clients on this port. Dropping responses on client-facing ports is the control against a rogue DHCP server.
- Click OK to save your settings and return to the ARP Defense page.
DHCP Snooping List
With DHCP Snooping enabled, the system inspects all DHCP packets passing through the interface, and creates and maintains a DHCP Snooping list containing the IP-MAC binding information learned during inspection. Besides, if the VSwitch, a VLAN interface or any other Layer 3 physical interface is configured as a DHCP server, the system creates IP-MAC bindings from the leases it hands out and adds them to the DHCP Snooping list automatically, even if DHCP Snooping is not enabled. Each binding in the list contains the legal user's MAC address, IP address, interface, port, lease time, etc.
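The checks described on this page, as an added example in Python that is not part of the product or its documentation: a toy snooping engine that applies the rate limit, validity check and per-port request/response drops from the Port tab to constructed Ethernet frames, learns bindings from DHCPACKs as the DHCP Snooping list does, and runs ARP Inspection against them. Port names, MAC and IP addresses and all frame contents are constructed; the decision to apply the validity check only to client-originated packets, and to record a binding against the port where the client's request was seen, are assumptions of this example, not statements about the product.

```python
"""Added example (not the product's code): a minimal DHCP snooping engine applying the checks this
page describes to constructed frames: per-port rate limit, validity check (DHCP chaddr vs. Ethernet
source MAC), per-port request/response drops, an IP-MAC binding list learned from DHCPACKs, and ARP
inspection against it. Port names, MACs and addresses are made up."""
import struct
from collections import defaultdict

ETH_IPV4, ETH_ARP, IPPROTO_UDP = 0x0800, 0x0806, 17
BOOTREQUEST, BOOTREPLY, DHCP_ACK = 1, 2, 5

def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip(s): return bytes(int(o) for o in s.split("."))

def build_dhcp(op, chaddr, yiaddr, msg_type, lease=3600):
    """Fixed 236-byte BOOTP header + magic cookie + options 53 (message type), 51 (lease), end."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0, b"\0" * 4, ip(yiaddr),
                      b"\0" * 4, b"\0" * 4, chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + b"\x63\x82\x53\x63" + bytes([53, 1, msg_type, 51, 4]) + struct.pack("!I", lease) + b"\xff"

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/UDP encapsulation; checksums are left zero, which is enough for inspection."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0, ip(src_ip), ip(dst_ip))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_IPV4) + ipv4 + udp

def build_arp(src_mac, sender_ip):   # broadcast ARP reply in which src_mac claims sender_ip
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, 2, mac(src_mac), ip(sender_ip), b"\0" * 6, b"\0" * 4)
    return mac("ff:ff:ff:ff:ff:ff") + mac(src_mac) + struct.pack("!H", ETH_ARP) + arp

class DhcpSnooper:
    def __init__(self, rate_limit=0, validity_check=False, drop_request=(), drop_response=()):
        self.rate_limit, self.validity_check = rate_limit, validity_check   # rate 0 = no limit
        self.drop_request, self.drop_response = set(drop_request), set(drop_response)
        self.bindings, self._pending = {}, {}   # client MAC -> (IP, client port, lease expiry); MAC -> request port
        self._counts = defaultdict(int)         # (port, whole second) -> DHCP packets seen

    def process(self, port, frame, now):
        """Return 'forward' or 'drop:<reason>' for a frame received on port at time now (seconds)."""
        src_mac, ethertype = frame[6:12], struct.unpack("!H", frame[12:14])[0]
        if ethertype == ETH_ARP:
            return self._inspect_arp(frame, now)
        if ethertype != ETH_IPV4 or frame[23] != IPPROTO_UDP:
            return "forward"                    # neither DHCP nor ARP: nothing for snooping to do
        ihl = (frame[14] & 0x0F) * 4
        if not set(struct.unpack("!HH", frame[14 + ihl:18 + ihl])) & {67, 68}:   # no DHCP port involved
            return "forward"
        return self._inspect_dhcp(port, frame[22 + ihl:], src_mac, now)

    def _inspect_dhcp(self, port, dhcp, src_mac, now):
        self._counts[port, int(now)] += 1
        if self.rate_limit and self._counts[port, int(now)] > self.rate_limit:
            return "drop:rate-limit"
        op, chaddr = dhcp[0], dhcp[28:28 + dhcp[2]]
        if port in (self.drop_request if op == BOOTREQUEST else self.drop_response):
            return "drop:%s-on-port" % ("request" if op == BOOTREQUEST else "response")
        if self.validity_check and op == BOOTREQUEST and chaddr != src_mac:   # client packets only (assumption)
            return "drop:chaddr-mismatch"       # forged chaddr, as in a starvation attack
        if op == BOOTREQUEST:
            self._pending[chaddr] = port        # remember which port the client is behind
        else:
            msg_type, lease = self._options(dhcp)
            if msg_type == DHCP_ACK:            # only a completed lease creates a binding
                self.bindings[chaddr] = (dhcp[16:20], self._pending.get(chaddr, port), now + lease)
        return "forward"

    @staticmethod
    def _options(dhcp):
        """Walk the option TLVs after the magic cookie; return (message type, lease seconds)."""
        opts, i = {}, 240
        while i < len(dhcp) and dhcp[i] != 0xFF:
            ln = 0 if dhcp[i] == 0 else dhcp[i + 1]           # pad option (code 0) has no length byte
            if ln: opts[dhcp[i]] = dhcp[i + 2:i + 2 + ln]
            i += 1 if dhcp[i] == 0 else 2 + ln
        return opts.get(53, b"\0")[0], struct.unpack("!I", opts.get(51, b"\0" * 4))[0]

    def _inspect_arp(self, frame, now):       # sender MAC/IP must match an unexpired binding
        sha, spa = frame[22:28], frame[28:32]
        bound = self.bindings.get(sha)
        return "forward" if bound and bound[0] == spa and bound[2] >= now else "drop:arp-no-binding"

def demo():
    """Replay constructed frames through one snooper; return (verdicts, binding list)."""
    snoop = DhcpSnooper(rate_limit=2, validity_check=True, drop_response=("port1",))
    client, server, bcast, t = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "ff:ff:ff:ff:ff:ff", 1_000_000.0
    def request(src, chaddr):                 # DHCPREQUEST broadcast from src, claiming chaddr as client MAC
        return build_frame(src, bcast, "0.0.0.0", "255.255.255.255", 68, 67, build_dhcp(BOOTREQUEST, mac(chaddr), "0.0.0.0", 3))
    req, forged = request(client, client), request("de:ad:be:ef:00:01", "de:ad:be:ef:00:02")
    ack = build_frame(server, client, "10.0.0.1", "10.0.0.20", 67, 68, build_dhcp(BOOTREPLY, mac(client), "10.0.0.20", DHCP_ACK))
    verdicts = [
        snoop.process("port1", req, t),                             # client request: forward
        snoop.process("port1", ack, t),                             # reply on the client port: drop (rogue server)
        snoop.process("port2", ack, t),                             # reply on the server port: forward, binding learned
        snoop.process("port1", build_arp(client, "10.0.0.20"), t),  # ARP matches the binding: forward
        snoop.process("port1", build_arp(client, "10.0.0.99"), t),  # ARP claims another IP: drop
        snoop.process("port1", forged, t + 1),                      # chaddr differs from source MAC: drop
        *[snoop.process("port1", req, t + 2) for _ in range(3)],    # three in one second, limit 2: last one drops
    ]
    return verdicts, snoop.bindings

if __name__ == "__main__":
    print(*demo()[0], sep="\n")
```

Running the file prints one verdict per constructed frame. The order of checks in `_inspect_dhcp` is the example's own: the rate limit counts every DHCP packet on the port, including ones later dropped by the port rules, so a flood of rogue replies still trips the limit; and a binding is created only on DHCPACK, so a DHCPOFFER from a rogue server never enters the list.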
To visit the DHCP Snooping list, take the following steps:
- On the Navigation pane, click Configure > Security > ARP Defense to visit the ARP Defense page.
- On the Task tab in the right pane, click DHCP Snooping List to visit the DHCP Snooping list page.