Information About DHCP Snooping
The Dynamic Host Configuration Protocol (DHCP) Snooping feature provides security by filtering untrusted DHCP messages. An untrusted message is one that is received from outside the network and that can be used to mount traffic attacks within the network. DHCP Snooping acts as a firewall between untrusted hosts and the DHCP server. It also helps the devices in the network track DHCP client IP addresses and verify the source of the traffic that they receive.
DHCP Snooping classifies each port as trusted or untrusted. Trusted ports connect to DHCP servers or to ports of other devices in the network. Untrusted ports connect to DHCP clients or to other networks. When DHCP Snooping is enabled on your device, it monitors and validates the DHCP packets that it receives: DHCP-OFFER and DHCP-ACK packets, which only a DHCP server should send, are dropped when they arrive on an untrusted port, while DHCP packets received on trusted ports are forwarded to the DHCP clients.
Overview of IP Source Guard
The IP Source Guard feature filters the source IP address on a Layer 2 port to prevent a malicious host from impersonating a legitimate host. It permits IP traffic only when the source IP address and MAC address of each packet match one of the two sources of IP-to-MAC address bindings:
- Entries in the DHCP Snooping binding table
- Static IP source bindings that you configure
You can enable the IP Source Guard feature only on untrusted ports, and DHCP Snooping must be enabled for IP Source Guard to function, because the binding table it checks is populated by DHCP Snooping.
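The two forwarding decisions described above, as an added example that is not from the original page or from any vendor's implementation: a small Python model of a switch that drops server-only DHCP messages on untrusted ports, learns the (MAC, IP) binding from a completed lease, and then applies IP Source Guard to IP packets on an untrusted port. Port names, MAC addresses and IP addresses are constructed sample values.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}                   # only a DHCP server should send these
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}

@dataclass
class Switch:
    """Minimal model (constructed for this example) of DHCP Snooping + IP Source Guard."""
    trusted_ports: set
    bindings: dict = field(default_factory=dict)         # (mac, ip) -> client port, learned
    static_bindings: dict = field(default_factory=dict)  # (mac, ip) -> port, configured
    ipsg_ports: set = field(default_factory=set)         # untrusted ports with IP Source Guard
    _pending: dict = field(default_factory=dict)         # client mac -> port its REQUEST came in on

    def enable_ip_source_guard(self, port):
        # The page states IP Source Guard is only valid on untrusted ports.
        if port in self.trusted_ports:
            raise ValueError(f"{port} is trusted; IP Source Guard needs an untrusted port")
        self.ipsg_ports.add(port)

    def dhcp_snoop(self, port, msg, client_mac, yiaddr=None):
        """Return 'forward' or 'drop' for a DHCP message seen on `port`, learning leases."""
        if msg in SERVER_MSGS and port not in self.trusted_ports:
            return "drop"                    # OFFER/ACK/NAK on an untrusted port: rogue server
        if msg in CLIENT_MSGS:
            self._pending[client_mac] = port  # remember which port the client sits behind
        elif msg == "ACK" and client_mac in self._pending:
            # Lease completed via the trusted port: add the binding for the client's port.
            self.bindings[(client_mac, yiaddr)] = self._pending.pop(client_mac)
        return "forward"

    def ip_source_guard(self, port, src_mac, src_ip):
        """Permit an IP packet only if its (MAC, IP) pair is bound to this port."""
        if port not in self.ipsg_ports:
            return True
        key = (src_mac, src_ip)
        return port in (self.bindings.get(key), self.static_bindings.get(key))

def run_demo():
    sw = Switch(trusted_ports={"Gi1/0/1"})             # uplink toward the DHCP server
    sw.enable_ip_source_guard("Gi1/0/2")               # untrusted access port
    sw.static_bindings[("00:00:5e:00:53:99", "192.0.2.99")] = "Gi1/0/2"   # configured binding
    rogue = sw.dhcp_snoop("Gi1/0/2", "OFFER", "00:00:5e:00:53:01", "192.0.2.50")
    sw.dhcp_snoop("Gi1/0/2", "REQUEST", "00:00:5e:00:53:01")
    sw.dhcp_snoop("Gi1/0/1", "ACK", "00:00:5e:00:53:01", "192.0.2.10")   # legitimate lease
    return {
        "rogue_offer": rogue,                                                                # "drop"
        "bound_host": sw.ip_source_guard("Gi1/0/2", "00:00:5e:00:53:01", "192.0.2.10"),    # True
        "spoofed_ip": sw.ip_source_guard("Gi1/0/2", "00:00:5e:00:53:01", "192.0.2.20"),    # False
        "static_host": sw.ip_source_guard("Gi1/0/2", "00:00:5e:00:53:99", "192.0.2.99"),   # True
    }
```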