beautypg.com

Overview, Trusted ports, Untrusted ports – Allied Telesis AT-GS950/24 User Manual

Page 300: Unauthorized dhcp servers

background image

Chapter 22: DHCP Snooping

300

Overview

The DHCP Snooping feature provides security by inspecting ingress
packets for the correct IP and MAC address information. The DHCP
Snooping feature defines the AT-GS950/24 ports as either trusted or
untrusted. With DHCP Snooping enabled, two network security issues are
addressed:

All ingress DHCP packets are examined on the
untrusted ports and only authorized packets are
passed through the switch. Unwanted ingress DHCP
packets are discarded. See "Unauthorized DHCP
Servers" below.

DHCP ingress packets on an untrusted port are
inspected to insure that the source IP Address and
MAC Address combination in each packet is valid
when compared to the DHCP Snooping Binding Table.
If a match is not found, the packet is discarded.

Trusted Ports

By definition, trusted ports inherently trust all ingress Ethernet traffic.
There is no checking or testing on ingress packets for this type of port. A
trusted port connects to a DHCP server in one of the following ways:

Directly to the legitimate trusted DHCP Server

A network device relaying DHCP messages to and
from a trusted server

Another trusted source such as a switch with DHCP
Snooping enabled

Untrusted Ports

The Ethernet traffic on an untrusted port is inherently not trusted. The
ingress packets are consequently tested against specific criteria to
determine if they can be forwarded through the switch or should be
immediately discarded. Untrusted ports are connected to DHCP clients
and to traffic that originates outside of the LAN.

Unauthorized

DHCP Servers

Normally in a network, a single DHCP server exists in a local area network
(LAN). The DHCP server supplies network configuration information to
individual devices on the network, including the assigned IP address for
each host. A trusted DHCP server is connected to a trusted port on the
switch.

It is possible that another unauthorized and unwanted DHCP server could
be connected to the network. This situation can occur if a client on the
network happens to enable a DHCP server application on his workstation
or if someone outside the network attempts to send DHCP packets to your
network. These situations pose a security risk.

See also other documents in the category Allied Telesis Computer hardware: