Nsf and dhcp snooping – Dell POWEREDGE M1000E User Manual

166

Managing a Switch Stack

NSF and DHCP Snooping

Figure 8-15 illustrates an L2 access switch running DHCP snooping. DHCP

snooping only accepts DHCP server messages on ports configured as

trusted

ports. DHCP snooping listens to DHCP messages to build a bindings

database that lists the IP address the DHCP server has assigned to each host.

IP Source Guard (IPSG) uses the bindings database to filter data traffic in

hardware based on source IP address and source MAC address. Dynamic ARP

Inspection (DAI) uses the bindings database to verify that ARP messages

contain a valid sender IP address and sender MAC address. DHCP snooping

checkpoints its bindings database.

Figure 8-15. NSF and DHCP Snooping

If the Management Unit fails, all hosts connected to that unit lose network

access until that unit reboots. The hardware on surviving units continues to

enforce source filters IPSG installed prior to the failover. Valid hosts continue

to communicate normally. During the failover, the hardware continues to

drop data packets from unauthorized hosts so that security is not

compromised.

DHCP Server

LAG

`

`

`

`

`

`

Hosts

Hosts