
DHCP Snooping

DHCP, the abbreviation for Dynamic Host Configuration Protocol, is
designed to allocate appropriate IP addresses and related network
parameters for subnetworks automatically. DHCP Snooping creates a
binding between the MAC address of a DHCP client and the IP address
allocated to it by analyzing the packets exchanged between the DHCP
client and the server. When ARP Inspection is also enabled, the
system checks whether each ARP packet passing through matches a
binding in the list. If it does not, the ARP packet is dropped. In a
network that allocates addresses via DHCP, you can protect against
ARP spoofing attacks by enabling ARP Inspection and DHCP Snooping.

DHCP clients look for the server by broadcasting, and only accept
the network configuration parameters provided by the first
reachable server. Therefore, an unauthorized DHCP server in the
network might lead to DHCP server spoofing attacks. The system can
protect against DHCP server spoofing attacks by dropping DHCP
response packets on related ports.
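
The Python sketch below is an added example, not code from this documentation or from the device vendor. It models the two checks described above: dropping DHCP responses on selected ports, and ARP inspection against bindings learned from DHCP traffic. The port names, addresses, dict-based packet layout, and the choice to match on port as well as MAC and IP are assumptions made for the illustration.

```python
# Added illustration, not vendor code: a toy model of DHCP snooping with ARP inspection.
# Port names, addresses and the dict-based packet layout are constructed for this example.

class SnoopingSwitch:
    def __init__(self, drop_response_ports):
        self.drop_response_ports = set(drop_response_ports)  # no DHCP server expected here
        self.pending = {}    # client MAC -> port its request arrived on
        self.bindings = {}   # client MAC -> (ip, port, lease expiry time)

    def dhcp(self, port, pkt, now):
        """Return 'forward' or 'drop' for one DHCP message seen on a port."""
        kind, mac = pkt["type"], pkt["chaddr"]
        if kind in ("DISCOVER", "REQUEST"):
            self.pending[mac] = port
            return "forward"
        if kind in ("OFFER", "ACK", "NAK"):
            if port in self.drop_response_ports:
                return "drop"            # reply from a port with no authorised server
            if kind == "ACK" and mac in self.pending:
                # Learn the binding from the server's ACK to a client we saw asking.
                self.bindings[mac] = (pkt["yiaddr"], self.pending.pop(mac), now + pkt["lease"])
            return "forward"
        return "drop"

    def arp(self, port, sender_mac, sender_ip, now):
        """ARP inspection: forward only if sender MAC, IP and port match a live binding."""
        entry = self.bindings.get(sender_mac)
        if entry is None:
            return "drop"
        ip, bound_port, expiry = entry
        if now >= expiry:                # lease ran out: the binding no longer counts
            del self.bindings[sender_mac]
            return "drop"
        return "forward" if (ip, bound_port) == (sender_ip, port) else "drop"

def demo():
    sw = SnoopingSwitch(drop_response_ports={"eth1", "eth2"})   # eth0 faces the real server
    client = "00:11:22:33:44:55"
    req = {"type": "REQUEST", "chaddr": client}
    ack = {"type": "ACK", "chaddr": client, "yiaddr": "192.0.2.10", "lease": 3600}
    return [
        sw.dhcp("eth1", req, now=0),                              # client asks
        sw.dhcp("eth2", dict(ack, yiaddr="192.0.2.66"), now=1),   # rogue server reply
        sw.dhcp("eth0", ack, now=2),                              # authorised reply, binding learned
        sw.arp("eth1", client, "192.0.2.10", now=10),             # matches binding
        sw.arp("eth1", client, "192.0.2.1", now=11),              # claims the gateway's IP
        sw.arp("eth2", "66:66:66:66:66:66", "192.0.2.1", now=12), # no binding at all
        sw.arp("eth1", client, "192.0.2.10", now=4000),           # lease expired
    ]
```

Calling demo() returns one verdict per packet in the order listed, so the rogue reply and the three mismatched ARP packets can be seen to drop while the legitimate traffic is forwarded.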

In addition, some malicious attackers send DHCP requests to a DHCP
server in succession by forging different MAC addresses, and
eventually make IP addresses unavailable to legitimate users by
exhausting all the IP address resources. This kind of attack is
commonly known as DHCP Starvation. The system can protect against
such attacks by dropping request packets on related ports, setting
a rate limit, or enabling validity check.

This section describes how to configure DHCP snooping.

Configuring DHCP Snooping

The VSwitch interface supports DHCP snooping. This function is
disabled by default.

To configure DHCP snooping, take the following steps:

1. On the Navigation pane, click Configure > Security > ARP
Defense to visit the ARP Defense page.
2. Click DHCP Snooping.
3. On the Interface tab in the DHCP Snooping dialog, select the
interface(s) on which to enable DHCP snooping.
4. On the Port tab, configure options for DHCP snooping.
5. Click OK to save your settings and return to the ARP Defense
page.

DHCP Snooping List

With DHCP Snooping enabled, the system inspects all the DHCP
packets passing through the interface, and creates and maintains a
DHCP Snooping list that contains IP-MAC binding information
during the process of inspection. In addition, if the VSwitch, VLAN
interface or any other Layer 3 physical interface is configured as a
DHCP server, the system creates IP-MAC binding information
automatically and adds it to the DHCP Snooping list even if DHCP
Snooping is not enabled. The bindings in the list contain
information such as legitimate users' MAC addresses, IP addresses,
interfaces, ports, lease time, etc.

To visit the DHCP Snooping list, take the following steps:

1. On the Navigation pane, click Configure > Security > ARP
Defense to visit the ARP Defense page.
2. On the Task tab in the right pane, click DHCP Snooping List
to visit the DHCP Snooping list page.
