Dell PowerConnect 6248 Configuration Guide - Page 56

Example #2: Viewing the DoS Configuration Information console#show dos-control SIPDIP Mode Enable First Fragment Mode Enable Min TCP Hdr Size 20 TCP Fragment Mode Enable TCP Flag Mode Disable L4 Port Mode Enable ICMP Mode Enable Max ICMP Pkt Size 512 DHCP Snooping Dynamic Host Configuration Protocol (DHCP) Snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP server to: • Filter harmful DHCP messages • Build a bindings database of (MAC address, IP address, VLAN ID, port) authorized tuples. DHCP snooping is disabled globally and on all VLANs by default. Ports are untrusted by default. Network administrators can enable DHCP snooping globally and on specific VLANs. They can also configure ports within the VLAN to be trusted or untrusted. DHCP servers must be reached through trusted ports. DHCP snooping enforces the following security rules: • DHCP packets from a DHCP server (DHCPOFFER, DHCPACK, DHCPNAK, DHCPRELEASEQUERY) are dropped if received on an untrusted port. • DHCPRELEASE and DHCPDECLINE messages are dropped if for a MAC addresses in the snooping database, but the binding's interface is other than the interface where the message was received. • On untrusted interfaces, the switch drops DHCP packets with a source MAC address that does not match the client hardware address. This is a configurable option. Dynamic ARP Inspection uses the DHCP snooping bindings database to validate ARP packets. To prevent DHCP packets being used as a DoS attack when DHCP snooping is enabled, the snooping application enforces a rate limit for DHCP packets received on interfaces. DHCP snooping monitors the receive rate on each interface separately. If the receive rate exceeds a configurable limit, DHCP snooping brings down the interface. The user must do "no shutdown" on this interface to further work with that port. The user can configure both the rate and the burst interval. 56 Switching Configuration