Dell PowerConnect M6220 Configuration Guide - Page 43
DHCP Filtering, Overview, Limitations, CLI Examples
 |
View all Dell PowerConnect M6220 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 43 highlights
DHCP Filtering This section describes the Dynamic Host Configuration Protocol (DHCP) Filtering feature. Overview DHCP filtering provides security by filtering untrusted DHCP messages. An untrusted message is a message that is received from outside the network or firewall, and that can cause traffic attacks within network. You can use DHCP Filtering as a security measure against unauthorized DHCP servers. A known attack can occur when an unauthorized DHCP server responds to a client that is requesting an IP address. The unauthorized server can configure the gateway for the client to be equal to the IP address of the server. At that point, the client sends all of its IP traffic destined to other networks to the unauthorized machine, giving the attacker the possibility of filtering traffic for passwords or employing a 'man-in-the-middle' attack. DHCP filtering works by allowing the administrator to configure each port as a trusted or untrusted port. The port that has the authorized DHCP server should be configured as a trusted port. Any DHCP responses received on a trusted port will be forwarded. All other ports should be configured as untrusted. Any DHCP (or BootP) responses received on the ingress side will be discarded. Limitations • Port Channels (LAGs): If an interface becomes a member of a LAG, DHCP filtering is no longer operationally enabled on the interface. Instead, the interface follows the configuration of the LAG port. End user configuration for the interface remains unchanged. When an interface is no longer a member of a LAG, the current end user configuration for that interface automatically becomes effective. • Mirroring: If an interface becomes a probe port, DHCP filtering can no longer become operationally enabled on the interface. End user configuration for the interface remains unchanged. When an interface no longer acts as a probe port, the current end user configuration for that interface automatically becomes effective. • DHCP Relay: When DHCP Filtering is administratively enabled, the IP Helper function must check whether a port is trusted before a DHCP (or BootP) response is forwarded on the port. If the port is untrusted, the response is dropped. The forwarding of DHCP or BootP request is unaffected. • If DHCP Filtering is administratively disabled, the operation of the DHCP relay function is unaffected. CLI Examples The commands shown below show examples of configuring DHCP Filtering for the switch and for individual interfaces. Example #1: Enable DHCP Filtering for the Switch console#configure Switching Configuration 43
-
1 -
2
-
3
-
4
-
5
-
6
-
7
-
8
-
9
-
10
-
11
-
12
-
13
-
14
-
15
-
16
-
17
-
18
-
19
-
20
-
21
-
22
-
23
-
24
-
25
-
26
-
27
-
28
-
29
-
30
-
31
-
32
-
33
-
34
-
35
-
36
-
37
-
38 -
39 -
40 -
41 -
42 -
43 -
44 -
45 -
46 -
47 -
48 -
49
-
50
-
51
-
52
-
53
-
54
-
55
-
56
-
57
-
58
-
59
-
60
-
61
-
62
-
63
-
64
-
65
-
66
-
67
-
68
-
69
-
70
-
71
-
72
-
73
-
74
-
75
-
76
-
77
-
78
-
79
-
80
-
81
-
82
-
83
-
84
-
85
-
86
-
87
-
88
-
89
-
90
-
91
-
92
-
93
-
94
-
95
-
96
-
97
-
98
-
99
-
100
-
101
-
102
-
103
-
104
-
105
-
106
-
107
-
108
-
109
-
110
-
111
-
112
-
113
-
114
-
115
-
116
-
117
-
118
-
119
-
120
-
121
-
122
-
123
-
124
-
125
-
126
 |
 |
