Drop Dhcp Packets On Snooped Vlans Only; Dynamic Arp Inspection - Dell Force10 C150 Configuration Manual

Drop DHCP packets on snooped VLANs only

Binding table entries are deleted when a lease expires, or the relay agent encounters a DHCPRELEASE.
Starting with FTOS Release 8.2.1.1, line cards maintain a list of snooped VLANs. When the binding table
fills, DHCP packets are dropped only on snooped-VLANs, while such packets will be forwarded across
non-snooped VLANs. Since DHCP packets are dropped, no new IP address assignments are made.
However, DHCP Release and Decline packets are allowed so that the DHCP snooping table can decrease
in size. Once the table usage falls below the max limit of 4000 entries, new IP address assignments are
allowed.
View the number of entries in the table with the
displays the snooping binding table created using the ACK packets from the trusted port.
Figure 13-7. Command example:
FTOS#show ip dhcp snooping binding
Codes : S - Static D - Dynamic
IP Address MAC Address
========================================================================
10.1.1.251 00:00:4d:57:f2:50
10.1.1.252 00:00:4d:57:e6:f6
10.1.1.253 00:00:4d:57:f8:e8
10.1.1.254 00:00:4d:69:e8:f2
Total number of Entries in the table : 4

Dynamic ARP Inspection

Dynamic ARP inspection prevents ARP spoofing by forwarding only ARP frames that have been validated
against the DHCP binding table.
ARP is a stateless protocol that provides no authentication mechanism. Network devices accepts ARP
request and replies from any device, and ARP replies are accepted even when no request was sent. If a
client receives an ARP message for which a relevant entry already exists in its ARP cache, it overwrites the
existing entry with the new information.
The lack of authentication in ARP makes it vulnerable to spoofing. ARP spoofing is a technique attackers
use to inject false IP to MAC mappings into the ARP cache of a network device. It is used to launch
man-in-the-middle (MITM), and denial-of-service (DoS) attacks, among others.
A spoofed ARP message is one in which MAC address in the sender hardware address field and the IP
address in the sender protocol field are strategically chosen by the attacker. For example, in an MITM
attack, the attacker sends a client an ARP message containing the attacker's MAC address and the
gateway's IP address. The client then thinks that the attacker is the gateway, and sends all internet-bound
show ip dhcp snooping binding
show ip dhcp snooping binding
Expires(Sec) Type
172800 D
172800 D
172740 D
172740 D
command. This output
VLAN Interface
Vl 10 Gi 0/2
Vl 10 Gi 0/1
Vl 10 Gi 0/3
Vl 10 Te 0/50
Dynamic Host Configuration Protocol | 325