From Layer 2 Switch Security Requirements Guide
Part of SRG-NET-000362
Associated with: CCI-002385
In an enterprise network, devices under administrative control are trusted sources. These devices include the switches, routers, and servers in the network. Host ports and unknown DHCP servers are considered untrusted sources. An unknown DHCP server on the network on an untrusted port is called a spurious DHCP server, any device (PC, Wireless Access Point) that is loaded with DHCP server enabled. The DHCP snooping feature determines whether traffic sources are trusted or untrusted. The potential exists for a spurious DHCP server to respond to DHCPDISCOVER messages before the real server has time to respond. DHCP snooping allows switches on the network to trust the port a DHCP server is connected to and not trust the other ports.
Review the switch configuration and verify that DHCP snooping is enabled on a per-VLAN basis. If the switch does not have DHCP snooping enabled for all user VLANs to validate DHCP messages from untrusted sources as well as rate-limit DHCP traffic, this is a finding. Note: Enabling DHCP snooping on a range of VLANs is permissible.
Configure the switch to have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources as well as rate-limit DHCP traffic.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer