Dell EMC SmartFabric OS10 User Guide Release 10.5.0

Source Address Validation

Source Address Validation (SAV) is a security feature that instructs switches to permit IP traffic only from clients present in the DHCP snooping binding table.

When you enable SAV, the switch compares the source IP and MAC addresses in the packet with the DHCP snooping binding table. If there is a match, the device forwards the packet. If there is no match, it drops the packet.

SAV is disabled by default.

NOTE: Dell EMC Networking recommends enabling SAV before enabling DHCP snooping on the system.

OS10 supports three types of Source Address Validation:

  1. Source IP address validation
  2. Source IP and MAC address validation
  3. DHCP source MAC address validation

Source IP address validation

This feature filters IP traffic based on the source IP address and permits traffic only from clients present in the DHCP snooping binding table. The switch compares the following in the packet to the DHCP snooping binding table:

  • Source IP address
  • The VLAN to which the client is connected
  • The interface (physical or port channel) to which the client is connected

If there is a match, the switch forwards the packet.

Source IP and MAC address validation

This feature filters IP traffic based on both source IP and source MAC addresses and permits traffic only from clients found in the DHCP snooping binding table. The switch compares the following in the packet to the DHCP snooping binding table:

  • Source MAC address
  • Source IP address
  • The VLAN to which the client is connected
  • The interface (physical or port channel) to which the client is connected

If there is a match, the switch forwards the packet.

DHCP source MAC address validation

The switch compares the source MAC address of the DHCP packet to the Client Hardware Address (CHADDR) field in the DHCP packet and drops the DHCP packet if there is a mismatch.
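The comparison described above can be modelled offline for testing captures or detection rules. The following is an added example, not OS10 code: the function names, the sample MAC addresses, the restriction to client-originated messages (UDP 68 to 67), and the handling of truncated packets are assumptions of this model.

```python
import struct

def dhcp_mac_verdict(frame: bytes) -> str:
    """Model of the check: 'forward', 'drop', or 'not-dhcp' for a raw frame."""
    if len(frame) < 18:
        return "not-dhcp"
    src_mac, off = frame[6:12], 12
    if frame[off:off + 2] == b"\x81\x00":      # skip one 802.1Q VLAN tag
        off += 4
    if frame[off:off + 2] != b"\x08\x00":      # IPv4 only
        return "not-dhcp"
    ip = off + 2
    if len(frame) < ip + 20:
        return "not-dhcp"
    ihl = (frame[ip] & 0x0F) * 4               # IPv4 header length in bytes
    if ihl < 20 or frame[ip + 9] != 17:        # protocol 17 = UDP
        return "not-dhcp"
    udp = ip + ihl
    if len(frame) < udp + 8:
        return "not-dhcp"
    # Assumption: only client-originated messages (UDP 68 -> 67) are checked.
    if struct.unpack("!HH", frame[udp:udp + 4]) != (68, 67):
        return "not-dhcp"
    bootp = udp + 8
    if len(frame) < bootp + 44:                # chaddr ends at BOOTP offset 44
        return "drop"                          # assumption: truncated = invalid
    hlen = frame[bootp + 2]                    # hardware address length
    chaddr = frame[bootp + 28:bootp + 28 + hlen]
    return "forward" if hlen == 6 and chaddr == src_mac else "drop"

def build_client_frame(src_mac: bytes, chaddr: bytes) -> bytes:
    """Constructed sample: minimal untagged DHCP client frame, checksums zero."""
    bootp = (struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234, 0, 0x8000) + bytes(16)
             + chaddr.ljust(16, b"\0") + bytes(192) + b"\x63\x82\x53\x63")
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip

if __name__ == "__main__":
    host = bytes.fromhex("020000000001")       # constructed, locally administered
    fake = bytes.fromhex("0200000000ff")
    print(dhcp_mac_verdict(build_client_frame(host, host)))   # forward
    print(dhcp_mac_verdict(build_client_frame(host, fake)))   # drop
```
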

Restrictions for Source Address Validation

  • As the SAV feature shares TCAM memory with user ACLs, the maximum number of SAV rules that the system can support depends on how much TCAM memory is allocated to user ACLs.

Enable source IP address validation

  • Enable source IP address validation in INTERFACE mode.

    ip dhcp snooping source-address-validation ip [vlan vlan-name]

    Use the optional vlan option to enable SAV on one or more specific VLANs. The range is from 1 to 4093. If you do not specify the vlan option, SAV is enabled on all VLANs of an interface.

Enable source IP and MAC address validation

  • Enable source IP and MAC address validation in INTERFACE mode.

    ip dhcp snooping source-address-validation ipmac [vlan vlan-name]

    Use the optional vlan option to enable SAV on one or more specific VLANs. The range is from 1 to 4093. If you do not specify the vlan option, SAV is enabled on all VLANs of an interface.

Enable DHCP source MAC address validation

  • Enable DHCP source MAC address validation in CONFIGURATION mode.

    ip dhcp snooping verify mac-address
