The Dell OS10 Switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources.

Severity: medium
Group ID: V-269959
Group Title: SRG-NET-000362-L2S-000025
Version: OS10-L2S-000130
Rule ID: SV-269959r1052263_rule
Date: 2024-12-11
STIG Version: 1
Description
In an enterprise network, devices under administrative control, such as the switches, routers, and servers, are trusted sources. Host ports and unknown DHCP servers are untrusted sources. An unknown DHCP server on an untrusted port is called a spurious (rogue) DHCP server: any device, such as a PC or wireless access point, that has a DHCP server enabled. The potential exists for a spurious DHCP server to respond to DHCPDISCOVER messages before the real server has time to respond, handing the client an attacker-chosen address, default gateway, or DNS server. DHCP snooping lets the switch trust only the port a legitimate DHCP server is connected to and treat every other port as untrusted. The feature validates DHCP messages received from untrusted sources, filters out invalid messages (for example, server-to-client messages such as DHCPOFFER or DHCPACK arriving on an untrusted port), and rate-limits DHCP traffic from trusted and untrusted sources. DHCP snooping also builds and maintains a binding database of untrusted hosts with leased IP addresses, and it uses that database to validate subsequent requests from those hosts. Other security features, such as IP Source Guard and Dynamic ARP Inspection (DAI), also rely on the DHCP snooping binding database, so it is imperative that DHCP snooping is enabled on all user VLANs.
ℹ️ Check
Review the Dell OS10 Switch configuration and verify that DHCP snooping is enabled on all user VLANs.

Verify that DHCP snooping is enabled globally:

ip dhcp snooping

Verify that only the interfaces attached to trusted DHCP servers (or relays) are configured as trusted:

interface ethernet 1/1/4
 ip dhcp snooping trust

Verify that any static DHCP snooping entries are present in the binding table:

ip dhcp snooping binding mac 00:04:96:70:8a:12 vlan 100 ip 100.1.1.2 interface ethernet 1/1/1

Note that OS10 supports three types of source address validation for traffic arriving on untrusted ports: source IP address validation, source IP and MAC address validation, and DHCP source MAC address validation.

If the switch does not have DHCP snooping enabled for all user VLANs to validate DHCP messages from untrusted sources, this is a finding.
✔️ Fix
Configure the Dell OS10 Switch to have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources, as shown in the example below.

Enable DHCP snooping globally in CONFIGURATION mode:

OS10(config)# ip dhcp snooping

Specify the physical or LAG interfaces that connect toward DHCP servers as trusted in INTERFACE mode (leave host-facing ports untrusted, which is the default):

OS10(config)# interface ethernet 1/1/4
OS10(conf-if-eth1/1/4)# ip dhcp snooping trust

For hosts whose bindings are not learned dynamically, add a static DHCP snooping entry to the binding table:

OS10(config)# ip dhcp snooping binding mac 00:04:96:70:8a:12 vlan 100 ip 100.1.1.2 interface ethernet 1/1/1
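The Check and Fix sections above describe a manual review. The script below is an added example, not part of this STIG or of any Dell tooling: it audits a saved OS10 running configuration for the same conditions (global enable present, `ip dhcp snooping trust` only on the interfaces that face administratively controlled DHCP servers, static bindings referencing real interfaces). It assumes the config text format implied by the page (a bare global `ip dhcp snooping` line, interface stanzas indented by one space and closed by `!`); the interface names, VLAN and MAC/IP values in the sample are constructed, not from a real device.

```python
"""Audit a Dell OS10 running configuration for DHCP snooping (OS10-L2S-000130).

Added example, not part of the STIG or of Dell's tooling. It assumes the
running-config text format implied by the Check/Fix sections: a bare global
`ip dhcp snooping` line, `interface ...` stanzas whose members are indented by
one space and terminated by `!`, `ip dhcp snooping trust` inside a stanza, and
`ip dhcp snooping binding ...` lines at global level. The sample config below
is constructed, not captured from a real device.
"""
import re

IFACE_RE = re.compile(r"^interface (.+)$")
BINDING_RE = re.compile(
    r"^ip dhcp snooping binding mac (\S+) vlan (\d+) ip (\S+) interface (.+)$"
)

# Constructed sample: 1/1/4 is the real DHCP-server uplink; 1/1/2 is a host port
# that someone wrongly marked trusted, which is exactly the hole a rogue DHCP
# server on a PC or access point needs.
SAMPLE_CONFIG = """\
!
ip dhcp snooping
ip dhcp snooping binding mac 00:04:96:70:8a:12 vlan 100 ip 100.1.1.2 interface ethernet 1/1/1
!
interface ethernet 1/1/1
 switchport access vlan 100
 no shutdown
!
interface ethernet 1/1/2
 switchport access vlan 100
 ip dhcp snooping trust
 no shutdown
!
interface ethernet 1/1/4
 switchport mode trunk
 ip dhcp snooping trust
 no shutdown
!
"""


def parse_config(text):
    """Return global snooping state, per-interface trust/VLAN data and static bindings."""
    cfg = {"global_enabled": False, "interfaces": {}, "bindings": []}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # '!' closes a stanza in OS10 output
            continue
        if not line.startswith(" "):
            current = None
            m = IFACE_RE.match(line)
            if m:
                current = m.group(1)
                cfg["interfaces"][current] = {"trust": False, "access_vlan": None, "trunk": False}
            elif line == "ip dhcp snooping":
                cfg["global_enabled"] = True
            else:
                m = BINDING_RE.match(line)
                if m:
                    cfg["bindings"].append(
                        {"mac": m.group(1), "vlan": int(m.group(2)), "ip": m.group(3), "interface": m.group(4)}
                    )
            continue
        if current is None:
            continue  # indented line outside an interface stanza; ignore
        item = line.strip()
        iface = cfg["interfaces"][current]
        if item == "ip dhcp snooping trust":
            iface["trust"] = True
        elif item.startswith("switchport access vlan "):
            iface["access_vlan"] = int(item.rsplit(" ", 1)[1])
        elif item == "switchport mode trunk":
            iface["trunk"] = True
    return cfg


def audit(text, trusted_uplinks):
    """Return a list of findings; an empty list means the config passes this check.

    trusted_uplinks: the interfaces that face administratively controlled DHCP
    servers or relays. The auditor supplies this; the device cannot tell a
    legitimate server port from a host port by itself.
    """
    cfg = parse_config(text)
    findings = []
    if not cfg["global_enabled"]:
        findings.append("global: 'ip dhcp snooping' is not configured; no VLAN is protected")
    for name, iface in sorted(cfg["interfaces"].items()):
        if iface["trust"] and name not in trusted_uplinks:
            findings.append(
                f"{name}: host port carries 'ip dhcp snooping trust'; a rogue DHCP server "
                "there would answer DHCPDISCOVER unchecked"
            )
    for name in sorted(trusted_uplinks):
        if not cfg["interfaces"].get(name, {}).get("trust"):
            findings.append(
                f"{name}: DHCP server-facing port lacks 'ip dhcp snooping trust'; "
                "legitimate offers will be dropped"
            )
    known = set(cfg["interfaces"])
    for b in cfg["bindings"]:
        if b["interface"] not in known:
            findings.append(f"binding {b['mac']}: references unknown interface {b['interface']}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, trusted_uplinks={"ethernet 1/1/4"}):
        print("FINDING", f)
```

Run against the sample, the audit reports exactly one finding, the trusted host port ethernet 1/1/2; feed it the output of `show running-configuration` saved from a real switch and the set of interfaces you know carry DHCP servers or relays. The set of trusted uplinks is deliberately an input rather than inferred from `switchport mode trunk`, because a trunk to another access switch is still an untrusted source from this switch's point of view.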