On January 29th Extreme Networks announced that it supports Hardened DHCP-based Edge Security with ExtremeWare EXOS 11.6. But what is this exactly?
The principle is actually very simple. Normally, any device you connect to a switch can get access to the network as long as it has an IP address. The IP address can be handed out by DHCP, but you can also configure one statically (capturing traffic with Wireshark/Ethereal will reveal the network in use). Extreme Networks now has a feature called DHCP Snooping. When DHCP Snooping is enabled, users are forced to use a DHCP server. The switch inspects the DHCP request and the DHCP reply from the server, and with this information EXOS will only allow traffic from this specific host. At the DHCP server you can configure which hosts are allowed to log in and which ones are not. If someone tries to bypass this behavior by configuring a static IP address, the user will be denied access and the administrator will get a notification.
What are the advantages then? By default all users are denied, except for those that get an IP address from the DHCP server.
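
A minimal model of the mechanism described above, added here as an illustration and not Extreme Networks code or EXOS configuration: the switch ties a snooped DHCP request and reply to a port, then forwards only traffic that matches the resulting lease. The class and method names and all MAC and IP addresses are constructed for the example.

```python
class SnoopingSwitch:
    """Toy model of a switch port filter driven by snooped DHCP exchanges."""

    def __init__(self):
        self.pending = {}    # client MAC -> port its DHCP request arrived on
        self.bindings = {}   # (port, MAC) -> IP address leased by the DHCP server
        self.alerts = []     # notifications for the administrator

    def on_dhcp_request(self, port, mac):
        # Remember where the request came from so the reply can be tied to a port.
        self.pending[mac] = port

    def on_dhcp_reply(self, mac, leased_ip):
        # Only a reply that answers a request the switch saw creates a binding.
        port = self.pending.pop(mac, None)
        if port is None:
            return False
        self.bindings[(port, mac)] = leased_ip
        return True

    def permit(self, port, src_mac, src_ip):
        # Default deny: forward only if port, MAC and IP match a snooped lease.
        if self.bindings.get((port, src_mac)) == src_ip:
            return True
        self.alerts.append(f"port {port}: {src_mac} used {src_ip} without a DHCP lease")
        return False


def demo():
    sw = SnoopingSwitch()
    # Constructed sample traffic: host A completes DHCP, host B sets a static address.
    sw.on_dhcp_request(port=1, mac="00:00:5e:00:53:0a")
    sw.on_dhcp_reply(mac="00:00:5e:00:53:0a", leased_ip="192.0.2.10")
    decisions = [
        sw.permit(1, "00:00:5e:00:53:0a", "192.0.2.10"),  # leased address: allowed
        sw.permit(1, "00:00:5e:00:53:0a", "192.0.2.99"),  # same host, self-assigned IP: denied
        sw.permit(2, "00:00:5e:00:53:0b", "192.0.2.11"),  # static IP, never used DHCP: denied
    ]
    return decisions, sw.alerts


if __name__ == "__main__":
    decisions, alerts = demo()
    print(decisions)
    print(*alerts, sep="\n")
```

A host that the DHCP server refuses never receives a reply, so it never gets a binding and stays in the default-deny state.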