Install guide

Software Version 2.7.6
C613-10462-00 REV A
DHCP Snooping
In Software Release 2.7.6, DHCP snooping has been added to provide an extra
layer of security via dynamic IP source filtering. Snooping filters out messages
received from unknown (“untrusted”) ports, and builds and maintains a
DHCP snooping binding database.
DHCP snooping is disabled by default, and is user configurable.
Overview
Dynamic Host Configuration Protocol (DHCP) dynamically assigns IP
addresses to client devices. The use of dynamically assigned addresses requires
traceability, so that a service provider can determine which clients own a
particular IP address at a certain time.
With DHCP snooping, IP sources are dynamically verified, and filtered
accordingly. IP packets that are not sourced from recognised IP addresses are
filtered out. This ensures the required traceability.
Trusted and untrusted ports
DHCP snooping blocks unauthorised IP traffic from untrusted ports, and
prevents it from entering the trusted network. Ports on the switch are classified
as either trusted or untrusted:
Trusted ports receive only messages from within your network.
Untrusted ports receive messages from outside your network.
Enabling and disabling DHCP snooping
To enable DHCP snooping on the switch, use the command:
enable dhcpsnooping
To disable DHCP snooping on the switch, use the command:
disable dhcpsnooping
The DHCP snooping binding database
When you enable DHCP snooping, the switch snoops client DHCP lease
information and records it in a DHCP snooping binding database.
The binding database contains current, dynamically allocated IP addresses.
When you enable DHCP snooping, the switch intercepts all DHCP packets it
receives, and sends them to the Central Processing Unit (CPU) where they are
verified. The binding database stores and maintains this information, and
installs IP source filters on ports associated with client leases.
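
The following Python model is an added illustration of the behaviour described above, not code from the switch software: it records leases seen on trusted ports in a binding database and applies an IP source filter on untrusted ports. The class and function names, the MAC and lease-expiry fields, the client port being passed in directly, and the port numbers and addresses are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Binding:
    mac: str        # client hardware address (assumed field)
    port: int       # untrusted port the client sits on
    expires: float  # time the lease ends (assumed field)

class SnoopingModel:
    """Toy model: binding database plus per-port IP source filter."""
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.db = {}  # ip -> Binding

    def snoop_ack(self, ingress_port, client_port, mac, ip, lease_secs, now):
        """Record a lease from a DHCP ACK seen on a trusted port only."""
        if ingress_port not in self.trusted:
            return False  # server reply on an untrusted port is filtered out
        self.db[ip] = Binding(mac, client_port, now + lease_secs)
        return True

    def _live(self, ip, now):
        """Return the binding for ip, ageing it out once the lease has ended."""
        b = self.db.get(ip)
        if b is not None and now >= b.expires:
            del self.db[ip]
            return None
        return b

    def permit(self, port, src_ip, now):
        """Source filter: an untrusted port passes only its own leased IPs."""
        b = self._live(src_ip, now)
        return port in self.trusted or (b is not None and b.port == port)

    def owner_of(self, ip, now):
        """Traceability lookup: which client holds this IP right now?"""
        b = self._live(ip, now)
        return (b.mac, b.port) if b else None

def demo():
    # Constructed sample values: port 1 is the trusted uplink, port 5 a client.
    sw, t0, mac = SnoopingModel({1}), 1000.0, "00:00:5e:00:53:01"
    return [
        sw.snoop_ack(1, 5, mac, "192.0.2.10", 3600, t0),  # lease learned
        sw.permit(5, "192.0.2.10", t0 + 10),              # bound source
        sw.permit(5, "192.0.2.99", t0 + 10),              # unknown source IP
        sw.permit(6, "192.0.2.10", t0 + 10),              # right IP, wrong port
        sw.snoop_ack(6, 6, mac, "192.0.2.20", 3600, t0),  # ACK on untrusted port
        sw.owner_of("192.0.2.10", t0 + 10),               # traceability
        sw.permit(5, "192.0.2.10", t0 + 3601),            # lease expired
    ]
```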