Specifications

DHCP Snooping Overview

SecureStack B2 Configuration Guide 18-3

switchisrebooting,whentheswitchreceivesaDHCPDISCOVERYorREQUESTmessage,the

clientʹsbindingwillgotoatentativebindingstate.

Rate Limiting

ToprotecttheswitchagainstDHCPattackswhenDHCPsnoopingisenabled,thesnooping

applicationenforcesarateli mitforDHCPpacketsreceivedonuntrustedinterfaces.DHCP

snoopingmonitorsthereceiverateoneachinterfaceseparately.Ifthereceiverateexceedsa

configurablelimit,DHCPsnoopingbringsdowntheinterface.Use

thesetportenablecommand

tore‐enabletheinterface.Boththerateandthe burst intervalcanbeconfigured.

Basic Configuration

Thefollowingconfigurationproceduredoesnotchangethewritedelaytothesnoopingdatabase

oranyofthedefaultrateli mitingvalues.Additionalconfigurationnotesfollowthisprocedure.

Procedure 18-1 Basic Configuration for DHCP Snooping

Step Task Command(s)

1. Enable DHCP snooping globally on the switch. set dhcpsnooping enable

2. Determine where DHCP clients will be

connected and enable DHCP snooping on their

VLANs.

set dhcpsnooping vlan vlan-list

enable

3. Determine which ports will be connected to the

DHCP server and configure them as trusted

ports.

set dhcpsnooping trust port

port-string enable

4. If desired, enable logging of invalid DHCP

messages on specfic ports.

set dhcpsnooping log-invalid port

port-string enable

5. If desired, add static bindings to the database. set dhcpsnooping binding mac-address

vlan vlan-id ipaddr port port-string