User's Manual
331
44.1.2 Enabling DHCP Snooping in a VLAN
When DHCP snooping is enabled in a VLAN, the DHCP packets received on all distrusted physical ports in that
VLAN are checked for validity. DHCP response packets received on distrusted physical ports in the VLAN are
dropped, which prevents a fake or misconfigured DHCP server from providing address distribution services.
For a DHCP request packet received on a distrusted port, if the hardware address field in the DHCP request
does not match the source MAC address of the packet, the request is treated as a forged packet of the kind
used in DHCP DoS attacks, and the switch drops it.
Run the following commands in global configuration mode.

Command                                   Purpose
ip dhcp-relay snooping vlan vlan_id       Enables DHCP snooping in a VLAN.
no ip dhcp-relay snooping vlan vlan_id    Disables DHCP snooping in a VLAN.
44.1.3 Enabling DHCP Anti-attack in a VLAN
To enable attack prevention in a VLAN, configure the maximum number of DHCP clients allowed in that VLAN;
clients are admitted on a first-come, first-served basis. Once the number of users in the VLAN reaches the
maximum, no addresses are distributed to new clients.
Run the following commands in global configuration mode.

Command                                                   Purpose
ip dhcp-relay snooping vlan vlan_id max-client number     Enables DHCP anti-attack in a VLAN.
no ip dhcp-relay snooping vlan vlan_id max-client         Disables DHCP anti-attack in a VLAN.
44.1.4 Setting an Interface to a DHCP-Trusting Interface
If an interface is set as a DHCP-trusting interface, DHCP packets received on this interface are not checked.
Run the following commands in physical interface configuration mode.

Command                    Purpose
dhcp snooping trust        Sets an interface to a DHCP-trusting interface.
no dhcp snooping trust     Restores an interface to a DHCP-distrusted interface.

An interface is a distrusted interface by default.
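The three sections above describe one mechanism: per-VLAN snooping, a per-VLAN client limit and per-interface trust. The following Python model, an added example that is not part of the manual and not the switch's own implementation, applies those rules to a handful of constructed DHCP packets so the interaction between them can be seen end to end. The interface names, MAC addresses, VLAN 10 with max-client 2, and the class and function names are all constructed for this example; the commands quoted in the comments are the ones documented above.

```python
# Added example (not from the manual): a small model of the DHCP snooping
# checks described in sections 44.1.2 to 44.1.4, run against constructed packets.
from dataclasses import dataclass, field

BOOTREQUEST = 1   # DHCP op field values (RFC 2131): client -> server
BOOTREPLY = 2     # server -> client


@dataclass
class DhcpPacket:
    vlan: int
    in_port: str     # ingress interface; names are constructed for this example
    src_mac: str     # Ethernet source MAC of the frame
    op: int          # BOOTREQUEST or BOOTREPLY
    chaddr: str      # client hardware address field inside the DHCP payload


@dataclass
class SnoopingConfig:
    # ip dhcp-relay snooping vlan vlan_id
    snooping_vlans: set = field(default_factory=set)
    # ip dhcp-relay snooping vlan vlan_id max-client number
    max_clients: dict = field(default_factory=dict)
    # dhcp snooping trust (physical interface configuration mode)
    trusted_ports: set = field(default_factory=set)


class DhcpSnooper:
    """Applies the manual's rules to each packet; state is the set of admitted clients per VLAN."""

    def __init__(self, cfg: SnoopingConfig):
        self.cfg = cfg
        self.admitted = {}   # vlan -> set of client MACs admitted (first come, first served)

    def check(self, pkt: DhcpPacket) -> str:
        if pkt.vlan not in self.cfg.snooping_vlans:
            return "forward"  # snooping disabled in this VLAN: nothing is checked
        if pkt.in_port in self.cfg.trusted_ports:
            return "forward"  # trusted interface: packets are not checked (44.1.4)
        if pkt.op == BOOTREPLY:
            # 44.1.2: server responses are only accepted on trusted ports
            return "drop: DHCP reply from distrusted port"
        if pkt.op == BOOTREQUEST:
            mac = pkt.src_mac.lower()
            if pkt.chaddr.lower() != mac:
                # 44.1.2: hardware address field does not match the frame's MAC
                return "drop: chaddr does not match source MAC"
            clients = self.admitted.setdefault(pkt.vlan, set())
            limit = self.cfg.max_clients.get(pkt.vlan)
            if mac not in clients and limit is not None and len(clients) >= limit:
                # 44.1.3: the VLAN already holds max-client users
                return "drop: max-client limit reached in VLAN"
            clients.add(mac)
            return "forward"
        return "drop: unknown DHCP op"


def run_sample() -> list:
    """Constructed scenario: VLAN 10 snooped with max-client 2 and one trusted uplink."""
    cfg = SnoopingConfig(
        snooping_vlans={10},
        max_clients={10: 2},
        trusted_ports={"uplink-to-dhcp-server"},   # constructed interface name
    )
    snooper = DhcpSnooper(cfg)
    packets = [
        # rogue server reply arriving on an access port
        DhcpPacket(10, "access-1", "00:11:22:33:44:01", BOOTREPLY, "aa:aa:aa:aa:aa:01"),
        # legitimate server reply arriving on the trusted uplink
        DhcpPacket(10, "uplink-to-dhcp-server", "00:11:22:33:44:ff", BOOTREPLY, "aa:aa:aa:aa:aa:01"),
        # client A: well-formed request (case of the MAC does not matter)
        DhcpPacket(10, "access-1", "aa:aa:aa:aa:aa:01", BOOTREQUEST, "AA:AA:AA:AA:AA:01"),
        # spoofed request: chaddr differs from the frame's source MAC
        DhcpPacket(10, "access-2", "aa:aa:aa:aa:aa:02", BOOTREQUEST, "aa:aa:aa:aa:aa:99"),
        # client B: second admitted client
        DhcpPacket(10, "access-2", "aa:aa:aa:aa:aa:02", BOOTREQUEST, "aa:aa:aa:aa:aa:02"),
        # client C: the limit of 2 is already reached
        DhcpPacket(10, "access-3", "aa:aa:aa:aa:aa:03", BOOTREQUEST, "aa:aa:aa:aa:aa:03"),
        # client A again (renewal): already counted, still allowed
        DhcpPacket(10, "access-1", "aa:aa:aa:aa:aa:01", BOOTREQUEST, "aa:aa:aa:aa:aa:01"),
        # VLAN 20 has no snooping configured: a reply on an access port is not checked
        DhcpPacket(20, "access-4", "00:11:22:33:44:02", BOOTREPLY, "bb:bb:bb:bb:bb:01"),
    ]
    return [snooper.check(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The last packet is the point to notice when auditing a configuration: trust is only consulted in VLANs where snooping is enabled, so an access port in a VLAN without `ip dhcp-relay snooping vlan` still accepts server replies regardless of how the interface is marked.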