Installation manual

ManualsBrandsSignaMax ManualsComputer equipmentF0-065-1200 Series

161

162

163

164

165

166

167

168

169

170

3-116

SIGNAMAX LLC • www.signamax.eu

DHCP Snooping

The addresses assigned to DHCP clients on unsecure ports can be carefully controlled

using the dynamic bindings registered with DHCP Snooping (or using the static bindings

configured with IP Source Guard). DHCP snooping allows a switch to protect a network

from rogue DHCP servers or other devices which send port-related information to a

DHCP server. This information can be useful in tracking an IP address back to a physical

port.

Command Usage

• Network traffic may be disrupted when malicious DHCP messages are received from an

outside source. DHCP snooping is used to filter DHCP messages received on a

non-secure interface from outside the network or firewall. When DHCP snooping is

enabled globally and enabled on a VLAN interface, DHCP messages received on an

untrusted interface from a device not listed in the DHCP snooping table will be dropped.

• Table entries are only learned for trusted interfaces. An entry is added or removed

dynamically to the DHCP snooping table when a client receives or releases an IP

address from a DHCP server. Each entry includes a MAC address, IP address, lease

time, VLAN identifier, and port identifier.

• The rate limit for the number of DHCP messages that can be processed by the switch is

100 packets per second. Any DHCP packets in excess of this limit are dropped.

• When DHCP snooping is enabled, DHCP messages entering an untrusted interface are

filtered based upon dynamic entries learned via DHCP snooping.

• Filtering rules are implemented as follows:

- If the global DHCP snooping is disabled, all DHCP packets are forwarded.

- If DHCP snooping is enabled globally, and also enabled on the VLAN where the

DHCP packet is received, all DHCP packets are forwarded for a trusted port. If the

received packet is a DHCP ACK message, a dynamic DHCP snooping entry is also

added to the binding table.

- If DHCP snooping is enabled globally, and also enabled on the VLAN where the

DHCP packet is received, but the port is not trusted, it is processed as follows:

* If the DHCP packet is a reply packet from a DHCP server (including OFFER, ACK

or NAK messages), the packet is dropped.

* If the DHCP packet is from a client, such as a DECLINE or RELEASE message,

the switch forwards the packet only if the corresponding entry is found in the binding

table.

* If the DHCP packet is from a client, such as a DISCOVER, REQUEST, INFORM,

DECLINE or RELEASE message, the packet is forwarded if MAC address

verification is disabled. However, if MAC address verification is enabled, then the

packet will only be forwarded if the client’s hardware address stored in the DHCP

packet is the same as the source MAC address in the Ethernet header.

* If the DHCP packet is not a recognizable type, it is dropped.

- If a DHCP packet from a client passes the filtering criteria above, it will only be

forwarded to trusted ports in the same VLAN.