Installation manual

ManualsBrandsSignaMax ManualsComputer equipmentF0-065-1200 Series

481

482

483

484

485

486

487

488

489

490

4-163

SIGNAMAX LLC • www.signamax.eu

ip dhcp snooping

This command enables DHCP snooping globally. Use the no form to restore the default

setting.

Syntax

[no] ip dhcp snooping

Default Setting

Disabled

Command Mode

Global Configuration

Command Usage

• Network traffic may be disrupted when malicious DHCP messages are received

from an outside source. DHCP snooping is used to filter DHCP messages received

on an unsecure interface from outside the network or firewall. When DHCP

snooping is enabled globally by this command, and enabled on a VLAN interface

by the ip dhcp snooping vlan command (page 4-164), DHCP messages received

on an untrusted interface (as specified by the no ip dhcp snooping trust

command, page 4-165) from a device not listed in the DHCP snooping table will be

dropped.

• When enabled, DHCP messages entering an untrusted interface are filtered based

upon dynamic entries learned via DHCP snooping.

• Table entries are only learned for untrusted interfaces. Each entry includes a MAC

address, IP address, lease time, VLAN identifier, and port identifier.

• When DHCP snooping is enabled, the rate limit for the number of DHCP messages

that can be processed by the switch is 100 packets per second. Any DHCP packets

in excess of this limit are dropped.

• Filtering rules are implemented as follows:

- If global DHCP snooping is disabled, all DHCP packets are forwarded.

- If DHCP snooping is enabled globally, and also enabled on the VLAN where the

DHCP packet is received, all DHCP packets are forwarded for a trusted port. If

the received packet is a DHCP ACK message, a dynamic DHCP snooping entry

is also added to the binding table.

- If DHCP snooping is enabled globally, and also enabled on the VLAN where the

DHCP packet is received, but the port is not trusted, it is processed as follows:

* If the DHCP packet is a reply packet from a DHCP server (including OFFER,

ACK or NAK messages), the packet is dropped.

* If the DHCP packet is from a client, such as a DECLINE or RELEASE

message, the switch forwards the packet only if the corresponding entry is

found in the binding table.

* If the DHCP packet is from client, such as a DISCOVER, REQUEST,

INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC

address verification is disabled (as specified by the ip dhcp snooping verify