Command Line Interface
4-232
4
firewall. When DHCP snooping is enabled globally by this command, and
enabled on a VLAN interface by the
ip dhcp snooping vlan
command
(page 4-233), DHCP messages received on an untrusted interface (as
specified by the
no ip dhcp snooping trust
command, page 4-234) from a
device not listed in the DHCP snooping table will be dropped.
• When enabled, DHCP messages entering an untrusted interface are filtered
based upon dynamic entries learned via DHCP snooping.
• Table entries are only learned for untrusted interfaces. Each entry includes a
MAC address, IP address, lease time, entry type (Dynamic-DHCP-Binding,
Static-DHCP-Binding), VLAN identifier, and port identifier.
• When DHCP snooping is enabled, the rate limit for the number of DHCP
messages that can be processed by the switch is 100 packets per second.
Any DHCP packets in excess of this limit are dropped.
• Filtering rules are implemented as follows:
- If the global DHCP snooping is disabled, all DHCP packets are forwarded.
- If DHCP snooping is enabled globally, and also enabled on the VLAN where
the DHCP packet is received, all DHCP packets are forwarded for a
trusted
port. If the received packet is a DHCP ACK message, a dynamic DHCP
snooping entry is also added to the binding table.
- If DHCP snooping is enabled globally, and also enabled on the VLAN where
the DHCP packet is received, but the port is
not trusted
, it is processed as
follows:
* If the DHCP packet is a reply packet from a DHCP server (including
OFFER, ACK or NAK messages), the packet is dropped.
* If the DHCP packet is from a client, such as a DECLINE or RELEASE
message, the switch forwards the packet only if the corresponding entry
is found in the binding table.
* If the DHCP packet is from client, such as a DISCOVER, REQUEST,
INFORM, DECLINE or RELEASE message, the packet is forwarded if
MAC address verification is disabled (as specified by the
ip dhcp
snooping verify mac-address
command, page 4-235). However, if
MAC address verification is enabled, then the packet will only be
forwarded if the client’s hardware address stored in the DHCP packet is
the same as the source MAC address in the Ethernet header.
* If the DHCP packet is not a recognizable type, it is dropped.
- If a DHCP packet from a client passes the filtering criteria above, it will only
be forwarded to trusted ports in the same VLAN.
- If a DHCP packet is from server is received on a trusted port, it will be
forwarded to both trusted and untrusted ports in the same VLAN.
• If the DHCP snooping is globally disabled, all dynamic bindings are removed
from the binding table.
•
Additional considerations when the switch itself is a DHCP client
– The port(s)
through which the switch submits a client request to the DHCP server must be
configured as trusted (
ip dhcp snooping trust
, page 4-234). Note that the
switch will not add a dynamic entry for itself to the binding table when it
Summary of Contents for TL-SG5426 -
Page 1: ...TL SG5426 26 Port Gigabit Managed Switch Rev 1 0 0 1910010105...
Page 17: ...Contents xiv...
Page 21: ...Tables xviii...
Page 25: ...Figures xxii...
Page 42: ...Initial Configuration 2 10 2...
Page 107: ...Configuring the Switch 3 64 3 Figure 3 41 802 1X Port Configuration...
Page 486: ...Software Specifications A 4 A...