Korenix Technology Co., Ltd.
Industrial
Layer 3 Managed Ethernet Switch
_____________________________________________________________________________
Industrial Layer 3 Managed Ethernet SwitchUser Manual
Page: 502/1246
6.17
DHCP Snooping Commands
DHCP snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP
servers to filter harmful DHCP messages and to build a bindings database of {MAC address, IP address,
VLAN ID, port} tuples that are considered authorized. You can enable DHCP snooping globally and on
specific VLANs, and configure ports within the VLAN to be trusted or untrusted. DHCP servers must be
reached through trusted ports.
The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type,
VLAN number, and interface information that corresponds to the local untrusted interfaces of a switch; it
does not contain information regarding hosts interconnected with a trusted interface. An untrusted
interface is an interface that is configured to receive messages from outside the network or firewall. A
trusted interface is an interface that is configured to receive only messages from within the network.
DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It also gives you a way
to differentiate between untrusted interfaces connected to the end-user and trusted interfaces connected
to the DHCP server or another switch.
DHCP snooping enforces the following security rules:
DHCP packets from a DHCP server (DHCPOFFER, DHCPACK, DHCPNAK,
DHCPRELEASEQUERY) are dropped if received on an untrusted port.
DHCPRELEASE and DHCPDECLINE messages are dropped if for a MAC address in the
snooping database, but the binding's interface is other than the interface where the message
was received.
On untrusted interfaces, the switch drops DHCP packets whose source MAC address does not
match the client hardware address. This feature is a configurable option.
The hardware identifies all incoming DHCP packets on ports where DHCP snooping is enabled. DHCP
snooping is enabled on a port if (a) DHCP snooping is enabled globally, and (b) the port is a member of a
VLAN where DHCP snooping is enabled. On untrusted ports, the hardware traps all incoming DHCP
packets to the CPU. On trusted ports, the hardware forwards client messages and copies server
messages to the CPU so that DHCP snooping can learn the binding.
You can enable the switch to operate as a DHCP Layer 2 relay agent to relay DHCP requests from
clients to a Layer 3 relay agent or server. The Circuit ID and Remote ID can be added to DHCP requests
relayed from clients to a DHCP server. This information is included in DHCP Option 82, as specified in
sections 3.1 and 3.2 of RFC3046.