160
Use DHCP snooping to filter unauthorized DHCP packets on the network and to build the binding
table dynamically. This can prevent clients from getting IP addresses from unauthorized DHCP
servers.
Trusted vs. Untrusted Ports
Every port is either a trusted port or an untrusted port for DHCP snooping. This setting is
independent of the trusted/untrusted setting for ARP inspection. You can also specify the
maximum number for DHCP packets that each port (trusted or untrusted) can receive each second.
Trusted ports
are connected to DHCP servers or other switches. The Switch discards DHCP
packets from trusted ports only if the rate at which DHCP packets arrive is too high. The Switch
learns dynamic bindings from trusted ports.
Note:
The Switch will drop all DHCP requests if you enable DHCP snooping and there are no
trusted ports.
Untrusted ports
are connected to subscribers. The Switch discards DHCP packets from
untrusted ports in the following situations:
The packet is a DHCP server packet (for example, OFFER, ACK, or NACK).
The source MAC address and source IP address in the packet do not match any of the current
bindings.
The packet is a RELEASE or DECLINE packet, and the source MAC address and source
port do not match any of the current bindings.
The rate at which DHCP packets arrive is too high.
DHCP Snooping Database
The Switch stores the binding table in volatile memory. If the Switch restarts, it loads static
bindings from permanent memory but loses the dynamic bindings, in which case the devices in
the network have to send DHCP requests again.
Configuring DHCP Snooping
Follow these steps to configure DHCP snooping on the Switch.
1.
Enable DHCP snooping on the Switch.
2.
Enable DHCP snooping on each VLAN.
3.
Configure trusted and untrusted ports.
4.
Configure static bindings.
Note:
The Switch will drop all DHCP requests if you enable DHCP snooping and there are no
trusted ports.
If the port link down, the entries learned by this port in the DHCP snooping binding table
will be deleted.
You must enable the global DHCP snooping and DHCP Snooping for vlan first.
The main purposes of the DHCP Snooping are:
1.
Create and maintain binding table for ARP Inspection function.
2.
Filter the DHCP server’s packets that the DHCP server connects to an untrusted port.