LevelOne GSW-4876 User Manual
Page 109
Chapter 4 | Configuring the Switch
Configuring Security
◆ Table entries are only learned for trusted interfaces. An entry is added to or removed from the DHCP snooping table dynamically when a client receives or releases an IP address from a DHCP server. Each entry includes a MAC address, IP address, lease time, VLAN identifier, and port identifier.
◆ When DHCP snooping is enabled, DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping.
◆ Filtering rules are implemented as follows:
  ■ If global DHCP snooping is disabled, all DHCP packets are forwarded.
  ■ If DHCP snooping is enabled globally, all DHCP packets are forwarded for a trusted port. If the received packet is a DHCP ACK message, a dynamic DHCP snooping entry is also added to the binding table.
  ■ If DHCP snooping is enabled globally, but the port is not trusted, the packet is processed as follows:
    ■ If the DHCP packet is a reply packet from a DHCP server (including OFFER, ACK or NAK messages), the packet is dropped.
    ■ If a DHCP DECLINE or RELEASE message is received from a client, the switch forwards the packet only if the corresponding entry is found in the binding table.
    ■ If a DHCP DISCOVER, REQUEST or INFORM message is received from a client, the packet is forwarded.
    ■ If the DHCP packet is not a recognizable type, it is dropped.
  ■ If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN.
  ■ If a DHCP packet from a server is received on a trusted port, it will be forwarded to both trusted and untrusted ports in the same VLAN.
  ■ If DHCP snooping is globally disabled, all dynamic bindings are removed from the binding table.
  ■ Additional considerations when the switch itself is a DHCP client – The port(s) through which the switch submits a client request to the DHCP server must be configured as trusted. Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server. Also, when the switch sends out DHCP client packets for itself, no filtering takes place. However, when the switch receives any messages from a DHCP server, any packets received from untrusted ports are dropped.
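The filtering rules above can be traced step by step with a small model. The following Python simulator is an added example written for this page, not LevelOne firmware or any switch vendor's code; the Packet and Binding classes, the action labels ("forward-all", "forward-trusted", "drop") and the sample port layout are assumptions made for the illustration. It applies the rules to constructed packets (a client DISCOVER on an untrusted port, a rogue OFFER on an untrusted port, a server ACK on the trusted uplink, a RELEASE with and without a matching binding, and an unrecognized message type) so that each decision path can be checked against the list above.

```python
"""Model of the DHCP snooping filtering rules described on this page.

Added example (not switch firmware): applies the rules to constructed
packets so the decision for each message type can be inspected.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# DHCP message types named on the page, grouped by who sends them
SERVER_REPLIES = {"OFFER", "ACK", "NAK"}
CLIENT_REQUESTS = {"DISCOVER", "REQUEST", "INFORM"}
CLIENT_TERMINATIONS = {"DECLINE", "RELEASE"}


@dataclass(frozen=True)
class Packet:
    msg_type: str                    # DHCP message type, e.g. "ACK"
    client_mac: str                  # MAC of the client the message concerns
    vlan: int                        # VLAN the frame arrived on
    in_port: int                     # ingress port number
    yiaddr: Optional[str] = None     # address handed out (meaningful in ACK)
    lease_time: Optional[int] = None
    for_switch_itself: bool = False  # ACK addressed to the switch's own client


@dataclass
class Binding:
    mac: str
    ip: str
    lease_time: int
    vlan: int
    port: int


@dataclass
class DhcpSnooping:
    enabled: bool = False
    trusted_ports: Set[int] = field(default_factory=set)
    # keyed by (client MAC, VLAN), the way a switch would look entries up
    bindings: Dict[Tuple[str, int], Binding] = field(default_factory=dict)

    def set_enabled(self, on: bool) -> None:
        # Disabling snooping globally flushes every dynamic binding.
        self.enabled = on
        if not on:
            self.bindings.clear()

    def process(self, pkt: Packet) -> str:
        """Return the forwarding decision for one received DHCP packet:
        "forward-all" (all ports in the VLAN), "forward-trusted"
        (trusted ports in the VLAN only) or "drop"."""
        if not self.enabled:
            return "forward-all"  # snooping off: nothing is filtered

        key = (pkt.client_mac, pkt.vlan)

        if pkt.in_port in self.trusted_ports:
            # Trusted port: every DHCP packet is forwarded. An ACK adds a
            # binding, except when the switch itself is the client.
            if pkt.msg_type == "ACK" and not pkt.for_switch_itself:
                self.bindings[key] = Binding(pkt.client_mac, pkt.yiaddr,
                                             pkt.lease_time, pkt.vlan, pkt.in_port)
            # Server replies reach trusted and untrusted ports in the VLAN;
            # client messages are assumed here to go to trusted ports only.
            return "forward-all" if pkt.msg_type in SERVER_REPLIES else "forward-trusted"

        # Untrusted port: server replies are never accepted here.
        if pkt.msg_type in SERVER_REPLIES:
            return "drop"
        if pkt.msg_type in CLIENT_TERMINATIONS:
            # Forward only if the client already holds a binding; a RELEASE
            # that passes also removes the entry (the lease is given up).
            if key not in self.bindings:
                return "drop"
            if pkt.msg_type == "RELEASE":
                del self.bindings[key]
            return "forward-trusted"
        if pkt.msg_type in CLIENT_REQUESTS:
            return "forward-trusted"
        return "drop"  # unrecognized message type


def run_scenario() -> List[Tuple[str, str]]:
    """Constructed walk-through: port 1 is the trusted uplink, 2 and 3 are access ports."""
    sw = DhcpSnooping(trusted_ports={1})
    sw.set_enabled(True)
    mac = "aa:bb:cc:00:00:01"
    steps = [
        ("client DISCOVER on untrusted port", Packet("DISCOVER", mac, 10, 2)),
        ("rogue OFFER on untrusted port", Packet("OFFER", mac, 10, 3, yiaddr="10.0.0.99")),
        ("server ACK on trusted port", Packet("ACK", mac, 10, 1, yiaddr="10.0.0.20", lease_time=3600)),
        ("RELEASE with binding", Packet("RELEASE", mac, 10, 2)),
        ("RELEASE without binding", Packet("RELEASE", "aa:bb:cc:00:00:02", 10, 3)),
        ("unknown type on untrusted port", Packet("BOGUS", "aa:bb:cc:00:00:02", 10, 3)),
    ]
    return [(label, sw.process(pkt)) for label, pkt in steps]


if __name__ == "__main__":
    for label, decision in run_scenario():
        print(f"{label:36s} -> {decision}")
```

The model keeps the binding keyed by MAC and VLAN, which is why the second RELEASE (a client that never received an ACK through a trusted port) is dropped while the first is forwarded: the binding table is what lets the switch tell a genuine release from a spoofed one.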