Ip dhcp snooping – LevelOne GTL-2691 User Manual
Page 947
C
HAPTER
29
| General Security Measures
DHCP Snooping
– 947 –
ip dhcp snooping
This command enables DHCP snooping globally. Use the no form to restore
the default setting.
S
YNTAX
[no] ip dhcp snooping
D
EFAULT
S
ETTING
Disabled
C
OMMAND
M
ODE
Global Configuration
C
OMMAND
U
SAGE
◆
Network traffic may be disrupted when malicious DHCP messages are
received from an outside source. DHCP snooping is used to filter DHCP
messages received on an unsecure interface from outside the network
or fire wall. When DHCP snooping is enabled globally by this command,
and enabled on a VLAN interface by the
command, DHCP messages received on an untrusted interface (as
specified by the
command) from a device not
listed in the DHCP snooping table will be dropped.
◆
When enabled, DHCP messages entering an untrusted interface are
filtered based upon dynamic entries learned via DHCP snooping.
◆
Table entries are only learned for trusted interfaces. Each entry
includes a MAC address, IP address, lease time, VLAN identifier, and
port identifier.
◆
When DHCP snooping is enabled, the rate limit for the number of DHCP
messages that can be processed by the switch is 100 packets per
second. Any DHCP packets in excess of this limit are dropped.
◆
Filtering rules are implemented as follows:
■
If the global DHCP snooping is disabled, all DHCP packets are
forwarded.
■
If DHCP snooping is enabled globally, and also enabled on the VLAN
where the DHCP packet is received, all DHCP packets are forwarded
for a trusted port. If the received packet is a DHCP ACK message, a
dynamic DHCP snooping entry is also added to the binding table.
■
If DHCP snooping is enabled globally, and also enabled on the VLAN
where the DHCP packet is received, but the port is not trusted, it is
processed as follows:
■
If the DHCP packet is a reply packet from a DHCP server
(including OFFER, ACK or NAK messages), the packet is
dropped.