About client ip-to-mac address mappings, System reboot and the binding database – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
Page 338
The lease time will be refreshed when the client renews its IP address with the DHCP server;
otherwise the Brocade device removes the entry when the lease time expires.
About client IP-to-MAC address mappings
Client IP addresses need not be on directly-connected networks, as long as the client MAC address is
learned on the client port and the client port is in the same VLAN as the DHCP server port. In that
case the system learns the client IP-to-MAC-to-port mapping, so a VLAN with DHCP snooping
enabled does not require a VE interface.
In earlier releases of the Layer 3 software image, DHCP snooping did not learn the secure IP-to-MAC
address mapping for a client unless the client port was a virtual Ethernet (VE) interface with an IP
subnet address. In other words, the client IP address had to fall within one of the subnets configured
on the client port for DHCP snooping to learn the address mapping.
System reboot and the binding database
To allow DAI and DHCP snooping to keep working across a system reboot, the binding database is
saved to a file in the system flash memory after each update to the binding database, with a 30-second
delay. The flash file is written and read only if DHCP snooping is enabled.
Configuration notes and feature limitations for DHCP snooping
The following limits and restrictions apply to DHCP snooping:
• To run DHCP snooping, you must first enable support for ACL filtering based on VLAN membership
or VE port membership. To do so, enter the following commands at the Global CONFIG Level of the
CLI.
device(config)#enable ACL-per-port-per-vlan
device(config)#write memory
device(config)#exit
device#reload
NOTE
You must save the configuration and reload the software to place the change into effect.
• DHCP snooping is not supported on LAG ports.
• DHCP snooping is not supported together with DHCP Auto-configuration.
• A switch can have up to 256 ARP entries; DHCP snooping entries are therefore limited to 256. A
router can have 64,000 ARP entries, so it can hold up to 64,000 DHCP snooping entries, of which
only 1024 are saved to flash for restoration after a reboot.
• ACLs are supported on member ports of a VLAN on which DHCP snooping and Dynamic ARP
Inspection (DAI) are enabled.
• See also About client IP-to-MAC address mappings on page 338.
• On FastIron X Series devices, DHCP snooping is supported together with multi-device port
authentication and dynamic ACLs.
• DHCP snooping supports DHCP relay agent information (DHCP Option 82). For details, refer to
page 342.
• If the default VLAN ID is changed, DHCP snooping and Dynamic ARP Inspection must be re-applied
on the new default VLAN.
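The following is an added model of the behaviour described in the two sections above (lease-based expiry, learning a binding only when the client MAC is already known on the client port in the same VLAN, the delayed and capped write to flash, and the DAI lookup that consumes the table). It is illustrative code written for this page, not Brocade firmware or CLI. The packet and MAC-table inputs are constructed dicts, port names such as 1/1/7 are assumed, and the choice to drop the soonest-to-expire entries first when trimming to the 1024-entry flash limit is an assumption; the guide only states the limit.

```python
"""Model of a DHCP snooping binding database: entries are learned from DHCP
ACKs on client ports, aged out at lease expiry, persisted to "flash" after a
delay and under a cap, and consulted by DAI for ARP packets. Added example
for illustration; packet and MAC-table inputs are constructed stand-ins."""
from dataclasses import dataclass, asdict
import json

FLASH_WRITE_DELAY = 30      # seconds, per the guide
FLASH_ENTRY_LIMIT = 1024    # entries saved to flash on a router image
MAX_ENTRIES = {"switch": 256, "router": 64000}   # table sizes from the guide


@dataclass
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str
    lease_expires: float    # absolute time in seconds


class SnoopingBindingDB:
    def __init__(self, image="router"):
        self.max_entries = MAX_ENTRIES[image]
        self.bindings = {}          # (vlan, ip) -> Binding
        self.dirty_since = None     # time of first unflushed change
        self.flash = None           # last serialised snapshot

    def learn_from_ack(self, ack, ingress_port, mac_table, now):
        """Learn a binding from a DHCPACK delivered to a client on an untrusted
        port. The client IP need not be on a local subnet; it is enough that
        the client MAC is already learned on that port in the same VLAN."""
        key = (ack["vlan"], ack["yiaddr"])
        if mac_table.get((ack["vlan"], ack["chaddr"])) != ingress_port:
            return False                        # MAC not learned on this port
        if key not in self.bindings and len(self.bindings) >= self.max_entries:
            return False                        # table full
        self.bindings[key] = Binding(ack["yiaddr"], ack["chaddr"], ack["vlan"],
                                     ingress_port, now + ack["lease"])
        if self.dirty_since is None:
            self.dirty_since = now
        return True

    def expire(self, now):
        """Remove entries whose lease ran out without a renewal being seen."""
        stale = [k for k, b in self.bindings.items() if b.lease_expires <= now]
        for k in stale:
            del self.bindings[k]
        if stale and self.dirty_since is None:
            self.dirty_since = now
        return len(stale)

    def dai_check(self, vlan, sender_ip, sender_mac, ingress_port, trusted=False):
        """DAI verdict for an ARP packet: trusted ports pass; on untrusted
        ports the sender IP/MAC must match a binding learned on that port."""
        if trusted:
            return True
        b = self.bindings.get((vlan, sender_ip))
        return b is not None and b.mac == sender_mac and b.port == ingress_port

    def flush_if_due(self, now):
        """Write the table to flash once FLASH_WRITE_DELAY has passed since the
        first unflushed change; keep at most FLASH_ENTRY_LIMIT entries
        (assumption: the soonest-to-expire entries are the ones dropped)."""
        if self.dirty_since is None or now - self.dirty_since < FLASH_WRITE_DELAY:
            return False
        keep = sorted(self.bindings.values(), key=lambda b: b.lease_expires,
                      reverse=True)[:FLASH_ENTRY_LIMIT]
        self.flash = json.dumps([asdict(b) for b in keep])
        self.dirty_since = None
        return True

    @classmethod
    def restore(cls, blob, now, image="router"):
        """Rebuild the table after a reboot, dropping leases that expired
        while the device was down."""
        db = cls(image)
        for d in json.loads(blob):
            if d["lease_expires"] > now:
                db.bindings[(d["vlan"], d["ip"])] = Binding(**d)
        return db


def demo():
    """Walk one client through learn -> DAI -> flash -> reboot -> expiry."""
    mac_table = {(10, "00:11:22:33:44:55"): "1/1/7"}      # constructed
    ack = {"vlan": 10, "yiaddr": "192.0.2.50", "chaddr": "00:11:22:33:44:55",
           "lease": 3600}                                   # constructed
    db = SnoopingBindingDB("router")
    learned = db.learn_from_ack(ack, "1/1/7", mac_table, now=1000)
    wrong_port = db.learn_from_ack(ack, "1/1/8", mac_table, now=1000)
    good_arp = db.dai_check(10, "192.0.2.50", "00:11:22:33:44:55", "1/1/7")
    spoofed = db.dai_check(10, "192.0.2.50", "de:ad:be:ef:00:01", "1/1/7")
    early = db.flush_if_due(now=1010)        # 30 s not yet elapsed
    flushed = db.flush_if_due(now=1031)
    after_reboot = SnoopingBindingDB.restore(db.flash, now=2000)
    survived = after_reboot.dai_check(10, "192.0.2.50", "00:11:22:33:44:55", "1/1/7")
    expired = after_reboot.expire(now=1000 + 3600)
    return {"learned": learned, "wrong_port": wrong_port, "good_arp": good_arp,
            "spoofed": spoofed, "early": early, "flushed": flushed,
            "survived": survived, "expired": expired,
            "left": len(after_reboot.bindings)}


if __name__ == "__main__":
    print(demo())
```

The demo shows why the port check in the binding matters for DAI: a spoofed ARP using a victim's IP with a different MAC, or the right IP/MAC pair arriving on a different untrusted port, fails the lookup, while a binding restored from flash after a reboot keeps protecting the client until its lease runs out.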
FastIron Ethernet Switch Security Configuration Guide
53-1003088-03