Introduction to DHCP Snooping – Allied Telesis AlliedWare Plus Operating System Version 5.4.4C (x310-26FT, x310-26FP, x310-50FT, x310-50FP) User Manual
DHCP Snooping Introduction and Configuration
Software Reference for x310 Series Switches
AlliedWare Plus™ Operating System - Version 5.4.4C
C613-50046-01 REV A
Introduction
This chapter provides information about DHCP snooping, support for it on this switch, and
how to configure it.
For detailed descriptions of the commands used to configure DHCP snooping, see Chapter 56, DHCP Snooping Commands; for related ACL commands, see IPv4 Hardware Access Control List (ACL) Commands.
For information about Dynamic Host Configuration Protocol and how to configure it, see Chapter 63, Dynamic Host Configuration Protocol (DHCP) Introduction and Chapter 64, Dynamic Host Configuration Protocol (DHCP) Commands.
DHCP Snooping
DHCP snooping provides an extra layer of security on the switch via dynamic IP source
filtering. DHCP snooping filters out traffic received from unknown, or ‘untrusted’ ports,
and builds and maintains a DHCP snooping database.
Dynamic Host Configuration Protocol (DHCP) dynamically assigns IP addresses to client
devices. The use of dynamically assigned addresses requires traceability, so that a service
provider can determine which clients own a particular IP address at a certain time.
With DHCP snooping, IP sources are dynamically verified, and filtered accordingly. IP
packets that are not sourced from recognized IP addresses can be filtered out. This ensures
the required traceability.
With DHCP snooping, an administrator can control port-to-IP connectivity by:
■ permitting port access to specified IP addresses only
■ permitting port access to DHCP issued IP addresses only
■ dictating the number of IP clients on any given port
■ passing location information about an IP client to the DHCP server
■ permitting only known IP clients to ARP
Ports on the switch are classified as either trusted or untrusted:
■ Trusted ports receive only messages from within your network.
■ Untrusted ports receive messages from outside your network.
DHCP snooping blocks unauthorized IP traffic from untrusted ports, and prevents it from
entering the trusted network. It validates DHCP client packets from untrusted ports and
forwards them to trusted ports in the VLAN.
On this switch, DHCP snooping is disabled by default, and can be enabled on a per-VLAN
basis to operate over switch ports and over static and dynamic (LACP) link aggregators
(channel groups).
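The trusted/untrusted rule, the snooping database and the per-port client limit described above can be modelled in a few lines of Python. This is an added illustration, not AlliedWare Plus code: the class, the port names, the addresses and the choice to enforce the client limit when the server's ACK is seen are assumptions of the model.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # message types only a DHCP server sends
@dataclass
class SnoopingSwitch:
    trusted: set                                   # ports facing the trusted network
    max_bindings: int = 1                          # IP clients allowed per untrusted port
    pending: dict = field(default_factory=dict)    # client MAC -> port its REQUEST arrived on
    bindings: dict = field(default_factory=dict)   # (port, ip) -> (mac, lease expiry time)

    def _expire(self, now):
        self.bindings = {k: v for k, v in self.bindings.items() if v[1] > now}

    def dhcp(self, port, msg, mac, ip=None, lease=0, now=0):
        """Snoop one DHCP message and return 'forward' or 'drop'."""
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                return "drop"                      # server message from an untrusted port
            if msg == "ACK" and mac in self.pending:
                client_port = self.pending.pop(mac)
                self._expire(now)
                in_use = sum(1 for p, _ in self.bindings if p == client_port)
                if in_use >= self.max_bindings and (client_port, ip) not in self.bindings:
                    return "drop"                  # port already holds its allowed clients
                self.bindings[(client_port, ip)] = (mac, now + lease)
            return "forward"
        if msg == "REQUEST" and port not in self.trusted:
            self.pending[mac] = port               # remember where this client lives
        return "forward"

    def permit(self, port, src_ip, src_mac, now=0):
        """Source filter for IP and ARP: untrusted ports may only use bound addresses."""
        if port in self.trusted:
            return True
        self._expire(now)
        entry = self.bindings.get((port, src_ip))
        return entry is not None and entry[0] == src_mac

def demo():
    """Constructed scenario: server on port1.0.1 (trusted), clients on port1.0.5."""
    sw = SnoopingSwitch(trusted={"port1.0.1"})
    a, b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"   # constructed MACs
    return [sw.dhcp("port1.0.5", "REQUEST", a),
            sw.dhcp("port1.0.5", "ACK", a, "192.0.2.99", 60),          # server reply on untrusted port
            sw.dhcp("port1.0.1", "ACK", a, "192.0.2.10", 60),          # genuine lease, binding learned
            sw.permit("port1.0.5", "192.0.2.10", a, now=10),           # bound source
            sw.permit("port1.0.5", "192.0.2.77", a, now=10),           # unbound source IP
            sw.dhcp("port1.0.5", "REQUEST", b),
            sw.dhcp("port1.0.1", "ACK", b, "192.0.2.11", 60, now=10),  # over max_bindings
            sw.permit("port1.0.5", "192.0.2.10", a, now=61)]           # lease expired
```

Calling `demo()` returns the verdict for each step in order, which makes it easy to see which events the model forwards, drops or filters.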