
Brocade ICX 6650 Security Configuration Guide

285

53-1002601-01

DHCP snooping

Client IP-to-MAC address mappings

Client IP addresses need not be on directly-connected networks, as long as the client MAC address
is learned on the client port and the client port is in the same VLAN as the DHCP server port. In this
case, the system will learn the client IP-to-MAC port mapping. Therefore, a VLAN with DHCP
snooping enabled does not require a VE interface.

In earlier releases of the Layer 3 software image, DHCP snooping did not learn the secure
IP-to-MAC address mapping for a client unless the client port was a virtual Ethernet (VE) interface with
an IP subnet address. In other words, the client IP address had to match one of the subnets of the
client port for DHCP snooping to learn the address mapping.

System reboot and the binding database

To allow DAI and DHCP snooping to work smoothly across a system reboot, the binding database is
saved to a file in the system flash memory after each update to the binding database, with a
30-second delay. The flash file is written and read only if DHCP snooping is enabled.
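As an added illustration (not Brocade code and not taken from this guide), the following Python model applies the rules stated in the two sections above together with the entry limits listed under the configuration notes: DHCP server replies are accepted only on trusted ports, a client is bound when its MAC address is learned on a port in the same VLAN as the server port with no subnet or VE check, the table is capped at the switch limit, and the database is written to "flash" only after a 30-second delay following an update. The port names, MAC and IP values, the message dictionaries, the RELEASE handling and the JSON flash format are constructed assumptions for the example.

```python
# Added example: toy model of a DHCP snooping binding database.
# Not Brocade code; port names, message shape, RELEASE handling and the
# JSON "flash" format are assumptions made for illustration.
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Tuple


@dataclass
class Port:
    name: str
    vlan: int
    trusted: bool  # DHCP server replies are accepted only on trusted ports


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str   # client port the binding belongs to (used by DAI)
    lease: int


class SnoopingBindingDb:
    """Learns IP-to-MAC bindings from DHCP ACKs seen on trusted ports."""

    def __init__(self, max_entries: int = 256, flash_limit: int = 1024,
                 flush_delay: float = 30.0):
        self.max_entries = max_entries   # switch limit from the guide (256)
        self.flash_limit = flash_limit   # only 1024 entries are saved to flash
        self.flush_delay = flush_delay   # flash write happens 30 s after an update
        self.bindings: Dict[Tuple[str, int], Binding] = {}
        self.flush_due_at: Optional[float] = None

    def _schedule_flush(self, now: float) -> None:
        # Each update re-arms the delayed write; it fires once the delay expires.
        self.flush_due_at = now + self.flush_delay

    def observe(self, msg: dict, ingress: Port,
                mac_table: Dict[str, Port], now: float) -> str:
        """Process one DHCP message. mac_table maps client MAC -> learned port."""
        op = msg["op"]
        if op in ("OFFER", "ACK", "NAK"):
            if not ingress.trusted:
                return "dropped: server reply on untrusted port"
            client = mac_table.get(msg["chaddr"])
            # The client need not be on a directly connected subnet: it only has
            # to be learned on a port in the same VLAN as the server port.
            if client is None or client.vlan != ingress.vlan:
                return "ignored: client MAC not learned in this VLAN"
            if op != "ACK":
                return "seen: offer/nak not recorded"
            key = (msg["chaddr"], ingress.vlan)
            if key not in self.bindings and len(self.bindings) >= self.max_entries:
                return "rejected: binding table full"
            self.bindings[key] = Binding(msg["chaddr"], msg["yiaddr"],
                                         ingress.vlan, client.name, msg["lease"])
            self._schedule_flush(now)
            return "learned"
        if op == "RELEASE":  # assumed: release must come from the bound port
            key = (msg["chaddr"], ingress.vlan)
            bound = self.bindings.get(key)
            if bound is None or bound.port != ingress.name or bound.ip != msg["ciaddr"]:
                return "dropped: release does not match a binding on this port"
            del self.bindings[key]
            self._schedule_flush(now)
            return "released"
        return "forwarded: client message"

    def is_valid(self, mac: str, ip: str, vlan: int) -> bool:
        """Lookup used by Dynamic ARP Inspection: does (mac, ip) match a binding?"""
        bound = self.bindings.get((mac, vlan))
        return bound is not None and bound.ip == ip

    def flush_if_due(self, now: float) -> Optional[List[dict]]:
        """Return the records written to flash once the delay has expired, else None."""
        if self.flush_due_at is None or now < self.flush_due_at:
            return None
        self.flush_due_at = None
        return [asdict(b) for b in list(self.bindings.values())[:self.flash_limit]]

    def write_flash(self, path: str, now: float) -> bool:
        """Write the flash image as JSON if a flush is due; True when written."""
        records = self.flush_if_due(now)
        if records is None:
            return False
        with open(path, "w") as fh:
            json.dump(records, fh)
        return True


def demo() -> List[str]:
    """Walk the rules with constructed ports and messages; returns the outcomes."""
    uplink = Port("1/1/1", vlan=10, trusted=True)    # faces the DHCP server
    host_a = Port("1/1/5", vlan=10, trusted=False)
    host_b = Port("1/1/6", vlan=10, trusted=False)
    host_c = Port("1/1/9", vlan=20, trusted=False)   # different VLAN
    mac_table = {"00:11:22:33:44:55": host_a, "00:11:22:33:44:66": host_b,
                 "66:77:88:99:aa:bb": host_c}
    db = SnoopingBindingDb(max_entries=1, flush_delay=30.0)  # tiny cap to show "full"
    ack_a = {"op": "ACK", "chaddr": "00:11:22:33:44:55", "yiaddr": "192.0.2.50", "lease": 3600}
    ack_b = {"op": "ACK", "chaddr": "00:11:22:33:44:66", "yiaddr": "192.0.2.51", "lease": 3600}
    ack_c = {"op": "ACK", "chaddr": "66:77:88:99:aa:bb", "yiaddr": "198.51.100.7", "lease": 3600}
    out = [
        db.observe(ack_a, host_a, mac_table, now=0.0),  # rogue server on access port
        db.observe(ack_a, uplink, mac_table, now=0.0),  # legitimate reply
        db.observe(ack_c, uplink, mac_table, now=1.0),  # client MAC is in VLAN 20
        db.observe(ack_b, uplink, mac_table, now=2.0),  # table already at its cap
    ]
    out.append("flash:%s" % ("pending" if db.flush_if_due(now=20.0) is None else "early"))
    out.append("flashed:%d" % len(db.flush_if_due(now=31.0) or []))
    return out
```

`demo()` returns `["dropped: server reply on untrusted port", "learned", "ignored: client MAC not learned in this VLAN", "rejected: binding table full", "flash:pending", "flashed:1"]`; the flush attempt at 20 s returns nothing because the 30-second delay has not elapsed since the update at 0 s, and the ignored and rejected messages do not re-arm it.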

Configuration notes and feature limitations for DHCP snooping

The following limits and restrictions apply to DHCP snooping:

To run DHCP snooping, you must first enable support for ACL filtering based on VLAN
membership or VE port membership. To do so, enter the following commands at the Global
CONFIG Level of the CLI.

Brocade(config)# enable ACL-per-port-per-vlan
Brocade(config)# write memory
Brocade(config)# exit
Brocade# reload

NOTE

You must save the configuration and reload the software to place the change into effect.

DHCP snooping is supported on trunk ports (tagged and untagged) for trusted ports.

DHCP snooping is not supported on trunk ports for untrusted ports.

DHCP snooping is not supported together with DHCP Auto-configuration.

A switch can have up to 256 ARP entries; therefore, DHCP entries on a switch are limited to 256. A router,
however, can have 64,000 ARP entries, so a router can have up to 64,000 DHCP entries, of
which only 1024 entries can be saved to flash on reboot.

ACLs are supported on member ports of a VLAN on which DHCP snooping and Dynamic ARP
Inspection (DAI) are enabled.

See also “Client IP-to-MAC address mappings” on page 285.

DHCP snooping supports DHCP relay agent information (DHCP Option 82). For details, refer to
“DHCP relay agent information” on page 288.

Configuring DHCP snooping

Configuring DHCP snooping consists of the following steps.