4.9.3 DHCP Snooping
4.9.3.1 DHCP Snooping Overview
The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered
with DHCP snooping. DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which
send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port.
Command Usage
• Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is
used to filter DHCP messages received on a non-secure interface from outside the network or firewall. When DHCP
snooping is enabled globally and enabled on a VLAN interface, DHCP messages received on an untrusted interface from
a device not listed in the DHCP snooping table will be dropped.
• Table entries are only learned for trusted interfaces. An entry is added or removed dynamically to the DHCP snooping table
when a client receives or releases an IP address from a DHCP server. Each entry includes a MAC address, IP address, lease
time, VLAN identifier, and port identifier.
• When DHCP snooping is enabled, DHCP messages entering an untrusted interface are filtered based upon dynamic entries
learned via DHCP snooping.
• Filtering rules are implemented as follows:
  - If the global DHCP snooping is disabled, all DHCP packets are forwarded.
User's Manual of GS-4210-16T2S_24T2S_16P2S_24P2S_48T4S
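The binding table and filter decision described above can be modelled in a few lines of Python. This is an added example, not code from the manual or the switch firmware: the class and method names are hypothetical, and because the rule list on this page stops after its first rule, the per-message handling (server replies dropped on untrusted ports, client DISCOVER/REQUEST forwarded, RELEASE/DECLINE checked against the table including the port) is an assumption based on how DHCP snooping is commonly implemented.

```python
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # sent by DHCP servers
LEASE_MSGS = {"RELEASE", "DECLINE"}     # refer to an existing lease

@dataclass
class Binding:                          # the fields the page lists per entry
    mac: str
    ip: str
    lease_s: int
    vlan: int
    port: str

class SnoopingSwitch:                   # hypothetical model, not vendor code
    def __init__(self, enabled, vlans, trusted_ports):
        self.enabled = enabled          # global DHCP snooping state
        self.vlans = set(vlans)         # VLANs with snooping enabled
        self.trusted = set(trusted_ports)
        self.pending = {}               # (vlan, mac) -> port of last REQUEST
        self.table = {}                 # (vlan, mac) -> Binding

    def handle(self, msg, in_port, vlan, mac, ip=None, lease_s=0):
        """Return 'forward' or 'drop' for one DHCP message."""
        if not self.enabled or vlan not in self.vlans:
            return "forward"            # snooping not active for this packet
        key = (vlan, mac)
        if in_port in self.trusted:
            port = self.pending.pop(key, None) if msg == "ACK" else None
            if port:                    # client received an address: learn it
                self.table[key] = Binding(mac, ip, lease_s, vlan, port)
            return "forward"
        if msg in SERVER_MSGS:
            return "drop"               # assumed: server reply on untrusted port
        if msg in LEASE_MSGS:
            entry = self.table.get(key)
            if entry is None or entry.port != in_port:
                return "drop"           # sender not in the snooping table
            if msg == "RELEASE":
                del self.table[key]     # client released its address
        elif msg == "REQUEST":
            self.pending[key] = in_port
        return "forward"                # assumed: client DISCOVER/REQUEST pass

    def port_for_ip(self, ip):
        """Trace a leased IP address back to the client's physical port."""
        return next((b.port for b in self.table.values() if b.ip == ip), None)
```

Feeding it a constructed sequence (DISCOVER and REQUEST on an untrusted port, ACK on the trusted uplink) populates one binding, after which `port_for_ip` returns the client port and a RELEASE arriving on any other port is dropped.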