Ip Dhcp Snooping Trust - D-Link DXS-3600 Series Reference Manual
Dxs-3600 series layer 2/3 managed 10gigabit ethernet switch
Hide thumbs
Also See for DXS-3600 Series:
- Cli reference manual (1456 pages) ,
- Reference manual (680 pages) ,
- Hardware installation manual (55 pages)
Table of Contents
Advertisement
DXS-3600 Series Layer 3 Managed 10Gigabit Ethernet Switch CLI Reference Guide
22-8 ip dhcp snooping trust
This command is used to configure a port as a trusted interface for DHCP snooping. Use the no form of
this command to return to the default setting.
ip dhcp snooping trust
no ip dhcp snooping trust
Parameters
None.
Default
By default, this option is disabled.
Command Mode
Interface Configuration Mode.
Command Default Level
Level: 12.
Usage Guideline
This command is available for physical port and port-channel interface configuration.
Ports connected to the DHCP server or to other switches should be configured as trusted interfaces. The
ports connected to DHCP clients should be configured as untrusted interfaces. DHCP snooping acts as a
firewall between untrusted interfaces and DHCP servers.
When a port is configured as a untrusted interface, the DHCP message arrives at the port on a VLAN that
is enabled for DHCP snooping. The switch forwards the DHCP packet unless any of the following
conditions occur (in which case the packet is dropped):
•
The switch port receives a packet (such as a DHCPOFFER, DHCPACK, DHCPNAK, or
DHCPLEASEQUERY packet) from a DHCP server outside the firewall.
•
If ip dhcp snooping verify mac-address is enabled, the source MAC in the Ethernet header
must be the same as the DHCP client hardware address to pass the validation.
•
The untrusted interface receives a DHCP packet that includes a relay agent IP address that is not
0.0.0.0 or the relay agent forward a packet that includes Option 82 to an untrusted interface.
•
The router receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with
an entry in the DHCP snooping binding table, and the interface information in the binding table
does not match the interface on which the message was received.
In addition to doing the validation, DHCP snooping also create a binding entry based on the IP address
assigned to client by the server in DHCP snooping binding database. The binding entry contains
information including MAC address, IP address, the VLAN ID and port ID where the client is located, and
the expiry of the lease time.
Example
This example shows how to enable DHCP snooping trust for port 3/0/3.
Switch# configure terminal
Switch(config)# interface eth3/0/3
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)#
365
Advertisement
Table of Contents
