Table of Contents
Advertisement
| Security Measures
C
13
HAPTER
DHCP Snooping
The rate limit for the number of DHCP messages that can be processed
◆
by the switch is 100 packets per second. Any DHCP packets in excess of
this limit are dropped.
When DHCP snooping is enabled, DHCP messages entering an
◆
untrusted interface are filtered based upon dynamic entries learned via
DHCP snooping.
Filtering rules are implemented as follows:
◆
If the global DHCP snooping is disabled, all DHCP packets are
■
forwarded.
If DHCP snooping is enabled globally, and also enabled on the VLAN
■
where the DHCP packet is received, all DHCP packets are forwarded
for a trusted port. If the received packet is a DHCP ACK message, a
dynamic DHCP snooping entry is also added to the binding table.
If DHCP snooping is enabled globally, and also enabled on the VLAN
■
where the DHCP packet is received, but the port is not trusted, it is
processed as follows:
If the DHCP packet is a reply packet from a DHCP server
■
(including OFFER, ACK or NAK messages), the packet is
dropped.
If the DHCP packet is from a client, such as a DECLINE or
■
RELEASE message, the switch forwards the packet only if the
corresponding entry is found in the binding table.
If the DHCP packet is from a client, such as a DISCOVER,
■
REQUEST, INFORM, DECLINE or RELEASE message, the packet
is forwarded if MAC address verification is disabled. However, if
MAC address verification is enabled, then the packet will only be
forwarded if the client's hardware address stored in the DHCP
packet is the same as the source MAC address in the Ethernet
header.
If the DHCP packet is not a recognizable type, it is dropped.
■
If a DHCP packet from a client passes the filtering criteria above, it
■
will only be forwarded to trusted ports in the same VLAN.
If a DHCP packet is from server is received on a trusted port, it will
■
be forwarded to both trusted and untrusted ports in the same VLAN.
If the DHCP snooping is globally disabled, all dynamic bindings are
■
removed from the binding table.
Additional considerations when the switch itself is a DHCP client –
■
The port(s) through which the switch submits a client request to the
DHCP server must be configured as trusted. Note that the switch
will not add a dynamic entry for itself to the binding table when it
receives an ACK message from a DHCP server. Also, when the
switch sends out DHCP client packets for itself, no filtering takes
place. However, when the switch receives any messages from a
– 360 –
- Quick Links:
- Connecting to the Switch
Hide quick links:
Advertisement
Table of Contents
