4.3 DHCP Snooping
With DHCP snooping, the system obtains a client's MAC-IP address information (in the reply
messages from a DHCP server) and stores it in the DHCP snooping table. Frames with known
source IP addresses are allowed to go through the subscriber ports. Frames from unknown IP
addresses are dropped. This feature prevents subscribers from assigning their own static IP
addresses that may conflict with a DHCP-assigned IP address.
You can also specify static IP addresses on a subscriber port for a subscriber that has been given
a static IP address. This is useful when service providers assign static WAN IP addresses to some
subscribers. This static binding allows the switch to forward frames with the specified IP addresses.
In the following network example, the DHCP snooping table on the switch contains two source IP
addresses: 192.168.1.100 (DHCP-assigned) and 192.168.1.200 (static). Traffic from computers A
and B is allowed to go through the DSL ports, while traffic from computer C is blocked because its
IP address is unknown to the switch (not in the DHCP snooping table).
Figure 29 DHCP Snooping Network Example
A: 192.168.1.100
B: 192.168.1.200
C: 192.168.1.10
4.3.1 Anti-IP Address Spoofing
While performing DHCP snooping, a line card records which IP address is assigned to each DHCP
client MAC address and which VLAN the client uses. The line card drops packets from a device using
an IP address that is assigned to a different MAC address.
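The forwarding decisions described in sections 4.3 and 4.3.1 can be modelled as follows. This is an added example, not code from the guide or the device firmware. It uses the three addresses from Figure 29; the port names, VLAN ID, MAC addresses and the fourth (spoofing) host are constructed, and matching a static binding on port and IP only is an assumption.

```python
from dataclasses import dataclass, field

# Constructed sample values: port names, VLAN ID and MACs are not from the guide.
MAC_A, MAC_B, MAC_C, MAC_D = (f"00:00:5e:00:53:0{i}" for i in range(1, 5))

@dataclass(frozen=True)
class Frame:
    port: str
    src_mac: str
    src_ip: str

@dataclass
class SnoopingTable:
    dynamic: dict = field(default_factory=dict)  # ip -> (client MAC, VLAN)
    static: set = field(default_factory=set)     # (subscriber port, ip)

    def learn_from_dhcp_reply(self, client_mac, assigned_ip, vlan):
        # Binding taken from a DHCP server reply; the VLAN is recorded
        # as the guide describes but is not enforced in this model.
        self.dynamic[assigned_ip] = (client_mac.lower(), vlan)

    def add_static(self, port, ip):
        # Operator-configured static IP on one subscriber port.
        self.static.add((port, ip))

    def check(self, frame):
        if (frame.port, frame.src_ip) in self.static:
            return ("forward", "static binding")
        entry = self.dynamic.get(frame.src_ip)
        if entry is None:
            return ("drop", "unknown source IP")
        if entry[0] != frame.src_mac.lower():
            return ("drop", "IP assigned to a different MAC")
        return ("forward", "DHCP binding")

def run_example():
    table = SnoopingTable()
    table.learn_from_dhcp_reply(MAC_A, "192.168.1.100", vlan=10)  # computer A
    table.add_static("dsl2", "192.168.1.200")                     # computer B
    frames = [
        Frame("dsl1", MAC_A, "192.168.1.100"),  # A: DHCP-assigned
        Frame("dsl2", MAC_B, "192.168.1.200"),  # B: static binding
        Frame("dsl3", MAC_C, "192.168.1.10"),   # C: self-assigned, not in table
        Frame("dsl4", MAC_D, "192.168.1.100"),  # constructed: spoofs A's IP
    ]
    return [table.check(f) for f in frames]

if __name__ == "__main__":
    for verdict in run_example():
        print(verdict)
```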
4.4 DHCP Snooping Configuration
Click ACL > DHCP Snoop to display the screen shown next.
Management Switch Card User's Guide
Chapter 4 Access Control List Screens