4.10 DHCP Snooping
4.10.1 DHCP Snooping Overview
The addresses assigned to DHCP clients on unsecured ports can be carefully controlled using the dynamic bindings registered
with DHCP snooping. DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices that inject
forged DHCP messages, and it records port-related information for each address a DHCP server assigns. This information can
be useful in tracking an IP address back to a physical port.
Command Usage
• Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is
used to filter DHCP messages received on a non-secure interface from outside the network or firewall. When DHCP
snooping is enabled globally and enabled on a VLAN interface, DHCP messages received on an untrusted interface from
a device not listed in the DHCP snooping table will be dropped.
• Table entries are only learned from DHCP server replies received on trusted interfaces. An entry is added to or removed
from the DHCP snooping table dynamically when a client receives or releases an IP address from a DHCP server. Each entry
includes a MAC address, IP address, lease time, VLAN identifier, and port identifier.
• When DHCP snooping is enabled, DHCP messages entering an untrusted interface are filtered based upon the dynamic entries
learned via DHCP snooping.
• Filtering rules are implemented as follows:
- If global DHCP snooping is disabled, all DHCP packets are forwarded.
(Figure: Illegal DHCP Server)
User's Manual of WGSW-28040 / 28040P / 28040P4
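The following is an added example, not firmware or CLI from PLANET or the WGSW-28040 manual: a small Python model of the binding table and the filtering rules described above, so the trusted/untrusted behaviour can be traced on a constructed exchange. The five binding fields and the "snooping disabled means forward everything" rule come from the text; the remaining checks (server-only message types are dropped on untrusted ports, the DHCP chaddr must match the Ethernet source, and RELEASE/DECLINE must match an existing entry on the same port) are assumptions of the model, and the port names, MAC addresses and 192.0.2.0/24 addresses are made up.

```python
"""Toy model of a DHCP-snooping binding table and its filtering rules.
Added example, not PLANET's firmware; messages are constructed objects,
not real BOOTP/DHCP packets.  Rules beyond those the manual states are
labelled as assumptions below."""
from dataclasses import dataclass

# DHCP message types, option 53 values from RFC 2132
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MSGS = {OFFER, ACK, NAK}          # only a DHCP server sends these


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping table entry: the five fields the manual lists."""
    mac: str
    ip: str
    lease: int
    vlan: int
    port: str


@dataclass
class DhcpMsg:
    msg_type: int
    src_mac: str                 # Ethernet source address of the frame
    chaddr: str                  # client hardware address in the DHCP header
    yiaddr: str = "0.0.0.0"      # address assigned by the server (OFFER/ACK)
    ciaddr: str = "0.0.0.0"      # address the client claims (RELEASE/DECLINE)
    lease: int = 0               # lease time carried in an ACK


class DhcpSnooping:
    def __init__(self, trusted_ports, snooping_vlans, global_enabled=True):
        self.trusted = set(trusted_ports)
        self.vlans = set(snooping_vlans)
        self.enabled = global_enabled
        self.bindings = {}       # (client mac, vlan) -> Binding
        self.pending = {}        # (client mac, vlan) -> untrusted port of the requester

    def lookup(self, mac, vlan):
        return self.bindings.get((mac, vlan))

    def process(self, msg, port, vlan):
        """Return 'forward' or 'drop' for a DHCP message seen on (port, vlan),
        updating the binding table as a side effect."""
        if not self.enabled or vlan not in self.vlans:
            return "forward"     # snooping off globally or on this VLAN: no filtering

        if port in self.trusted:
            # Entries are only learned from trusted interfaces: an ACK from the
            # real server creates the binding, a NAK removes it.
            key = (msg.chaddr, vlan)
            if msg.msg_type == ACK and key in self.pending:
                self.bindings[key] = Binding(msg.chaddr, msg.yiaddr, msg.lease,
                                             vlan, self.pending.pop(key))
            elif msg.msg_type == NAK:
                self.pending.pop(key, None)
                self.bindings.pop(key, None)
            return "forward"

        # Untrusted interface: apply the filtering rules.
        if msg.msg_type in SERVER_MSGS:
            return "drop"        # assumption: server replies from an untrusted port are a rogue server
        if msg.src_mac != msg.chaddr:
            return "drop"        # assumption: client hardware address must match the frame source
        key = (msg.chaddr, vlan)
        if msg.msg_type in (DISCOVER, REQUEST):
            self.pending[key] = port     # remember which port the client is on
            return "forward"
        # RELEASE / DECLINE (assumption): only honoured for a device listed in the
        # table on the same port, so an attacker cannot release someone else's lease.
        b = self.bindings.get(key)
        if b is None or b.ip != msg.ciaddr or b.port != port:
            return "drop"
        del self.bindings[key]
        return "forward"


def demo():
    """Constructed exchange: legitimate server on trusted port 1/1, client on
    untrusted 1/5, attacker on untrusted 1/7, all in VLAN 10.  Returns the
    verdicts in order, the binding learned after the ACK, and the lookup
    result after the client's own RELEASE."""
    client, attacker, server = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "00:00:5e:00:53:01"
    sn = DhcpSnooping(trusted_ports={"1/1"}, snooping_vlans={10})
    v = []
    v.append(sn.process(DhcpMsg(DISCOVER, client, client), "1/5", 10))
    v.append(sn.process(DhcpMsg(OFFER, attacker, client, yiaddr="192.0.2.66"), "1/7", 10))   # rogue server
    v.append(sn.process(DhcpMsg(OFFER, server, client, yiaddr="192.0.2.50"), "1/1", 10))
    v.append(sn.process(DhcpMsg(REQUEST, client, client), "1/5", 10))
    v.append(sn.process(DhcpMsg(ACK, server, client, yiaddr="192.0.2.50", lease=3600), "1/1", 10))
    learned = sn.lookup(client, 10)
    v.append(sn.process(DhcpMsg(RELEASE, attacker, client, ciaddr="192.0.2.50"), "1/7", 10))   # spoofed chaddr
    v.append(sn.process(DhcpMsg(RELEASE, attacker, attacker, ciaddr="192.0.2.50"), "1/7", 10)) # not in table
    v.append(sn.process(DhcpMsg(RELEASE, client, client, ciaddr="192.0.2.50"), "1/5", 10))     # legitimate
    off = DhcpSnooping(trusted_ports={"1/1"}, snooping_vlans={10}, global_enabled=False)
    v.append(off.process(DhcpMsg(OFFER, attacker, client, yiaddr="192.0.2.66"), "1/7", 10))  # snooping disabled
    return v, learned, sn.lookup(client, 10)


if __name__ == "__main__":
    verdicts, binding, after_release = demo()
    for i, verdict in enumerate(verdicts, 1):
        print(f"message {i}: {verdict}")
    print("binding after ACK:", binding)
    print("binding after RELEASE:", after_release)
```

The last message in the demo shows the first filtering rule from the manual: with global snooping disabled the rogue OFFER that was dropped earlier is forwarded untouched, which is why the feature must be enabled both globally and on the VLAN before the binding table offers any protection.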