Ubiquiti EdgeSwitch ES-24-250W Administration Manual page 140

User interface for poe switches

EdgeSwitch
Administration Guide
Ubiquiti Networks, Inc.

DHCP Snooping Interface Configuration

Use the buttons to perform the following tasks:
• To edit DHCP snooping on one or more interfaces, select each interface entry, click Edit, change the settings as needed, and click Submit to apply the changes.
• Click Refresh to refresh the page with the most current data from the switch.
To retain the changes across the switch's next power cycle, click System > Configuration Storage > Save.

DHCP Snooping Interface Configuration Fields

Field: Description

Interface: The interface associated with the rest of the data in the row. When configuring the settings for one or more interfaces, this field identifies each interface that is being configured.

Trust State: The trust state configured on the interface. The trust state is one of the following:
  Disabled: The interface is considered to be untrusted and could potentially be used to launch a network attack. DHCP server messages are checked against the bindings database. On untrusted ports, DHCP snooping enforces the following security rules:
    • DHCP packets from a DHCP server (DHCPOFFER, DHCPACK, DHCPNAK, DHCPRELEASEQUERY) are dropped.
    • DHCPRELEASE and DHCPDECLINE messages are dropped if the MAC address is in the snooping database but the binding's interface is other than the interface where the message was received.
    • DHCP packets are dropped when the source MAC address does not match the client hardware address if MAC Address Validation is globally enabled.
  Enabled: The interface is considered trusted and forwards DHCP server messages without validation.

Log Invalid Packets: The administrative mode of invalid packet logging on the interface. If enabled, the DHCP snooping feature generates a log message when an invalid packet is received and dropped by the interface.

Rate Limit (pps): The rate limit value for DHCP packets received on the interface. To prevent DHCP packets from being used as a DoS attack when DHCP snooping is enabled, the snooping application enforces a rate limit for DHCP packets received on untrusted interfaces. If the incoming rate of DHCP packets exceeds the value of this object during the amount of time specified for the burst interval, the port will be shut down. You must administratively enable the port to allow it to resume traffic forwarding.

Burst Interval (Seconds): The burst interval value for rate limiting on this interface. If the rate limit is unspecified, then burst interval has no meaning.
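
The trust state, untrusted-port rules and rate limit described in the fields table, modelled in Python. This is an added example, not part of the manual and not Ubiquiti's code. The interface names, MAC addresses, function names and the reading of "rate limit times burst interval" as the packet budget are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Server message types the table lists as dropped on untrusted ports.
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPRELEASEQUERY"}

@dataclass
class Port:
    name: str
    trusted: bool = False              # Trust State
    rate_limit: Optional[int] = None   # Rate Limit (pps); None = unspecified
    burst_interval: int = 1            # Burst Interval (Seconds)
    shut_down: bool = False            # stays set until re-enabled by an admin
    seen: list = field(default_factory=list)  # arrival times in the window

def snoop(port, msg_type, src_mac, chaddr, now, bindings, mac_validation=True):
    """Return (forwarded, reason) for one DHCP packet received on `port`.
    `bindings` maps client MAC -> interface name (the snooping database)."""
    if port.shut_down:
        return False, "port shut down"
    if port.trusted:
        return True, "trusted port, no validation"
    if port.rate_limit is not None:
        # Assumption: > rate_limit * burst_interval packets in one interval = exceeded.
        port.seen = [t for t in port.seen if now - t < port.burst_interval] + [now]
        if len(port.seen) > port.rate_limit * port.burst_interval:
            port.shut_down = True
            return False, "rate limit exceeded, port shut down"
    if msg_type in SERVER_MSGS:
        return False, "server message on untrusted port"
    if (msg_type in ("DHCPRELEASE", "DHCPDECLINE")
            and bindings.get(chaddr, port.name) != port.name):
        return False, "binding belongs to another interface"
    if mac_validation and src_mac != chaddr:
        return False, "source MAC does not match client hardware address"
    return True, "passed untrusted-port checks"

def demo():
    """Constructed packets through a trusted uplink and an untrusted port."""
    a, b = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"   # constructed MACs
    bindings = {a: "0/1"}                             # constructed binding
    uplink, p2 = Port("0/24", trusted=True), Port("0/2", rate_limit=2)
    return [
        snoop(uplink, "DHCPOFFER", b, a, 0.0, bindings),
        snoop(p2, "DHCPOFFER", b, b, 0.0, bindings),
        snoop(p2, "DHCPRELEASE", a, a, 2.0, bindings),
        snoop(p2, "DHCPDISCOVER", b, a, 4.0, bindings),
        snoop(p2, "DHCPDISCOVER", b, b, 6.0, bindings),
    ]
```

The same DHCPOFFER is forwarded on the trusted uplink and dropped on the untrusted port, which is why only ports facing a legitimate DHCP server or relay should have Trust State enabled.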
Configuring Switching Information