Microsens MS453490M Management Guide User Manual

Page 662


Chapter 25 | General Security Measures

DHCP Snooping


If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table.

If the DHCP packet is from a client, such as a DISCOVER, REQUEST, INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC address verification is disabled (as specified by the ip dhcp snooping verify mac-address command). However, if MAC address verification is enabled, then the packet will only be forwarded if the client's hardware address stored in the DHCP packet (the chaddr field) is the same as the source MAC address in the Ethernet header.

If the DHCP packet is not a recognizable type, it is dropped.

If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN.

If a DHCP packet from a server is received on a trusted port, it will be forwarded to both trusted and untrusted ports in the same VLAN.

If DHCP snooping is globally disabled, all dynamic bindings are removed from the binding table.

Additional considerations when the switch itself is a DHCP client – The port(s) through which the switch submits a client request to the DHCP server must be configured as trusted (using the ip dhcp snooping trust command). Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server. Also, when the switch sends out DHCP client packets for itself, no filtering takes place. However, when the switch receives any messages from a DHCP server, any packets received on untrusted ports are dropped.
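The following is an added example that models the forwarding rules above in code; it is not Microsens code and does not reflect the switch's implementation. It builds a minimal BOOTP/DHCP message (RFC 2131 layout), extracts the message type (option 53) and the client hardware address (chaddr), and applies the rules per ingress port and VLAN. Two simplifications are assumptions: the binding table is keyed on (chaddr, VLAN) only, and a binding is learned from any ACK arriving on a trusted port; the port names, MAC addresses and the DhcpSnooper/Port/Frame names are constructed for the example.

```python
"""Model of the DHCP snooping forwarding rules (added example, not vendor code)."""
import struct
from dataclasses import dataclass, field

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class Port:
    name: str
    vlan: int
    trusted: bool = False          # set by "ip dhcp snooping trust"


@dataclass
class Frame:
    eth_src: bytes                 # source MAC from the Ethernet header
    ingress: Port
    payload: bytes                 # UDP payload: the BOOTP/DHCP message


def build_dhcp(msg_type: int, chaddr: bytes, xid: int = 0x3903F326) -> bytes:
    """Constructed test input: 236-byte BOOTP header, magic cookie, option 53, END."""
    op = 2 if msg_type in (2, 5, 6) else 1          # BOOTREPLY for server messages
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, len(chaddr), 0, xid,
                      0, 0, b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


def parse_dhcp(payload: bytes):
    """Return (message type name or None, chaddr). None means unrecognizable."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None, b""
    chaddr = payload[28:28 + payload[2]]            # hlen selects the used bytes
    msg, i = None, 240
    while i < len(payload) and payload[i] != 255:   # walk TLV options until END
        if payload[i] == 0:                         # PAD option has no length
            i += 1
            continue
        if i + 1 >= len(payload):
            break
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            msg = MSG_TYPES.get(payload[i + 2])
        i += 2 + length
    return msg, chaddr


@dataclass
class DhcpSnooper:
    ports: list
    enabled: bool = True           # "ip dhcp snooping"
    verify_mac: bool = False       # "ip dhcp snooping verify mac-address"
    bindings: set = field(default_factory=set)   # assumed key: (chaddr, vlan)

    def disable(self):
        self.enabled = False
        self.bindings.clear()      # global disable removes all dynamic bindings

    def filter(self, frame: Frame):
        """Return (action, reason, egress port names) for one DHCP frame."""
        vlan = frame.ingress.vlan
        same_vlan = [p for p in self.ports if p.vlan == vlan and p is not frame.ingress]
        if not self.enabled:       # assumption: with snooping off, ordinary flooding
            return "forward", "snooping disabled", [p.name for p in same_vlan]
        msg, chaddr = parse_dhcp(frame.payload)
        if msg is None:
            return "drop", "unrecognized DHCP packet", []
        if msg in SERVER_MSGS:
            if not frame.ingress.trusted:
                return "drop", "server message on untrusted port", []
            if msg == "ACK":
                self.bindings.add((chaddr, vlan))   # assumed learning point
            return "forward", "server message from trusted port", [p.name for p in same_vlan]
        # Client message: DISCOVER, REQUEST, INFORM, DECLINE or RELEASE.
        if self.verify_mac and chaddr != frame.eth_src:
            return "drop", "chaddr does not match Ethernet source MAC", []
        if msg in ("DECLINE", "RELEASE") and (chaddr, vlan) not in self.bindings:
            return "drop", "no binding table entry for DECLINE/RELEASE", []
        return "forward", "client message", [p.name for p in same_vlan if p.trusted]


def demo():
    """Walk one lease through the rules; returns the list of decisions."""
    p1, p2, p3 = Port("1/1", 10), Port("1/2", 10, trusted=True), Port("1/3", 10)
    snoop = DhcpSnooper(ports=[p1, p2, p3])
    mac = bytes.fromhex("001122334455")             # constructed client MAC
    srv = bytes.fromhex("00aabbccddee")             # constructed server MAC
    steps = [
        Frame(mac, p1, build_dhcp(1, mac)),         # DISCOVER -> trusted ports only
        Frame(srv, p3, build_dhcp(2, mac)),         # OFFER on untrusted port -> drop
        Frame(srv, p2, build_dhcp(5, mac)),         # ACK on trusted port -> flood, learn
        Frame(mac, p1, build_dhcp(7, mac)),         # RELEASE with binding -> forward
        Frame(srv, p1, build_dhcp(7, srv)),         # RELEASE without binding -> drop
    ]
    results = [snoop.filter(f) for f in steps]
    snoop.verify_mac = True
    results.append(snoop.filter(Frame(srv, p1, build_dhcp(3, mac))))  # chaddr/src mismatch
    results.append(snoop.filter(Frame(mac, p1, b"not dhcp")))          # unrecognizable
    return results


if __name__ == "__main__":
    for action, reason, egress in demo():
        print(f"{action:8s} {reason:45s} -> {egress}")
```

The sequence in demo() mirrors the rules in order: the DISCOVER leaves only on the trusted uplink, the OFFER injected on an untrusted port is dropped, the ACK from the trusted port floods the VLAN and creates the binding that later allows the RELEASE, and a RELEASE for an unknown host is dropped even though it is otherwise well formed.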

Example

This example enables DHCP snooping globally for the switch.

Console(config)#ip dhcp snooping

Console(config)#

Related Commands

ip dhcp snooping vlan (665)

ip dhcp snooping trust (666)
