Dell POWEREDGE M1000E User Manual

Page 794


Snooping and Inspecting Traffic

DHCP Snooping and VLANs

DHCP snooping forwards valid DHCP client messages received on non-routing VLANs. The message is forwarded on all trusted interfaces in the VLAN.

DHCP snooping can be configured on switching VLANs and routing VLANs. When a DHCP packet is received on a routing VLAN, the DHCP snooping application applies its filtering rules and updates the bindings database. If a client message passes the filtering rules, the message is placed into the software forwarding path, where it may be processed by the DHCP relay agent or the local DHCP server, or forwarded as an IP packet.

DHCP Snooping Logging and Rate Limits

The DHCP snooping application processes incoming DHCP messages. For DHCPRELEASE and DHCPDECLINE messages, the application compares the receive interface and VLAN with the client interface and VLAN in the bindings database. If the interfaces do not match, the application logs the event and drops the message. For valid client messages, DHCP snooping compares the source MAC address to the DHCP client hardware address. When there is a mismatch, DHCP snooping drops the packet and generates a log message if logging of invalid packets is enabled.

If DHCP relay coexists with DHCP snooping, DHCP client messages are sent to DHCP relay for further processing.

To prevent DHCP packets from being used for a DoS attack when DHCP snooping is enabled, the snooping application enforces a rate limit for DHCP packets received on interfaces. DHCP snooping monitors the receive rate on each interface separately. If the receive rate exceeds a configurable limit, DHCP snooping brings down the interface. Administrative intervention is necessary to re-enable the port, either by using the no shutdown command in Interface Config mode or on the Switching Ports Port Configuration page.
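The following Python model is an added example, not code from the Dell manual or the switch firmware. It implements the decision logic the two sections above describe: a bindings database, the RELEASE/DECLINE interface-and-VLAN check, the source MAC versus client hardware address check with optional logging of invalid packets, and a per-interface receive-rate limit that shuts the port down until an administrator re-enables it. The interface names, MAC addresses, the binding entries and the rate limit of 15 packets per second are constructed sample values; the choice to skip filtering and rate limiting on trusted interfaces is an assumption, not something the page states.

```python
from collections import deque
from dataclasses import dataclass, field

# DHCP message types (option 53 values from RFC 2132)
DHCPDISCOVER, DHCPREQUEST, DHCPDECLINE, DHCPRELEASE = 1, 3, 4, 7


@dataclass
class DhcpPacket:
    msg_type: int
    src_mac: str    # Ethernet source MAC of the received frame
    chaddr: str     # client hardware address field in the DHCP header
    ciaddr: str     # client IP address (populated in RELEASE/DECLINE)
    interface: str  # interface the packet was received on
    vlan: int       # VLAN the packet was received on


@dataclass
class Snooper:
    bindings: dict = field(default_factory=dict)   # ciaddr -> (mac, interface, vlan)
    trusted: set = field(default_factory=set)      # trusted interfaces (toward DHCP servers)
    rate_limit: int = 15                           # packets/second per interface (assumed value)
    log_invalid: bool = True                       # "log invalid packets" setting
    log: list = field(default_factory=list)
    shutdown: set = field(default_factory=set)     # interfaces brought down by the rate limiter
    _recent: dict = field(default_factory=dict)    # interface -> deque of receive timestamps

    def _within_rate(self, pkt, now):
        """Sliding one-second window per interface; exceeding the limit shuts the port."""
        q = self._recent.setdefault(pkt.interface, deque())
        q.append(now)
        while q and now - q[0] >= 1.0:
            q.popleft()
        if len(q) > self.rate_limit:
            self.shutdown.add(pkt.interface)
            self.log.append(f"{pkt.interface}: DHCP rate limit exceeded, interface shut down")
            return False
        return True

    def no_shutdown(self, interface):
        """Administrative re-enable, the equivalent of 'no shutdown' in Interface Config mode."""
        self.shutdown.discard(interface)
        self._recent.pop(interface, None)

    def process(self, pkt, now=0.0):
        """Return 'forward' or 'drop' for one DHCP client message."""
        if pkt.interface in self.shutdown:
            return "drop"
        if pkt.interface in self.trusted:
            return "forward"            # assumption: trusted ports are neither filtered nor rate limited
        if not self._within_rate(pkt, now):
            return "drop"
        if pkt.msg_type in (DHCPRELEASE, DHCPDECLINE):
            b = self.bindings.get(pkt.ciaddr)
            if b is None or (b[1], b[2]) != (pkt.interface, pkt.vlan):
                self.log.append(f"{pkt.interface}/vlan{pkt.vlan}: RELEASE/DECLINE for {pkt.ciaddr} "
                                "does not match binding; dropped")
                return "drop"
            return "forward"
        if pkt.src_mac != pkt.chaddr:
            if self.log_invalid:
                self.log.append(f"{pkt.interface}: source MAC {pkt.src_mac} != chaddr {pkt.chaddr}; dropped")
            return "drop"
        return "forward"


def make_snooper():
    """Constructed sample state: one binding learned on Gi1/0/1 in VLAN 10, one trusted uplink."""
    s = Snooper(rate_limit=15)
    s.trusted.add("Te1/0/1")
    s.bindings["10.0.10.5"] = ("aa:bb:cc:00:00:05", "Gi1/0/1", 10)
    return s


def demo():
    """Run constructed packets through the snooper; returns (verdicts, shut interfaces, log)."""
    s = make_snooper()
    good_rel = DhcpPacket(DHCPRELEASE, "aa:bb:cc:00:00:05", "aa:bb:cc:00:00:05", "10.0.10.5", "Gi1/0/1", 10)
    bad_rel = DhcpPacket(DHCPRELEASE, "aa:bb:cc:00:00:05", "aa:bb:cc:00:00:05", "10.0.10.5", "Gi1/0/2", 10)
    spoofed = DhcpPacket(DHCPDISCOVER, "aa:bb:cc:00:00:99", "aa:bb:cc:00:00:05", "0.0.0.0", "Gi1/0/2", 10)
    verdicts = [s.process(good_rel), s.process(bad_rel), s.process(spoofed)]
    # 16 DISCOVERs within one second on Gi1/0/3 exceed the assumed limit of 15
    flood = DhcpPacket(DHCPDISCOVER, "aa:bb:cc:00:00:33", "aa:bb:cc:00:00:33", "0.0.0.0", "Gi1/0/3", 10)
    verdicts.append([s.process(flood, now=0.01 * i) for i in range(16)][-1])
    return verdicts, sorted(s.shutdown), s.log


if __name__ == "__main__":
    res, down, log = demo()
    print(res, down, *log, sep="\n")
```

The verdicts come out as forward, drop, drop, drop: the RELEASE from the interface and VLAN recorded in the binding passes, the same RELEASE arriving on a different port is logged and dropped, the DISCOVER whose frame source MAC disagrees with its chaddr is logged and dropped, and the sixteenth packet in the flood trips the limiter and leaves Gi1/0/3 in the shutdown set until `no_shutdown` is called.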
