10 dhcp snooping, 1 dhcp snooping overview – PLANET WGSW-28040P User Manual

User’s Manual of WGSW-28040 / 28040P / 28040P4

178

4.10 DHCP Snooping

4.10.1 DHCP Snooping Overview

The addresses assigned to DHCP clients on unsecure ports can be carefully controlled using the dynamic bindings registered

with DHCP Snooping. DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which

send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port.

Command Usage

• Network traffic may be disrupted when malicious DHCP messages are received from an outside source.

DHCP snooping is

used to filter DHCP messages received on a non-secure interface from outside the network or firewall.

When DHCP

snooping is enabled globally and enabled on a VLAN interface,

DHCP messages received on an untrusted interface from

a device not listed in the DHCP snooping table will be dropped.

• Table entries are only learned for trusted interfaces. An entry is added or removed dynamically to the DHCP snooping table

when a client receives or releases an IP address from a DHCP server. Each entry includes a MAC address, IP address, lease

time, VLAN identifier, and port identifier.

• When DHCP snooping is enabled, DHCP messages entering an untrusted interface are filtered based upon dynamic entries

learned via DHCP snooping.

• Filtering rules are implemented as follows:



If the global DHCP snooping is disabled, all DHCP packets are forwarded.

Illegal DHCP Server