DHCP snooping

Trusted and non-trusted ports

The concept of trusted and non-trusted ports is fundamental to the operation of DHCP snooping:

zTrusted ports connect to a trusted entity in the network, and are under the complete control of the network manager.

zNon-trusted ports connect an untrusted entity to the trusted network.

zNon-trusted ports can connect to non-trusted ports.

In general, trusted ports connect to the network core, and non-trusted ports connect to subscribers.

DHCP snooping will make forwarding decisions based on the trust status of ports:

zBOOTP packets that contain Option 82 information received on untrusted ports will be dropped

zIf Option 82 is enabled, the switch will insert Option 82 information into BOOTP REQUEST packets received from an untrusted port.

zBOOTP REQUEST packets that contain Option 82 information received on trusted ports will not have the Option 82 information updated with information for the receive port. It will be kept.

zBOOTP REPLY packets (from servers) should come from a trusted source.

zThe switch will remove Option 82 information from BOOTP REPLY packets destined to an untrusted port.

zBOOTP REPLY packets received on non-trusted ports will be dropped.

Enabling DHCP snooping

DHCP snooping is enabled globally by the command enable dhcpsnooping. All ports are untrusted by default. For DHCP snooping to do anything useful, at least one port must be trusted.

Static binding

If there is a device with a statically set IP attached to a port in the DHCP snooping port range, then, with filtering enabled it is necessary to statically bind it to the port. This will ensure the device's IP connectivity to the rest of the network.

If a device with the IP 172.16.1.202 and MAC address 00-00-00-00-00-cais attached to VLAN 1 on port 2 then a static binding is configured by adding the following command to the basic DHCP configuration (see "Minimum configuration" on page 3):

add dhcpsnooping binding=00-00-00-00-00-CA interface=vlan1 ip=172.16.1.202 port=2

Adding a static binding uses a lease on the port. If the maximum leases on the port is 1 (the default), the static binding means that no device on the port can acquire an address by DHCP.

Page 6 AlliedWare™ OS How To Note: DHCP Snooping on Rapier-style switches

Page 6
Image 6
Allied Telesis Rapier i Series, AT-8600 Series manual Trusted and non-trusted ports, Enabling Dhcp snooping, Static binding