DHCP snooping
Trusted and non-trusted ports
The concept of trusted and
zTrusted ports connect to a trusted entity in the network, and are under the complete control of the network manager.
z
z
In general, trusted ports connect to the network core, and
DHCP snooping will make forwarding decisions based on the trust status of ports:
zBOOTP packets that contain Option 82 information received on untrusted ports will be dropped
zIf Option 82 is enabled, the switch will insert Option 82 information into BOOTP REQUEST packets received from an untrusted port.
zBOOTP REQUEST packets that contain Option 82 information received on trusted ports will not have the Option 82 information updated with information for the receive port. It will be kept.
zBOOTP REPLY packets (from servers) should come from a trusted source.
zThe switch will remove Option 82 information from BOOTP REPLY packets destined to an untrusted port.
zBOOTP REPLY packets received on
Enabling DHCP snooping
DHCP snooping is enabled globally by the command enable dhcpsnooping. All ports are untrusted by default. For DHCP snooping to do anything useful, at least one port must be trusted.
Static binding
If there is a device with a statically set IP attached to a port in the DHCP snooping port range, then, with filtering enabled it is necessary to statically bind it to the port. This will ensure the device's IP connectivity to the rest of the network.
If a device with the IP 172.16.1.202 and MAC address
add dhcpsnooping
Adding a static binding uses a lease on the port. If the maximum leases on the port is 1 (the default), the static binding means that no device on the port can acquire an address by DHCP.
Page 6 AlliedWare™ OS How To Note: DHCP Snooping on
