ACLs are supported on member ports of a VLAN on which DHCP snooping and Dynamic ARP Inspection (DAI) are enabled.
See also “Client IP-to-MAC address mappings” on page 285.
DHCP snooping supports DHCP relay agent information (DHCP Option 82). For details, refer to “DHCP relay agent information” on page 288.
Configuring DHCP snooping
Configuring DHCP snooping consists of the following steps.
DHCP snooping is not supported together with DHCP Auto-configuration.
DHCP snooping is not supported on trunk ports that are configured as untrusted ports.
DHCP snooping is supported on trunk ports (tagged and untagged) that are configured as trusted ports.
A switch can have up to 256 ARP entries, so DHCP snooping entries on a switch are limited to 256. A router can have 64,000 ARP entries, so a router can have up to 64,000 DHCP snooping entries, of which only 1024 can be saved to flash across a reboot.
Client IP-to-MAC address mappings
Client IP addresses need not be on directly-connected networks, as long as the client MAC address is learned on the client port and the client port is in the same VLAN as the DHCP server port. In this case, the system will learn the client IP-to-MAC port mapping. Therefore, a VLAN with DHCP snooping enabled does not require a VE interface.
In earlier releases of the Layer 3 software image, DHCP snooping did not learn the secure IP-to-MAC address mapping for a client if the client port was not a virtual ethernet (VE) interface with an IP subnet address. In other words, the client IP address had to fall within one of the subnets of the client port for DHCP snooping to learn the address mapping.
System reboot and the binding database
To allow DAI and DHCP snooping to work smoothly across a system reboot, the binding database is saved to a file in the system flash memory after each update to the binding database, with a 30-second delay. The flash file is written and read only if DHCP snooping is enabled.
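The following Python model, added here as an illustration and not Brocade code, ties together the behaviour described above and in the limitations list: client DHCP messages are learned on untrusted ports, server replies are accepted only on trusted ports (a rogue OFFER on an access port is dropped), a completed lease becomes an IP-to-MAC-port binding only if the client and server ports are in the same snooped VLAN, the table is capped at the switch limit, the table is written to "flash" only while snooping is enabled, and DAI validates ARP on untrusted ports against the bindings. Port names, MAC addresses, IP addresses and the limit of 2 used in the demo are constructed; the 30-second write delay is omitted.

```python
"""Added model of DHCP snooping binding learning and the DAI check that
consumes the binding database. Illustration only, not switch code."""
import json
from dataclasses import dataclass

SWITCH_BINDING_LIMIT = 256          # ARP/DHCP entry limit quoted in the guide
SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST"}


@dataclass(frozen=True)
class DhcpMsg:
    kind: str            # one of SERVER_MSGS or CLIENT_MSGS
    port: str            # ingress port, e.g. "1/1/3" (constructed)
    vlan: int
    client_mac: str      # chaddr
    client_ip: str = ""  # yiaddr carried by OFFER/ACK


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    port: str
    vlan: int


class DhcpSnooping:
    def __init__(self, snooped_vlans, limit=SWITCH_BINDING_LIMIT):
        self.vlans = set(snooped_vlans)
        self.limit = limit
        self.ports = {}      # port -> {"trusted": bool, "trunk": bool}
        self.pending = {}    # (vlan, mac) -> client port awaiting ACK
        self.bindings = {}   # (vlan, mac) -> Binding
        self.flash = None    # last copy written to "flash" (JSON text)

    def add_port(self, port, trusted=False, trunk=False):
        """Trunk ports may only be trusted, per the guide's limitations."""
        if trunk and not trusted:
            raise ValueError(f"{port}: untrusted trunk ports are not supported")
        self.ports[port] = {"trusted": trusted, "trunk": trunk}

    def is_trusted(self, port):
        return self.ports.get(port, {}).get("trusted", False)

    def process(self, m):
        """Return the switch's verdict ("forward" or "drop") for one message."""
        if m.vlan not in self.vlans:
            return "forward"                  # VLAN not snooped
        if m.kind in CLIENT_MSGS:
            self.pending[(m.vlan, m.client_mac)] = m.port
            return "forward"
        if m.kind in SERVER_MSGS:
            if not self.is_trusted(m.port):
                return "drop"                 # rogue server on untrusted port
            return self._bind(m) if m.kind == "ACK" else "forward"
        return "drop"

    def _bind(self, m):
        # The client port must be in the same VLAN as the server port; the
        # (vlan, mac) key enforces that without needing a VE interface.
        key = (m.vlan, m.client_mac)
        client_port = self.pending.pop(key, None)
        if client_port is None:
            return "forward"                  # no matching client on this VLAN
        if key not in self.bindings and len(self.bindings) >= self.limit:
            return "forward"                  # lease stands, table full: no binding
        self.bindings[key] = Binding(m.client_mac, m.client_ip, client_port, m.vlan)
        self.save_to_flash()
        return "forward"

    def arp_inspect(self, port, vlan, sender_mac, sender_ip):
        """DAI: trusted ports bypass; untrusted ports need a matching binding."""
        if self.is_trusted(port):
            return True
        b = self.bindings.get((vlan, sender_mac))
        return b is not None and b.ip == sender_ip

    def save_to_flash(self):
        """Write the table only while snooping is enabled (some VLAN snooped)."""
        if not self.vlans:
            return None
        self.flash = json.dumps([vars(b) for b in self.bindings.values()])
        return self.flash

    def load_from_flash(self):
        """Restore bindings after a 'reboot'; returns the number restored."""
        if not self.vlans or self.flash is None:
            return 0
        rows = json.loads(self.flash)
        self.bindings = {(r["vlan"], r["mac"]): Binding(**r) for r in rows}
        return len(self.bindings)


def demo():
    """Constructed scenario: one trusted trunk uplink, two untrusted access ports."""
    sw = DhcpSnooping(snooped_vlans={10}, limit=2)
    sw.add_port("1/1/24", trusted=True, trunk=True)   # uplink towards DHCP server
    sw.add_port("1/1/3")
    sw.add_port("1/1/4")
    c1, c2, c3 = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
    out = {}
    out["discover"] = sw.process(DhcpMsg("DISCOVER", "1/1/3", 10, c1))
    out["rogue_offer"] = sw.process(DhcpMsg("OFFER", "1/1/4", 10, c1, "10.0.10.250"))
    out["ack"] = sw.process(DhcpMsg("ACK", "1/1/24", 10, c1, "10.0.10.20"))
    out["arp_ok"] = sw.arp_inspect("1/1/3", 10, c1, "10.0.10.20")
    out["arp_spoof"] = sw.arp_inspect("1/1/3", 10, c1, "10.0.10.1")
    out["arp_unknown"] = sw.arp_inspect("1/1/4", 10, c2, "10.0.10.21")
    for mac, port, ip in ((c2, "1/1/4", "10.0.10.21"), (c3, "1/1/4", "10.0.10.22")):
        sw.process(DhcpMsg("DISCOVER", port, 10, mac))
        sw.process(DhcpMsg("ACK", "1/1/24", 10, mac, ip))
    out["bindings"] = len(sw.bindings)      # third lease exceeds the limit of 2
    out["restored"] = sw.load_from_flash()  # bindings survive the "reboot"
    return out


if __name__ == "__main__":
    print(demo())
```

The `arp_inspect` check compares only the IP/MAC pair against the binding for the VLAN; the binding also records the client port, which is what the guide means by an IP-to-MAC port mapping.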
Configuration notes and feature limitations for DHCP snooping
The following limits and restrictions apply to DHCP snooping:
To run DHCP snooping, you must first enable support for ACL filtering based on VLAN membership or VE port membership. To do so, enter the following commands at the Global CONFIG Level of the CLI.
Brocade(config)# enable ACL-per-port-per-vlan
Brocade(config)# write memory
Brocade(config)# exit
Brocade# reload
NOTE
You must save the configuration and reload the software to place the change into effect.
Brocade ICX 6650 Security Configuration Guide
53-1002601-01