Enterasys Networks 9034313-07 manual Rate Limiting, Basic Configuration, Configuration Notes


DHCP Snooping Overview

switch is rebooting, when the switch receives a DHCP DISCOVERY or REQUEST message, the client's binding will go to a tentative binding state.

Rate Limiting

To protect the switch against DHCP attacks when DHCP snooping is enabled, the snooping application enforces a rate limit for DHCP packets received on untrusted interfaces. DHCP snooping monitors the receive rate on each interface separately. If the receive rate exceeds a configurable limit, DHCP snooping brings down the interface. Use the set port enable command to re-enable the interface. Both the rate and the burst interval can be configured.

Basic Configuration

The following configuration procedure does not change the write delay to the snooping database or any of the default rate limiting values. Additional configuration notes follow this procedure.

Procedure 17-1 Basic Configuration for DHCP Snooping

Step  Task                                                    Command(s)

1.    Enable DHCP snooping globally on the switch.            set dhcpsnooping enable

2.    Determine where DHCP clients will be connected and      set dhcpsnooping vlan vlan-list enable
      enable DHCP snooping on their VLANs.

3.    Determine which ports will be connected to the DHCP     set dhcpsnooping trust port port-string enable
      server and configure them as trusted ports.

4.    If desired, enable logging of invalid DHCP messages     set dhcpsnooping log-invalid port port-string enable
      on specific ports.

5.    If desired, add static bindings to the database.        set dhcpsnooping binding mac-address vlan vlan-id ipaddr port port-string
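As an added worked example (not taken from the Enterasys guide), Procedure 17-1 applied to a switch-mode deployment: the DHCP server is attached to port ge.1.1, clients are in VLAN 10 on ports ge.1.2 through ge.1.24, and a printer with a fixed address sits on ge.1.5. The port names, VLAN number, MAC address and IP address are assumed sample values; lines beginning with "!" are annotations, not commands.

```console
! Step 1: enable DHCP snooping globally (all values below are assumed samples)
set dhcpsnooping enable

! Step 2: clients are in VLAN 10, so snooping inspects DHCP traffic on that VLAN
set dhcpsnooping vlan 10 enable

! Step 3: only the port facing the DHCP server is trusted; every client port
! in VLAN 10 stays untrusted, so DHCP server replies are accepted only from ge.1.1
set dhcpsnooping trust port ge.1.1 enable

! Step 4: log invalid DHCP messages seen on the untrusted client ports
set dhcpsnooping log-invalid port ge.1.2-24 enable

! Step 5: static binding for the printer so its fixed address passes inspection
set dhcpsnooping binding 00-11-22-33-44-55 vlan 10 192.0.2.50 port ge.1.5

! If the DHCP rate limiter brings a client port down, restore it after review
set port enable ge.1.7
```

The default rate limit and burst interval are left unchanged, matching the procedure as written.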

Configuration Notes

DHCP Server

When the switch is operating in switch mode, the DHCP server and the DHCP clients must be in the same VLAN.

If the switch is in routing mode (on those platforms that support routing), the DHCP server can be remotely connected to a routing interface, or running locally.

If the DHCP server is remotely connected, an IP helper address is required and MAC address verification should be disabled (set dhcpsnooping verify mac-address disable).

The DHCP server must use Scopes in order to provide the IP addresses per VLAN.

DHCP snooping must be enabled on the interfaces where the DHCP clients are connected, and the interfaces must be untrusted DHCP snooping ports.

The routing interface that is connected to the DHCP server must be enabled for DHCP snooping and must be a trusted DHCP snooping port.

SecureStack C3 Configuration Guide 17-3
