set dhcpsnooping trust

Mode

Switch command, read‐write.

Usage

When a switch learns of new bindings or when it loses bindings, the switch updates the entries in the bindings database according to the write delay timer. The switch also updates the entries in the binding file. The frequency at which the file is updated is based on the delay configured with this command, and the updates are batched.

Example

The following example specifies that the stored database should be updated once an hour.

C3(rw)->set dhcpsnooping database write-delay 3600

set dhcpsnooping trust

Use this command to enable or disable a port as a DHCP snooping trusted port.

Syntax

set dhcpsnooping trust port port-string {enable | disable}

Parameters

port port‐string

Specifies the port or ports to be enabled or disabled as trusted ports. The ports can be physical ports or LAGs that are members of a VLAN.

enable | disable

Enables or disables the specified ports as trusted ports.


Defaults

By default, ports are untrusted.

Mode

Switch command, read‐write.

Usage

In order for DHCP snooping to operate, snooping has to be enabled globally and on specific VLANs, and the ports within the VLANs have to be configured as trusted or untrusted. On trusted ports, DHCP client messages are forwarded directly by the hardware. On untrusted ports, client messages are given to the DHCP snooping application.

The DHCP snooping application builds the bindings database from client messages received on untrusted ports. DHCP snooping creates a “tentative binding” from DHCP DISCOVER and REQUEST messages. Tentative bindings tie a client to the port on which the message packet was received. Tentative bindings are completed when DHCP snooping learns the client’s IP address from a DHCP ACK message on a trusted port.

The ports on the switch through which DHCP servers are reached must be configured as trusted ports so that packets received from those ports will be forwarded to clients. DHCP packets from a DHCP server (DHCP OFFER, DHCP ACK, DHCP NAK) are dropped if received on an untrusted port.
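
The trust and binding rules described above can be traced with a small model. This is an added example, not code from the manual or the switch firmware; the class, the action labels, and the port names, MAC address and IP addresses are constructed for illustration, and only the behavior stated in the Usage text is modeled.

```python
# Simplified model of the trust/binding rules in the Usage text above.
# All ports, MACs and IPs below are constructed sample values.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST"}


class SnoopingModel:
    def __init__(self, trusted_ports=()):
        self.trusted = set(trusted_ports)  # every other port is untrusted (the default)
        self.tentative = {}                # client MAC -> port the client message arrived on
        self.bindings = {}                 # client MAC -> (IP address, client port)

    def handle(self, port, msg, mac, ip=None):
        """Return the action taken for one DHCP message received on `port`."""
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                return "drop"              # server message on an untrusted port
            if msg == "ACK" and mac in self.tentative:
                # ACK on a trusted port completes the tentative binding
                self.bindings[mac] = (ip, self.tentative.pop(mac))
            return "forward"
        if msg in CLIENT_MSGS:
            if port in self.trusted:
                return "hw-forward"        # forwarded directly by hardware
            self.tentative[mac] = port     # handed to the snooping application
            return "snoop"
        raise ValueError(f"unhandled DHCP message type: {msg}")


def replay(events, trusted_ports):
    """Run constructed events through the model; return (actions, bindings)."""
    model = SnoopingModel(trusted_ports)
    actions = [model.handle(*event) for event in events]
    return actions, model.bindings


CLIENT = "00:11:22:33:44:55"
EVENTS = [  # (port, message, client MAC, offered/assigned IP)
    ("ge.1.5", "DISCOVER", CLIENT, None),
    ("ge.1.7", "OFFER", CLIENT, "198.51.100.66"),  # server reply from an access port
    ("ge.1.1", "OFFER", CLIENT, "192.0.2.10"),     # reply via the trusted uplink
    ("ge.1.5", "REQUEST", CLIENT, None),
    ("ge.1.7", "ACK", CLIENT, "198.51.100.66"),
    ("ge.1.1", "ACK", CLIENT, "192.0.2.10"),
]

if __name__ == "__main__":
    actions, bindings = replay(EVENTS, trusted_ports={"ge.1.1"})
    for event, action in zip(EVENTS, actions):
        print(f"{event[0]:7} {event[1]:9} -> {action}")
    print(bindings)
```

Replaying the same events with no trusted port shows why the server-facing port must be trusted: every server reply is dropped and no binding is ever completed.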

17-6 DHCP Snooping and Dynamic ARP Inspection

Enterasys Networks 9034313-07 manual