Configuring Advanced Threat Protection

DHCP Snooping

Configuring Authorized Server Addresses

If authorized server addresses are configured, a packet from a DHCP server must be received on a trusted port AND have a source address in the authorized server list in order to be considered valid. If no authorized servers are configured, all servers are considered valid. You can configure a maximum of 20 authorized servers.

To configure a DHCP authorized server address, enter this command in the global configuration context:

ProCurve(config)# dhcp-snooping authorized-server <ip-address>

ProCurve(config)# show dhcp-snooping

DHCP Snooping Information

 

 

DHCP Snooping

: Yes

Enabled Vlans

:

4

Verify MAC

 

: No

Option 82

untrusted policy : drop

Option 82

Insertion

: Yes

Option 82

remote-id

: subnet-ip

Authorized Servers

 

 

---------------------

 

 

111.222.3.4

 

 

 

Figure 8-5. Example of Authorized Servers for DHCP Snooping

Using DHCP Snooping with Option 82

DHCP adds Option 82 (relay information option) to DHCP request packets received on untrusted ports by default. (See the preceding section Configuring DHCP Relay for more information on Option 82.)

When DHCP is enabled globally and also enabled on a VLAN, and the switch is acting as a DHCP relay, the settings for the DHCP relay Option 82 command are ignored when snooping is controlling Option 82 insertion. Option 82 inserted in this manner allows the association of the client’s lease with the correct port, even when another device is acting as a DHCP relay or when the server is on the same subnet as the client.

8-9