Configuring Advanced Threat Protection

DHCP Snooping

    ProCurve(config)# dhcp-snooping verify mac

    ProCurve(config)# show dhcp-snooping

     DHCP Snooping Information

      DHCP Snooping              : Yes
      Enabled Vlans              : 4
      Verify MAC                 : yes
      Option 82 untrusted policy : drop
      Option 82 Insertion        : Yes
      Option 82 remote-id        : subnet-ip

Figure 8-7. Example Showing the DHCP Snooping Verify MAC Setting

The DHCP Binding Database

DHCP snooping maintains a database of up to 8192 DHCP bindings on untrusted ports. Each binding consists of:

Client MAC address

Port number

VLAN identifier

Leased IP address

Lease time

The switch can be configured to store the bindings at a specific URL so that they are not lost when the switch is rebooted. After a reboot, the switch reads its binding database from the specified location. To configure this location, use the following command.

Syntax: [no] dhcp-snooping database [file <tftp://<ip-address>/<ascii-string>>] [delay <15-86400>] [timeout <0-86400>]

    file       Must be in Uniform Resource Locator (URL) format — “tftp://ip-address/ascii-string”. The maximum filename length is 63 characters.

    delay      Number of seconds to wait before writing to the database. Default = 300 seconds.

    timeout    Number of seconds to wait for the database file transfer to finish before returning an error. A value of zero (0) means retry indefinitely. Default = 300 seconds.
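As an added example (not from the manual or the vendor's tooling), the following Python check lints a `dhcp-snooping database` line from a saved configuration against the limits and defaults documented above. It assumes keywords and values are whitespace-separated and that the `ascii-string` after the host is the filename the 63-character limit applies to; `lint_database_cmd` is a hypothetical helper name.

```python
import ipaddress
import re

# Limits and defaults as documented for `dhcp-snooping database` above.
MAX_FILENAME = 63
DELAY_RANGE = (15, 86400)
TIMEOUT_RANGE = (0, 86400)
DEFAULTS = {"delay": 300, "timeout": 300}
URL_RE = re.compile(r"^tftp://([^/]+)/(.+)$")

def lint_database_cmd(line):
    """Return (effective settings, findings) for one config line."""
    tokens = line.split()
    if tokens[:2] != ["dhcp-snooping", "database"]:
        raise ValueError("not a dhcp-snooping database command")
    settings, findings = dict(DEFAULTS, file=None), []
    args = tokens[2:]
    if len(args) % 2:
        findings.append("keyword without a value")
    for key, value in zip(args[0::2], args[1::2]):
        if key == "file":
            settings["file"] = value
            m = URL_RE.match(value)
            if not m:
                findings.append("file is not tftp://ip-address/ascii-string")
                continue
            host, name = m.groups()
            try:
                ipaddress.ip_address(host)
            except ValueError:
                findings.append(f"host {host!r} is not an IP address")
            if len(name) > MAX_FILENAME or not name.isascii():
                findings.append("filename must be ASCII, at most 63 characters")
        elif key in ("delay", "timeout"):
            low, high = DELAY_RANGE if key == "delay" else TIMEOUT_RANGE
            if not value.isdecimal() or not low <= int(value) <= high:
                findings.append(f"{key} must be {low}-{high} seconds")
            else:
                settings[key] = int(value)  # out-of-range values keep the default
        else:
            findings.append(f"unknown keyword {key!r}")
    if settings["file"] is None:
        findings.append("no file URL: bindings are lost on reboot")
    if settings["timeout"] == 0:
        findings.append("timeout 0 retries the transfer indefinitely")
    return settings, findings

# Constructed sample line (address and filename are made up):
print(lint_database_cmd("dhcp-snooping database file tftp://10.0.0.5/snoop.db delay 60"))
```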
