UMN:CLI

User Manual

SURPASS hiD 6615 S223/S323 R1.5

8.8.7 DHCP Snooping

For enhanced security, the hiD 6615 S223/S323 provides the DHCP snooping feature. DHCP snooping filters untrusted DHCP messages and maintains a DHCP snooping binding table. An untrusted message is a message received from outside the network, and an untrusted interface is an interface configured to receive DHCP messages from outside the network.

DHCP snooping permits all trusted messages received from within the network and filters untrusted messages. For untrusted messages, all the binding entries are recorded in a DHCP snooping binding table. This table contains the hardware address, IP address, lease time, VLAN ID, interface, etc.

It also gives you a way to differentiate between untrusted interfaces connected to end users and trusted interfaces connected to the DHCP server or another switch.

8.8.7.1 Enabling DHCP Snooping

To enable DHCP snooping on the system, use the following command.

| Command | Mode | Description |
|---|---|---|
| ip dhcp snooping | Global | Enables the DHCP snooping on the system. |
| no ip dhcp snooping | Global | Disables the DHCP snooping on the system. (default) |

! After the ip dhcp snooping command is entered, the DHCP_OFFER and DHCP_ACK messages from all ports are discarded until a trusted port is specified.

 

To enable DHCP snooping on a VLAN, use the following command.

| Command | Mode | Description |
|---|---|---|
| ip dhcp snooping vlan VLANS | Global | Enables the DHCP snooping on a specified VLAN. |
| no ip dhcp snooping vlan VLANS | Global | Disables the DHCP snooping on a specified VLAN. |

! You must enable DHCP snooping on the system before enabling DHCP snooping on a VLAN.

8.8.7.2 DHCP Trust State

To define the state of a port as trusted or untrusted, use the following command.

| Command | Mode | Description |
|---|---|---|
| ip dhcp snooping trust PORTS | Global | Defines a state of a specified port as trusted. |
| no ip dhcp snooping trust PORTS | Global | Defines a state of a specified port as untrusted. |

Note that DHCP snooping only sees the DHCP_OFFER and DHCP_ACK messages that are received from untrusted interfaces.
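The filtering rules from 8.8.7.1 and 8.8.7.2, modelled as an added Python example (not code from the manual or from the device): it shows why legitimate server replies are lost between enabling snooping and trusting the uplink, and how a reply from an access port is filtered. The port numbers, addresses, message fields and the rule that a binding is learned from an ACK accepted on a trusted port are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"DHCP_OFFER", "DHCP_ACK"}  # server replies named in the manual


@dataclass
class Snooper:
    enabled: bool = False                         # set by: ip dhcp snooping
    trusted: set = field(default_factory=set)     # set by: ip dhcp snooping trust PORTS
    bindings: dict = field(default_factory=dict)  # keyed by client hardware address

    def receive(self, msg):
        """Return 'forward' or 'drop' for a DHCP message arriving on msg['port']."""
        if not self.enabled:
            return "forward"                      # snooping disabled (the default)
        if msg["type"] in SERVER_MSGS and msg["port"] not in self.trusted:
            return "drop"                         # server reply on an untrusted port
        if msg["type"] == "DHCP_ACK":
            # Assumption: a binding is learned from an ACK accepted on a trusted port.
            self.bindings[msg["client_mac"]] = {
                "ip": msg["ip"], "lease": msg["lease"],
                "vlan": msg["vlan"], "interface": msg["client_port"]}
        return "forward"


def demo():
    # Constructed traffic: port 1 = uplink to the DHCP server, port 5 = client,
    # port 7 = access port with an unauthorised DHCP server behind it.
    ack = {"type": "DHCP_ACK", "port": 1, "vlan": 10, "lease": 3600,
           "client_mac": "00:11:22:33:44:55", "ip": "192.0.2.50", "client_port": 5}
    rogue = dict(ack, port=7, ip="198.51.100.9")
    discover = {"type": "DHCP_DISCOVER", "port": 5}

    sw = Snooper(enabled=True)
    before = sw.receive(ack)        # no trusted port yet: legitimate ACK dropped
    sw.trusted.add(1)
    after = sw.receive(ack)         # uplink trusted: ACK forwarded, binding stored
    spoofed = sw.receive(rogue)     # same reply type from an access port: dropped
    client = sw.receive(discover)   # client request is not a server reply
    return before, after, spoofed, client, sw.bindings


if __name__ == "__main__":
    print(demo())
```

In practice this means the trusted uplink should be defined in the same change window as the global enable, otherwise clients cannot obtain or renew leases.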


A50010-Y3-C150-2-7619
