Chapter 25 IP Source Guard
Trusted ports are connected to DHCP servers or other switches. The Switch discards DHCP packets from trusted ports only if the rate at which DHCP packets arrive is too high. The Switch learns dynamic bindings from trusted ports.
Note: If DHCP is enabled and there are no trusted ports, DHCP requests will not succeed.
Untrusted ports are connected to subscribers. The Switch discards DHCP packets from untrusted ports in the following situations:
• The packet is a DHCP server packet (for example, OFFER, ACK, or NACK).
• The source MAC address and source IP address in the packet do not match any of the current bindings.
• The packet is a RELEASE or DECLINE packet, and the source MAC address and source port do not match any of the current bindings.
• The rate at which DHCP packets arrive is too high.
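The trusted/untrusted rules above can be modelled as a small forwarding decision. The following Python is an added example written for this page; it is not Zyxel code and does not reproduce the Switch's implementation. Everything beyond the rules stated in the text is an assumption made for the model: the packet fields, a per-port one-second rate window, learning a binding's port from the client's REQUEST and its IP from the server's ACK, exempting the 0.0.0.0 source address that a client uses before it has a lease, and removing the binding on a valid RELEASE.

```python
"""Model of the DHCP snooping forwarding rules (added example, not vendor code)."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# RFC 2131 option 53 message type codes
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MESSAGES = {OFFER, ACK, NAK}  # only legitimate when they come from a server
NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
         5: "ACK", 6: "NAK", 7: "RELEASE"}


@dataclass
class DhcpPacket:
    msg_type: int
    src_mac: str
    src_ip: str            # IP header source; "0.0.0.0" for a client with no lease yet
    port: str              # ingress port (assumed naming, e.g. "5")
    t: float = 0.0         # constructed arrival time in seconds
    chaddr: str = ""       # client hardware address carried in the DHCP payload
    yiaddr: str = ""       # address assigned by the server (OFFER/ACK)


@dataclass
class Binding:
    mac: str
    ip: str
    port: str


class SnoopingSwitch:
    """Per-port DHCP filter plus the dynamic binding table it maintains."""

    def __init__(self, trusted_ports: Set[str], rate_limit_pps: int):
        self.trusted = set(trusted_ports)
        self.limit = rate_limit_pps
        self.bindings: Dict[str, Binding] = {}           # dynamic bindings keyed by MAC
        self._window: Dict[str, Tuple[int, int]] = {}    # port -> (second, packets seen)
        self._pending: Dict[str, str] = {}               # chaddr -> port of its REQUEST

    def _rate_exceeded(self, port: str, t: float) -> bool:
        # Assumed rate model: count packets per port in the current whole second.
        sec = int(t)
        last_sec, count = self._window.get(port, (sec, 0))
        count = count + 1 if last_sec == sec else 1
        self._window[port] = (sec, count)
        return count > self.limit

    def process(self, p: DhcpPacket) -> Tuple[str, str]:
        """Return ("forward" | "drop", reason) for one DHCP packet."""
        # Rate limiting is the one rule that applies to trusted ports as well.
        if self._rate_exceeded(p.port, p.t):
            return "drop", "rate limit exceeded on port %s" % p.port

        if p.port in self.trusted:
            # Trusted side (servers, uplinks): learn a binding when the server
            # acknowledges a lease for a client whose REQUEST we saw.
            if p.msg_type == ACK and p.chaddr in self._pending:
                port = self._pending.pop(p.chaddr)
                self.bindings[p.chaddr] = Binding(p.chaddr, p.yiaddr, port)
            return "forward", "trusted port"

        # Untrusted side (subscriber ports).
        if p.msg_type in SERVER_MESSAGES:
            return "drop", "%s from untrusted port" % NAMES[p.msg_type]

        binding = self.bindings.get(p.src_mac)
        if p.msg_type in (RELEASE, DECLINE):
            if binding is None or binding.port != p.port:
                return "drop", "%s does not match binding (MAC/port)" % NAMES[p.msg_type]
            self.bindings.pop(p.src_mac)          # assumed: lease is gone
            return "forward", "binding released"

        # A populated source IP must match the MAC's current binding.
        if p.src_ip != "0.0.0.0" and (binding is None or binding.ip != p.src_ip):
            return "drop", "source MAC/IP does not match any binding"

        if p.msg_type == REQUEST:
            self._pending[p.chaddr or p.src_mac] = p.port
        return "forward", "client message"


if __name__ == "__main__":
    # Constructed walk-through: port 1 trusted, ports 5 and 6 subscriber ports.
    sw = SnoopingSwitch(trusted_ports={"1"}, rate_limit_pps=5)
    flow = [
        DhcpPacket(REQUEST, "aa:aa", "0.0.0.0", "5", 0.1, chaddr="aa:aa"),
        DhcpPacket(OFFER, "bb:bb", "10.0.0.1", "6", 0.2),                 # rogue server
        DhcpPacket(ACK, "cc:cc", "10.0.0.1", "1", 0.3, chaddr="aa:aa", yiaddr="10.0.0.50"),
        DhcpPacket(RELEASE, "aa:aa", "10.0.0.50", "6", 0.4),              # wrong port
    ]
    for pkt in flow:
        print(NAMES[pkt.msg_type], "port", pkt.port, "->", sw.process(pkt))
```

The `process` method returns the decision together with the rule that produced it, which is the detail a troubleshooter wants when a subscriber's DHCP traffic disappears: the reason string tells you whether the drop came from the rate limit, the rogue-server rule, or a binding mismatch.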
25.10.1.2 DHCP Snooping Database
The Switch stores the binding table in volatile memory. If the Switch restarts, it loads static bindings from permanent memory but loses the dynamic bindings, in which case the devices in the network have to send DHCP requests again. For this reason, it is recommended that you configure the DHCP snooping database.
The DHCP snooping database maintains the dynamic bindings for DHCP snooping and ARP inspection in a file on an external TFTP server. If you set up the DHCP snooping database, the Switch can reload the dynamic bindings from the DHCP snooping database after the Switch restarts.
You can configure the name and location of the file on the external TFTP server. The file has the following format:
Figure 127 DHCP Snooping Database File Format
TYPE
BEGIN
...
...
END
The