Chapter 19 IP Source Guard
MES-2110 User’s Guide
142
19.1.1 DHCP Snooping Overview
Use DHCP snooping to filter unauthorized DHCP frames on the network and to
build the binding table dynamically. This can prevent clients from getting IP
addresses from unauthorized DHCP servers.

19.1.1.1 Trusted vs. Untrusted Ports

Every port is either a trusted port or an untrusted port for DHCP snooping. This
setting is independent of the trusted/untrusted setting for ARP inspection. You can
also specify the maximum number for DHCP frames that each port (trusted or
untrusted) can receive each second.
Trusted ports are connected to DHCP servers or other switches. The MES-2110
discards DHCP frames from trusted ports only if the rate at which DHCP frames
arrive is too high. The MES-2110 learns dynamic bindings from trusted ports.

Note: If DHCP is enabled and there are no trusted ports, DHCP requests will not

succeed.

Untrusted ports are connected to subscribers. The MES-2110 discards DHCP
frames from untrusted ports in the following situations:
The frame is a DHCP server frame (for example, OFFER, ACK, or NACK).
The source MAC address and source IP address in the frame do not match any
of the current bindings.
The frame is a RELEASE or DECLINE frame, and the source MAC address and
source port do not match any of the current bindings.
The rate at which DHCP frames arrive is too high.

19.1.1.2 DHCP Snooping Static Binding Table

The MES-2110 stores the binding table in volatile memory. If the MES-2110
restarts, it loads static bindings from permanent memory but loses the dynamic
bindings, in which case the devices in the network have to send DHCP requests
again. As a result, it is recommended you configure the DHCP snooping database.

19.1.1.3 Configuring DHCP Snooping

Follow these steps to configure DHCP snooping on the MES-2110.
1Enable DHCP snooping on the MES-2110.
2Configure trusted and untrusted ports, and specify the maximum number of DHCP
frames that each port can receive per second.