Chapter 9
| General Security Measures
DHCPv4 Snooping
– 332 –
â–
If the DHCP packet is from a client, such as a DECLINE or RELEASE
message, the switch forwards the packet only if the corresponding
entry is found in the binding table.
â–
If the DHCP packet is from client, such as a DISCOVER, REQUEST,
INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC
address verification is disabled (as specified by the ip dhcp snooping
verify mac-address command). However, if MAC address verification is
enabled, then the packet will only be forwarded if the client’s hardware
address stored in the DHCP packet is the same as the source MAC
address in the Ethernet header.
â–
If the DHCP packet is not a recognizable type, it is dropped.
â–
If a DHCP packet from a client passes the filtering criteria above, it will only
be forwarded to trusted ports in the same VLAN.
â–
If a DHCP packet is from server is received on a trusted port, it will be
forwarded to both trusted and untrusted ports in the same VLAN.
â—† If DHCP snooping is globally disabled, all dynamic bindings are removed from
the binding table.
◆ Additional considerations when the switch itself is a DHCP client – The port(s)
through which the switch submits a client request to the DHCP server must be
configured as trusted (using the ip dhcp snooping trust command). Note that
the switch will not add a dynamic entry for itself to the binding table when it
receives an ACK message from a DHCP server. Also, when the switch sends out
DHCP client packets for itself, no filtering takes place. However, when the
switch receives any messages from a DHCP server, any packets received from
untrusted ports are dropped.
Example
This example enables DHCP snooping globally for the switch.
Console(config)#ip dhcp snooping
Console(config)#
Related Commands
ip dhcp snooping vlan (338)
ip dhcp snooping trust (340)
To Next Page
Loading...
Need help?
General