CHAPTER 25 | General Security Measures
DHCPv4 Snooping
■ access node identifier - ASCII string. Default is the MAC address of
the switch’s CPU. This field is set by the ip dhcp snooping
information option command.
■ eth - The second field is the fixed string “eth”.
■ slot - The slot represents the stack unit for this system.
■ port - The port which received the DHCP request. If the packet
arrives over a trunk, the value is the ifIndex of the trunk.
■ vlan - Tag of the VLAN which received the DHCP request.
Note that the sub-type and sub-length fields can be enabled or
disabled using the ip dhcp snooping information option command.
■ The ip dhcp snooping information option circuit-id command
can be used to modify the default settings described above.
EXAMPLE
This example sets the DHCP Snooping Information circuit-id suboption
string.
Console(config)#interface ethernet 1/1
Console(config-if)#ip dhcp snooping information option circuit-id string mv2
Console(config-if)#
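The following is an added example, not part of this manual or the switch software. It shows how a DHCP server operator could confirm that a request carries the circuit-id string configured above, by walking the Relay Agent Information option (Option 82, RFC 3046). It assumes the sub-type and sub-length fields are disabled, so the circuit-id sub-option holds the bare string; the function names, the sample bytes and the remote-id value are constructed for illustration.

```python
# Added example: constructed bytes, not a capture from a real switch.
RELAY_AGENT_INFO = 82   # DHCP option code (RFC 3046)
CIRCUIT_ID = 1          # Agent Circuit ID sub-option
REMOTE_ID = 2           # Agent Remote ID sub-option
PAD, END = 0, 255

def _tlvs(buf, single_byte=()):
    """Yield (code, value) pairs from a code/length/value byte string."""
    i = 0
    while i < len(buf):
        code = buf[i]
        if code in single_byte:          # PAD and END carry no length byte
            if code == END:
                return
            i += 1
            continue
        if i + 2 > len(buf):
            raise ValueError("truncated header at offset %d" % i)
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:         # reject lengths that run past the end
            raise ValueError("code %d overruns its container" % code)
        yield code, value
        i += 2 + length

def relay_suboptions(options):
    """Return {sub-option code: value} from Option 82, or {} if absent."""
    for code, value in _tlvs(options, single_byte=(PAD, END)):
        if code == RELAY_AGENT_INFO:
            return dict(_tlvs(value))
    return {}

def circuit_id_matches(options, expected):
    """True only if the circuit-id equals the configured ASCII string."""
    return relay_suboptions(options).get(CIRCUIT_ID) == expected.encode("ascii")

# Constructed DHCP options field (the bytes after the magic cookie):
# option 53 = DISCOVER, option 82 = circuit-id "mv2" plus a made-up remote-id.
SAMPLE = (bytes([53, 1, 1])
          + bytes([RELAY_AGENT_INFO, 13, CIRCUIT_ID, 3]) + b"mv2"
          + bytes([REMOTE_ID, 6, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55])
          + bytes([END]))

if __name__ == "__main__":
    print(relay_suboptions(SAMPLE))
    print(circuit_id_matches(SAMPLE, "mv2"))
```

A request with no Option 82, or with a different circuit-id, fails the match; malformed lengths raise ValueError rather than being silently accepted.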
ip dhcp snooping trust
This command configures the specified interface as trusted. Use the no
form to restore the default setting.
SYNTAX
[no] ip dhcp snooping trust
DEFAULT SETTING
All interfaces are untrusted
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
◆ A trusted interface is an interface that is configured to receive only
messages from within the network. An untrusted interface is an
interface that is configured to receive messages from outside the
network or firewall.
◆ Set all ports connected to DHCP servers within the local network or
firewall to trusted, and all other ports outside the local network or
firewall to untrusted.
◆ When DHCP snooping is enabled globally using the ip dhcp snooping
command, and enabled on a VLAN with the ip dhcp snooping vlan
command, DHCP packet filtering will be performed on any untrusted
ports within the VLAN according to the default status, or as specifically