
Enterasys SecureStack C2 C2G170-24 User Manual

Enterasys SecureStack C2 C2G170-24
698 pages
DHCP Snooping Overview
17-2 DHCP Snooping and Dynamic ARP Inspection
the hardware forwards client messages and copies server messages to the CPU so DHCP snooping
can learn the binding.

The DHCP snooping application processes incoming DHCP messages. For DHCP RELEASE and
DHCP DECLINE messages, the application compares the receive interface and VLAN with the
client's interface and VLAN in the bindings database. If the interfaces do not match, the
application logs the event and drops the message. For valid client messages, DHCP snooping
compares the source MAC address to the DHCP client hardware address. Where there is a
mismatch, DHCP snooping logs and drops the packet. You can disable this feature using the
set dhcpsnooping verify mac-address disable command.

DHCP snooping can be configured on switching VLANs and routing VLANs. When a DHCP
packet is received on a routing VLAN, the DHCP snooping application applies its filtering rules
and updates the bindings database. If a client message passes filtering rules, the message is
placed into the software forwarding path, where it may be processed by the DHCP relay agent,
the local DHCP server, or forwarded as an IP packet.

DHCP snooping forwards valid DHCP client messages received on non-routing VLANs. The
message is forwarded on all trusted interfaces in the VLAN. If a DHCP relay agent or local DHCP
server coexist with the DHCP snooping feature, DHCP client messages will be sent to the DHCP
relay agent or local DHCP server to process further.

The DHCP snooping application does not forward server messages since they are forwarded in
hardware.

Building and Maintaining the Database
The DHCP snooping application uses DHCP messages to build and maintain the bindings
database. The bindings database includes only data for clients on untrusted ports. The bindings
database includes the following information for each entry:
• Client MAC address
• Client IP address
• Time when client's lease expires
• Client VLAN ID
• Client port

DHCP snooping creates a tentative binding from DHCP DISCOVER and REQUEST messages.
Tentative bindings tie a client to a port (the port where the DHCP client message was received).
Tentative bindings are completed when DHCP snooping learns the client's IP address from a
DHCP ACK message on a trusted port. DHCP snooping removes bindings in response to
DECLINE, RELEASE, and NACK messages. The DHCP snooping application ignores the ACK
messages sent in reply to the DHCP Inform messages received on trusted ports. You can also
enter static bindings into the bindings database.

When a switch learns of new bindings or when it loses bindings, the switch immediately updates
the entries in the database.

If the absolute lease time of a snooping database entry expires, then that entry will be removed.
Care should be taken to ensure that system time is consistent across the reboots. Otherwise,
snooping entries will not expire properly. If a host sends a DHCP RELEASE message while the

Note: If the switch has been configured as a DHCP relay agent, to forward client requests to a
DHCP server that does not reside on the same broadcast domain as the client, MAC address
verification should be disabled in order to allow DHCP RELEASE packets to be processed by the
DHCP snooping functionality and client bindings removed from the bindings database.
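
The following Python model is an added example, not code from the manual or from Enterasys. It applies the rules above: tentative and completed bindings, the RELEASE/DECLINE interface check, MAC address verification and lease expiry. The class, method and port names and the sample addresses are constructed, and dropping server messages on untrusted ports is an assumption not stated on this page.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Binding:
    mac: str
    port: str
    vlan: int
    ip: Optional[str] = None         # None while the binding is tentative
    expires: Optional[float] = None  # absolute lease expiry time

class SnoopingModel:
    """Model of the rules on this page; all names are hypothetical."""
    def __init__(self, trusted_ports, verify_mac=True):
        self.trusted, self.verify_mac = set(trusted_ports), verify_mac
        self.bindings, self.log = {}, []   # bindings keyed by client MAC

    def _drop(self, reason):
        self.log.append(reason)            # log the event, then drop
        return "drop"

    def handle(self, kind, port, vlan, src_mac, chaddr, yiaddr=None, lease=0, now=0.0):
        b = self.bindings.get(chaddr)
        if kind in ("ACK", "NACK"):        # server messages
            if port not in self.trusted:   # assumption: not stated on this page
                return self._drop(f"{kind} on untrusted port {port}")
            if kind == "NACK":
                self.bindings.pop(chaddr, None)
            elif b is not None:            # no binding (e.g. reply to INFORM): nothing learned
                b.ip, b.expires = yiaddr, now + lease
            return "forward"
        if port in self.trusted:           # database covers untrusted ports only
            return "forward"
        if kind in ("RELEASE", "DECLINE") and b and (b.port, b.vlan) != (port, vlan):
            return self._drop(f"{kind} for {chaddr} on {port}/vlan {vlan}, bound to {b.port}")
        if self.verify_mac and src_mac != chaddr:
            return self._drop(f"source MAC {src_mac} != chaddr {chaddr}")
        if kind in ("DISCOVER", "REQUEST"):
            self.bindings.setdefault(chaddr, Binding(chaddr, port, vlan))
        elif kind in ("RELEASE", "DECLINE"):
            self.bindings.pop(chaddr, None)
        return "forward"

    def expire(self, now):                 # remove entries past their absolute lease time
        self.bindings = {m: b for m, b in self.bindings.items() if b.expires is None or b.expires > now}

if __name__ == "__main__":                 # constructed sample traffic
    sw, A = SnoopingModel({"ge.1.24"}), "00:00:5e:00:53:0a"
    sw.handle("DISCOVER", "ge.1.3", 10, A, A)
    print(sw.handle("RELEASE", "ge.1.7", 10, A, A), sw.log)
```

With `verify_mac=False`, a RELEASE whose source MAC differs from the client hardware address is still processed and the binding is removed, which is the outcome the Note above describes for relay deployments.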
