To Next Page

To Previous Page

DHCP Snooping Overview

SecureStack C2 Configuration Guide 17-3

switchisrebooting,whentheswitchreceivesaDHCPDISCOVERYorREQUESTmessage,the

clientʹsbindingwillgotoatentativebindingstate.

Rate Limiting

Toprotectthe switchagainstDHCPattackswhenDHCP snoopingisenabled,thesnooping

applicationenforcesarateli mitforDHCPpacketsreceivedonuntrustedinterfaces.DHCP

snoopingmonitorsthereceiverateoneachinterfaceseparately.Ifthereceiverateexceedsa

configurablelimit,DHCPsnoopingbringsdowntheinterface.Use

thesetportenablecommand

tore‐enabletheinterface.Boththerateandthe burst intervalcanbeconfigured.

Basic Configuration

Thefollowingconfigurationproceduredoesnotchangethewritedelaytothesnoopingdatabase

oranyofthedefaultrateli mitingvalues.Additionalconfigurationnotesfollowthisprocedure.

Configuration Notes

DHCP Server

•Whentheswitchisoperatinginswitchmode,thentheDHCPserverandDHCPclientsmust

beinthesameVLAN.

•Iftheswitchisinroutingmode(onthoseplatformsthatsupportrouting),thenthe DCHP

servercanberemotely connectedtoaroutinginterface,orrunninglocally.

•IftheDHCP

serverisremotelyconnected,thentheuseofanIPhelperaddressisrequiredand

MACaddressverificationshouldbedisabled(setdhcpsnoopingverifymac‐address

disable).

•TheDHCPservermustuseScopesinordertoprovidethe IPaddressesperVLAN.

•DHCPsnoopingmustbeenabledontheint erfaces

wheretheDHCPclientsareconnected,

andtheinterfacesmustbeuntrustedDHCPsnoopingports.

•TheroutinginterfacethatisconnectedtotheDHCPservermustbeenabledforDHCP

snoopingandmustbeatrustedDHCPsnoopingport.

Procedure 17-1 Basic Configuration for DHCP Snooping

Step Task Command(s)

1. Enable DHCP snooping globally on the switch. set dhcpsnooping enable

2. Determine where DHCP clients will be

connected and enable DHCP snooping on their

VLANs.

set dhcpsnooping vlan vlan-list

enable

3. Determine which ports will be connected to the

DHCP server and configure them as trusted

ports.

set dhcpsnooping trust port

port-string enable

4. If desired, enable logging of invalid DHCP

messages on specfic ports.

set dhcpsnooping log-invalid port

port-string enable

5. If desired, add static bindings to the database. set dhcpsnooping binding mac-address

vlan vlan-id ipaddr port port-string

Brand	Enterasys
Model	SecureStack C2 C2G170-24
Category	Switch
Language	English

Enterasys SecureStack C2 C2G170-24 User Manual

Table of Contents

Other manuals for Enterasys SecureStack C2 C2G170-24

Questions and Answers:

Enterasys SecureStack C2 C2G170-24 Specifications

Related product manuals