Skip to content
Click here to open the documentation of locally-managed switches, including the CLI and API guides.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=switch-management-L3

L3 protocols

You can use the L3 protocols tab to configure features such as DHCP relay, DHCP snooping, MLD snooping, and IGMP snooping.

DHCP relay

A DHCP relay is a host or router that forwards DHCP packets between DHCP clients and DHCP servers in different subnets. You can configure Sophos Switch to forward these packets by adding the IP addresses of your DHCP servers and relays. You can configure the following DHCP relay settings:

  • Status: Select from the following DHCP relay statuses:

    • Not set: Use the DHCP relay status configured locally on the switch.
    • Enabled: Turn on DHCP relay.
    • Disabled: Turn off DHCP relay.

    Once you've selected an option, select whether to synchronize the settings to the switches immediately, then click Save.

  • Server IP addresses: Enter up to five IP addresses to which the switch can forward DHCP packets.

    Enter an address in the Server IP addresses field and press Enter, select whether to synchronize the settings to the switches immediately, then click Save.

To delete an IP address, click delete Delete. on the IP address you want to remove, select whether to synchronize the settings to the switches immediately, then click Save.

DHCP snooping

DHCP snooping is a Layer 2 security technology that prevents rogue DHCP servers from offering IP addresses to DHCP clients. Malicious attackers often use rogue DHCP servers in man-in-the-middle or denial-of-service (DoS) attacks.

You can configure DHCP snooping globally on your switch or on individual VLANs, set trusted ports that you know have DHCP servers connected to them, and have the switch verify all DHCP traffic on untrusted ports.

Settings

The Settings tab is where you can configure the following DHCP snooping settings:

  • Status: Select from the following DHCP snooping statuses:

    • Not set: Use the DHCP snooping status configured locally on the switch.
    • Enabled: Turn on DHCP snooping.
    • Disabled: Turn off DHCP snooping.

    Once you've selected an option, select whether to synchronize the settings to the switches immediately, then click Save.

  • MAC address verification: Select from the following MAC address verification statuses:

    • Not set: Use the MAC address verification status configured locally on the switch.
    • Enabled: Turns MAC address verification on. The switch verifies the DHCP packets on untrusted ports to make sure that the source MAC address and the endpoint hardware address match. See Trust port settings.
    • Disabled: Turns MAC address verification off.

    Once you've selected an option, select whether to synchronize the settings to the switches immediately, then click Save.

VLAN settings

On the VLAN settings table, you can turn DHCP snooping on or off for each VLAN on the switch.

Select Enabled or Disabled to turn DHCP snooping on or off for the specified VLAN, or select Not set to use the DHCP snooping status configured locally on the switch. Once you've selected an option, select whether to synchronize the settings to the switches immediately, then click Save.

Configuration source shows the origin of the DHCP snooping settings for that VLAN.

Trust port settings

On the Trust port settings table, you can configure each port on your switch as trusted or untrusted. Trusted ports are ports connected to DHCP servers. The switch allows DHCP traffic to flow through trusted ports and automatically forwards DHCP messages on them.

Note

If you turn off DHCP snooping, the switch treats all ports as trusted.

Select Trusted or Untrusted to set the status of the specified port, or select Not set to use the trust port status configured locally on the switch. Once you've selected an option, select whether to synchronize the settings to the switches immediately, then click Save.

Configuration source shows the origin of the port's trust status.

Binding list

The Binding list shows the MAC address to IP bindings, including the VLAN and port to which the device connects.

MLD snooping

Multicast listener discovery (MLD) snooping performs a similar function for IPv6 as IGMP snooping does for IPv4. When you turn on MLD snooping, the switch creates a list of ports that receive multicast data. The switch only forwards multicast data to those ports, which avoids flooding all ports on the switch.

Settings

On the MLD snooping tab, you can configure the following settings:

  • Status: Select from the following MLD snooping statuses:

    • Not set: Use the MLD snooping status configured locally on the switch.
    • Enabled: Turn on MLD snooping.
    • Disabled: Turn off MLD snooping.

  • Report suppression: Limit the number of membership reports the member sends to multicast-capable routers. Enter a value from 1 to 25.

Click Save to update your settings.

Configuration source shows the origin of the MLD snooping settings.

You can also see the MLD snooping settings for each VLAN on the switch. Click edit Edit. to change the following settings for the specified VLAN:

  • Status: Turns MLD snooping on or off for the selected VLAN. Select one of the following statuses:

    • Enabled: Turn on MLD snooping.
    • Disabled: Turn off MLD snooping.
    • Not set: Use the MLD snooping status configured locally on the switch.

  • Querier status: The MLD snooping querier sends out MLD queries that trigger MLD report messages from connected devices that want to receive IP multicast traffic. MLD snooping uses these reports to establish correct forwarding. Select from the following options:

    • Enabled: Turn on the MLD snooping querier.
    • Disabled: Turn off the MLD snooping querier.
    • Not set: Use the MLD snooping querier status configured locally on the switch.

  • Querier interval (seconds): Sets the time between general query transmissions. Enter a value from 60 to 600.

  • Version: Select the MLD version to use from the following options:

    • v1: MLDv1. This is equivalent to IGMPv2 for IPv4.
    • v2: MLDv2. This is equivalent to IGMPv3 for IPv4.
    • Not set: Use the MLD version configured locally on the switch.

  • Fast leave: When turned on, the switch considers the port to have only one endpoint attached. This can improve bandwidth usage for a network that frequently experiences many MLD host add and leave requests.

    • Enabled: Turn on Fast leave.
    • Disabled: Turn off Fast leave.
    • Not set: Use the Fast leave status configured locally on the switch.

  • Static ports: Select the ports connected to multicast-enabled routers from the drop-down list.

Click Save to save your changes to the VLAN settings.

Group list

The Group list tab shows the list of discovered multicast groups. These groups of computers or devices receive the same network traffic.

IGMP snooping

Internet Group Management Protocol (IGMP) snooping is a method that network switches use to identify IPv4 multicast groups. With IGMP snooping turned on, the switch creates a list of ports that receive multicast data. The switch only forwards multicast data to those ports.

Settings

Go to My Products > Switches > Switches, select the switch or site where you want to configure IGMP snooping, and go to L3 protocols > IGMP snooping > Settings to configure the IGMP snooping.

  • Status: Turns IGMP snooping on or off for the selected VLAN. Select one of the following statuses:

    • Enabled: Turn IGMP snooping on.
    • Disabled: Turn IGMP snooping off.
    • Not set: Use the IGMP snooping status configured locally on the switch.

  • Report suppression: Limit the number of membership reports the member sends to multicast-capable routers. Enter a value from 1 to 25.

Click Save to update your settings.

Configuration source shows the origin of the IGMP snooping settings.

You can also see the IGMP snooping settings for each VLAN on the switch. Click edit Edit. to change the settings for the selected VLAN. You can change the following settings:

  • Status: Turns IGMP snooping on or off for the selected VLAN. Select one of the following statuses:

    • Enabled: Turn on IGMP snooping.
    • Disabled: Turn off IGMP snooping.
    • Not set: Use the IGMP snooping status configured locally on the switch.

  • Version: Select the IGMP version to use from the following options:

    • v1: IGMPv1
    • v2: IGMPv2
    • v3: IGMPv3
    • Not set: Use the IGMP version configured locally on the switch.

  • Querier status: The IGMP snooping querier sends IGMP queries that trigger IGMP report messages from connected devices wanting to receive IP multicast traffic. IGMP snooping uses these reports to establish correct forwarding. Select from the following options:

    • Enabled: Turn on the IGMP snooping querier.
    • Disabled: Turn off the IGMP snooping querier.
    • Not set: Use the IGMP snooping querier status configured locally on the switch.

  • Fast leave: When turned on, the switch considers the port to have only one endpoint attached. This can improve bandwidth usage for a network that frequently experiences many IGMP host add and leave requests.

    • Enabled: Turn on Fast leave.
    • Disabled: Turn off Fast leave.
    • Not set: Use the Fast leave status configured locally on the switch.

  • Querier interval (seconds): Sets the time between general query transmissions. Enter a value from 60 to 600.

  • Response interval (seconds): Sets the time hosts must respond to IGMP queries within. Enter a value from 0 to 25.
  • Startup query counter: Sets the number of IGMP queries the switch sends out at the rate set by the Startup query interval. Enter a value from 2 to 5.
  • Startup query interval (seconds): Sets the rate at which the switch sends IGMP membership queries after it starts up. Enter a value from 15 to 150.
  • Static ports: Select the ports connected to multicast-enabled routers from the drop-down list.

Click Save to save your changes to the VLAN settings.

Group list

The Group list tab shows the list of discovered multicast groups. These groups of computers or devices receive the same network traffic.