Skip to content
Click here to open the documentation of locally-managed switches, including the CLI and API guides.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=switch-management-DHCP-snooping

DHCP snooping

DHCP snooping is a Layer 2 security technology that prevents rogue DHCP servers from offering IP addresses to DHCP clients. Malicious attackers often use rogue DHCP servers in man-in-the-middle or denial-of-service (DoS) attacks.

You can configure DHCP snooping globally on your switch or on individual VLANs, set trusted ports that you know have DHCP servers connected to them, and have the switch verify all DHCP traffic on untrusted ports.

Settings

Go to My Products > Switches > Switches, select the switch or site where you want to configure DHCP snooping, and go to L3 protocols > DHCP snooping > Settings to configure the DHCP snooping.

Status

Status turns DHCP snooping on or off globally for the switch or site.

Select Enabled or Disabled to turn DHCP snooping on or off.

Select Not set to use the DHCP snooping status configured locally on the switch.

Once you've selected an option, select whether or not you want to synchronize the settings to the switches immediately, then click Save.

MAC address verification

When you turn on MAC address verification, the switch verifies the DHCP packets on untrusted ports to make sure that the source MAC address and the endpoint hardware address match.

Select Enabled or Disabled to turn MAC address verification on or off.

Select Not set to use the MAC address verification settings configured locally on the switch.

Once you've selected an option, select whether or not you want to synchronize the settings to the switches immediately, then click Save.

VLAN settings

You can turn DHCP snooping on or off for each VLAN on the switch.

Select Enabled or Disabled to turn DHCP snooping on or off for the specified VLAN.

Select Not set to use the DHCP snooping status configured locally on the switch.

Once you've selected an option, select whether or not you want to synchronize the settings to the switches immediately, then click Save.

Configuration source shows the origin of the DHCP snooping settings for that VLAN.

Trust port settings

You can configure each port on your switch as trusted or untrusted. Trusted ports are ports connected to DHCP servers. The switch allows DHCP traffic to flow through trusted ports and automatically forwards DHCP messages on them.

Note

If you turn off DHCP snooping, the switch treats all ports as trusted.

Select Trusted or Untrusted to set the status of the specified port.

Select Not set to use the trust port status configured locally on the switch.

Once you've selected an option, select whether or not you want to synchronize the settings to the switches immediately, then click Save.

Configuration source shows the origin of the port's trust status.

Binding list

The Binding list shows the MAC address to IP bindings, including the VLAN and port the device connects to.