Any configuration changes made locally on the switch won't be synchronized with Sophos Central. We recommend making changes from the Sophos Central control panel instead.

DHCP snooping

DHCP snooping identifies and drops unauthorized DHCP traffic.

Primarily, DHCP snooping is used to prevent unauthorized (rogue) DHCP servers from offering IP addresses to DHCP clients. Attackers use rogue DHCP servers for man-in-the-middle attacks (handing clients a malicious default gateway or DNS server) and for denial-of-service (DoS) attacks.

Global settings

To configure the global DHCP snooping settings, do as follows:

  1. For DHCP Snooping Status, select Turned on or Turned off to turn DHCP snooping on or off.
  2. For MAC address verification, select Turned on or Turned off to turn MAC address verification on or off. When it's turned on, the switch checks that the Ethernet source MAC address of a DHCP packet received on an untrusted port matches the client hardware address (chaddr) carried in the DHCP payload, and drops packets where the two differ. This stops a client on an untrusted port from requesting leases on behalf of MAC addresses it doesn't own, for example to exhaust the address pool.
  3. Click Apply.

VLAN settings

DHCP snooping can be turned on for the switch as a whole and for individual VLANs. When you turn DHCP snooping on for the switch, it intercepts DHCP messages on every layer 2 VLAN. When you turn DHCP snooping on for a VLAN, DHCP messages are intercepted only within that VLAN. Use these settings to turn DHCP snooping on or off for each VLAN.

To configure VLAN settings, do as follows:

  1. Click Edit next to the VLAN you want to configure.
  2. In DHCP snooping status, select On or Off from the drop-down list to turn DHCP snooping on or off for the VLAN.
  3. Click Apply.

Trust port settings

A trusted port is one that connects to a legitimate DHCP server, or to the uplink that leads to it. DHCP messages received on trusted ports, including server messages such as offers and acknowledgements, are forwarded without inspection; server messages received on untrusted ports are treated as coming from a rogue server and dropped. Mark as trusted only the ports that actually lead to your DHCP server. If DHCP snooping isn't turned on, all ports are trusted by default.

To configure trusted ports, do as follows:

  1. Select the port you want to configure.
  2. Click Edit.
  3. In Status, select Trusted or Untrusted from the drop-down list.
  4. Click Apply.

Binding list

This table shows the DHCP snooping binding list. Each entry records a VLAN ID, port, IP address and MAC address, which is the combination that IP source guard checks before permitting traffic from a device.

IP source guard (IPSG)

IP source guard (IPSG) restricts the traffic a port accepts to devices whose VLAN, port, IP address and MAC address match an entry in the binding list. When you use IP source guard, the following restrictions apply:

  • Only IPv4 is supported.
  • You must turn DHCP snooping on.
  • DHCP traffic isn't filtered, so a client can still obtain a lease through an IPSG port.
  • The maximum number of entries in the binding list is 127.
  • If a port has IPSG turned on but the binding table is empty, the port blocks all traffic. Add the device's entry before turning IPSG on for a port that's in use.
  • Trunk ports don't support IPSG.
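The following Python model, added here as an illustration and not Sophos code, ties together the behavior described in the DHCP snooping and IP source guard sections: server messages are dropped on untrusted ports, MAC address verification compares the Ethernet source MAC with the DHCP chaddr field, a DHCPACK arriving on a trusted port creates a binding for the client's port, and IPSG permits non-DHCP traffic only when a binding matches. The port names (ge1, ge2, ge24), addresses and frames are constructed for the example, and the model assumes that the global setting together with the per-VLAN setting selects which VLANs are snooped.

```python
"""Model of the DHCP snooping and IP source guard (IPSG) rules on this page.
Constructed illustration, not Sophos code: ports, addresses and frames are invented."""
from dataclasses import dataclass, field
from typing import Optional

# DHCP message types (option 53, RFC 2132). OFFER, ACK and NAK only come from servers.
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {OFFER, ACK, NAK}


@dataclass(frozen=True)
class Binding:
    """One row of the binding list: where a leased IP/MAC pair is allowed to appear."""
    vid: int
    port: str
    ip: str
    mac: str  # lowercase, colon-separated


@dataclass
class Frame:
    port: str                        # ingress port
    vid: int
    src_mac: str                     # Ethernet source address
    src_ip: str
    dhcp_type: Optional[int] = None  # None: not a DHCP packet
    chaddr: Optional[str] = None     # client hardware address field of the DHCP payload
    yiaddr: Optional[str] = None     # address the server assigns (OFFER/ACK)


@dataclass
class SnoopingSwitch:
    snooping_on: bool = True
    mac_verification: bool = True
    snooping_vlans: set = field(default_factory=set)  # assumption: VLANs with snooping on
    trusted_ports: set = field(default_factory=set)
    ipsg_ports: set = field(default_factory=set)
    bindings: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)       # chaddr -> (vid, port) of a REQUEST
    max_bindings: int = 127                           # limit stated on this page

    def is_trusted(self, port: str) -> bool:
        # With snooping turned off, every port is trusted.
        return not self.snooping_on or port in self.trusted_ports

    def snoop_dhcp(self, f: Frame) -> str:
        """Verdict for a DHCP packet: 'forward' or 'drop:<reason>'."""
        if not self.snooping_on or f.vid not in self.snooping_vlans:
            return "forward"
        if self.is_trusted(f.port):
            # Server replies on trusted ports are what populates the binding list.
            if f.dhcp_type == ACK and f.chaddr in self.pending:
                vid, client_port = self.pending.pop(f.chaddr)
                if len(self.bindings) < self.max_bindings:
                    self.bindings.add(Binding(vid, client_port, f.yiaddr, f.chaddr))
            return "forward"
        # Untrusted port: a server message here comes from a rogue DHCP server.
        if f.dhcp_type in SERVER_MESSAGES:
            return "drop:rogue-server-message"
        # MAC address verification: Ethernet source MAC must equal the DHCP chaddr.
        if self.mac_verification and f.src_mac != f.chaddr:
            return "drop:mac-verification-failed"
        if f.dhcp_type == REQUEST:
            self.pending[f.chaddr] = (f.vid, f.port)
        return "forward"

    def filter_frame(self, f: Frame) -> str:
        """Ingress decision: snooping for DHCP packets, IPSG for everything else."""
        if f.dhcp_type is not None:
            return self.snoop_dhcp(f)            # IPSG never filters DHCP traffic
        if f.port not in self.ipsg_ports:
            return "forward"
        # With an empty binding table nothing can match, so the port blocks all traffic.
        if Binding(f.vid, f.port, f.src_ip, f.src_mac) in self.bindings:
            return "forward"
        return "drop:no-ipsg-binding"


def demo() -> dict:
    """Client on untrusted IPSG port ge1, real server on trusted ge24, rogue on ge2."""
    sw = SnoopingSwitch(snooping_vlans={10}, trusted_ports={"ge24"}, ipsg_ports={"ge1"})
    client, server, rogue = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "de:ad:be:ef:00:01"
    out = {}
    # IPSG on, binding table empty: ordinary traffic is blocked.
    out["before_lease"] = sw.filter_frame(Frame("ge1", 10, client, "10.0.0.50"))
    # The client's own DHCP traffic is not filtered and passes snooping.
    out["request"] = sw.filter_frame(Frame("ge1", 10, client, "0.0.0.0", REQUEST, chaddr=client))
    # ACK from the real server on the trusted port creates the binding.
    out["ack"] = sw.filter_frame(Frame("ge24", 10, server, "10.0.0.1", ACK, chaddr=client, yiaddr="10.0.0.50"))
    # Now the leased IP/MAC pair on ge1 matches its binding; a spoofed IP does not.
    out["after_lease"] = sw.filter_frame(Frame("ge1", 10, client, "10.0.0.50"))
    out["spoofed_ip"] = sw.filter_frame(Frame("ge1", 10, client, "10.0.0.99"))
    # Rogue server on an untrusted port, and a DISCOVER with a forged chaddr (pool exhaustion).
    out["rogue_offer"] = sw.filter_frame(Frame("ge2", 10, rogue, "10.0.0.2", OFFER, chaddr=client, yiaddr="10.0.0.77"))
    out["forged_chaddr"] = sw.filter_frame(Frame("ge2", 10, rogue, "0.0.0.0", DISCOVER, chaddr="00:00:00:00:00:99"))
    out["bindings"] = len(sw.bindings)
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15} {verdict}")
```

Running demo() shows the ordering that matters in practice: with IPSG turned on and an empty binding table, the client's ordinary traffic is blocked until its DHCP exchange has completed through a trusted port, which is why DHCP snooping must be on before IPSG and why an existing device needs its entry in the list before IPSG is turned on for its port.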

To use IPSG, do as follows:

  1. Go to Configure > L3 protocols > DHCP snooping > Global settings.
  2. In DHCP snooping status, select Turned on.
  3. In MAC address verification, select Turned on.
  4. Go to IP source guard, and select Add.
  5. In VID, enter the VLAN ID that the device is connected to.
  6. In Port, enter the port that the device is connected to.
  7. In IP address, enter the device's IP address.
  8. In MAC address, enter the device's MAC address.
  9. Click Apply.
  10. Go to IPSG ports.
  11. Select the check box next to the ports you want to turn on IPSG for, and click Edit.
  12. Select Turned on from the Status drop-down list.
  13. Click Apply.