DHCP snooping
DHCP snooping is a Layer 2 security technology that prevents rogue DHCP servers from offering IP addresses to DHCP clients. Malicious attackers often use rogue DHCP servers in man-in-the-middle or denial-of-service (DoS) attacks.
You can configure DHCP snooping globally on your switch or on individual VLANs, set trusted ports that you know have DHCP servers connected to them, and have the switch verify all DHCP traffic on untrusted ports.
Global settings
The global DHCP snooping settings are as follows:
- DHCP snooping status: Select Turned on or Turned off to turn DHCP snooping on or off.
- MAC address verification: Select Turned on or Turned off to turn MAC address verification on or off. This feature checks that the source MAC address of a frame received on an untrusted port matches the client hardware address carried inside the DHCP packet.
Click Apply to save your changes.
VLAN settings
VLAN settings let you control DHCP snooping for individual VLANs. When you turn DHCP snooping on globally, the switch acts as a Layer 2 bridge that intercepts DHCP messages in every Layer 2 VLAN. When you turn DHCP snooping on for a single VLAN instead, the switch acts as a Layer 2 bridge only within that VLAN and intercepts DHCP messages there alone.
To configure DHCP snooping for a VLAN, do as follows:
- Click Edit next to the VLAN you want to configure.
- In DHCP snooping status, select On or Off from the drop-down list to turn DHCP snooping on or off for the VLAN.
- Click Apply to save your changes.
Trust port settings
You can configure each port on your switch as trusted or untrusted. Trusted ports are the ports that connect to your DHCP servers. The switch lets DHCP traffic flow through trusted ports and forwards DHCP messages on them automatically; DHCP traffic on untrusted ports is verified.
To configure trusted ports, do as follows:
- Select the ports you want to configure.
- Click Edit.
- In Status, select Trusted or Untrusted from the drop-down list.
- Click Apply to save your changes.
Binding list
This table lists the DHCP snooping binding entries that the switch has learned from DHCP exchanges on untrusted ports.
IP source guard
You can use IP source guard (IPSG) to allow traffic only from devices added to the filtering list.
Restrictions
When you use IPSG, the following restrictions apply:
- IPSG only supports IPv4.
- You must turn DHCP snooping on.
- DHCP traffic isn't filtered.
- The binding list can hold a maximum of 127 entries.
- If IPSG is turned on for a port but the binding table is empty, the port blocks all traffic.
- Trunk ports don't support IPSG.
Configure IP source guard
To use IPSG, do as follows:
- Go to Configure > L3 protocols > DHCP snooping > Global settings.
- Select Turned on for DHCP snooping status and MAC address verification.
- Click Apply.
- Go to IP source guard and click Add.
- Configure the following settings:
- VID: Enter the VLAN ID the device connects to.
- Port: Enter the port the device connects to.
- IP address: Enter the device's IP address.
- MAC address: Enter the device's MAC address.
- Click Apply.
- Go to IPSG ports.
- Select the ports you want to turn on IPSG for, and click Edit.
- Select Turned on from the Status drop-down list.
- Click Apply to save your changes.
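To make the filtering rules concrete, here is an added Python model (not the switch vendor's code) of how an IPSG port decides whether to forward a frame, following the Restrictions listed above: only IPv4 bindings are accepted, the list holds at most 127 entries, DHCP traffic passes unfiltered, and an IPSG port with an empty binding table blocks everything. The port names, VLAN IDs and addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

MAX_BINDINGS = 127      # stated limit of the binding list
DHCP_UDP_PORTS = {67, 68}  # DHCP traffic isn't filtered by IPSG


@dataclass(frozen=True)
class Binding:
    """One IPSG entry: the VLAN, port, IP and MAC entered in the Add dialog."""
    vid: int
    port: str
    ip: str
    mac: str


class IpSourceGuard:
    def __init__(self, ipsg_ports):
        self.ipsg_ports = set(ipsg_ports)   # ports with IPSG Status = Turned on
        self.bindings = set()

    def add_binding(self, b):
        """Return True if the entry was accepted, False if rejected."""
        try:
            ipaddress.IPv4Address(b.ip)      # IPSG only supports IPv4
        except ValueError:
            return False
        if len(self.bindings) >= MAX_BINDINGS:
            return False                     # binding list is full
        self.bindings.add(Binding(b.vid, b.port, b.ip, b.mac.lower()))
        return True

    def permit(self, port, vid, src_ip, src_mac, udp_port=None):
        """Return True if an IPv4 frame arriving on `port` is forwarded."""
        if port not in self.ipsg_ports:
            return True                      # IPSG off on this port: no filtering
        if udp_port in DHCP_UDP_PORTS:
            return True                      # DHCP must pass so clients can bind
        if not self.bindings:
            return False                     # IPSG on, table empty: block all
        # Forward only traffic that matches a binding for this VLAN and port.
        return Binding(vid, port, src_ip, src_mac.lower()) in self.bindings


if __name__ == "__main__":
    guard = IpSourceGuard(ipsg_ports={"ge1"})
    guard.add_binding(Binding(10, "ge1", "192.0.2.10", "00:11:22:33:44:55"))
    print(guard.permit("ge1", 10, "192.0.2.10", "00:11:22:33:44:55"))   # True
    print(guard.permit("ge1", 10, "192.0.2.99", "00:11:22:33:44:55"))   # False
```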