DHCP snooping
DHCP snooping identifies and drops unauthorized DHCP traffic.
Primarily, DHCP snooping is used to prevent unauthorized (rogue) DHCP servers from offering IP addresses to DHCP clients. Rogue DHCP servers are often used by malicious attackers in man-in-the-middle or denial-of-service (DoS) attacks.
Global settings
To configure DHCP snooping, do as follows:
- For DHCP Snooping Status, select Turned on or Turned off to turn DHCP snooping on or off.
- For MAC address verification, select Turned on or Turned off to turn MAC address verification on or off. This feature verifies that the source MAC address and the endpoint hardware address in the DHCP packets on untrusted ports match.
- Click Apply.
VLAN settings
This setting configures DHCP snooping for individual VLANs. DHCP snooping can be configured for switches and VLANs. When you turn DHCP snooping on for the switch, the interface becomes a layer 2 bridge and intercepts DHCP messages going to any layer 2 VLAN. When you turn on DHCP snooping for a VLAN, the switch becomes a layer 2 bridge only within the specific VLAN domain.
To configure VLAN settings, do as follows:
- Click Edit next to the VLAN you want to configure.
- In DHCP snooping status, select On or Off from the drop-down list to turn DHCP snooping on or off for the VLAN.
- Click Apply.
Trust port settings
A trusted port is connected to a DHCP server and can assign DHCP addresses. DHCP messages received on trusted ports are allowed to pass through the device. Packets from these ports are automatically forwarded. If DHCP Snooping isn't turned on, all ports are trusted by default.
To configure trusted ports, do as follows:
- Select the port you want to configure.
- Click Edit.
- In Status, select Trusted or Untrusted from the drop-down list.
- Click Apply.
Binding list
This table shows the DHCP snooping binding list.
IP source guard (IPSG)
You can use IP source guard (IPSG) to allow traffic only from devices added to the filtering list. When you use IP source guard, the following restrictions apply:
- Only IPv4 is supported.
- You must turn DHCP snooping on.
- DHCP traffic isn't filtered.
- The maximum number of entries in the binding list is 127.
- If a port has IPSG turned on, but the binding table is empty, the port will block all traffic.
- Trunk ports don't support IPSG.
To use IPSG, do as follows:
- Go to Configure > L3 protocols > DHCP snooping > Global settings.
- In DHCP snooping status, select Turned on.
- In MAC address verification, select Turned on.
- Go to IP source guard, and select Add.
- In VID, enter the VLAN ID that the device is connected to.
- In Port, enter the port that the device is connected to.
- In IP address, enter the device's IP address.
- For MAC address, enter the device's MAC address.
- Click Apply.
- Go to IPSG ports.
- Select the check box next to the ports you want to turn on IPSG for, and click Edit.
- Select Turned on from the Status drop-down list.
- Click Apply.
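The following is an added example, not part of this documentation or the switch's firmware, that models the forwarding decisions described above: server-originated DHCP messages are dropped on untrusted ports, MAC address verification compares the frame's source MAC with the DHCP chaddr field, and IPSG allows only traffic that matches the binding list (blocking everything when the list is empty). The `Switch` and `DhcpPacket` classes, port numbers and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

# DHCP message types carried in option 53 (RFC 2132).
SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these
MAX_BINDINGS = 127                     # binding list limit stated in the docs


@dataclass
class DhcpPacket:
    msg_type: str  # e.g. "OFFER" or "DISCOVER"
    src_mac: str   # Ethernet source address of the frame
    chaddr: str    # client hardware address inside the DHCP payload


@dataclass
class Switch:
    """Constructed model of one switch's DHCP snooping and IPSG state."""
    snooping_on: bool = True
    mac_verify_on: bool = True
    trusted_ports: set = field(default_factory=set)
    ipsg_ports: set = field(default_factory=set)
    # binding list: (vlan, port) -> {(ip, mac), ...}
    bindings: dict = field(default_factory=dict)

    def filter_dhcp(self, vlan, port, pkt):
        """Return 'forward' or a drop reason for a DHCP packet on this port."""
        if not self.snooping_on or port in self.trusted_ports:
            return "forward"  # trusted ports (or snooping off) pass everything
        if pkt.msg_type in SERVER_MSGS:
            return "drop: server message on untrusted port (rogue server)"
        if self.mac_verify_on and pkt.src_mac.lower() != pkt.chaddr.lower():
            return "drop: source MAC does not match chaddr"
        return "forward"

    def learn_binding(self, vlan, port, ip, mac):
        """Add a binding (snooped lease or manual IPSG entry); False if full."""
        if sum(len(v) for v in self.bindings.values()) >= MAX_BINDINGS:
            return False
        self.bindings.setdefault((vlan, port), set()).add((ip, mac.lower()))
        return True

    def filter_ip(self, vlan, port, src_ip, src_mac):
        """IPSG check for non-DHCP IPv4 traffic (DHCP itself is not filtered)."""
        if port not in self.ipsg_ports:
            return "forward"
        allowed = self.bindings.get((vlan, port), set())
        if not allowed:
            return "drop: IPSG on but binding table empty"
        if (src_ip, src_mac.lower()) in allowed:
            return "forward"
        return "drop: not in binding list"
```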