Configuration Guide (Supporting R2.2.0.0) Owner's manual

ManualsBrandsBrocade ManualsComputer Accessories6910 Ethernet Access Switch

261

262

263

264

265

266

267

268

269

270

212 Brocade 6910 Ethernet Access Switch Configuration Guide

53-1002651-02

DHCP Snooping

ip dhcp snooping

This command enables DHCP snooping globally. Use the no form to restore the default setting.

Syntax

[no] ip dhcp snooping

Default Setting

Disabled

Command Mode

Global Configuration

Command Usage

• Network traffic may be disrupted when malicious DHCP messages are received from an

outside source. DHCP snooping is used to filter DHCP messages received on an unsecure

interface from outside the network or fire wall. When DHCP snooping is enabled globally by this

command, and enabled on a VLAN interface by the ip dhcp snooping vlan command, DHCP

messages received on an untrusted interface (as specified by the no ip dhcp snooping trust

command) from a device not listed in the DHCP snooping table will be dropped.

• When enabled, DHCP messages entering an untrusted interface are filtered based upon

dynamic entries learned via DHCP snooping.

• Table entries are only learned for trusted interfaces. Each entry includes a MAC address, IP

address, lease time, VLAN identifier, and port identifier.

• When DHCP snooping is enabled, the rate limit for the number of DHCP messages that can be

processed by the switch is 100 packets per second. Any DHCP packets in excess of this limit

are dropped.

• Filtering rules are implemented as follows:

• If global DHCP snooping is disabled, all DHCP packets are forwarded.

• If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP

packet is received, all DHCP packets are forwarded for a trusted port. If the received

packet is a DHCP ACK message, a dynamic DHCP snooping entry is also added to the

binding table.

• If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP

packet is received, but the port is not trusted, it is processed as follows:

• If the DHCP packet is a reply packet from a DHCP server (including OFFER, ACK or NAK

messages), the packet is dropped.

• If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the

switch forwards the packet only if the corresponding entry is found in the binding

table.

• If the DHCP packet is from client, such as a DISCOVER, REQUEST, INFORM, DECLINE

or RELEASE message, the packet is forwarded if MAC address verification is disabled

(as specified by the ip dhcp snooping verify mac-address command). However, if MAC

address verification is enabled, then the packet will only be forwarded if the client’s

hardware address stored in the DHCP packet is the same as the source MAC address

in the Ethernet header.

• If the DHCP packet is not a recognizable type, it is dropped.