Configuration manual

26-18 Configuring Security Features
-------
set system service-acl my-sacl deny ip-source 192.168.10.10 mask 255.255.255.255 service ssh priority 1
set system service-acl my-sacl permit port ge.1.1 priority 2
set system service-acl my-sacl permit port ge.1.2 priority 3
set system service-acl my-sacl permit ip-source 10.10.22.2 port 123
! (Note: all other access implicitly denied)
C5(su)->set system service-class my-sacl
DHCP Snooping
DHCP snooping monitors DHCP messages between DHCP clients and DHCP servers to filter
harmful DHCP messages and to build a bindings database of {MAC address, IP address, VLAN
ID, port} tuples that are considered authorized.
DHCP snooping is disabled globally and on all VLANs by default. Ports are untrusted by default.
DHCP snooping must be enabled globally and on specific VLANs. Ports within those VLANs must
be configured as trusted or untrusted. On trusted ports, DHCP client messages are forwarded
directly by the hardware. On untrusted ports, client messages are handed to the DHCP snooping
application. DHCP servers must be reached through trusted ports.
DHCP snooping enforces the following security rules:
• DHCP packets from a DHCP server (DHCP OFFER, DHCP ACK, DHCP NAK) are dropped if
received on an untrusted port.
• DHCP RELEASE and DHCP DECLINE messages are dropped if they are for a MAC address
in the snooping database but the binding's interface in the database is different from the
interface where the message was received.
• On untrusted interfaces, the switch drops DHCP packets whose source MAC address does not
match the client hardware address. This check is a configurable option.
DHCP Message Processing
The hardware identifies all incoming DHCP packets on ports where DHCP snooping is enabled.
On untrusted ports, the hardware traps all incoming DHCP packets to the CPU. On trusted ports,
the hardware forwards client messages and copies server messages to the CPU so DHCP snooping
can learn the binding.
The DHCP snooping application processes incoming DHCP messages. For DHCP RELEASE and
DHCP DECLINE messages, the application compares the receive interface and VLAN with the
client's interface and VLAN in the bindings database. If the interface or VLAN does not match, the
application logs the event and drops the message. For valid client messages, DHCP snooping
compares the source MAC address to the DHCP client hardware address. Where there is a
mismatch, DHCP snooping logs and drops the packet. You can disable this check using the set
dhcpsnooping verify mac-address disable command.
DHCP snooping can be configured on switching VLANs and routing VLANs. When a DHCP
packet is received on a routing VLAN, the DHCP snooping application applies its filtering rules
and updates the bindings database. If a client message passes filtering rules, the message is placed
Note: If the switch has been configured as a DHCP relay agent, to forward client requests to a
DHCP server that does not reside on the same broadcast domain as the client, MAC address
verification should be disabled so that DHCP RELEASE packets are still processed by the
DHCP snooping application and the client bindings are removed from the bindings database.
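The rules above, worked through end to end as an added example (this is not Enterasys code and does not reproduce the switch's firmware): a small Python model that parses constructed DHCP packets, keeps the {MAC address, IP address, VLAN ID, port} bindings database, and applies the port-trust rule, the RELEASE/DECLINE interface check and the source-MAC verification, including the relay case from the Note where MAC verification is disabled. How the client's port is attached to the server's DHCP ACK (here: taken from the client's most recent request on an untrusted port) and the removal of the binding on DECLINE are modelling assumptions; all packets, ports and MAC addresses are constructed for the example.

```python
"""Model of the DHCP snooping filter rules (added example, not Enterasys code)."""
from dataclasses import dataclass, field
import struct

BOOTREQUEST, BOOTREPLY = 1, 2                                  # BOOTP op codes
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7  # option 53
SERVER_TYPES = {OFFER, ACK, NAK}                               # only a server sends these
MAGIC = b"\x63\x82\x53\x63"                                    # DHCP option magic cookie


def build_dhcp(op, msg_type, chaddr, yiaddr="0.0.0.0"):
    """Construct a minimal BOOTP/DHCP payload (constructed test input, not a capture)."""
    mac = bytes.fromhex(chaddr.replace(":", ""))
    pkt = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234, 0, 0)   # op htype hlen hops xid secs flags
    pkt += bytes(4)                                           # ciaddr
    pkt += bytes(int(o) for o in yiaddr.split("."))           # yiaddr
    pkt += bytes(8)                                           # siaddr, giaddr
    pkt += mac + bytes(10)                                    # chaddr, padded to 16 bytes
    pkt += bytes(64 + 128)                                    # sname, file
    return pkt + MAGIC + bytes([53, 1, msg_type, 255])        # option 53 (message type), End


def parse_dhcp(payload):
    """Return (op, chaddr, yiaddr, message type) from a raw DHCP payload."""
    op, hlen = payload[0], payload[2]
    yiaddr = ".".join(str(b) for b in payload[16:20])
    chaddr = payload[28:28 + hlen].hex(":")
    if payload[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    i, msg_type = 240, None
    while i < len(payload) and payload[i] != 255:             # walk TLV options up to End
        if payload[i] == 0:                                   # Pad option carries no length
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53:
            msg_type = payload[i + 2]
        i += 2 + length
    return op, chaddr, yiaddr, msg_type


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class DhcpSnooping:
    enabled: bool = False                                     # disabled globally by default
    vlans: set = field(default_factory=set)                   # VLANs with snooping enabled
    trusted_ports: set = field(default_factory=set)           # every other port is untrusted
    verify_mac: bool = True                                   # "verify mac-address" state
    bindings: dict = field(default_factory=dict)              # chaddr -> Binding
    pending: dict = field(default_factory=dict)               # chaddr -> (vlan, port) of last request
    log: list = field(default_factory=list)

    def _drop(self, reason):
        self.log.append(reason)
        return "drop"

    def process(self, port, vlan, src_mac, payload):
        """Apply the snooping rules to one DHCP frame; return 'forward' or 'drop'."""
        if not self.enabled or vlan not in self.vlans:
            return "forward"                                  # snooping inactive: hardware forwards
        trusted = port in self.trusted_ports
        op, chaddr, yiaddr, mtype = parse_dhcp(payload)
        if mtype in SERVER_TYPES:
            if not trusted:
                return self._drop(f"server message type {mtype} on untrusted port {port}")
            if mtype == ACK and chaddr in self.pending:
                # Learn the binding; the client port comes from its own earlier request
                # (modelling assumption: the page does not say how the port is associated).
                pvlan, pport = self.pending.pop(chaddr)
                self.bindings[chaddr] = Binding(chaddr, yiaddr, pvlan, pport)
            return "forward"
        if trusted:
            return "forward"                                  # client messages on trusted ports skip inspection
        if self.verify_mac and src_mac.lower() != chaddr:
            return self._drop(f"source MAC {src_mac} != chaddr {chaddr} on {port}")
        if mtype in (RELEASE, DECLINE):
            name = "RELEASE" if mtype == RELEASE else "DECLINE"
            b = self.bindings.get(chaddr)
            if b and (b.port, b.vlan) != (port, vlan):
                return self._drop(f"{name} for {chaddr} on {port}/{vlan}, bound to {b.port}/{b.vlan}")
            self.bindings.pop(chaddr, None)                   # lease given up (DECLINE removal is an assumption)
            return "forward"
        self.pending[chaddr] = (vlan, port)                   # remember where the client request arrived
        return "forward"


def demo():
    """Walk one client through a lease on VLAN 10 with a rogue server on ge.1.2."""
    sw = DhcpSnooping(enabled=True, vlans={10}, trusted_ports={"ge.1.24"})
    client, server, rogue = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "00:de:ad:be:ef:01"
    steps = [
        ("ge.1.1", client, build_dhcp(BOOTREQUEST, DISCOVER, client)),              # forward
        ("ge.1.2", rogue, build_dhcp(BOOTREPLY, OFFER, client, "10.0.0.66")),       # drop: server msg, untrusted
        ("ge.1.24", server, build_dhcp(BOOTREPLY, ACK, client, "10.0.0.50")),       # forward, binding learned
        ("ge.1.3", client, build_dhcp(BOOTREQUEST, RELEASE, client)),               # drop: wrong port
        ("ge.1.1", "00:00:00:00:00:99", build_dhcp(BOOTREQUEST, REQUEST, client)),  # drop: MAC mismatch
        ("ge.1.1", client, build_dhcp(BOOTREQUEST, RELEASE, client)),               # forward, binding removed
    ]
    results, learned = [], None
    for port, src, pkt in steps:
        results.append(sw.process(port, 10, src, pkt))
        if len(results) == 3:
            learned = sw.bindings[client].ip
    return results, learned, len(sw.bindings), sw.log


def relay_release_demo(verify_mac):
    """RELEASE whose source MAC is not the client's chaddr (the relay case from the Note)."""
    sw = DhcpSnooping(enabled=True, vlans={10}, trusted_ports={"ge.1.24"}, verify_mac=verify_mac)
    client = "00:11:22:33:44:55"
    sw.bindings[client] = Binding(client, "10.0.0.50", 10, "ge.1.1")
    result = sw.process("ge.1.1", 10, "00:0c:29:aa:bb:cc", build_dhcp(BOOTREQUEST, RELEASE, client))
    return result, client in sw.bindings                        # binding survives only if dropped


if __name__ == "__main__":
    print(demo())
    print(relay_release_demo(True), relay_release_demo(False))
```

With verification enabled, the relayed RELEASE is dropped and the stale binding stays in the database; with `verify_mac=False` (the page's `set dhcpsnooping verify mac-address disable`) it is processed and the binding is removed, which is the trade-off the Note describes.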