User's Manual
Chapter 4 | Configuring the Switch
Configuring Security
– 107 –
CONFIGURING DHCP SNOOPING
Use the DHCP Snooping Configuration page to filter IP traffic on insecure ports for which the source address cannot be identified via DHCP snooping. The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard). DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port.
PATH 
Advanced Configuration, Security, Network, DHCP, Snooping
COMMAND USAGE
DHCP Snooping Process
◆ Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on a non-secure interface from outside the network or firewall. When DHCP snooping is enabled globally and enabled on a VLAN interface, DHCP messages received on an untrusted interface from a device not listed in the DHCP snooping table will be dropped.
◆ Table entries are only learned for trusted interfaces. An entry is added to or removed from the DHCP snooping table dynamically when a client receives or releases an IP address from a DHCP server. Each entry includes a MAC address, IP address, lease time, VLAN identifier, and port identifier.
◆ When DHCP snooping is enabled, DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping.
◆ Filtering rules are implemented as follows:
  ■ If the global DHCP snooping is disabled, all DHCP packets are forwarded.
  ■ If DHCP snooping is enabled globally, all DHCP packets are forwarded for a trusted port. If the received packet is a DHCP ACK message, a dynamic DHCP snooping entry is also added to the binding table.
  ■ If DHCP snooping is enabled globally, but the port is not trusted, it is processed as follows:
    ■ If the DHCP packet is a reply packet from a DHCP server (including OFFER, ACK or NAK messages), the packet is dropped.
    ■ If a DHCP DECLINE or RELEASE message is received from a client, the switch forwards the packet only if the corresponding entry is found in the binding table.
    ■ If a DHCP DISCOVER, REQUEST or INFORM message is received from a client, the packet is forwarded.
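The filtering rules above, written out as a decision procedure over a binding table. This is an added illustration, not the switch firmware: the message and port dictionaries, the binding-table key (client MAC plus VLAN) and the removal of an entry on a forwarded RELEASE are assumptions about how "the corresponding entry" is matched and maintained.

```python
# Decision logic for the DHCP snooping filtering rules described above.
# Constructed example; message/port shapes and the (mac, vlan) key are assumed.

SERVER_REPLIES = {"OFFER", "ACK", "NAK"}
CLIENT_REQUESTS = {"DISCOVER", "REQUEST", "INFORM"}
CLIENT_TEARDOWN = {"DECLINE", "RELEASE"}


def snoop_filter(msg, port, bindings, global_enabled=True):
    """Return 'forward' or 'drop' for one DHCP message; updates bindings.

    msg:      dict with 'type', 'mac', 'vlan', 'ip', 'lease' (constructed)
    port:     dict with 'id' and 'trusted'
    bindings: dict keyed by (mac, vlan) -> entry with ip/lease/vlan/port
    """
    if not global_enabled:
        return "forward"                      # rule 1: snooping globally off
    key = (msg["mac"], msg["vlan"])
    if port["trusted"]:
        if msg["type"] == "ACK":              # rule 2: learn only from trusted ACKs
            bindings[key] = {"ip": msg["ip"], "lease": msg["lease"],
                             "vlan": msg["vlan"], "port": port["id"]}
        return "forward"
    # rule 3: untrusted port
    if msg["type"] in SERVER_REPLIES:
        return "drop"                         # server reply on an access port
    if msg["type"] in CLIENT_TEARDOWN:
        if key not in bindings:
            return "drop"                     # no binding: client is unknown
        if msg["type"] == "RELEASE":
            bindings.pop(key)                 # assumption: entry removed on release
        return "forward"
    if msg["type"] in CLIENT_REQUESTS:
        return "forward"
    raise ValueError("message type not covered by the filtering rules")


def demo():
    """Run a constructed sequence through one access port and one uplink."""
    bindings = {}
    uplink = {"id": "1/1", "trusted": True}
    access = {"id": "1/5", "trusted": False}
    client = {"mac": "00:11:22:33:44:55", "vlan": 10, "ip": None, "lease": None}
    lease = {"ip": "192.0.2.10", "lease": 3600}
    events = [
        (dict(client, type="DISCOVER"), access),        # client asks: forwarded
        (dict(client, type="OFFER", **lease), access),  # reply on access port: dropped
        (dict(client, type="ACK", **lease), uplink),    # real server ACK: learned
        (dict(client, type="RELEASE"), access),         # known client: forwarded
        (dict(client, type="RELEASE"), access),         # binding gone: dropped
    ]
    return [snoop_filter(m, p, bindings) for m, p in events], bindings
```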