Chapter 26 IP Source Guard
MGS3700-12C User’s Guide
270
26.1.1 DHCP Snooping Overview
Use DHCP snooping to filter unauthorized DHCP packets on the network and to
build the binding table dynamically. This can prevent clients from getting IP
addresses from unauthorized DHCP servers.
26.1.1.1 Trusted vs. Untrusted Ports
Every port is either a trusted port or an untrusted port for DHCP snooping. This
setting is independent of the trusted/untrusted setting for ARP inspection. You can
also specify the maximum number for DHCP packets that each port (trusted or
untrusted) can receive each second.
Trusted ports are connected to DHCP servers or other switches. The Switch
discards DHCP packets from trusted ports only if the rate at which DHCP packets
arrive is too high. The Switch learns dynamic bindings from trusted ports.
Note: If DHCP is enabled and there are no trusted ports, DHCP requests will not
succeed.
Untrusted ports are connected to subscribers. The Switch discards DHCP packets
from untrusted ports in the following situations:
• The packet is a DHCP server packet (for example, OFFER, ACK, or NACK).
• The source MAC address and source IP address in the packet do not match any
of the current bindings.
• The packet is a RELEASE or DECLINE packet, and the source MAC address and
source port do not match any of the current bindings.
• The rate at which DHCP packets arrive is too high.
26.1.1.2 DHCP Snooping Database
The Switch stores the binding table in volatile memory. If the Switch restarts, it
loads static bindings from permanent memory but loses the dynamic bindings, in
which case the devices in the network have to send DHCP requests again. As a
result, it is recommended you configure the DHCP snooping database.
The DHCP snooping database maintains the dynamic bindings for DHCP snooping
and ARP inspection in a file on an external TFTP server. If you set up the DHCP
snooping database, the Switch can reload the dynamic bindings from the DHCP
snooping database after the Switch restarts.