The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard). DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port.
Use the Security > DHCP Snooping (Configure Global) page to enable DHCP Snooping globally on the switch, or to configure MAC Address Verification.
General
Enables DHCP snooping globally. (Default: Disabled)
Enables or disables MAC address verification. If the source MAC address in the Ethernet header of the packet is not the same as the client's hardware address in the DHCP packet, the packet is dropped. (Default: Enabled)
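The MAC address verification check described above can be reproduced offline when reviewing a packet capture. The following is an added example, not the switch's own code; the function names, the sample MAC addresses, and the choice to drop truncated or non-Ethernet DHCP headers are assumptions.

```python
import struct

def mac_verification(frame: bytes) -> str:
    """Verdict for one untagged Ethernet frame: 'forward', 'drop' or 'not-dhcp'."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":    # IPv4 only
        return "not-dhcp"
    eth_src, ip = frame[6:12], frame[14:]
    if len(ip) < 20 or ip[9] != 17:                        # protocol 17 = UDP
        return "not-dhcp"
    udp = ip[(ip[0] & 0x0F) * 4:]                          # skip IP header (IHL words)
    if len(udp) < 8:
        return "not-dhcp"
    sport, dport = struct.unpack("!HH", udp[:4])
    if {sport, dport} - {67, 68}:                          # not BOOTP/DHCP ports
        return "not-dhcp"
    bootp = udp[8:]
    # Assumption: a truncated header or a non-Ethernet hardware type is dropped.
    if len(bootp) < 44 or bootp[1] != 1 or bootp[2] != 6:
        return "drop"
    chaddr = bootp[28:34]                                  # client hardware address
    return "forward" if chaddr == eth_src else "drop"

def build_frame(eth_src: bytes, chaddr: bytes) -> bytes:
    """Constructed DHCPDISCOVER broadcast (checksums left at zero; not verified here)."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, 0x12345678, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), bytes(4), chaddr)
    bootp += bytes(64 + 128) + b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff"
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp
    return b"\xff" * 6 + eth_src + b"\x08\x00" + ip

CLIENT = bytes.fromhex("020000000001")    # constructed, locally administered MACs
OTHER = bytes.fromhex("020000000099")

if __name__ == "__main__":
    print(mac_verification(build_frame(CLIENT, CLIENT)))
    print(mac_verification(build_frame(OTHER, CLIENT)))
```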
Information
Enables or disables DHCP Option 82 information relay. (Default: Disabled)
Enables or disables use of sub-type and sub-length fields in circuit-ID (CID) and remote-ID (RID) in Option 82 information. (Default: Enabled)
Specifies the MAC address, IP address, or arbitrary identifier of the requesting device (i.e., the switch in this context).
Inserts a MAC address in the remote ID sub-option for the DHCP snooping agent (i.e., the MAC address of the switch's CPU). This attribute can be encoded in Hexadecimal or ASCII.
Inserts an IP address in the remote ID sub-option for the DHCP snooping agent (i.e., the IP address of the management interface). This attribute can be encoded in Hexadecimal or ASCII.
An arbitrary string inserted into the remote identifier field. (Range: 1-32 characters)
Specifies how to handle DHCP client request packets which already contain Option 82 information.
Drops the client's request packet instead of relaying it.
Retains the Option 82 information in the client request, inserts the relay agent's address, and forwards the packets to trusted ports.
Replaces the Option 82 information circuit-id field in the client's request with information provided by the relay agent itself, inserts the relay agent's address (when DHCP snooping is enabled), and forwards the packets to trusted ports. (This is the default policy.)
Use the IP Service > DHCP > Snooping (Configure VLAN) page to enable or disable DHCP snooping on specific VLANs.
ID of a configured VLAN.
Enables or disables DHCP snooping for the selected VLAN. When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN. (Default: Disabled)
Use the IP Service > DHCP > Snooping (Configure Interface) page to configure switch ports as trusted or untrusted.
Enables or disables a port as trusted. (Default: Disabled)
The maximum number of DHCP clients which can be supported per interface. (Range: 1-32; Default: 16)
Specifies DHCP Option 82 circuit ID suboption information.
Specifies the default string "VLAN-Unit-Port" or an arbitrary string. (Default: VLAN-Unit-Port)
An arbitrary string inserted into the circuit identifier field. (Range: 1-32 characters)
Use the IP Service > DHCP > Snooping (Show Information) page to display entries in the binding table.
Physical address associated with the entry.
IP address corresponding to the client.
The time for which this IP address is leased to the client.
Entry types include:
DHCP-Snooping - Dynamically snooped.
Static-DHCPSNP - Statically configured.
VLAN to which this entry is bound.
Port or trunk to which this entry is bound.
Writes all dynamically learned snooping entries to flash memory. This function can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset. However, note that the lease time shown for a dynamic entry that has been restored from flash memory will no longer be valid.
Removes all dynamically learned snooping entries from flash memory.