Siemens S323 User Manual

UMN:CLI User Manual
SURPASS hiD 6615 S223/S323 R1.5
258 A50010-Y3-C150-2-7619
8.8.7 DHCP Snooping
For enhanced security, the hiD 6615 S223/S323 provides the DHCP snooping feature.
DHCP snooping filters untrusted DHCP messages and maintains a DHCP snooping
binding table. An untrusted message is a message received from outside the network,
and an untrusted interface is an interface configured to receive DHCP messages from
outside the network.
DHCP snooping permits all trusted messages received from within the network and
filters untrusted messages. For untrusted messages, all the binding entries are
recorded in the DHCP snooping binding table. This table contains the hardware
address, IP address, lease time, VLAN ID, interface, etc.
It also gives you a way to differentiate between untrusted interfaces connected to
end users and trusted interfaces connected to the DHCP server or another switch.
 
8.8.7.1 Enabling DHCP Snooping
To enable the DHCP snooping on the system, use the following command.

Command               Mode     Description
ip dhcp snooping      Global   Enables the DHCP snooping on the system.
no ip dhcp snooping   Global   Disables the DHCP snooping on the system. (default)
 
After you enter the ip dhcp snooping command, DHCP_OFFER and DHCP_ACK messages
from all ports are discarded until a trusted port is specified.
To enable the DHCP snooping on a VLAN, use the following command.

Command                          Mode     Description
ip dhcp snooping vlan VLANS      Global   Enables the DHCP snooping on a specified VLAN.
no ip dhcp snooping vlan VLANS   Global   Disables the DHCP snooping on a specified VLAN.
 
You must enable DHCP snooping on the system before enabling DHCP snooping on a 
VLAN. 
 
8.8.7.2 DHCP Trust State
To define a state of a port as trusted or untrusted, use the following command. 

Command                           Mode     Description
ip dhcp snooping trust PORTS      Global   Defines a state of a specified port as trusted.
no ip dhcp snooping trust PORTS   Global   Defines a state of a specified port as untrusted.
 
Note that DHCP snooping only sees the DHCP_OFFER and DHCP_ACK messages
that are received from untrusted interfaces.
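
The following is an added example, not part of the Siemens manual: a small Python check that replays the three snooping commands from a saved configuration and flags the two pitfalls described above (a VLAN enabled before the global command, and snooping enabled with no trusted port, which leaves DHCP_OFFER and DHCP_ACK discarded on every port). The sample configuration, the VLAN ID "10", the port number "24" and the finding names are constructed assumptions.

```python
import re

# Constructed sample configuration; the VLAN ID "10" and port number "24"
# are assumed argument formats, not values taken from the manual.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping trust 24
"""

# Matches the three command forms on this page, with an optional "no" prefix.
LINE_RE = re.compile(r"^(no\s+)?ip dhcp snooping(?:\s+(vlan|trust)\s+(\S+))?$")


def parse_snooping(config):
    """Replay the snooping commands in order and return the resulting state."""
    state = {"enabled": False, "vlans": set(), "trusted": set(), "order_errors": []}
    for lineno, raw in enumerate(config.splitlines(), 1):
        m = LINE_RE.match(" ".join(raw.split()))  # normalise whitespace first
        if not m:
            continue  # not a DHCP snooping command
        negate, kind, arg = bool(m.group(1)), m.group(2), m.group(3)
        if kind is None:
            state["enabled"] = not negate
        elif kind == "vlan":
            # The manual requires system-wide snooping before per-VLAN snooping.
            if not negate and not state["enabled"]:
                state["order_errors"].append(lineno)
            (state["vlans"].discard if negate else state["vlans"].add)(arg)
        else:  # trust
            (state["trusted"].discard if negate else state["trusted"].add)(arg)
    return state


def audit(config):
    """Return a list of finding names (hypothetical labels) for a configuration."""
    s = parse_snooping(config)
    findings = []
    if not s["enabled"]:
        findings.append("snooping-disabled")  # the documented default
    findings += [f"vlan-before-global:line{n}" for n in s["order_errors"]]
    if s["enabled"] and not s["trusted"]:
        # Per the manual, OFFER/ACK from all ports are discarded in this state.
        findings.append("no-trusted-port")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "no findings")
```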