ZyXEL Communications XGS-4526 User Manual

Chapter 26 IP Source Guard
XGS-4526/4528F/4728F User’s Guide
26.1.1  DHCP Snooping Overview
Use DHCP snooping to filter unauthorized DHCP packets on the network and to 
build the binding table dynamically. This can prevent clients from getting IP 
addresses from unauthorized DHCP servers.
26.1.1.1  Trusted vs. Untrusted Ports
Every port is either a trusted port or an untrusted port for DHCP snooping. This 
setting is independent of the trusted/untrusted setting for ARP inspection. You can 
also specify the maximum number of DHCP packets that each port (trusted or 
untrusted) can receive each second.
Trusted ports are connected to DHCP servers or other switches. The Switch 
discards DHCP packets from trusted ports only if the rate at which DHCP packets 
arrive is too high. The Switch learns dynamic bindings from trusted ports.
Note: The Switch will drop all DHCP requests if you enable DHCP snooping and there 
are no trusted ports.
Untrusted ports are connected to subscribers. The Switch discards DHCP packets 
from untrusted ports in the following situations:
• The packet is a DHCP server packet (for example, OFFER, ACK, or NACK).
• The source MAC address and source IP address in the packet do not match any 
of the current bindings.
• The packet is a RELEASE or DECLINE packet, and the source MAC address and 
source port do not match any of the current bindings.
• The rate at which DHCP packets arrive is too high.
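The trusted and untrusted port rules above, modelled as one decision function. This is an added example, not ZyXEL firmware or Switch configuration; the packet and binding field names, the sample ports and bindings, and the exemption of a client whose source IP is still 0.0.0.0 from the MAC/IP check are assumptions.

```python
from collections import namedtuple

# Field names are assumptions made for this model, not the Switch's data structures.
Packet = namedtuple("Packet", "msg_type src_mac src_ip")
Binding = namedtuple("Binding", "mac ip port")

SERVER_TYPES = {"OFFER", "ACK", "NACK"}   # server packets named in the list above
RELEASE_TYPES = {"RELEASE", "DECLINE"}

# Constructed sample state: port 1 faces the DHCP server, one learned binding on port 3.
TRUSTED = {1}
BINDINGS = [Binding("00:11:22:33:44:55", "192.0.2.10", 3)]


def verdict(pkt, port, rate, limit, trusted=TRUSTED, bindings=BINDINGS):
    """Return (action, reason) for one DHCP packet arriving on `port`."""
    if rate > limit:                       # rate limit applies to every port
        return "drop", "rate too high"
    if not trusted:                        # the Note: no trusted ports, nothing passes
        return "drop", "no trusted ports"
    if port in trusted:
        return "forward", "trusted port"
    if pkt.msg_type in SERVER_TYPES:
        return "drop", "server packet on untrusted port"
    if pkt.msg_type in RELEASE_TYPES and not any(
            b.mac == pkt.src_mac and b.port == port for b in bindings):
        return "drop", "MAC/port not in bindings"
    # Assumption: a client with no lease yet (source IP 0.0.0.0) is exempt from
    # the MAC/IP check, since it cannot have a binding before its first lease.
    if pkt.src_ip != "0.0.0.0" and not any(
            b.mac == pkt.src_mac and b.ip == pkt.src_ip for b in bindings):
        return "drop", "MAC/IP not in bindings"
    return "forward", "passed untrusted-port checks"


if __name__ == "__main__":
    rogue_offer = Packet("OFFER", "66:77:88:99:aa:bb", "192.0.2.200")
    spoofed_release = Packet("RELEASE", "00:11:22:33:44:55", "192.0.2.10")
    print(verdict(rogue_offer, port=4, rate=1, limit=10))
    print(verdict(spoofed_release, port=5, rate=1, limit=10))
```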
26.1.1.2  DHCP Snooping Database
The Switch stores the binding table in volatile memory. If the Switch restarts, it 
loads static bindings from permanent memory but loses the dynamic bindings, in 
which case the devices in the network have to send DHCP requests again. For this 
reason, it is recommended that you configure the DHCP snooping database.
The DHCP snooping database maintains the dynamic bindings for DHCP snooping 
and ARP inspection in a file on an external TFTP server. If you set up the DHCP 
snooping database, the Switch can reload the dynamic bindings from the DHCP 
snooping database after the Switch restarts.