Support User Manuals

Accton Technology ES3528M-SFP Switch User Manual

Open as PDF

of 644

Configuring the Switch

3-232

3

CLI – This example statically assigns a multicast group to a receiver port.

DHCP Snooping

DHCP snooping allows a switch to protect a network from rogue DHCP servers or

other devices which send port-related information to a DHCP server. This

information can be useful in tracking an IP address back to a physical port.

Network traffic may be disrupted when malicious DHCP messages are received

from an outside source. DHCP snooping is used to filter DHCP messages received

on a non-secure interface from outside the network or firewall. When DHCP

snooping is enabled globally and enabled on a VLAN interface, DHCP messages

received on an untrusted interface from a device not listed in the DHCP snooping

table will be dropped.

When enabled, DHCP messages entering an untrusted interface are filtered based

upon dynamic entries learned via DHCP snooping.

Filtering rules are implemented as follows:

• If the global DHCP snooping is disabled, all DHCP packets are forwarded.

• If DHCP snooping is enabled globally, and also enabled on the VLAN where the

DHCP packet is received, all DHCP packets are forwarded for a trusted port. If the

received packet is a DHCP ACK message, a dynamic DHCP snooping entry is also

added to the binding table.

• If DHCP snooping is enabled globally, and also enabled on the VLAN where the

DHCP packet is received, but the port is not trusted, it is processed as follows:

• If the DHCP packet is a reply packet from a DHCP server (including OFFER,

ACK or NAK messages), the packet is dropped.

• If the DHCP packet is from a client, such as a DECLINE or RELEASE message,

the switch forwards the packet only if the corresponding entry is found in the

binding table.

• If the DHCP packet is from a client, such as a DISCOVER, REQUEST, INFORM,

DECLINE or RELEASE message, the packet is forwarded if MAC address

verification is disabled. However, if MAC address verification is enabled, then

the packet will only be forwarded if the client’s hardware address stored in the

DHCP packet is the same as the source MAC address in the Ethernet header.

• If the DHCP packet is not a recognizable type, it is dropped.

• If a DHCP packet from a client passes the filtering criteria above, it will only be

forwarded to trusted ports in the same VLAN.

• If a DHCP packet is from server is received on a trusted port, it will be forwarded

to both trusted and untrusted ports in the same VLAN.

Console(config)#interface ethernet 1/2

Console(config-if)#mvr group 228.1.23.1 4-305

Console(config-if)#

previous next