Brocade Communications Systems 6650 Switch User Manual


 
284 Brocade ICX 6650 Security Configuration Guide
53-1002601-01
DHCP snooping
How DHCP snooping works
When enabled on a VLAN, DHCP snooping stands between untrusted ports (those connected to
host ports) and trusted ports (those connected to DHCP servers). A VLAN with DHCP snooping
enabled forwards DHCP request packets from clients and discards DHCP server reply packets on
untrusted ports, and it forwards DHCP server reply packets on trusted ports to DHCP clients, as
shown in the following figures
FIGURE 17 DHCP snooping at work - on an untrusted port
FIGURE 18 DHCP snooping at work - on a trusted port
DHCP binding database
When it forwards DHCP server reply packets on trusted ports, the Brocade device saves the client
IP-to-MAC address binding information in the DHCP binding database. This is how the DHCP
snooping binding table is populated. The information saved includes MAC address, IP address,
lease time, VLAN number, and port number.
In the Brocade device, the DHCP binding database is integrated with the enhanced ARP table,
which is used by Dynamic ARP Inspection. For more information, refer to “ARP entries” on
page 280.
The lease time will be refreshed when the client renews its IP address with the DHCP server;
otherwise the Brocade device removes the entry when the lease time expires.
Brocade Switch
DHCP server
reply packet
Trusted
Untrusted
DHCP
Server
DHCP
Snooping
DHCP client
request packet
DHCP
Client
Brocade Switch
DHCP server
reply packet
Trusted
Untrusted
DHCP
Server
DHCP
Snooping