DHCP Snooping Interface Configuration

Use the DHCP Snooping Interface Configuration page to view and configure the DHCP (Dynamic Host Configuration Protocol) snooping settings for each interface. The DHCP snooping feature processes incoming DHCP messages.

For DHCPRELEASE and DHCPDECLINE messages, the feature compares the receive interface and VLAN with the client's interface and VLAN in the binding database. If the interfaces do not match, the application logs the event (when logging of invalid packets is enabled) and drops the message. If MAC address validation is globally enabled, messages that pass the initial validation are checked to verify that the source MAC address and the DHCP client hardware address match. Where there is a mismatch, DHCP snooping logs the event (when logging of invalid packets is enabled) and drops the packet.

To change the DHCP Snooping settings for one or more interfaces, select each entry to modify and click Edit. The same settings are applied to all selected interfaces.

To access this page, click Switching > DHCP Snooping > Base > Interface Configuration in the navigation menu.

DHCP Snooping Interface Configuration Fields

Field: Description
Interface: The interface associated with the rest of the data in the row. When configuring the settings for one or more interfaces, this field identifies each interface that is being configured.
Trust State: The trust state configured on the interface. The trust state is one of the following:
  • Disabled: The interface is considered to be untrusted and could potentially be used to launch a network attack. DHCP server messages are checked against the bindings database. On untrusted ports, DHCP snooping enforces the following security rules:
    • DHCP packets from a DHCP server (DHCPOFFER, DHCPACK, DHCPNAK, DHCPRELEASEQUERY) are dropped.
    • DHCPRELEASE and DHCPDECLINE messages are dropped if the MAC address is in the snooping database but the binding's interface is other than the interface where the message was received.
    • DHCP packets are dropped when the source MAC address does not match the client hardware address if MAC Address Validation is globally enabled.
  • Enabled: The interface is considered to be trusted and forwards DHCP server messages without validation.
Log Invalid Packets: The administrative mode of invalid packet logging on the interface. When enabled, the DHCP snooping feature generates a log message when an invalid packet is received and dropped by the interface.
Rate Limit (pps): The rate limit value for DHCP packets received on the interface. To prevent DHCP packets from being used as a DoS attack when DHCP snooping is enabled, the snooping application enforces a rate limit for DHCP packets received on untrusted interfaces. If the incoming rate of DHCP packets exceeds the value of this object during the amount of time specified for the burst interval, the port will be shut down. You must administratively enable the port to allow it to resume traffic forwarding.
Burst Interval (Seconds): The burst interval value for rate limiting on this interface. If the rate limit is unspecified, then burst interval has no meaning.
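
The untrusted-port rules listed under Trust State can be modeled as a small decision function, which is useful when predicting which packets a given trust and validation setting will drop. This is an added example, not the switch's own code; it assumes the binding database is keyed by the client hardware address, that trusted ports forward everything, and it leaves out rate limiting. The Packet class, the snoop function, and the port names and MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass

# Server-originated message types, as named in the Trust State description.
SERVER_TYPES = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPRELEASEQUERY"}

@dataclass
class Packet:              # hypothetical packet summary, not a wire format
    msg_type: str          # DHCP message type name
    src_mac: str           # Ethernet source MAC address
    chaddr: str            # DHCP client hardware address
    port: str              # receive interface
    vlan: int              # receive VLAN

def snoop(pkt, trusted_ports, bindings, mac_validation=True):
    """Return (verdict, reason); bindings maps client MAC -> (port, vlan)."""
    if pkt.port in trusted_ports:
        return ("forward", "trusted interface")
    if pkt.msg_type in SERVER_TYPES:
        return ("drop", "server message on untrusted interface")
    if pkt.msg_type in ("DHCPRELEASE", "DHCPDECLINE"):
        # Assumption: the binding is looked up by client hardware address.
        bound = bindings.get(pkt.chaddr.lower())
        if bound is not None and bound != (pkt.port, pkt.vlan):
            return ("drop", "binding interface/VLAN mismatch")
    if mac_validation and pkt.src_mac.lower() != pkt.chaddr.lower():
        return ("drop", "source MAC differs from client hardware address")
    return ("forward", "passed validation")

# Constructed sample state: one trusted uplink and one learned binding.
TRUSTED = {"1/0/1"}
BINDINGS = {"aa:bb:cc:00:00:01": ("1/0/5", 10)}
CLIENT = "aa:bb:cc:00:00:01"

SAMPLES = [
    Packet("DHCPOFFER", "aa:bb:cc:00:00:66", CLIENT, "1/0/7", 10),    # rogue server
    Packet("DHCPACK", "aa:bb:cc:00:00:fe", CLIENT, "1/0/1", 10),      # real server
    Packet("DHCPRELEASE", CLIENT, CLIENT, "1/0/7", 10),               # wrong port
    Packet("DHCPRELEASE", CLIENT, CLIENT, "1/0/5", 10),               # owner
    Packet("DHCPDISCOVER", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:99", "1/0/7", 10),
]

if __name__ == "__main__":
    for p in SAMPLES:
        verdict, reason = snoop(p, TRUSTED, BINDINGS)
        print(f"{p.msg_type:13} on {p.port}: {verdict} ({reason})")
```

The reason string corresponds to what the switch would log when Log Invalid Packets is enabled on the receiving interface.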

Click Refresh to refresh the page with the most current data from the switch.