set antispoof dhcp-snooping port-mode

Use this command to set the DHCP snooping port mode on the specified port or port range.

Syntax

set antispoof dhcp-snooping port-mode {trusted | bypass | untrusted} port-string

Parameters

trusted – Source MAC address and source IP addresses of DHCP server acknowledgment messages will be used to populate the source MAC address and source IP address binding table.

bypass – DHCP server packets are ignored for purposes of populating the source MAC address and source IP address binding table.

untrusted – DHCP server packets received on the port increment the untrusted server counter.

port-string – Specifies the port or port range.

Defaults

DHCP snooping port mode defaults to untrusted on all ports.

Mode

All command modes.

Usage

In a DHCP snooping context, there are three configurable port modes that determine anti-spoofing behavior:

Trusted – When port mode is set to trusted, DHCP server traffic is accepted and used to create bindings in the source MAC address to IP address binding table for the user. Binding verification does not take place on trusted ports.

Bypass – When port mode is set to bypass, snooping of DHCP server traffic does not take place on the port.

Untrusted – When port mode is set to untrusted, the untrusted server counter is incremented when DHCP server traffic is detected on the port.

Note

Untrusted ports should have a policy configuration that will drop DHCP server packets on that port.

Bindings created as a result of DHCP exchanges on trusted ports using DHCP snooping take precedence over bindings created through dynamic ARP inspection or IP source guard.
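
The effect of the three port modes on the binding table and the untrusted server counter can be traced with a small model. This Python sketch is an added illustration, not vendor code: the class, method names, event fields and sample packets are assumptions constructed for the example, and bindings are keyed client MAC to leased IP as one reading of the binding table described above.

```python
from collections import Counter

DEFAULT_MODE = "untrusted"   # per this page: all ports default to untrusted
MODES = {"trusted", "bypass", "untrusted"}

class SnoopingModel:
    """Illustrative model only; names and event fields are assumptions."""
    def __init__(self):
        self.port_mode = {}                 # port -> configured mode
        self.bindings = {}                  # client MAC -> leased IP
        self.untrusted_server = Counter()   # port -> server packets counted

    def set_port_mode(self, mode, port):
        if mode not in MODES:
            raise ValueError(f"unknown port mode: {mode}")
        self.port_mode[port] = mode

    def server_packet(self, port, msg_type, client_mac, leased_ip):
        """Handle one DHCP server packet seen arriving on `port`."""
        mode = self.port_mode.get(port, DEFAULT_MODE)
        if mode == "trusted":
            if msg_type == "ACK":           # only acknowledgments create bindings
                self.bindings[client_mac] = leased_ip
                return "binding"
            return "accepted"
        if mode == "bypass":                # not snooped: no binding, no count
            return "ignored"
        self.untrusted_server[port] += 1    # untrusted: increment the counter
        return "counted"

    def ports_to_investigate(self):
        """Ports where DHCP server traffic was seen in untrusted mode."""
        return sorted(p for p, n in self.untrusted_server.items() if n > 0)

def run_sample():
    sw = SnoopingModel()
    sw.set_port_mode("trusted", "ge.1.2")   # port facing the real DHCP server
    sw.set_port_mode("bypass", "ge.1.3")
    events = [  # constructed sample: (port, type, client MAC, leased IP)
        ("ge.1.2", "OFFER", "00:00:5e:00:53:01", "192.0.2.50"),
        ("ge.1.2", "ACK",   "00:00:5e:00:53:01", "192.0.2.50"),
        ("ge.1.3", "ACK",   "00:00:5e:00:53:02", "192.0.2.60"),
        ("ge.1.7", "OFFER", "00:00:5e:00:53:03", "198.51.100.20"),
        ("ge.1.7", "ACK",   "00:00:5e:00:53:03", "198.51.100.20"),
    ]
    return sw, [sw.server_packet(*e) for e in events]

if __name__ == "__main__":
    sw, results = run_sample()
    print(results, sw.bindings, sw.ports_to_investigate())
```

In the sample, ge.1.7 was never configured, so it falls back to untrusted and its counter is the only trace of the DHCP server behind it; the bypass port ge.1.3 leaves neither a binding nor a count.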

Examples

This example shows how to set the DHCP snooping port mode on port ge.1.2 to trusted:

System(rw)->set antispoof dhcp-snooping port-mode trusted ge.1.2
System(rw)->