Use this command to set the DHCP snooping port mode on the specified port or port range.
trusted | Source MAC address and source IP addresses of DHCP server acknowledgment messages will be used to populate the source MAC address and source IP address binding table. |
bypass | DHCP server packets are ignored for purposes of populating the source MAC address and source IP address binding table. |
untrusted | DHCP server packets received on the port increment the untrusted server counter. |
port-string | Specifies the port or port range. |
DHCP snooping port mode defaults to untrusted on all ports.
All command modes.
In a DHCP snooping context, there are three configurable port modes that determine anti-spoofing behavior:
Trusted – When port mode is set to trusted, DHCP server traffic is accepted and used to create bindings in the source MAC address to IP address binding table for the user. Binding verification does not take place on trusted ports.
Bypass – When port mode is set to bypass, snooping of DHCP server traffic does not take place on the port.
Untrusted – When port mode is set to untrusted, the untrusted server counter is incremented when DHCP server traffic is detected on the port.
Note
Untrusted ports should have a policy configuration that will drop DHCP server packets on that port.
Bindings created as a result of DHCP exchanges on trusted ports using DHCP snooping take precedence over bindings created through dynamic ARP inspection or IP source guard.
This example shows how to set the DHCP snooping port mode on port ge.1.2 to trusted:
System(rw)->set antispoof dhcp-snooping port-mode trusted ge.1.2
System(rw)->
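The following Python sketch is an added example, not part of the vendor documentation: it audits a saved configuration for this command against a list of ports where DHCP servers are expected, applying the untrusted default to ports that were never configured. The `ge.1.5-6` range form, the sample configuration, the port inventory and all function names are assumptions made for illustration.

```python
import re

# Matches the command form shown on this page.
CMD = re.compile(
    r"set antispoof dhcp-snooping port-mode (trusted|bypass|untrusted) (\S+)"
)


def expand(port_string):
    """Expand 'ge.1.5-6' into single ports (this range syntax is an assumption)."""
    m = re.fullmatch(r"(.+\.)(\d+)-(\d+)", port_string)
    if not m:
        return [port_string]
    prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
    return [f"{prefix}{n}" for n in range(lo, hi + 1)]


def port_modes(config_text, all_ports):
    """Return {port: mode}; ports never configured keep the untrusted default."""
    modes = {p: "untrusted" for p in all_ports}
    for line in config_text.splitlines():
        m = CMD.search(line)
        if m:
            for port in expand(m.group(2)):
                modes[port] = m.group(1)  # a later command overrides an earlier one
    return modes


def audit(config_text, all_ports, server_ports):
    """Flag ports whose mode disagrees with where DHCP servers are expected."""
    findings = []
    for port, mode in sorted(port_modes(config_text, all_ports).items()):
        if mode != "untrusted" and port not in server_ports:
            findings.append((port, mode, "server traffic accepted or not snooped on a non-server port"))
        elif mode == "untrusted" and port in server_ports:
            findings.append((port, mode, "expected server replies will not create bindings"))
    return findings


# Constructed sample configuration and port inventory, not from a real device.
SAMPLE = """\
set antispoof dhcp-snooping port-mode trusted ge.1.2
set antispoof dhcp-snooping port-mode trusted ge.1.5-6
set antispoof dhcp-snooping port-mode bypass ge.1.9
"""
PORTS = [f"ge.1.{n}" for n in range(1, 11)]

if __name__ == "__main__":
    for finding in audit(SAMPLE, PORTS, server_ports={"ge.1.1", "ge.1.2"}):
        print(*finding, sep=": ")
```
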