Overview

You can enable and disable anti-spoofing on a global and per-port basis. When the feature is globally disabled, no anti-spoofing features are active. Anti-spoofing must be globally enabled before port control values are considered when inspecting traffic. The default value for all anti-spoofing features, global and per port, is disabled.

DHCP snooping is controlled through port enable/disable commands, as well as per-port MAC verification enable/disable commands. DAI and IP source guard each have individual controls to enable, disable, or enable in inspection-only mode (no binding association) at the per-port level. Duplicate IP address detection can be enabled or disabled globally.

Port mode, or type, determines the role that traffic traversing the port plays in DHCP snooping. DHCP server messages are only processed (for DHCP snooping purposes) on trusted ports. On untrusted ports, DHCP server messages are counted in the per-port untrusted packet counter. If configured by policy, these messages can also be dropped.

On bypass ports, DHCP server messages are ignored (that is, they do not affect the source MAC/source IP binding database, but they are not dropped). Ports are untrusted by default.
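
The following Python model is an added illustration of the port-mode rules described above; it is not vendor code or CLI. The class and field names, the `drop_untrusted` policy flag, and the choice to record a binding when a DHCPACK arrives on a trusted port are assumptions made for the example.

```python
from dataclasses import dataclass, field

# DHCP message types sent by servers (option 53 values from RFC 2131/2132).
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}

@dataclass
class Port:
    mode: str = "untrusted"        # ports are untrusted by default
    drop_untrusted: bool = False   # hypothetical "drop by policy" flag
    untrusted_count: int = 0       # per-port untrusted packet counter

@dataclass
class Snooper:
    enabled: bool = False          # global default is disabled
    ports: dict = field(default_factory=dict)
    bindings: dict = field(default_factory=dict)  # source MAC -> source IP

    def handle(self, port_name, msg_type, client_mac, offered_ip):
        """Return 'forward' or 'drop' for one DHCP message seen on a port."""
        port = self.ports.setdefault(port_name, Port())
        # Port settings are not considered while the feature is globally off.
        # Client-originated messages are outside the scope of this model.
        if not self.enabled or msg_type not in SERVER_TYPES:
            return "forward"
        if port.mode == "trusted":
            if SERVER_TYPES[msg_type] == "ACK":  # assumption: bind on ACK
                self.bindings[client_mac] = offered_ip
            return "forward"
        if port.mode == "bypass":
            return "forward"       # ignored: no binding change, not dropped
        port.untrusted_count += 1  # untrusted: always counted
        return "drop" if port.drop_untrusted else "forward"

def demo():
    s = Snooper(enabled=True)
    s.ports = {"1": Port("trusted"), "2": Port(), "3": Port("bypass"),
               "4": Port(drop_untrusted=True)}
    # Constructed sample messages: (port, DHCP type, client MAC, offered IP)
    msgs = [("1", 5, "00:11:22:33:44:55", "10.0.0.10"),
            ("2", 5, "00:11:22:33:44:66", "10.6.6.6"),
            ("3", 5, "00:11:22:33:44:77", "10.7.7.7"),
            ("4", 2, "00:11:22:33:44:88", "10.8.8.8")]
    verdicts = [s.handle(*m) for m in msgs]
    counters = {name: p.untrusted_count for name, p in s.ports.items()}
    return verdicts, s.bindings, counters

if __name__ == "__main__":
    print(demo())
```

A nonzero untrusted counter on an access port is the signal to investigate: it means a device on that port is sending DHCP server messages.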