To prevent an attacker from setting up a DHCP server (Rogue DHCP) in the network and assign IP parameters, the function DHCP Snooping can be configured on a managed switch. In doing so "DHCP Offer" packets are only transmitted on the switch port, the DHCP server is connected to. "DHCP Offer" packets on all other ports are discarded.

This article describes how to configure DHCP Snooping on an XS or GS-45xx series switch.

By using DHCP Snooping the switch has to inspect all DHCP packets. This leads to an increased CPU load.


  • LCOS SX as of version 5.10 (download latest version)
  • Any web browser for accessing the webinterface
  • Configured and functional network including VLAN


1) Connect to the switch via the web browser and go to the menu Switching → DHCP Snooping → Base → Global.

2) For the DHCP Snooping Mode select the option Enable and click Submit.

3) Change to the tab VLAN Configuration and click Add.

4) Select the VLAN where DHCP Snooping should be active and click Submit.

You can select multiple VLANs at the same time by pressing the <CTRL> key.

5) Go to the tab Interface Configuration and select the port the DHCP server is connected to (in this example 1/0/1). Click Edit afterwards. 

6) Activate the Trust State for this port and click Submit. In doing so "DHCP Offer" packets are transmitted via this port.

The Trust State must not be activated on any other ports.

If the DHCP server is connected via LACP, the Trust State must be activated for all LACP ports.

7) With the configuration complete, click on Save Configuration in the top right-hand corner to save the configuration as the boot configuration.

The start configuration is retained even if the device is restarted or there is a power failure.

8) Acknowledge the save process by clicking OK.