Description:

To prevent an attacker from setting up a DHCP server (rogue DHCP) in the network and assigning IP parameters, the DHCP Snooping function can be configured on a managed switch. With DHCP Snooping, "DHCP Offer" packets are only transmitted on the switch port to which the DHCP server is connected. "DHCP Offer" packets on all other ports are discarded. Furthermore, "DHCP Discover" and "DHCP Request" packets from a network device are only forwarded to a "Trusted" port, but not to "Untrusted" ports. This significantly reduces the number of broadcast packets in the network, which is especially useful in larger scenarios.

This article describes how to configure DHCP Snooping on a GS-23xx series switch.

When DHCP Snooping is used, the switch has to inspect all DHCP packets. This leads to an increased CPU load.


Requirements:

  • LCOS SX as of version 3.32 Rel
  • Any web browser for accessing the web interface
  • Configured and functional network including VLAN


Procedure:

1) Connect to the switch via the web browser and go to the menu Security → DHCP Snooping → Configuration.

2) For the Snooping Mode select the option Enabled and set the Port to which the DHCP server is connected to Trusted. As a result, "DHCP Offer" packets are only transmitted via this port. Click Apply afterwards.

The remaining ports have to be left on the setting Untrusted.

If the DHCP server is connected via LACP, the option Trusted has to be selected on all LACP ports.

3) Go to the menu Maintenance → Save/Restore → Save Start and click Save to save the configuration as the start configuration.

The start configuration is retained even if the device is restarted or there is a power failure.
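
The following Python model is an added example, not LANCOM code or switch output. It applies the forwarding rules from the Description and the LACP note in step 2 to constructed DHCP payloads. The port numbers, the 24-port layout and all function names are assumptions, and message types other than Discover, Offer and Request are outside the model.

```python
# Added illustration of the DHCP Snooping rules described in this article.
# Port numbers and packets are constructed sample data, not switch output.
MAGIC_COOKIE = b"\x63\x82\x53\x63"           # marks the start of the DHCP options
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST"}

def build_dhcp(msg_type: int) -> bytes:
    """Build a minimal constructed BOOTP/DHCP payload carrying option 53."""
    op = 2 if msg_type == 2 else 1            # 1 = BOOTREQUEST, 2 = BOOTREPLY
    header = bytes([op, 1, 6, 0]) + bytes(232)    # fixed 236-byte BOOTP header
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])

def dhcp_message_type(payload: bytes):
    """Return the name of DHCP option 53, or None if it cannot be read."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                       # End option reached
            return None
        if code == 0:                         # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                       # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                       # truncated option value
        if code == 53 and length == 1:
            return TYPES.get(value[0])
        i += 2 + length
    return None

def egress_ports(ingress: int, payload: bytes, trusted: set, ports: set) -> set:
    """Ports a DHCP packet may leave on; an empty set means it is discarded."""
    kind = dhcp_message_type(payload)
    if kind == "OFFER":
        # Offers are only accepted on a Trusted port. Simplification: an
        # accepted offer is flooded to every other port.
        return ports - {ingress} if ingress in trusted else set()
    if kind in ("DISCOVER", "REQUEST"):
        # Client packets go to Trusted ports only, never to Untrusted ones.
        return trusted - {ingress}
    return set()                              # other types: outside this model

PORTS = set(range(1, 25))                     # constructed 24-port switch
LACP_TRUSTED = {23, 24}                       # DHCP server attached via LACP
```

If only one member of the LACP group were set to Trusted, an offer arriving on the other member would be discarded like one from any other Untrusted port, which is why step 2 requires Trusted on all LACP ports.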