13.1.7 Notes on using DHCP snooping
(1) Coexistence with Layer 2 Switch Function
See "22.3 Layer 2 Switch Function and Other Functions" in the Configuration Guide Vol. 1.
(2) Coexistence with Layer 2 authentication
See "5.2.1 Coexistence of Layer 2 authentication and other functions".
(3) Notes on configuring authentication-only IPv4 access lists
When DHCP snooping is enabled and an authentication-only IPv4 access list is in use, specifying the protocol name bootps or bootpc as a filter condition in that access list causes both bootps and bootpc packets to be passed regardless of the other filter conditions.
(4) About Saving and Restoring Binding Databases
- If the ip dhcp snooping database url configuration command has not been specified (initial status), the binding database is not saved. Therefore, stopping or restarting the switch erases the registered binding database, which disables communication from DHCP clients. If this occurs, release and renew the IP addresses on the DHCP clients. In Windows, for example, open a Command Prompt window, execute ipconfig /release, and then execute ipconfig /renew. This re-registers the terminal information in the binding database and re-enables communication by the DHCP clients.
- When a binding database is restored, entries whose DHCP server lease time has already expired are not restored. If you change the time settings of the switch before you stop or restart it, the binding database might not be restored correctly when the switch starts.
- Entries registered statically with the ip source binding configuration command are restored from the startup configuration.
- If you have saved the binding database on an external memory card, do not remove the memory card until a prompt appears on the screen after the switch starts.
(5) Understanding Receive Rate-Limiting for DHCP Packets
When both the DHCP packet reception rate and the ARP packet reception rate have limits, the switch monitors packets for the total value of both limits.
(6) About Dynamic ARP Inspection
- Dynamic ARP inspection can be enabled only after the following configuration commands have been executed and a binding database has been generated:
  - ip dhcp snooping
  - ip dhcp snooping vlan
- Dynamic ARP inspection also checks the entries that are registered statically in the binding database by using ip source binding.
(7) Understanding Receive Rate-Limiting for ARP Packets
When both the ARP packet reception rate and the DHCP packet reception rate have limits, the switch monitors packets for the total value of both limits.
(8) Capacity limits for terminal filters
If the capacity limit of the terminal filter is exceeded, the entry is retained in the binding database, but registration in the terminal filter fails. Clients whose registration failed remain in the binding database but are not registered in the terminal filter automatically.
To register such a client in the terminal filter, you must first delete it from the binding database of the Switch and then have it learned again. For example, perform the following steps:
- Delete unnecessary binding entries (the capacity limit has been exceeded).
- Release the address on the client that you want to re-register (this notifies the DHCP server of the release).
- Have the client that you want to re-register request a new address.
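The following Python model, added here as an illustration and not taken from the guide or from the switch software, encodes the restore rules of note (4) and the terminal-filter capacity rule of note (8) so that you can predict which clients will lose connectivity after a restart. The entry fields, the registration order and the capacity value are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed minimal model of a binding entry; the field names are this
# example's own, not the switch's database format.
@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    lease_expires: Optional[float]  # epoch seconds; None for static entries
    static: bool = False

def restore_bindings(saved, static_from_config, now):
    """Entries that survive a restart, per note (4):
    - dynamic entries whose DHCP lease has already expired are dropped;
    - static entries come from the startup configuration (ip source
      binding), never from the saved file."""
    restored = [b for b in saved
                if not b.static and b.lease_expires is not None
                and b.lease_expires > now]
    return restored + list(static_from_config)

def clients_needing_renew(saved, now):
    """MACs of dynamic clients whose entry will not come back and which
    therefore need ipconfig /release and ipconfig /renew (or equivalent)."""
    kept = {b.mac for b in restore_bindings(saved, [], now)}
    return sorted(b.mac for b in saved if not b.static and b.mac not in kept)

def apply_terminal_filter(bindings, capacity):
    """Note (8): entries beyond the terminal-filter capacity stay in the
    binding database but are not registered in the filter. Registration
    in list order is an assumption of this model."""
    return list(bindings[:capacity]), list(bindings[capacity:])

# Constructed sample data: two dynamic leases (one already expired at NOW)
# and one static entry from the startup configuration.
NOW = 1_700_000_000.0
SAVED = [
    Binding("00:11:22:33:44:01", "192.0.2.11", 10, "1/1", NOW + 3600),
    Binding("00:11:22:33:44:02", "192.0.2.12", 10, "1/2", NOW - 60),
]
STATIC = [Binding("00:11:22:33:44:03", "192.0.2.13", 10, "1/3", None, static=True)]

if __name__ == "__main__":
    for b in restore_bindings(SAVED, STATIC, NOW):
        print("restored", b.mac, b.ip)
    print("renew needed:", clients_needing_renew(SAVED, NOW))
    # Clock moved forward by a day before the restart: every lease looks expired.
    print("renew needed after clock change:", clients_needing_renew(SAVED, NOW + 86400))
```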