13.1.1 Overview

DHCP snooping monitors the DHCP packets that pass through the Switch to restrict access from untrusted terminals.

DHCP snooping also supports terminal filters, which limit the IPv4 packets from untrusted terminals, and dynamic ARP inspection, which discards invalid ARP packets.

To enable DHCP snooping, place the Switch between the DHCP server and DHCP clients as shown in the following figure.

Figure 13-1 DHCP snooping overview

The registration destination of the terminal information is called the binding database.

The following table describes the functionality provided by DHCP snooping.

Table 13-1 Features supported by DHCP snooping
Item	Description
Monitoring DHCP packets	Monitors the DHCP clients that received IP addresses distributed by a DHCP server and manages terminal information in a binding database.
Registration of terminals with a fixed IP address	Statically registers terminal information in a binding database.
Saving a binding database	Saves a binding database and restores it when the Switch restarts.
Inspecting DHCP packets	Untrusted DHCP servers from distributing IP addresses Prevents untrusted DHCP clients from releasing IP addresses Prevents MAC address spoofing Prevents Option 82 spoofing
Limiting the rate of DHCP packet reception	Discards DHCP packets that exceed the predetermined reception rate.
Terminal filtering	Prohibits the forwarding of IPv4 packets from untrusted terminals.
ARP packet inspection	Prohibits the forwarding of ARP packets from untrusted terminals. Prevents MAC address and IP address spoofing.
Limiting the rate of ARP packet reception	Discards ARP packets that exceed the predetermined reception rate.

<Structure of this section>

(1) Stack configuration

(1) Stack configuration

The master switch manages the binding database and synchronizes with the member switches.

A member switch other than the master switch stores the binding database and performs only terminal filtering. Other functions are performed by the master switch.