12.1.7 Notes on using DHCP snooping
(1) Coexistence with Layer 2 Switch Function
See "22.3 Coexistence of Layer 2 Switch Function and Other Functions" in "Configuration Guide Vol. 1".
(2) Coexistence with Layer 2 authentication
(a) Coexistence with Web authentication
See "5.2.1 Coexistence of Layer 2 Authentication with Other Functions".
(b) Notes on configuring authentication-only IPv4 access lists
When DHCP snooping is enabled and an authentication-only IPv4 access list specifies the protocol name bootps or bootpc as a filter condition, both bootps and bootpc packets are passed regardless of the other filter conditions in that list.
(c) Coexistence with Port Mirroring
If DHCP snooping is enabled, DHCP packets sent by the Switch are not mirrored. If dynamic ARP inspection is also enabled in addition to DHCP snooping, ARP packets sent by the Switch are not mirrored, either.
(3) Coexistence with Policy-Based Routing
If packets with a protocol name of bootps or bootpc are subject to policy-based routing, all of those packets that pass through the Switch are forwarded based on the routing information of the routing protocol instead of the routing information of policy-based routing.
(4) About Saving and Restoring Binding Databases
- If the ip dhcp snooping database url configuration command has not been specified (the initial state), the binding database is not saved. Stopping or restarting the switch therefore erases the registered binding database and disables communication from DHCP clients. If this occurs, release and renew the IP addresses on the DHCP clients; in Windows, for example, execute ipconfig /release and then ipconfig /renew at the Command Prompt. This re-registers the terminal information in the binding database and restores communication for the DHCP clients.
- When a binding database is restored, entries whose DHCP server lease time has already expired are not restored. If you change the time settings of the switch before stopping or restarting it, the binding database might not be restored correctly when the switch starts.
- Entries registered statically with the ip source binding configuration command are restored from the startup configuration.
- If you saved the binding database on an external memory card, do not remove the memory card until a prompt appears on the screen after the switch starts.
(5) Understanding Receive Rate-Limiting for DHCP Packets
- When both the DHCP packet reception rate and the ARP packet reception rate are limited, the switch monitors received packets against the sum of the two limits.
(6) About Dynamic ARP Inspection
- Dynamic ARP inspection can be enabled only after the following configuration commands have been executed and a binding database has been generated:
  - ip dhcp snooping
  - ip dhcp snooping vlan
- Dynamic ARP inspection also checks entries that were statically registered in the binding database by using ip source binding.
- Dynamic ARP inspection cannot be used when the receive-side flow detection mode is set to the IP-not-set VLAN suppression mode.
(7) Understanding Receive Rate-Limiting for ARP Packets
- When both the ARP packet reception rate and the DHCP packet reception rate are limited, the switch monitors received packets against the sum of the two limits.
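The following added example (not part of this guide) audits a running-config text for three of the caveats above: a binding database that is never saved (section (4)), dynamic ARP inspection enabled without its DHCP snooping prerequisites (section (6)), and an access-list entry naming bootps or bootpc (section (2)(b)). The sample configuration is constructed, and the syntax of ip arp inspection vlan, the access-list lines and any command arguments is assumed for illustration; only the command names quoted in the text are taken from the page.

```python
"""Audit a switch configuration for the DHCP snooping caveats in this section."""
import re

# Constructed sample configuration (not captured from a real switch).
# 'ip arp inspection vlan' and the access-list line format are assumed syntax.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
ip source binding 0012.e200.0001 vlan 10 192.0.2.10 interface gigabitethernet 0/1
ip access-list extended AUTH-ACL
  permit udp any any eq bootps
  permit tcp any host 192.0.2.50 eq 80
"""


def audit_dhcp_snooping(config: str) -> list[str]:
    """Return findings derived from the notes in this section, in config order."""
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    findings: list[str] = []

    snooping = "ip dhcp snooping" in lines
    snooping_vlans = [l for l in lines if l.startswith("ip dhcp snooping vlan ")]
    has_db_url = any(l.startswith("ip dhcp snooping database url") for l in lines)
    dai_vlans = [l for l in lines if l.startswith("ip arp inspection vlan ")]  # assumed

    # (4): without a database url the binding database is lost on restart.
    if snooping and not has_db_url:
        findings.append("binding database is not saved: DHCP clients lose "
                        "connectivity after the switch stops or restarts")

    # (6): dynamic ARP inspection needs ip dhcp snooping and ip dhcp snooping vlan.
    if dai_vlans and not (snooping and snooping_vlans):
        findings.append("dynamic ARP inspection requires ip dhcp snooping and "
                        "ip dhcp snooping vlan to be configured first")

    # (2)(b): a bootps/bootpc condition passes both protocols regardless of
    # the other filter conditions while DHCP snooping is enabled.
    if snooping:
        for line in lines:
            if re.search(r"\b(bootps|bootpc)\b", line) and not line.startswith("ip dhcp"):
                findings.append(f"access-list entry '{line}' passes both bootps "
                                "and bootpc regardless of its other conditions")
    return findings
```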