DHCP Snooping | Trusted Ports | Static IPs
DHCP Snooping is a security feature that helps protect against rogue DHCP servers, and along with the IP Source Guard capability, it protects against man-in-the-middle attacks or IP address conflicts. Rogue DHCP servers can assign incorrect IP addresses to devices, potentially leading to network downtime or security vulnerabilities.
DHCP Snooping
The Enable DHCP Snooping feature is used to learn IP addresses offered to clients on "Untrusted Ports". DHCP Snooping protects your network by monitoring DHCP traffic and associating MAC addresses with assigned IP addresses on untrusted ports. As a side effect, only ports designated as trusted are allowed to forward DHCP OFFER messages. This is independent of the Verity Service feature, which blocks DHCP Servers.
To enable DHCP snooping go to: Topology > Site Settings > Enable DHCP Snooping and enable the checkbox. This allows for the reporting of learned IP addresses on ports. When the system is in a secure "lock down" mode, "IP source guard" is enabled. All traffic from client devices that does not match the learned IP address and MAC address bindings is blocked. IP addresses can also be set statically, as described in the Static IPs section below.
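The behaviour described in this section (bindings learned from DHCP on untrusted ports, server messages accepted only on trusted ports, and IP source guard dropping traffic that does not match a learned or static binding in lock down mode) is easier to reason about as a small model. The following Python is an added illustration written for this page, not the product's own code; the port names, MAC addresses, IP addresses and the simplified DHCP message fields are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed, constructed values: port names, MAC and IP addresses are illustrative.


@dataclass
class DhcpMsg:
    kind: str                      # "DISCOVER", "OFFER", "REQUEST" or "ACK"
    client_mac: str                # chaddr: the client the message concerns
    yiaddr: Optional[str] = None   # address the server assigns (OFFER/ACK)


@dataclass
class Frame:
    in_port: str
    src_mac: str
    src_ip: str
    dhcp: Optional[DhcpMsg] = None   # None for ordinary client traffic


@dataclass
class Binding:
    ip: str
    port: str
    source: str                    # "learned" (snooped) or "static"


class SnoopingSwitch:
    """Minimal model of DHCP snooping, trusted ports and IP Source Guard."""

    SERVER_MSGS = {"OFFER", "ACK"}

    def __init__(self, trusted_ports, lockdown=False):
        self.trusted = set(trusted_ports)
        self.lockdown = lockdown                 # lock down mode enables IP source guard
        self.bindings: Dict[str, Binding] = {}   # client MAC -> binding
        self._pending: Dict[str, str] = {}       # client MAC -> untrusted port it asked on

    def add_static(self, port, mac, ip):
        """Static IP: bind a device that never asks DHCP (e.g. a printer)."""
        self.bindings[mac] = Binding(ip, port, "static")

    def process(self, frame) -> str:
        """Return "FORWARD" or "DROP:<reason>" for one ingress frame."""
        if frame.dhcp is not None:
            return self._snoop(frame, frame.dhcp)
        return self._source_guard(frame)

    def _snoop(self, frame, msg):
        if msg.kind in self.SERVER_MSGS:
            # Only trusted ports may carry server-side messages (OFFER/ACK).
            if frame.in_port not in self.trusted:
                return "DROP:dhcp-server-message-on-untrusted-port"
            # A server ACK on a trusted port completes a lease; record the
            # binding against the untrusted port the client asked on.
            if msg.kind == "ACK" and msg.yiaddr and msg.client_mac in self._pending:
                port = self._pending.pop(msg.client_mac)
                self.bindings[msg.client_mac] = Binding(msg.yiaddr, port, "learned")
            return "FORWARD"
        # Client messages (DISCOVER/REQUEST): remember which port the client is on.
        if frame.in_port not in self.trusted:
            self._pending[msg.client_mac] = frame.in_port
        return "FORWARD"

    def _source_guard(self, frame):
        if not self.lockdown or frame.in_port in self.trusted:
            return "FORWARD"   # guard off, or trusted port: no binding required
        b = self.bindings.get(frame.src_mac)
        if b is None:
            return "DROP:no-binding-for-source"
        if b.ip != frame.src_ip or b.port != frame.in_port:
            return "DROP:binding-mismatch"
        return "FORWARD"


def run_demo() -> List[str]:
    """Constructed scenario: eth1 is the uplink to the real DHCP server."""
    sw = SnoopingSwitch(trusted_ports=["eth1"], lockdown=True)
    client = "aa:aa:aa:aa:aa:01"
    printer = "bb:bb:bb:bb:bb:02"
    steps = [
        # a DHCP server answering on an untrusted access port
        Frame("eth2", "cc:cc:cc:cc:cc:03", "192.168.1.1", DhcpMsg("OFFER", client, "192.168.1.50")),
        Frame("eth2", client, "0.0.0.0", DhcpMsg("DISCOVER", client)),
        Frame("eth1", "dd:dd:dd:dd:dd:04", "10.0.0.1", DhcpMsg("OFFER", client, "10.0.0.5")),
        Frame("eth2", client, "0.0.0.0", DhcpMsg("REQUEST", client)),
        Frame("eth1", "dd:dd:dd:dd:dd:04", "10.0.0.1", DhcpMsg("ACK", client, "10.0.0.5")),
        Frame("eth2", client, "10.0.0.5"),     # matches the learned binding
        Frame("eth2", client, "10.0.0.9"),     # client changed its address by hand
        Frame("eth3", printer, "10.0.0.7"),    # fixed-address device, not yet registered
    ]
    results = [sw.process(f) for f in steps]
    sw.add_static("eth3", printer, "10.0.0.7")
    results.append(sw.process(Frame("eth3", printer, "10.0.0.7")))
    results.append(sw.process(Frame("eth3", client, "10.0.0.5")))  # client moved ports
    return results


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The model shows why lock down mode needs the Static IPs feature: the device on eth3 that never sends a DISCOVER is dropped until a static binding is entered for it, while the DHCP client keeps working as long as its traffic matches the address and port the ACK was snooped for.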
Trusted Ports
Trusted Ports are a security mechanism that defines which switch ports are considered "trusted" for receiving any traffic without known IP address bindings, as well as allowing DHCP (Dynamic Host Configuration Protocol) messages to and from servers to pass. A trusted port is a port where a legitimate DHCP server is expected to be connected. An untrusted port is any other port, typically where end devices (like computers or printers) are connected.
If DHCP Snooping is enabled, the Trusted Ports feature becomes available, as indicated by the Trusted Ports icon displayed on each port.
Trusted Ports States
When the port is trusted the icon displays the letter "T".
When the port is untrusted a shield (without a "T") is displayed.
When the button is blue, it means DHCP snooping has been performed and a designated IP address is found. This can happen on both trusted and untrusted ports.
Rules for Trusted Ports
The rules that determine if a port is trusted or untrusted are as follows:
- DHCP Snooping feature is disabled: Trusted port feature is N/A
- The port is a PON (multiport): Trusted
- The port is connected to a managed switch or to an ONT (a fabric port): Trusted
- The port has a future fabric connection (preprovisioned): Trusted
- The port is not provisioned: Unprovisioned
- The port is part of a LAG whose provisioning is an enabled eth port, service port or authenticated eth port that has its trusted flag true: Trusted
- The port is provisioned with an enabled eth-port profile, service port or authenticated eth-port that has its trusted flag true: Trusted
Static IPs
The Static IPs feature is applied to switch ports for devices that use fixed IP addresses and do not request IP information from a DHCP server.
To set a Static IP on a port go to Topology > Static IP and click the Add a New Static IP button.
Edit the tile information and invoke the Static IP by clicking the edit button and checking the enable checkbox.
Static IPs Reports
Devices assigned Static IPs have their information listed in Reports > Static Ips.
Static IPs Import/Export
Static IPs feature information can be exported and imported via Options > Import Export.
DHCP Assigned IP Reports
Devices with DHCP Assigned IPs have their information listed in Reports > DHCP Assigned IPs.
