[IGS-5225-8P4S-12V] How to Implement and Configure DHCP Snooping Correctly on IGS-5225-8P4S-12V?

1. What is DHCP Snooping?

DHCP Snooping is a security feature that protects your network from rogue DHCP servers.

When enabled, the switch:

  • Allows DHCP reply (OFFER/ACK) messages only from ports you mark as Trusted.
  • Blocks DHCP replies from all other (Untrusted) ports.
  • Builds a Dynamic DHCP Snooping Table that records which MAC address received which IP, on which VLAN/port, and from which DHCP server.

On the IGS-5225-8P4S-12V, DHCP Snooping prevents an attacker on an access port from handing out fake IP addresses or wrong gateways to clients.


2. Example topology:


  • PC (DHCP client)
    • Connected to SW1 port 6
  • SW1 (IGS-5225-8P4S-12V, Layer 3)
    • Port 6: Access port toward PC
    • Port 8: connection toward the DHCP server
    • Port 7: connection toward the Rogue DHCP server
  • DHCP server
    • IP: 192.168.10.254/24
    • DHCP pool: 192.168.10.100~.150 with default gateway 192.168.10.254
    • MAC
  • Rogue DHCP server
    • IP: 192.168.10.254/24
    • DHCP pool: 192.168.10.200~.250 with default gateway 192.168.10.254
    • MAC

Goal:

  • Enable DHCP Snooping on SW1 so that only replies from the legitimate DHCP server are accepted.


3. Enable DHCP Snooping on the IGS-5225:

3.1 Global settings: Snooping Mode

  • Log into the Web UI of SW1 (IGS-5225).
  • Go to Security → DHCP Snooping → DHCP Snooping Configuration.
  • On the DHCP Snooping Configuration page, set:
    • Snooping Mode = Enabled


When Snooping Mode is Enabled, the switch forwards DHCP requests from clients toward trusted ports and only allows DHCP reply packets from trusted ports. Replies from untrusted ports are blocked.

  • Port Mode per interface:
    • Trusted ports: legitimate sources of DHCP replies.
    • Untrusted ports: access/user ports; DHCP replies from these ports are blocked.


  • Set the following ports to Trusted on SW1 (IGS-5225):
    • Port 8 – uplink toward the DHCP server.
  • Leave all other ports Untrusted:
    • Port 7 (toward Rogue DHCP Server).
    • Any ports facing end-users.

This ensures:

  • DHCP DISCOVER/REQUEST from clients (coming from untrusted ports) are forwarded through the switch to the trusted port and then to the DHCP server.
  • Only OFFER/ACK coming back via trusted port(s) are allowed through. Any rogue server connected to an untrusted port on SW1 is blocked.


4. Click Apply.


5. Verify DHCP Snooping:

The IGS-5225 provides a Dynamic DHCP Snooping Table that shows all valid bindings learned while snooping is enabled.

  • Go to Security → DHCP Snooping → Dynamic DHCP Snooping Table.

  • You will see entries with:
    • MAC Address – Client MAC
    • VLAN ID – VLAN where DHCP traffic is permitted (e.g. 20)
    • Source Port – Switch port where the client is connected (e.g. port toward SW2)
    • IP Address – Assigned client IP (e.g. 172.16.20.100)
    • IP Subnet Mask – Client subnet mask
    • DHCP Server Address – IP address of the server that provided the lease

This table confirms that:

  • DHCP Snooping is enabled and learning bindings correctly, and
  • Clients are obtaining IP addresses only from the legitimate DHCP server.
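The trusted/untrusted forwarding rule from section 3 and the binding table from section 5, modelled together as an added example (not PLANET's firmware or code): packets are constructed dicts replaying the topology above, and the client MAC and VLAN 1 are assumptions since the page lists neither.

```python
from dataclasses import dataclass, field

SERVER_MESSAGES = {"OFFER", "ACK"}          # only ever sent by DHCP servers
CLIENT_MESSAGES = {"DISCOVER", "REQUEST"}   # sent by clients on access ports


@dataclass
class SnoopingSwitch:
    """Model of the trusted/untrusted rule and the Dynamic DHCP Snooping Table."""
    trusted_ports: set
    snooping_enabled: bool = True
    pending: dict = field(default_factory=dict)   # client MAC -> (port, vlan)
    bindings: dict = field(default_factory=dict)  # client MAC -> table entry
    dropped: list = field(default_factory=list)   # blocked server replies

    def process(self, pkt):
        """Apply the snooping rule to one packet; return True if it is forwarded."""
        if not self.snooping_enabled:
            return True                    # snooping off: everything is switched
        if pkt["type"] in CLIENT_MESSAGES:
            # Remember the client's port/VLAN so the ACK can be bound to it.
            self.pending[pkt["client_mac"]] = (pkt["port"], pkt["vlan"])
            return True
        if pkt["type"] in SERVER_MESSAGES:
            if pkt["port"] not in self.trusted_ports:
                self.dropped.append(pkt)   # reply from an untrusted port: blocked
                return False
            if pkt["type"] == "ACK" and pkt["client_mac"] in self.pending:
                port, vlan = self.pending.pop(pkt["client_mac"])
                self.bindings[pkt["client_mac"]] = {
                    "vlan": vlan, "port": port, "ip": pkt["yiaddr"],
                    "mask": pkt["mask"], "server": pkt["server_ip"]}
        return True


CLIENT = "00:11:22:33:44:55"   # constructed client MAC (the topology lists none)
LEGIT = {"mask": "255.255.255.0", "server_ip": "192.168.10.254"}
PACKETS = [   # constructed exchange for the topology above; VLAN 1 is assumed
    {"type": "DISCOVER", "port": 6, "vlan": 1, "client_mac": CLIENT},
    {"type": "OFFER", "port": 7, "vlan": 1, "client_mac": CLIENT,   # rogue server
     "yiaddr": "192.168.10.200", **LEGIT},
    {"type": "OFFER", "port": 8, "vlan": 1, "client_mac": CLIENT,   # real server
     "yiaddr": "192.168.10.100", **LEGIT},
    {"type": "REQUEST", "port": 6, "vlan": 1, "client_mac": CLIENT},
    {"type": "ACK", "port": 8, "vlan": 1, "client_mac": CLIENT,
     "yiaddr": "192.168.10.100", **LEGIT},
]


def run(trusted_ports=(8,), enabled=True):
    sw = SnoopingSwitch(set(trusted_ports), enabled)   # port 8 trusted, as on SW1
    return sw, [sw.process(p) for p in PACKETS]
```

With port 8 trusted the rogue OFFER on port 7 is the only packet dropped and the table ends up with one entry for the client on port 6 with 192.168.10.100 from 192.168.10.254; with snooping disabled every packet is forwarded and no table is built.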