Any configuration changes made locally on the switch won't be synchronized with Sophos Central. We recommend making changes from the Sophos Central control panel instead.

DHCP Snooping

DHCP snooping is a layer 2 security technology built into a capable network switch operating system that drops DHCP traffic determined to be unacceptable. The fundamental use case for DHCP snooping is to prevent unauthorized (rogue) DHCP servers from offering IP addresses to DHCP clients. Rogue DHCP servers are often used in man-in-the-middle or denial-of-service attacks for malicious purposes. However, the most common DoS scenario is a user plugging in a consumer-grade router at their desk, ignorant that the device they plugged in is a DHCP server by default.

Global Setting

Option               | Description
DHCP Snooping Status | Turn on or turn off DHCP snooping.
MAC Verify           | Verifies that the source MAC address of the frame and the client hardware address (chaddr) inside the DHCP packet match for packets received on untrusted ports.

VLAN Setting

This setting configures DHCP snooping per VLAN. You can turn on DHCP snooping for the switch as a whole and for individual VLANs. When you turn on DHCP snooping on the switch, the switch acts as a Layer 2 bridge that intercepts and inspects DHCP messages destined for a Layer 2 VLAN. When you turn on DHCP snooping on a VLAN, the switch acts as a Layer 2 bridge within that VLAN domain.

Trust Port Settings

A trusted port is a port that is connected to a DHCP server and is allowed to assign DHCP addresses. DHCP messages received on trusted ports are allowed to pass through the device. Packets from these ports are automatically forwarded. If DHCP Snooping isn't turned on, all ports are trusted by default.

Option | Description
Port   | Displays the port number.
State  | Indicates whether the port is Trusted or Untrusted.

Binding list

This table shows the DHCP snooping binding list: the VLAN, port, IP address and MAC address learned for each client lease.

IP source guard (IPSG)

You can use IP source guard (IPSG) to allow traffic only from devices added to the filtering list. When you use IP source guard, the following restrictions apply:

  • Only IPv4 is supported.
  • You must turn DHCP snooping on.
  • DHCP traffic isn't filtered.
  • The maximum number of entries in the binding list is 127.
  • If a port has IPSG turned on, but the binding table is empty, the port will block all traffic.
  • Trunk ports don't support IPSG.
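The following Python model ties together the two mechanisms described above: DHCP snooping on trusted versus untrusted ports (with MAC verification) and the IPSG binding-table filter with the restrictions just listed. It is an added example, not Sophos code and not the switch's implementation; the Frame, Binding and Switch classes, the port names (ge1, ge5, ge6, ge24), VLAN 10 and the addresses in the walk-through are constructed for illustration. It goes slightly beyond the page by showing how a snooped lease becomes a binding on the client's own port (the port on which the client's DISCOVER was seen), which is what makes the IPSG match later possible.

```python
"""Model of the DHCP snooping and IP source guard (IPSG) rules described above.

Added example for illustration, not Sophos code: the Frame, Binding and
Switch classes and all port/VLAN/address values are assumptions chosen to
show how the untrusted-port DHCP filter and the binding-table filter decide.
"""
from dataclasses import dataclass, field

# DHCP message types that only a server sends (DHCP option 53 names).
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
MAX_BINDINGS = 127  # limit stated for the binding list


@dataclass
class Frame:
    port: str
    vlan: int
    src_mac: str
    src_ip: str = ""
    is_dhcp: bool = False
    dhcp_type: str = ""   # DISCOVER, REQUEST, OFFER, ACK, ...
    chaddr: str = ""      # client hardware address carried in the DHCP payload
    yiaddr: str = ""      # address the server assigns in OFFER/ACK


@dataclass
class Binding:
    vlan: int
    port: str
    ip: str
    mac: str


@dataclass
class Switch:
    snooping_enabled: bool = False
    mac_verify: bool = False
    trusted_ports: set = field(default_factory=set)
    trunk_ports: set = field(default_factory=set)
    ipsg_ports: set = field(default_factory=set)
    bindings: list = field(default_factory=list)
    # chaddr -> (vlan, port) of a client whose DISCOVER/REQUEST was forwarded
    pending: dict = field(default_factory=dict)

    def is_trusted(self, port: str) -> bool:
        # With snooping off every port is trusted; with it on, only listed ports.
        return not self.snooping_enabled or port in self.trusted_ports

    def add_binding(self, binding: Binding) -> None:
        # Used both for snooped leases and for static entries added by hand.
        if len(self.bindings) >= MAX_BINDINGS:
            raise ValueError("binding list full (max %d entries)" % MAX_BINDINGS)
        self.bindings.append(binding)

    def enable_ipsg(self, port: str) -> None:
        if not self.snooping_enabled:
            raise ValueError("IPSG requires DHCP snooping to be turned on")
        if port in self.trunk_ports:
            raise ValueError("trunk ports do not support IPSG")
        self.ipsg_ports.add(port)

    def snoop(self, frame: Frame) -> str:
        """Return 'forward' or 'drop: <reason>' for one frame at the snooping stage."""
        if not (self.snooping_enabled and frame.is_dhcp):
            return "forward"
        key = frame.chaddr.lower()
        if self.is_trusted(frame.port):
            # A lease confirmed by the real server becomes a binding on the
            # client's own port, remembered when its request went through.
            if frame.dhcp_type == "ACK" and key in self.pending:
                vlan, port = self.pending.pop(key)
                self.add_binding(Binding(vlan, port, frame.yiaddr, key))
            return "forward"
        # Untrusted port: a server-only message here comes from a rogue server.
        if frame.dhcp_type in SERVER_MESSAGES:
            return "drop: server message on untrusted port"
        if self.mac_verify and frame.src_mac.lower() != key:
            return "drop: source MAC does not match chaddr"
        self.pending[key] = (frame.vlan, frame.port)
        return "forward"

    def ipsg_check(self, frame: Frame) -> str:
        """Return 'forward' or 'drop: <reason>' for one IPv4 frame (IPv6 is not modelled)."""
        if frame.port not in self.ipsg_ports or frame.is_dhcp:
            return "forward"  # IPSG does not filter DHCP traffic
        if not self.bindings:
            return "drop: empty binding table blocks the port"
        wanted = (frame.port, frame.vlan, frame.src_ip, frame.src_mac.lower())
        for b in self.bindings:
            if (b.port, b.vlan, b.ip, b.mac) == wanted:
                return "forward"
        return "drop: no binding for this VLAN/port/IP/MAC"

    def forward(self, frame: Frame) -> str:
        """Apply snooping first, then IPSG, as a frame would traverse the switch."""
        verdict = self.snoop(frame)
        return verdict if verdict != "forward" else self.ipsg_check(frame)


def demo() -> dict:
    """Constructed walk-through: a rogue offer, a spoofed request, a real lease, then IPSG."""
    sw = Switch(snooping_enabled=True, mac_verify=True, trusted_ports={"ge1"}, trunk_ports={"ge24"})
    client = "aa:bb:cc:00:00:01"
    out = {}
    out["rogue_offer"] = sw.snoop(Frame("ge5", 10, "de:ad:be:ef:00:01", is_dhcp=True, dhcp_type="OFFER", chaddr=client))
    out["bad_chaddr"] = sw.snoop(Frame("ge5", 10, "aa:bb:cc:00:00:99", is_dhcp=True, dhcp_type="DISCOVER", chaddr=client))
    out["discover"] = sw.snoop(Frame("ge5", 10, client, is_dhcp=True, dhcp_type="DISCOVER", chaddr=client))
    out["ack"] = sw.snoop(Frame("ge1", 10, "00:11:22:33:44:55", is_dhcp=True, dhcp_type="ACK", chaddr=client, yiaddr="10.0.10.50"))
    sw.enable_ipsg("ge5")
    out["bound_host"] = sw.forward(Frame("ge5", 10, client, src_ip="10.0.10.50"))
    out["spoofed_ip"] = sw.forward(Frame("ge5", 10, client, src_ip="10.0.10.1"))
    out["bindings"] = len(sw.bindings)
    empty = Switch(snooping_enabled=True, trusted_ports={"ge1"})
    empty.enable_ipsg("ge6")
    out["empty_table"] = empty.forward(Frame("ge6", 10, client, src_ip="10.0.10.60"))
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "->", verdict)
```

The walk-through reproduces the cases the page calls out: an OFFER arriving on an untrusted port is dropped regardless of its contents, a DISCOVER whose frame source MAC differs from its chaddr is dropped once MAC verification is on, and a port with IPSG enabled but no bindings forwards nothing until either a lease is snooped or a static entry (steps 4 to 9 below) is added.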

To use IPSG, do as follows:

  1. Go to Configure > L3 protocols > DHCP snooping > Global settings.
  2. For DHCP snooping status, select Turned on.
  3. For MAC address verification, select Turned on.
  4. Go to IP source guard, and select Add.
  5. For VID, enter the VLAN ID that the device is connected to.
  6. For Port, enter the port that the device is connected to.
  7. For IP address, enter the device's IP address.
  8. For MAC address, enter the device's MAC address.
  9. Click Apply.
  10. Go to IPSG ports.
  11. Select the check box next to the ports you want to turn on IPSG for, and click Edit.
  12. Select Turned on from the Status drop-down menu.
  13. Click Apply.

VLAN Statistics

This table shows the DHCP snooping statistics for each VLAN.