DHCP snooping

NAVIGATION  Partner Portal > Networking Status > Network Manager > Manage > Switches

This article describes the purpose of DHCP snooping and provides steps to configure the feature on your Datto switch.

Overview

DHCP snooping provides packet filtering between untrusted endpoints and trusted DHCP servers. When enabled and configured, it validates DHCP packets received from untrusted endpoints, dropping invalid messages.

An administrator designates whether traffic is trusted or untrusted on a per-interface (physical, or link aggregated) basis. When traffic crosses the ingress of a trusted interface, forwarding of the DHCP packet is permitted. Correspondingly, when traffic crosses the ingress of an untrusted interface, the DHCP packet is dropped to prevent it from being forwarded.

NOTE  You must activate DHCP snooping on a per-VLAN basis. By default, it is inactive on all VLANs.

Prerequisites

To enable DHCP snooping on your Datto switch, your environment must meet the following prerequisites:

  • A DSW-series switch running firmware 1.00.19 or later must be present on your network.

  • You've enabled Layer 3 operating mode in the Switch Settings section of Datto Network Manager.

To set up DHCP snooping on your DSW-series switch, perform the following steps:

  1. Navigate to portal.dattobackup.com

  2. Log in with your Partner Portal credentials.

  3. From the header menu, select Status > Networking Status.

  1. Select the name of a Network or Launch Network Manager, to load the Networking Manager.

  1. Navigate to Switches > Switch Settings.

  2. Expand the DHCP snooping configuration section of the page.

  3. Assign your trusted interfaces. Remember, interfaces that you'll want to configure as trusted include those that connect to other network infrastructure directly, such as upstream switches or routers. If an endpoint, such as a workstation or IoT device, is expected to plug into a switch port, you should consider it to be untrusted.

  4. Turn on DHCP snooping for the VLANs you'd like to protect from rogue DHCP servers. Generally, you'd want to have this enabled for all VLANs.

  5. On the Switch Settings page, click Save Changes.

To test your configuration in a staging environment or outside of business hours, you can set up a DHCP server on a device connected to an untrusted port on your DSW-series switch. Configure the server to listen and respond to DHCP handshakes (DISCOVER, OFFER, REQUEST, and ACK) on the active subnet. If DHCP snooping is successfully configured, the rogue DHCP server's OFFER and ACK packets should be dropped by the switch and not seen by the endpoint sending the DISCOVER and REQUEST packets.

Learn more

The following topics provide additional learning resources for managing your Datto switch: