Configuring DHCP snooping, Overview, DHCP snooping functions – H3C Technologies H3C S12500 Series Switches User Manual

Configuring DHCP snooping
The DHCP snooping-enabled switch must be either between the DHCP client and relay agent, or
between the DHCP client and server. It does not work if it is between the DHCP relay agent and DHCP
server.
Overview
DHCP snooping functions
DHCP snooping can:
• Ensure that DHCP clients obtain IP addresses from authorized DHCP servers.
• Record IP-to-MAC mappings of DHCP clients.
Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers
With DHCP snooping, the ports of a switch can be configured as trusted or untrusted to make sure clients
obtain IP addresses only from authorized DHCP servers.
• Trusted—A trusted port forwards DHCP messages correctly.
• Untrusted—An untrusted port discards the DHCP-ACK or DHCP-OFFER messages from any DHCP
  server.
Configure ports that connect to authorized DHCP servers or other DHCP snooping devices as trusted,
and configure other ports as untrusted.
Recording IP-to-MAC mappings of DHCP clients
DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to record
DHCP snooping entries. A DHCP snooping entry includes the MAC and IP addresses of the client, the
port that connects to the DHCP client, and the VLAN of the port. With DHCP snooping entries, DHCP
snooping can implement the following functions:
• ARP detection—Whether ARP packets are sent from an authorized client is determined based on
  DHCP snooping entries. This feature prevents ARP attacks from unauthorized clients. For more
  information, see Security Configuration Guide.
• IP source guard—IP source guard uses dynamic binding entries generated by DHCP snooping to
  filter packets on a per-port basis, and prevents unauthorized packets from traveling through. For
  more information, see Security Configuration Guide.
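The two functions described above (discarding server replies on untrusted ports, and recording entries that ARP detection and IP source guard later check) can be modeled in a few lines. This is an added illustration, not H3C code or CLI: the class and method names, port names, MAC and IP values are constructed, and it assumes the client port and VLAN are learned from the DHCP-REQUEST and the entry is committed when the DHCP-ACK arrives on a trusted port.

```python
from dataclasses import dataclass

SERVER_REPLIES = {"OFFER", "ACK"}  # server-to-client messages named on the page

@dataclass(frozen=True)
class Binding:
    """One DHCP snooping entry: client MAC, client IP, client port, port VLAN."""
    mac: str
    ip: str
    port: str
    vlan: int

class SnoopingSwitch:  # hypothetical model, not a vendor API
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # client MAC -> (port, vlan) seen in DHCP-REQUEST
        self.bindings = {}   # client MAC -> Binding

    def handle_dhcp(self, msg_type, in_port, vlan, client_mac, ip=None):
        """Return 'forward' or 'drop' for one DHCP message."""
        if msg_type in SERVER_REPLIES and in_port not in self.trusted:
            return "drop"    # reply from a server behind an untrusted port
        if msg_type == "REQUEST":
            self.pending[client_mac] = (in_port, vlan)
        elif msg_type == "ACK" and client_mac in self.pending:
            port, req_vlan = self.pending.pop(client_mac)
            self.bindings[client_mac] = Binding(client_mac, ip, port, req_vlan)
        return "forward"

    def source_permitted(self, in_port, vlan, mac, ip):
        """ARP detection / IP source guard style check: all four fields must match."""
        return self.bindings.get(mac) == Binding(mac, ip, in_port, vlan)

def demo():
    # Constructed scenario: GE1/0/1 faces the authorized server, the client
    # sits on GE1/0/5, and an unauthorized server answers from GE1/0/9.
    sw = SnoopingSwitch(trusted_ports={"GE1/0/1"})
    results = [
        sw.handle_dhcp("REQUEST", "GE1/0/5", 10, "00aa-bbcc-0001"),
        sw.handle_dhcp("ACK", "GE1/0/9", 10, "00aa-bbcc-0001", "192.0.2.66"),
        sw.handle_dhcp("ACK", "GE1/0/1", 10, "00aa-bbcc-0001", "10.1.1.20"),
    ]
    return sw, results

if __name__ == "__main__":
    sw, results = demo()
    print(results, sw.bindings)
```

The ACK arriving on the untrusted port is dropped before it can create an entry, so only the address handed out through the trusted port ends up bound to the client's port and VLAN.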