Configuring dhcp server compatibility, Configuring dhcp snooping, Overview – H3C Technologies H3C S12500 Series Switches User Manual
Page 72: Application of trusted and untrusted ports
Configuring DHCP snooping
DHCP snooping works between the DHCP client and server, or between the DHCP client and relay agent.
It guarantees that DHCP clients obtain IP addresses from authorized DHCP servers. Also, it records
IP-to-MAC bindings of DHCP clients (called DHCP snooping entries) for security purposes.
DHCP snooping does not work between the DHCP server and DHCP relay agent.
Overview
DHCP snooping defines trusted and untrusted ports to make sure that clients obtain IP addresses only
from authorized DHCP servers.
• Trusted—A trusted port can forward DHCP messages normally to make sure the clients get IP addresses from authorized DHCP servers.
• Untrusted—An untrusted port discards received DHCP-ACK and DHCP-OFFER messages to prevent unauthorized servers from assigning IP addresses.
DHCP snooping reads DHCP-ACK messages received from trusted ports and DHCP-REQUEST messages
to create DHCP snooping entries. A DHCP snooping entry includes the MAC and IP addresses of a client,
the port that connects to the DHCP client, and the VLAN.
The following features use DHCP snooping entries:
• ARP fast-reply—Uses DHCP snooping entries to reduce ARP broadcast traffic. For more information, see "Configuring ARP fast-reply."
• ARP detection—Uses DHCP snooping entries to filter ARP packets from unauthorized clients. For more information, see Security Configuration Guide.
• MAC-forced forwarding (MFF)—Auto-mode MFF intercepts ARP requests from clients, uses DHCP snooping entries to find the gateway address, and returns the gateway MAC address to the clients. This feature forces the client to send all traffic to the gateway so that the gateway can monitor client traffic to prevent malicious attacks among clients. For more information, see Security Configuration Guide.
• IP source guard—Uses DHCP snooping entries to filter illegal packets on a per-port basis. For more information, see Security Configuration Guide.
Application of trusted and untrusted ports
Configure ports facing the DHCP server as trusted ports, and configure other ports as untrusted ports.
As shown in Figure 23, configure the DHCP snooping device's port that is connected to the DHCP server as a trusted port. The trusted port forwards response messages from the DHCP server to the client. The untrusted port connected to the unauthorized DHCP server discards incoming DHCP response messages.
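The trusted/untrusted forwarding rule and the way snooping entries are built from DHCP-REQUEST and DHCP-ACK messages, as an added illustrative model (not H3C's implementation); the port names, VLAN ID, MAC and IP addresses in the sample exchange are constructed for the demonstration.

```python
# Added example: a small model of the DHCP snooping port rule and the
# binding table described above. Not H3C code; all sample values are
# constructed for the demonstration.
from dataclasses import dataclass

# DHCP message types carried in option 53 (RFC 2132 values).
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK = 1, 2, 3, 5
SERVER_REPLIES = {DHCPOFFER, DHCPACK}

@dataclass(frozen=True)
class DhcpMsg:
    in_port: str      # port the switch received the frame on
    vlan: int         # VLAN the frame belongs to
    msg_type: int     # option 53 value
    client_mac: str   # chaddr field
    yiaddr: str = ""  # address offered/assigned (server replies only)

class DhcpSnooping:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.entries = {}   # client MAC -> (IP, client port, VLAN)
        self._pending = {}  # client MAC -> (port, VLAN) of last DHCP-REQUEST

    def handle(self, m: DhcpMsg) -> str:
        """Return 'forward' or 'drop' and update the snooping entries."""
        if m.msg_type in SERVER_REPLIES:
            # Untrusted ports discard DHCP-OFFER/DHCP-ACK, so a server
            # behind such a port cannot assign addresses to clients.
            if m.in_port not in self.trusted:
                return "drop"
            # A DHCP-ACK from a trusted port completes the entry for the
            # client whose DHCP-REQUEST was seen earlier.
            if m.msg_type == DHCPACK and m.client_mac in self._pending:
                port, vlan = self._pending.pop(m.client_mac)
                self.entries[m.client_mac] = (m.yiaddr, port, vlan)
            return "forward"
        # Client messages are forwarded from any port; remember where the
        # DHCP-REQUEST arrived so the entry records the client's port/VLAN.
        if m.msg_type == DHCPREQUEST:
            self._pending[m.client_mac] = (m.in_port, m.vlan)
        return "forward"

def demo():
    snoop = DhcpSnooping(trusted_ports={"GE1/0/1"})  # port facing the real server
    client = "00aa-bbcc-dd01"
    results = [snoop.handle(m) for m in (
        DhcpMsg("GE1/0/5", 10, DHCPDISCOVER, client),
        DhcpMsg("GE1/0/9", 10, DHCPOFFER, client, "10.0.0.99"),  # unauthorized server
        DhcpMsg("GE1/0/1", 10, DHCPOFFER, client, "10.0.0.20"),  # authorized server
        DhcpMsg("GE1/0/5", 10, DHCPREQUEST, client),
        DhcpMsg("GE1/0/1", 10, DHCPACK, client, "10.0.0.20"),
    )]
    return results, snoop.entries
```

Running demo() shows the OFFER from the untrusted port dropped while the authorized server's OFFER and ACK pass, leaving one entry that records the client's MAC, assigned IP, port and VLAN.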