beautypg.com

Dhcp snooping configuration, Dhcp snooping overview, Functions of dhcp snooping – H3C Technologies H3C S10500 Series Switches User Manual

Page 81: Recording ip-to-mac mappings of dhcp clients

background image

70

DHCP snooping configuration

NOTE:

The DHCP snooping-enabled device must be either between the DHCP client and relay agent, or between
the DHCP client and server. It does not work if it is between the DHCP relay agent and DHCP server.

DHCP snooping overview

Functions of DHCP snooping

DHCP snooping can:

1.

Ensure that DHCP clients obtain IP addresses from authorized DHCP servers

2.

Record IP-to-MAC mappings of DHCP clients

Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers

With DHCP snooping, the ports of a switch can be configured as trusted or untrusted to ensure that clients
obtain IP addresses only from authorized DHCP servers.

Trusted: A trusted port forwards DHCP messages normally to ensure the clients get IP addresses
from an authorized DHCP server.

Untrusted: An untrusted port discards received DHCP-ACK and DHCP-OFFER messages to avoid IP
address allocation from any unauthorized server.

Configure ports that connect to authorized DHCP servers or other DHCP snooping devices as trusted,

and configure other ports as untrusted.

Recording IP-to-MAC mappings of DHCP clients

DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to record

DHCP snooping entries. A DHCP snooping entry includes the MAC and IP addresses of the client, the

port that connects to the DHCP client, and the VLAN of the port. Using DHCP snooping entries, DHCP
snooping can implement the following functions:

ARP detection: Whether ARP packets are sent from an authorized client is determined based on
DHCP snooping entries. This feature prevents ARP attacks from unauthorized clients. For more

information, see the Security Configuration Guide.

IP source guard: IP source guard uses dynamic binding entries generated by DHCP snooping to
filter packets on a per-port basis. This prevents unauthorized packets from traveling through. For

more information, see the Security Configuration Guide.

VLAN mapping: The device replaces service provider VLANs (SVLANs) in packets with customer
VLANs (CVLANs) by searching corresponding DHCP snooping entries for DHCP client information

including IP addresses, MAC addresses, and CVLANs, before sending the packets to clients. For

more information, see the Layer 2LAN Switching Configuration Guide.

This manual is related to the following products:
See also other documents in the category H3C Technologies Routers: