Configuring dhcp snooping, Overview, Dhcp snooping functions – H3C Technologies H3C S12500 Series Switches User Manual
Page 88: Recording ip-to-mac mappings of dhcp clients
74
Configuring DHCP snooping
The DHCP snooping-enabled switch must be either between the DHCP client and relay agent, or
between the DHCP client and server. It does not work if it is between the DHCP relay agent and DHCP
server.
Overview
DHCP snooping functions
DHCP snooping can:
•
Ensure DHCP clients to obtain IP addresses from authorized DHCP servers.
•
Record IP-to-MAC mappings of DHCP clients.
Ensuring DHCP clients to obtain IP addresses from authorized DHCP servers
With DHCP snooping, the ports of a switch can be configured as trusted or untrusted to make sure clients
obtain IP address only from authorized DHCP servers.
•
Trusted—A trusted port forwards DHCP messages correctly.
•
Untrusted—An untrusted port discards the DHCP-ACK or DHCP-OFFER messages from any DHCP
server.
Configure ports that connect to authorized DHCP servers or other DHCP snooping devices as trusted,
and configure other ports as untrusted.
Recording IP-to-MAC mappings of DHCP clients
DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to record
DHCP snooping entries. A DHCP snooping entry includes the MAC and IP addresses of the client., the
port that connects to the DHCP client, and the VLAN of the port. With DHCP snooping entries, DHCP
snooping can implement the following functions:
•
ARP detection—Whether ARP packets are sent from an authorized client is determined based on
DHCP snooping entries. This feature prevents ARP attacks from unauthorized clients. For more
information, see Security Configuration Guide.
•
IP source guard—IP source guard uses dynamic binding entries generated by DHCP snooping to
filter packets on a per-port basis, and prevents unauthorized packets from traveling through. For
more information, see Security Configuration Guide.