Dhcp snooping overview, Recording ip-to-mac mappings of dhcp clients – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

Page 219


198

DHCP snooping overview

IMPORTANT:

The DHCP snooping-enabled device must be between the DHCP client and relay agent, or between the DHCP client and server. It does not work if it is between the DHCP relay agent and DHCP server.

As a DHCP security feature, DHCP snooping provides the following functionality:

• Records IP-to-MAC mappings of DHCP clients.

• Ensures that DHCP clients obtain IP addresses only from authorized DHCP servers.

Recording IP-to-MAC mappings of DHCP clients

DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to record DHCP snooping entries, including MAC addresses of clients, IP addresses obtained by the clients, ports that connect to DHCP clients, and VLANs to which the ports belong. ARP uses DHCP snooping entries to perform ARP detection (user validity check).

For more information about ARP detection, see "Configuring ARP attack protection."

Enabling DHCP clients to obtain IP addresses from authorized DHCP servers

If there is an unauthorized DHCP server on a network, DHCP clients might obtain invalid IP addresses and network configuration parameters, and cannot correctly communicate with other network devices.

With DHCP snooping, the ports of a device can be configured as trusted or untrusted, ensuring that the clients obtain IP addresses only from authorized DHCP servers.

• Trusted—A trusted port forwards DHCP messages correctly.

• Untrusted—An untrusted port discards the DHCP-ACK or DHCP-OFFER messages received from any DHCP server.

Configure ports connected to a DHCP server or another DHCP snooping device as trusted ports, and configure all other ports as untrusted ports.
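The following Python model shows the two mechanisms described above working together: server replies (DHCP-OFFER, DHCP-ACK) are dropped on untrusted ports, the client port is learned from DHCP-REQUEST, the binding entry (client MAC, assigned IP, port, VLAN) is created from the DHCP-ACK seen on a trusted port, and that table is then consulted for the ARP user validity check. This is an added illustration, not H3C code or the switch's actual implementation; the port names, VLAN, MAC addresses and the DHCP packets are constructed sample data.

```python
"""Minimal model of DHCP snooping (added example; not H3C or Comware code).

Parses raw BOOTP/DHCP payloads, enforces the trusted/untrusted port rule, builds
a binding table from REQUEST/ACK messages and uses it for an ARP validity check.
"""
import struct
from dataclasses import dataclass

DHCP_MAGIC = b"\x63\x82\x53\x63"          # options cookie at offset 236
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}
SERVER_MSGS = {"OFFER", "ACK"}             # only a server should send these


def parse_dhcp(packet: bytes) -> dict:
    """Return op, client MAC (chaddr), yiaddr and message type of a raw DHCP payload."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    yiaddr = ".".join(str(b) for b in packet[16:20])          # 'your' IP address
    chaddr = ":".join(f"{b:02x}" for b in packet[28:34])      # client hardware address
    msg_type = None
    i = 240
    while i < len(packet):                                    # walk TLV options
        tag = packet[i]
        if tag == 255:                                        # End option
            break
        if tag == 0:                                          # Pad option
            i += 1
            continue
        length = packet[i + 1]
        if tag == 53 and length == 1:                         # DHCP Message Type
            msg_type = MSG_TYPES.get(packet[i + 2], "OTHER")
        i += 2 + length
    return {"op": packet[0], "chaddr": chaddr, "yiaddr": yiaddr, "type": msg_type}


def build_dhcp(msg_type_code: int, chaddr: str, yiaddr: str = "0.0.0.0") -> bytes:
    """Build a minimal DHCP packet; used only to construct the sample traffic below."""
    op = 2 if msg_type_code in (2, 5) else 1                  # BOOTREPLY for OFFER/ACK
    mac = bytes(int(x, 16) for x in chaddr.split(":"))
    ip = bytes(int(x) for x in yiaddr.split("."))
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234, 0, 0)  # op..flags (12 bytes)
    header += b"\0" * 4 + ip + b"\0" * 8                      # ciaddr, yiaddr, siaddr, giaddr
    header += mac + b"\0" * 10 + b"\0" * 192                  # chaddr(16), sname(64), file(128)
    return header + DHCP_MAGIC + bytes([53, 1, msg_type_code, 255])


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    port: str      # port that connects to the client
    vlan: int      # VLAN the port belongs to


class DhcpSnooping:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # chaddr -> (port, vlan) learned from DHCP-REQUEST
        self.bindings = {}   # chaddr -> Binding, learned from DHCP-ACK on a trusted port

    def handle(self, port: str, vlan: int, packet: bytes) -> str:
        """Return 'forward' or 'drop' for a DHCP message received on (port, vlan)."""
        msg = parse_dhcp(packet)
        if msg["type"] in SERVER_MSGS and port not in self.trusted:
            return "drop"                                     # server reply on untrusted port
        if msg["type"] == "REQUEST":
            self.pending[msg["chaddr"]] = (port, vlan)        # remember where the client is
        elif msg["type"] == "ACK" and msg["chaddr"] in self.pending:
            cport, cvlan = self.pending.pop(msg["chaddr"])
            self.bindings[msg["chaddr"]] = Binding(msg["chaddr"], msg["yiaddr"], cport, cvlan)
        return "forward"

    def arp_is_valid(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> bool:
        """ARP detection: sender MAC/IP/port/VLAN must match a snooping entry exactly."""
        return self.bindings.get(sender_mac) == Binding(sender_mac, sender_ip, port, vlan)


def demo():
    """Constructed scenario: one client, one rogue server, one authorized server."""
    sw = DhcpSnooping(trusted_ports={"GE1/0/24"})             # uplink to the real server
    client = "00:11:22:33:44:55"
    results = [
        sw.handle("GE1/0/1", 10, build_dhcp(3, client)),                   # REQUEST from client
        sw.handle("GE1/0/2", 10, build_dhcp(2, client, "10.0.0.99")),      # OFFER, untrusted port
        sw.handle("GE1/0/24", 10, build_dhcp(5, client, "10.0.0.50")),     # ACK, trusted port
    ]
    return sw, results


if __name__ == "__main__":
    switch, actions = demo()
    print(actions, switch.bindings)
```

Note that the binding stores the port on which the DHCP-REQUEST arrived (the client-facing port), not the trusted port that delivered the ACK; that is what later lets the ARP check reject a packet that claims a valid MAC/IP pair from the wrong port or VLAN.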

Recommended configuration procedure (for DHCP server)

Step                  Remarks
1. Enabling DHCP      Required. Enable DHCP globally. By default, global DHCP is disabled.
