Recording ip-to-mac mappings of dhcp clients, Application environment of trusted ports, Configuring trusted ports in a cascaded network – H3C Technologies H3C S7500E Series Switches User Manual


from authorized DHCP servers only, while unauthorized DHCP servers cannot assign IP addresses to DHCP clients.

Recording IP-to-MAC mappings of DHCP clients

DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to record DHCP snooping entries, including MAC addresses of clients, IP addresses obtained by the clients, ports that connect to DHCP clients, and VLANs to which the ports belong. With DHCP snooping entries, DHCP snooping can implement the following:

- ARP detection: Whether ARP packets are sent from an authorized client is determined based on DHCP snooping entries. This feature prevents ARP attacks from unauthorized clients. For details, refer to ARP Attack Protection Configuration in the Security Configuration Guide.

- IP Source Guard: IP Source Guard uses dynamic binding entries generated by DHCP snooping to filter packets on a per-port basis, and thus prevents unauthorized packets from traveling through. For details, refer to IP Source Guard Configuration in the Security Configuration Guide.

- VLAN mapping: The device replaces service provider VLANs (SVLANs) in packets with customer VLANs (CVLANs) by searching corresponding DHCP snooping entries for DHCP client information including IP addresses, MAC addresses, and CVLANs, before sending the packets to clients. For details, refer to VLAN Mapping Configuration in the Layer 2 - LAN Switching Configuration Guide.

Application Environment of Trusted Ports

Configuring a trusted port connected to a DHCP server

Figure 8-1 Configure trusted and untrusted ports

[Figure: a DHCP snooping device with a trusted port toward the DHCP server and untrusted ports toward the DHCP client and the unauthorized DHCP server; the arrows show DHCP reply messages.]

As shown in Figure 8-1, a DHCP snooping device's port that is connected to an authorized DHCP server should be configured as a trusted port to forward reply messages from the DHCP server, so that the DHCP client can obtain an IP address from the authorized DHCP server.

Configuring trusted ports in a cascaded network

In a cascaded network involving multiple DHCP snooping devices, the ports connected to other DHCP snooping devices should be configured as trusted ports.
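The following is an added example, not H3C code and not taken from this manual, that models the behaviour described in the two sections above in a few dozen lines of Python: server messages (DHCP-OFFER/DHCP-ACK) are forwarded only when they arrive on a trusted port, a DHCP snooping entry (client MAC, assigned IP, client-facing port, VLAN) is recorded from the client's DHCP-REQUEST and the server's DHCP-ACK, and the resulting binding table is then used for an IP Source Guard / ARP detection style check of sender MAC, IP and port. The port names (GE1/0/1, GE1/0/2, GE1/0/3, GE1/0/24), VLAN numbers, MAC and IP addresses are constructed values; the trust decision on the uplink toward another snooping device illustrates the cascaded-network rule.

```python
"""Constructed model of DHCP snooping trust handling and binding use.

This is illustrative code, not the switch's implementation: it reproduces
the documented rules (drop server replies on untrusted ports, record
IP-to-MAC-to-port-to-VLAN bindings, validate traffic against them).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# DHCP message type values (DHCP option 53).
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
SERVER_MESSAGES = {OFFER, ACK}  # only a DHCP server should send these


@dataclass
class DhcpMessage:
    msg_type: int
    client_mac: str
    yiaddr: str = "0.0.0.0"  # address assigned by the server (OFFER/ACK)


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping entry."""
    mac: str
    ip: str
    port: str
    vlan: int


@dataclass
class SnoopingDevice:
    port_vlan: Dict[str, int] = field(default_factory=dict)
    trusted_ports: Set[str] = field(default_factory=set)
    bindings: Dict[str, Binding] = field(default_factory=dict)   # keyed by client MAC
    pending: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # MAC -> (port, vlan) seen in REQUEST
    dropped: List[str] = field(default_factory=list)

    def trust(self, port: str) -> None:
        self.trusted_ports.add(port)

    def receive(self, port: str, msg: DhcpMessage) -> bool:
        """Apply DHCP snooping to one message; return True if forwarded."""
        if msg.msg_type in SERVER_MESSAGES:
            if port not in self.trusted_ports:
                # Reply from an unauthorized server on an untrusted port: discard.
                self.dropped.append(f"{port}: DHCP type {msg.msg_type} from untrusted port")
                return False
            if msg.msg_type == ACK and msg.client_mac in self.pending:
                # Complete the entry with the address the authorized server assigned.
                cport, cvlan = self.pending.pop(msg.client_mac)
                self.bindings[msg.client_mac] = Binding(msg.client_mac, msg.yiaddr, cport, cvlan)
            return True
        if msg.msg_type == REQUEST:
            # Remember which port and VLAN the client is on.
            self.pending[msg.client_mac] = (port, self.port_vlan.get(port, 1))
        return True

    def check_source(self, port: str, mac: str, ip: str) -> bool:
        """IP Source Guard / ARP detection style check against the binding table."""
        b = self.bindings.get(mac)
        return b is not None and b.ip == ip and b.port == port


def run_scenario() -> Tuple[SnoopingDevice, bool]:
    """Replay the Figure 8-1 topology; returns (device, rogue_offer_forwarded)."""
    dev = SnoopingDevice(port_vlan={"GE1/0/1": 10, "GE1/0/2": 10, "GE1/0/3": 10, "GE1/0/24": 10})
    dev.trust("GE1/0/1")   # port toward the authorized DHCP server
    dev.trust("GE1/0/24")  # uplink toward another DHCP snooping device (cascaded network)
    client = "00:11:22:33:44:55"
    dev.receive("GE1/0/3", DhcpMessage(DISCOVER, client))
    rogue_forwarded = dev.receive("GE1/0/2", DhcpMessage(OFFER, client, "192.0.2.200"))  # unauthorized server
    dev.receive("GE1/0/1", DhcpMessage(OFFER, client, "192.0.2.10"))
    dev.receive("GE1/0/3", DhcpMessage(REQUEST, client))
    dev.receive("GE1/0/1", DhcpMessage(ACK, client, "192.0.2.10"))
    return dev, rogue_forwarded


if __name__ == "__main__":
    device, rogue = run_scenario()
    print("rogue OFFER forwarded:", rogue)
    print("bindings:", device.bindings)
    print("dropped:", device.dropped)
```

The model keeps the client's ingress port and VLAN from the DHCP-REQUEST and only completes the entry when the matching DHCP-ACK arrives on a trusted port, so a reply from a server behind an untrusted port can neither reach the client nor create a binding. The `check_source` method shows how the ARP detection and IP Source Guard features described above consume the table: a packet whose sender MAC, IP and port do not match an entry is rejected.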
