Recording ip-to-mac mappings of dhcp clients – H3C Technologies H3C WX3000E Series Wireless Switches User Manual


NOTE:

The DHCP snooping-enabled device must be either between the DHCP client and relay agent, or between
the DHCP client and server. It does not work if it is between the DHCP relay agent and DHCP server.

As a DHCP security feature, DHCP snooping can implement the following:

1. Recording IP-to-MAC mappings of DHCP clients

2. Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers

Recording IP-to-MAC mappings of DHCP clients

DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to record DHCP snooping entries, including MAC addresses of clients, IP addresses obtained by the clients, ports that connect to DHCP clients, and VLANs to which the ports belong.

Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers

If there is an unauthorized DHCP server on a network, DHCP clients may obtain invalid IP addresses and network configuration parameters, and cannot communicate normally with other network devices. With DHCP snooping, the ports of a device can be configured as trusted or untrusted, ensuring that clients obtain IP addresses from authorized DHCP servers.

Trusted—A trusted port forwards DHCP messages normally.

Untrusted—An untrusted port discards the DHCP-ACK or DHCP-OFFER messages received from
any DHCP server.
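The following Python model is an added example, not H3C code or device configuration. It shows the two behaviors described above: server replies arriving on untrusted ports are discarded, and a snooping entry (MAC, IP, client port, VLAN) is recorded for an authorized lease. It assumes the client-facing port is learned from the DHCP-REQUEST and the entry is committed when the matching DHCP-ACK arrives on a trusted port; port names, addresses and the trace are constructed.

```python
from dataclasses import dataclass

SERVER_REPLIES = {"DHCP-OFFER", "DHCP-ACK"}

@dataclass(frozen=True)
class DhcpMsg:
    port: str        # ingress port on the snooping device (constructed names)
    vlan: int
    kind: str        # DHCP-DISCOVER, DHCP-OFFER, DHCP-REQUEST or DHCP-ACK
    client_mac: str  # client hardware address
    ip: str = ""     # address offered or acknowledged by a server

class Snooper:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}   # client MAC -> (port, vlan) seen in DHCP-REQUEST
        self.bindings = {}  # client MAC -> recorded snooping entry
        self.dropped = []   # server replies discarded on untrusted ports

    def handle(self, msg):
        """Return True if the message is forwarded, False if discarded."""
        if msg.kind in SERVER_REPLIES and msg.port not in self.trusted:
            self.dropped.append(msg)  # unauthorized server: never reaches client
            return False
        if msg.kind == "DHCP-REQUEST":
            self.pending[msg.client_mac] = (msg.port, msg.vlan)
        elif msg.kind == "DHCP-ACK" and msg.client_mac in self.pending:
            port, vlan = self.pending.pop(msg.client_mac)
            self.bindings[msg.client_mac] = {"ip": msg.ip, "port": port, "vlan": vlan}
        return True

def run_sample():
    # Constructed trace: authorized server behind ge1/0/1, rogue server on ge1/0/7.
    s = Snooper(trusted_ports={"ge1/0/1"})
    mac = "00:11:22:33:44:55"
    trace = [
        DhcpMsg("ge1/0/5", 10, "DHCP-DISCOVER", mac),
        DhcpMsg("ge1/0/7", 10, "DHCP-OFFER", mac, "10.66.0.9"),   # untrusted port
        DhcpMsg("ge1/0/1", 10, "DHCP-OFFER", mac, "192.0.2.20"),
        DhcpMsg("ge1/0/5", 10, "DHCP-REQUEST", mac),
        DhcpMsg("ge1/0/7", 10, "DHCP-ACK", mac, "10.66.0.9"),     # untrusted port
        DhcpMsg("ge1/0/1", 10, "DHCP-ACK", mac, "192.0.2.20"),
    ]
    verdicts = [s.handle(m) for m in trace]
    return s, verdicts

if __name__ == "__main__":
    s, verdicts = run_sample()
    print(verdicts, s.bindings, len(s.dropped))
```

The `dropped` list is the part worth alerting on in practice: any server reply seen on an untrusted port indicates an unauthorized DHCP server behind that port.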

Recommended configuration procedure (for DHCP server)

Step 1: Enabling DHCP
Remarks: Required. Enable DHCP globally. By default, global DHCP is disabled.

Step 2: Creating an address pool for the DHCP server
    Creating a static address pool for the DHCP server
    Creating a dynamic address pool for the DHCP server
Remarks: Required. Use at least one approach.

IMPORTANT:

If the DHCP server and DHCP clients are on the same subnet, make sure the address pool is on the same network segment as the interface with the DHCP server enabled; otherwise, the clients will fail to obtain IP addresses.

If a DHCP client obtains an IP address via a DHCP relay agent, an IP address pool on the same network segment as the DHCP relay agent interface must be configured; otherwise, the client will fail to obtain an IP address.
