Dhcp snooping configuration, Functions of dhcp snooping, Recording ip-to-mac mappings of dhcp clients – H3C Technologies H3C WX6000 Series Access Controllers User Manual

26-24

DHCP Snooping Configuration

A DHCP snooping enabled device does not work if it is between the DHCP relay agent and DHCP

server, and it can work when it is between the DHCP client and relay agent or between the DHCP

client and server.

You are not recommended to enable the DHCP client, BOOTP client, and DHCP snooping on the

same device. Otherwise, DHCP snooping entries may fail to be generated, or the BOOTP

client/DHCP client may fail to obtain an IP address.

Functions of DHCP Snooping

As a DHCP security feature, DHCP snooping can implement the following:

1) Recording IP-to-MAC mappings of DHCP clients

2) Ensuring DHCP clients to obtain IP addresses from authorized DHCP servers

Recording IP-to-MAC mappings of DHCP clients

DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to

record DHCP snooping entries, including MAC addresses of clients, IP addresses obtained by the

clients, ports that connect to DHCP clients, and VLANs to which the ports belong.

Ensuring DHCP clients to obtain IP addresses from authorized DHCP servers

If there is an unauthorized DHCP server on a network, DHCP clients may obtain invalid IP addresses

and network configuration parameters, and cannot normally communicate with other network devices.

With DHCP snooping, the ports of a device can be configured as trusted or untrusted, ensuring the

clients to obtain IP addresses from authorized DHCP servers.

Trusted: A trusted port forwards DHCP messages normally.

Untrusted: An untrusted port discards the DHCP-ACK or DHCP-OFFER messages received from

any DHCP server.