Dhcp snooping configuration, Configuring dhcp snooping – H3C Technologies H3C WX3000 Series Unified Switches User Manual
Page 319
31-5
z
After receiving such type of packets, a device needs to send them to the CPU for processing. Too
many request packets cause high CPU usage rate. As a result, the CPU cannot work normally.
The device can filter invalid IP packets through the DHCP-snooping table and IP static binding table.
DHCP-snooping table
After DHCP snooping is enabled on a device, a DHCP-snooping table is generated. It is used to record
IP addresses obtained from the DHCP server, MAC addresses, the number of the port through which a
client is connected to the DHCP-snooping-enabled device, and the number of the VLAN to which the
port belongs to. These records are saved as entries in the DHCP-snooping table.
IP static binding table
The DHCP-snooping table only records information about clients that obtains IP address dynamically
through DHCP. If a fixed IP address is configured for a client, the IP address and MAC address of the
client cannot be recorded in the DHCP-snooping table. Consequently, this client cannot pass the IP
filtering of the DHCP-snooping table, thus it cannot access external networks.
To solve this problem, the device supports the configuration of static binding table entries, that is, the
binding relationship between IP address, MAC address, and the port connecting to the client, so that
packets of the client can be correctly forwarded.
IP filtering
The device can filter IP packets in the following two modes:
z
Filtering the source IP address in a packet. If the source IP address and the number of the port that
receives the packet are consistent with entries in the DHCP-snooping table or static binding table,
the device regards the packet as a valid packet and forwards it; otherwise, the device drops it
directly.
z
Filtering the source IP address and the source MAC address in a packet. If the source IP address
and source MAC address in the packet, and the number of the port that receives the packet are
consistent with entries in the DHCP-snooping table or static binding table, the device regards the
packet as a valid packet and forwards it; otherwise, the device drops it directly.
DHCP Snooping Configuration
Configuring DHCP Snooping
Follow these steps to configure DHCP snooping:
To do…
Use the command…
Remarks
Enter system view
system-view
—
Enable DHCP snooping dhcp-snooping
Required
By default, the DHCP snooping function is disabled.
Enter Ethernet port view
interface interface-type
interface-number
—
Specify the current port
as a trusted port
dhcp-snooping trust
Required
By default, after DHCP snooping is enabled, all ports
of a device are untrusted ports.