3-1
3 DHCP Snooping Configuration
Introduction
Introduction to DHCP Snooping
For the sake of security, the IP addresses used by online DHCP clients need to be tracked for the
administrator to verify the corresponding relationship between the IP addresses the DHCP clients
obtained from DHCP servers and the MAC addresses of the DHCP clients.
z Layer 3 switches can track DHCP client IP addresses through DHCP relay.
z Layer 2 switches can track DHCP client IP addresses through the DHCP snooping function, which
listens DHCP broadcast packets.
Figure 3-1 illustrates a typical network diagram for DHCP snooping application, where Switch A is a
Switch 4210.
Figure 3-1 Typical network diagram for DHCP snooping application
DHCP snooping listens the DHCP-REQUEST packets and DHCP-ACK packets to retrieve the IP
addresses the DHCP clients obtain from DHCP servers and the MAC addresses of the DHCP clients.
Introduction to DHCP Snooping Trusted/Untrusted Ports
When an unauthorized DHCP server exists in the network, a DHCP client may obtains an illegal IP
address. To ensure that the DHCP clients obtain IP addresses from valid DHCP servers, The Switch
4210 Family can specify a port to be a trusted port or an untrusted port by the DHCP snooping function.
z Trusted: A trusted port is connected to an authorized DHCP server directly or indirectly. It forwards
DHCP messages to guarantee that DHCP clients can obtain valid IP addresses.
z Untrusted: An untrusted port is connected to an unauthorized DHCP server. The DHCP-ACK or
DHCP-OFFER packets received from the port are discarded, preventing DHCP clients from
receiving invalid IP addresses.
To Next Page
Loading...