3-1
3 DHCP Snooping Configuration
z A DHCP snooping enabled device does not work if it is between the DHCP relay agent and DHCP
server, and it can work when it is between the DHCP client and relay agent or between the DHCP
client and server.
z You are not recommended to enable the DHCP client, BOOTP client, and DHCP snooping on the
same device. Otherwise, DHCP snooping entries may fail to be generated, or the BOOTP
client/DHCP client may fail to obtain an IP address.
DHCP Snooping Overview
Functions of DHCP Snooping
As a DHCP security feature, DHCP snooping can implement the following:
1) Recording IP-to-MAC mappings of DHCP clients
2) Ensuring DHCP clients to obtain IP addresses from authorized DHCP servers
Recording IP-to-MAC mappings of DHCP clients
DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to
record DHCP snooping entries, including MAC addresses of clients, IP addresses obtained by the
clients, ports that connect to DHCP clients, and VLANs to which the ports belong.
Ensuring DHCP clients to obtain IP addresses from authorized DHCP servers
If there is an unauthorized DHCP server on a network, DHCP clients may obtain invalid IP addresses
and network configuration parameters, and cannot normally communicate with other network devices.
With DHCP snooping, the ports of a device can be configured as trusted or untrusted, ensuring the
clients to obtain IP addresses from authorized DHCP servers.
z Trusted: A trusted port forwards DHCP messages normally.
z Untrusted: An untrusted port discards the DHCP-ACK or DHCP-OFFER messages received from
any DHCP server.
To Next Page
Loading...
