60 DHCP SNOOPING CONFIGURATION
When configuring DHCP snooping, go to these sections for information you are
interested in:
■ “DHCP Snooping Overview” on page 825
■ “Configuring DHCP Snooping Basic Functions” on page 828
■ “Configuring DHCP Snooping to Support Option 82” on page 828
■ “Displaying and Maintaining DHCP Snooping” on page 829
■ “DHCP Snooping Configuration Example” on page 829
Note:
■ DHCP snooping does not support link aggregation. If an Ethernet port is added to
an aggregation group, the DHCP snooping configuration on that port does not take
effect; it takes effect again once the port is removed from the group.
■ A DHCP snooping enabled device does not work when it sits between the DHCP
relay agent and the DHCP server. It works when it sits between the DHCP client
and the relay agent, or between the DHCP client and the DHCP server.
■ A DHCP snooping enabled device cannot itself act as a DHCP server or DHCP relay
agent.
■ It is not recommended to enable the DHCP client, BOOTP client, and DHCP
snooping on the same device. Otherwise, DHCP snooping entries may fail to be
generated, or the BOOTP client/DHCP client may fail to obtain an IP address.
DHCP Snooping Overview
Function of DHCP Snooping
As a DHCP security feature, DHCP snooping implements the following:
Recording IP-to-MAC mappings of DHCP clients
For security reasons, a network administrator needs a record of the mapping between
the IP address a client obtained from the DHCP server and that client's MAC address.
DHCP snooping meets this need.
DHCP snooping records clients' MAC and IP addresses by reading their
DHCP-REQUEST and DHCP-ACK messages from trusted ports. The network
administrator can check which IP addresses have been assigned to DHCP clients
with the display dhcp-snooping command.
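The following is an added example, not code from the switch or from this manual, showing how a snooping binding table is built from the exchange described above. It constructs minimal DHCP messages (BOOTP fixed header, magic cookie, option 53), learns the client MAC from a DHCP-REQUEST, completes the IP-to-MAC binding only when the matching DHCP-ACK arrives on a trusted port, and drops any server reply seen on an untrusted port. The port names (GE1/0/1, GE1/0/24), the client MAC, the transaction ID and the addresses are constructed sample values; the class and function names are hypothetical.

```python
"""Model of a DHCP snooping binding table (added example, not switch code).

A DHCP-REQUEST from a client records (xid -> chaddr, port); the DHCP-ACK with
the same xid, accepted only from a trusted port, completes the binding
ip -> (mac, client port). Server replies on untrusted ports are dropped.
"""
import struct

BOOTREQUEST, BOOTREPLY = 1, 2          # BOOTP op field
DHCP_REQUEST, DHCP_ACK = 3, 5          # option 53 message types
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # 236-byte fixed BOOTP header


def build_dhcp(op, xid, chaddr, msg_type, yiaddr="0.0.0.0"):
    """Construct a minimal DHCP message: fixed header + option 53 + end."""
    mac = bytes.fromhex(chaddr.replace(":", ""))
    header = struct.pack(
        BOOTP_FMT,
        op, 1, 6, 0, xid, 0, 0,                    # op, htype, hlen, hops, xid, secs, flags
        b"\0" * 4,                                 # ciaddr
        bytes(int(o) for o in yiaddr.split(".")),  # yiaddr (address offered by server)
        b"\0" * 4, b"\0" * 4,                      # siaddr, giaddr
        mac.ljust(16, b"\0"),                      # chaddr (client hardware address)
        b"\0" * 64, b"\0" * 128,                   # sname, file
    )
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


def parse_dhcp(data):
    """Return (op, xid, chaddr, yiaddr, msg_type) from a raw DHCP message."""
    fields = struct.unpack_from(BOOTP_FMT, data)
    op, _htype, hlen, _hops, xid = fields[:5]
    yiaddr = ".".join(str(b) for b in fields[8])
    chaddr = ":".join(f"{b:02x}" for b in fields[11][:hlen])
    off = struct.calcsize(BOOTP_FMT)
    if data[off:off + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    off += 4
    msg_type = None
    while off < len(data):          # walk TLV options until the end marker
        code = data[off]
        if code == 255:
            break
        if code == 0:               # pad
            off += 1
            continue
        length = data[off + 1]
        if code == 53:
            msg_type = data[off + 2]
        off += 2 + length
    return op, xid, chaddr, yiaddr, msg_type


class DhcpSnooping:
    """Hypothetical snooping engine: one instance per switch."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # xid -> (client mac, client port) from DHCP-REQUEST
        self.bindings = {}   # ip -> (mac, port), the snooping entries

    def process(self, port, data):
        """Return 'forward' or 'drop' for a DHCP message received on port."""
        op, xid, chaddr, yiaddr, msg_type = parse_dhcp(data)
        if op == BOOTREPLY and port not in self.trusted:
            return "drop"    # server reply from an untrusted port: unauthorized server
        if msg_type == DHCP_REQUEST:
            self.pending[xid] = (chaddr, port)
        elif msg_type == DHCP_ACK and xid in self.pending:
            mac, client_port = self.pending.pop(xid)
            if mac == chaddr:   # ACK must answer the request we saw
                self.bindings[yiaddr] = (mac, client_port)
        return "forward"

    def display(self):
        """Equivalent of 'display dhcp-snooping': sorted (ip, mac, port) rows."""
        return [(ip, mac, port) for ip, (mac, port) in sorted(self.bindings.items())]


def demo():
    """Constructed exchange: one client, one rogue ACK, one legitimate ACK."""
    switch = DhcpSnooping(trusted_ports={"GE1/0/24"})   # uplink to the real server
    xid, client = 0x3903F326, "00:11:22:33:44:55"
    switch.process("GE1/0/1", build_dhcp(BOOTREQUEST, xid, client, DHCP_REQUEST))
    rogue = switch.process("GE1/0/2", build_dhcp(BOOTREPLY, xid, client, DHCP_ACK, "10.0.0.99"))
    good = switch.process("GE1/0/24", build_dhcp(BOOTREPLY, xid, client, DHCP_ACK, "10.0.0.50"))
    return rogue, good, switch.display()


if __name__ == "__main__":
    print(demo())
```

The engine keys on the transaction ID and client hardware address so that an ACK is only bound to the request it answers; an ACK arriving on a trusted port for a transaction the switch never saw forwards but creates no entry.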
Ensuring that DHCP clients obtain IP addresses from valid DHCP servers
If there is an unauthorized DHCP server on the network, DHCP clients may obtain
invalid IP addresses. With DHCP snooping, the ports of a device can be