826 CHAPTER 60: DHCP SNOOPING CONFIGURATION
configured as trusted or untrusted, ensuring that clients obtain IP addresses from 
authorized DHCP servers.
■ Trusted: A trusted port forwards DHCP messages, ensuring that DHCP clients 
can obtain valid IP addresses.
■ Untrusted: The DHCP-ACK or DHCP-OFFER packets received from an untrusted 
port are discarded, preventing DHCP clients from receiving invalid IP addresses.
Application Environment of Trusted Ports
Configuring a trusted port connected with a DHCP server
A port that is connected with a DHCP server directly or indirectly should be 
configured as a trusted port, so that the DHCP snooping device can forward reply 
messages from the DHCP server, ensuring that DHCP clients obtain IP addresses 
from the authorized DHCP server.
As shown in Figure 250, GE1/0/1 on Switch B is connected with Switch A (a DHCP 
server). GE1/0/1 should be configured as a trusted port, so that it can forward 
replies from Switch A.
Figure 250   Configure a trusted port connected with the DHCP server
 
Configuring trusted ports in a cascaded network
In a cascaded network involving multiple DHCP snooping devices, the ports 
connected to other DHCP snooping devices should be configured as trusted ports.
To save system resources, you can disable the trusted ports that are indirectly 
connected with DHCP clients from recording clients’ IP-to-MAC bindings.
As shown in Figure 251, Switch A, Switch B, and Switch C are DHCP snooping 
devices. GE1/0/2 and GE1/0/3 on Switch A, GE1/0/1 and GE1/0/2 on Switch B, and 
GE1/0/2, GE1/0/3, and GE1/0/4 on Switch C are configured as trusted ports. 
On the trusted ports that are not directly connected to DHCP clients (GE1/0/3 on 
Switch A, GE1/0/1 on Switch B, and GE1/0/3 and GE1/0/4 on Switch C), disable 
recording of clients’ IP-to-MAC bindings.
[Diagram labels: Switch A (DHCP server); Switch B (DHCP snooping); ports GE1/0/1, GE1/0/2, GE1/0/3; two DHCP clients]
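The trusted/untrusted forwarding rule described on this page, as an added Python sketch (not code from this manual or from the switch software): it parses the DHCP message type (option 53) from a constructed server reply and applies the per-port decision. The class and function names are hypothetical, the sample packet is constructed, and recording a binding only from a DHCP-ACK is a simplifying assumption.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie (RFC 2131)
OFFER, ACK = 2, 5                    # option 53 message types (RFC 2132)

def parse_dhcp(payload):
    """Return (message type, yiaddr, client MAC) from a BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    yiaddr = ".".join(str(b) for b in payload[16:20])
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + min(payload[2], 16)])
    i, msg_type = 240, None
    while i + 1 < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:                            # pad option, no length byte
            i += 1
            continue
        length = payload[i + 1]
        if payload[i] == 53 and length == 1 and i + 2 < len(payload):
            msg_type = payload[i + 2]
        i += 2 + length
    return msg_type, yiaddr, mac

class SnoopingSwitch:
    """Simplified model: trust check plus binding recording from DHCP-ACK only."""
    def __init__(self, trusted, no_binding=()):
        self.trusted, self.no_binding = set(trusted), set(no_binding)
        self.bindings = {}                             # client MAC -> leased IP

    def receive(self, port, payload):
        msg_type, ip, mac = parse_dhcp(payload)
        if msg_type in (OFFER, ACK) and port not in self.trusted:
            return "drop"                              # server reply on untrusted port
        if msg_type == ACK and port not in self.no_binding:
            self.bindings[mac] = ip
        return "forward"

def build_reply(msg_type, ip, mac):
    """Constructed sample server reply (BOOTREPLY) for the demo."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s192s", 2, 1, 6, 0, 0x1234, 0, 0,
                      bytes(4), bytes(map(int, ip.split("."))), bytes(4),
                      bytes(4), bytes.fromhex(mac.replace(":", "")), b"")
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])

def demo():
    ack = build_reply(ACK, "10.0.0.5", "00:11:22:33:44:55")
    sw_b = SnoopingSwitch(trusted={"GE1/0/1"})         # Switch B as in Figure 250
    cascaded = SnoopingSwitch(trusted={"GE1/0/1", "GE1/0/2"}, no_binding={"GE1/0/1"})
    return (sw_b.receive("GE1/0/2", ack), sw_b.receive("GE1/0/1", ack),
            sw_b.bindings, cascaded.receive("GE1/0/1", ack), cascaded.bindings)
```

In `demo()`, the same DHCP-ACK is dropped on the untrusted port, forwarded and recorded on the trusted port, and forwarded without a binding on the trusted port whose recording is disabled.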