Operation Manual – DHCP
H3C S3100 Series Ethernet Switches Chapter 2 DHCP Snooping Configuration
2-2
2.1.2 Introduction to DHCP Snooping Trusted/Untrusted Ports
When an unauthorized DHCP server exists in the network, a DHCP client may obtains
an illegal IP address. To ensure that the DHCP clients obtain IP addresses from valid
DHCP servers, The S3100-EI series Ethernet switches can specify a port to be a
trusted port or an untrusted port by the DHCP snooping function.
z Trusted: A trusted port is connected to an authorized DHCP server directly or
indirectly. It forwards DHCP messages to guarantee that DHCP clients can obtain
valid IP addresses.
z Untrusted: An untrusted port is connected to an unauthorized DHCP server. The
DHCP-ACK or DHCP-OFFER packets received from the port are discarded,
preventing DHCP clients from receiving invalid IP addresses.
2.1.3 Introduction to Unauthorized DHCP Server Detection
S3100-SI series Ethernet switches do not support the DHCP snooping trusted port
function due to limited ACL resources; however, they provide the unauthorized DHCP
server detection feature to guard against network troubles caused by unauthorized
DHCP servers, or prevent an attacker from assigning IP addresses to clients as a valid
DHCP server.
After you enable this feature on a downstream port (which is connected to DHCP
clients directly or indirectly) of a DHCP snooping enabled switch, the switch sends a
DHCP-DISCOVER message. If a DHCP-OFFER message is received from the
downstream port, an unauthorized DHCP server is considered present, and the switch
either sends a trap, or sends a trap and administratively shuts down the port as
configured.
 Note:
The port that is shut down administratively is in the closed state and cannot receive or
forward packets; however, using the display current-configuration command cannot
display the port state. You can use the undo shutdown command in port view to
enable this port.
To prevent any unauthorized DHCP server from filtering DHCP-DISCOVER messages
sent by the DHCP snooping device, you can specify a source MAC address for such
messages.
To Next Page
Loading...
Need help?
General