4-2
Recording IP-to-MAC mappings of DHCP clients
DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to
record DHCP snooping entries, including MAC addresses of clients, IP addresses obtained by the
clients, ports that connect to DHCP clients, and VLANs to which the ports belong. With DHCP snooping
entries, DHCP snooping can implement the following:
z ARP detection: Whether ARP packets are sent from an authorized client is determined based on
DHCP snooping entries. This feature prevents ARP attacks from unauthorized clients. For details,
refer to ARP Configuration in the IP Services Volume.
z IP Source Guard: IP Source Guard uses dynamic binding entries generated by DHCP snooping to
filter packets on a per-port basis, and thus prevents unauthorized packets from traveling through.
For details, refer to IP Source Guard Configuration in the Security Volume.
Application Environment of Trusted Ports
Configuring a trusted port connected to a DHCP server
Figure 4-1 Configure trusted and untrusted ports
Trusted
DHCP server
DHCP snooping
Untrusted Untrusted
Unauthorized
DHCP server
DHCP client
DHCP reply messages
As shown in
Figure 4-1, a DHCP snooping device’s port that is connected to an authorized DHCP
server should be configured as a trusted port to forward reply messages from the DHCP server, so that
the DHCP client is guaranteed to obtain IP addresses from the authorized DHCP server.
Configuring trusted ports in a cascaded network
In a cascaded network involving multiple DHCP snooping devices, the ports connected to other DHCP
snooping devices should be configured as trusted ports.
To save system resources, you can disable the trusted ports, which are indirectly connected to DHCP
clients, from recording clients’ IP-to-MAC bindings upon receiving DHCP requests.
To Next Page
Loading...
Need help?
General