Configuration Guide Configuring DHCP Snooping
8.3 Features
Basic Concepts
■ DHCP Request Packets
Request packets are the packets sent from a DHCP client to a DHCP server: DHCP-DISCOVER, DHCP-REQUEST,
DHCP-DECLINE, DHCP-RELEASE and DHCP-INFORM packets.
■ DHCP Response Packets
Response packets are the packets sent from a DHCP server to a DHCP client: DHCP-OFFER, DHCP-ACK
and DHCP-NAK packets.
■ DHCP Snooping Trusted Ports
IP address requests are exchanged via broadcast. An illegal DHCP service on the same network can therefore interfere
with normal clients' acquisition of IP addresses and lead to service spoofing and stealing. To prevent illegal DHCP
services, DHCP Snooping divides ports into two types: trusted ports and untrusted ports. The access device forwards
only the DHCP response packets received on trusted ports; response packets received on untrusted ports are discarded.
By configuring the ports connected to a legal DHCP server as trusted and all other ports as untrusted, illegal
DHCP servers are shielded.
On switches, all switching ports and layer-2 aggregate ports are untrusted by default, and can be specified as trusted.
On wireless access points (APs), all the WLAN interfaces are untrusted and cannot be specified as trusted. In fat AP
configuration mode, all the layer-2 switching ports and layer-2 encapsulation sub-interfaces are untrusted by default and can
be specified as trusted. In fit AP configuration mode, all the layer-2 switching ports are untrusted by default and can be
specified as trusted, while all the layer-2 encapsulation sub-interfaces are trusted and cannot be specified as untrusted. On
wireless access controllers (ACs), all WLAN interfaces are untrusted and cannot be specified as trusted, while all the
switching ports and layer-2 aggregate ports are untrusted by default and can be specified as trusted.
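The trusted-port rule above can be modeled in a few lines. The following Python sketch is an added example, not code from this guide or from the device: it reads the DHCP message type (option 53) from a packet payload, classifies it as a request or a response using the lists in this section, and applies the forwarding decision. The function names and the sample packet builder are hypothetical. It assumes request packets are always forwarded (packet suppression is not modeled) and that unparseable packets are dropped.

```python
import struct

# DHCP message types (option 53, RFC 2132), grouped as this section groups them.
REQUEST_TYPES = {1: "DISCOVER", 3: "REQUEST", 4: "DECLINE", 7: "RELEASE", 8: "INFORM"}
RESPONSE_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def dhcp_message_type(payload: bytes):
    """Return the option 53 value from a BOOTP/DHCP payload, or None if malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:              # end option reached without option 53
            return None
        if code == 0:                # pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(payload):    # truncated before the length byte
            return None
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:     # truncated option value
            return None
        if code == 53 and length == 1:
            return value[0]
        i += 2 + length
    return None


def snoop(port: str, payload: bytes, trusted_ports: set) -> str:
    """Forwarding decision for one DHCP packet received on `port`."""
    mtype = dhcp_message_type(payload)
    if mtype in REQUEST_TYPES:
        return "forward"             # assumption: client requests always pass
    if mtype in RESPONSE_TYPES:
        return "forward" if port in trusted_ports else "drop"
    return "drop"                    # assumption: fail closed on unparseable input


def build_sample(mtype: int) -> bytes:
    """Constructed sample: minimal BOOTP header, magic cookie, option 53, end option."""
    header = struct.pack("!BBBB", 2 if mtype in RESPONSE_TYPES else 1, 1, 6, 0)
    return header + bytes(232) + MAGIC_COOKIE + bytes([53, 1, mtype, 255])
```

With the constructed port name "Gi0/24" as the only trusted port, a DHCP-OFFER arriving on any other port returns "drop", while a DHCP-DISCOVER on the same port returns "forward".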
■ DHCP Snooping Packet Suppression
To shield all the DHCP packets of a specific client, enable DHCP Snooping packet suppression on its untrusted
ports.
■ VLAN-based DHCP Snooping
DHCP Snooping can work on a per-VLAN basis. By default, when DHCP Snooping is enabled, it takes effect on all the VLANs of
the current client. Specifying VLANs helps control the effective range of DHCP Snooping flexibly.
■ DHCP Snooping Binding Database
In a DHCP network, clients may set static IP addresses arbitrarily. This increases not only the difficulty of network
maintenance but also the possibility that legal clients with IP addresses assigned by the DHCP server fail to use the
network normally because of address conflicts. By snooping the packets exchanged between clients and servers, DHCP Snooping
summarizes the user entries, including IP addresses, MAC addresses, VLAN IDs (VIDs), ports and lease time, to build the DHCP