DHCP snooping configuration
• The DHCP snooping-enabled device must be either between the DHCP client and relay agent, or between the DHCP client and server. It does not work if it is between the DHCP relay agent and DHCP server.
DHCP snooping overview
Function of DHCP snooping
As a DHCP security feature, DHCP snooping can do the following:
1. Ensure that DHCP clients obtain IP addresses from authorized DHCP servers
2. Record IP-to-MAC mappings of DHCP clients
Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers
If DHCP clients obtain invalid IP addresses and network configuration parameters (for example, a wrong default gateway or DNS server address) from an unauthorized DHCP server, they will be unable to communicate normally with other network devices, or their traffic can be steered through the host that answered. With DHCP snooping, the ports of a switch can be configured as trusted or untrusted to ensure that clients obtain IP addresses only from authorized DHCP servers.
• Trusted: A trusted port forwards DHCP messages normally, including the DHCP-OFFER and DHCP-ACK messages sent by DHCP servers; the snooping device itself never sends any DHCP message back.
• Untrusted: An untrusted port discards DHCP-OFFER and DHCP-ACK messages received from any DHCP server, so a server attached to such a port cannot answer clients.
Configure ports that connect to authorized DHCP servers or to other DHCP snooping switches as trusted, and configure all other ports as untrusted. This ensures that DHCP clients obtain IP addresses from authorized DHCP servers only.
Recording IP-to-MAC mappings of DHCP clients
DHCP snooping reads the DHCP-REQUEST messages sent by clients and the DHCP-ACK messages received on trusted ports to record DHCP snooping entries. A DHCP snooping entry includes the following:
• MAC address of the client
• IP address obtained by the client
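The following Python model is an added example, not part of this guide and not the switch's own implementation. It carries both mechanisms described above through one constructed DHCP exchange: DHCP-OFFER and DHCP-ACK messages that arrive on an untrusted port are dropped, and an IP-to-MAC binding is recorded when a DHCP-ACK from a trusted port answers a client's DHCP-REQUEST. The port names, VLAN ID, MAC and IP addresses and lease times are made up for the illustration, and the frames are built by the example itself.

```python
"""Reference model of DHCP snooping port rules and binding recording.

Added example (not vendor code). Parses minimal DHCP payloads (BOOTP header
plus options), drops server messages received on untrusted ports, and records
IP-to-MAC bindings from REQUEST/ACK pairs. All frames below are constructed.
"""
import struct
from dataclasses import dataclass

# DHCP message types carried in option 53 (RFC 2132)
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
SERVER_MSGS = {OFFER, ACK}          # only legitimate servers send these
MAGIC = b"\x63\x82\x53\x63"         # DHCP magic cookie at offset 236


def parse_dhcp(payload: bytes) -> dict:
    """Return op, client MAC (chaddr), yiaddr and options of a raw DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, hlen = payload[0], payload[2]
    yiaddr = ".".join(str(b) for b in payload[16:20])
    chaddr = payload[28:28 + hlen].hex(":")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                          # 0 = pad
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "chaddr": chaddr, "yiaddr": yiaddr, "options": opts}


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str   # the client's ingress port, learned from its REQUEST
    lease: int  # seconds, from option 51 in the ACK


class DhcpSnooping:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}   # (vlan, mac) -> Binding
        self.pending = {}    # (vlan, mac) -> port that sent the REQUEST
        self.dropped = []    # (port, message type) of discarded frames

    def process(self, port: str, vlan: int, payload: bytes) -> bool:
        """Apply snooping to one ingress frame; return True if it is forwarded."""
        msg = parse_dhcp(payload)
        mtype = msg["options"].get(53, b"\x00")[0]
        if mtype in SERVER_MSGS and port not in self.trusted:
            self.dropped.append((port, mtype))          # rogue server: discard
            return False
        if mtype == REQUEST:
            self.pending[(vlan, msg["chaddr"])] = port  # remember the client port
        elif mtype == ACK:
            key = (vlan, msg["chaddr"])
            if key in self.pending:                      # ACK from a trusted port
                lease = struct.unpack("!I", msg["options"][51])[0]
                self.bindings[key] = Binding(msg["chaddr"], msg["yiaddr"], vlan,
                                             self.pending.pop(key), lease)
        return True


def build_dhcp(op, mtype, mac, yiaddr="0.0.0.0", lease=None) -> bytes:
    """Construct a minimal DHCP payload for the example (constructed data)."""
    hw = bytes.fromhex(mac.replace(":", ""))
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s", op, 1, len(hw), 0, 0x3903F326, 0, 0x8000,
                      b"\x00" * 4, bytes(int(x) for x in yiaddr.split(".")),
                      b"\x00" * 4, b"\x00" * 4, hw.ljust(16, b"\x00"))
    body = hdr + b"\x00" * 192 + MAGIC + bytes([53, 1, mtype])   # sname+file, cookie, opt 53
    if lease is not None:
        body += bytes([51, 4]) + struct.pack("!I", lease)         # option 51: lease time
    return body + b"\xff"


def run_scenario():
    """Constructed exchange: authorized server on trusted Gi1/0/24, rogue on Gi1/0/2."""
    sw = DhcpSnooping(trusted_ports={"Gi1/0/24"})
    client, vlan = "00:11:22:33:44:55", 10
    results = [
        sw.process("Gi1/0/1", vlan, build_dhcp(1, DISCOVER, client)),
        sw.process("Gi1/0/2", vlan, build_dhcp(2, OFFER, client, "192.168.1.200")),         # rogue OFFER
        sw.process("Gi1/0/24", vlan, build_dhcp(2, OFFER, client, "192.168.1.50")),
        sw.process("Gi1/0/1", vlan, build_dhcp(1, REQUEST, client)),
        sw.process("Gi1/0/2", vlan, build_dhcp(2, ACK, client, "192.168.1.200", 3600)),    # rogue ACK
        sw.process("Gi1/0/24", vlan, build_dhcp(2, ACK, client, "192.168.1.50", 86400)),
    ]
    return results, sw


if __name__ == "__main__":
    forwarded, sw = run_scenario()
    print("forwarded:", forwarded)           # [True, False, True, True, False, True]
    print("dropped:", sw.dropped)            # rogue OFFER and ACK on Gi1/0/2
    for b in sw.bindings.values():
        print(b)
```

The binding is keyed on VLAN and client MAC and stores the port the client's DHCP-REQUEST arrived on, which is the port a switch needs later when it uses the snooping table to validate client traffic; the rogue server's OFFER and ACK never reach the client because they arrive on a port that is not trusted.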