Introduction To Dhcp Snooping; Dhcp Snooping Features Supported By The S9300 - Huawei Quidway S9300 Configuration Manual

2 DHCP Snooping Configuration

2.1 Introduction to DHCP Snooping

This section describes the principle of DHCP snooping.
DHCP snooping intercepts and analyzes DHCP messages transmitted between DHCP clients
and a DHCP server. In this manner, DHCP snooping creates and maintains a DHCP snooping
binding table, and filters untrusted DHCP messages according to the table. The binding table
contains the MAC address, IP address, lease, binding type, VLAN ID, and interface information.
DHCP snooping ensures that authorized users can access the network by recording the mapping
between IP addresses and MAC addresses of clients. In this manner, DHCP snooping acts as a
firewall between DHCP clients and a DHCP server.
DHCP snooping prevents attacks including DHCP Denial of Service (DoS) attacks, bogus DHCP
server attacks, and bogus DHCP messages for extending IP address leases.

2.2 DHCP Snooping Features Supported by the S9300

This section describes the DHCP snooping features supported by the S9300.
The S9300 supports security features such as the trusted interface, DHCP snooping binding
table, binding of the IP address, MAC address, and interface, and Option 82. In this manner,
security of the device enabled with DHCP is ensured.
As the Terabit Routing Switch, the S9300 supports Layer 2 switching functions and Layer 3
routing functions. DHCP snooping can be used in the applications of Layer 2 switching functions
and Layer 3 routing features.
Applying DHCP Snooping on the S9300 on a Layer 2 Network
When being deployed on a Layer 2 network, the S9300 is located between the DHCP relay and
the Layer 2 user network.
DHCP snooping is enabled.
2-2
Figure 2-1 shows the DHCP snooping application on the S9300 where
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
Issue 01 (2009-07-28)