Chapter 4 Dhcp Snooping Configuration; Dhcp Snooping Overview; Introduction - H3C S9500 Series Operation Manual

Operation Manual – DHCP
H3C S9500 Series Routing Switches

Chapter 4 DHCP Snooping Configuration

When configuring DHCP snooping, go to these sections for information you are
interested in:

DHCP Snooping Overview

DHCP Snooping Configuration
Displaying and Maintaining DHCP Snooping
DHCP Snooping Configuration Example
Wrong DHCP Snooping Networking Examples
4.1 DHCP Snooping Overview

4.1.1 Introduction

As a DHCP security feature, DHCP snooping can implement the following:
I. Preventing DHCP clients from obtaining IP addresses from unauthorized
DHCP servers
With DHCP snooping, the ports of a device can be configured as trusted or untrusted.
Trusted: Ports that are connected to authorized DHCP servers or other authorized
devices are configured as trusted ports, which can forward DHCP messages
normally to guarantee that DHCP clients can obtain valid IP addresses.
Untrusted: An untrusted port discards DHCP-ACK and DHCP-OFFER packets
received from any DHCP server to prevent DHCP clients from receiving invalid IP
addresses.
II. Preventing illegal clients from accessing the external network
When a client obtains an IP address from a DHCP server, DHCP snooping records the
client's IP and MAC addresses, port name (common port or aggregate port), and VLAN
ID by reading its DHCP message and saves the information in the DHCP snooping
table.
DHCP snooping prevents illegal clients from accessing the external network in
cooperation with ARP. When a client wants to access the external network, it sends an
ARP request to the gateway. Then, DHCP snooping intercepts the ARP request and
checks the client's information against the DHCP snooping entries:
If the client is legal, a matching DHCP snooping entry can be found and the DHCP
snooping device sends an ARP reply or forwards the ARP request. Then, the
client can access the network normally.
Chapter 4 DHCP Snooping Configuration
4-1