Dhcp Snooping And Acl - H3C S9500 Series Operation Manual

Operation Manual – DHCP
H3C S9500 Series Routing Switches
If the client's IP address is manually configured, no matching DHCP snooping
entry can be found. Thus, the client cannot receive any ARP reply and will fail to
access the network.
Caution:
The ports of DHCP snooping entries can be manual or static aggregate ports, but
cannot be dynamic aggregate ports. So, the downstream ports of DHCP snooping
devices cannot be configured with dynamic aggregation.

4.1.2 DHCP Snooping and ACL

If DHCP snooping is enabled globally, the system automatically create an ACL to
filter out packets with source UDP port 67. Disabling DHCP snooping globally
removes the ACL.
If DHCP snooping is enabled on a VLAN, the system automatically create an ACL
to redirect packets received from the VLAN and with source UDP port 68 to the
CPU. Disabling DHCP snooping on the VLAN removes the ACL.
If you configure a port as trusted, the system automatically create an ACL to
redirect packets received from the port and with source UDP port 67 to the CPU.
Disabling the trusted port function removes the ACL.
If the security check function is enabled on a port, the system uses create an ACL
to redirect all ARP packets received from the port to the CPU. Disabling security
check on the port removes the ACL.
Chapter 4 DHCP Snooping Configuration
4-2