Chapter 4 Dhcp Snooping Configuration; Introduction To Dhcp Snooping - H3C S3600 Series Operation Manual

Operation Manual – DHCP
H3C S3600 Series Ethernet Switches-Release 1510

Chapter 4 DHCP Snooping Configuration

Note:
After DHCP-Snooping is enabled on an S3600 Ethernet switch, clients connected with
this switch cannot obtain IP addresses dynamically through BOOTP.

4.1 Introduction to DHCP Snooping

For the sake of security, the IP addresses used by online DHCP clients need to be
tracked for the administrator to verify the corresponding relationship between the IP
addresses the DHCP clients obtained from DHCP servers and the MAC addresses of
the DHCP clients.
Layer 3 switches can track DHCP client IP addresses through DHCP relay.
Layer 2 switches can track DHCP client IP addresses through the DHCP snooping
function, which listens DHCP broadcast packets.
When an unauthorized DHCP server exists in the network, a DHCP client may obtains
an illegal IP address. To ensure that the DHCP clients obtain IP addresses from valid
DHCP servers, you can specify a port to be a trusted port or an untrusted port by the
DHCP snooping function.
Trusted ports can be used to connect DHCP servers or ports of other switches.
Untrusted ports can be used to connect DHCP clients or networks.
Untrusted ports drop the DHCP-ACK and DHCP-OFFER packets received from
DHCP servers. Trusted ports forward any received DHCP packets to ensure that
DHCP clients can obtain IP addresses from valid DHCP servers.
Figure 4-1 illustrates a typical network diagram for DHCP snooping application, where
Switch A is an S3600 series Ethernet switch.
Chapter 4 DHCP Snooping Configuration
4-1