Dhcp Snooping; Configuring Dhcp Snooping - 3Com 7757 Configuration Manual

59
Configuring DHCP
Snooping
Introduction to DHCP
Snooping
DHCP S
NOOPING
For the sake of security, the IP addresses used by online DHCP clients need to be
tracked for the administrator to verify the corresponding relationship between the
IP addresses the DHCP clients obtained from DHCP servers and the MAC addresses
of the DHCP clients.
Layer 3 switches can track DHCP client IP addresses through a DHCP relay
■
agent.
Layer 2 switches can track DHCP client IP addresses through the DHCP
■
snooping function, which listens to DHCP broadcast packets.
When an unauthorized DHCP server exists in the network, a DHCP client may
obtain an illegal IP address. To ensure that the DHCP clients obtain IP addresses
from valid DHCP servers, you can specify a port to be a trusted port or an
untrusted port through the DHCP snooping function.
Trusted: A trusted port is connected to an authorized DHCP server directly or
■
indirectly. It forwards DHCP messages to guarantee that DHCP clients can
obtain valid IP addresses.
Untrusted: An untrusted port is connected to an unauthorized DHCP server.
■
The DHCP-ACK or DHCP-OFFER packets received from the port are discarded,
preventing DHCP clients from receiving invalid IP addresses.
Figure 157 illustrates a typical network diagram for DHCP snooping application,
where Switch A is a Switch 7750.
C
ONFIGURATION