Application Environment Of Trusted Ports - H3C S5500-EI series Operation Manual

Operation Manual – DHCP
H3C S5500-EI Series Ethernet Switches
II. Ensuring DHCP clients to obtain IP addresses from valid DHCP servers
If there is an unauthorized DHCP server on a network, the DHCP clients may obtain
invalid IP addresses. With DHCP snooping, the ports of a device can be configured as
trusted or untrusted, ensuring the clients to obtain IP addresses from authorized DHCP
servers.
Trusted: A trusted port forwards DHCP messages, ensuring that DHCP clients can
obtain valid IP addresses.
Untrusted: The DHCP-ACK or DHCP-OFFER packets received from an untrusted
port are discarded, preventing DHCP clients from receiving invalid IP addresses.

5.1.2 Application Environment of Trusted Ports

I. Configuring a trusted port connected with a DHCP server
A port that is connected with a DHCP server directly or indirectly should be configured
as a trusted port, so that the DHCP snooping device can forward reply messages from
the DHCP server, ensuring the DHCP clients to obtain IP addresses from the
authorized DHCP server.
As shown in
server). GE1/0/1 should be configured as a trusted port, so that it can forward replies
from Switch A.
Figure 5-1 Configure a trusted port connected with the DHCP sever
II. Configuring trusted ports in a cascaded network
In a cascaded network involving multiple DHCP snooping devices, the ports connected
to other DHCP snooping devices should be configured as trusted ports.
To save system resources, you can disable the trusted ports, which are indirectly
connected with DHCP clients, from recording clients' IP-to-MAC bindings.
As shown in
GE1/0/2 and GE1/0/3 on Switch A, GE1/0/1 and GE1/0/2 on Switch B, and GE1/0/2,
GE1/0/3, and GE1/0/4 on Switch C are configured as trusted ports. Disable the trusted
Figure 5-1, GE1/0/1 on Switch B is connected with Switch A (a DHCP
Figure 5-2, Switch A, Switch B, and Switch C are DHCP snooping devices.
Chapter 5 DHCP Snooping Configuration
5-2