4 DHCP Snooping Configuration
When configuring DHCP snooping, go to these sections for information you are interested in:
- DHCP Snooping Overview
- Configuring DHCP Snooping Basic Functions
- Configuring DHCP Snooping to Support Option 82
- Displaying and Maintaining DHCP Snooping
- DHCP Snooping Configuration Examples

Note:
- A DHCP snooping enabled device does not work if it sits between the DHCP relay agent and the DHCP server; it works when placed between the DHCP client and the relay agent, or between the DHCP client and the DHCP server.
- It is not recommended to enable the DHCP client, BOOTP client, and DHCP snooping on the same device. Otherwise, DHCP snooping entries may fail to be generated, or the BOOTP client/DHCP client may fail to obtain an IP address.
DHCP Snooping Overview
Function of DHCP Snooping
As a DHCP security feature, DHCP snooping implements the following:
1) Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers
2) Recording the IP-to-MAC mappings of DHCP clients
Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers
If an unauthorized DHCP server is present on the network, DHCP clients may obtain invalid IP addresses and network configuration parameters, and then cannot communicate normally with other network devices. With DHCP snooping, the ports of a device can be configured as trusted or untrusted, ensuring that clients obtain IP addresses from authorized DHCP servers.
- Trusted: A trusted port forwards DHCP messages normally but never sends any DHCP message back.
- Untrusted: An untrusted port discards the DHCP-ACK or DHCP-OFFER messages from any DHCP server.
Configure the ports connecting to authorized DHCP servers and to other DHCP snooping devices as trusted, and all other ports as untrusted. With this configuration, DHCP clients obtain IP addresses from authorized DHCP servers only, and unauthorized DHCP servers cannot assign IP addresses to DHCP clients.
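The trusted/untrusted filtering and the binding recording described above, as an added example that is not vendor code: a small model of a DHCP snooping switch that parses the DHCP message type (option 53) and the client MAC/assigned IP from a raw message, drops server replies arriving on untrusted ports, and records the IP-to-MAC binding when a DHCP-ACK passes through. Port names and the sample messages are constructed for illustration.

```python
# Added example (not vendor code): a model of the DHCP snooping filter
# described above. Message layout follows RFC 2131/2132: fixed header,
# magic cookie at offset 236, then options (53 = DHCP message type).
DHCP_OFFER, DHCP_REQUEST, DHCP_ACK = 2, 3, 5
SERVER_TYPES = {DHCP_OFFER, DHCP_ACK}  # replies only a DHCP server sends
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def parse_dhcp(packet: bytes) -> dict:
    """Extract client MAC (chaddr), offered IP (yiaddr) and message type."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    msg = {"yiaddr": ".".join(str(b) for b in packet[16:20]),
           "chaddr": ":".join(f"{b:02x}" for b in packet[28:34]),
           "type": None}
    i = 240
    while i < len(packet) and packet[i] != 255:  # 255 = end option
        if packet[i] == 0:                         # 0 = pad, no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        if code == 53:
            msg["type"] = packet[i + 2]
        i += 2 + length
    return msg

class SnoopingSwitch:
    """Ports are 'trusted' or 'untrusted' as in the section above."""
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}   # client MAC -> port it sent its request on
        self.bindings = {}  # client MAC -> (assigned IP, client port)

    def handle(self, port: str, packet: bytes) -> str:
        msg = parse_dhcp(packet)
        if msg["type"] in SERVER_TYPES and port not in self.trusted:
            return "drop"  # server reply on an untrusted port: rogue server
        if msg["type"] == DHCP_REQUEST:
            self.pending[msg["chaddr"]] = port
        elif msg["type"] == DHCP_ACK:  # record the IP-to-MAC binding
            client_port = self.pending.get(msg["chaddr"])
            self.bindings[msg["chaddr"]] = (msg["yiaddr"], client_port)
        return "forward"

def build_dhcp(msg_type: int, chaddr: bytes, yiaddr: bytes = b"\0" * 4) -> bytes:
    """Constructed sample message: fixed header, cookie, option 53, end."""
    op = 1 if msg_type == DHCP_REQUEST else 2   # 1 = BOOTREQUEST, 2 = BOOTREPLY
    hdr = bytes([op, 1, 6, 0]) + b"\0" * 12 + yiaddr + b"\0" * 8  # to offset 28
    hdr += chaddr + b"\0" * 10 + b"\0" * 192                       # chaddr, sname, file
    return hdr + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])
```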