DHCP Snooping Configuration Guide 201

 

[SwitchA] dhcp-security static 10.10.10.5 0001-0010-0001

 

# Enable the address check function on the DHCP relay agent.

 

[SwitchA] interface Vlan-interface 1

 

[SwitchA-Vlan-interface1] address-check enable

 

Currently, a Switch 4500 operating as a DHCP relay agent does not support the

 

address check function.

Complete Configuration

#

 

dhcp-server 1 ip 10.1.1.1

 

#

 

dhcp-security static 10.10.10.5 0001-0010-0001

 

#

 

interface Vlan-interface1

 

ip address 10.10.1.1 255.255.255.0

 

dhcp-server 1

 

address-check enable

 

#

Precautions

You need to perform corresponding configurations on the DHCP server to

 

enable the DHCP clients to obtain IP addresses from the DHCP server. For DHCP

 

server configuration information, refer to the “DHCP Server Global Address

 

Pool Configuration Guide” on page 195.

 

The DHCP relay agent and server are reachable to each other.

 

 

DHCP Snooping

For security, a network administrator needs to use the mappings between DHCP

Configuration Guide

clients’ IP addresses obtained from the DHCP server and their MAC addresses.

 

DHCP snooping is used to record such mappings from:

 

DHCP-ACK packets

 

DHCP-REQUEST packets

 

If there is an unauthorized DHCP server on a network, the DHCP clients may

 

obtain invalid IP addresses. With DHCP snooping, the ports of a device can be

 

configured as trusted or untrusted to ensure the clients to obtain IP addresses

 

from authorized DHCP servers.

 

Trusted: A trusted port is connected to an authorized DHCP server directly or

 

indirectly. It forwards DHCP messages normally to guarantee that DHCP clients

 

can obtain valid IP addresses.

 

Untrusted: An untrusted port is connected to an unauthorized DHCP server.

 

The DHCP-ACK or DHCP-OFFER packets received on the port are discarded to

 

prevent DHCP clients from receiving invalid IP addresses.

Page 201
Image 201
3Com 5500G, 4210, 4200G manual Dhcp Snooping