Dhcp Snooping Configuration; Dhcp Snooping Overview; Functions Of Dhcp Snooping - HP A7500 Series Configuration Manual

Layer 3 - ip services
Hide thumbs Also See for A7500 Series:
Table of Contents

Advertisement

DHCP snooping configuration

NOTE:
The DHCP snooping-enabled device must be either between the DHCP client and relay agent, or between
the DHCP client and server. It does not work if it is between the DHCP relay agent and DHCP server.

DHCP snooping overview

Functions of DHCP snooping

DHCP snooping can:
Ensure that DHCP clients obtain IP addresses from authorized DHCP servers
1.
Record IP-to-MAC mappings of DHCP clients
2.
Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers
With DHCP snooping, the ports of a switch can be configured as trusted or untrusted to ensure that clients
obtain IP addresses only from authorized DHCP servers.
Trusted: A trusted port forwards DHCP messages normally to ensure the clients get IP addresses
from an authorized DHCP server.
Untrusted: An untrusted port discards received DHCP-ACK and DHCP-OFFER messages to avoid IP
address allocation from any unauthorized server.
Configure ports that connect to authorized DHCP servers or other DHCP snooping devices as trusted,
and configure other ports as untrusted.
Recording IP-to-MAC mappings of DHCP clients
DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to record
DHCP snooping entries. A DHCP snooping entry includes the MAC and IP addresses of the client, the
port that connects to the DHCP client, and the VLAN of the port. Using DHCP snooping entries, DHCP
snooping can implement the following functions:
ARP detection: Whether ARP packets are sent from an authorized client is determined based on
DHCP snooping entries. This feature prevents ARP attacks from unauthorized clients. For more
information, see the Security Configuration Guide.
IP source guard: IP source guard uses dynamic binding entries generated by DHCP snooping to
filter packets on a per-port basis. This prevents unauthorized packets from traveling through. For
more information, see the Security Configuration Guide.
VLAN mapping: The device replaces service provider VLANs (SVLANs) in packets with customer
VLANs (CVLANs) by searching corresponding DHCP snooping entries for DHCP client information
including IP addresses, MAC addresses, and CVLANs, before sending the packets to clients. For
more information, see the Layer 2—LAN Switching Configuration Guide.
70

Advertisement

Table of Contents
loading

Table of Contents