R3303-HP HSR6800 Routers Layer 3 - IP Services Configuration Guide
Configuring DHCP snooping
A DHCP snooping-enabled device must be either between the DHCP client and relay agent, or between
the DHCP client and server. It does not work if it is between the DHCP relay agent and DHCP server.
This feature is supported only when SAP modules operate in bridge mode.
Overview
DHCP snooping defines trusted and untrusted ports to make sure that clients obtain IP addresses only
from authorized DHCP servers.
• Trusted—A trusted port forwards DHCP messages normally, so that clients get IP
addresses from authorized DHCP servers.
• Untrusted—An untrusted port discards received DHCP-ACK and DHCP-OFFER messages to
prevent unauthorized servers from assigning IP addresses.
DHCP snooping reads DHCP-ACK messages received from trusted ports and DHCP-REQUEST
messages to create DHCP snooping entries. A DHCP snooping entry includes the MAC and IP
addresses of a client, the port that connects to the DHCP client, and the VLAN of the port.
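The forwarding and entry-creation rules above, modeled in Python as an added example (this is not HP code and is not taken from this guide). The port names P1 to P3, the addresses, and the way a DHCP-REQUEST is paired with the later DHCP-ACK are assumptions made for illustration.

```python
from dataclasses import dataclass

SERVER_REPLIES = {"DHCP-OFFER", "DHCP-ACK"}  # message types an untrusted port discards

@dataclass(frozen=True)
class Entry:
    mac: str
    ip: str
    port: str   # port that connects to the DHCP client
    vlan: int   # VLAN of that port

class SnoopingModel:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}   # client MAC -> (port, vlan) learned from DHCP-REQUEST
        self.entries = {}   # client MAC -> Entry

    def receive(self, port, vlan, msg_type, client_mac, ip=None):
        """Return 'forward' or 'discard' for one DHCP message received on a port."""
        if msg_type in SERVER_REPLIES and port not in self.trusted:
            return "discard"            # reply from an unauthorized server
        if msg_type == "DHCP-REQUEST":
            self.pending[client_mac] = (port, vlan)
        elif msg_type == "DHCP-ACK" and client_mac in self.pending:
            # Assumption: the REQUEST supplies the client port and VLAN,
            # the ACK seen on a trusted port supplies the assigned IP address.
            cport, cvlan = self.pending.pop(client_mac)
            self.entries[client_mac] = Entry(client_mac, ip, cport, cvlan)
        return "forward"

def run_demo():
    # Constructed topology: authorized server behind P1, client on P2, rogue server on P3.
    sw = SnoopingModel(trusted_ports={"P1"})
    mac = "00:11:22:33:44:55"
    verdicts = [
        sw.receive("P2", 10, "DHCP-DISCOVER", mac),
        sw.receive("P3", 10, "DHCP-OFFER", mac, "10.66.0.9"),    # rogue server
        sw.receive("P1", 10, "DHCP-OFFER", mac, "192.0.2.20"),
        sw.receive("P2", 10, "DHCP-REQUEST", mac),
        sw.receive("P3", 10, "DHCP-ACK", mac, "10.66.0.9"),      # rogue server
        sw.receive("P1", 10, "DHCP-ACK", mac, "192.0.2.20"),
    ]
    return verdicts, sw.entries

if __name__ == "__main__":
    verdicts, entries = run_demo()
    print(verdicts)
    print(entries)
```

The only entry created binds the client MAC to the address acknowledged through the trusted port, together with the client's own port and VLAN; this is the record that ARP detection and IP source guard later match against.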
The following features need to use DHCP snooping entries:
• ARP detection—Uses DHCP snooping entries to filter ARP packets from unauthorized clients. For
more information, see Security Configuration Guide.
• IP source guard—Uses DHCP snooping entries to filter illegal packets on a per-port basis. For more
information, see Security Configuration Guide.
• VLAN mapping—The device replaces service provider VLANs (SVLANs) in packets with customer
VLANs (CVLANs) by searching corresponding DHCP snooping entries for DHCP client information
including IP addresses, MAC addresses, and CVLANs, before sending the packets to clients. For
more information, see Layer 2—LAN Switching Configuration Guide.