R2511-HP MSR Router Series Layer 3 - IP Services Configuration Guide(V5)

Configuring DHCP snooping
DHCP snooping is supported on fixed Layer 2 switching interfaces on MSR20-1X and MSR900 routers,
and is not supported on MSR93X routers. To use DHCP snooping, other series routers need to install a
FIC-16FSW, DFIC-24FSW, MIM-16FSW, or DMIM-24FSW interface module.
A DHCP snooping-enabled device must be either between the DHCP client and the relay agent, or between
the DHCP client and the DHCP server. It does not work between the DHCP relay agent and the DHCP server,
because there it no longer sees the client-facing port and cannot record which port a client is attached to.
Overview
DHCP snooping classifies ports as trusted or untrusted so that clients obtain IP addresses only from
authorized DHCP servers.
Trusted—A trusted port forwards all DHCP messages normally. The port that connects to the
authorized DHCP server or to the DHCP relay agent must be trusted.
Untrusted—An untrusted port discards the server-originated DHCP-OFFER and DHCP-ACK messages it
receives, which prevents an unauthorized server attached to that port from assigning IP addresses.
Client-facing ports are left untrusted. If the server-facing port is mistakenly left untrusted, replies
from the authorized server are discarded as well and clients cannot obtain addresses.
DHCP snooping creates DHCP snooping entries from the DHCP-REQUEST messages sent by clients and the
matching DHCP-ACK messages received on trusted ports. A DHCP snooping entry records the MAC address
and IP address of a client, the port that connects to the client, and the VLAN of that port.
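The following model of the trusted/untrusted port rule and of entry creation is an added example; it is
not code from this guide or from the router's implementation. It assumes a simplified DHCP message that
carries only the message type, the client MAC address (chaddr), and the assigned address (yiaddr), and
uses constructed port names, VLAN IDs and addresses for illustration. It also shows the failure mode
described above: when the server-facing port is not trusted, the authorized server's replies are dropped.

```python
"""Toy model of DHCP snooping: port trust filtering and snooping-entry creation.

Added example, not from the HP MSR guide. Message fields, port names and
addresses are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Server-originated message types. DHCP snooping discards these on untrusted ports.
SERVER_MESSAGES = {"DHCP-OFFER", "DHCP-ACK"}


@dataclass(frozen=True)
class DhcpMessage:
    kind: str                  # DHCP-DISCOVER / DHCP-OFFER / DHCP-REQUEST / DHCP-ACK
    client_mac: str            # chaddr of the client the message is about
    yiaddr: Optional[str] = None  # address offered or assigned (server messages only)


@dataclass(frozen=True)
class SnoopingEntry:
    mac: str
    ip: str
    port: str   # port that connects to the client
    vlan: int   # VLAN of that port


class DhcpSnooping:
    def __init__(self, trusted_ports) -> None:
        self.trusted = set(trusted_ports)
        # Clients that have sent a DHCP-REQUEST but have not yet been ACKed: mac -> (port, vlan)
        self.pending: Dict[str, Tuple[str, int]] = {}
        self.entries: Dict[str, SnoopingEntry] = {}

    def receive(self, port: str, vlan: int, msg: DhcpMessage) -> bool:
        """Process one DHCP message arriving on `port`. Returns True if forwarded, False if dropped."""
        if msg.kind in SERVER_MESSAGES and port not in self.trusted:
            # A server reply on an untrusted port: either a rogue server or a
            # misconfigured uplink. Either way the message is discarded.
            return False
        if msg.kind == "DHCP-REQUEST":
            # Remember the client-facing port and VLAN from the client's REQUEST.
            self.pending[msg.client_mac] = (port, vlan)
        elif msg.kind == "DHCP-ACK" and msg.yiaddr and msg.client_mac in self.pending:
            # ACK from a trusted port completes the entry: MAC, IP, client port, VLAN.
            client_port, client_vlan = self.pending.pop(msg.client_mac)
            self.entries[msg.client_mac] = SnoopingEntry(
                msg.client_mac, msg.yiaddr, client_port, client_vlan)
        return True


CLIENT_MAC = "00:11:22:33:44:55"

# Constructed exchange: client on Ethernet1/2, authorized server behind the uplink
# Ethernet1/1, and a rogue server answering on Ethernet1/3.
EVENTS: List[Tuple[str, int, DhcpMessage]] = [
    ("Ethernet1/2", 10, DhcpMessage("DHCP-DISCOVER", CLIENT_MAC)),
    ("Ethernet1/3", 10, DhcpMessage("DHCP-OFFER", CLIENT_MAC, "10.0.0.99")),   # rogue server
    ("Ethernet1/1", 10, DhcpMessage("DHCP-OFFER", CLIENT_MAC, "10.0.0.20")),   # authorized server
    ("Ethernet1/2", 10, DhcpMessage("DHCP-REQUEST", CLIENT_MAC)),
    ("Ethernet1/1", 10, DhcpMessage("DHCP-ACK", CLIENT_MAC, "10.0.0.20")),
]


def run_correct_config() -> Tuple[List[bool], Dict[str, SnoopingEntry]]:
    """Uplink trusted, access ports untrusted: rogue OFFER dropped, entry created."""
    snoop = DhcpSnooping(trusted_ports={"Ethernet1/1"})
    forwarded = [snoop.receive(port, vlan, msg) for port, vlan, msg in EVENTS]
    return forwarded, snoop.entries


def run_untrusted_uplink() -> Tuple[List[bool], Dict[str, SnoopingEntry]]:
    """Failure mode: nobody trusted, so the authorized server's replies are dropped too."""
    snoop = DhcpSnooping(trusted_ports=set())
    forwarded = [snoop.receive(port, vlan, msg) for port, vlan, msg in EVENTS]
    return forwarded, snoop.entries


if __name__ == "__main__":
    fwd, entries = run_correct_config()
    print("forwarded:", fwd)
    for entry in entries.values():
        print("snooping entry:", entry)
    fwd_bad, entries_bad = run_untrusted_uplink()
    print("untrusted uplink, forwarded:", fwd_bad, "entries:", len(entries_bad))
```

With the uplink trusted, the rogue OFFER on Ethernet1/3 is the only dropped message and a single entry
(MAC, 10.0.0.20, Ethernet1/2, VLAN 10) results. With no trusted port, every OFFER and ACK is dropped, no
entry is created, and the client never completes its lease; that is the symptom to check for when
snooping is enabled and clients suddenly stop getting addresses.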
The following features rely on DHCP snooping entries:
ARP fast-reply—Uses DHCP snooping entries to reduce ARP broadcast traffic. For more information,
see "Configuring ARP fast-reply."
ARP detection—Uses DHCP snooping entries to filter ARP packets from unauthorized clients. For
more information, see Security Configuration Guide.
IP source guard—Uses DHCP snooping entries to filter illegal packets on a per-port basis. For more
information, see Security Configuration Guide.