H3C S7500E Series Ethernet Switches Operation Manual
Operation Manual – DHCP
H3C S7500E Series Ethernet Switches Chapter 5 DHCP Snooping Configuration
II. Ensuring that DHCP clients obtain IP addresses from valid DHCP servers
If there is an unauthorized DHCP server on a network, the DHCP clients may obtain
invalid IP addresses. With DHCP snooping, the ports of a device can be configured as
trusted or untrusted, ensuring that clients obtain IP addresses only from authorized DHCP
servers.
• Trusted: A trusted port forwards DHCP messages normally to guarantee that
DHCP clients can obtain valid IP addresses from a DHCP server.
• Untrusted: An untrusted port discards the DHCP-ACK or DHCP-OFFER packets
from any DHCP server to prevent DHCP clients from receiving invalid IP
addresses.
5.1.2 Application Environment of Trusted Ports
I. Configuring a trusted port connected to a DHCP server
A DHCP snooping device’s port that is connected to an authorized DHCP server
directly or indirectly should be configured as a trusted port to forward reply messages
from the DHCP server.
As shown in Figure 5-1, GE2/0/1 on Switch B is connected to Switch A (a DHCP server).
GE2/0/1 should be configured as a trusted port, so that it can forward replies from
Switch A.
[Figure: Switch A (DHCP server); Switch B (DHCP snooping) with ports GE2/0/1, GE2/0/2, and GE2/0/3; two DHCP clients]
Figure 5-1 Configure a trusted port connected with a DHCP server
II. Configuring trusted ports in a cascaded network
In a cascaded network involving multiple DHCP snooping devices, the ports connected
to other DHCP snooping devices should be configured as trusted ports.
To save system resources, you can disable trusted ports that are indirectly
connected to DHCP clients from recording the clients’ IP-to-MAC bindings.
As shown in Figure 5-2, Switch A, Switch B, and Switch C are DHCP snooping devices.
GE2/0/2 and GE2/0/3 on Switch A, GE2/0/1 and GE2/0/2 on Switch B, and GE2/0/2,
GE2/0/3, and GE2/0/4 on Switch C are configured as trusted ports. Disable the trusted