3Com 4210 User Manual

DHCP Snooping Configuration Guide
[SwitchA] dhcp-security static 10.10.10.5 0001-0010-0001 
# Enable the address check function on the DHCP relay agent.
[SwitchA] interface Vlan-interface 1
[SwitchA-Vlan-interface1] address-check enable 
Currently, a Switch 4500 operating as a DHCP relay agent does not support the 
address check function.
Complete Configuration
#
dhcp-server 1 ip 10.1.1.1
#
dhcp-security static 10.10.10.5 0001-0010-0001
#
interface Vlan-interface1
ip address 10.10.1.1 255.255.255.0
dhcp-server 1
address-check enable
Precautions
Configure the DHCP server so that the DHCP clients can obtain IP addresses
from it. For DHCP server configuration information, refer to the “DHCP Server
Global Address Pool Configuration Guide” on page 195.
The DHCP relay agent and the DHCP server must be reachable to each other.
DHCP Snooping Configuration Guide
For security, a network administrator needs to use the mappings between the IP
addresses that DHCP clients obtain from the DHCP server and the clients’ MAC
addresses. DHCP snooping records these mappings from:
DHCP-ACK packets
DHCP-REQUEST packets
If there is an unauthorized DHCP server on a network, DHCP clients may obtain
invalid IP addresses. With DHCP snooping, the ports of a device can be
configured as trusted or untrusted to ensure that clients obtain IP addresses
from authorized DHCP servers.
Trusted: A trusted port is connected to an authorized DHCP server directly or 
indirectly. It forwards DHCP messages normally to guarantee that DHCP clients 
can obtain valid IP addresses.
Untrusted: An untrusted port is connected to an unauthorized DHCP server. 
The DHCP-ACK or DHCP-OFFER packets received on the port are discarded to 
prevent DHCP clients from receiving invalid IP addresses.
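
The trusted/untrusted decision and the binding table described above, modelled in Python as an added example (not 3Com's implementation and not code from the manual). The port names, the `Snooper` class and the rule that a binding is committed when a DHCP-ACK on a trusted port follows a DHCP-REQUEST are assumptions for illustration; the sample packets are constructed.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie (RFC 2131)
OFFER, REQUEST, ACK = 2, 3, 5          # option 53 message types (RFC 2132)

def parse_dhcp(payload):
    """Return (message type, yiaddr, client MAC) from a BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    yiaddr = ".".join(map(str, payload[16:20]))
    mac = payload[28:28 + min(payload[2], 16)].hex("-", 2)   # e.g. 0001-0010-0001
    i, mtype = 240, None
    while i + 1 < len(payload) and payload[i] != 255:        # 255 = end option
        if payload[i] == 0:                                  # 0 = pad option
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            mtype = payload[i + 2]
        i += 2 + length
    return mtype, yiaddr, mac

class Snooper:
    """Simplified model of a snooping switch (hypothetical, for illustration)."""
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}     # MAC -> port the DHCP-REQUEST arrived on
        self.bindings = {}    # MAC -> (IP address, client port)

    def handle(self, port, payload):
        mtype, yiaddr, mac = parse_dhcp(payload)
        if mtype in (OFFER, ACK) and port not in self.trusted:
            return "drop"                     # server reply on an untrusted port
        if mtype == REQUEST:
            self.pending[mac] = port
        elif mtype == ACK and mac in self.pending:
            self.bindings[mac] = (yiaddr, self.pending.pop(mac))
        return "forward"

def build(mtype, mac, yiaddr="0.0.0.0"):
    """Construct a minimal sample DHCP payload (test data, not a capture)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s192x", 1 if mtype == REQUEST else 2,
                      1, 6, 0, 0x1234, 0, 0, bytes(4),
                      bytes(map(int, yiaddr.split("."))), bytes(4), bytes(4),
                      bytes.fromhex(mac.replace("-", "")))
    return hdr + MAGIC + bytes([53, 1, mtype, 255])
```

Feeding `handle()` a DHCP-ACK on a port that is not in the trusted set returns `"drop"` and leaves the binding table unchanged, which is the behaviour to confirm on a real switch after marking only the uplink toward the authorized server as trusted.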