3Com S7906E Installation Manual

from authorized DHCP servers only, while unauthorized DHCP servers cannot assign IP addresses to 
DHCP clients. 
Recording IP-to-MAC mappings of DHCP clients 
DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to 
record DHCP snooping entries, including MAC addresses of clients, IP addresses obtained by the 
clients, ports that connect to DHCP clients, and VLANs to which the ports belong. With DHCP snooping 
entries, DHCP snooping can implement the following: 
- ARP detection: Whether ARP packets are sent from an authorized client is determined based on DHCP snooping entries. This feature prevents ARP attacks from unauthorized clients. For details, refer to ARP Attack Protection Configuration in the Security Volume.
- IP Source Guard: IP Source Guard uses dynamic binding entries generated by DHCP snooping to filter packets on a per-port basis, and thus prevents unauthorized packets from traveling through. For details, refer to IP Source Guard Configuration in the Security Volume.
- VLAN mapping: The device replaces service provider VLANs (SVLANs) in packets with customer VLANs (CVLANs) by searching corresponding DHCP snooping entries for DHCP client information including IP addresses, MAC addresses, and CVLANs, before sending the packets to clients. For details, refer to VLAN Mapping Configuration in the Access Volume.
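The following Python model is an added example, not code from the 3Com manual or the device firmware. It shows how trusted-port filtering, the DHCP snooping entry (MAC, IP, port, VLAN) and the ARP detection check fit together. The class and function names, port names and addresses are constructed, and taking the client port and VLAN from the DHCP-REQUEST is a modelling assumption.

```python
from dataclasses import dataclass

SERVER_REPLIES = {"DHCP-OFFER", "DHCP-ACK", "DHCP-NAK"}

@dataclass(frozen=True)
class Entry:
    mac: str
    ip: str
    port: str
    vlan: int

class SnoopingDevice:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}   # client MAC -> (port, vlan) learned from DHCP-REQUEST
        self.entries = {}   # client MAC -> Entry (the DHCP snooping table)

    def on_dhcp(self, msg, in_port, vlan, client_mac, ip=None):
        """Process one DHCP message; return True if forwarded, False if dropped."""
        if msg in SERVER_REPLIES and in_port not in self.trusted:
            return False    # server reply arriving on an untrusted port
        if msg == "DHCP-REQUEST":
            self.pending[client_mac] = (in_port, vlan)
        elif msg == "DHCP-ACK" and client_mac in self.pending:
            port, client_vlan = self.pending.pop(client_mac)
            self.entries[client_mac] = Entry(client_mac, ip, port, client_vlan)
        return True

    def arp_allowed(self, in_port, vlan, sender_mac, sender_ip):
        """ARP detection: the sender must match a snooping entry on all four fields."""
        return self.entries.get(sender_mac) == Entry(sender_mac, sender_ip, in_port, vlan)

def run_demo():
    # Constructed topology: GE1/0/1 faces the authorized server, other ports are untrusted.
    sw = SnoopingDevice(trusted_ports={"GE1/0/1"})
    mac = "00e0-fc00-0001"
    results = {
        "rogue_offer": sw.on_dhcp("DHCP-OFFER", "GE1/0/3", 10, mac, "10.9.9.9"),
        "request": sw.on_dhcp("DHCP-REQUEST", "GE1/0/2", 10, mac),
        "ack": sw.on_dhcp("DHCP-ACK", "GE1/0/1", 10, mac, "192.168.10.5"),
    }
    results["arp_client"] = sw.arp_allowed("GE1/0/2", 10, mac, "192.168.10.5")
    results["arp_spoofed_ip"] = sw.arp_allowed("GE1/0/2", 10, mac, "192.168.10.1")
    results["arp_wrong_port"] = sw.arp_allowed("GE1/0/3", 10, mac, "192.168.10.5")
    return sw, results

if __name__ == "__main__":
    print(run_demo()[1])
```
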
Application Environment of Trusted Ports 
Configuring a trusted port connected to a DHCP server 
Figure 5-1 Configure trusted and untrusted ports
[Figure: DHCP snooping device; DHCP server (trusted port); unauthorized DHCP server and DHCP client (untrusted ports); DHCP reply messages]
As shown in Figure 5-1, a DHCP snooping device’s port that is connected to an authorized DHCP 
server should be configured as a trusted port to forward reply messages from the DHCP server, so that 
the DHCP client can obtain an IP address from the authorized DHCP server. 
Configuring trusted ports in a cascaded network 
In a cascaded network involving multiple DHCP snooping devices, the ports connected to other DHCP 
snooping devices should be configured as trusted ports.