HP 6125XLG R2306-HP 6125XLG Blade Switch Layer 3 - IP Services Configuration G - Page 73
Configuring DHCP snooping

DHCP snooping works between the DHCP client and server, or between the DHCP client and relay agent. It guarantees that DHCP clients obtain IP addresses from authorized DHCP servers. It also records the IP-to-MAC bindings of DHCP clients (called DHCP snooping entries) for security purposes.

DHCP snooping does not work between the DHCP server and the DHCP relay agent.

Overview

DHCP snooping defines trusted and untrusted ports to make sure that clients obtain IP addresses only from authorized DHCP servers.

• Trusted: A trusted port forwards DHCP messages normally, so that clients get IP addresses from authorized DHCP servers.
• Untrusted: An untrusted port discards received DHCP-ACK and DHCP-OFFER messages, which prevents unauthorized servers from assigning IP addresses.

DHCP snooping reads DHCP-ACK messages received from trusted ports, and DHCP-REQUEST messages, to create DHCP snooping entries. A DHCP snooping entry includes the MAC and IP addresses of a client, the port that connects to the DHCP client, and the VLAN.

The following features use DHCP snooping entries:

• ARP detection: Uses DHCP snooping entries to filter ARP packets from unauthorized clients. For more information, see Security Configuration Guide.
• IP source guard: Uses DHCP snooping entries to filter illegal packets on a per-port basis. For more information, see Security Configuration Guide.

Application of trusted and untrusted ports

Configure ports facing the DHCP server as trusted ports, and configure all other ports as untrusted ports.

As shown in Figure 26, configure the DHCP snooping device's port that is connected to the DHCP server as a trusted port. The trusted port forwards response messages from the DHCP server to the client. The untrusted port connected to the unauthorized DHCP server discards incoming DHCP response messages.
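The trust-based filtering and entry creation described above, written out as a small Python model. This is an added illustration, not code from the HP manual or the switch; the message fields, port names and the client/server addresses are constructed for the example.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK"}  # DHCP server responses


@dataclass
class DhcpMsg:
    kind: str         # DISCOVER, OFFER, REQUEST or ACK
    port: str         # port the snooping device received it on
    vlan: int
    client_mac: str
    yiaddr: str = ""  # address handed out by the server (OFFER/ACK only)


@dataclass
class SnoopingDevice:
    trusted: set = field(default_factory=set)
    requests: dict = field(default_factory=dict)  # client MAC -> (port, vlan)
    entries: dict = field(default_factory=dict)   # client MAC -> binding

    def process(self, msg):
        """Filter one DHCP message; returns 'forward' or 'drop'."""
        # Untrusted ports never forward server responses, so a rogue
        # server plugged into one cannot hand out addresses.
        if msg.kind in SERVER_MSGS and msg.port not in self.trusted:
            return "drop"
        if msg.kind == "REQUEST":
            # Remember which client-facing port/VLAN the client sits on.
            self.requests[msg.client_mac] = (msg.port, msg.vlan)
        elif msg.kind == "ACK" and msg.client_mac in self.requests:
            # ACK from a trusted port completes the binding: MAC, IP,
            # client-facing port and VLAN form a DHCP snooping entry.
            port, vlan = self.requests.pop(msg.client_mac)
            self.entries[msg.client_mac] = {"ip": msg.yiaddr, "port": port, "vlan": vlan}
        return "forward"


def run_scenario():
    """Constructed traffic: authorized server on port P1 (trusted), rogue on P5."""
    dev = SnoopingDevice(trusted={"P1"})
    mac = "00:11:22:33:44:55"
    results = [
        dev.process(DhcpMsg("DISCOVER", "P2", 10, mac)),
        dev.process(DhcpMsg("OFFER", "P5", 10, mac, "10.0.0.99")),  # rogue, dropped
        dev.process(DhcpMsg("OFFER", "P1", 10, mac, "10.0.0.20")),
        dev.process(DhcpMsg("REQUEST", "P2", 10, mac)),
        dev.process(DhcpMsg("ACK", "P1", 10, mac, "10.0.0.20")),
    ]
    return results, dev.entries
```

The resulting entry binds the client's MAC to 10.0.0.20 on the client-facing port P2 in VLAN 10, which is the data ARP detection and IP source guard consume.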