Configuring Dhcp Snooping; Dhcp Snooping Functions; Guaranteeing That Dhcp Clients Obtain Ip Addresses From Authorized Dhcp Servers; Recording Ip-To-Mac Mappings Of Dhcp Clients - HP 10500 Series Configuration Manual

Layer 3 - ip services

Configuring DHCP snooping

A DHCP snooping-enabled device must be either between the DHCP client and relay agent, or between
the DHCP client and server. It does not work if it is between the DHCP relay agent and DHCP server.

DHCP snooping functions

DHCP snooping can:
1. Make sure DHCP clients obtain IP addresses from authorized DHCP servers.
2. Record IP-to-MAC mappings for DHCP clients.

Guaranteeing that DHCP clients obtain IP addresses from authorized DHCP servers

DHCP snooping allows you to classify ports into trusted and untrusted to make sure clients obtain IP
addresses only from authorized DHCP servers.
• Trusted—A trusted port forwards DHCP messages normally to make sure the clients get IP addresses
  from an authorized DHCP server.
• Untrusted—An untrusted port discards received DHCP-ACK and DHCP-OFFER messages to avoid
  IP address allocation from any unauthorized server.
Configure ports that connect to authorized DHCP servers or other DHCP snooping devices as trusted,
and configure other ports as untrusted.

Recording IP-to-MAC mappings of DHCP clients

DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to create
DHCP snooping entries. A DHCP snooping entry includes the MAC and IP addresses of the client, the
port that connects to the DHCP client, and the VLAN of the port. The following features need to use DHCP
snooping entries:
• ARP detection—Uses DHCP snooping entries to filter ARP packets from unauthorized clients. For
  more information, see Security Configuration Guide.
• MAC-forced forwarding (MFF)—In automatic mode, after intercepting an ARP request from a client,
  the MFF device searches DHCP snooping entries for the corresponding gateway address, and
  sends the gateway MAC address to the client. This feature forces the client to send all traffic to the
  gateway. The gateway can monitor client traffic to prevent malicious attacks among clients. For
  more information, see Security Configuration Guide.
• IP source guard—Uses DHCP snooping entries to filter illegal packets on a per-port basis. For more
  information, see Security Configuration Guide.
• VLAN mapping—The device replaces service provider VLANs (SVLANs) in packets with customer
  VLANs (CVLANs) by searching corresponding DHCP snooping entries for DHCP client information
  including IP addresses, MAC addresses, and CVLANs, before sending the packets to clients. For
  more information, see Layer 2—LAN Switching Configuration Guide.
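
The two functions described above (discarding server replies on untrusted ports and recording snooping entries) can be modeled in a few lines. This is an added example, not code from the manual or from the device software: the class, the port names, and the addresses are constructed for illustration, and the model assumes the client port and VLAN are noted when the DHCP-REQUEST arrives.

```python
from dataclasses import dataclass, field

# Message types that only a DHCP server sends.
SERVER_REPLIES = {"DHCP-OFFER", "DHCP-ACK"}

@dataclass
class SnoopingSwitch:
    trusted_ports: set
    pending: dict = field(default_factory=dict)  # client MAC -> (port, VLAN) from DHCP-REQUEST
    entries: dict = field(default_factory=dict)  # client MAC -> DHCP snooping entry

    def receive(self, port, vlan, msg_type, client_mac, yiaddr=None):
        """Return 'forward' or 'discard' for one DHCP message arriving on port."""
        trusted = port in self.trusted_ports
        # Untrusted port: drop server replies before they can influence any state.
        if msg_type in SERVER_REPLIES and not trusted:
            return "discard"
        if msg_type == "DHCP-REQUEST":
            # Remember which port and VLAN the client sits behind.
            self.pending[client_mac] = (port, vlan)
        elif msg_type == "DHCP-ACK" and client_mac in self.pending:
            # ACK from a trusted port completes the entry: MAC, IP, client port, VLAN.
            client_port, client_vlan = self.pending.pop(client_mac)
            self.entries[client_mac] = {"mac": client_mac, "ip": yiaddr,
                                        "port": client_port, "vlan": client_vlan}
        return "forward"

def demo():
    """Constructed scenario: authorized server on GE1/0/1, unauthorized server on GE1/0/7."""
    sw = SnoopingSwitch(trusted_ports={"GE1/0/1"})
    mac = "00:00:5e:00:53:01"  # constructed client MAC (documentation range)
    results = [
        sw.receive("GE1/0/5", 10, "DHCP-DISCOVER", mac),
        sw.receive("GE1/0/7", 10, "DHCP-OFFER", mac, "198.51.100.66"),  # untrusted port
        sw.receive("GE1/0/1", 10, "DHCP-OFFER", mac, "192.0.2.20"),     # trusted port
        sw.receive("GE1/0/5", 10, "DHCP-REQUEST", mac),
        sw.receive("GE1/0/7", 10, "DHCP-ACK", mac, "198.51.100.66"),    # untrusted port
        sw.receive("GE1/0/1", 10, "DHCP-ACK", mac, "192.0.2.20"),       # trusted port
    ]
    return results, sw.entries

if __name__ == "__main__":
    outcome, table = demo()
    print(outcome)
    print(table)
```

The resulting entry holds the client's MAC address, the IP address from the trusted DHCP-ACK, the client-facing port, and its VLAN, which is the information the features listed above look up.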