4 DHCP Snooping Configuration

When configuring DHCP snooping, go to these sections for information you are interested in:

• DHCP Snooping Overview
• Configuring DHCP Snooping Basic Functions
• Configuring DHCP Snooping to Support Option 82
• Displaying and Maintaining DHCP Snooping
• DHCP Snooping Configuration Examples

Note:

• A DHCP snooping-enabled device does not work if it is located between the DHCP relay agent and the DHCP server. It works when it is located between the DHCP client and the relay agent, or between the DHCP client and the server.
• Enabling the DHCP client, BOOTP client, and DHCP snooping on the same device is not recommended. Otherwise, DHCP snooping entries may fail to be generated, or the BOOTP client/DHCP client may fail to obtain an IP address.

DHCP Snooping Overview

Function of DHCP Snooping

As a DHCP security feature, DHCP snooping can implement the following:

1) Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers
2) Recording IP-to-MAC mappings of DHCP clients

Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers

If there is an unauthorized DHCP server on a network, DHCP clients may obtain invalid IP addresses and network configuration parameters, and then cannot communicate normally with other network devices. With DHCP snooping, the ports of a device can be configured as trusted or untrusted, ensuring that clients obtain IP addresses from authorized DHCP servers only.

• Trusted: A trusted port forwards DHCP messages normally.
• Untrusted: An untrusted port discards the DHCP-ACK or DHCP-OFFER messages from any DHCP server.

You should configure ports that connect to authorized DHCP servers and to other DHCP snooping devices as trusted, and all other ports as untrusted. With this configuration, DHCP clients obtain IP addresses from authorized DHCP servers only, while unauthorized DHCP servers cannot assign IP addresses to DHCP clients.
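
The trusted/untrusted rule described above can be modelled in a few lines. The following Python sketch is an added example, not code from this manual or from the device: it reads the DHCP message type (option 53) from a payload, discards DHCP-OFFER and DHCP-ACK messages that arrive on an untrusted port, and records an IP-to-MAC mapping. The port names, addresses and sample payloads are constructed, and recording the mapping when a DHCP-ACK is seen on a trusted port is an assumption of the example.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"     # DHCP magic cookie that follows the 236-byte BOOTP header
DISCOVER, OFFER, ACK = 1, 2, 5  # option 53 (message type) values from RFC 2132

def build(msg_type, mac, yiaddr="0.0.0.0"):
    """Constructed sample payload: BOOTP header plus option 53 only."""
    op = 2 if msg_type in (OFFER, ACK) else 1                    # 2 = BOOTREPLY
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234, 0, 0)
    hdr += bytes(4) + socket.inet_aton(yiaddr) + bytes(8)        # ciaddr, yiaddr, siaddr+giaddr
    hdr += bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")  # chaddr
    return hdr + bytes(192) + MAGIC + bytes([53, 1, msg_type, 255])

def message_type(payload):
    """Return the option 53 value, or None if the payload is not parseable DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    i = 240
    while i + 2 < len(payload) and payload[i] != 255:            # 255 = end option
        code, length = payload[i], payload[i + 1]
        if code == 0:                                            # pad option has no length byte
            i += 1
            continue
        if code == 53 and length == 1:
            return payload[i + 2]
        i += 2 + length
    return None

class Snooper:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}                                       # IP -> MAC
    def handle(self, port, payload):
        mtype = message_type(payload)
        if port not in self.trusted and mtype in (OFFER, ACK):
            return "drop"                                        # server reply on an untrusted port
        if mtype == ACK:                                         # assumption: bind on a trusted ACK
            self.bindings[socket.inet_ntoa(payload[16:20])] = payload[28:34].hex(":")
        return "forward"

def demo():
    sw = Snooper({"uplink"})                                     # hypothetical port names
    mac = "00:11:22:33:44:55"                                    # constructed client MAC
    verdicts = [sw.handle("access1", build(DISCOVER, mac)),
                sw.handle("access2", build(OFFER, mac, "10.66.6.10")),  # unauthorized server
                sw.handle("uplink", build(ACK, mac, "192.168.1.10")),
                sw.handle("access2", build(ACK, mac, "10.66.6.10"))]
    return verdicts, sw.bindings
```

Only the reply that entered through the trusted port produces a binding; the replies from the server attached to an access port never reach the client.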