DHCP snooping configuration

• The DHCP snooping-enabled device must be either between the DHCP client and relay agent, or between the DHCP client and server. It does not work if it is between the DHCP relay agent and DHCP server.

DHCP snooping overview

Function of DHCP snooping

As a DHCP security feature, DHCP snooping can do the following:

1. Ensure that DHCP clients obtain IP addresses from authorized DHCP servers
2. Record IP-to-MAC mappings of DHCP clients

Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers

If DHCP clients obtain invalid IP addresses and network configuration parameters from an unauthorized DHCP server, they will be unable to communicate normally with other network devices. With DHCP snooping, the ports of a switch can be configured as trusted or untrusted to ensure that clients obtain IP addresses only from authorized DHCP servers.

• Trusted: A trusted port forwards DHCP messages normally but never sends any DHCP message back.
• Untrusted: An untrusted port discards the DHCP-ACK or DHCP-OFFER messages from any DHCP server.
• Configure ports that connect to authorized DHCP servers or other DHCP snooping switches as trusted, and configure other ports as untrusted. This enables DHCP clients to obtain IP addresses from authorized DHCP servers only.

Recording IP-to-MAC mappings of DHCP clients

DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to record DHCP snooping entries. DHCP snooping entries include the following:

• MAC addresses of clients
• IP addresses obtained by the clients
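
The trusted/untrusted filtering and entry recording described above, modelled in Python as an added example (not taken from the manual or from the device's software). The port numbers, addresses and class names are constructed, and the rule that an entry is recorded when a trusted-port DHCP-ACK answers a DHCP-REQUEST already seen from the same client is an assumption.

```python
from dataclasses import dataclass

SERVER_REPLIES = {"OFFER", "ACK"}  # messages only a DHCP server sends


@dataclass(frozen=True)
class DhcpMsg:
    kind: str        # "DISCOVER", "OFFER", "REQUEST" or "ACK"
    client_mac: str  # client hardware address carried in the message
    ip: str = ""     # address offered/assigned (server replies only)


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = set()  # clients whose DHCP-REQUEST has been seen
        self.entries = {}     # snooping entries: client MAC -> IP

    def receive(self, port, msg):
        """Return "forward" or "drop" for a DHCP message arriving on port."""
        if msg.kind in SERVER_REPLIES and port not in self.trusted:
            return "drop"  # server reply on an untrusted port
        if msg.kind == "REQUEST":
            self.pending.add(msg.client_mac)
        elif msg.kind == "ACK" and msg.client_mac in self.pending:
            # Assumption: an entry is recorded when a trusted-port ACK
            # answers a REQUEST already seen from the same client.
            self.pending.discard(msg.client_mac)
            self.entries[msg.client_mac] = msg.ip
        return "forward"


# Constructed trace: port 1 = client, port 5 = unauthorized server,
# port 24 = uplink to the authorized server (the only trusted port).
CLIENT = "02:00:00:00:00:01"
TRACE = [
    (1, DhcpMsg("DISCOVER", CLIENT)),
    (5, DhcpMsg("OFFER", CLIENT, "198.51.100.50")),
    (24, DhcpMsg("OFFER", CLIENT, "192.0.2.10")),
    (1, DhcpMsg("REQUEST", CLIENT)),
    (5, DhcpMsg("ACK", CLIENT, "198.51.100.50")),
    (24, DhcpMsg("ACK", CLIENT, "192.0.2.10")),
]


def run_trace(trusted_ports=(24,)):
    switch = SnoopingSwitch(trusted_ports)
    decisions = [switch.receive(port, msg) for port, msg in TRACE]
    return decisions, switch.entries
```

Calling run_trace(trusted_ports=()) shows the misconfiguration case: with no trusted port, the authorized server's replies are discarded as well and no entry is recorded.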