4-14 DHCP Snooping ConfigurationWhen configuring DHCP snooping, go to these sections for information you are interested in:z DHCP Snooping Overviewz Configuring DHCP Snoopingz DHCP Snooping Configuration Examplesz Displaying DHCP Snooping ConfigurationDHCP Snooping OverviewIntroduction to DHCP SnoopingFor the sake of security, the IP addresses used by online DHCP clients need to be tracked for theadministrator to verify the corresponding relationship between the IP addresses the DHCP clientsobtained from DHCP servers and the MAC addresses of the DHCP clients.z Switches can track DHCP clients’ IP addresses through the security function of the DHCP relayagent operating at the network layer.z Switches can track DHCP clients’ IP addresses through the DHCP snooping function at the datalink layer.When an unauthorized DHCP server exists in the network, a DHCP client may obtains an illegal IPaddress. To ensure that the DHCP clients obtain IP addresses from valid DHCP servers, you canspecify a port to be a trusted port or an untrusted port by the DHCP snooping function.z Trusted: A trusted port is connected to an authorized DHCP server directly or indirectly. It forwardsDHCP messages to guarantee that DHCP clients can obtain valid IP addresses.z Untrusted: An untrusted port is connected to an unauthorized DHCP server. The DHCP-ACK orDHCP-OFFER packets received from the port are discarded, preventing DHCP clients fromreceiving invalid IP addresses.Figure 4-1 illustrates a typical network diagram for DHCP snooping application, where Switch A is anS5600 series Ethernet switch.