Operation Manual – DHCP
H3C S9500 Series Routing Switches

Chapter 4 DHCP Snooping Configuration

When configuring DHCP snooping, go to these sections for information you are interested in:

• DHCP Snooping Overview
• DHCP Snooping Configuration
• Displaying and Maintaining DHCP Snooping
• DHCP Snooping Configuration Example
• Wrong DHCP Snooping Networking Examples

4.1 DHCP Snooping Overview

4.1.1 Introduction

As a DHCP security feature, DHCP snooping can implement the following:

I. Preventing DHCP clients from obtaining IP addresses from unauthorized DHCP servers

With DHCP snooping, the ports of a device can be configured as trusted or untrusted.

• Trusted: Ports that are connected to authorized DHCP servers or other authorized devices are configured as trusted ports, which can forward DHCP messages normally to guarantee that DHCP clients can obtain valid IP addresses.
• Untrusted: An untrusted port discards DHCP-ACK and DHCP-OFFER packets received from any DHCP server to prevent DHCP clients from receiving invalid IP addresses.

II. Preventing illegal clients from accessing the external network

When a client obtains an IP address from a DHCP server, DHCP snooping records the client’s IP and MAC addresses, port name (common port or aggregate port), and VLAN ID by reading its DHCP message and saves the information in the DHCP snooping table.

DHCP snooping prevents illegal clients from accessing the external network in cooperation with ARP. When a client wants to access the external network, it sends an ARP request to the gateway. Then, DHCP snooping intercepts the ARP request and checks the client’s information against the DHCP snooping entries:

• If the client is legal, a matching DHCP snooping entry can be found and the DHCP snooping device sends an ARP reply or forwards the ARP request. Then, the client can access the network normally.
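
The following Python model is an added example, not H3C code or configuration. It walks the trusted/untrusted port rule and the ARP check described above through a constructed exchange. Assumptions: all class, function, port and address names are hypothetical, the ARP check compares IP, MAC, port and VLAN together, and a request with no matching entry is dropped.

```python
from dataclasses import dataclass

SERVER_REPLIES = {"OFFER", "ACK"}  # discarded when received on an untrusted port

@dataclass(frozen=True)
class Binding:  # one DHCP snooping table entry
    ip: str
    mac: str
    port: str
    vlan: int

class SnoopingSwitch:
    """Toy model of the behaviour described above (hypothetical names, not H3C code)."""
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}  # client MAC -> (port, vlan) learned from its request
        self.table = {}    # client MAC -> Binding

    def dhcp_in(self, port, vlan, msg_type, client_mac, yiaddr=None):
        """Return 'forward' or 'drop' for a DHCP message received on `port`."""
        if msg_type in SERVER_REPLIES:
            if port not in self.trusted:
                return "drop"  # server reply from an unauthorized source
            if msg_type == "ACK" and client_mac in self.pending:
                cport, cvlan = self.pending.pop(client_mac)
                self.table[client_mac] = Binding(yiaddr, client_mac, cport, cvlan)
            return "forward"
        if msg_type == "REQUEST":
            self.pending[client_mac] = (port, vlan)
        return "forward"

    def arp_request_in(self, port, vlan, sender_ip, sender_mac):
        """Check an intercepted ARP request against the snooping table."""
        if self.table.get(sender_mac) == Binding(sender_ip, sender_mac, port, vlan):
            return "forward"
        return "drop"  # assumption: a request with no matching entry is not passed on

def run_constructed_scenario():
    """Constructed traffic; port names, MACs and addresses are made up."""
    sw = SnoopingSwitch(trusted_ports={"GE1/0/1"})
    mac = "00aa-bbcc-0001"
    return [
        sw.dhcp_in("GE1/0/5", 10, "REQUEST", mac),
        sw.dhcp_in("GE1/0/7", 10, "ACK", mac, "192.0.2.66"),  # untrusted port
        sw.dhcp_in("GE1/0/1", 10, "ACK", mac, "192.0.2.20"),  # trusted port
        sw.arp_request_in("GE1/0/5", 10, "192.0.2.20", mac),  # leased client
        sw.arp_request_in("GE1/0/6", 10, "192.0.2.99", "00aa-bbcc-0002"),  # no lease
    ]
```

The binding is created only from the ACK that arrives on the trusted port, so the address offered through the untrusted port never enters the table.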