Overview of DHCP Snooping Basic Functions
DHCP Snooping is a security feature of DHCP (Dynamic Host Configuration Protocol) that provides the following two functions:
- Record the mapping between the MAC address and the IP address of each DHCP client:
For security reasons, the network administrator may need to record which IP address a user was using when accessing the network, that is, to confirm the mapping between the user host's MAC address and the IP address it obtained from the DHCP server.
DHCP Snooping listens to the DHCP request packets and the DHCP response packets received on the trust port, and records the MAC address of each DHCP client together with the IP address it obtained. The administrator can view the IP address information obtained by a DHCP client through the binding entries recorded by DHCP Snooping.
- Ensure that the client obtains its IP address from a valid server:
If an unauthorized DHCP server exists in the network, a DHCP client may obtain a wrong IP address, leading to communication failures or security risks. To ensure that DHCP clients obtain their IP addresses only from the valid DHCP server, DHCP Snooping allows each port to be configured as a trust port or an untrust port:
- A trust port is a port that is directly or indirectly connected to the valid DHCP server. The trust port forwards the DHCP response packets it receives normally, so that DHCP clients can obtain correct IP addresses.
- An untrust port is a port that is not directly or indirectly connected to the valid DHCP server. If an untrust port receives a DHCP response packet sent by a DHCP server, the packet is dropped, which prevents DHCP clients from obtaining a wrong IP address.
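The following Python model illustrates both functions described above on a single switch: server replies (BOOTREPLY: OFFER, ACK, NAK) are forwarded only when they arrive on a trust port and are dropped on untrust ports, and a binding entry (client MAC, assigned IP, client port) is recorded from the REQUEST/ACK exchange. This is an added example, not vendor code from this guide; the port names, the packet builder, the MAC address and the IP addresses are constructed sample values, and the binding of an ACK to the port where the client's REQUEST arrived is an assumption about how the entry is populated.

```python
"""Minimal DHCP Snooping model: trust/untrust port filter plus a binding table.
Added example; the packet builder produces constructed sample input only."""
import struct
import ipaddress

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"            # RFC 2132 magic cookie
HDR = "!BBBBIHH4s4s4s4s16s64s128s"     # 236-byte fixed BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_dhcp(op, mac, yiaddr, msg_type):
    """Build a minimal DHCP packet (constructed sample input, not captured traffic)."""
    zero4 = b"\0" * 4
    fixed = struct.pack(HDR, op, 1, 6, 0, 0x1234, 0, 0, zero4,
                        ipaddress.IPv4Address(yiaddr).packed, zero4, zero4,
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(pkt):
    """Decode op, client MAC (chaddr), offered address (yiaddr) and option 53."""
    fields = struct.unpack(HDR, pkt[:236])
    op, hlen, yiaddr, chaddr = fields[0], fields[2], fields[8], fields[11]
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:       # walk TLV options until END
        if pkt[i] == 0:                          # PAD option has no length
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "mac": mac_str(chaddr[:hlen]),
            "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
            "type": MSG_TYPES.get(opts.get(53, b"\0")[0], "UNKNOWN")}


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # client MAC -> port its DISCOVER/REQUEST arrived on
        self.bindings = {}   # client MAC -> (assigned IP, client port)
        self.events = []     # human-readable log of every decision

    def handle(self, port, pkt):
        m = parse_dhcp(pkt)
        if m["op"] == BOOTREPLY:
            # Server replies are only legitimate on a trust port; drop the rest.
            if port not in self.trusted:
                self.events.append(f"drop {m['type']} for {m['mac']} on untrust port {port}")
                return "drop"
            if m["type"] == "ACK":
                # Lease confirmed: record the MAC/IP binding (assumed: keyed to
                # the port where the client's request was seen).
                client_port = self.pending.pop(m["mac"], None)
                self.bindings[m["mac"]] = (m["yiaddr"], client_port)
            self.events.append(f"forward {m['type']} for {m['mac']} from trust port {port}")
            return "forward"
        # Client messages: remember the ingress port so the ACK can be bound to it.
        if m["type"] in ("DISCOVER", "REQUEST"):
            self.pending[m["mac"]] = port
        self.events.append(f"forward {m['type']} from {m['mac']} on port {port}")
        return "forward"


def demo():
    """Constructed scenario: one client, one rogue OFFER, one legitimate ACK."""
    sw = SnoopingSwitch(trusted_ports={"gi0/24"})      # uplink to the valid server
    client = b"\x00\x11\x22\x33\x44\x55"                # constructed client MAC
    sw.handle("gi0/1", build_dhcp(BOOTREQUEST, client, "0.0.0.0", 3))      # REQUEST
    rogue = sw.handle("gi0/7", build_dhcp(BOOTREPLY, client, "10.9.9.9", 2))   # OFFER on untrust port
    legit = sw.handle("gi0/24", build_dhcp(BOOTREPLY, client, "192.0.2.50", 5))  # ACK on trust port
    return rogue, legit, dict(sw.bindings)


if __name__ == "__main__":
    rogue, legit, bindings = demo()
    print(rogue, legit, bindings)
```

Running `demo()` shows the rogue OFFER being dropped because it arrived on an untrust port, while the ACK from the trust port is forwarded and produces the binding entry `00:11:22:33:44:55 -> 192.0.2.50` on port `gi0/1`, which is the information an administrator would later inspect in the DHCP Snooping binding table.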