No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
DHCP Snooping Fundamentals

DHCP Snooping Fundamentals

DHCP snooping provides the trusted interface and listening functions.

Trusted Interface

DHCP snooping involves two interface roles: trusted interface and untrusted interfaces, through which DHCP snooping ensures that DHCP clients obtain IP addresses from a valid DHCP server.

If a bogus DHCP server exists on a network, DHCP clients may obtain incorrect IP addresses and network configuration parameters from it, leading to communication failures. The trusted interface controls the source of DHCP Reply messages to prevent bogus DHCP servers from assigning IP addresses and other configurations to other DHCP clients.

Trusted interface and untrusted interfaces process DHCP messages as follows:
  • The device receives DHCP ACK messages, NAK messages, and Offer messages through the trusted interface.
  • The device discards DHCP ACK messages, NAK messages, and Offer messages on untrusted interfaces.

The administrator configures the interface directly or indirectly connected to an authorized DHCP server as the trusted interface, and other interfaces as untrusted interfaces. This ensures that DHCP clients obtain IP addresses from authorized DHCP servers.


After DHCP snooping is enabled, the device generates a DHCP snooping binding table by listening to DHCP Request messages and Reply messages. A binding entry contains the MAC address, IP address, interface number, and Virtual Local Area Network (VLAN) ID of the DHCP client.

The DHCP snooping binding entries are aged out when the DHCP release expires, or the entries are deleted when users send DHCP Release packets to release IP addresses.

The administrator needs to record IP addresses of DHCP clients and identify the mappings between the IP addresses and MAC addresses of the DHCP clients. The DHCP snooping binding table helps the administrator conveniently record the mappings.

The DHCP snooping binding table records the mapping between IP addresses and MAC addresses of DHCP clients. The device can check DHCP messages against the DHCP snooping binding table to prevent attacks initiated by unauthorized users.

To ensure that the device obtains parameters such as MAC addresses for generating a DHCP snooping binding table, configure DHCP snooping on the Layer 2 access devices or the first DHCP relay agent from the device to the DHCP server.

Updated: 2019-08-07

Document ID: EDOC1100034077

Views: 137572

Downloads: 248

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next