Operation Manual – DHCP
H3C S3100 Series Ethernet Switches
Chapter 2 DHCP Snooping Configuration

2.1.2 Introduction to DHCP Snooping Trusted/Untrusted Ports

When an unauthorized DHCP server exists in the network, a DHCP client may obtain an illegal IP address. To ensure that DHCP clients obtain IP addresses from valid DHCP servers, the S3100-EI series Ethernet switches can specify a port to be a trusted port or an untrusted port by the DHCP snooping function.

• Trusted: A trusted port is connected to an authorized DHCP server directly or indirectly. It forwards DHCP messages to guarantee that DHCP clients can obtain valid IP addresses.
• Untrusted: An untrusted port is connected to an unauthorized DHCP server. The DHCP-ACK or DHCP-OFFER packets received from the port are discarded, preventing DHCP clients from receiving invalid IP addresses.

2.1.3 Introduction to Unauthorized DHCP Server Detection

S3100-SI series Ethernet switches do not support the DHCP snooping trusted port function due to limited ACL resources; however, they provide the unauthorized DHCP server detection feature to guard against network problems caused by unauthorized DHCP servers, and to prevent an attacker from assigning IP addresses to clients while posing as a valid DHCP server.

After you enable this feature on a downstream port (which is connected to DHCP clients directly or indirectly) of a DHCP snooping enabled switch, the switch sends a DHCP-DISCOVER message. If a DHCP-OFFER message is received from the downstream port, an unauthorized DHCP server is considered present, and the switch either sends a trap, or sends a trap and administratively shuts down the port, as configured.

Note:
A port that is shut down administratively is in the closed state and cannot receive or forward packets; however, the display current-configuration command does not display the port state. You can use the undo shutdown command in port view to enable this port.

To prevent any unauthorized DHCP server from filtering DHCP-DISCOVER messages sent by the DHCP snooping device, you can specify a source MAC address for such messages.