Operation Manual – DHCPH3C S3100 Series Ethernet Switches Chapter 2 DHCP Snooping Configuration2-172.5.2 Unauthorized DHCP Server Detection Configuration ExampleI. Network requirementsAs shown in Figure 2-7, Ethernet 1/0/1 of the switch (S3100-SI) is connected to theDHCP server, and Ethernet 1/0/2 and Ethernet 1/0/3 are respectively connected toClient A, Client B.z Enable DHCP snooping on the switch.z Enable unauthorized DHCP server detection on Ethernet 1/0/2 and Ethernet 1/0/3.When an authorized DHCP server is detected on Ethernet 1/0/2, a trap messagewill be sent; when an authorized DHCP server is detected on Ethernet 1/0/3, theinterface is shut down administratively.z To prevent attackers from filtering the detecting DHCP-DISCOVER packets,specify the source MAC address for such packets as 000f-e200-1111 (differentfrom the bridge MAC address of the switch) on the switch.II. Network diagramEth1/0/1DHCP serverSwitchEth1/0/2 Eth1/0/3ClientA ClientBFigure 2-7 Network diagram for unauthorized DHCP server detectionIII. Configuration procedure# Enable DHCP snooping. system-viewEnter system view, return to user view with Ctrl+Z.[Sysname] dhcp-snooping# Specify the source MAC address for the DHCP-DISCOVER messages as000f-e200-1111.[Sysname] dhcp-snooping server-guard source-mac 000f-e200-1111# Enable unauthorized DHCP server detection on Ethernet 1/0/2.[Sysname] interface ethernet1/0/2
