Recording IP-to-MAC mappings of DHCP clients
DHCP snooping reads DHCP-REQUEST messages and DHCP-ACK messages from trusted ports to record DHCP snooping entries. A DHCP snooping entry includes the MAC and IP addresses of the client, the port that connects to the DHCP client, and the VLAN of the port. Using DHCP snooping entries, DHCP snooping can implement the following functions:
ARP detection—The device uses DHCP snooping entries to determine whether an ARP packet was sent by an authorized client. This feature prevents ARP attacks from unauthorized clients. For more information, see Security Configuration Guide.
IP source guard—IP source guard uses dynamic binding entries generated by DHCP snooping to filter packets on a per-port basis. This prevents unauthorized packets from being forwarded. For more information, see Security Configuration Guide.
VLAN mapping—The device replaces service provider VLANs (SVLANs) in packets with customer VLANs (CVLANs) by searching corresponding DHCP snooping entries for DHCP client information including IP addresses, MAC addresses, and CVLANs, before sending the packets to clients. For more information, see Layer 2—LAN Switching Configuration Guide.
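The way snooping entries are recorded and then consulted by ARP detection and IP source guard can be modeled as follows. This is an added example, not vendor code: the class, method, and port names and the addresses are constructed for illustration, and pairing a DHCP-REQUEST with its DHCP-ACK by client MAC and VLAN is a simplifying assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:                      # one DHCP snooping entry
    mac: str
    ip: str
    port: str                       # port that connects to the DHCP client
    vlan: int

class SnoopingTable:                # hypothetical model, not a device API
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}           # (mac, vlan) -> client port seen in DHCP-REQUEST
        self.entries = {}           # (ip, vlan)  -> Binding

    def on_request(self, mac, port, vlan):
        # Clients sit behind untrusted ports; remember where the request came in.
        if port not in self.trusted:
            self.pending[(mac, vlan)] = port

    def on_ack(self, mac, yiaddr, ingress_port, vlan):
        # Only an ACK received on a trusted port may create an entry.
        if ingress_port not in self.trusted:
            return None
        port = self.pending.pop((mac, vlan), None)
        if port is None:            # no matching request was seen
            return None
        entry = Binding(mac, yiaddr, port, vlan)
        self.entries[(yiaddr, vlan)] = entry
        return entry

    def permitted(self, src_ip, src_mac, port, vlan):
        # Check shared by ARP detection (sender IP/MAC) and IP source guard
        # (source IP/MAC): all four fields must match the recorded entry.
        return self.entries.get((src_ip, vlan)) == Binding(src_mac, src_ip, port, vlan)

def demo():
    # Constructed sample traffic: GE1/0/1 faces the DHCP server.
    table = SnoopingTable(trusted_ports={"GE1/0/1"})
    table.on_request("00:11:22:33:44:55", "GE1/0/10", 10)
    table.on_ack("00:11:22:33:44:55", "192.0.2.10", "GE1/0/1", 10)
    # An ACK arriving on an untrusted port records nothing.
    table.on_request("66:77:88:99:aa:bb", "GE1/0/11", 10)
    table.on_ack("66:77:88:99:aa:bb", "192.0.2.99", "GE1/0/12", 10)
    return table
```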