VLAN-specific DHCP snooping configuration example
Network configuration
As shown in Figure 32, Switch B is connected to the authorized DHCP server through GigabitEthernet 1/0/1, to the unauthorized DHCP server through GigabitEthernet 1/0/3, and to the DHCP client through GigabitEthernet 1/0/2.
In VLAN 100, configure only the port connected to the authorized DHCP server to forward responses from DHCP servers. Enable recording of clients' IP-to-MAC bindings in VLAN 100. The bindings are built by reading the DHCP-ACK messages received from the trusted port and the DHCP-REQUEST messages.
Figure 32: Network diagram
Configuration procedure
# Assign GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 to VLAN 100.
<SwitchB> system-view
[SwitchB] vlan 100
[SwitchB-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/3
[SwitchB-vlan100] quit
# Enable DHCP snooping for VLAN 100.
[SwitchB] dhcp snooping enable vlan 100
# Configure GigabitEthernet 1/0/1 as a DHCP snooping trusted port.
[SwitchB] vlan 100
[SwitchB-vlan100] dhcp snooping trust gigabitethernet 1/0/1
# Enable recording clients' IP-to-MAC bindings in VLAN 100.
[SwitchB-vlan100] dhcp snooping binding record
[SwitchB-vlan100] quit
Verifying the configuration
# Verify that the DHCP client can obtain an IP address and other configuration parameters only from the authorized DHCP server. (Details not shown.)
# Display the DHCP snooping entry recorded for the client.
[SwitchB] display dhcp snooping binding
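The following is an added example, not part of the original documentation and not the switch's own implementation: a simplified Python model of the behaviour the configuration above is meant to produce, showing which DHCP messages are forwarded and when a binding is recorded. The class name, the short port labels (GE1/0/1 and so on), and the MAC and IP addresses are assumptions made for illustration.

```python
# Simplified model of VLAN-scoped DHCP snooping (illustrative, not switch firmware).
from dataclasses import dataclass, field

SERVER_MSGS = {"DHCP-OFFER", "DHCP-ACK", "DHCP-NAK"}   # sent only by DHCP servers

@dataclass
class SnoopingVlan:
    vlan: int
    trusted: set                                   # ports set with "dhcp snooping trust"
    record: bool = True                            # "dhcp snooping binding record"
    pending: dict = field(default_factory=dict)    # client MAC -> port of its DHCP-REQUEST
    bindings: dict = field(default_factory=dict)   # client MAC -> (IP, port, VLAN)

    def process(self, port, msg_type, client_mac, yiaddr=None):
        """Return 'forward' or 'drop' for one DHCP message seen on `port`."""
        if msg_type in SERVER_MSGS and port not in self.trusted:
            return "drop"                          # server reply on an untrusted port
        if not self.record:
            return "forward"
        if msg_type == "DHCP-REQUEST":
            self.pending[client_mac] = port        # remember the client's port
        elif msg_type == "DHCP-ACK" and client_mac in self.pending:
            client_port = self.pending.pop(client_mac)
            self.bindings[client_mac] = (yiaddr, client_port, self.vlan)
        return "forward"

def run_example():
    # Constructed sample traffic; MAC and IP addresses are made up for illustration.
    sw = SnoopingVlan(vlan=100, trusted={"GE1/0/1"})
    mac = "00e0-fc00-0001"
    trace = [
        ("GE1/0/2", "DHCP-DISCOVER", mac, None),
        ("GE1/0/3", "DHCP-OFFER", mac, "10.66.0.5"),       # unauthorized server
        ("GE1/0/1", "DHCP-OFFER", mac, "192.168.100.10"),  # authorized server
        ("GE1/0/2", "DHCP-REQUEST", mac, None),
        ("GE1/0/3", "DHCP-ACK", mac, "10.66.0.5"),         # unauthorized server
        ("GE1/0/1", "DHCP-ACK", mac, "192.168.100.10"),    # authorized server
    ]
    verdicts = [sw.process(*m) for m in trace]
    return verdicts, sw.bindings

if __name__ == "__main__":
    verdicts, bindings = run_example()
    print(verdicts)
    print(bindings)
```

In this model, replies arriving on GigabitEthernet 1/0/3 never reach the client or the binding table, so the only recorded entry maps the client to the address leased by the server behind the trusted port.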