VLAN-specific DHCP snooping configuration example

Network configuration

As shown in Figure 32, Switch B is connected to the authorized DHCP server through GigabitEthernet 1/0/1, to the unauthorized DHCP server through GigabitEthernet 1/0/3, and to the DHCP client through GigabitEthernet 1/0/2.

In VLAN 100, configure only the port connected to the authorized DHCP server to forward responses from the DHCP server. Enable recording of clients' IP-to-MAC bindings in VLAN 100. The bindings are read from the DHCP-REQUEST messages and from the DHCP-ACK messages received from the trusted port.

Figure 32: Network diagram

Configuration procedure

# Assign GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 to VLAN 100.

<SwitchB> system-view
[SwitchB] vlan 100
[SwitchB-vlan100] port gigabitethernet 1/0/1 to gigabitethernet 1/0/3
[SwitchB-vlan100] quit

# Enable DHCP snooping for VLAN 100.

[SwitchB] dhcp snooping enable vlan 100

# Configure GigabitEthernet 1/0/1 as a DHCP snooping trusted port.

[SwitchB] vlan 100
[SwitchB-vlan100] dhcp snooping trust gigabitethernet 1/0/1

# Enable recording of clients' IP-to-MAC bindings in VLAN 100.

[SwitchB-vlan100] dhcp snooping binding record
[SwitchB-vlan100] quit

Verifying the configuration

# Verify that the DHCP client can obtain an IP address and other configuration parameters only from the authorized DHCP server. (Details not shown.)

# Display the DHCP snooping entry recorded for the client.

[SwitchB] display dhcp snooping binding
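
The following Python model is an added example, not device code or part of the original procedure. It shows the forwarding and recording decisions the configuration above produces in VLAN 100. It is simplified: the class and function names, the short port labels, the client MAC address, and the IP addresses are assumptions made up for illustration.

```python
from dataclasses import dataclass, field

# DHCP messages that only a server sends.
SERVER_MSGS = {"DHCP-OFFER", "DHCP-ACK", "DHCP-NAK"}

@dataclass
class SnoopingVlan:
    """Simplified model of DHCP snooping in one VLAN (hypothetical, not device code)."""
    vlan: int
    trusted: set                                   # ports set with 'dhcp snooping trust'
    record: bool = False                           # 'dhcp snooping binding record'
    pending: dict = field(default_factory=dict)    # MAC -> port the request arrived on
    bindings: dict = field(default_factory=dict)   # MAC -> (IP, client port, VLAN)

    def receive(self, port, msg, mac, ip=None):
        """Return 'forward' or 'drop' for a DHCP message arriving on a port."""
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                return "drop"                      # server response on an untrusted port
            if msg == "DHCP-ACK" and self.record and mac in self.pending:
                # Binding = DHCP-REQUEST seen earlier + DHCP-ACK from the trusted port.
                self.bindings[mac] = (ip, self.pending.pop(mac), self.vlan)
            return "forward"
        if msg == "DHCP-REQUEST" and self.record:
            self.pending[mac] = port               # remember where the client is attached
        return "forward"

def run_example():
    # Constructed sample exchange; GE1/0/3 is the unauthorized server's port.
    sw = SnoopingVlan(vlan=100, trusted={"GE1/0/1"}, record=True)
    mac = "00e0-fc00-0001"
    results = [
        sw.receive("GE1/0/2", "DHCP-DISCOVER", mac),
        sw.receive("GE1/0/3", "DHCP-OFFER", mac, "10.9.9.50"),
        sw.receive("GE1/0/1", "DHCP-OFFER", mac, "192.168.100.10"),
        sw.receive("GE1/0/2", "DHCP-REQUEST", mac),
        sw.receive("GE1/0/3", "DHCP-ACK", mac, "10.9.9.50"),
        sw.receive("GE1/0/1", "DHCP-ACK", mac, "192.168.100.10"),
    ]
    return results, sw.bindings

if __name__ == "__main__":
    results, bindings = run_example()
    print(results)
    print(bindings)
```

With the trusted set left empty, every server response is dropped and no binding is recorded, which is why the trusted port must be configured before clients in the VLAN can obtain addresses.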