Configuring an Interface as a Trusted Interface

Context

To enable DHCP clients to obtain IP addresses only from authorized DHCP servers, configure the interfaces (if0, in Figure 1) directly or indirectly connected to the DHCP servers trusted by the administrator as the trusted interfaces, and other interfaces (if2, in Figure 1) as untrusted interfaces. This prevents bogus DHCP servers from assigning IP addresses to DHCP clients.

After enabling DHCP snooping on the interface or in the VLAN connected to the user, configure the interface connected to the DHCP server as the trusted interface, so that the dynamic DHCP snooping binding table is generated.

Figure 1 DHCP snooping networking diagram

Perform the following steps on the Layer 2 access device.

Procedure

Run system-view
The system view is displayed.
Configure the interface as the trusted interface in the interface view, BD view, or VLAN view.
- In the interface view:
1. Run interface interface-type interface-number
  The interface view is displayed.
2. Run dhcp snooping trusted
  The interface is configured as the trusted interface.
  
  By default, an interface is an untrusted interface.
- In the VLAN view:
1. Run vlan vlan-id
  The VLAN view is displayed.
2. Run dhcp snooping trusted interface interface-type interface-number
  The interface is configured as the trusted interface.
  
  By default, an interface is an untrusted interface.
  
  If you run this command in the VLAN view, the command takes effect only on DHCP messages in this VLAN received from interfaces that belong to this VLAN. If you run the dhcp snooping trusted command in the interface view, the command takes effect for all the DHCP messages received on the specified interface.
- In the BD view
  1. Run bridge-domain bd-id
    
    The BD view is displayed.
  2. Run dhcp snooping trusted
    
    The interface is configured as a trusted interface.
    
    By default, an interface is an untrusted interface.