DHCP snooping is a security feature that filters untrusted DHCP messages and builds and maintains a DHCP snooping binding table. An untrusted DHCP message is one received from outside the network or firewall; such messages can cause denial-of-service attacks.

The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information that corresponds to the local untrusted interfaces of a switch. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall. A trusted interface is an interface that is configured to receive only messages from within the network.

DHCP snooping is enabled on the switch per VLAN, since the switch intercepts DHCP messages at Layer 2.

The following is a step-by-step procedure to enable and configure DHCP snooping on Cisco Catalyst switches running Cisco IOS.

Enable DHCP Snooping

ciscoswitch(config)# ip dhcp snooping

Enable DHCP Snooping on VLANs

DHCP snooping can be enabled on one or more VLANs or a range of VLANs

ciscoswitch(config)# ip dhcp snooping vlan 100

The above enables DHCP snooping on VLAN 100.

To enable on more VLANs

ciscoswitch(config)# ip dhcp snooping vlan 10-15,100,110

which enables DHCP snooping on VLANs 10 through 15, 100 and 110.

Enable DHCP Option 82

This enables insertion of DHCP option 82 information into DHCP packets. Option 82 is the Relay Agent Information Option described in RFC 3046.

ciscoswitch(config)# ip dhcp snooping information option

Configure Trust Interface

An interface not explicitly configured as trusted is treated as an untrusted interface.

ciscoswitch(config)# interface fa0/0

ciscoswitch(config-if)# ip dhcp snooping trust

DHCP Snooping Rate Limiting (optional)

Rate limiting restricts the number of DHCP packets per second (pps) that an interface can receive.

ciscoswitch(config-if)# ip dhcp snooping limit rate 202

where 202 is the maximum number of DHCP messages per second the interface will accept.

This should configure DHCP Snooping on Cisco IOS switches.

Display DHCP Snooping

ciscoswitch# show ip dhcp snooping
DHCP Snooping is configured on the following VLANs:
    10-15 100 110
Insertion of option 82 information is enabled.
Interface           Trusted        Rate limit (pps)
---------           -------        ----------------
FastEthernet2/1     yes            10
FastEthernet2/2     yes            none
FastEthernet3/1     no             20

Display DHCP Snooping Binding Table

ciscoswitch# show ip dhcp snooping binding
MacAddress      IP Address      Lease (seconds)      Type        VLAN      Interface
-----------     -----------     ----------------     -----       -----     ------------
0000.0100.0201  10.0.0.1        1600                 dynamic     100       FastEthernet2/1
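The two listings above are what an operator actually has to read after completing the configuration steps, so the following is an added example (not code from the original post) that parses both outputs and checks them against the rules the post states: untrusted ports should carry a rate limit, bindings should belong to a snooped VLAN, and the binding table describes untrusted interfaces. The sample text is the post's two listings with one constructed interface row (FastEthernet3/2) and one constructed binding (VLAN 200) added so the checks have something to report; the three-column interface table layout is assumed to match what is shown on the page.

```python
"""Parse and audit 'show ip dhcp snooping' output (added example, not from the post)."""
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Set

Interface = namedtuple("Interface", "name trusted rate_pps")  # rate_pps is None for "none"
Binding = namedtuple("Binding", "mac ip lease kind vlan interface")

@dataclass
class SnoopingState:
    vlans: Set[int] = field(default_factory=set)
    option82: bool = False
    interfaces: Dict[str, Interface] = field(default_factory=dict)

def expand_vlan_list(text: str) -> List[int]:
    """Expand '10-15 100 110' or '10-15,100,110' into a sorted list of VLAN ids."""
    vlans: Set[int] = set()
    for token in filter(None, re.split(r"[,\s]+", text.strip())):
        if "-" in token:
            lo, hi = (int(x) for x in token.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(token))
    return sorted(vlans)

def parse_show_snooping(text: str) -> SnoopingState:
    """Parse the layout shown in the post: VLAN list, option 82 line, interface table."""
    state = SnoopingState()
    expect_vlans = in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("DHCP Snooping is configured on the following VLANs"):
            expect_vlans = True          # the VLAN list is on the next line
        elif expect_vlans:
            state.vlans = set(expand_vlan_list(line))
            expect_vlans = False
        elif line.startswith("Insertion of option 82 information is"):
            state.option82 = line.endswith("enabled.")
        elif line.startswith("Interface"):
            in_table = True              # header row; data rows follow the dashed rule
        elif in_table and not line.startswith("-"):
            name, trusted, rate = line.split()
            state.interfaces[name] = Interface(name, trusted == "yes",
                                               None if rate == "none" else int(rate))
    return state

def parse_show_binding(text: str) -> List[Binding]:
    """Parse binding rows; the header (8 tokens) and the dashed rule are skipped."""
    bindings = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 6 or parts[0].startswith("-"):
            continue
        mac, ip, lease, kind, vlan, intf = parts
        bindings.append(Binding(mac, ip, int(lease), kind, int(vlan), intf))
    return bindings

def audit(state: SnoopingState, bindings: List[Binding]) -> List[str]:
    """Apply the post's rules: rate-limit untrusted ports, bindings live on snooped VLANs
    and describe untrusted ports, option 82 insertion is on."""
    findings = []
    for intf in state.interfaces.values():
        if not intf.trusted and intf.rate_pps is None:
            findings.append(f"{intf.name}: untrusted interface without a DHCP rate limit")
    for b in bindings:
        if b.vlan not in state.vlans:
            findings.append(f"{b.mac}: binding on VLAN {b.vlan}, which is not a snooped VLAN")
        intf = state.interfaces.get(b.interface)
        if intf is not None and intf.trusted:
            findings.append(f"{b.mac}: binding learned on trusted interface {b.interface}")
    if not state.option82:
        findings.append("option 82 insertion is disabled")
    return findings

# Constructed sample: the two listings from the post, plus one extra interface row
# (FastEthernet3/2) and one extra binding (VLAN 200) so the first three checks fire.
SHOW_SNOOPING = """\
DHCP Snooping is configured on the following VLANs:
    10-15 100 110
Insertion of option 82 information is enabled.
Interface           Trusted        Rate limit (pps)
---------           -------        ----------------
FastEthernet2/1     yes            10
FastEthernet2/2     yes            none
FastEthernet3/1     no             20
FastEthernet3/2     no             none
"""
SHOW_BINDING = """\
MacAddress      IP Address      Lease (seconds)      Type        VLAN      Interface
-----------     -----------     ----------------     -----       -----     ------------
0000.0100.0201  10.0.0.1        1600                 dynamic     100       FastEthernet2/1
0000.0100.0202  10.0.0.2        1600                 dynamic     200       FastEthernet3/1
"""

if __name__ == "__main__":
    for finding in audit(parse_show_snooping(SHOW_SNOOPING), parse_show_binding(SHOW_BINDING)):
        print(finding)
```

Run against saved output of the two show commands it reports three lines for the sample: the untrusted port without a rate limit, the binding on a VLAN that is not snooped, and the binding recorded on a trusted port. Newer IOS releases print a fourth "Allow option" column in the interface table, so `line.split()` in `parse_show_snooping` would need a fourth field there.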


6 Comments so far

  1. by Tawfiq, on May 29 2008 @ 1:21 pm

     

    Thanks to him who has written this document.
    He describes easily here what
    DHCP snooping is and how to implement this security feature.
    It's brilliant, no doubt.

  2. by Cisco.zephyr, on July 29 2008 @ 10:52 am

     

    This was straight to the point and gave just enough references to follow up for my own reasoning and thoughts.
    Thank you for a (as the other person commented) brilliant, simplistic configuration.

  3. by dog, on July 4 2009 @ 7:20 am

     

    incomplete

  4. by Ramesh, on December 17 2009 @ 4:22 am

     

    What interface should be made trusted?

    The DHCP server connected interface? Or the client (host) connected to the switch?

  5. by Ramesh Krishnan, on December 17 2009 @ 4:23 am

     

    What interface should be made trusted?

    The DHCP server connected interface? Or the client (host) connected to the switch?

    Please clarify…

  6. by John, on July 13 2011 @ 8:50 am

     

    The interface connecting to the DHCP server should be configured as trusted.

    The client should be connected to the untrusted port.

    Simple, yet effective document.
