Tags:Cisco denial-of-service DHCP DHCP-Snooping ios Option82 Security
DHCP snooping is a DHCP security feature that filters untrusted DHCP messages and builds and maintains a DHCP snooping binding table. An untrusted DHCP message is one received from outside the network or firewall; such messages can be used to mount denial-of-service attacks.
The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information that corresponds to the local untrusted interfaces of a switch. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall. A trusted interface is an interface that is configured to receive only messages from within the network.
DHCP snooping is enabled on the switch per VLAN, since it intercepts DHCP messages at layer 2.
The following is a step-by-step procedure to enable and configure DHCP snooping on Cisco Catalyst switches running Cisco IOS.
Enable DHCP Snooping
ciscoswitch(config)# ip dhcp snooping
Enable DHCP Snooping on VLANs
DHCP snooping can be enabled on one or more VLANs or on a range of VLANs.
ciscoswitch(config)# ip dhcp snooping vlan 100
The above enables DHCP snooping on VLAN 100.
To enable it on more VLANs (single IDs and ranges separated by commas):
ciscoswitch(config)# ip dhcp snooping vlan 10-15,100,110
This enables DHCP snooping on VLANs 10-15, 100 and 110.
Enable DHCP Option 82
This allows the switch to insert DHCP option 82 into the packets it relays. Option 82 is the Relay Agent Information Option described in RFC 3046.
ciscoswitch(config)# ip dhcp snooping information option
Configure Trust Interface
Any interface not explicitly configured as a trusted interface is treated as an untrusted interface.
ciscoswitch(config)# interface fa0/0
ciscoswitch(config-if)# ip dhcp snooping trust
DHCP Snooping Rate limiting (optional)
Rate limiting restricts the number of DHCP packets per second (pps) that an interface can receive.
ciscoswitch(config-if)# ip dhcp snooping limit rate 202
Where "202" indicates that the interface can receive 202 DHCP messages per second; if an interface exceeds its limit, the switch puts it into the err-disabled state.
This should configure DHCP Snooping on Cisco IOS switches.
Display DHCP Snooping
ciscoswitch# show ip dhcp snooping
DHCP Snooping is configured on the following VLANs:
10-15 100 110
Insertion of option 82 information is enabled.
Interface                  Trusted    Rate limit (pps)
-----------------------    -------    ----------------
FastEthernet2/1            yes        10
FastEthernet2/2            yes        none
FastEthernet3/1            no         20
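To review this output across many ports, the following added example (not from the original post) parses the "show ip dhcp snooping" text into structured records and flags untrusted ports that have no rate limit, plus trusted ports that should be confirmed to face the DHCP server or uplink. The sample output embedded in the script is constructed to match the format shown above, not captured from a real switch.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format of "show ip dhcp snooping" (not captured from a real switch).
SHOW_SNOOPING = """\
DHCP Snooping is configured on the following VLANs:
10-15 100 110
Insertion of option 82 information is enabled.
Interface           Trusted    Rate limit (pps)
------------------- -------    ----------------
FastEthernet2/1     yes        10
FastEthernet2/2     yes        none
FastEthernet3/1     no         20
FastEthernet3/2     no         none
"""

@dataclass
class SnoopIface:
    name: str
    trusted: bool
    rate_limit: Optional[int]  # None when the switch reports "none" (no limit)

IFACE_RE = re.compile(r"^(\S+)\s+(yes|no)\s+(\d+|none)$")

def parse_vlans(output: str) -> set:
    """Expand the VLAN line ('10-15 100 110') into the set of VLAN IDs."""
    lines = output.splitlines()
    idx = next(i for i, l in enumerate(lines) if l.startswith("DHCP Snooping is configured"))
    vlans = set()
    for tok in lines[idx + 1].split():
        lo, _, hi = tok.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_interfaces(output: str) -> List[SnoopIface]:
    """Parse the per-interface table (rows of the form 'name yes|no pps|none')."""
    rows = []
    for line in output.splitlines():
        m = IFACE_RE.match(line.strip())
        if m:
            name, trusted, rate = m.groups()
            rows.append(SnoopIface(name, trusted == "yes", None if rate == "none" else int(rate)))
    return rows

def audit(ifaces: List[SnoopIface]) -> List[str]:
    """Flag untrusted ports with no rate limit (a host there can flood DHCP unchecked) and
    list trusted ports so they can be checked against the known DHCP server/uplink ports."""
    findings = []
    for i in ifaces:
        if not i.trusted and i.rate_limit is None:
            findings.append(f"{i.name}: untrusted, no 'ip dhcp snooping limit rate' configured")
        elif i.trusted:
            findings.append(f"{i.name}: trusted, verify it faces the DHCP server or uplink")
    return findings
```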
Display DHCP Snooping Binding Table
ciscoswitch# show ip dhcp snooping binding
MacAddress          IP Address     Lease (seconds)   Type      VLAN   Interface
------------------  -------------  ----------------  --------  -----  ----------------
0000.0100.0201      10.0.0.1       1600              dynamic   100    FastEthernet2/1