DHCP Snooping

DHCP snooping is a Layer 2 security feature that filters untrusted DHCP messages and builds and maintains a DHCP snooping binding database, also referred to as the DHCP snooping binding table. The switch distinguishes trusted ports (toward the legitimate DHCP server or upstream switches) from untrusted ports (toward clients): DHCP server messages (OFFER, ACK, NAK) arriving on an untrusted port are dropped, which is what defeats a rogue DHCP server plugged into an access port. The binding table records each client's MAC address, leased IP address, lease time, VLAN and interface, and is the data source for Dynamic ARP Inspection and IP Source Guard.

Switch(config)#ip dhcp snooping

Enables DHCP snooping globally. Snooping does not take effect on any VLAN until it is also enabled per VLAN (see below).

NOTE: If you enable DHCP snooping on a switch, the following DHCP relay agent commands are not available until snooping is disabled:

Switch(config)#ip dhcp relay information check

Switch(config)#ip dhcp relay information policy {drop | keep | replace}

Switch(config)#ip dhcp relay information trust-all

Switch(config-if)#ip dhcp relay information trusted

If you enter these commands with DHCP snooping enabled, the switch returns an error message.

Switch(config)#ip dhcp snooping vlan 20

Enables DHCP snooping on VLAN 20

Switch(config)#ip dhcp snooping vlan 10-35

Enables DHCP snooping on VLANs 10-35

Switch(config)#ip dhcp snooping vlan 20 30

Enables DHCP snooping on VLANs 20 through 30 (two VLAN IDs separated by a space are read as the start and end of a range)

Switch(config)#ip dhcp snooping vlan 10,12,14

Enables DHCP snooping on VLANs 10, 12, and 14

Switch(config)#ip dhcp snooping information option

Enables insertion of the DHCP relay agent information option (option 82) into client DHCP packets received on untrusted ports; the switch strips the option from server replies before forwarding them to the client

NOTE: DHCP address allocation is usually based on an IP address, either the gateway IP address or the incoming interface IP address. In some networks you need additional information to decide which address to allocate. With the relay agent information option (option 82), the Cisco IOS relay agent can include information about itself when forwarding DHCP packets to a DHCP server. The relay agent adds the circuit ID suboption (which switch port the request arrived on) and the remote ID suboption (which switch) to the relay information option and forwards the result to the DHCP server. Caveat: a switch running DHCP snooping drops a client packet that arrives on an untrusted port already carrying option 82. In a design where an edge switch inserts option 82 and an aggregation switch also runs snooping, the aggregation switch must either trust the port facing the edge switch or be configured with ip dhcp snooping information option allow-untrusted.

Switch(config)#interface fastethernet 0/1

Moves to interface config mode

Switch(config-if)#ip dhcp snooping trust

Configures the interface as trusted

NOTE: At least one interface must be trusted when DHCP snooping is enabled: the port connected to the DHCP server, or the uplink through which server replies arrive. Server-to-client messages (OFFER, ACK, NAK) received on an untrusted port are dropped, so if the server-facing port is left untrusted, clients in the snooped VLAN stop receiving leases. Trust only ports that lead to the legitimate server; a trusted access port lets a rogue server answer clients.

By default, all ports are untrusted.

Switch(config-if)#ip dhcp snooping limit rate 75

Limits the number of DHCP packets per second the interface will accept. When the limit is exceeded the port is placed in the error-disabled state and stays down until it is re-enabled manually or by errdisable recovery (errdisable recovery cause dhcp-rate-limit).

NOTE: The range of packets that can be received per second is 1 to 4,294,967,294. By default no rate limit is configured.

TIP: Cisco recommends an untrusted rate limit of no more than 100 packets per second. Rate limiting is meant for untrusted client ports; if you rate-limit a trusted trunk port that carries several snooped VLANs, the limit has to be high enough for the aggregate DHCP traffic of all of them.

Switch(config)#ip dhcp snooping verify mac-address

Configures the switch (global configuration mode, not per interface) to verify that the source MAC address in a DHCP packet received on an untrusted port matches the client hardware address (chaddr) carried in the DHCP payload; packets where the two differ are dropped. This check is enabled by default and is disabled with the no form of the command.
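The commands above are the steps of a single procedure. The following configuration ties them together on one access switch, as an added example that is not part of the original page: clients in VLAN 20 on FastEthernet 0/1 through 0/23, the uplink toward the distribution layer and the DHCP server on GigabitEthernet 0/24. The VLAN number, interface names, rate limit and database filename are assumptions chosen for the example.

```cisco
! Added example (not from the original page). Assumed: client VLAN 20,
! client ports Fa0/1-23, uplink to the DHCP server on Gi0/24.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 20
! Option 82 lets the server see which switch and port a client is on
Switch(config)# ip dhcp snooping information option
! Source MAC must match chaddr on untrusted ports (this is also the default)
Switch(config)# ip dhcp snooping verify mac-address
! Persist the binding table so DAI and IP Source Guard still have
! bindings after a reload (filename is an assumption)
Switch(config)# ip dhcp snooping database flash:dhcp-snooping.db
!
! Uplink toward the DHCP server: the ONLY trusted port. If this is left
! untrusted, OFFER/ACK from the real server are dropped and clients
! in VLAN 20 get no lease.
Switch(config)# interface gigabitethernet 0/24
Switch(config-if)# description Uplink to distribution (DHCP server side)
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit
!
! Client ports stay untrusted (the default). Rate-limit them so a host
! flooding DISCOVERs err-disables its own port instead of exhausting the
! server's address pool. 15 pps is an assumed value, under Cisco's
! recommended ceiling of 100 pps.
Switch(config)# interface range fastethernet 0/1 - 23
Switch(config-if-range)# ip dhcp snooping limit rate 15
Switch(config-if-range)# exit
!
! Recover rate-limit err-disabled ports automatically after 5 minutes
Switch(config)# errdisable recovery cause dhcp-rate-limit
Switch(config)# errdisable recovery interval 300
Switch(config)# end
!
! Verification: global and per-VLAN state, trusted ports and rate limits
Switch# show ip dhcp snooping
! One row per client: MAC, IP, lease, type, VLAN, interface
Switch# show ip dhcp snooping binding
! Forwarded and dropped counters (rises when a rogue server or
! MAC/chaddr mismatch is being filtered)
Switch# show ip dhcp snooping statistics
```

After applying this, confirm with show ip dhcp snooping that GigabitEthernet 0/24 is the only interface listed as trusted, and that show ip dhcp snooping binding fills with entries as clients renew. An empty binding table with clients complaining of no address is the classic symptom of a server-facing port that was left untrusted.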
