Apr 1

DHCP snooping is a security feature that filters untrusted DHCP messages and protects clients on the network from peering up with an unauthorized DHCP server. When enabled, it builds a table of MAC address, IP address, lease time, binding type, and interface information.

There is also an important difference between trusted and untrusted interfaces when talking about DHCP snooping. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall. A trusted interface is an interface that is configured to receive only messages from within the network.

When DHCP snooping is enabled on the entire switch, the switch acts like a firewall for your VLAN. You’ll also want to enable DHCP snooping on the VLAN, to allow the switch to act as a firewall for the entire VLAN domain.

The following is a step-by-step procedure to enable and configure DHCP snooping on Cisco Catalyst switches running Cisco IOS.

Enable DHCP Snooping

SWITCH(config)# ip dhcp snooping

Enable DHCP Snooping on VLANs

DHCP snooping can be enabled on one or more VLANs or a range of VLANs.

SWITCH(config)# ip dhcp snooping vlan 100

The above enables DHCP snooping on VLAN 100.

To enable it on more VLANs:

SWITCH(config)# ip dhcp snooping vlan 10-15,100,110

where DHCP snooping is enabled on VLANs 10-15, 100 and 110.

Enable DHCP Option 82

This enables insertion of DHCP option 82 information into the DHCP packets. Option 82 is the Relay Agent Information Option as described in

SWITCH(config)# ip dhcp snooping information option

Configure Trust Interface


Interface not explcicitly configured as a trust interface is treated as an untrusted interface.

SWITCH(config)# interface fa0/0

SWITCH(config-if)# ip dhcp snooping trust

DHCP Snooping Rate limiting (optional)

Rate limiting restricts the number of DHCP packets per second (pps) that an interface can receive.

SWITCH(config-if)# ip dhcp snooping limit rate 202

Where "202" indicates that the interface can receive 202 DHCP messages per second.

This should configure DHCP snooping on Cisco IOS switches.

Display DHCP Snooping

SWITCH# show ip dhcp snooping
DHCP Snooping is configured on the following VLANs:
10-15 100 110
Insertion of option 82 information is enabled.
Interface           Trusted        Rate limit (pps)
---------           -------        ----------------
FastEthernet2/1     yes            10
FastEthernet2/2     yes            none
FastEthernet3/1     no             20

Display DHCP Snooping Binding Table

SWITCH# show ip dhcp snooping binding

MacAddress      IP Address      Lease (seconds)      Type        VLAN      Interface
--------------  ----------      ---------------      -------     ----      ---------------
0000.0100.0201  10.0.0.1        1600                 dynamic     100       FastEthernet2/1
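The two show outputs above are what an operator reviews to confirm the procedure took effect. As an added example (not code from the original post), the following Python script parses constructed sample text in the same layout as those outputs, then audits the result against a policy: only expected uplink/server ports are trusted, every untrusted port carries a rate limit, the expected VLANs are all snooped, and option 82 insertion is on. The sample text, the allowlist of trusted ports and the expected VLAN set are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample output modelled on the "show" outputs quoted in the post
# (not captured from a real switch). FastEthernet3/2 is added to show a finding.
SHOW_SNOOPING = """\
DHCP Snooping is configured on the following VLANs:
10-15 100 110
Insertion of option 82 information is enabled.
Interface           Trusted        Rate limit (pps)
-----------         -------        ----------------
FastEthernet2/1     yes            10
FastEthernet2/2     yes            none
FastEthernet3/1     no             20
FastEthernet3/2     no             none
"""

SHOW_BINDING = """\
MacAddress      IP Address      Lease (seconds)      Type        VLAN      Interface
-----------     -----------     ----------------     -----       -----     ------------
0000.0100.0201  10.0.0.1        1600                 dynamic     100       FastEthernet2/1
0000.0100.0202  10.0.0.2        1590                 dynamic     100       FastEthernet3/1
"""

@dataclass
class SnoopingState:
    """Snooped VLANs, option 82 state, and per-port (trusted?, rate limit pps or None)."""
    vlans: set = field(default_factory=set)
    option82: bool = False
    interfaces: dict = field(default_factory=dict)

def expand_vlans(text: str) -> set:
    """Expand '10-15 100 110' (space or comma separated, ranges allowed) into VLAN IDs."""
    vlans = set()
    for tok in re.split(r"[,\s]+", text.strip()):
        if not tok:
            continue
        if "-" in tok:
            lo, hi = tok.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(tok))
    return vlans

IFACE_RE = re.compile(r"^(\S+)\s+(yes|no)\s+(\d+|none)\s*$")

def parse_show_snooping(text: str) -> SnoopingState:
    """Parse 'show ip dhcp snooping' output; the VLAN list is the line after its header."""
    state = SnoopingState()
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("DHCP Snooping is configured on the following VLANs:"):
            state.vlans = expand_vlans(lines[i + 1])
        elif line.startswith("Insertion of option 82 information is enabled"):
            state.option82 = True
        else:
            m = IFACE_RE.match(line)  # header and rule lines do not match
            if m:
                name, trusted, rate = m.groups()
                state.interfaces[name] = (trusted == "yes", None if rate == "none" else int(rate))
    return state

BINDING_RE = re.compile(
    r"^([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$",
    re.IGNORECASE)

def parse_bindings(text: str) -> list:
    """Parse 'show ip dhcp snooping binding' rows into dicts; header/rule lines are skipped."""
    bindings = []
    for line in text.splitlines():
        m = BINDING_RE.match(line)
        if m:
            mac, ip, lease, btype, vlan, iface = m.groups()
            bindings.append({"mac": mac.lower(), "ip": ip, "lease": int(lease),
                             "type": btype, "vlan": int(vlan), "interface": iface})
    return bindings

def audit(state: SnoopingState, expected_trusted: set, expected_vlans: set) -> list:
    """Compare the parsed state with policy; an empty list means the policy is met."""
    findings = []
    for name, (trusted, rate) in sorted(state.interfaces.items()):
        if trusted and name not in expected_trusted:
            findings.append(f"{name}: trusted, but not an expected uplink/server port")
        if not trusted and rate is None:
            findings.append(f"{name}: untrusted port without a DHCP rate limit")
    for vlan in sorted(expected_vlans - state.vlans):
        findings.append(f"VLAN {vlan}: DHCP snooping not enabled")
    if not state.option82:
        findings.append("option 82 insertion is disabled")
    return findings
```

Run `audit(parse_show_snooping(SHOW_SNOOPING), {"FastEthernet2/1"}, {10, 100, 110})` and the sample yields two findings: FastEthernet2/2 is trusted without being on the allowlist, and FastEthernet3/2 is an untrusted port with no rate limit. Trusted ports are compared against an explicit allowlist rather than inferred from the output because a stray `ip dhcp snooping trust` on an access port is exactly the misconfiguration this audit exists to catch.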
