🌐
CCNA Prep
  • Intro
  • Network Devices
  • Interfaces and Cables
  • OSI Model & TCP/IP Suite
  • Intro to the CLI
  • Ethernet LAN Switching (Part 1)
  • Ethernet LAN Switching (Part 2)
  • IPv4 Addressing (Part 1)
  • IPv4 Addressing (Part 2)
  • Switch Interfaces
  • IPv4 Header
  • Routing Fundamentals
  • The Life of a Packet
  • Subnetting (Part 1)
  • Subnetting (Part 2)
  • Subnetting (Part 3 - VLSM)
  • VLANs (Part 1)
  • VLANs (Part 2)
  • VLANs (Part 3)
  • DTP/VTP
  • Spanning Tree Protocol (Part 1)
  • Spanning Tree Protocol (Part 2)
  • Rapid Spanning Tree Protocol
  • EtherChannel
  • Dynamic Routing
  • RIP & EIGRP
  • OSPF (Part 1)
  • OSPF (Part 2)
  • OSPF (Part 3)
  • First Hop Redundancy Protocols
  • TCP & UDP
  • IPv6 (Part 1)
  • IPv6 (Part 2)
  • IPv6 (Part 3)
  • Standard ACLs
  • Extended ACLs
  • CDP & LLDP
  • NTP
  • DNS
  • DHCP
  • SNMP
  • Syslog
  • SSH
  • FTP & TFTP
  • NAT (Part 1)
  • NAT (part 2)
  • QoS (Part 1)
  • QoS (Part 2)
  • Security Fundamentals
  • Port Security
  • DHCP Snooping
  • Dynamic ARP Inspection
  • LAN Architectures
  • WAN Architectures
  • Virtualization & Cloud, Containers, VRF
  • Wireless Fundamentals
  • Wireless Architectures
  • Wireless Security
  • Wireless Configuration
  • Network Automation
  • JSON, XML, & YAML
  • REST APIs
  • Software-Defined Networking
  • Ansible, Puppet, & Chef
Powered by GitBook
On this page
  • Operations
  • Configuration
  • Rate-Limiting

DHCP Snooping

Day 50

PreviousPort SecurityNextDynamic ARP Inspection

Last updated 1 year ago

DHCP Snooping is a security feature of switches that is used to filter DHCP messages received on untrusted ports. All ports are untrusted by default.

DHCP Snooping only filters DHCP messages, non-DHCP messages aren't affected. When it filters messages, it differentiates between DHCP Server messages and DHCP Client messages.

  • CHADDR (Client Hardware Address) field in the DHCP message indicates the MAC address of the client

  • NAK - message sent by DHCP Server to decline a client's REQUEST

  • DECLINE - message used by DHCP Client to decline the IP address offered by a DHCP Server

Operations

If a DHCP message is received on a trusted port, it is forwarded as normal without any inspection. If a DHCP message is received on an untrusted port, it is inspected and if it is a DHCP Server message, it gets discarded, otherwise:

  • DISCOVER/REQUEST messages: if the frame's source MAC address and the DHCP message's CHADDR fields match, it is forwarded, otherwise - discarded.

  • RELEASE/DECLINE messages: if the packet's source IP address and the receiving interface match the entry in the DHCP Snooping Binding Table, it is forwarded, otherwise - discarded.

When a client successfully leases an IP address from a server, a new entry in the DHCP Snooping Binding Table is created. To view it, use the command show ip dhcp snooping binding.

Configuration

To configure DHCP snooping from the global config mode:

  1. ip dhcp snooping - enable DHCP Snooping globally on a switch

  2. ip dhcp snooping vlan followed by the VLAN number - enable DHCP Snooping on a VLAN

  3. no ip dhcp snooping information option - Option 82 (aka DHCP relay agent information option). It provides additional information about which DHCP relay agent received the client's message, on which interface, VLAN, etc. It is used by DHCP relay agents. When DHCP Snooping is enabled, by default Cisco switches add Option 82 to DHCP messages they receive from clients, even if the switch is not a DHCP relay agent. By default, Cisco switches drop DHCP messages with Option 82 that are received on an untrusted port. That's why Option 82 needs to be disabled.

  4. interface followed by the interface number - enter the interface config mode

  5. ip dhcp snooping trust - make the interface trusted

Rate-Limiting

DHCP snooping can limit the rate at which DHCP messages are allowed to enter an interface. If the rate of DHCP messages crosses the limit, the interface is put on err-disabled mode. The interface can then be re-enabled manually or automatically with errdisable recovery. To configure the rate limit on an interface, use the command ip dhcp snooping limit rate followed by the number (of messages per second).

10KB
Day 50 Flashcards - DHCP Snooping.apkg
51KB
Day 50 Lab - DHCP Snooping.pkt
Summary
DHCP Snooping demo
Summary