DHCP Snooping
Day 50
DHCP Snooping is a security feature of switches that is used to filter DHCP messages received on untrusted ports. All ports are untrusted by default.
DHCP Snooping only filters DHCP messages, non-DHCP messages aren't affected. When it filters messages, it differentiates between DHCP Server messages and DHCP Client messages.
CHADDR(Client Hardware Address) field in the DHCP message indicates the MAC address of the clientNAK- message sent by DHCP Server to decline a client's REQUESTDECLINE- message used by DHCP Client to decline the IP address offered by a DHCP Server
Operations
If a DHCP message is received on a trusted port, it is forwarded as normal without any inspection. If a DHCP message is received on an untrusted port, it is inspected and if it is a DHCP Server message, it gets discarded, otherwise:
DISCOVER/REQUESTmessages: if the frame's source MAC address and the DHCP message's CHADDR fields match, it is forwarded, otherwise - discarded.RELEASE/DECLINEmessages: if the packet's source IP address and the receiving interface match the entry in the DHCP Snooping Binding Table, it is forwarded, otherwise - discarded.
When a client successfully leases an IP address from a server, a new entry in the DHCP Snooping Binding Table is created. To view it, use the command show ip dhcp snooping binding.
Configuration
To configure DHCP snooping from the global config mode:
ip dhcp snooping- enable DHCP Snooping globally on a switchip dhcp snooping vlanfollowed by the VLAN number - enable DHCP Snooping on a VLANno ip dhcp snooping information option- Option 82 (aka DHCP relay agent information option). It provides additional information about which DHCP relay agent received the client's message, on which interface, VLAN, etc. It is used by DHCP relay agents. When DHCP Snooping is enabled, by default Cisco switches add Option 82 to DHCP messages they receive from clients, even if the switch is not a DHCP relay agent. By default, Cisco switches drop DHCP messages with Option 82 that are received on an untrusted port. That's why Option 82 needs to be disabled.interfacefollowed by the interface number - enter the interface config modeip dhcp snooping trust- make the interface trusted
Rate-Limiting
DHCP snooping can limit the rate at which DHCP messages are allowed to enter an interface. If the rate of DHCP messages crosses the limit, the interface is put on err-disabled mode. The interface can then be re-enabled manually or automatically with errdisable recovery. To configure the rate limit on an interface, use the command ip dhcp snooping limit rate followed by the number (of messages per second).
Last updated
