

How to configure DHCP Snooping


DHCP snooping is a DHCP security feature that protects the network from DHCP starvation attacks by filtering untrusted DHCP messages.

The DHCP snooping feature classifies switch ports as "trusted" or "untrusted": untrusted interfaces are those where DHCP clients are connected, and trusted interfaces are those where a DHCP server or other switches are connected.

Trusted ports (where a DHCP server or other switches are connected) can source all types of DHCP messages, including DHCPOFFER messages.

Untrusted ports are the ports where DHCP clients are connected. Untrusted switch ports cannot source DHCP messages that are normally generated by a DHCP server, such as DHCPOFFER, DHCPACK and DHCPNAK. By default, all switch ports are untrusted.

When DHCP snooping is enabled, Cisco switches build a table known as the DHCP snooping binding database (also called the DHCP snooping binding table).

The DHCP snooping binding table is used to identify and filter untrusted DHCP messages on the network. It keeps track of the DHCP addresses assigned on switch ports, recording the client MAC address, IP address, DHCP lease time, binding type, VLAN number and interface information for each untrusted switch port.

When a switch receives a packet on an untrusted switch port where DHCP snooping is enabled, it uses the information stored in the DHCP snooping binding table to decide whether the packet is permitted or denied.

The packet is denied when:

• DHCP server related messages (for example DHCPOFFER, DHCPACK, DHCPNAK) are received on an untrusted switch port.

• The source MAC address does not match the MAC address in the DHCP binding table entry.


How to enable DHCP snooping globally


OmniSecuSW1#configure terminal
OmniSecuSW1(config)#ip dhcp snooping


How to enable DHCP snooping on a specific VLAN


OmniSecuSW1#configure terminal
OmniSecuSW1(config)#ip dhcp snooping vlan 500


How to configure a switch port as trusted


OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/0
OmniSecuSW1(config-if)#ip dhcp snooping trust


How to view the DHCP snooping database


OmniSecuSW1#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:00:AB:19:C6:00    690515      dhcp-snooping   500   Gigabitethernet0/1
00:00:AB:34:CB:00    690518      dhcp-snooping   500   Gigabitethernet0/2
00:00:AB:2A:FE:00    690512      dhcp-snooping   500   Gigabitethernet0/3
00:00:AB:F7:D0:00    690512      dhcp-snooping   500   Gigabitethernet0/4
00:00:AB:93:82:00    690518      dhcp-snooping   500   Gigabitethernet0/5
Total number of bindings: 5
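The permit/deny rules listed above and the binding table shown by "show ip dhcp snooping binding" can be modelled together. The following is an added example written for this page, not Cisco IOS code or this site's own code: it parses a constructed binding table in the layout of the show command (placeholder addresses, not from a real switch) and applies the two deny rules, with rule two modelled as "a source MAC that already has a binding is only accepted on the interface and VLAN recorded for it".

```python
import re
from dataclasses import dataclass

# DHCP message types that only a server should generate (page rule 1).
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str

# Constructed sample in the layout of 'show ip dhcp snooping binding'
# (placeholder MAC/IP values; not captured from a real switch).
SAMPLE_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:00:AB:19:C6:00   192.0.2.11       690515      dhcp-snooping  500   GigabitEthernet0/1
00:00:AB:34:CB:00   192.0.2.12       690518      dhcp-snooping  500   GigabitEthernet0/2
Total number of bindings: 2
"""

# One data row: MAC, IP, lease seconds, type, VLAN, interface.
ROW = re.compile(r"^([0-9A-Fa-f:]{17})\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)$")

def parse_bindings(text):
    """Extract Binding records from 'show ip dhcp snooping binding' output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header, separator and total lines do not match
            mac, ip, _lease, _type, vlan, intf = m.groups()
            rows.append(Binding(mac.lower(), ip, int(vlan), intf))
    return rows

def snooping_decision(interface, vlan, src_mac, msg_type, bindings, trusted):
    """Decide whether one DHCP message is forwarded. Returns (verdict, reason)."""
    src_mac = src_mac.lower()
    if interface in trusted:
        return "permit", "trusted port: any DHCP message type may be sourced here"
    if msg_type in SERVER_MESSAGES:
        return "deny", f"{msg_type} is a server message but {interface} is untrusted"
    for b in bindings:
        # Rule 2 (modelled): a MAC with a binding must appear on its bound port/VLAN.
        if b.mac == src_mac and (b.interface, b.vlan) != (interface, vlan):
            return "deny", f"{src_mac} is bound to {b.interface} VLAN {b.vlan}, not {interface} VLAN {vlan}"
    return "permit", "client message consistent with the binding table"
```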


How to view the DHCP Snooping configuration


OmniSecuSW1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
DHCP snooping is operational on following VLANs:
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: aabb.cc00.0100 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
Ethernet0/0                yes        yes             unlimited
  Custom circuit-ids:
Jajish Thomason