Tuesday, July 17, 2012

DHCP Snooping


DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. You use DHCP snooping to differentiate between untrusted interfaces connected to end users and trusted interfaces connected to the DHCP server or to another switch. When a switch receives a packet on an untrusted interface that belongs to a VLAN with DHCP snooping enabled, the switch compares the frame's source MAC address with the DHCP client hardware address (chaddr) carried in the DHCP payload. If the addresses match, the switch forwards the packet; if they do not match, the switch drops it. This MAC verification is enabled by default. The switch drops a DHCP packet when one of these situations occurs:
·         A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet, is received on an untrusted interface, that is, from outside the trusted part of the network or from behind a firewall.
·         A packet is received on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match.
·         The switch receives a DHCPRELEASE or DHCPDECLINE message whose MAC address is in the DHCP snooping binding database, but the interface recorded in the binding does not match the interface on which the message was received. This stops a host on one port from releasing or declining a lease that belongs to a host on another port.
·         A packet arrives on an untrusted port carrying relay-agent data: either a relay-agent IP address (giaddr) that is not 0.0.0.0, or option-82 information that a relay agent inserted.
Refer to DHCP Snooping Configuration Guidelines for the guidelines on how to configure DHCP snooping.
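The MAC check and the four drop rules above, as an added worked example that is not from the original page or from Cisco: a small Python model of a snooping switch that applies the rules to constructed packets (simplified Python objects, not real BOOTP/DHCP wire format) and keeps a binding database the way the real feature does, creating a binding when a DHCPACK on a trusted port answers a request seen on an untrusted port. The client MAC addresses and interface names reuse the values from the binding table later on this page; the server MAC 00:00:5e:00:53:01 (IANA documentation range), the attacker port and the scenario itself are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# DHCP message types: RFC 2132 option 53 values; DHCPLEASEQUERY is from RFC 4388.
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, LEASEQUERY = 1, 2, 3, 4, 5, 6, 7, 10
SERVER_MESSAGES = {OFFER, ACK, NAK, LEASEQUERY}


@dataclass
class Packet:
    """Simplified DHCP packet (constructed for this example, not wire format)."""
    src_mac: str              # Ethernet source address of the frame
    chaddr: str               # DHCP 'client hardware address' field
    msg_type: int
    giaddr: str = "0.0.0.0"   # relay agent IP; anything else means the packet was relayed
    option82: bool = False    # relay agent information option present
    yiaddr: str = "0.0.0.0"   # address the server offers/assigns
    lease: int = 0            # lease time in seconds


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    interface: str


class DhcpSnooping:
    """One switch: snooped VLANs, trusted interfaces and the binding database."""

    def __init__(self, vlans, trusted, verify_mac=True):
        self.vlans = set(vlans)
        self.trusted = set(trusted)
        self.verify_mac = verify_mac             # 'ip dhcp snooping verify mac-address', on by default
        self.bindings: dict[str, Binding] = {}   # client MAC -> binding
        self._pending: dict[str, str] = {}       # client MAC -> interface its request arrived on

    def process(self, pkt: Packet, interface: str, vlan: int) -> tuple[bool, str]:
        """Apply the snooping rules to one packet; return (forwarded, reason)."""
        mac = pkt.chaddr.lower()
        if vlan not in self.vlans:
            return True, "VLAN not snooped"

        if interface in self.trusted:
            # Server replies on a trusted port are forwarded; an ACK that answers a
            # request seen on an untrusted port creates the binding for that port.
            if pkt.msg_type == ACK and mac in self._pending:
                self.bindings[mac] = Binding(mac, pkt.yiaddr, pkt.lease, vlan,
                                             self._pending.pop(mac))
            return True, "trusted interface"

        # Everything below is an untrusted interface: the four drop rules.
        if pkt.msg_type in SERVER_MESSAGES:
            return False, "server message on untrusted interface"
        if self.verify_mac and pkt.src_mac.lower() != mac:
            return False, "source MAC does not match chaddr"
        if pkt.giaddr != "0.0.0.0" or pkt.option82:
            return False, "relay-agent data on untrusted interface"
        if pkt.msg_type in (RELEASE, DECLINE):
            bound = self.bindings.get(mac)
            if bound is not None and bound.interface != interface:
                return False, "RELEASE/DECLINE from an interface other than the binding's"
            self.bindings.pop(mac, None)
            return True, "client released/declined its lease"
        if pkt.msg_type in (DISCOVER, REQUEST):
            self._pending[mac] = interface
        return True, "client message on untrusted interface"


# Constructed scenario: client MACs and ports reuse the binding table shown on this
# page; the server MAC is from the IANA documentation range (00:00:5e:00:53:xx).
VICTIM, ATTACKER, SERVER = "00:11:85:a5:7b:f5", "00:11:85:8d:9a:f9", "00:00:5e:00:53:01"
TRUSTED, VICTIM_PORT, ATTACKER_PORT = "FastEthernet1/0/3", "FastEthernet1/0/1", "FastEthernet1/0/2"


def run_scenario():
    """Replay a legitimate lease plus four attacks; return ({step: forwarded?}, switch)."""
    sw = DhcpSnooping(vlans=[1], trusted=[TRUSTED])
    steps = [
        ("victim DISCOVER", Packet(VICTIM, VICTIM, DISCOVER), VICTIM_PORT),
        ("server OFFER",    Packet(SERVER, VICTIM, OFFER, yiaddr="10.0.0.2"), TRUSTED),
        ("victim REQUEST",  Packet(VICTIM, VICTIM, REQUEST), VICTIM_PORT),
        ("server ACK",      Packet(SERVER, VICTIM, ACK, yiaddr="10.0.0.2", lease=86400), TRUSTED),
        ("rogue OFFER",     Packet(ATTACKER, VICTIM, OFFER, yiaddr="10.0.0.200"), ATTACKER_PORT),
        ("spoofed chaddr",  Packet(ATTACKER, VICTIM, DISCOVER), ATTACKER_PORT),
        ("forged RELEASE",  Packet(VICTIM, VICTIM, RELEASE), ATTACKER_PORT),
        ("fake relay",      Packet(ATTACKER, ATTACKER, DISCOVER, giaddr="10.0.0.254"), ATTACKER_PORT),
        ("real RELEASE",    Packet(VICTIM, VICTIM, RELEASE), VICTIM_PORT),
    ]
    results = {}
    for name, pkt, iface in steps:
        forwarded, reason = sw.process(pkt, iface, vlan=1)
        results[name] = forwarded
        verdict = "forward" if forwarded else "DROP"
        print(f"{name:16} on {iface:18} -> {verdict:7} ({reason})")
    return results, sw


if __name__ == "__main__":
    run_scenario()
```

Run it directly to see each step's decision: the legitimate exchange is forwarded and builds a binding on FastEthernet1/0/1, the rogue OFFER, the DISCOVER with a forged chaddr, the RELEASE for the victim's MAC sent from the attacker's port and the packet carrying a non-zero giaddr are all dropped, and the victim's own RELEASE removes the binding. A real switch additionally ages bindings out when the lease expires and rate-limits DHCP on untrusted ports; the model leaves both out.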

Note: For DHCP snooping to function properly, all DHCP servers must be connected to the switch through trusted interfaces.

Note: In a switch stack with Catalyst 3750 Switches, DHCP snooping is managed on the stack master. When a new switch joins the stack, the switch receives DHCP snooping configuration from the stack master. When a member leaves the stack, all DHCP snooping bindings associated with the switch age out.

Note: In order to ensure that the lease time in the database is accurate, Cisco recommends that you enable and configure NTP. If NTP is configured, the switch writes binding changes to the binding file only when the switch system clock is synchronized with NTP.
Rogue DHCP servers can be mitigated with the DHCP snooping feature. The ip dhcp snooping command enables DHCP snooping globally on the switch, and it takes effect only on the VLANs where it is also enabled. Once snooping is active on a VLAN, every port in that VLAN is untrusted by default, so DHCP server replies received on those ports are dropped. Here, only the FastEthernet 1/0/3 interface connected to the DHCP server is configured as trusted. In production you would also rate-limit DHCP traffic on the untrusted ports (ip dhcp snooping limit rate) and persist the binding table with ip dhcp snooping database so that bindings survive a reload.

DHCP Snooping
Cat3750#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Cat3750(config)#ip dhcp snooping

!--- Enables DHCP snooping globally on the switch.

Cat3750(config)#ip dhcp snooping vlan 1

!--- DHCP snooping is not active until it is enabled on at least one VLAN.

Cat3750(config)#no ip dhcp snooping information option

!--- Disables the insertion and removal of the option-82 field. Use this when the
!--- DHCP clients and the DHCP server reside on the same IP subnet: many DHCP servers
!--- discard packets that carry option 82 while giaddr is still 0.0.0.0.

Cat3750(config)#interface fastEthernet 1/0/3
Cat3750(config-if)#ip dhcp snooping trust

!--- Configures the interface connected to the DHCP server as trusted.
!--- All other ports in VLAN 1 remain untrusted.

Cat3750(config-if)#end
Cat3750#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
Insertion of option 82 is disabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet1/0/3            yes         unlimited

!--- Displays the DHCP snooping configuration for the switch. Only the trusted
!--- interface is listed; every port not shown is untrusted.

Cat3750#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:85:A5:7B:F5     10.0.0.2        86391       dhcp-snooping  1    FastEthernet1/0/1
00:11:85:8D:9A:F9     10.0.0.3        86313       dhcp-snooping  1    FastEthernet1/0/2
Total number of bindings: 2

!--- Displays the DHCP snooping binding entries for the switch: one entry per
!--- client lease learned from a DHCPACK seen on the trusted port, recording the
!--- client MAC, its address, the remaining lease, the VLAN and the client's port.

Cat3750#

!--- DHCP server(s) connected to an untrusted port will not be able
!--- to assign IP addresses to the clients.
Refer to Configuring DHCP Features for more information.