How to configure DHCP Snooping
DHCP snooping is a DHCP security feature that provides protection from DHCP starvation attacks by filtering untrusted DHCP messages.
The DHCP snooping feature classifies switch ports as "trusted" or "untrusted". It can therefore distinguish between untrusted interfaces (where DHCP clients are connected) and trusted interfaces (where a DHCP server or other switches are connected).
Trusted ports (where a DHCP server or other switches are connected) can source all types of DHCP messages, including the DHCPOFFER message.
Untrusted ports are the ports where DHCP clients are connected. Untrusted switch ports cannot source DHCP messages such as DHCPOFFER, DHCPACK and DHCPNAK, which are normally generated by a DHCP server. By default, all switch ports are untrusted.
When DHCP snooping is enabled, Cisco switches build a table known as the DHCP snooping binding database (also called the DHCP snooping binding table).
The DHCP snooping binding table is used to identify and filter untrusted DHCP messages on the network. It keeps track of the DHCP addresses assigned to clients on untrusted switch ports and records, for each binding, the client MAC address, IP address, DHCP lease time, binding type, VLAN number and interface.
When a switch receives a DHCP packet on an untrusted switch port where DHCP snooping is enabled, the switch uses the information stored in the DHCP snooping binding table to decide whether the packet is permitted or denied.
The packet is denied when:
• DHCP server related messages (Example: DHCPOFFER, DHCPACK, DHCPNAK) are received on an untrusted switch port.
• The source MAC address does not match the MAC address in the DHCP snooping binding table entry.
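To make the permit/deny decision above concrete, here is a small simulator written for this article (it is not Cisco code and does not model every IOS check). It applies the rules just listed to a constructed sequence of DHCP packets: server messages arriving on an untrusted port are dropped, a DHCPACK seen on the trusted port creates a binding for the client's port, and a later message whose source MAC or port disagrees with that binding is dropped. Port names, MAC addresses and IP addresses in the demo are constructed for illustration; the hwaddr (chaddr) check corresponds to the "Verification of hwaddr field" line shown later in the show output.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Message types a DHCP server sends; an untrusted port must never source them.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass(frozen=True)
class Binding:
    """One row of the DHCP snooping binding table."""
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass
class DhcpPacket:
    """The fields of a DHCP message that the snooping decision looks at."""
    msg_type: str
    src_mac: str                   # Ethernet source MAC of the frame
    chaddr: str                    # client hardware address inside the DHCP payload
    vlan: int
    ingress: str                   # switch port the frame arrived on
    ciaddr: Optional[str] = None   # client's current IP (RELEASE/DECLINE/renew)
    yiaddr: Optional[str] = None   # IP assigned by the server (OFFER/ACK)


class SnoopingSwitch:
    """Hypothetical switch model: trusted ports, snooping VLANs and a binding table."""

    def __init__(self, trusted_ports: List[str], snooping_vlans: List[int]) -> None:
        self.trusted = set(trusted_ports)
        self.vlans = set(snooping_vlans)
        self.bindings: Dict[str, Binding] = {}   # keyed by client IP address
        self.pending: Dict[str, str] = {}        # chaddr -> untrusted port awaiting an ACK

    def decide(self, pkt: DhcpPacket) -> Tuple[str, str]:
        """Return ("permit" | "deny", reason) and update the binding table."""
        if pkt.vlan not in self.vlans:
            return "permit", "DHCP snooping not enabled on this VLAN"
        if pkt.ingress in self.trusted:
            self._learn_from_server(pkt)
            return "permit", "trusted port may source any DHCP message"
        # Everything below is an untrusted (client-facing) port.
        if pkt.msg_type in SERVER_MESSAGES:
            return "deny", f"{pkt.msg_type} received on untrusted port {pkt.ingress}"
        if pkt.chaddr.lower() != pkt.src_mac.lower():
            return "deny", "DHCP chaddr does not match frame source MAC (hwaddr verification)"
        if pkt.ciaddr is not None:
            b = self.bindings.get(pkt.ciaddr)
            if b is not None and (b.mac != pkt.src_mac.lower() or b.interface != pkt.ingress):
                return "deny", f"source MAC/port does not match the binding for {pkt.ciaddr}"
            if b is not None and pkt.msg_type == "DHCPRELEASE":
                del self.bindings[pkt.ciaddr]   # legitimate release removes the binding
        self.pending[pkt.chaddr.lower()] = pkt.ingress
        return "permit", "client message consistent with the binding table"

    def _learn_from_server(self, pkt: DhcpPacket) -> None:
        """A DHCPACK from a trusted port creates the binding for the client's port."""
        if pkt.msg_type != "DHCPACK" or pkt.yiaddr is None:
            return
        port = self.pending.pop(pkt.chaddr.lower(), None)
        if port is not None:
            self.bindings[pkt.yiaddr] = Binding(pkt.chaddr.lower(), pkt.yiaddr, pkt.vlan, port)


def run_demo() -> List[str]:
    """Constructed sequence: a legitimate lease, a rogue OFFER and a forged RELEASE."""
    sw = SnoopingSwitch(trusted_ports=["Gi0/0"], snooping_vlans=[500])
    client = "00:00:ab:19:c6:00"
    packets = [
        DhcpPacket("DHCPDISCOVER", client, client, 500, "Gi0/1"),
        # a DHCP server answering from an access port is blocked
        DhcpPacket("DHCPOFFER", "00:00:ab:2a:fe:00", client, 500, "Gi0/3", yiaddr="10.9.9.9"),
        # the real server answers through the trusted uplink
        DhcpPacket("DHCPACK", "00:00:ab:ff:ff:01", client, 500, "Gi0/0", yiaddr="172.16.10.183"),
        # another host on another port tries to release the client's lease
        DhcpPacket("DHCPRELEASE", "00:00:ab:34:cb:00", "00:00:ab:34:cb:00", 500, "Gi0/2",
                   ciaddr="172.16.10.183"),
        # the client itself releases its lease
        DhcpPacket("DHCPRELEASE", client, client, 500, "Gi0/1", ciaddr="172.16.10.183"),
    ]
    return [sw.decide(p)[0] for p in packets]


if __name__ == "__main__":
    print(run_demo())   # ['permit', 'deny', 'permit', 'deny', 'permit']
```

The binding table is keyed by IP here purely for brevity; a real switch keys on MAC and VLAN as well, which is why the show output later in this article lists both.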
How to enable DHCP snooping globally
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#ip dhcp snooping
OmniSecuSW1(config)#exit
OmniSecuSW1#
How to enable DHCP snooping on a specific VLAN
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#ip dhcp snooping vlan 500
OmniSecuSW1(config)#exit
OmniSecuSW1#
How to configure a switch port as trusted
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/0
OmniSecuSW1(config-if)#ip dhcp snooping trust
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#
How to view the DHCP snooping database
OmniSecuSW1#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:00:AB:19:C6:00   172.16.10.183    690515      dhcp-snooping  500   Gigabitethernet0/1
00:00:AB:34:CB:00   172.16.10.184    690518      dhcp-snooping  500   Gigabitethernet0/2
00:00:AB:2A:FE:00   172.16.10.182    690512      dhcp-snooping  500   Gigabitethernet0/3
00:00:AB:F7:D0:00   172.16.10.181    690512      dhcp-snooping  500   Gigabitethernet0/4
00:00:AB:93:82:00   172.16.10.185    690518      dhcp-snooping  500   Gigabitethernet0/5
Total number of bindings: 5
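The binding table is also a useful audit source. The following parser, written for this article rather than taken from Cisco, reads the text of "show ip dhcp snooping binding", checks the row count against the "Total number of bindings" footer, and flags two conditions a defender cares about: an access port carrying more leases than expected (many leases on one client port is what a DHCP starvation attempt looks like from the switch's side) and one IP address bound to more than one MAC. The sample output reuses the five rows shown above and adds two constructed rows on Gigabitethernet0/5 so that the threshold check has something to report; the threshold itself is an assumption you would tune per port role.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# One binding row: MAC, IP, lease seconds, binding type, VLAN, interface.
ROW = re.compile(
    r"^\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+"   # MacAddress
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+"                    # IpAddress
    r"(\d+)\s+"                                        # Lease(sec)
    r"(\S+)\s+"                                        # Type
    r"(\d+)\s+"                                        # VLAN
    r"(\S+)\s*$"                                       # Interface
)
TOTAL = re.compile(r"Total number of bindings:\s*(\d+)")


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    lease: int
    kind: str
    vlan: int
    interface: str


def parse_bindings(text: str) -> List[Binding]:
    """Extract binding rows; header, separator and footer lines do not match ROW."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            mac, ip, lease, kind, vlan, iface = m.groups()
            rows.append(Binding(mac.upper(), ip, int(lease), kind, int(vlan), iface))
    return rows


def declared_total(text: str) -> Optional[int]:
    """The count the switch printed in the footer, or None if absent."""
    m = TOTAL.search(text)
    return int(m.group(1)) if m else None


def crowded_ports(bindings: List[Binding], max_per_port: int = 1) -> Dict[str, int]:
    """Ports with more bindings than a single client should need (starvation indicator)."""
    counts = Counter(b.interface for b in bindings)
    return {iface: n for iface, n in counts.items() if n > max_per_port}


def duplicate_ips(bindings: List[Binding]) -> Dict[str, List[str]]:
    """IP addresses bound to more than one MAC address."""
    macs = defaultdict(list)
    for b in bindings:
        macs[b.ip].append(b.mac)
    return {ip: m for ip, m in macs.items() if len(m) > 1}


# Constructed sample: the five rows from the show output above plus two extra
# constructed rows on Gigabitethernet0/5, with the footer adjusted to match.
SAMPLE = """\
OmniSecuSW1#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:00:AB:19:C6:00   172.16.10.183    690515      dhcp-snooping  500   Gigabitethernet0/1
00:00:AB:34:CB:00   172.16.10.184    690518      dhcp-snooping  500   Gigabitethernet0/2
00:00:AB:2A:FE:00   172.16.10.182    690512      dhcp-snooping  500   Gigabitethernet0/3
00:00:AB:F7:D0:00   172.16.10.181    690512      dhcp-snooping  500   Gigabitethernet0/4
00:00:AB:93:82:00   172.16.10.185    690518      dhcp-snooping  500   Gigabitethernet0/5
00:00:AB:7E:11:00   172.16.10.186    690520      dhcp-snooping  500   Gigabitethernet0/5
00:00:AB:7E:22:00   172.16.10.187    690521      dhcp-snooping  500   Gigabitethernet0/5
Total number of bindings: 7
"""


def audit(text: str, max_per_port: int = 1) -> Dict[str, object]:
    """Run all checks on one capture and return a summary dictionary."""
    rows = parse_bindings(text)
    total = declared_total(text)
    return {
        "parsed": len(rows),
        "footer_matches": total is None or total == len(rows),
        "crowded_ports": crowded_ports(rows, max_per_port),
        "duplicate_ips": duplicate_ips(rows),
    }


if __name__ == "__main__":
    print(audit(SAMPLE))
```

A practical way to use this is to save the show output from each access switch on a schedule and compare successive audits; a port whose binding count jumps between runs deserves a look, and the per-port rate limit shown in the configuration output below is the corresponding control on the switch itself.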
How to view the DHCP Snooping configuration
OmniSecuSW1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
500
DHCP snooping is operational on following VLANs:
500
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: aabb.cc00.0100 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                Trusted  Allow option  Rate limit (pps)
-----------------------  -------  ------------  ----------------
Ethernet0/0              yes      yes           unlimited
Custom circuit-ids:
OmniSecuSW1#