Configuring DHCP Snooping
Overview of DHCP Snooping
DHCP snooping is a security feature for the Dynamic Host Configuration Protocol (DHCP) that acts like a firewall between untrusted hosts and trusted DHCP servers. When DHCP snooping is enabled on a VLAN, the switch examines DHCP messages sent from untrusted hosts on that VLAN and extracts their IP addresses and lease information, which it uses to build and maintain the DHCP snooping database. DHCP snooping is enabled on a per-VLAN basis; by default the feature is inactive on all VLANs, and you can enable it on a single VLAN or a range of VLANs.
Trusted Sources
DHCP snooping classifies every traffic source as either trusted or untrusted. It protects the network by keeping track of the valid IP addresses that a trusted DHCP server assigns to downstream devices. The default trust state of all interfaces is untrusted.
DHCP Snooping Limit Rate
Configures the number of DHCP packets per second that an interface may receive, to reduce or eliminate the impact of a DHCP packet flood arriving on that interface.
MAC Address Verification
With DHCP snooping MAC address verification enabled, the switch verifies that the source MAC address and the client hardware address (chaddr) match in DHCP packets received on untrusted ports. The source MAC address is a Layer 2 field of the frame, and the client hardware address is a Layer 3 field in the DHCP packet.
Option-82 Insertion
DHCP Option 82, also called the DHCP relay agent information option, is one of many DHCP options. It was proposed to enhance the security of the DHCP server and improve the IP address allocation strategy. The relay component adds and strips the option.
DHCP Database
The DHCP snooping feature dynamically builds and maintains the database using information extracted from intercepted DHCP messages. The database contains an entry for each untrusted host with a leased IP address, provided the host is on a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces. When the ip verify source function is enabled on an interface, the database entries define the valid users on that interface.
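The behaviour described in the sections above (trusted and untrusted ports, the rogue-server check, MAC address verification, and the binding database that ip verify source consults) can be modelled in a few dozen lines. The following Python program is an added example written for this page, not the switch's own code: it builds minimal DHCP payloads as constructed test input, parses the fields snooping needs, and applies the snooping rules to frames arriving on named ports. The port names (gi0/1, gi0/8 and so on), the MAC addresses, the IP addresses and the lease value are all assumptions.

```python
import socket
import struct
from dataclasses import dataclass, field

# Fixed BOOTP header: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr
BOOTP_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
SERVER_MESSAGES = {OFFER, ACK}  # only a DHCP server legitimately sends these


def build_dhcp(op, msg_type, chaddr, yiaddr="0.0.0.0", lease=None):
    """Build a minimal DHCP payload. Constructed test input, not a full encoder."""
    hdr = BOOTP_HDR.pack(op, 1, 6, 0, 0x1234, 0, 0, b"\0" * 4, socket.inet_aton(yiaddr),
                         b"\0" * 4, b"\0" * 4, chaddr.ljust(16, b"\0"))
    opts = bytes([53, 1, msg_type])                      # option 53: DHCP message type
    if lease is not None:
        opts += bytes([51, 4]) + struct.pack("!I", lease)  # option 51: lease time
    return hdr + b"\0" * 192 + MAGIC_COOKIE + opts + b"\xff"  # sname + file = 192 zero bytes


def parse_dhcp(payload):
    """Extract the fields snooping needs: message type, client hardware address, assigned IP, lease."""
    fields = BOOTP_HDR.unpack_from(payload, 0)
    hlen, yiaddr, chaddr = fields[2], fields[8], fields[11]
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                          # 0 = pad option
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "msg_type": opts[53][0],
        "chaddr": chaddr[:hlen],
        "yiaddr": socket.inet_ntoa(yiaddr),
        "lease": struct.unpack("!I", opts[51])[0] if 51 in opts else None,
    }


@dataclass
class Binding:
    ip: str
    port: str
    lease: int


@dataclass
class SnoopingSwitch:
    """Model of the per-VLAN snooping state: trusted ports, MAC verification, binding database."""
    trusted: set = field(default_factory=set)
    verify_mac: bool = True
    bindings: dict = field(default_factory=dict)   # client MAC -> Binding
    _pending: dict = field(default_factory=dict)   # client MAC -> port that sent DISCOVER/REQUEST

    def process(self, port, src_mac, payload):
        """Return 'forward' or a 'drop: ...' reason; a trusted ACK adds a database entry."""
        msg = parse_dhcp(payload)
        if port in self.trusted:
            if msg["msg_type"] == ACK and msg["chaddr"] in self._pending:
                client_port = self._pending.pop(msg["chaddr"])
                self.bindings[msg["chaddr"]] = Binding(msg["yiaddr"], client_port, msg["lease"])
            return "forward"
        if msg["msg_type"] in SERVER_MESSAGES:            # server reply from an untrusted port
            return "drop: server message on untrusted port"
        if self.verify_mac and msg["chaddr"] != src_mac:  # Layer 2 source vs chaddr in the payload
            return "drop: chaddr does not match source MAC"
        if msg["msg_type"] in (DISCOVER, REQUEST):
            self._pending[msg["chaddr"]] = port            # remember which port the client is on
        return "forward"

    def ip_source_allowed(self, port, src_mac, src_ip):
        """ip verify source: permit only traffic that matches a snooping binding on this port."""
        b = self.bindings.get(src_mac)
        return b is not None and b.port == port and b.ip == src_ip


def demo():
    """Walk one lease through a switch whose only trusted port is gi0/8 (assumed names)."""
    sw = SnoopingSwitch(trusted={"gi0/8"})
    client = b"\xaa\xbb\xcc\x00\x00\x01"    # constructed client MAC
    other = b"\xaa\xbb\xcc\x00\x00\x02"     # constructed MAC of a second host
    server = b"\x00\x11\x22\x33\x44\x55"    # constructed MAC of the real DHCP server
    decisions = [
        sw.process("gi0/1", client, build_dhcp(1, DISCOVER, client)),
        sw.process("gi0/3", other, build_dhcp(2, OFFER, client, "10.0.0.99")),   # unexpected server
        sw.process("gi0/8", server, build_dhcp(2, ACK, client, "10.0.0.5", 3600)),
        sw.process("gi0/2", other, build_dhcp(1, DISCOVER, client)),            # chaddr mismatch
    ]
    return sw, decisions


if __name__ == "__main__":
    switch, results = demo()
    for r in results:
        print(r)
    print(switch.bindings)
```

The model keeps the client's port from its DISCOVER/REQUEST so that the binding created on the server's ACK records where the client is attached, which is what ip verify source later checks.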
Configuring
- Enable DHCP Snooping Globally
SWITCH(config)#ip dhcp snooping
SWITCH(config)#no ip dhcp snooping
Enables DHCP snooping globally.
SWITCH(config)#ip dhcp snooping vlan VID
SWITCH(config)#no ip dhcp snooping vlan VID
Enables DHCP snooping on a VLAN or VLAN range, for example: ip dhcp snooping vlan 3-10. By default, DHCP snooping is enabled on all VLANs.
SWITCH(config-if)#ip dhcp snooping trust
SWITCH(config-if)#no ip dhcp snooping trust
Configures the interface as trusted. By default, all interfaces are untrusted.
SWITCH(config)#ip dhcp snooping verify mac-address
SWITCH(config)#no ip dhcp snooping verify mac-address
Enables DHCP snooping MAC address verification. Disabled by default.
SWITCH(config-if)#ip dhcp snooping rate-limit PPS
SWITCH(config-if)#no ip dhcp snooping rate-limit
Configures DHCP packet rate limiting on the interface. PPS ranges from 0 to 128. If PPS is set to 0, the interface drops all incoming DHCP packets.
Note
✦ Due to hardware limitations, for DHCP rate limit, when the limit value is not 0, the software rate limit is used, and when the limit value is 0, the hardware rate limit is used. Software rate limit will consume CPU resources.
- Enabling Option-82 Data Insertion
SWITCH(config)#ip dhcp snooping information option-82
SWITCH(config)#no ip dhcp snooping information option-82
Enables DHCP option-82 data insertion.
SWITCH(config-if)#ip dhcp snooping information option-82 circuit-id WORD
SWITCH(config-if)#no ip dhcp snooping information option-82 circuit-id
Configures custom circuit-id content. Default: VLAN and port information. WORD: a string of 3 to 63 characters.
SWITCH(config-if)#ip dhcp snooping information option-82 remote-id WORD
SWITCH(config-if)#no ip dhcp snooping information option-82 remote-id
Configures custom remote-id content. Default: the device MAC address. WORD: a string of 1 to 63 characters.
SWITCH(config)#ip dhcp snooping database write-delay SECONDS
SWITCH(config)#no ip dhcp snooping database write-delay
Configures the DHCP snooping database to be written to flash at regular intervals. SECONDS ranges from 600 to 86400 seconds.
- Trigger DHCP Snooping Database Write-flash
SWITCH(config)#ip dhcp snooping database write-flash
Triggers an immediate write of the DHCP snooping database to flash.
SWITCH(config)#ip dhcp snooping database renew
Triggers a reload of the DHCP snooping database from flash.
SWITCH#clear ip dhcp snooping database (vlan VLANID | interface IFNAME | mac-address XXXX.XXXX.XXXX | ip-address A.B.C.D | flash)
Clears DHCP snooping database entries by VLAN, interface, MAC address, or IP address; the flash keyword clears the copy stored in flash.
Examples
Example 1: a typical DHCP snooping deployment. Interface gigabitEthernet0/8 is connected to the DHCP server; USER-A obtains its IP address dynamically; other DHCP servers exist in the LAN and would interfere with USER-A's address assignment. The topology is shown in Figure 1-1.
Figure 1-1: Typical application of DHCP snooping (diagram not reproduced)
- Enable DHCP snooping globally and trust the server-facing interface.
SWITCH#configure terminal
SWITCH(config)#ip dhcp snooping
SWITCH(config)#interface gigabitEthernet0/8
SWITCH(config-if)#ip dhcp snooping trust
Display Information
- Display DHCP Snooping Information
SWITCH#show ip dhcp snooping
Ip dhcp snooping         : Enabled
No ip dhcp snooping vlan : 2-5
Verify mac-address       : Disabled
Information option-82    : No
database write-delay     : 0 seconds
Interface            Trusted   Rate limit (pps)
------------------------------------------------
gigabitEthernet0/16  yes       unlimited
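When checking many switches, it is easier to compare the show ip dhcp snooping output against the intended policy in code than to read it by eye. The Python script below is an added example, not part of this page or the switch firmware: it parses output laid out as above and reports deviations (snooping disabled, MAC verification off, a VLAN that should be snooped but is excluded, an unexpected trusted port, an untrusted port with no rate limit). The gigabitEthernet0/16 row and the setting values come from the page's example output; the gigabitEthernet0/8 row, the expected-trusted set and the VLAN list are constructed. It assumes that a write-delay of 0 seconds means no periodic write to flash is configured and that the table has the three columns shown.

```python
# Sample output as the switch prints it. The settings and the gigabitEthernet0/16 row
# come from the page's example; the gigabitEthernet0/8 row is constructed.
SAMPLE_OUTPUT = """\
Ip dhcp snooping         : Enabled
No ip dhcp snooping vlan : 2-5
Verify mac-address       : Disabled
Information option-82    : No
database write-delay     : 0 seconds
Interface            Trusted   Rate limit (pps)
------------------------------------------------
gigabitEthernet0/16  yes       unlimited
gigabitEthernet0/8   no        10
"""


def parse_vlan_range(spec):
    """Expand a VLAN list such as '2-5,7' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_snooping(text):
    """Split the output into a settings dict and a per-interface dict."""
    settings, interfaces, in_table = {}, {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Interface"):
            in_table = True            # everything after the header is the interface table
        elif in_table:
            if set(line) <= set("-"):  # column separator line
                continue
            name, trusted, rate = line.split(maxsplit=2)
            interfaces[name] = {
                "trusted": trusted.lower() == "yes",
                "rate_limit": None if rate == "unlimited" else int(rate),
            }
        elif ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            settings[key] = value
    return settings, interfaces


def audit(text, expected_trusted, snooped_vlans):
    """Return findings where the running state deviates from the intended policy."""
    settings, interfaces = parse_show_snooping(text)
    findings = []
    if settings.get("Ip dhcp snooping") != "Enabled":
        findings.append("DHCP snooping is not enabled globally")
    if settings.get("Verify mac-address") != "Enabled":
        findings.append("MAC address verification is disabled")
    if settings.get("database write-delay", "").startswith("0 "):   # assumption: 0 = not configured
        findings.append("no periodic write of the binding database to flash (write-delay 0)")
    excluded = parse_vlan_range(settings.get("No ip dhcp snooping vlan", ""))
    for vlan in sorted(snooped_vlans & excluded):
        findings.append(f"VLAN {vlan} should be snooped but is excluded")
    for name, info in interfaces.items():
        if info["trusted"] and name not in expected_trusted:
            findings.append(f"{name} is trusted but is not an expected DHCP server uplink")
        if not info["trusted"] and info["rate_limit"] is None:
            findings.append(f"{name} is untrusted with no DHCP rate limit")
    return findings


if __name__ == "__main__":
    # Policy for this example: only the server uplink gigabitEthernet0/8 may be trusted,
    # and VLANs 1-3 must be snooped (both constructed).
    for finding in audit(SAMPLE_OUTPUT, {"gigabitEthernet0/8"}, {1, 2, 3}):
        print("FINDING:", finding)
```

Against the sample output the audit flags the trusted gigabitEthernet0/16 (the page's Example 1 trusts gigabitEthernet0/8 instead), VLANs 2 and 3 being excluded from snooping, MAC verification being off, and the absence of a periodic flash write.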