Thursday, October 16, 2008

Enable/Configure DHCP Snooping in Cisco Catalyst Switches (IOS)

DHCP snooping is a Layer 2 security feature that filters untrusted DHCP messages and builds and maintains a DHCP snooping binding table. An untrusted message is one that arrives on an untrusted (host-facing) port. DHCP server replies (DHCPOFFER, DHCPACK, DHCPNAK) received on such a port are dropped, which stops a rogue DHCP server from handing out bogus addresses, default gateways or DNS servers to clients; client messages whose source MAC address does not match the chaddr field are discarded as well, and the feature also limits DHCP floods that would otherwise exhaust the address pool or the switch CPU.

The DHCP snooping binding table records the MAC address, IP address, lease time, binding type, VLAN number and interface for every host that obtained a lease through an untrusted interface of the switch. A trusted interface is one that faces a legitimate DHCP server, a DHCP relay, or an uplink to another trusted switch; only trusted interfaces are allowed to source DHCP server messages. An untrusted interface is any other port, normally the access ports that end hosts connect to. Other features such as Dynamic ARP Inspection and IP Source Guard rely on this binding table.

DHCP snooping is enabled per VLAN, because the switch intercepts the DHCP messages at Layer 2 as they cross the VLAN.

The following is a step-by-step procedure to enable and configure DHCP snooping on Cisco Catalyst switches running Cisco IOS.

Enable DHCP Snooping

ciscoswitch(config)# ip dhcp snooping

Enable DHCP Snooping on VLANs

DHCP snooping can be enabled on one or more VLANs or a range of VLANs

ciscoswitch(config)# ip dhcp snooping vlan number 100

The above enables DHCP snooping on VLAN 100. The `number` keyword is the Catalyst 6500 form; on the 2960, 3560, 3750 and 4500 the VLAN list follows the command directly (`ip dhcp snooping vlan 100`). Note that nothing is inspected until snooping is enabled both globally and on at least one VLAN.

To enable on more VLANs or a range of VLANs:

ciscoswitch(config)# ip dhcp snooping vlan number 10-15 100 110

This enables DHCP snooping on VLANs 10 through 15, 100 and 110. On the 2960/3560/3750 the entries are comma separated instead (`ip dhcp snooping vlan 10-15,100,110`).

Enable DHCP Option 82

This makes the switch insert DHCP option 82, the Relay Agent Information Option described in RFC 3046, into client requests received on untrusted ports before forwarding them. The option carries a circuit-id (switch and port) and a remote-id (switch MAC), which lets the DHCP server see which physical port a request came from. Insertion is enabled by default on most Catalyst platforms. Two caveats: a DHCP server or relay that does not understand option 82 (or that refuses relayed packets with giaddr 0.0.0.0) may drop the requests, in which case clients stop getting leases and the option must be disabled with `no ip dhcp snooping information option`; and packets that already carry option 82 are dropped when they arrive on an untrusted port, since a client has no business setting it.

ciscoswitch(config)# ip dhcp snooping information option

Configure Trust Interface

An interface not explicitly configured as trusted is treated as untrusted. Trust only the ports that lead to the legitimate DHCP server, a DHCP relay, or another trusted switch (typically the uplink); never trust a host-facing access port, or a rogue server on that port will pass unchecked.

ciscoswitch(config)# interface fa0/0

ciscoswitch(config-if)# ip dhcp snooping trust

DHCP Snooping Rate limiting (optional)

Rate limiting restricts the number of DHCP packets per second (pps) that an interface will accept. It is meant for untrusted access ports, where a single host should never need more than a handful of DHCP packets per second; Cisco recommends no more than about 100 pps on untrusted ports and leaving trusted uplinks unlimited (or set well above the expected aggregate rate), because the uplink carries DHCP traffic for every client.

ciscoswitch(config-if)# ip dhcp snooping limit rate 202

Where "202" is the maximum number of DHCP messages per second the interface accepts. When an interface exceeds its limit the switch puts it into the err-disabled state; `errdisable recovery cause dhcp-rate-limit` re-enables such ports automatically after the recovery interval.

This should configure DHCP Snooping on Cisco IOS switches.
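The steps above, put together into one complete configuration for a small access switch. This is an added example and not configuration from the original post; the interface names (GigabitEthernet0/1 as the uplink towards the DHCP server, FastEthernet0/1-24 as access ports), the VLAN IDs, the rate-limit value and the database file name are assumptions chosen for illustration, and the VLAN list is written in the comma-separated 2960/3560/3750 form.

```cisco
! Added example (not from the original post): complete DHCP snooping
! configuration for a Catalyst access switch. Interface names, VLAN IDs,
! the rate-limit value and the database file name are assumptions.
!
! 1. Enable the feature globally. Nothing is inspected until at least one
!    VLAN is also enabled in the next step.
ip dhcp snooping
!
! 2. Enable snooping on the user VLANs (2960/3560/3750 syntax; the 6500
!    form is "ip dhcp snooping vlan number ...").
ip dhcp snooping vlan 10-15,100,110
!
! 3. Option 82 insertion. Keep it if the DHCP server or relay understands
!    option 82; otherwise disable it or clients will stop getting leases.
ip dhcp snooping information option
! no ip dhcp snooping information option
!
! 4. Trust only the port that leads to the legitimate DHCP server (or to
!    another trusted switch). Every other port remains untrusted.
interface GigabitEthernet0/1
 description uplink towards distribution switch / DHCP server
 ip dhcp snooping trust
!
! 5. Untrusted access ports: explicitly untrusted, plus a rate limit so a
!    misbehaving or malicious host cannot flood DHCP. Exceeding the limit
!    err-disables the port.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 100
 no ip dhcp snooping trust
 ip dhcp snooping limit rate 15
!
! 6. Optional: bring rate-limited ports back automatically, and keep the
!    binding table across reloads so existing leases are still known.
errdisable recovery cause dhcp-rate-limit
ip dhcp snooping database flash:dhcp-snooping.db
```

After applying it, confirm with `show ip dhcp snooping` that only the uplink shows as trusted and the access ports carry the rate limit, then watch `show ip dhcp snooping binding` fill up as clients renew their leases.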

Display DHCP Snooping

ciscoswitch# show ip dhcp snooping
DHCP Snooping is configured on the following VLANs:
10-15 100 110
Insertion of option 82 information is enabled.
Interface                Trusted    Rate limit (pps)
------------------------ ---------- ----------------
FastEthernet2/1          yes        10
FastEthernet2/2          yes        none
FastEthernet3/1          no         20

Display DHCP Snooping Binding Table

ciscoswitch# show ip dhcp snooping binding
MacAddress         IP Address      Lease (seconds)  Type      VLAN  Interface
-----------------  --------------  ---------------  --------  ----  ----------------
0000.0100.0201     10.0.0.1        1600             dynamic   100   FastEthernet2/1

2 Comments so far »

  1. by Tawfiq, on May 29 2008 @ 1:21 pm

    Thanks to whoever wrote this document.
    He describes easily here what
    DHCP snooping is and how to implement this security feature.
    It's brilliant, no doubt.

  2. by Cisco.zephyr, on July 29 2008 @ 10:52 am

    This was straight to the point and gave just enough references to follow up for my own reasoning and thoughts.
    Thank you for a (as the other person commented) brilliant, simplistic configuration.
