
Thursday, March 3, 2011

DHCP Snooping

DHCP snooping protects against attacks that abuse DHCP, such as a rogue DHCP server handing clients a bogus default gateway or DNS server, and DHCP starvation floods. The switch treats every port as either trusted or untrusted. DHCP server messages (OFFER, ACK, NAK) are only accepted from trusted ports; a server message arriving on an untrusted port is dropped. Client messages (DISCOVER, REQUEST) are still allowed on untrusted ports, but the switch checks that the client hardware address (chaddr) inside the DHCP payload matches the source MAC address of the frame, and it drops a RELEASE or DECLINE that does not match the binding recorded for that port. When DHCP snooping is enabled on the switch, every port is untrusted by default, so the port that connects to the DHCP server (or to the upstream switch that carries the server's replies) must be explicitly marked as trusted; otherwise no client will ever receive a lease.

DHCP snooping also builds the DHCP snooping binding table from the leases it watches being completed: when a DHCPACK coming from a trusted port answers a client on an untrusted port, the switch records the client's MAC address, the leased IP address, the remaining lease time, the VLAN and the interface. Bindings are only kept for clients on untrusted ports; nothing is recorded for the trusted server port itself. Dynamic ARP Inspection and IP Source Guard use this table to decide which ARP replies and which IP source addresses are legitimate on a given port.
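The following Python script is an added example, not Cisco code and not part of the original post. It models the decisions described in the two paragraphs above and runs them over constructed DHCP packets: server messages are dropped on untrusted ports, the chaddr field is checked against the frame's source MAC (the "Verification of hwaddr field" that the verify output further down reports as enabled), a binding is recorded when an ACK from the trusted port completes a lease for a client on an untrusted port, a RELEASE arriving from a port other than the bound one is dropped, and a per-port packet rate limit is applied. The port names, MAC addresses, lease value and packet contents are assumptions chosen to match the post's topology (Fa0/1 trusted, Fa0/3 a client port); the model is deliberately simplified (one VLAN, no option 82, no err-disable recovery timer).

```python
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE = 1, 2, 3, 5, 6, 7   # option 53 values
SERVER_MSGS = {OFFER, ACK, NAK}
MAGIC = b"\x63\x82\x53\x63"
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header (RFC 2131)


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_dhcp(op, msg_type, chaddr, yiaddr="0.0.0.0", lease=0):
    """Build a minimal DHCP payload: header, magic cookie, option 53 (+51), end."""
    yi = bytes(int(o) for o in yiaddr.split("."))
    hdr = struct.pack(HDR, op, 1, 6, 0, 0x3903F326, 0, 0, b"\0" * 4, yi,
                      b"\0" * 4, b"\0" * 4, mac_bytes(chaddr).ljust(16, b"\0"),
                      b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, msg_type])
    if lease:
        opts += bytes([51, 4]) + struct.pack("!I", lease)
    return hdr + MAGIC + opts + b"\xff"


def parse_dhcp(payload):
    """Return op, chaddr, yiaddr, message type and lease time from a DHCP payload."""
    f = struct.unpack_from(HDR, payload)
    if payload[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    pkt = {"op": f[0], "chaddr": f[11][:f[2]], "type": None, "lease": 0,
           "yiaddr": ".".join(str(b) for b in f[8])}
    i = 240
    while i < len(payload) and payload[i] != 0xFF:   # walk TLV options up to 'end'
        if payload[i] == 0:                           # pad option carries no length
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        val = payload[i + 2:i + 2 + length]
        if code == 53:
            pkt["type"] = val[0]
        elif code == 51:
            pkt["lease"] = struct.unpack("!I", val)[0]
        i += 2 + length
    return pkt


class DhcpSnoopingSwitch:
    """Trusted ports, per-port pps limits, pending clients and the binding table."""

    def __init__(self, trusted_ports=(), rate_limits=None):
        self.trusted = set(trusted_ports)
        self.rate_limits = dict(rate_limits or {})  # port -> DHCP packets per second
        self.bindings = {}   # (client MAC, vlan) -> {ip, lease, interface}
        self.pending = {}    # (client MAC, vlan) -> untrusted port waiting for an ACK
        self.counters = {}   # (port, second) -> DHCP packets seen

    def process(self, port, vlan, src_mac, payload, now=0):
        """Apply the snooping rules; return 'forward' or a 'drop: ...' reason."""
        limit = self.rate_limits.get(port)
        if limit is not None:
            key = (port, int(now))
            self.counters[key] = self.counters.get(key, 0) + 1
            if self.counters[key] > limit:
                return "drop: rate limit exceeded (IOS err-disables the port)"
        pkt, mac = parse_dhcp(payload), mac_bytes(src_mac)
        if port in self.trusted:                      # trusted ports are not filtered
            key = (pkt["chaddr"], vlan)
            if pkt["type"] == ACK and key in self.pending:   # lease completed: bind it
                self.bindings[key] = {"ip": pkt["yiaddr"], "lease": pkt["lease"],
                                      "interface": self.pending.pop(key)}
            return "forward"
        if pkt["op"] == BOOTREPLY or pkt["type"] in SERVER_MSGS:
            return "drop: server message on untrusted port"
        if pkt["chaddr"] != mac:                      # 'Verification of hwaddr field'
            return "drop: chaddr does not match source MAC"
        if pkt["type"] == RELEASE:                    # only the bound port may release
            b = self.bindings.get((mac, vlan))
            if b is None or b["interface"] != port:
                return "drop: RELEASE does not match the binding for this port"
            del self.bindings[(mac, vlan)]
        elif pkt["type"] in (DISCOVER, REQUEST):
            self.pending[(mac, vlan)] = port
        return "forward"


def demo():
    """Replay the post's topology: Fa0/1 trusted (server side), Fa0/3 a client port."""
    sw = DhcpSnoopingSwitch(trusted_ports={"Fa0/1"}, rate_limits={"Fa0/3": 15})
    client, server, rogue = "00:14:22:f9:b3:3d", "00:1a:2b:3c:4d:5e", "de:ad:be:ef:00:01"
    steps = [   # (port, source MAC, packet): constructed sample traffic, assumed values
        ("Fa0/3", client, build_dhcp(BOOTREQUEST, DISCOVER, client)),
        ("Fa0/3", rogue, build_dhcp(BOOTREPLY, OFFER, client, "10.0.0.9")),      # rogue server
        ("Fa0/1", server, build_dhcp(BOOTREPLY, OFFER, client, "192.168.1.11")),
        ("Fa0/3", client, build_dhcp(BOOTREQUEST, REQUEST, client)),
        ("Fa0/1", server, build_dhcp(BOOTREPLY, ACK, client, "192.168.1.11", 69287)),
        ("Fa0/3", rogue, build_dhcp(BOOTREQUEST, DISCOVER, client)),             # spoofed chaddr
        ("Fa0/5", client, build_dhcp(BOOTREQUEST, RELEASE, client)),             # release from wrong port
    ]
    log = [sw.process(port, 10, mac, pkt) for port, mac, pkt in steps]
    # Starvation attempt: 20 DISCOVERs within one second on a port limited to 15 pps.
    flood = [sw.process("Fa0/3", 10, client, build_dhcp(BOOTREQUEST, DISCOVER, client), now=5)
             for _ in range(20)]
    return log, flood.count("forward"), sw.bindings


if __name__ == "__main__":
    log, forwarded, bindings = demo()
    for line in log:
        print(line)
    print("flood: %d of 20 forwarded" % forwarded)
    print(bindings)
```

Running it shows the rogue OFFER, the DISCOVER with a forged chaddr and the RELEASE from the wrong port being dropped, the genuine exchange through Fa0/1 being forwarded, the flood cut off at 15 packets, and a single binding for 192.168.1.11 on Fa0/3 that matches the shape of the `show ip dhcp snooping binding` output further down.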

Configuration 

Switch Configuration

! Enable snooping for VLAN 10, then globally. Nothing is enforced until the
! global "ip dhcp snooping" command is entered, so set the VLAN and the trusted
! port first to avoid cutting clients off in between.
ip dhcp snooping vlan 10
! Do not insert option 82 (relay agent information). Leave it off unless the
! DHCP server understands option 82; an upstream snooping switch also drops
! option 82 packets that arrive on its untrusted ports.
no ip dhcp snooping information option
ip dhcp snooping

! Fa0/1 connects to the DHCP server, so it is trusted: OFFER/ACK/NAK are
! forwarded from here. The limit caps DHCP packets per second on the port;
! exceeding it puts the port into err-disabled state. A limit is normally more
! useful on untrusted client ports; on a trusted port it must be high enough
! for all the replies the server sends through it.
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 ip dhcp snooping trust
 ip dhcp snooping limit rate 100

! Fa0/3 is a client port. It stays untrusted (the default), so any DHCP
! server message arriving here is dropped and its client's lease is recorded
! in the binding table.
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access

Verify Configuration


Switch#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted     Rate limit (pps)
-----------------------    -------     ----------------
FastEthernet0/1            yes         100


Switch#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:14:22:F9:B3:3D   192.168.1.11     69287       dhcp-snooping  10    FastEthernet0/7
Total number of bindings: 1

Switch#

Bindings are only created for clients on untrusted ports, which is why the entry lists a client port (FastEthernet0/7 here, a port that is not part of the configuration excerpt above) rather than the trusted server port. The Lease(sec) column counts down and the entry is removed when the lease expires or the client sends a valid RELEASE from the same port.