DHCP Snooping

DHCP snooping prevents attacks that use DHCP. It only allows dhcp message on the configured trusted port to communicate to clients. Otherwise, it will drop the packets. When enabling the dhcp snooping on the switch, all ports are as default an untrusted port. Therefore, we need to specify which port connects to the DHCP server to allow DHCP message being forward by the switch.

Also, DHCP snooping builds a table of IP address and port mapping based on legitimate DHCP messages on trusted ports called DHCP snooping binding table. This table will be used by arp inspection and IP source guard feature.

Configuration 

SWICH Configuration

ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip dhcp snooping

interface FastEthernet0/1

 switchport access vlan 10

 switchport mode access

 ip dhcp snooping trust

 ip dhcp snooping limit rate 100

interface FastEthernet0/3

 switchport access vlan 10

 switchport mode access

Verify Configuration

Switch#sh ip dhcp snooping

Switch DHCP snooping is enabled

DHCP snooping is configured on following VLANs:

10

DHCP snooping is operational on following VLANs:

10

DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled

   circuit-id format: vlan-mod-port

    remote-id format: MAC

Option 82 on untrusted port is not allowed

Verification of hwaddr field is enabled

DHCP snooping trust/rate is configured on the following Interfaces:

Interface                            Trusted     Rate limit (pps)

------------------------     -------     ----------------

FastEthernet0/1                   yes           100

Switch#show ip dhcp snooping binding

MacAddress               IpAddress        Lease(sec)      Type               VLAN    Interface

------------------      ---------------   ----------     -------------       ----       --------------------

00:14:22:F9:B3:3D      192.168.1.11       69287       dhcp-snooping   10         FastEthernet0/7

Total number of bindings: 1

Switch#