Understanding Basics of DHCP Snooping

As we know, a DHCP server provides clients with their basic IP configuration: IP address, subnet mask, default gateway and DNS server addresses. DHCP snooping is a layer 2 security feature, usually enabled on the access layer switches of a layer 2 switched network, that filters DHCP traffic according to the switch port on which it arrives.

If an attacker connects a rogue DHCP server to the same subnet (broadcast domain) as the client machines, and the rogue server's DHCP offer reaches a client before the offer from the legitimate DHCP server, the client accepts the rogue lease. The rogue server can then hand out the attacker's machine as the default gateway or DNS server, so the client's traffic is sent through the attacker (a man-in-the-middle position), or it can simply hand out bogus addresses and deny the client service.

To prevent this, DHCP snooping divides the switch ports into two categories:

Trusted: ports to which the DHCP server connects, or uplinks leading towards it.

Untrusted: ports to which the client machines connect.

The switch inspects every DHCP message and applies the port state. DHCP server messages (OFFER, ACK, NAK) are forwarded only if they arrive on a trusted port; if a server message arrives on an untrusted port it is discarded and a log message is generated, so a rogue server plugged into an access port never reaches the clients. Client messages (DISCOVER, REQUEST) are allowed on untrusted ports, and the switch records the leases it sees completed in a DHCP snooping binding table (client MAC address, IP address, lease time, VLAN and port), which other features such as Dynamic ARP Inspection and IP Source Guard rely on.

Diagram: (image not reproduced in this text)

By default, all switch ports are untrusted once DHCP snooping is enabled. Every port leading towards the DHCP server, including uplinks to the distribution layer, must therefore be explicitly configured as trusted; otherwise the server's replies are dropped and clients get no lease.


Configurations:

To enable DHCP snooping globally:

SW1(config)#ip dhcp snooping

To configure a port in trusted mode (the interface must be selected first; the trust command is entered in interface configuration mode):

SW1(config)#interface fa0/0

SW1(config-if)#ip dhcp snooping trust

To enable DHCP snooping on a particular VLAN. The global command alone does not filter anything; snooping only takes effect on the VLANs listed here:

SW1(config)#ip dhcp snooping vlan <vlan-id>

We can also limit the rate of DHCP packets on an untrusted port, which by default is unlimited. The rate is given in packets per second; if a port exceeds it, the switch places the port in the err-disabled state, so choose a value well above what a legitimate client generates (a few packets per second is typical for an access port):

SW1(config-if)#ip dhcp snooping limit rate <pps>
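The following model shows the decisions described above (server messages allowed only on trusted ports, client MAC verified against the DHCP chaddr field, a binding learned from the server's ACK, and the per-port rate limit that err-disables a flooding port). It is an added example written for this page, not code from the original article or from Cisco; the port names, trust map, rate limits and DHCP packets are constructed for illustration, and the switch behaviour is a simplified model rather than an implementation of IOS.

```python
"""Model of the forward/drop decision a DHCP-snooping switch makes per packet.

Added example; not code from the original article or from Cisco. Port names,
trust map, rate limits and the DHCP packets below are constructed.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
SERVER_MSG_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # only a DHCP server sends these
CLIENT_MSG_TYPES = {1: "DISCOVER", 3: "REQUEST", 4: "DECLINE", 7: "RELEASE", 8: "INFORM"}


def dhcp_message_type(payload):
    """Return the DHCP message type (option 53) of a raw BOOTP/DHCP payload, or None."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    i = 240
    while i + 1 < len(payload):
        code = payload[i]
        if code == 0:          # pad option, single byte
            i += 1
            continue
        if code == 255:        # end option
            break
        length = payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            return payload[i + 2]
        i += 2 + length
    return None


def build_dhcp(op, mtype, chaddr, yiaddr="0.0.0.0"):
    """Build a minimal BOOTP/DHCP payload (constructed test data, not a capture)."""
    yi = int.from_bytes(bytes(int(o) for o in yiaddr.split(".")), "big")
    header = struct.pack("!BBBBIHHIIII", op, 1, 6, 0, 0x1234, 0, 0, 0, yi, 0, 0)
    mac = bytes.fromhex(chaddr.replace(":", ""))
    return header + mac.ljust(16, b"\0") + bytes(192) + DHCP_MAGIC + bytes([53, 1, mtype, 255])


class SnoopingSwitch:
    def __init__(self, trusted_ports, rate_limits=None):
        self.trusted = set(trusted_ports)
        self.rate_limits = rate_limits or {}   # untrusted port -> max DHCP packets per second
        self.errdisabled = set()
        self.bindings = {}                     # client MAC -> (leased IP, client port)
        self._pending = {}                     # client MAC -> port of its last DISCOVER/REQUEST
        self._counts = {}                      # (port, whole second) -> DHCP packets seen
        self.log = []

    def process(self, port, src_mac, payload, t=0.0):
        """Return "forward" or "drop" for one DHCP packet arriving on `port` at time t (seconds)."""
        if port in self.errdisabled:
            return "drop"
        mtype = dhcp_message_type(payload)
        if mtype is None:
            self.log.append(f"{port}: malformed DHCP packet dropped")
            return "drop"
        chaddr = payload[28:34].hex(":")       # client hardware address (hlen 6, Ethernet)
        if port in self.trusted:
            # Trusted side: server replies pass; an ACK completes the client's binding.
            if mtype == 5 and chaddr in self._pending:
                yiaddr = ".".join(str(b) for b in payload[16:20])
                self.bindings[chaddr] = (yiaddr, self._pending.pop(chaddr))
            return "forward"
        # Untrusted side: count against the rate limit first, so a flood err-disables the port.
        limit = self.rate_limits.get(port)
        if limit is not None:
            key = (port, int(t))
            self._counts[key] = self._counts.get(key, 0) + 1
            if self._counts[key] > limit:
                self.errdisabled.add(port)
                self.log.append(f"{port}: more than {limit} DHCP pps, port err-disabled")
                return "drop"
        if mtype in SERVER_MSG_TYPES:
            self.log.append(f"{port}: DHCP {SERVER_MSG_TYPES[mtype]} from untrusted port dropped")
            return "drop"
        if chaddr != src_mac.lower():
            # Frame source MAC must equal chaddr (IOS "verify mac-address" check).
            self.log.append(f"{port}: chaddr {chaddr} != source MAC {src_mac}, dropped")
            return "drop"
        if mtype in (1, 3):
            self._pending[chaddr] = port
        return "forward"


def demo():
    """Walk a legitimate lease, a rogue OFFER and a DISCOVER flood through the switch."""
    sw = SnoopingSwitch(trusted_ports={"Fa0/24"}, rate_limits={"Fa0/1": 5})
    client, server, rogue = "aa:bb:cc:dd:ee:01", "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    results = [
        sw.process("Fa0/1", client, build_dhcp(1, 1, client)),                     # DISCOVER
        sw.process("Fa0/2", rogue, build_dhcp(2, 2, client, "10.0.0.9")),          # rogue OFFER
        sw.process("Fa0/24", server, build_dhcp(2, 2, client, "192.168.1.50")),    # real OFFER
        sw.process("Fa0/1", client, build_dhcp(1, 3, client)),                     # REQUEST
        sw.process("Fa0/24", server, build_dhcp(2, 5, client, "192.168.1.50")),    # ACK
    ]
    flood = [sw.process("Fa0/1", client, build_dhcp(1, 1, client), t=10.0) for _ in range(6)]
    return sw, results, flood
```

In the demo the rogue OFFER on Fa0/2 is dropped, the legitimate exchange through Fa0/24 completes and leaves a binding for the client on Fa0/1, and the sixth DISCOVER within one second on Fa0/1 exceeds the limit of 5 pps and err-disables that port. On a real IOS switch an err-disabled port stays down until it is bounced by hand or the global `errdisable recovery cause dhcp-rate-limit` command re-enables it after the recovery interval.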


Verification:

The show ip dhcp snooping command displays whether snooping is enabled globally, the VLANs (both primary and secondary) on which it is configured and operational, whether option 82 insertion is enabled, and the trust state and rate limit of each interface that has snooping settings. The show ip dhcp snooping binding command lists the leases the switch has learned (MAC address, IP address, lease time, VLAN and interface); a client that obtained an address but has no entry here got it from somewhere the switch did not see, which is worth investigating.
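Checking the output by eye is error-prone across many switches, so the following script parses a `show ip dhcp snooping` listing and flags the misconfigurations this page warns about: snooping not enabled on an expected VLAN, a VLAN configured but not operational, an uplink towards the DHCP server left untrusted, and option 82 insertion enabled. This is an added example, not code from the original article or from Cisco; the sample output is a constructed approximation of the IOS format (exact wording varies between releases, so adjust the patterns for your platform), and the VLAN list and uplink names are assumptions.

```python
"""Audit `show ip dhcp snooping` output for common misconfigurations.

Added example; not code from the original article or from Cisco. The sample
output below is constructed to resemble the IOS format and is not a capture.
"""
import re

SAMPLE_OUTPUT = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10,20
DHCP snooping is operational on following VLANs:
10
Insertion of option 82 is enabled
Verification of hwaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
FastEthernet0/1            no         no              15
FastEthernet0/24           yes        yes             unlimited
"""


def _vlan_set(spec):
    """Expand a VLAN list such as "10-12,20" into a set of integers."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_snooping_status(text):
    """Return a dict with global state, VLAN sets, option 82 state and per-interface trust."""
    lines = [line.rstrip() for line in text.splitlines()]
    status = {"enabled": False, "configured": set(), "operational": set(),
              "option82": False, "interfaces": {}}
    for idx, line in enumerate(lines):
        following = lines[idx + 1] if idx + 1 < len(lines) else ""
        if line.startswith("Switch DHCP snooping is"):
            status["enabled"] = line.split()[-1] == "enabled"
        elif line.startswith("DHCP snooping is configured on following VLANs:"):
            status["configured"] = _vlan_set(following)
        elif line.startswith("DHCP snooping is operational on following VLANs:"):
            status["operational"] = _vlan_set(following)
        elif line.startswith("Insertion of option 82 is"):
            status["option82"] = line.split()[-1] == "enabled"
        else:
            m = re.match(r"^(\S+)\s+(yes|no)\s+(yes|no)\s+(\S+)$", line)
            if m:
                status["interfaces"][m.group(1)] = {"trusted": m.group(2) == "yes",
                                                    "rate": m.group(4)}
    return status


def audit(status, expected_vlans, uplinks):
    """Return a list of findings; an empty list means the switch matches expectations."""
    findings = []
    if not status["enabled"]:
        findings.append("DHCP snooping is disabled globally")
    for v in sorted(set(expected_vlans) - status["configured"]):
        findings.append(f"VLAN {v}: snooping not configured (rogue servers not filtered)")
    for v in sorted(status["configured"] - status["operational"]):
        findings.append(f"VLAN {v}: configured but not operational (VLAN missing or down?)")
    for port in uplinks:
        info = status["interfaces"].get(port)
        if info is None or not info["trusted"]:
            findings.append(f"{port}: uplink towards DHCP server is not trusted, replies will be dropped")
    if status["option82"]:
        findings.append("option 82 insertion enabled: server or relay must accept it or clients get no lease")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_snooping_status(SAMPLE_OUTPUT),
                         expected_vlans={10, 20},
                         uplinks=["FastEthernet0/24", "GigabitEthernet0/1"]):
        print(finding)
```

On the constructed sample this reports VLAN 20 as configured but not operational, GigabitEthernet0/1 as an untrusted uplink, and option 82 insertion as enabled. The option 82 finding matters because IOS inserts the relay agent information option into client messages by default; a DHCP server or relay that rejects option 82 arriving with a zero giaddr silently drops those requests, and the usual fix is `no ip dhcp snooping information option` on the access switch (or configuring the relay to trust it).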
