Dynamic Host Configuration Protocol (DHCP) Snooping
The DHCP Snooping feature protects the network from rogue DHCP servers. It creates a logical firewall
between untrusted hosts and DHCP servers. The switch builds and maintains a DHCP snooping table (also called
the DHCP binding database), shown in Figure 4-4a, and uses it to identify and filter untrusted DHCP messages.
The binding database records the MAC address, IP address, lease time, VLAN, and port of each lease the switch
observes, and the switch checks DHCP messages arriving on untrusted ports against it. A DHCP packet received
on an untrusted port is dropped if its Ethernet source MAC address does not match the client hardware address
carried inside the DHCP payload, and a DHCPRELEASE or DHCPDECLINE is dropped if it does not match the binding
entry recorded for that MAC address and port.
Figure 4-4a. DHCP Snooping Table
Figure 4-4b illustrates the DHCP Snooping feature in action, showing how an intruder on an untrusted port is
blocked when it tries to interfere with a legitimate exchange between a DHCP client and server by injecting a
forged DHCP reply: server messages such as DHCPOFFER and DHCPACK are accepted only on trusted ports.
Figure 4-4b. DHCP Snooping in Action
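The filtering rules described above, as an added example that is not from the original text or from any switch vendor's code: a small simulator of the decisions a switch makes for DHCP messages on a VLAN where snooping is enabled. The port names, MAC addresses and IP addresses are constructed for the demonstration; `demo()` replays the Figure 4-4b scenario (a forged reply on an untrusted port) alongside two client-side abuse cases.

```python
"""Model of the filtering decisions a DHCP-snooping switch makes per port.

Added example (not from the original text). Rules applied on a snooping VLAN:
server messages are accepted only from trusted ports, the Ethernet source MAC
must match the DHCP client hardware address (chaddr), and a RELEASE/DECLINE
must match the binding learned for that MAC address and port.
"""
from dataclasses import dataclass, field

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}   # only a server sends these
LEASE_REFERENCING = {"DHCPRELEASE", "DHCPDECLINE"}      # must match an existing binding


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class DhcpMessage:
    msg_type: str               # DHCP option 53 name, e.g. "DHCPDISCOVER"
    src_mac: str                # Ethernet source address of the frame
    chaddr: str                 # client hardware address inside the DHCP payload
    vlan: int
    port: str                   # switchport the frame arrived on
    client_ip: str = "0.0.0.0"  # ciaddr; set by a client releasing its lease


@dataclass
class SnoopingSwitch:
    snooping_vlans: set = field(default_factory=set)
    trusted_ports: set = field(default_factory=set)
    bindings: dict = field(default_factory=dict)  # (vlan, mac) -> Binding

    def learn(self, b: Binding) -> None:
        """Record a lease; a real switch does this on seeing the server's DHCPACK."""
        self.bindings[(b.vlan, b.mac.lower())] = b

    def filter(self, m: DhcpMessage) -> str:
        """Return 'forward' or 'drop: <reason>' for one DHCP message."""
        if m.vlan not in self.snooping_vlans:
            return "forward"                      # snooping not active on this VLAN
        if m.port in self.trusted_ports:
            return "forward"                      # trusted ports are never filtered
        if m.msg_type in SERVER_MESSAGES:
            return "drop: server message on untrusted port"
        if m.src_mac.lower() != m.chaddr.lower():
            return "drop: source MAC does not match chaddr"
        if m.msg_type in LEASE_REFERENCING:
            b = self.bindings.get((m.vlan, m.src_mac.lower()))
            if b is None or b.port != m.port or b.ip != m.client_ip:
                return "drop: no matching binding for this MAC address and port"
        return "forward"


def demo() -> dict:
    """Run the Figure 4-4b scenario plus client-side abuse cases (constructed data)."""
    sw = SnoopingSwitch(snooping_vlans={5}, trusted_ports={"Fa0/1"})
    client = "00:11:22:33:44:55"
    intruder = "de:ad:be:ef:00:01"
    sw.learn(Binding(client, "10.0.5.20", 5, "Fa0/2"))  # lease already observed

    cases = {
        # legitimate server reply arriving on the trusted server port
        "server_offer_trusted": DhcpMessage("DHCPOFFER", "00:aa:00:aa:00:aa", client, 5, "Fa0/1"),
        # forged reply injected by the intruder on an untrusted port (Figure 4-4b)
        "rogue_offer_untrusted": DhcpMessage("DHCPOFFER", intruder, client, 5, "Fa0/3"),
        # intruder writes the client's MAC into chaddr but not into the frame header
        "chaddr_spoof": DhcpMessage("DHCPREQUEST", intruder, client, 5, "Fa0/3"),
        # intruder spoofs the client's MAC fully but sends from a different port
        "release_wrong_port": DhcpMessage("DHCPRELEASE", client, client, 5, "Fa0/3", "10.0.5.20"),
        # the real client releasing its own lease from its own port
        "release_by_owner": DhcpMessage("DHCPRELEASE", client, client, 5, "Fa0/2", "10.0.5.20"),
        # the same forged reply on a VLAN without snooping is not inspected
        "other_vlan": DhcpMessage("DHCPOFFER", intruder, client, 10, "Fa0/3"),
    }
    return {name: sw.filter(msg) for name, msg in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The last case is the one practitioners most often trip over: enabling the feature globally without listing a VLAN (or the reverse) leaves every port behaving like `other_vlan`, so a rogue server on an untouched VLAN is not blocked at all.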
DHCP Snooping can be enabled on a switch and on a per-VLAN basis. When enabled on a switch, the switch acts as
a Layer 2 bridge that intercepts and inspects DHCP messages going to a Layer 2 VLAN. When enabled on a VLAN,
the switch acts as a Layer 2 bridge within that VLAN domain.
For DHCP Snooping to function correctly, every interface that leads to a legitimate DHCP server (including an
uplink toward a server or DHCP relay located elsewhere in the network) must be configured as trusted with the
ip dhcp snooping trust interface configuration command. All other ports, including those connected to DHCP
clients and those receiving traffic from outside the network or firewall, should remain untrusted; untrusted is
the default, and the no ip dhcp snooping trust interface configuration command returns a port to that state.
Trusting a port that faces end users reopens the path for a rogue server, because traffic arriving on trusted
ports is not filtered.
To configure DHCP Snooping, first enable it on the desired VLAN with the ip dhcp snooping vlan [vlan-id]
command in global configuration mode (repeat the command for additional VLANs, or supply a range such as
5,10-12). Next, enable DHCP Snooping globally with the ip dhcp snooping command, also in global configuration
mode. Both settings are required: the per-VLAN command alone leaves the feature inactive, and the global
command alone inspects no VLANs.
In Example 4-8, the DHCP server is connected to the FastEthernet0/1 interface, which is configured as a trusted
port with a rate limit of 100 packets per second. The rate limit bounds the number of DHCP packets per second
the switch will process from that port, so a DHCP flood cannot overwhelm the switch or the DHCP server behind
it. If the limit is exceeded, the switch places the interface in the err-disabled state, so a limit on a trusted
server port must stay above the server's legitimate peak load; rate limits are most commonly applied to
untrusted client ports, where a low value is safe. DHCP Snooping is then enabled on VLAN 5 and activated
globally. The final command, ip dhcp snooping information option, is on by default and makes the switch insert
DHCP option 82 (relay agent information) into forwarded client requests; if the upstream DHCP server or relay
rejects option 82 on packets with a zero giaddr, clients stop receiving leases, and the option must be disabled
with no ip dhcp snooping information option or the relay configured to trust it.
Example 4-8. DHCP Snooping Configuration Example
Switch(config)# interface FastEthernet0/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# ip dhcp snooping limit rate 100
Switch(config-if)# exit
Switch(config)# ip dhcp snooping vlan 5
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping information option
Use the show ip dhcp snooping command to display the DHCP snooping settings (global and per-VLAN state, and the
trust and rate-limit status of each interface). Use the show ip dhcp snooping binding command to display the
binding entries learned for untrusted ports; an expected client missing from this table is the first thing to
check when clients stop receiving leases after the feature is enabled, because a binding is created only when
the server's DHCPACK arrives on a trusted port.
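A check for the configuration procedure above, as an added example rather than anything from the original text: a script that parses an IOS running-config and reports the mistakes this section warns about (VLAN listed without the global command, a user port marked trusted, an untrusted port with no rate limit). Both configs are constructed; the set of interfaces that should be trusted (the DHCP server port and uplinks) is an assumption supplied from your own inventory, and the 10 pps client limit in the corrected config is an assumed value.

```python
"""Audit a Cisco IOS running-config for the DHCP snooping settings above.

Added example, not from the original text. Only the commands shown in this
section are recognised; everything else in the config is ignored.
"""

# Constructed weak config: VLAN 5 is listed but the global command is missing,
# a user port is trusted, and another user port has no rate limit.
WEAK_CONFIG = """\
ip dhcp snooping vlan 5
ip dhcp snooping information option
!
interface FastEthernet0/1
 description DHCP server
 ip dhcp snooping trust
 ip dhcp snooping limit rate 100
!
interface FastEthernet0/2
 description user port
 ip dhcp snooping trust
!
interface FastEthernet0/3
 description user port
!
"""

# Constructed corrected config matching Example 4-8; 10 pps is an assumed value.
FIXED_CONFIG = """\
ip dhcp snooping vlan 5
ip dhcp snooping
ip dhcp snooping information option
!
interface FastEthernet0/1
 ip dhcp snooping trust
 ip dhcp snooping limit rate 100
!
interface FastEthernet0/2
 ip dhcp snooping limit rate 10
!
interface FastEthernet0/3
 ip dhcp snooping limit rate 10
!
"""


def parse_config(text: str):
    """Split an IOS config into global commands and per-interface command lists."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces


def expand_vlans(spec: str) -> set:
    """Expand an IOS VLAN list such as '5,10-12' into {5, 10, 11, 12}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit(text: str, expected_trusted: set) -> dict:
    """Return the snooping state plus the findings a reviewer would raise."""
    global_cmds, interfaces = parse_config(text)
    global_on = "ip dhcp snooping" in global_cmds
    vlans = set()
    for cmd in global_cmds:
        if cmd.startswith("ip dhcp snooping vlan "):
            vlans |= expand_vlans(cmd[len("ip dhcp snooping vlan "):])
    findings = []
    if vlans and not global_on:
        findings.append("VLAN list set but global 'ip dhcp snooping' missing; feature inactive")
    if global_on and not vlans:
        findings.append("globally enabled but no 'ip dhcp snooping vlan'; nothing inspected")
    for name, cmds in interfaces.items():
        trusted = "ip dhcp snooping trust" in cmds
        limit = next((int(c.split()[-1]) for c in cmds
                      if c.startswith("ip dhcp snooping limit rate ")), None)
        if trusted and name not in expected_trusted:
            findings.append(f"{name}: trusted but not a known DHCP server/uplink port")
        if not trusted and name in expected_trusted:
            findings.append(f"{name}: server/uplink port left untrusted; replies will be dropped")
        if not trusted and limit is None:
            findings.append(f"{name}: untrusted port has no 'ip dhcp snooping limit rate'")
    return {"global": global_on, "vlans": vlans, "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        result = audit(cfg, {"FastEthernet0/1"})
        print(label, "global:", result["global"], "vlans:", sorted(result["vlans"]))
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against the output of show running-config and feed the expected-trusted set from your port inventory; the weak config produces three findings and the corrected one produces none.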