29 October 2010

Configuring DHCP Snooping

DHCP snooping is a feature on Cisco Catalyst switches that lets you configure protection against DHCP spoofing. It uses the concept of trusted ports and untrusted ports. A trusted port may receive DHCP messages such as DHCPOFFER. An untrusted port is not allowed to receive DHCP messages, and if it receives one, the port is disabled.

To set up DHCP snooping, you must first enable it globally using the following command:

switch(config)# ip dhcp snooping

Next we go back to the concept of trusted and untrusted ports. Once DHCP snooping is enabled, all ports are untrusted by default, so you have to explicitly configure every port that you want to trust. To configure a port as a trusted port, use the following commands:

switch(config)# int giga 0/4
switch(config-if)# ip dhcp snooping trust

Another configuration you might want to consider is enabling DHCP snooping on particular VLANs only. This can come in handy in an office environment. You use the following command to set up DHCP snooping on a single VLAN (in this case it's VLAN 10):

switch(config)# ip dhcp snooping vlan 10

Last, you might want to set up rate limiting to cap the number of DHCP messages that a port receives per second. Why, you ask? Some attackers use DHCP to perform a denial-of-service attack by exhausting the IP address scope, preventing anyone else from obtaining an IP address and effectively cutting them off the network. In the following example, I limit the number of messages per second to two.

switch(config)# int giga 0/9
switch(config-if)# ip dhcp snooping limit rate 2
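Once the four settings above are in place, the thing you want next is a way to check that a switch's running configuration actually carries them. The following Python script is an added example, not part of the original post and not a Cisco tool: it parses a constructed running-config excerpt (the interface names and the ordering are assumptions, made up to mirror the commands shown above), extracts the global, VLAN, trust and rate-limit settings, and reports ports that are neither trusted nor rate-limited. That last check is the script's own policy, derived from the rate-limiting advice in the post, not a rule the switch enforces.

```python
import re
from dataclasses import dataclass, field

# Constructed running-config excerpt (not captured from a real device).
# It mirrors the post's commands: global enable, VLAN 10, one trusted
# uplink, one rate-limited access port, plus one port with nothing set.
SAMPLE_CONFIG = """\
!
hostname switch
!
ip dhcp snooping vlan 10
ip dhcp snooping
!
interface GigabitEthernet0/4
 description uplink to distribution (assumed)
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet0/9
 switchport access vlan 10
 ip dhcp snooping limit rate 2
!
interface GigabitEthernet0/10
 switchport access vlan 10
!
"""


@dataclass
class SnoopingState:
    enabled: bool = False                              # global 'ip dhcp snooping'
    vlans: set = field(default_factory=set)            # VLANs with snooping on
    trusted: set = field(default_factory=set)          # interfaces marked trust
    rate_limits: dict = field(default_factory=dict)    # interface -> pps limit
    interfaces: list = field(default_factory=list)     # every interface seen


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_snooping(config_text):
    """Walk the config line by line, tracking which interface block we are in."""
    state = SnoopingState()
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            state.interfaces.append(current)
            continue
        if line and not line.startswith(" "):
            current = None          # any other top-level line ends the block
        stripped = line.strip()
        if current is None:
            if stripped == "ip dhcp snooping":
                state.enabled = True
            elif stripped.startswith("ip dhcp snooping vlan "):
                state.vlans |= expand_vlan_list(stripped.split("vlan ", 1)[1])
        elif stripped == "ip dhcp snooping trust":
            state.trusted.add(current)
        else:
            m = re.match(r"ip dhcp snooping limit rate (\d+)$", stripped)
            if m:
                state.rate_limits[current] = int(m.group(1))
    return state


def audit(state):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    if not state.enabled:
        findings.append("global 'ip dhcp snooping' is missing; per-VLAN settings have no effect")
    if not state.vlans:
        findings.append("no VLAN is listed under 'ip dhcp snooping vlan'")
    for intf in state.interfaces:
        if intf not in state.trusted and intf not in state.rate_limits:
            findings.append(f"{intf}: untrusted port without 'ip dhcp snooping limit rate'")
    return findings


if __name__ == "__main__":
    st = parse_snooping(SAMPLE_CONFIG)
    print("enabled:", st.enabled, "vlans:", sorted(st.vlans))
    print("trusted:", sorted(st.trusted), "rate limits:", st.rate_limits)
    for f in audit(st):
        print("FINDING:", f)
```

To run it against a real switch, replace SAMPLE_CONFIG with the text of "show running-config"; the parser only looks at the "interface" blocks and the global "ip dhcp snooping" lines, so the rest of the configuration is ignored.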


See Also:

[*] ARP Inspection I

[*] ARP Inspection II

CCNA Security Study Guide: Exam 640-553

biOos