7.13. Configuring DHCP Snooping

Overview

Function Introduction

DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers.

The DHCP snooping feature performs the following activities:

  • Validates DHCP messages received from untrusted sources and filters out invalid messages.

  • Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.

  • Uses the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

Other security features, such as dynamic ARP inspection (DAI), also use the information stored in the DHCP snooping binding database. DHCP snooping is enabled on a per-VLAN basis and is inactive on all VLANs by default; you can enable it on a single VLAN or on a range of VLANs. The feature is implemented in software: all DHCP messages are intercepted in the BAY and redirected to the CPU for processing.

Principle Description

N/A

Configuration

Fig. 7.13 DHCP Snooping

The figure shows the topology used to test the DHCP snooping functions. The test bed consists of two Linux hosts and one switch:

  • Computer A acts as the DHCP server.

  • Computer B acts as the DHCP client.

  • The switch performs DHCP snooping.

step 1 Enter the configure mode

Switch# configure terminal

step 2 Enter the VLAN configure mode and create the VLAN

Switch(config)# vlan database
Switch(config-vlan)# vlan 12
Switch(config-vlan)# exit

step 3 Enter the interface configure mode and add the interfaces to the VLAN. Only the port facing the DHCP server (eth-0-12) is marked trusted; the client-facing port (eth-0-11) stays untrusted, so DHCP server messages (OFFER, ACK, NAK) arriving on it are dropped.

Switch(config)# interface eth-0-12
Switch(config-if)# switchport
Switch(config-if)# switchport access vlan 12
Switch(config-if)# dhcp snooping trust
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# interface eth-0-11
Switch(config-if)# switchport
Switch(config-if)# switchport access vlan 12
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# interface vlan 12
Switch(config-if)# ip address 12.1.1.1/24
Switch(config-if)# exit

step 4 Set the DHCP snooping attributes. The verify mac-address option additionally drops DHCP messages from untrusted ports whose client hardware address (chaddr) does not match the frame's source MAC address.

Switch(config)# dhcp snooping verify mac-address
Switch(config)# service dhcp enable
Switch(config)# dhcp snooping
Switch(config)# dhcp snooping vlan 12

step 5 Exit the configure mode

Switch(config)# exit

step 6 Validation

Check the interface configuration.

Switch# show running-config interface eth-0-12
!
interface eth-0-12
 dhcp snooping trust
 switchport access vlan 12
!
Switch# show running-config interface eth-0-11
!
interface eth-0-11
 switchport access vlan 12
!

Check the DHCP service status.

Switch# show services
Networking services configuration:
Service Name                 Status
============================================================
dhcp                         enable

Print the DHCP snooping configuration to check the current settings.

Switch# show dhcp snooping config
dhcp snooping service: enabled
dhcp snooping switch: enabled
Verification of hwaddr field: enabled
Insertion of relay agent information (option 82): disable
Relay agent information (option 82) on untrusted port: not allowed
dhcp snooping vlan 12

Show the DHCP snooping statistics.

Switch# show dhcp snooping statistics
DHCP snooping statistics:
 ============================================================
DHCP packets 17
BOOTP packets 0
Packets forwarded 30
Packets invalid 0
Packets MAC address verify failed 0
Packets dropped 0

Show the DHCP snooping binding table. Each entry records the client's MAC address, the untrusted port it was learned on, the remaining lease time in seconds and the leased IP address; this is the mapping that DAI and later untrusted-port validation rely on.

Switch# show dhcp snooping binding all
DHCP snooping binding table:
VLAN  MAC Address      Interface   Lease(s)   IP Address
============================================================
12    0058.3fa1.7ed9   eth-0-11    691190     12.1.1.65
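To make the checks behind these counters and the binding entry concrete, the following Python model is an added example, not code from the switch or its vendor. It implements the rules this section describes (server messages and option 82 rejected on untrusted ports, the hwaddr check, RELEASE validated against the binding table, bindings learned from ACKs on the trusted port) and runs them over a constructed exchange that reuses the VLAN, ports, client MAC and leased address from the test bed above. The server MAC, the rogue MAC, the transaction IDs and the 691200-second lease are made-up values, and the pending-transaction table and drop order are assumptions of the model rather than documented switch internals. Message layout follows RFC 2131/2132.

```python
"""DHCP snooping checks modelled in Python (added example, not switch code): untrusted-port frames are
validated for message type, option 82 and the hwaddr rule, and ACKs on the trusted port create bindings."""
import socket
import struct
from dataclasses import dataclass, field
from types import SimpleNamespace

DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE = 1, 2, 3, 5, 6, 7  # DHCP option 53 values
SERVER_TYPES = {OFFER, ACK, NAK}                                 # only legitimate from a server
MAGIC = b"\x63\x82\x53\x63"                                      # DHCP magic cookie (RFC 2132)

def build_dhcp(op, xid, chaddr, msg_type, ciaddr="0.0.0.0", yiaddr="0.0.0.0", lease=None, opt82=None):
    """Constructed BOOTP/DHCP payload (UDP body) used as sample input."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)                   # op htype hlen hops xid secs flags
    hdr += socket.inet_aton(ciaddr) + socket.inet_aton(yiaddr) + b"\0" * 8  # ciaddr yiaddr siaddr giaddr
    hdr += chaddr.ljust(16, b"\0") + b"\0" * 192                             # chaddr(16) sname(64) file(128)
    opts = bytes([53, 1, msg_type])
    if lease is not None:
        opts += bytes([51, 4]) + struct.pack("!I", lease)
    if opt82 is not None:
        opts += bytes([82, len(opt82)]) + opt82
    return hdr + MAGIC + opts + b"\xff"

def parse_dhcp(payload):
    """Parse the fixed header plus options 53 (type), 51 (lease) and 82 (relay agent info)."""
    _, _, hlen, _, xid, _, _ = struct.unpack("!BBBBIHH", payload[:12])
    if payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    m = SimpleNamespace(xid=xid, ciaddr=socket.inet_ntoa(payload[12:16]), yiaddr=socket.inet_ntoa(payload[16:20]),
                        chaddr=payload[28:28 + hlen], msg_type=0, lease=0, has_opt82=False)
    i = 240
    while i < len(payload) and payload[i] != 0xFF:          # 0xFF = end option
        if payload[i] == 0:                                  # pad option has no length byte
            i += 1
            continue
        code, ln = payload[i], payload[i + 1]
        val = payload[i + 2:i + 2 + ln]
        if code == 53: m.msg_type = val[0]
        elif code == 51: m.lease = struct.unpack("!I", val)[0]
        elif code == 82: m.has_opt82 = True
        i += 2 + ln
    return m

@dataclass
class Snooper:
    trusted: set                                  # ports configured with "dhcp snooping trust"
    verify_mac: bool = True                       # "dhcp snooping verify mac-address"
    bindings: dict = field(default_factory=dict)  # chaddr -> (vlan, port, ip, lease)
    pending: dict = field(default_factory=dict)   # xid -> (port, chaddr) awaiting the server's ACK (model assumption)
    stats: dict = field(default_factory=lambda: {"forwarded": 0, "dropped": 0, "mac_verify_failed": 0})

    def process(self, port, vlan, src_mac, payload):
        m = parse_dhcp(payload)
        if port in self.trusted:
            # Trusted side is not filtered; an ACK completes a pending client exchange.
            if m.msg_type == ACK and m.xid in self.pending:
                cport, chaddr = self.pending.pop(m.xid)
                self.bindings[chaddr] = (vlan, cport, m.yiaddr, m.lease)
            return self._verdict(True)
        if m.msg_type in SERVER_TYPES:
            return self._verdict(False, "server message on untrusted port")
        if m.has_opt82:
            return self._verdict(False, "option 82 on untrusted port not allowed")
        if self.verify_mac and m.chaddr != src_mac:
            self.stats["mac_verify_failed"] += 1
            return self._verdict(False, "chaddr does not match source MAC")
        if m.msg_type == RELEASE:                 # only the bound host, on its own port, may release
            b = self.bindings.get(m.chaddr)
            if b is None or b[1] != port or b[2] != m.ciaddr:
                return self._verdict(False, "RELEASE does not match binding")
            del self.bindings[m.chaddr]
        elif m.msg_type in (DISCOVER, REQUEST):
            self.pending[m.xid] = (port, m.chaddr)
        return self._verdict(True)

    def _verdict(self, ok, reason=""):
        self.stats["forwarded" if ok else "dropped"] += 1
        return "forward" if ok else "drop: " + reason

def run_scenario():
    """Constructed exchange on VLAN 12: DHCP server on eth-0-12 (trusted), client on eth-0-11."""
    s = Snooper(trusted={"eth-0-12"})
    client, server, rogue = (bytes.fromhex(h) for h in ("00583fa17ed9", "0058000000aa", "0011223344ff"))
    frames = [("eth-0-11", 12, client, build_dhcp(1, 0x1234, client, DISCOVER)),
              ("eth-0-12", 12, server, build_dhcp(2, 0x1234, client, OFFER, yiaddr="12.1.1.65")),
              ("eth-0-11", 12, client, build_dhcp(1, 0x1234, client, REQUEST)),
              ("eth-0-12", 12, server, build_dhcp(2, 0x1234, client, ACK, yiaddr="12.1.1.65", lease=691200)),
              # attacks on the untrusted port: rogue OFFER, spoofed chaddr, forged RELEASE, injected option 82
              ("eth-0-11", 12, rogue, build_dhcp(2, 0x1234, client, OFFER, yiaddr="12.1.1.200")),
              ("eth-0-11", 12, rogue, build_dhcp(1, 0x5555, client, DISCOVER)),
              ("eth-0-11", 12, rogue, build_dhcp(1, 0x5556, rogue, RELEASE, ciaddr="12.1.1.65")),
              ("eth-0-11", 12, client, build_dhcp(1, 0x5557, client, DISCOVER, opt82=b"\x01\x02ab"))]
    return s, [s.process(*f) for f in frames]
```

run_scenario() returns the snooper and one verdict per frame: the four legitimate frames are forwarded, the four attacks on the untrusted port are dropped (one of them counted under the MAC-verify failure, as on the switch), and the binding table ends up holding the same VLAN, port, MAC and address tuple shown in the output above. A RELEASE from the bound client on eth-0-11 with ciaddr 12.1.1.65 is the only release the model lets through, and it removes the entry.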

Application cases

N/A