DHCP Snooping - secure network against rogue and malicious DHCP servers

  • Enable DHCP snooping globally

(config)#ip dhcp snooping

  • Enable DHCP snooping for particular VLANs

(config)#ip dhcp snooping vlan 2,4,5,9,12,150,200

  • Set the port where your DHCP server is connected as "trusted", e.g. interface Gi0/1

(config)#interface Gi0/1

(config-if)#ip dhcp snooping trust

All ports by default are untrusted.

  • Repeat the step above for every interface that connects to another switch, wireless controller, standalone access point, etc., through which DHCP traffic must pass.
  • Set DHCP option 82 if necessary.

(config)#ip dhcp snooping information option

If your DHCP server does not support this option, it is better to disable it.

  • Set a rate limit for DHCP traffic (packets/sec)

(config-if)#ip dhcp snooping limit rate 20

The limit should be set on "untrusted" ports only. If you also want to set a limit on "trusted" interfaces, set it higher to avoid blocking valid DHCP traffic.

  • Set a file for the DHCP snooping database (if you really need it)

(config)#ip dhcp snooping database flash:snoop.txt

The storage method can be ftp, http, tftp, rcp or flash.
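The steps above, collected into one complete configuration as an added example (this is not configuration from the original post). It assumes a Cisco IOS access switch where Gi0/1 is the uplink towards the DHCP server and Gi0/2-24 are user ports; the VLAN list, interface names, rate limit and database path are illustrative values. It disables option 82 on the assumption that the DHCP server does not understand it, and adds errdisable recovery so a port that exceeds the rate limit comes back on its own.

```cisco
! Added example, not from the original post: complete DHCP snooping
! configuration for a Cisco IOS access switch. Interface names, VLANs,
! the rate limit and the database path are assumed values.
ip dhcp snooping
ip dhcp snooping vlan 2,4,5,9,12,150,200
!
! IOS inserts option 82 by default once snooping is enabled. Turn it off
! unless the DHCP server understands it (assumption here: it does not).
no ip dhcp snooping information option
!
! Keep the binding table across reloads (assumed path on local flash).
ip dhcp snooping database flash:snoop.txt
!
! Uplink towards the core switch / DHCP server: trusted, no rate limit,
! so server replies (OFFER/ACK) are accepted and never throttled.
interface GigabitEthernet0/1
 description UPLINK-to-core (assumed)
 switchport mode trunk
 ip dhcp snooping trust
!
! User ports: untrusted (the default). Server-type messages arriving here
! are dropped; client traffic is rate-limited so a DISCOVER flood
! errdisables the port instead of starving the real server.
interface range GigabitEthernet0/2 - 24
 switchport mode access
 switchport access vlan 12
 ip dhcp snooping limit rate 20
!
! Optional: bring a port errdisabled by the rate limit back after 5 minutes.
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
```

After applying it, `show ip dhcp snooping` lists each interface with its trusted/untrusted state and the rate limit in effect, which is the quickest way to confirm that only the uplink is trusted.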

  • Helpful commands

#sh ip dhcp snooping binding

It displays the bindings (IP, MAC, interface, etc.). It has some additional keywords for more details.

#sh ip dhcp snooping statistics

It shows DHCP packet statistics.

#sh ip dhcp snooping database

It shows snooping database information.

dzbanek 2011-10-28