Nasser Heidari

2009-02-14

DHCP Snooping

Filed under: Cisco — Nasser Heidari @ 19:47

It may be hard to believe, but something as innocent as DHCP can actually lead to trouble for your network. When a host sends out a DHCPDiscover packet, it listens for DHCPOffer packets – and accepts the first Offer it gets!

Part of that DHCPOffer is the address to which the host should set its default gateway. What if a DHCP server that does not belong on our network – a rogue DHCP server – is placed on that subnet?

If that host uses the DHCPOffer from the rogue server, the host could end up using the rogue server as its default gateway or DNS server!

We can prevent this with DHCP Snooping. DHCP Snooping classifies interfaces as either trusted or untrusted.

DHCP messages received on trusted interfaces are permitted to pass through the switch, but DHCP messages received on untrusted interfaces result in the interface itself being placed into the err-disabled state.

DHCP Server Access

The DHCP server can be connected to the switch in one of two ways:

  • The server is directly connected to the same switch as the one connected to the DHCP clients (the hosts, or network devices, that are requesting IP addresses from the server). You must configure the port that connects the server to the switch as a trusted port.
  • The server is directly connected to a switch that is itself directly connected through a trunk port to the switch that the DHCP clients are connected to. The trunk port is configured by default as a trusted port. The switch that the DHCP server is connected to is not configured for DHCP snooping.

By default, the switch considers all ports untrusted – which means we better remember to configure the switch to trust some ports when we enable DHCP Snooping!

First, we need to enable DHCP Snooping on the entire switch:

Blackbox(config)#ip dhcp snooping

To enable DHCP Snooping for a particular VLAN, use the ip dhcp snooping vlan command.

Blackbox(config)#ip dhcp snooping vlan 14

Ports can then be configured as trusted with the ip dhcp snooping trust command.

Blackbox(config-if)#ip dhcp snooping trust
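The trust decision the post describes, as an added Python model (not the post's or Cisco's code): it applies the three settings above to constructed sample messages on invented ports Gi0/1, Gi0/5 and Gi0/7 in VLAN 14. It assumes, as real switches do, that only server replies (DHCPOffer/Ack/Nak) are filtered on untrusted ports so clients there can still send a Discover, and it err-disables the offending port as the post describes.

```python
# Constructed model of the trusted/untrusted check a DHCP snooping switch makes.
# Not Cisco code; port names, VLAN 14 and the sample messages are made up here.
from dataclasses import dataclass, field

# DHCP message types, option 53 (RFC 2132)
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {OFFER, ACK, NAK}   # only a DHCP server legitimately sends these

@dataclass(frozen=True)
class DhcpMessage:
    ingress_port: str
    vlan: int
    msg_type: int
    src_mac: str

@dataclass
class SnoopingSwitch:
    snooping_enabled: bool = False                     # ip dhcp snooping
    snooped_vlans: set = field(default_factory=set)    # ip dhcp snooping vlan N
    trusted_ports: set = field(default_factory=set)    # ip dhcp snooping trust
    err_disabled: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def handle(self, msg: DhcpMessage) -> str:
        """Return 'forward' or 'drop' for one DHCP message seen by the switch."""
        if not self.snooping_enabled or msg.vlan not in self.snooped_vlans:
            return "forward"                  # snooping inactive here: no filtering
        if msg.ingress_port in self.err_disabled:
            return "drop"                     # a disabled port passes nothing
        if msg.ingress_port in self.trusted_ports:
            return "forward"                  # trusted ports pass all DHCP traffic
        if msg.msg_type in SERVER_MESSAGES:
            # A server reply arriving on an untrusted port is the rogue-server signature.
            self.log.append(f"rogue DHCP reply type {msg.msg_type} from {msg.src_mac} "
                            f"on {msg.ingress_port} vlan {msg.vlan}")
            self.err_disabled.add(msg.ingress_port)   # the outcome the post describes
            return "drop"
        return "forward"                      # client Discover/Request may pass

def demo() -> dict:
    """Constructed scenario: real server on Gi0/1 (trusted), rogue on Gi0/7, client on Gi0/5."""
    sw = SnoopingSwitch(snooping_enabled=True, snooped_vlans={14}, trusted_ports={"Gi0/1"})
    results = {
        "client_discover": sw.handle(DhcpMessage("Gi0/5", 14, DISCOVER, "00:11:22:33:44:55")),
        "real_offer": sw.handle(DhcpMessage("Gi0/1", 14, OFFER, "aa:bb:cc:00:00:01")),
        "rogue_offer": sw.handle(DhcpMessage("Gi0/7", 14, OFFER, "de:ad:be:ef:00:07")),
        "rogue_port_after": sw.handle(DhcpMessage("Gi0/7", 14, DISCOVER, "de:ad:be:ef:00:07")),
        "other_vlan_offer": sw.handle(DhcpMessage("Gi0/9", 20, OFFER, "aa:bb:cc:00:00:09")),
    }
    results["log"] = sw.log
    return results
```

Note the last case: an Offer on a VLAN without snooping enabled is forwarded untouched, which is why the per-VLAN command matters as much as the global one.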
