DHCP snooping is a layer 2 security feature that helps networking devices to monitor DHCP messages and block untrusted or rogue DHCP servers.
When you enable DHCP snooping on a switch, it begins monitoring transactions between trusted DHCP servers and DHCP clients and uses the information to build the DHCP snooping binding table. You configure interfaces that connect to DHCP servers as trusted interfaces. All other interfaces are untrusted by default.
The DHCP snooping binding table contains the following information:
Client IP addresses
Client MAC addresses
Interface facing the clients
Client VLAN
Lease time
DHCP binding type – static or dynamic
The switch considers DHCP servers connected to trusted interfaces on the switch as legitimate servers. When a switch receives DHCP server-initiated packets (UDP destination port 67) on an untrusted interface, it drops the packet.
When a switch receives DHCP renew, release, or decline messages from a client, it checks the DHCP snooping binding table for a match. If the information in the DHCP message matches the table, the switch forwards the message to the DHCP server. If the information does not match, the switch interprets the client as an unauthorized client and drops the packet.
The DHCP snooping switch removes a dynamically-learned DHCP snooping binding entry when one of the following occurs:
Lease expiry
DHCP RELEASE packet received from the client
DHCP DECLINE packet received from the client
User actions, such as DHCP clear or disabling DHCP snooping
You can add a static DHCP snooping binding entry using the CLI. If you add a static entry for a client, any dynamic entry that is present for the same client is overwritten. The switch does not remove static entries if it receives DHCP RELEASE or DHCP DECLINE packets.
By default, DHCP snooping is disabled globally and enabled on VLANs. For the DHCP snooping feature to work, enable it globally.
NOTE: If you move a DHCP client from an untrusted interface to another untrusted interface within the VLAN, the DHCP snooping binding database is not updated. The switch drops subsequent packets from the client. However, if you move a DHCP client from an untrusted interface to a trusted interface, there is no impact to the traffic from the client.
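The decision logic above (trusted versus untrusted interfaces, the binding table, RENEW/RELEASE/DECLINE validation, static entries surviving RELEASE, lease expiry, and the note about moving a client between untrusted ports) is easier to reason about as a small model. The following is an added, constructed example, not OS10 code; interface names, MAC and IP addresses are sample values chosen here.

```python
"""Toy model of the DHCP snooping decisions described above.

Added, constructed example; it is not OS10 code. It models the binding table
and the trusted/untrusted interface logic in plain Python so the forwarding
decisions can be traced. Interface names, MAC and IP addresses are
constructed sample values.
"""
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}                   # server-initiated messages
CHECKED_CLIENT_MESSAGES = {"RENEW", "RELEASE", "DECLINE"}   # validated against the table


@dataclass
class Binding:
    ip: str
    mac: str
    interface: str      # interface facing the client
    vlan: int
    expires: int        # seconds of lease remaining (ignored for static entries)
    static: bool = False


class SnoopingSwitch:
    def __init__(self, trusted_interfaces):
        self.trusted = set(trusted_interfaces)   # every other interface is untrusted
        self.table = {}                          # (mac, vlan) -> Binding
        self.pending = {}                        # (mac, vlan) -> port of last DISCOVER/REQUEST

    def add_static(self, ip, mac, vlan, interface):
        """Static entry; overwrites any dynamic entry for the same client."""
        self.table[(mac, vlan)] = Binding(ip, mac, interface, vlan, 0, static=True)

    def handle(self, pkt):
        """Return 'forward' or 'drop' for a DHCP message seen on pkt['interface']."""
        key, iface, msg = (pkt["mac"], pkt["vlan"]), pkt["interface"], pkt["type"]
        if msg in SERVER_MESSAGES:
            if iface not in self.trusted:
                return "drop"                    # server traffic from an untrusted port: rogue
            if msg == "ACK":                     # trusted server confirmed a lease: learn it
                self.table[key] = Binding(pkt["ip"], pkt["mac"],
                                          self.pending.get(key, "unknown"),
                                          pkt["vlan"], pkt["lease"])
            return "forward"
        if msg in CHECKED_CLIENT_MESSAGES:
            b = self.table.get(key)
            if b is None or b.ip != pkt.get("ip"):
                return "drop"                    # no matching binding: unauthorized client
            if iface not in self.trusted and iface != b.interface:
                return "drop"                    # moved to another untrusted port: table not updated
            if msg in ("RELEASE", "DECLINE") and not b.static:
                del self.table[key]              # static entries survive RELEASE/DECLINE
            return "forward"
        # DISCOVER / REQUEST: remember the client-facing port and forward toward servers
        if iface not in self.trusted:
            self.pending[key] = iface
        return "forward"

    def tick(self, seconds):
        """Age dynamic leases; expired entries are removed from the table."""
        for key, b in list(self.table.items()):
            if not b.static:
                b.expires -= seconds
                if b.expires <= 0:
                    del self.table[key]


def demo():
    """Walk one client through a DHCP exchange and return the switch decisions."""
    sw = SnoopingSwitch(trusted_interfaces={"ethernet1/1/2"})    # server-facing port
    client = {"mac": "00:04:96:70:8a:12", "vlan": 100}
    steps = [
        # (message, ingress interface, offered/bound IP)
        ("DISCOVER", "ethernet1/1/4", None),         # client on an untrusted port
        ("OFFER",    "ethernet1/1/3", "10.1.1.99"),  # rogue server on an untrusted port
        ("OFFER",    "ethernet1/1/2", "10.1.1.2"),   # legitimate server on the trusted port
        ("REQUEST",  "ethernet1/1/4", "10.1.1.2"),
        ("ACK",      "ethernet1/1/2", "10.1.1.2"),   # binding is learned here
        ("RENEW",    "ethernet1/1/5", "10.1.1.2"),   # client moved to another untrusted port
        ("RENEW",    "ethernet1/1/4", "10.1.1.2"),   # client on its bound port
        ("RELEASE",  "ethernet1/1/4", "10.1.1.50"),  # RELEASE with an IP not in the table
    ]
    decisions = [sw.handle({**client, "type": t, "interface": i, "ip": ip, "lease": 3600})
                 for t, i, ip in steps]
    return decisions, sw
```

Running `demo()` yields forward, drop, forward, forward, forward, drop, forward, drop for the eight steps: the rogue OFFER and the out-of-table RELEASE are dropped, and so is the RENEW after the client moves to a different untrusted port without re-acquiring a lease. Calling `tick(3600)` afterwards ages the dynamic entry out of the table, while an entry added with `add_static` stays in place across a RELEASE.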
Restrictions for DHCP snooping
The management VLAN does not support DHCP snooping.
VxLAN bridges do not support DHCP snooping.
The maximum number of supported DHCP snooping binding entries is 4000.
OS10 does not support multi-hop DHCP snooping.
For DHCP snooping to work correctly, the DHCP server must support option 82 (RFC 3046) and have it enabled.
Rogue DHCP server detection
In the following topology, a trusted DHCP server, a DHCP client, and a rogue DHCP server are connected to the DHCP snooping switch. The DHCP client and DHCP server are on the same VLAN. The physical interface eth 1/1/2 is a trusted interface. When the rogue DHCP server sends a DHCP packet to the client, the switch analyzes the packet. Because the rogue server is connected to the untrusted interface eth 1/1/3, the switch deems it a rogue DHCP server and drops the packet.
DHCP snooping with DHCP relay
In the following topology, the DHCP snooping switch is the DHCP relay agent for DHCP clients on VLAN 100. The DHCP server is reachable on VLAN 200 through eth 1/1/2. The switch forwards the client DHCP messages to the trusted DHCP server. The switch processes DHCP packets from the DHCP server before forwarding them to DHCP clients. Because the rogue server is connected to the untrusted interface eth 1/1/3, the switch drops DHCP packets from that interface.
DHCP snooping in a VLT environment
OS10 supports DHCP snooping in a VLT environment. DHCP snooping switches in a VLT topology synchronize DHCP snooping binding information between them. The system interprets the VLTi link between VLT peers as trusted interfaces. To configure DHCP snooping in a VLT environment:
Enable DHCP snooping on both VLT peers.
Configure the VLT port-channel interfaces facing the DHCP server as trusted interfaces.
In the following VLT topology, AGG1 and AGG2 are VLT peers and have VLT port-channel interfaces connected to the VM server and the Core switch. The DHCP server is reachable through the Core switch. The following describes how DHCP snooping functions in a VLT environment:
One of the VLT peers receives a DHCP client packet from a DHCP client on the VM server through the VLT port-channel interface. The switch processes this packet.
The VLT peer forwards the DHCP client packet to the Core switch through the VLT port-channel interface.
The Core switch forwards the DHCP reply packet from the DHCP server to one of the VLT peers, which processes the packet.
If the DHCP reply packet is from a trusted DHCP server, the VLT peer forwards the reply packet to the DHCP client on the VM server.
The VLT peers synchronize the DHCP snooping binding table.
Enable and configure DHCP snooping globally
Enable DHCP snooping globally in CONFIGURATION mode.
ip dhcp snooping
Specify physical or port-channel interfaces that have connections towards DHCP servers as trusted in INTERFACE mode.
ip dhcp snooping trust
Add static DHCP snooping entry in the binding table
Add a static DHCP snooping entry in the binding table in CONFIGURATION mode.
ip dhcp snooping binding mac mac-address vlan vlan-id ip ip-address interface [ethernet slot/port/sub-port | port-channel port-channel-id | VLTi]
Example of adding static DHCP snooping entry
OS10(config)# ip dhcp snooping binding mac 00:04:96:70:8a:12 vlan 100 ip 100.1.1.2 interface ethernet 1/1/4
Remove static DHCP snooping entry from the binding table
Remove a static DHCP snooping entry from the binding table in CONFIGURATION mode.
no ip dhcp snooping binding mac mac-address vlan vlan-id interface [ethernet slot/port/sub-port | port-channel port-channel-id]
Example for removing static DHCP snooping entry in the binding table
OS10(config)# no ip dhcp snooping binding mac 00:04:96:70:8a:12 vlan 100 ip 100.1.1.2 interface ethernet 1/1/4
Clear dynamically-learned entries from DHCP snooping binding table
CAUTION: Clearing the DHCP snooping binding table using the clear ip dhcp snooping binding command also clears the Source Address Validation (SAV) and Dynamic ARP Inspection (DAI) entries on the system. This affects the traffic from clients that are connected to the DHCP snooping-enabled VLANs.
Example for clearing dynamically-learned entries from DHCP snooping binding table
The following example clears all dynamic DHCP snooping binding entries that are associated with the MAC address 04:56:79:86:73:fe:
OS10# clear ip dhcp snooping binding mac 04:56:79:86:73:fe
The following example clears all dynamic DHCP snooping binding entries that are associated with VLAN 100:
OS10# clear ip dhcp snooping binding vlan 100
The following example clears all the dynamic DHCP snooping binding entries that are associated with VLAN 100 with MAC address 04:56:79:86:73:fe on port-channel 10:
OS10# clear ip dhcp snooping binding mac 04:56:79:86:73:fe vlan 100 port-channel 10
View contents of DHCP binding table
Use the following command in EXEC mode:
show ip dhcp snooping binding [vlan vlan-name]
Example for viewing contents of DHCP binding table
OS10# show ip dhcp snooping binding
Codes : S - Static D - Dynamic
IPv4 Address     MAC Address         Expires(Sec)  Type  VLAN  Interface
=========================================================================
10.1.1.22        11:22:11:22:11:22   120331        S     100   ethernet1/1/4
33.1.1.44        11:22:11:22:11:23   120331        S     200   port-channel100
103.1.1.5        11:22:11:22:11:24   120331        D     300   ethernet1/1/5:4
DHCP snooping examples
DHCP snooping in a simple layer 2 network
This example uses a simple topology with a DHCP snooping switch and a DHCP server. A DHCP client is connected to the snooping switch and a rogue DHCP server attempts to pose as a legitimate DHCP server. With a configuration similar to the following, the DHCP snooping switch drops packets from the rogue DHCP server which is connected to an untrusted interface.
DHCP server
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no shutdown
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# ip address 10.1.1.1/24
OS10(conf-if-eth1/1/1)# exit
OS10(config)# ip dhcp server
OS10(config-dhcp)# no disable
OS10(config-dhcp)# pool dell_server1
OS10(config-dhcp-dell_server1)# lease 0 1 0
OS10(config-dhcp-dell_server1)# network 10.1.1.0/24
OS10(config-dhcp-dell_server1)# range 10.1.1.2 10.1.1.100
DHCP client
OS10(config)# interface ethernet 1/1/4
OS10(conf-if-eth1/1/4)# no switchport
OS10(conf-if-eth1/1/4)# no ip address
OS10(conf-if-eth1/1/4)# ip address dhcp
OS10(conf-if-eth1/1/4)# end
DHCP snooping switch as a relay agent
This example uses a simple topology with a DHCP snooping switch configured as a DHCP relay agent. A DHCP server and a DHCP client are connected to the snooping switch through different VLANs. A rogue DHCP server attempts to pose as a legitimate DHCP server. With a configuration similar to the following, the DHCP snooping switch drops packets from the rogue DHCP server which is connected to an untrusted interface.
DHCP snooping switch
OS10# configure terminal
OS10(config)# ip dhcp snooping
OS10(config)# end
OS10# configure terminal
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# no shutdown
OS10(conf-if-vl-100)# ip address 10.1.1.1/24
OS10(conf-if-vl-100)# ip helper-address 10.2.1.2
OS10(conf-if-vl-100)# exit
OS10(config)# interface vlan 200
OS10(conf-if-vl-200)# no shutdown
OS10(conf-if-vl-200)# ip address 10.2.1.1/24
OS10(conf-if-vl-200)# exit
OS10(config)# interface ethernet 1/1/2
OS10(conf-if-eth1/1/2)# no shutdown
OS10(conf-if-eth1/1/2)# switchport access vlan 200
OS10(conf-if-eth1/1/2)# ip dhcp snooping trust
OS10(conf-if-eth1/1/2)# exit
OS10(config)# interface ethernet 1/1/4
OS10(conf-if-eth1/1/4)# no shutdown
OS10(conf-if-eth1/1/4)# switchport access vlan 100
OS10(conf-if-eth1/1/4)# exit
OS10(config)# interface ethernet 1/1/3
OS10(conf-if-eth1/1/3)# no shutdown
OS10(conf-if-eth1/1/3)# switchport access vlan 100
OS10(conf-if-eth1/1/3)# end
DHCP server
OS10# configure terminal
OS10(config)# ip dhcp server
OS10(config-dhcp)# no disable
OS10(config-dhcp)# pool dell_1
OS10(config-dhcp-dell_1)# network 10.1.1.0/24
OS10(config-dhcp-dell_1)# range 10.1.1.2 10.1.1.250
OS10(config-dhcp-dell_1)# exit
OS10(config-dhcp)# pool dell_2
OS10(config-dhcp-dell_2)# network 10.2.1.0/24
OS10(config-dhcp-dell_2)# exit
OS10(config-dhcp)# exit
OS10(config)# interface ethernet 1/1/1
OS10(conf-if-eth1/1/1)# no shutdown
OS10(conf-if-eth1/1/1)# no switchport
OS10(conf-if-eth1/1/1)# ip address 10.2.1.2/24
DHCP client
OS10(config)# interface ethernet 1/1/4
OS10(conf-if-eth1/1/4)# no switchport
OS10(conf-if-eth1/1/4)# no ip address
OS10(conf-if-eth1/1/4)# ip address dhcp
OS10(conf-if-eth1/1/4)# end
DHCP snooping in a Layer 2 VLT setup
In this layer 2 VLT setup, DHCP clients on the virtual machine are connected to SW1 and SW2 and acquire IP addresses from the DHCP server.
SW 1
DHCP snooping configuration
Enable DHCP snooping globally.
OS10(config)# ip dhcp snooping
VLAN configuration
Create a VLAN.
OS10# configure terminal
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# no shutdown
VLT configuration
Create a VLT domain and configure VLTi.
OS10(config)# interface range ethernet 1/1/4-1/1/5
OS10(conf-range-eth1/1/4-1/1/5)# no switchport
OS10(conf-range-eth1/1/4-1/1/5)# exit
OS10(config)# vlt-domain 1
OS10(conf-vlt-1)# discovery-interface ethernet 1/1/4-1/1/5
Configure a VLT MAC address.
OS10(conf-vlt-1)# vlt-mac 12:5e:23:2d:76:3e
Specify the management IP address of the VLT peer as a backup link.
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# ip address 10.1.1.1/24
OS10(conf-if-vl-100)# exit
OS10(config)# ip dhcp server
OS10(config-dhcp)# no disable
OS10(config-dhcp)# pool dell_server1
OS10(config-dhcp-dell_server1)# lease 0 1 0
OS10(config-dhcp-dell_server1)# network 10.1.1.0/24
OS10(config-dhcp-dell_server1)# range 10.1.1.2 10.1.1.100
Verify DHCP snooping on both VLT peers
The following output shows that the DHCP snooping switches (VLT peers) snooped DHCP messages. The interface column displays the local VLT port channel number.
OS10# show ip dhcp snooping binding
Number of entries : 1
Codes : S - Static D - Dynamic
IPv4 Address     MAC Address         Expires(Sec)  Type  Interface        VLAN
=======================================================================================
10.1.1.2         14:18:77:0d:05:e9   3600          D     port-channel10   vlan100
DHCP snooping with DHCP relay agent in a VLT setup
In this VLT setup, DHCP clients on the virtual machine are connected to SW1 and SW2 and acquire IP addresses from the DHCP server. The VLAN of both the client and the DHCP server is in the default VRF on SW 1 and SW 2.
SW 1
DHCP snooping configuration
Enable DHCP snooping globally.
OS10(config)# ip dhcp snooping
VLAN configuration
Create a VLAN and assign an IP address to it which acts as the gateway for the VMs.
OS10# configure terminal
OS10(config)# interface vlan 100
OS10(conf-if-vl-100)# no shutdown
OS10(conf-if-vl-100)# ip address 10.1.1.1/24
OS10(conf-if-vl-100)# exit
Create another VLAN and assign an IP address to it which can communicate with the DHCP server.
OS10# configure terminal
OS10(config)# interface vlan 200
OS10(conf-if-vl-200)# no shutdown
OS10(conf-if-vl-200)# ip address 10.2.1.1/24
OS10(conf-if-vl-200)# exit
Configure SW 1 as the DHCP relay agent for the clients in the VM. The IP address that you specify here is the IP address of the DHCP server.
OS10(config)# ip dhcp server
OS10(config-dhcp)# no disable
OS10(config-dhcp)# pool dell_server1
OS10(config-dhcp-dell_server1)# network 10.1.1.0/24
OS10(config-dhcp-dell_server1)# range 10.1.1.3 10.1.1.250
OS10(config-dhcp-dell_server1)# lease 0 1 0
OS10(config-dhcp-dell_server1)# default-router 10.1.1.1
OS10(config-dhcp)# pool dell_2
OS10(config-dhcp-dell_2)# network 10.2.1.0/24
OS10(config-dhcp-dell_2)# range 10.2.1.4 10.2.1.100
OS10(config-dhcp-dell_2)# lease 0 1 0
Route to reach VLAN 100
OS10(config)# ip route 10.1.1.0/24 10.2.1.1
Verify DHCP snooping on both VLT peers
The following output shows that the DHCP snooping switches (VLT peers) snooped DHCP messages.
OS10# show ip dhcp snooping binding
Number of entries : 1
Codes : S - Static D - Dynamic
IPv4 Address     MAC Address         Expires(Sec)  Type  Interface        VLAN
=======================================================================================
10.1.1.3         14:18:77:0d:05:e9   3600          D     port-channel10   100
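Both the "View contents of DHCP binding table" section and the "Verify DHCP snooping on both VLT peers" steps rely on reading show ip dhcp snooping binding output by eye. The following added example, not part of OS10 or this guide, parses captures of that output into structured entries, handles both column orders shown on this page by reading the header line, and compares two VLT peers so that a binding present on only one peer stands out. The two captures are constructed for this example; SW2 is deliberately missing one entry.

```python
"""Parse `show ip dhcp snooping binding` captures and compare VLT peers.

Added example, not OS10 tooling. The captures below are constructed from the
output formats shown on this page (both the VLAN-before-Interface and the
Interface-before-VLAN layouts). SW2_CAPTURE is constructed to lack one entry
so that the peer comparison has something to report.
"""
import re
from dataclasses import dataclass

# Column labels as they appear in the header line, mapped to field names.
HEADER_FIELDS = [
    ("IPv4 Address", "ip"), ("MAC Address", "mac"), ("Expires(Sec)", "expires"),
    ("Type", "type"), ("VLAN", "vlan"), ("Interface", "interface"),
]

SW1_CAPTURE = """\
OS10# show ip dhcp snooping binding
Number of entries : 2
Codes : S - Static D - Dynamic
IPv4 Address     MAC Address         Expires(Sec)  Type  Interface        VLAN
=======================================================================================
10.1.1.2         14:18:77:0d:05:e9   3600          D     port-channel10   vlan100
10.1.1.22        11:22:11:22:11:22   120331        S     ethernet1/1/4    vlan100
"""

SW2_CAPTURE = """\
OS10# show ip dhcp snooping binding
Number of entries : 1
Codes : S - Static D - Dynamic
IPv4 Address     MAC Address         Expires(Sec)  Type  VLAN  Interface
=========================================================================
10.1.1.2         14:18:77:0D:05:E9   3590          D     100   port-channel10
"""


@dataclass(frozen=True)
class Entry:
    ip: str
    mac: str
    expires: int
    static: bool
    vlan: int
    interface: str


def parse_binding_table(text):
    """Return the Entry objects found in one show command capture."""
    order, entries = None, []
    for line in text.splitlines():
        if "IPv4 Address" in line:
            # Order the known labels by where they sit in this header line.
            present = [(line.index(label), name) for label, name in HEADER_FIELDS if label in line]
            order = [name for _, name in sorted(present)]
            continue
        if order is None or not re.match(r"\d+\.\d+\.\d+\.\d+\s", line):
            continue                        # banner, separator or summary line
        fields = dict(zip(order, line.split()))
        entries.append(Entry(
            ip=fields["ip"],
            mac=fields["mac"].lower(),      # normalise case before comparing peers
            expires=int(fields["expires"]),
            static=fields["type"] == "S",
            vlan=int(re.sub(r"^vlan", "", fields["vlan"].lower())),
            interface=fields["interface"],
        ))
    return entries


def expiring_within(entries, seconds):
    """Dynamic bindings whose lease ends within `seconds`; static ones never expire."""
    return [e for e in entries if not e.static and e.expires <= seconds]


def peer_mismatch(peer_a, peer_b):
    """Bindings (ip, mac, vlan) held by one VLT peer but not the other.

    Expiry and interface are left out of the key: the interface column shows
    the local port-channel on each peer and lease counters drift between captures.
    """
    key = lambda e: (e.ip, e.mac, e.vlan)
    a, b = {key(e) for e in peer_a}, {key(e) for e in peer_b}
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    sw1, sw2 = parse_binding_table(SW1_CAPTURE), parse_binding_table(SW2_CAPTURE)
    print("only on SW1, only on SW2:", peer_mismatch(sw1, sw2))
    print("expiring within an hour on SW1:", expiring_within(sw1, 3600))
```

The comparison keys on address, MAC and VLAN only, because the page states that the Interface column shows each peer's local VLT port-channel number, so that column legitimately differs between peers. In practice the captures would come from the two peers over SSH; here they are embedded so the script runs offline.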