--> DHCP Snooping is a security feature used to prevent unauthorized or rogue DHCP servers in the network.
--> Basically, DHCP Snooping works on the concept of trusted and untrusted ports.
---> A trusted port is the port to which the DHCP server is connected.
---> Untrusted ports are all the remaining ports. DHCP Snooping filters the DHCP messages received on untrusted ports.
--> By default, all ports on the switch are untrusted.
---> DHCP Snooping works on a per-VLAN basis. If you only enable DHCP Snooping globally, all VLANs remain inactive for DHCP Snooping until it is enabled on them.
--> Once DHCP Snooping is configured, the switch builds the DHCP Snooping table, also known as the DHCP binding table. This table is built from the information in the DHCP messages the switch sees.
--> The database contains an entry for each untrusted host: the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface associated with the host.
--> This information is only available if DHCP Snooping is enabled on the VLAN where the host is connected.
--> The DHCP snooping database is updated when the switch receives specific DHCP messages. For example, DHCP snooping adds an entry to the database when the switch receives a DHCPACK message from the server.
--> DHCP snooping removes the entry from the database when the IP address lease expires or the switch receives a DHCPRELEASE message from the host.
--> The database does not contain entries for hosts connected through trusted interfaces.
--> Whenever the switch receives a packet on an untrusted interface in which the source MAC address and the DHCP client hardware address do not match, the packet is dropped. This check is performed only if the DHCP snooping MAC address verification option is turned on.
--> A switch with DHCP Snooping enabled drops DHCP server messages such as DHCPACK, DHCPNAK and DHCPOFFER that arrive from a DHCP server connected to an untrusted port.
--> If only one switch is used, the trusted port should be configured on the port where the DHCP server is connected.
--> If more than one switch is used, trusted ports are configured on the trunk ports as well as on the port where the DHCP server is connected.
--> If a DHCP relay agent is used in the network, the port where the relay agent is connected should also be configured as trusted.
--> The DHCP binding table is stored locally on the flash memory of the switch; if the switch reboots or loses power, clients will not get any network connectivity because the snooping database has been lost from the switch.
--> Clients regain network connectivity only when they reboot their machines or perform a DHCP release/renew.
--> To solve this problem, store the DHCP binding database in a centralized location using a TFTP server.
--> The DHCP Snooping table is also used by DAI (Dynamic ARP Inspection) to prevent ARP spoofing and by IP Source Guard to prevent IP spoofing.
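The rules above (trusted vs. untrusted ports, per-VLAN activation, dropping server messages on untrusted ports, optional MAC verification, and building the binding table from DHCPACK while removing entries on DHCPRELEASE or lease expiry) can be followed as a small model. The following is an added illustration written for this page, not Cisco code or output; the class and field names, the port names and the MAC/IP values are all constructed for the example.

```python
"""Model of a DHCP-snooping switch: which DHCP packets are dropped, and how the
binding table is built. Hypothetical code for illustration, not a switch implementation."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Messages that only a DHCP server sends; they are never accepted from an untrusted port.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass
class DhcpPacket:
    vlan: int
    port: str
    src_mac: str            # Ethernet source address of the frame
    chaddr: str             # DHCP "client hardware address" field inside the payload
    msg_type: str           # DHCPDISCOVER / DHCPOFFER / DHCPREQUEST / DHCPACK / DHCPNAK / DHCPRELEASE
    yiaddr: Optional[str] = None   # leased address carried in OFFER/ACK
    lease: int = 0                 # lease time in seconds carried in OFFER/ACK


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    port: str
    binding_type: str = "dhcp-snooping"


@dataclass
class SnoopingSwitch:
    enabled_vlans: Set[int] = field(default_factory=set)
    trusted_ports: Set[str] = field(default_factory=set)
    verify_mac: bool = True      # "MAC address verification" option
    bindings: Dict[Tuple[int, str], Binding] = field(default_factory=dict)
    # (vlan, chaddr) -> untrusted port the client's request came in on
    _requests: Dict[Tuple[int, str], str] = field(default_factory=dict)

    def process(self, pkt: DhcpPacket) -> str:
        """Return 'forward' or 'drop:<reason>' and update the binding table."""
        if pkt.vlan not in self.enabled_vlans:
            return "forward"     # snooping inactive on this VLAN: no filtering, no bindings
        trusted = pkt.port in self.trusted_ports
        key = (pkt.vlan, pkt.chaddr.lower())
        if not trusted:
            if pkt.msg_type in SERVER_MESSAGES:
                return "drop:server-message-on-untrusted-port"
            if self.verify_mac and pkt.src_mac.lower() != pkt.chaddr.lower():
                return "drop:mac-mismatch"
            if pkt.msg_type in ("DHCPDISCOVER", "DHCPREQUEST"):
                self._requests[key] = pkt.port   # remember the client's untrusted port
        if pkt.msg_type == "DHCPACK":
            client_port = self._requests.get(key)
            # Only hosts behind untrusted ports get an entry; a client that was only ever
            # seen behind a trusted port (e.g. a trunk) has no recorded request.
            if client_port is not None:
                self.bindings[key] = Binding(pkt.chaddr.lower(), pkt.yiaddr, pkt.lease,
                                             pkt.vlan, client_port)
        elif pkt.msg_type == "DHCPRELEASE":
            self.bindings.pop(key, None)
        return "forward"

    def expire(self, seconds: int) -> int:
        """Age every lease by `seconds`; drop expired entries and return how many were removed."""
        expired = []
        for key, b in self.bindings.items():
            b.lease -= seconds
            if b.lease <= 0:
                expired.append(key)
        for key in expired:
            del self.bindings[key]
        return len(expired)


def run_demo() -> dict:
    """Walk one legitimate lease plus two attacks through the model (all values constructed)."""
    sw = SnoopingSwitch(enabled_vlans={10, 20}, trusted_ports={"G0/2"})
    client, server = "00:11:22:33:44:55", "aa:bb:cc:00:00:01"
    out = {}
    out["discover"] = sw.process(DhcpPacket(10, "G0/5", client, client, "DHCPDISCOVER"))
    out["offer_ok"] = sw.process(DhcpPacket(10, "G0/2", server, client, "DHCPOFFER", "10.10.10.50", 86400))
    out["request"] = sw.process(DhcpPacket(10, "G0/5", client, client, "DHCPREQUEST"))
    out["ack_ok"] = sw.process(DhcpPacket(10, "G0/2", server, client, "DHCPACK", "10.10.10.50", 86400))
    # Rogue server answering from an untrusted access port.
    out["rogue_offer"] = sw.process(DhcpPacket(10, "G0/7", "de:ad:be:ef:00:01", client, "DHCPOFFER", "192.168.1.1", 3600))
    # Frame whose Ethernet source does not match the chaddr it claims.
    out["spoofed"] = sw.process(DhcpPacket(10, "G0/8", "00:00:00:00:00:99", client, "DHCPDISCOVER"))
    out["binding"] = sw.bindings.get((10, client))
    out["release"] = sw.process(DhcpPacket(10, "G0/5", client, client, "DHCPRELEASE"))
    out["after_release"] = len(sw.bindings)
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:14} {v}")
```

The binding recorded after the DHCPACK carries the client's own access port (G0/5), not the trusted port the ACK arrived on, which is the information DAI and IP Source Guard later use to check that ARP replies and IP source addresses on G0/5 match that lease.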
Step 1: Configure DHCP Snooping globally on the switch
SW1(config)# ip dhcp snooping
SW2(config)# ip dhcp snooping
Step 2: Enable DHCP Snooping per VLAN
SW1(config)# ip dhcp snooping vlan 10,20
SW2(config)# ip dhcp snooping vlan 10,20
Step 3: Configure trusted ports on the interface
SW1(config)# interface G0/2
SW1(config-if)# ip dhcp snooping trust
SW2(config)# interface range g0/2-3
SW2(config-if)# ip dhcp snooping trust
Ref: Cisco.com
Md.Kareemoddin
CCIE # 54759
Step 3: Configure Trusted Ports
switch(config-if)# ip dhcp snooping trust