Configuring DHCP Snooping

Information About DHCP Snooping

The Dynamic Host Control Protocol (DHCP) Snooping feature provides security by filtering untrusted DHCP messages. An untrusted message is one that is received from outside the network and that can be used to mount traffic attacks within the network. DHCP Snooping acts as a firewall between untrusted hosts and the DHCP server. It lets the devices in the network track DHCP client IP addresses and verify the source of the traffic they receive.

The DHCP Snooping function classifies each port as trusted or untrusted. Trusted ports connect to DHCP servers or to ports of other devices in the network. Untrusted ports connect to DHCP clients or to other networks. When DHCP Snooping is enabled on your device, it monitors and validates the DHCP packets that it receives: DHCP-ACK and DHCP-OFFER packets that arrive on untrusted ports are dropped, because only a DHCP server should send them, while DHCP packets received on trusted ports are forwarded to the DHCP clients.

Overview of IP Source Guard

The IP Source Guard feature filters the source IP address on a Layer 2 port to prevent a malicious host from impersonating a legitimate host. It permits IP traffic only when the source IP address and MAC address of each packet match one of the two sources of IP and MAC address bindings:

  • Entries in the DHCP Snooping Binding table

  • Static IP source binding that you configure

You can enable the IP Source Guard feature only on untrusted ports. For IP Source Guard to function, DHCP Snooping must be enabled.

How to Configure DHCP Snooping

The following sections describe how to configure DHCP Snooping and IP Source Guard:

Configuring DHCP Snooping

Procedure

Step 1

enable

Example:

Device> enable 

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:

Device#configure terminal 

Enters global configuration mode.

Step 3

dhcp-snooping

Example:

Device(config)#dhcp-snooping 

Enables DHCP snooping on the device.

Step 4

interface ethernet port/slot

Example:

Device(config)#interface ethernet 1/1 

Enters interface configuration mode.

Step 5

dhcp-snooping trust

Example:

Device(config-if)#dhcp-snooping trust 

Specifies the port that is connected to the DHCP server as a trusted port.

Configuring Link-Down Operation

DHCP Snooping builds and maintains a binding database from the information it extracts from the DHCP messages it intercepts. Each entry in the database holds an IP address, VLAN, MAC address, lease time, and the interface associated with the binding.

When a link in the network goes down, you can configure the device to remove the corresponding entries from the binding database immediately, rather than waiting for the lease to expire.

Procedure

Step 1

enable

Example:

Device> enable 

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:

Device#configure terminal 

Enters global configuration mode.

Step 3

dhcp-snooping port-down-action fast-remove

Example:

Device(config)#dhcp-snooping port-down-action fast-remove 

(Optional) Configures the link-down operation: binding entries learned on a port are removed as soon as that port's link goes down.
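As an added illustration (not part of this guide or of the device software), the following Python model walks through the behaviour described above: server-originated DHCP messages are dropped on untrusted ports, a DHCPACK arriving on a trusted port creates a binding for the client's port, and port-down-action fast-remove purges that port's bindings on link down. Port names, addresses and the message exchange are constructed.

```python
from dataclasses import dataclass, field
from collections import namedtuple

# Server-originated DHCP messages. The page names OFFER and ACK; NAK is server-only as well.
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}
# One entry in the binding database: IP, MAC, VLAN, client-facing interface, lease time.
Binding = namedtuple("Binding", "ip mac vlan interface lease")

@dataclass
class DhcpSnooping:
    trusted: set = field(default_factory=set)     # ports given "dhcp-snooping trust"
    fast_remove: bool = False                     # "dhcp-snooping port-down-action fast-remove"
    bindings: dict = field(default_factory=dict)  # (mac, vlan) -> Binding
    pending: dict = field(default_factory=dict)   # (mac, vlan) -> port that sent DISCOVER/REQUEST

    def handle(self, port, vlan, msg, client_mac, yiaddr=None, lease=0):
        """Return 'forward' or 'drop' for one DHCP message received on `port`."""
        key = (client_mac, vlan)
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                return "drop"      # server reply arriving on an untrusted (client) port
            if msg == "DHCPACK" and key in self.pending:
                self.bindings[key] = Binding(yiaddr, client_mac, vlan, self.pending[key], lease)
            return "forward"
        if msg in ("DHCPDISCOVER", "DHCPREQUEST"):
            self.pending[key] = port   # remember which port the client sits behind
        elif msg == "DHCPRELEASE":
            self.bindings.pop(key, None)
        return "forward"

    def link_down(self, port):
        """With fast-remove configured, purge every binding learned on the failed port."""
        if self.fast_remove:
            for key in [k for k, b in self.bindings.items() if b.interface == port]:
                del self.bindings[key]
        return len(self.bindings)

def demo():
    """Constructed exchange: server behind ethernet 1/1 (trusted), client on ethernet 1/2."""
    sw = DhcpSnooping(trusted={"ethernet 1/1"}, fast_remove=True)
    mac = "00:11:22:33:44:55"
    verdicts = [sw.handle("ethernet 1/2", 10, "DHCPDISCOVER", mac),
                sw.handle("ethernet 1/2", 10, "DHCPOFFER", mac, "10.0.0.99"),  # rogue server
                sw.handle("ethernet 1/1", 10, "DHCPOFFER", mac, "10.0.0.20"),
                sw.handle("ethernet 1/2", 10, "DHCPREQUEST", mac),
                sw.handle("ethernet 1/1", 10, "DHCPACK", mac, "10.0.0.20", 3600)]
    b = sw.bindings[(mac, 10)]
    return verdicts, b.ip, b.interface, sw.link_down("ethernet 1/2")
```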

Configuring IP Source Guard

Before you begin

Enable the IP Source Guard feature only on untrusted ports. Before you begin to configure IP Source Guard, ensure that DHCP Snooping is enabled.

Procedure

Step 1

enable

Example:

Device> enable 

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:

Device#configure terminal 

Enters global configuration mode.

Step 3

ip-source-guard bind ip A.B.C.D [ mac mac-address interface ethernet interface-id vlan vlanID ]

Example:

Device(config)#ip-source-guard bind ip 10.2.3.4 

(Optional) Configures a static IP source binding; the MAC address, interface, and VLAN parts of the binding are optional.

Step 4

ip-source-guard vlan vlanList

Example:

Device(config)#ip-source-guard vlan 10 20 

(Optional) Configures IP Source Guard on the listed VLANs.

Step 5

ip-source-guard permit igmp

Example:

Device(config)#ip-source-guard permit igmp 

(Optional) Configures IP Source Guard to allow IGMP packets to pass through.

Step 6

interface ethernet device/slot/port

Example:

Device(config)#interface ethernet 0/1/1 

Enters interface configuration mode.

Step 7

ip-source-guard [ ip | ip-mac | ip-mac-vlan ]

Example:

Device(config-if)#ip-source-guard ip-mac 

Enables IP Source Guard feature on the untrusted port and specifies the port filtering mode.

Port filtering mode is of three types:

  • ip: The port filters packets based on the source IP address of the IP packet, regardless of the source MAC address and the VLAN ID.

  • ip-mac: The port filters packets based on the source IP address of the IP packet and the MAC address, regardless of the VLAN ID.

  • ip-mac-vlan: The port filters packets based on source IP address, MAC address, and VLAN ID.

If you do not specify the port filtering mode, the port filters packets based on the source IP address, MAC address, and VLAN ID (the ip-mac-vlan mode).
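To make the three filtering modes concrete, here is an added Python model (not the device's own code) of the IP Source Guard decision: a packet on a guarded port is permitted only if a DHCP Snooping or static binding matches under the port's mode, with permit igmp as the exception. Treating unspecified fields of a static bind entry as wildcards, and checking the binding's interface in every mode, are assumptions; the binding table and packets are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class Binding:
    """Binding from DHCP Snooping or a static 'ip-source-guard bind'; None = unspecified, wildcard (assumption)."""
    ip: str
    mac: Optional[str] = None
    vlan: Optional[int] = None
    interface: Optional[str] = None

# Ingress packet as the port sees it (constructed model, not a real frame parser).
Packet = namedtuple("Packet", "port vlan src_ip src_mac proto", defaults=("udp",))
class IpSourceGuard:
    def __init__(self, bindings, permit_igmp=False):
        self.bindings = list(bindings)
        self.permit_igmp = permit_igmp   # 'ip-source-guard permit igmp'
        self.port_mode = {}              # untrusted port -> filtering mode

    def enable(self, port, mode="ip-mac-vlan"):
        """'ip-source-guard [ip | ip-mac | ip-mac-vlan]'; an omitted mode means ip-mac-vlan."""
        self.port_mode[port] = mode

    def _matches(self, b, pkt, mode):
        if b.ip != pkt.src_ip or b.interface not in (None, pkt.port):
            return False      # wrong source IP, or a binding that belongs to another port
        if mode != "ip" and b.mac not in (None, pkt.src_mac):
            return False      # ip-mac and ip-mac-vlan also require the source MAC to match
        return mode != "ip-mac-vlan" or b.vlan in (None, pkt.vlan)

    def permit(self, pkt):
        mode = self.port_mode.get(pkt.port)
        if mode is None:
            return True       # IP Source Guard not enabled on this port
        if pkt.proto == "igmp" and self.permit_igmp:
            return True       # IGMP is let through regardless of bindings
        return any(self._matches(b, pkt, mode) for b in self.bindings)

def demo():
    """Constructed table: one DHCP-learned binding on ethernet 0/1/1 plus one static 'bind ip'."""
    isg = IpSourceGuard([Binding("10.0.0.20", "00:11:22:33:44:55", 10, "ethernet 0/1/1"),
                         Binding("10.2.3.4")], permit_igmp=True)
    isg.enable("ethernet 0/1/1", "ip-mac")
    probes = [Packet("ethernet 0/1/1", 10, "10.0.0.20", "00:11:22:33:44:55"),  # matches binding
              Packet("ethernet 0/1/1", 10, "10.0.0.21", "00:11:22:33:44:55"),  # spoofed IP
              Packet("ethernet 0/1/1", 10, "10.0.0.20", "de:ad:be:ef:00:01"),  # spoofed MAC
              Packet("ethernet 0/1/1", 20, "10.0.0.20", "00:11:22:33:44:55"),  # VLAN ignored in ip-mac
              Packet("ethernet 0/1/1", 10, "10.0.0.99", "de:ad:be:ef:00:02", "igmp")]
    return [isg.permit(p) for p in probes]
```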

Displaying DHCP Snooping and IP Source Guard Information

Use the following commands to display DHCP Snooping and IP Source Guard information:

Command

Purpose

show dhcp-snooping clients

Displays the binding between the IP address and MAC address, which the DHCP Snooping records.

Execute this command in any mode.

show dhcp-snooping interface [port-list]

Displays the DHCP Snooping enabled state, information on the trusted port, the number of DHCP clients allowed on the physical port, and the number of currently connected DHCP clients.

show ip-source-guard

Displays the status of the IP Source Guard function.

show ip-source-guard bind [ ip ip-address]

Displays the source IP Binding table of IP Source Guard.

show ip-source-guard vlan

Displays the IP Source Guard information for the VLAN.

show ip-source-guard permit igmp

Displays if IP Source Guard allows IGMP packets to pass through.

Configuration Example for DHCP Snooping

This example shows how to configure DHCP Snooping on a switch whose ethernet 1/1 interface is connected to the DHCP server and whose ethernet 1/2 interface is connected to the DHCP client. It sets the ethernet 1/1 port as a trusted port; ethernet 1/2 is left untrusted, so DHCP server replies arriving on it are dropped.

Device#configure terminal
Device(config)#dhcp-snooping

Device(config)#interface ethernet 1/1
Device(config-if-ethernet-1/1)#dhcp-snooping trust