Intro
You can use DHCP snooping to help prevent the denial-of-service attacks that result from unauthorized users adding a DHCP server to the network, which then hands out invalid configuration data to other DHCP clients on the network.

DHCP snooping accomplishes this by letting you distinguish between trusted ports (connected to a DHCP server or another switch) and untrusted ports (connected to end users). DHCP packets are forwarded between trusted ports without inspection. DHCP packets received on other switch ports are inspected before being forwarded, and packets from untrusted sources are dropped.
Condition for dropping a packet                                          Packet types
-----------------------------------------------------------------------  ----------------------------
A packet from a DHCP server received on an untrusted port.               DHCPOFFER, DHCPACK, DHCPNACK

The switch is configured with a list of authorized DHCP server           DHCPOFFER, DHCPACK, DHCPNACK
addresses, and a packet is received from a DHCP server on a trusted
port with a source IP address that is not in that list.

Unless configured not to perform this check, a DHCP packet received on   N/A
an untrusted port where the DHCP client hardware address field does not
match the source MAC address in the packet.

Unless configured not to perform this check, a DHCP packet containing    N/A
DHCP relay information (option 82) received on an untrusted port.

A broadcast packet that has a MAC address in the DHCP binding database,  DHCPRELEASE, DHCPDECLINE
but the port in the DHCP binding database is different from the port on
which the packet is received.
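The drop rules in the table can be written out as one decision function, which makes it easy to see which check fires first for a given packet. The Python below is an added illustration, not code from this page or from HP: the packet and configuration classes, the `snoop` function, the sample packets and the single binding-database entry are all constructed for the example, and the default values of `verify_mac` and `drop_untrusted_option82` are assumptions. The reason strings are chosen to match the counters in the `show dhcp-snooping stats` output shown later on this page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Message types the switch treats as coming from a DHCP server (table rows 1 and 2).
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNACK"}
# Client messages subject to the binding-database port check (table row 5).
RELEASE_MESSAGES = {"DHCPRELEASE", "DHCPDECLINE"}


@dataclass
class DhcpPacket:
    """Constructed, simplified view of a DHCP packet as it arrives on a switch port."""
    msg_type: str
    ingress_port: str
    src_ip: str
    src_mac: str                 # Ethernet source address
    chaddr: str                  # DHCP client hardware address field
    has_option82: bool = False   # relay agent information option present
    is_broadcast: bool = False


@dataclass
class SnoopingConfig:
    """Hypothetical per-switch settings mirroring the knobs referenced in the table."""
    trusted_ports: Set[str]
    authorized_servers: Optional[Set[str]] = None   # None: no list configured
    verify_mac: bool = True                         # assumed default for this example
    drop_untrusted_option82: bool = True            # assumed default for this example


def snoop(pkt: DhcpPacket, cfg: SnoopingConfig, bindings: Dict[str, str]) -> Tuple[str, str]:
    """Apply the table's drop conditions in order. `bindings` maps a client MAC
    (lower-case) to the port its lease was learned on. Returns (action, reason)."""
    trusted = pkt.ingress_port in cfg.trusted_ports

    if pkt.msg_type in SERVER_MESSAGES:
        # Row 1: server replies are only accepted from trusted ports.
        if not trusted:
            return ("drop", "received on untrusted port")
        # Row 2: with an authorized-server list, the source IP must be on it.
        if cfg.authorized_servers is not None and pkt.src_ip not in cfg.authorized_servers:
            return ("drop", "unauthorized server")
        return ("forward", "from trusted port")

    # Client-originated message: trusted ports are not inspected further.
    if trusted:
        return ("forward", "from trusted port")
    # Row 3: client hardware address must equal the Ethernet source MAC.
    if cfg.verify_mac and pkt.chaddr.lower() != pkt.src_mac.lower():
        return ("drop", "failed verify MAC check")
    # Row 4: relay-agent information is not accepted from an untrusted port.
    if cfg.drop_untrusted_option82 and pkt.has_option82:
        return ("drop", "untrusted option 82 field")
    # Row 5: a broadcast RELEASE/DECLINE must arrive on the port the binding was learned on.
    if pkt.msg_type in RELEASE_MESSAGES and pkt.is_broadcast:
        bound_port = bindings.get(pkt.chaddr.lower())
        if bound_port is not None and bound_port != pkt.ingress_port:
            return ("drop", "bad DHCP release request")
    return ("forward", "to trusted port")


def demo() -> List[Tuple[str, str]]:
    """Run constructed packets through the filter; one packet per table row plus two clean ones."""
    cfg = SnoopingConfig(trusted_ports={"Trk1"},
                         authorized_servers={"10.11.12.13", "10.15.20.25"})
    bindings = {"00:11:22:33:44:55": "3"}   # constructed: this client's lease was learned on port 3
    client = "00:11:22:33:44:55"
    packets = [
        DhcpPacket("DHCPOFFER", "7", "192.0.2.50", "aa:bb:cc:00:00:01", client),     # server reply on access port
        DhcpPacket("DHCPOFFER", "Trk1", "192.0.2.50", "aa:bb:cc:00:00:01", client),  # trusted port, unlisted server
        DhcpPacket("DHCPOFFER", "Trk1", "10.11.12.13", "aa:bb:cc:00:00:01", client), # trusted port, listed server
        DhcpPacket("DHCPDISCOVER", "3", "0.0.0.0", client, "de:ad:be:ef:00:00"),      # chaddr != source MAC
        DhcpPacket("DHCPDISCOVER", "3", "0.0.0.0", client, client, has_option82=True),
        DhcpPacket("DHCPRELEASE", "9", "0.0.0.0", client, client, is_broadcast=True), # release from the wrong port
        DhcpPacket("DHCPDISCOVER", "3", "0.0.0.0", client, client),                   # clean client request
    ]
    return [snoop(p, cfg, bindings) for p in packets]


if __name__ == "__main__":
    for action, reason in demo():
        print(f"{action:8} {reason}")
```

Note that the authorized-server check in the second branch is the one inspection still applied to a trusted port; everything else on a trusted port is forwarded untouched, which is why the choice of which ports to trust matters more than any other setting.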
Configuration restrictions and guidelines
When you configure DHCP snooping, follow these restrictions and guidelines:
· DHCP snooping operates between the DHCP client and DHCP server, or between the DHCP client and DHCP relay agent. It does not operate between the DHCP server and DHCP relay agent.
· The DHCP snooping enabled device cannot act as a DHCP server or DHCP relay agent.
· The trusted port and the port connected to the DHCP client must be in the same VLAN.
· You can configure Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces as trusted interfaces.
· When a Layer 2 Ethernet interface is added to an aggregation group, the DHCP snooping configuration on the interface does not take effect. After the interface is removed from the aggregation group, the configuration takes effect.
HPN ProCurve Switches

Enable globally:

dhcp-snooping

Enable per VLAN:

dhcp-snooping vlan 1
dhcp-snooping vlan 10
dhcp-snooping vlan 40
dhcp-snooping vlan 50

Designate authorized servers:

dhcp-snooping authorized-server 10.11.12.13
dhcp-snooping authorized-server 10.15.20.25
dhcp-snooping authorized-server 10.20.30.40
dhcp-snooping authorized-server 10.9.8.7

Apply to the uplink interface to the core switch:

interface Trk1
dhcp-snooping trust
exit
To display the DHCP snooping configuration:

# show dhcp-snooping

 DHCP Snooping Information

  DHCP Snooping              : Yes
  Enabled Vlans              : 1 10 40 50
  Verify MAC                 : No
  Option 82 untrusted policy : drop
  Option 82 Insertion        : No
  Option 82 remote-id        : mac
  Store lease database       : Not configured

  Port  Trust
  ----- -----
  1     No
  2     No
  .
  .
  Trk1  Yes
To display statistics about the DHCP snooping process:

# show dhcp-snooping stats

 Packet type  Action   Reason                         Count
 -----------  -------  -----------------------------  ---------
 Server       forward  from trusted port              8
 Client       forward  to trusted port                8
 Server       drop     received on untrusted port     2
 Server       drop     unauthorized server            0
 Client       drop     destination on untrusted port  0
 Client       drop     untrusted option 82 field      0
 Client       drop     bad DHCP release request       0
 Client       drop     failed verify MAC check        0
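The drop counters above are cumulative, so a monitoring job gets the most out of them by polling the command and acting on the increase between polls rather than on the raw values. The Python below is an added example, not part of this page or an HP tool: `SAMPLE_STATS` is a constructed copy of the output layout shown above with the same counter values, `LATER_STATS` is a constructed second poll of the same switch, and the function names are my own.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample in the layout of the "show dhcp-snooping stats" output above,
# with the same counter values the page shows.
SAMPLE_STATS = """\
 Packet type  Action   Reason                         Count
 -----------  -------  -----------------------------  ---------
 Server       forward  from trusted port              8
 Client       forward  to trusted port                8
 Server       drop     received on untrusted port     2
 Server       drop     unauthorized server            0
 Client       drop     destination on untrusted port  0
 Client       drop     untrusted option 82 field      0
 Client       drop     bad DHCP release request       0
 Client       drop     failed verify MAC check        0
"""

# Constructed second poll of the same switch a few minutes later.
LATER_STATS = """\
 Packet type  Action   Reason                         Count
 -----------  -------  -----------------------------  ---------
 Server       forward  from trusted port              11
 Client       forward  to trusted port                12
 Server       drop     received on untrusted port     5
 Server       drop     unauthorized server            1
 Client       drop     destination on untrusted port  0
 Client       drop     untrusted option 82 field      0
 Client       drop     bad DHCP release request       0
 Client       drop     failed verify MAC check        0
"""


class StatRow(NamedTuple):
    packet_type: str   # "Server" or "Client"
    action: str        # "forward" or "drop"
    reason: str
    count: int


# One counter row: packet type, action, free-text reason, trailing integer count.
ROW_RE = re.compile(r"^\s*(Server|Client)\s+(forward|drop)\s+(.+?)\s+(\d+)\s*$")

Key = Tuple[str, str]   # (packet_type, reason) identifies a counter


def parse_stats(text: str) -> List[StatRow]:
    """Parse counter rows; the header and dashed rule lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(StatRow(m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return rows


def drop_counters(rows: List[StatRow]) -> Dict[Key, int]:
    return {(r.packet_type, r.reason): r.count for r in rows if r.action == "drop"}


def forwarded_total(rows: List[StatRow]) -> int:
    return sum(r.count for r in rows if r.action == "forward")


def drop_delta(previous: str, current: str) -> Dict[Key, int]:
    """Counters are cumulative, so report only the reasons whose count grew between polls."""
    before = drop_counters(parse_stats(previous))
    after = drop_counters(parse_stats(current))
    return {k: after[k] - before.get(k, 0) for k in after if after[k] > before.get(k, 0)}


def alerts(previous: str, current: str) -> List[str]:
    """Lines a monitoring job could emit. Server-side drops mean a DHCP server answered
    from an untrusted port or from an address outside the authorized list; client-side
    drops mean spoofed or relayed client traffic arrived on an access port."""
    out = []
    for (ptype, reason), n in drop_delta(previous, current).items():
        kind = "unauthorized DHCP server" if ptype == "Server" else "suspect client traffic"
        out.append(f"{n} new drop(s) since last poll: {reason} ({kind})")
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_STATS, LATER_STATS):
        print(line)
```

Keying the counters on the (packet type, reason) pair matters because the same wording can appear under both Server and Client rows, and a rise in the Server rows is the signal that most directly indicates a rogue or misconfigured DHCP server on the segment.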