Configuring DHCP Snooping

Hello there! If you are new here, you might want to subscribe to the RSS feed for updates on this topic.

What is DHCP Snooping

DHCP snooping is a security feature inteneded to prevent rogue DHCP server from sending malicious DHCP replies.
When DHCP snooping is enabled, the switch intercept all the DHCP requests, and discards DHCP replies coming from “untrusted” ports. The offending switch ports are automatically shut down and put in errdisable state.
DHCP snooping also has a database containing client MAC address, IP address offered, lease
time, and so on for all the completed DHCP bindings.

Configuring DHCP Snooping

Enable DHCP snooping globally on a switch

Switch(config)# ip dhcp snooping

Identify VLANs for DHCP snooping. In this case VLAN 10 to 15

Switch(config)# ip dhcp snooping vlan number 10-15

By default all ports are “untrusted”, so we have to add trusted ports
Here we are adding fa1/1 as trusted port

Switch(config)# interface type fa1/1
Switch(config-if)# ip dhcp snooping trust

(Optional) Rate limiting untrusted port.
Here we are rate limiting interface fa0/1

Switch(config)# interface fa0/1
Switch(config-if)# ip dhcp snooping limit rate 10

The rate can be 1 to 2048 DHCP packets per second.

Verifying Configuration

Show DHCP snooping status

Switch# show ip dhcp snooping

Summary

DHCP snooping is useful for mitigating malicious DHCP replies. However there are times when users connect their own DHCP server (for example wireless Linksys router having its own DHCP). DHCP snooping can be used effectively to remedy these kind of situations.

Cisco, DHCP, IOS

About the author

Multi skilled Cisco network engineer, web programmer and system administrator, lost in different career path :-)

This entry was posted by Arsalan A. Suzuki on September 9, 2010 at 10:34 pm, and is filed under Cisco, IOS, Switching. Follow any responses to this post through RSS 2.0. You can leave a response or trackback from your own site.

Related Posts
Comments (0)

No comments yet.

No trackbacks yet.

Basic Frame Relay Configuration

about 1 year ago - 4461 commentBasic+Frame+Relay+Configuration2011-08-09+16%3A18%3A32Arsalan+A.+Suzuki

This article shows how to configure basic frame relay without using inverse ARP. We’ll be using the above topology for the configuration. The IP addresses of the routers are 192.168.1.X, where X is the router number. Configuration Steps Assign IP address to the serial interface Configure frame relay encapsulation Set frame map for each router…

Ping Multiple Addresses Using TCL Script Part 2

about 1 year ago - 431No comments2011-06-18+06%3A08%3A44Arsalan+A.+Suzuki

Part 1 of this tutorial showed how to ping multiple IP addresses using TCL script. This tutorial will further refine the script which was in Part 1. Instead of foreach loop, we will be using for loop to make the script shorter. TCL Script Here is the sample script for { set i 1 }…

Ping Multiple Addresses Using TCL Script Part 1

about 1 year ago - 4063 comments2011-06-14+00%3A45%3A45Arsalan+A.+Suzuki

There might be situation where you might need to ping multiple IP addresses to check the full connectivity between devices. This tutorial shows you exactly how to do that using TCL script. I’ll be explaining how it works in details so you don’t need to have any programming or scripting experience. TCL Script Below is…

Enable Telnet Access on Cisco Router

about 2 years ago - 3731 commentEnable+Telnet+Access+on+Cisco+Router2011-05-16+19%3A10%3A37Arsalan+A.+Suzuki

This short tutorial shows how to enable telnet access on the router. Configuration Use the following commands to enable telnet access to the router. First check how many virtual terminal router supports. (Depending on the router model, the output might be different) Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#line vty…

Cisco ūmi Home Telepresence on Your TV Set

about 2 years ago - 321No comments2010-10-07+08%3A26%3A22Arsalan+A.+Suzuki

Cisco announced Umi, a video conferencing appliance for typical consumers. Umi consists of camera mounted to the top of the screen which can capture Full HD 1080p video at 30 frames per second. The camera is connected to a device which act as a internet gateway for the TV. Umi which is scheduled to be…

Configuring Port Aggregation with EtherChannel

about 2 years ago - 3081 comment2010-10-04+16%3A28%3A50Arsalan+A.+Suzuki

What is EtherChannel? EtherChannel is a link aggregation technology used primarily on Cisco switches. It can bundle two to eight physical port of the same Ethernet media type and speed. All bundled ports must have similar configuration. EtherChannel can be used to increase bandwidth, provide redundancy and load balance traffic EtherChannel Negotiation Protocols Cisco supports…

Configuring VLAN Access Control Lists (VACL)

about 2 years ago - 30211 comments2010-09-27+14%3A10%3A27Arsalan+A.+Suzuki

What is VLAN Access Control Lists (VACL) used for? VLAN Access Control Lists (VACL) can be used to filter traffic within the same vlan Scenario Suppose a host is connected to VLAN 2 and we are required to drop all telnet traffic within VLAN 2. Configuration Make an access list to match telnet traffic Router(config)#access-list…

Cisco IOS Tips: Reload Command Explained

about 2 years ago - 247No comments2010-08-31+10%3A07%3A55Arsalan+A.+Suzuki

I guess the reload command is self explanatory. It reboots the router. Reload command can take two different kind of timer Execute at specific time or date (e.g at 11:00) Execute after certain number of minutes (e.g after 30mins) Note : The router clock must be set before the reload command can work properly. CLI…

Cisco IOS Tips: Display Interface The Smart Way

about 2 years ago - 238No comments2010-08-29+11%3A11%3A29Arsalan+A.+Suzuki

Use the following command to dsplay brief summary of interfaces Router#show ip interface brief Interface IP-Address OK? Method Status Protocol FastEthernet0/0 192.168.1.2 YES manual up up FastEthernet0/1 192.168.10.2 YES manual up up FastEthernet1/0 unassigned YES unset up down FastEthernet1/1 unassigned YES unset up down FastEthernet1/2 unassigned YES unset up down FastEthernet1/3 unassigned YES unset up…

Disable Password Recovery

about 2 years ago - 2153 commentsDisable+Password+Recovery2010-08-26+11%3A08%3A36Arsalan+A.+Suzuki

There are times when you may want to disable password recovery (for example if someone is working in high secure environment). Use the following command to disable password recovery Router(config)#no service password-recovery WARNING: Executing this command will disable password recovery mechanism. Do not execute this command without another plan for password recovery. Are you sure…

Configuring DHCP Snooping

What is DHCP Snooping

Configuring DHCP Snooping

Verifying Configuration

Summary

About the author

No comments yet.

No trackbacks yet.

Basic Frame Relay Configuration

Ping Multiple Addresses Using TCL Script Part 2

Ping Multiple Addresses Using TCL Script Part 1

Enable Telnet Access on Cisco Router

Cisco ūmi Home Telepresence on Your TV Set

Configuring Port Aggregation with EtherChannel

Configuring VLAN Access Control Lists (VACL)

Cisco IOS Tips: Reload Command Explained

Cisco IOS Tips: Display Interface The Smart Way

Disable Password Recovery

Search

About this Blog