DHCP Snooping
- DHCP Snooping inspects DHCP packets to prevent networking problems and attacks from rogue DHCP servers
  - It compares addresses against the DHCP Snooping binding table
  - The binding table records the client's MAC address, IP address, IP lease time, VLAN and interface
  - DAI (Dynamic ARP Inspection) also uses the snooping table in its frame validation
- It identifies ports as Trusted or Untrusted
  - Trusted ports forward all DHCP messages without inspection
  - Untrusted ports have every DHCP message inspected:
    - Discard DHCP server messages (OFFER, ACK, NAK)
    - Inspect DHCP client messages
      - Forward messages that match the information in the DHCP snooping table, and discard messages that don't match
      - Discover/Request DHCP messages
        - Check that the frame's source MAC and the DHCP message's CHADDR (Client Hardware Address, i.e. the client's MAC address) fields match
      - Release/Decline DHCP messages
        - Check that the source IP and the receiving interface match the entry in the binding table
- Rate Limiting
  - Automatically disables interfaces that send more DHCP messages than a configured threshold
  - Error-disabled interfaces can be manually or automatically returned to service
- DHCP Option 82 (aka the relay agent information option)
  - Optional, and only sent by DHCP relay agents on messages they forward to the DHCP server
  - Provides information about which relay agent is forwarding the message, the VLAN, interface, etc.
  - By default, DHCP Snooping tags all messages from clients with Option 82
  - However, Layer 2 switches drop incoming DHCP packets with Option 82 on untrusted ports by default
  - Similarly, Cisco routers acting as DHCP server will drop them (relay information option present, but giaddr is zero)
  - Error message keywords:
    inconsistent relay information
    relay information option exists, but giaddr is zero
  - It is therefore important to disable Option 82 when configuring DHCP Snooping
    config# no ip dhcp snooping information option
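Added example, not code from these notes or from Cisco: a small Python parser for the DHCP/BOOTP fixed header and option area, with two checks that mirror the Option 82 behaviour described above (a Layer 2 switch dropping Option 82 on an untrusted port, and a DHCP server rejecting a packet that carries relay information while giaddr is 0.0.0.0). The packets, MAC address and Option 82 sub-option values are constructed for the example; the function names are my own.

```python
import struct
from dataclasses import dataclass, field

BOOTREQUEST = 1
MAGIC_COOKIE = b"\x63\x82\x53\x63"                  # marks the start of DHCP options
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT_INFO, OPT_END = 0, 53, 82, 255
DHCPDISCOVER = 1


@dataclass
class DhcpMessage:
    op: int
    xid: int
    ciaddr: str
    yiaddr: str
    giaddr: str          # relay agent address; 0.0.0.0 when no relay touched the packet
    chaddr: str          # client hardware address as colon-separated hex
    options: dict = field(default_factory=dict)   # option code -> raw value bytes


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_dhcp(packet: bytes) -> DhcpMessage:
    """Parse the 236-byte BOOTP fixed header plus the TLV option area (RFC 2131 layout)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", packet[:12])
    ciaddr, yiaddr, giaddr = packet[12:16], packet[16:20], packet[24:28]
    chaddr = packet[28:28 + hlen]
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return DhcpMessage(op, xid, _ip(ciaddr), _ip(yiaddr), _ip(giaddr), chaddr.hex(":"), options)


def switch_untrusted_port_check(msg: DhcpMessage, port_trusted: bool):
    """Layer 2 switch default: Option 82 is only acceptable on a trusted port."""
    if not port_trusted and OPT_RELAY_AGENT_INFO in msg.options:
        return False, "DHCP packet with Option 82 on untrusted port dropped"
    return True, "accepted"


def dhcp_server_relay_check(msg: DhcpMessage):
    """Server-side check behind the 'giaddr is zero' error message in the notes."""
    if OPT_RELAY_AGENT_INFO in msg.options and msg.giaddr == "0.0.0.0":
        return False, "relay information option exists, but giaddr is zero"
    return True, "accepted"


def build_dhcp(op, xid, chaddr, msg_type, giaddr=b"\x00\x00\x00\x00", relay_info=None):
    """Build a minimal DHCP packet (constructed test input, not a real capture)."""
    fixed = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)   # htype=Ethernet, hlen=6
    fixed += b"\x00" * 12 + giaddr                  # ciaddr, yiaddr, siaddr, then giaddr
    fixed += chaddr.ljust(16, b"\x00")              # chaddr field is 16 bytes
    fixed += b"\x00" * (64 + 128)                   # sname and file, unused here
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if relay_info is not None:
        opts += bytes([OPT_RELAY_AGENT_INFO, len(relay_info)]) + relay_info
    return fixed + MAGIC_COOKIE + opts + bytes([OPT_END])


# Constructed Option 82 payload: sub-option 1 (circuit ID) and sub-option 2 (remote ID)
RELAY_INFO = bytes([1, 4, 0, 10, 1, 5]) + bytes([2, 6]) + bytes.fromhex("001c0fabcdef")
CLIENT_MAC = bytes.fromhex("001122334455")

PLAIN = build_dhcp(BOOTREQUEST, 0x1234, CLIENT_MAC, DHCPDISCOVER)
TAGGED = build_dhcp(BOOTREQUEST, 0x1234, CLIENT_MAC, DHCPDISCOVER, relay_info=RELAY_INFO)
RELAYED = build_dhcp(BOOTREQUEST, 0x1234, CLIENT_MAC, DHCPDISCOVER,
                     giaddr=bytes([10, 0, 10, 1]), relay_info=RELAY_INFO)

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("tagged", TAGGED), ("relayed", RELAYED)):
        m = parse_dhcp(pkt)
        print(name, m.chaddr, m.giaddr,
              switch_untrusted_port_check(m, False), dhcp_server_relay_check(m))
```

The TAGGED packet is what a snooping switch with the information option left enabled would hand to the server: Option 82 present but giaddr still zero, so both checks reject it, while the RELAYED packet (giaddr set by a real relay agent) passes the server-side check.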
DHCP Operations
DORA: DHCP Operations Order
- Discover: DHCP Discover (Client, Broadcast)
- Offer: DHCP Offer (Server, Unicast/Broadcast)
- Request: DHCP Request (Client, Broadcast)
- Ack: DHCP Ack (Server, Unicast/Broadcast)
DHCP Server messages
- OFFER
  - Initial response to a client request
- ACK
  - Provisioning of IP address and DHCP information
- NAK
  - Declines a client's request for provisioning
  - Opposite of an ACK
DHCP Client Messages
- DISCOVER
  - Initial packet searching for a DHCP server
- REQUEST
  - IP address/DHCP information provisioning request
- RELEASE
  - Release of a leased IP address
- DECLINE
  - Decline of an IP address offered by a server
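Added example, not code from these notes or from Cisco: a toy Python switch that applies the Trusted/Untrusted rules from the DHCP Snooping section (server messages discarded on untrusted ports, CHADDR vs source MAC on Discover/Request, source IP and interface vs binding table on Release/Decline, rate limiting with err-disable and recovery) and runs the DORA exchange above through it so the binding table is populated from the ACK. Port names, MAC and IP addresses, the 5 messages-per-second limit and the message ordering are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MSGS = {OFFER, ACK, NAK}           # legitimate only from a trusted port


@dataclass(frozen=True)
class Frame:
    interface: str            # receiving switch port
    vlan: int
    src_mac: str              # Ethernet source address
    src_ip: str               # IP source address
    msg_type: int             # DHCP message type (option 53)
    chaddr: str               # DHCP client hardware address field
    yiaddr: str = "0.0.0.0"   # address offered/assigned by the server
    lease: int = 0            # lease time in seconds (ACK only)


@dataclass
class Binding:                # one row of the DHCP snooping binding table
    mac: str
    ip: str
    lease: int
    vlan: int
    interface: str


class SnoopingSwitch:
    def __init__(self, trusted_ports, rate_limit=None):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit     # DHCP messages per second allowed per untrusted port
        self.bindings = {}               # client MAC -> Binding
        self.pending = {}                # client MAC -> (interface, vlan) awaiting an ACK
        self.errdisabled = set()
        self._pps = defaultdict(int)     # (interface, whole second) -> message count

    def process(self, f: Frame, now: float = 0.0):
        """Return (forwarded, reason) for one DHCP frame and update the switch state."""
        if f.interface in self.errdisabled:
            return False, "interface is err-disabled"
        if f.interface in self.trusted:
            # Trusted port: no inspection, but an ACK completes a binding for the client port
            if f.msg_type == ACK and f.chaddr in self.pending:
                port, vlan = self.pending.pop(f.chaddr)
                self.bindings[f.chaddr] = Binding(f.chaddr, f.yiaddr, f.lease, vlan, port)
            return True, "trusted port: forwarded without inspection"
        if self.rate_limit is not None:
            key = (f.interface, int(now))
            self._pps[key] += 1
            if self._pps[key] > self.rate_limit:
                self.errdisabled.add(f.interface)
                return False, "rate limit exceeded: interface err-disabled"
        if f.msg_type in SERVER_MSGS:
            return False, "server message on untrusted port discarded"
        if f.msg_type in (DISCOVER, REQUEST):
            if f.src_mac != f.chaddr:
                return False, "CHADDR does not match frame source MAC"
            self.pending[f.chaddr] = (f.interface, f.vlan)
            return True, "client message matches, forwarded"
        if f.msg_type in (RELEASE, DECLINE):
            b = next((b for b in self.bindings.values() if b.ip == f.src_ip), None)
            if b is None or b.interface != f.interface:
                return False, "source IP/interface do not match binding table"
            if f.msg_type == RELEASE:
                del self.bindings[b.mac]
            return True, "release/decline matches binding, forwarded"
        return False, "unknown DHCP message type"

    def recover(self, interface):
        """errdisable recovery, whether manual or timer-driven."""
        self.errdisabled.discard(interface)


SERVER, CLIENT, OTHER = "00:0c:29:aa:aa:aa", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"


def run_scenario():
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"}, rate_limit=5)
    results = []

    def step(label, frame, now=0.0):
        ok, why = sw.process(frame, now)
        results.append((label, ok, why))

    # DORA: client on Gi0/2, server behind the trusted port Gi0/1
    step("discover", Frame("Gi0/2", 10, CLIENT, "0.0.0.0", DISCOVER, CLIENT))
    step("offer", Frame("Gi0/1", 10, SERVER, "10.0.10.1", OFFER, CLIENT, "10.0.10.50"))
    step("request", Frame("Gi0/2", 10, CLIENT, "0.0.0.0", REQUEST, CLIENT))
    step("ack", Frame("Gi0/1", 10, SERVER, "10.0.10.1", ACK, CLIENT, "10.0.10.50", 86400))
    snapshot = dict(sw.bindings)                      # binding table after the ACK
    # OFFER arriving on an untrusted port, a DISCOVER whose CHADDR disagrees with the
    # Ethernet source, and a RELEASE for the lease arriving on the wrong port
    step("untrusted offer", Frame("Gi0/3", 10, OTHER, "10.0.10.254", OFFER, CLIENT, "10.0.10.99"))
    step("chaddr mismatch", Frame("Gi0/3", 10, OTHER, "0.0.0.0", DISCOVER, CLIENT))
    step("release wrong port", Frame("Gi0/3", 10, CLIENT, "10.0.10.50", RELEASE, CLIENT))
    step("release", Frame("Gi0/2", 10, CLIENT, "10.0.10.50", RELEASE, CLIENT))
    # six DISCOVERs within one second on Gi0/4 exceed the 5 pps limit; then recovery
    for i in range(6):
        step(f"burst {i}", Frame("Gi0/4", 10, OTHER, "0.0.0.0", DISCOVER, OTHER), now=7.2)
    sw.recover("Gi0/4")
    step("after recovery", Frame("Gi0/4", 10, OTHER, "0.0.0.0", DISCOVER, OTHER), now=9.0)
    return sw, results, snapshot


if __name__ == "__main__":
    for label, ok, why in run_scenario()[1]:
        print(f"{label:20} {'FORWARD' if ok else 'DROP':8} {why}")
```

The binding's interface is the client's own port, not the server-facing one, which is why the switch remembers where the Discover/Request came in and fills the row only when the matching ACK returns through the trusted port; that row is what the later Release check (and DAI) is compared against.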
DHCP Snooping config
- Enable DHCP snooping globally
  config# ip dhcp snooping
- Assign a VLAN to be snooped
  config# ip dhcp snooping vlan <vlan ID>
- Disable the DHCP snooping information option (Option 82)
  config# no ip dhcp snooping information option
- Trust the server-facing interface
  config-if# ip dhcp snooping trust
- Check the DHCP snooping binding table
  # show ip dhcp snooping binding
- Configure DHCP rate limiting on the untrusted interfaces
  config-if-range# ip dhcp snooping limit rate <allowed messages per second>
- Configure errdisable recovery
  config# errdisable recovery cause dhcp-rate-limit
  # show errdisable recovery
Sources
Configuring DHCP Snooping - Cisco Systems