Friday, April 24, 2009

DHCP Snooping


DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It differentiates between untrusted interfaces connected to the end user and trusted interfaces connected to the DHCP server or another switch.

To enable it on a switch:

config#ip dhcp snooping
config#ip dhcp snooping vlan {n}

All DHCP servers must be connected to the switch through trusted interfaces. Hence the above config goes hand in hand with the following interface-level command on each port facing a DHCP server or an upstream switch:

config-if#ip dhcp snooping trust

Once DHCP snooping is enabled on a VLAN, all ports in that VLAN are treated as untrusted by default.
While a user port acquires an IP address via DHCP, the switch builds a database of MAC addresses and their associated IP addresses (the DHCP snooping binding database). From then on, when the switch receives a packet on an untrusted interface, it compares the source MAC address against the entry in the binding database. Normally the addresses match and the switch forwards the packet; if they don't, the switch drops it.

N.B. By default a switch inserts and removes DHCP relay information (the option-82 field) in the DHCP request messages it forwards to the DHCP server. Consequently it is necessary to enter the following command on the router interface that receives those relayed requests:

config-if#ip dhcp relay information trusted
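Putting the pieces above together, here is an added example configuration (constructed for this post, not the original author's) for a switch whose user ports sit in VLAN 10 with a single uplink to the router that relays DHCP. The VLAN number, interface names and the per-port rate limit are assumptions; the verification commands at the end show the trust state and the binding database the text describes.

```cisco
! ---- Access switch (constructed example) ----
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface GigabitEthernet0/24
 description Uplink to router / DHCP relay (trusted)
 switchport mode trunk
 ip dhcp snooping trust
!
interface range GigabitEthernet0/1 - 23
 description End-user ports (untrusted by default, no trust keyword)
 switchport mode access
 switchport access vlan 10
 ! Cap DHCP messages per second from a user port to limit starvation attempts
 ip dhcp snooping limit rate 10
!
! ---- Router acting as DHCP relay (constructed example) ----
interface Vlan10
 description Facing the access switch; accept option 82 inserted by the switch
 ip dhcp relay information trusted
!
! ---- Verification on the switch ----
! show ip dhcp snooping          (enabled VLANs, trusted interfaces, option-82 setting)
! show ip dhcp snooping binding  (MAC, IP, lease, VLAN and port learned per client)
```

If the router has many interfaces facing snooping switches, the global command ip dhcp relay information trust-all achieves the same result for all of them at once.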
