Many readers already know about DHCP Snooping, but many others are still unfamiliar with it. Here we give a detailed explanation of DHCP Snooping.
1 Introduction
DHCP Snooping is a DHCP security feature. It filters untrusted DHCP messages, that is, DHCP messages arriving from untrusted parts of the network, by creating and maintaining a DHCP Snooping binding table. For clients in untrusted areas, the binding table records the MAC address, IP address, lease period, VLAN ID, interface and other information.
When DHCP Snooping is enabled, the switch inspects DHCP packets and extracts and records the IP address and MAC address from the DHCP Request and DHCP Ack messages it receives. In addition, DHCP Snooping lets you mark each physical port as trusted or untrusted. A trusted port receives and forwards DHCP Offer packets normally, while an untrusted port discards any DHCP Offer packets it receives. In this way the switch blocks rogue DHCP servers and ensures that clients obtain their IP addresses only from the legitimate DHCP server.
Purpose:
1. The main function of DHCP Snooping is to isolate unauthorized DHCP servers by configuring untrusted ports.
2. It creates and maintains the DHCP Snooping binding table. The table is built from the IP address and MAC address in DHCP Ack packets, and entries can also be configured manually. This table is the basis for the related DAI (Dynamic ARP Inspection) and IP Source Guard features, which use it to decide whether an IP address or MAC address is valid and to restrict which users may connect to the network.
2 Configuration
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
Switch(config-if)# ip dhcp snooping limit rate 10
/* Limits the rate of DHCP packets on the interface. If the rate is exceeded, the interface is shut down. No limit is applied by default. */
Switch(config-if)# ip dhcp snooping trust
/* Makes the port a trusted port. A trusted port receives and forwards DHCP Offer packets normally and does not record IP-to-MAC bindings. Ports are untrusted by default. */
Switch# ip dhcp snooping binding 0009.3452.3ea4 vlan 7 192.168.10.5 interface gi1/0/10
/* Manually binds a static IP address to a MAC address. */
Switch(config)# ip dhcp snooping database tftp://10.1.1.1/dhcp_table
/* The binding table is lost on power loss, so choose a storage location: FTP, TFTP or flash. In this example dhcp_table is a file name, not a folder, and the file must be created manually beforehand. */
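As an added illustration, not taken from the original page or from any vendor's code, the following Python model follows the behaviour described in the introduction and the configuration above: server-side messages (Offer/Ack) are dropped on untrusted ports, a per-port packet limit shuts the port down, and an Ack arriving on a trusted port populates the binding table with the client's MAC, IP, VLAN, port and lease. The port names, MAC addresses and packet fields are constructed sample values.

```python
from collections import defaultdict

# Constructed model of the DHCP Snooping logic described above (not vendor code).
# Packet fields (type, port, chaddr, yiaddr, vlan, lease) and port names are made up.

SERVER_MSGS = {"OFFER", "ACK"}   # only legitimate when received on a trusted port


class DhcpSnooping:
    def __init__(self, trusted_ports, rate_limits=None):
        self.trusted = set(trusted_ports)
        self.rate_limits = rate_limits or {}   # port -> max DHCP packets per interval
        self.counts = defaultdict(int)
        self.shutdown = set()                  # ports disabled by the rate limit
        self.pending = {}                      # client MAC -> untrusted port of its request
        self.bindings = {}                     # client MAC -> binding table entry

    def process(self, pkt):
        """Return True if the switch forwards the packet, False if it drops it."""
        port = pkt["port"]
        if port in self.shutdown:
            return False
        self.counts[port] += 1
        limit = self.rate_limits.get(port)
        if limit is not None and self.counts[port] > limit:
            self.shutdown.add(port)            # 'ip dhcp snooping limit rate' exceeded
            return False
        if pkt["type"] in SERVER_MSGS and port not in self.trusted:
            return False                       # rogue DHCP server on an untrusted port
        if pkt["type"] in ("DISCOVER", "REQUEST") and port not in self.trusted:
            self.pending[pkt["chaddr"]] = port
        elif pkt["type"] == "ACK" and pkt["chaddr"] in self.pending:
            # A trusted server confirmed the lease: record MAC, IP, VLAN, port and lease
            self.bindings[pkt["chaddr"]] = {
                "ip": pkt["yiaddr"], "vlan": pkt["vlan"], "lease": pkt["lease"],
                "port": self.pending.pop(pkt["chaddr"])}
        return True


def demo():
    """Constructed traffic: one client, one rogue server, one port flooding DHCP."""
    sw = DhcpSnooping(trusted_ports={"Gi1/0/1"}, rate_limits={"Gi1/0/3": 2})
    mac = "0009.3452.3ea4"
    pkts = [
        {"type": "DISCOVER", "port": "Gi1/0/10", "chaddr": mac, "vlan": 10},
        {"type": "OFFER", "port": "Gi1/0/2", "chaddr": mac, "vlan": 10, "yiaddr": "10.9.9.9", "lease": 600},
        {"type": "OFFER", "port": "Gi1/0/1", "chaddr": mac, "vlan": 10, "yiaddr": "192.168.10.5", "lease": 86400},
        {"type": "REQUEST", "port": "Gi1/0/10", "chaddr": mac, "vlan": 10},
        {"type": "ACK", "port": "Gi1/0/1", "chaddr": mac, "vlan": 10, "yiaddr": "192.168.10.5", "lease": 86400},
    ] + [{"type": "DISCOVER", "port": "Gi1/0/3", "chaddr": f"aaaa.bbbb.000{i}", "vlan": 10} for i in range(3)]
    return sw, [sw.process(p) for p in pkts]   # forwarded flags; bindings are in sw.bindings
```

Running demo() shows the rogue Offer on Gi1/0/2 being dropped, the third burst packet shutting down Gi1/0/3, and a single binding for the client learned from the Ack on the trusted uplink.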