Filter
Top Products
45-2
Software Configuration Guide—Release 15.0(2)SG
OL-23818-01
Chapter 45 Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts
About DHCP Snooping
The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type,
VLAN number, and interface information that corresponds to the local untrusted interfaces of a switch;
it does not contain information regarding hosts interconnected with a trusted interface. An untrusted
interface is an interface that is configured to receive messages from outside the network or firewall. A
trusted interface is an interface that is configured to receive only messages from within the network.
DHCP snooping acts such as a firewall between untrusted hosts and DHCP servers. It also gives you a
way to differentiate between untrusted interfaces connected to the end-user and trusted interfaces
connected to the DHCP server or another switch.
Note In order to enable DHCP snooping on a VLAN, you must enable DHCP snooping on the switch.
You can configure DHCP snooping for switches and VLANs. When you enable DHCP snooping on a
switch, the interface acts as a Layer 2 bridge, intercepting and safeguarding DHCP messages going to a
Layer 2 VLAN. When you enable DHCP snooping on a VLAN, the switch acts as a Layer 2 bridge
within a VLAN domain.
This section includes these topics:
• Trusted and Untrusted Sources, page 45-2
• About the DHCP Snooping Database Agent, page 45-2
• Option 82 Data Insertion, page 45-4
Trusted and Untrusted Sources
The DHCP snooping feature determines whether traffic sources are trusted or untrusted. An untrusted
source may initiate traffic attacks or other hostile actions. To prevent such attacks, the DHCP snooping
feature filters messages and rate-limits traffic from untrusted sources.
In an enterprise network, devices under your administrative control are trusted sources. These devices
include the switches, routers and servers in your network. Any device beyond the firewall or outside your
network is an untrusted source. Host ports are generally treated as untrusted sources.
In a service provider environment, any device that is not in the service provider network is an untrusted
source (such as a customer switch). Host ports are untrusted sources.
In the Catalyst 4500 series switch, you indicate that a source is trusted by configuring the trust state of
its connecting interface.
The default trust state of all interfaces is untrusted. You must configure DHCP server interfaces as
trusted. You can also configure other interfaces as trusted if they connect to devices (such as switches or
routers) inside your network. You usually do not configure host port interfaces as trusted.
Note For DHCP snooping to function properly, all DHCP servers must be connected to the switch through
trusted interfaces, as untrusted DHCP messages will be forwarded only to trusted interfaces.
About the DHCP Snooping Database Agent
To retain the bindings across switch reloads, you must use the DHCP snooping database agent. Without
this agent, the bindings established by DHCP snooping are lost upon switch reload. Connectivity is lost
as well.