Filter
Top Products
Dynamic Host Configuration Protocol | 323
When DHCP Snooping is enabled, the relay agent builds a binding table—using DHCPACK messages—
containing the client MAC address, IP addresses, IP address lease time, port, VLAN ID, and binding type.
Every time the relay agent receives a DHCPACK on an trusted port, it adds an entry to the table.
The relay agent then checks all subsequent DHCP client-originated IP traffic (DHCPRELEASE,
DHCPNACK, and DHCPDECLINE) against the binding table to ensure that the MAC-IP address pair is
legitimate, and that the packet arrived on the correct port; packets that do not pass this check are forwarded
to the the server for validation. This check-point prevents an attacker from spoofing a client and declining
or releasing the real client’s address. Server-originated packets (DHCPOFFER, DHCPACK,
DHCPNACK) that arrive on an untrusted port are also dropped. This check-point prevents an attacker
from impostering as a DHCP server to facilitate a man-in-the-middle attack.
Binding table entries are deleted when a lease expires, or the relay agent encounters a DHCPRELEASE,
DHCPNACK, DHCPDECLINE.
Enable DCHP snooping
FTOS Behavior: Introduced in FTOS version 7.8.1.0, DHCP Snooping was available for Layer 3 only
and dependent on DHCP Relay Agent (ip helper-address). FTOS version 8.2.1.0 extends DHCP
Snooping to Layer 2, and you do not have to enable relay agent to snoop on Layer 2 interfaces.
FTOS Behavior: Binding table entries are deleted when a lease expires or when the relay agent
encounters a DHCPRELEASE. Starting with FTOS Release 8.2.1.2, line cards maintain a list of
snooped VLANs. When the binding table is exhausted, DHCP packets are dropped on snooped
VLANs, while these packets are forwarded across non-snooped VLANs. Since DHCP packets are
dropped, no new IP address assignments are made. However, DHCPRELEASE and DHCPDECLINE
packets are allowed so that the DHCP snooping table can decrease in size. Once the table usage falls
below the maximum limit of 4000 entries, new IP address assignments are allowed.
q
FTOS Behavior: In 8.2.1 releases, ip dhcp snooping trust was required on the port-channel interface
as well as on channel members. In subsequent releases, it is no longer necessary nor permitted to
configure port-channel members as trusted; configuring the port-channel interface alone as trusted is
sufficient, and ports must have the default configuration to be a channel members. When upgrading
from 8.2.1 releases, the channel-member configurations are applied first, so when the port-channel is
configured, its membership configuration is rejected, since the member ports no longer have the
default configuration. In this case, you must manually remove ip dhcp snooping trust on the channel
members add the ports to the port-channel.
Note: DHCP server packets will be dropped on all untrusted interfaces of a system configured for DHCP
snooping. To prevent these packets from being dropped, configure ip dhcp snooping trust on the
server-connected port.
Step Task Command Syntax Command Mode
1 Enable DHCP Snooping globally.
ip dhcp snooping
CONFIGURATION
2 Specify ports connected to DHCP servers as trusted.
ip dhcp snooping trust
INTERFACE
3 Enable DHCP Snooping on a VLAN.
ip dhcp snooping vlan
CONFIGURATION