
Aug 21

DHCP Snooping on Cisco Catalyst Switch


DHCP snooping acts like a firewall between untrusted hosts and trusted DHCP servers. DHCP snooping performs the following activities:

• Validates DHCP messages received from untrusted sources and filters out invalid messages.

• Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.

• Uses the DHCP snooping binding database to validate subsequent requests from untrusted hosts.


DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs.

Note: For DHCP snooping to function properly, all DHCP servers must be connected to the device through trusted interfaces.


Dynamic ARP inspection (DAI) and IP Source Guard also use information stored in the DHCP snooping binding database.

Configuration example:

conf t
! enable snooping on the VLAN(s) to protect; it stays off on all other VLANs
ip dhcp snooping vlan 661
! persist the binding database to flash so bindings survive a reload
ip dhcp snooping database flash:/dhcp-snooping.db
! turn the feature on globally (the per-VLAN command alone does nothing)
ip dhcp snooping
! the port facing the DHCP server must be trusted and must sit in a snooped VLAN
interface FastEthernet0/1
 switchport access vlan 661
 switchport mode access
 ip dhcp snooping trust
end
wr mem
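A common mistake with this setup is to mark a port as trusted while its VLAN is not in the `ip dhcp snooping vlan` list, which leaves that trust setting without effect. The following Python audit script is an added example (not from the original post): it parses a Catalyst running-config and reports the global state, the snooped VLANs, the trusted ports, and any trusted access port whose VLAN is not covered. The config text is constructed for illustration, not taken from a real device.

```python
import re

# Constructed sample config (not from a real device): FastEthernet0/1 is
# trusted but sits in VLAN 10, which snooping does not cover.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 661,700-702
ip dhcp snooping database flash:/dhcp-snooping.db
ip dhcp snooping
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 ip dhcp snooping trust
interface GigabitEthernet0/1
 switchport mode trunk
 ip dhcp snooping trust
"""

def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '661,700-702' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_dhcp_snooping(config):
    """Flag trusted access ports whose VLAN is not covered by snooping."""
    snooped, ifaces, globally_on, cur = set(), [], False, None
    for line in config.splitlines():
        if line.startswith(" ") and cur is not None:  # interface sub-command
            m = re.match(r"\s*switchport access vlan (\d+)$", line)
            if m:
                cur["vlan"] = int(m.group(1))
            elif line.strip() == "ip dhcp snooping trust":
                cur["trust"] = True
            continue
        cur = None  # any top-level line ends the interface block
        m = re.match(r"ip dhcp snooping vlan (\S+)$", line)
        if m:
            snooped |= parse_vlan_list(m.group(1))
        elif line == "ip dhcp snooping":
            globally_on = True
        elif line.startswith("interface "):
            cur = {"name": line.split()[1], "vlan": None, "trust": False}
            ifaces.append(cur)
    trusted = [i["name"] for i in ifaces if i["trust"]]
    bad = [i["name"] for i in ifaces
           if i["trust"] and i["vlan"] is not None and i["vlan"] not in snooped]
    return {"global": globally_on, "vlans": snooped,
            "trusted": trusted, "ineffective_trust": bad}
```

Trunk ports carry no access VLAN, so the script only checks access ports; run `audit_dhcp_snooping(open("running-config.txt").read())` on a saved `show running-config` to audit a real switch.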



To verify DHCP snooping, use the following commands:

show ip dhcp snooping
show ip dhcp snooping binding



You can remove entries from the binding database by using:

clear ip dhcp snooping binding



More information about DHCP snooping configuration can be found here:
