9 out of 10 network administrators agree – Rogue DHCP Servers suck! Stop them with this powerful, straightforward capability on Cisco Catalyst switches. This post assumes you understand the theory behind this security feature as taught in Cisco CCNP curriculums. Need a refresher – click right here.
Let us examine the configuration on a Cat 3560. First, enable the feature globally:
Cat4(config)#ip dhcp snooping
Next, configure the feature on the VLAN you are interested in protecting:
Cat2(config)#ip dhcp snooping vlan 10
In order to instruct the DHCP snooping feature that you have a legitimate DHCP server out of the Fa0/23 interface, mark the port as trusted:
Cat2(config)#int fa0/23
Cat2(config-if)#ip dhcp snooping trust
Verification? It could not be easier! How about:
Cat2#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
   Verification of hwaddr field is enabled
   Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Rate limit (pps)
-----------------------    -------    ----------------
FastEthernet0/23           yes        unlimited
Here we are ensuring that the feature is enabled, configured for the appropriate VLAN, and that the feature is operational on the correct VLAN. Finally, ensure the correct interface is trusted.
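Those four checks are easy to script when you have many switches to audit. The following is an added example (not code from the post or from Cisco): it parses the text of show ip dhcp snooping and reports which of the four expectations fail for a given VLAN and server port. SAMPLE is the post's output re-typed, not captured from a live device; the expand_vlans helper is an assumption that handles the comma-and-range VLAN lists IOS prints.

```python
import re

# Constructed sample: the post's "show ip dhcp snooping" output re-typed,
# not captured from a live switch.
SAMPLE = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Rate limit (pps)
-----------------------    -------    ----------------
FastEthernet0/23           yes        unlimited
"""

def expand_vlans(text):
    """Turn an IOS VLAN list such as '10,20-22' into {10, 20, 21, 22}."""
    vlans = set()
    for part in re.findall(r"\d+(?:-\d+)?", text):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_snooping(output):
    """Pull the facts the post verifies out of 'show ip dhcp snooping'."""
    lines = output.splitlines()
    def vlans_after(header):  # IOS prints the VLAN list on the line after the header
        for i, ln in enumerate(lines):
            if ln.startswith(header) and i + 1 < len(lines):
                return expand_vlans(lines[i + 1])
        return set()
    # Interface table rows: "<name>  yes|no  <more columns>"; extra columns tolerated
    trusted = {m.group(1): m.group(2) == "yes"
               for m in re.finditer(r"^(\S+)\s+(yes|no)(?:\s+\S+)+\s*$", output, re.M)}
    return {"enabled": "Switch DHCP snooping is enabled" in output,
            "configured": vlans_after("DHCP snooping is configured on following VLANs"),
            "operational": vlans_after("DHCP snooping is operational on following VLANs"),
            "trusted": trusted}

def check_snooping(output, vlan, server_port):
    """Return the problems found; an empty list means all four checks pass."""
    s = parse_snooping(output)
    checks = [(s["enabled"], "DHCP snooping is not enabled globally"),
              (vlan in s["configured"], f"VLAN {vlan} is not configured for snooping"),
              (vlan in s["operational"], f"VLAN {vlan} is not operational"),
              (s["trusted"].get(server_port, False), f"{server_port} is not trusted")]
    return [msg for ok, msg in checks if not ok]
```

Feed it the captured output of each switch and a non-empty list tells you which step of the configuration above is missing.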
Are you called upon to do something outside the scope of this basic configuration in your lab exam? Well, then it is time to hit the documentation on this feature. Follow this path to acquire it:
Cisco.com – Support – Switches – 3560 – Configuration Guides – Catalyst 3560 Software Configuration Guide, Release 12.2(58)SE – Configuring DHCP Features and IP Source Guard
Anthony Sequeira CCIE, CCSI