The Configuration of DHCP Snooping

By Anthony Sequeira on December 28th, 2011

9 out of 10 network administrators agree – Rogue DHCP Servers suck! Stop them with this powerful, straightforward capability on Cisco Catalyst switches. This post assumes you understand the theory behind this security feature as taught in Cisco CCNP curriculums. Need a refresher – click right here.

Let us examine the configuration on a Cat 3560. First, enable the feature globally:

Cat2(config)#ip dhcp snooping

Next, configure the feature on the VLAN you are interested in protecting:

Cat2(config)#ip dhcp snooping vlan 10

In order to instruct the DHCP snooping feature that you have a legitimate DHCP server out of the Fa0/23 interface, mark the port as trusted:

Cat2(config)#int fa0/23
Cat2(config-if)#ip dhcp snooping trust

Verification? It could not be easier! How about:

Cat2#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id format: vlan-mod-port
remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/23             yes         unlimited

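Here we are confirming that the feature is enabled globally, that it is configured for the appropriate VLAN, and that it is operational on that VLAN. Finally, confirm that the correct interface is trusted. Every other port in the VLAN is untrusted by default, so DHCP server messages arriving on those ports are dropped.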
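The same checks can be scripted when there are many switches to review. The following is an added example, not code from the original post: a Python parser for the "show ip dhcp snooping" output above that reports a disabled feature, a VLAN that is missing or not operational, and any trusted port outside the expected set. The function names and the handling of VLAN ranges such as 20-22 are assumptions; the sample text is the post's own output, trimmed to the lines the checks read.

```python
import re

# Output from the post (Cat2), trimmed to the lines the checks below read.
SAMPLE = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/23             yes         unlimited
"""

def vlans(line):
    # Expand '10,20-22' to {10, 20, 21, 22}; the range form is an assumption.
    pairs = [p.partition("-") for p in line.replace(" ", "").split(",") if p]
    return {v for lo, _, hi in pairs for v in range(int(lo), int(hi or lo) + 1)}

def parse(text):
    s = {"enabled": False, "configured": set(), "operational": set(), "trusted": set()}
    section = None
    for line in map(str.strip, text.splitlines()):
        head = re.match(r"DHCP snooping is (configured|operational) on following VLANs:", line)
        port = re.fullmatch(r"(\S+)\s+(yes|no)\s+\S+", line)
        if line.startswith("Switch DHCP snooping is"):
            s["enabled"] = line.endswith("is enabled")
        elif head:
            section = head.group(1)
        elif section and re.fullmatch(r"\d[\d,\- ]*", line):
            s[section] |= vlans(line)
        else:
            section = None  # any other line ends a VLAN list
            if port and port.group(2) == "yes":
                s["trusted"].add(port.group(1))
    return s

def audit(text, want_vlans, want_trusted):
    """Return findings; an empty list means every check in the post passes."""
    s = parse(text)
    out = [] if s["enabled"] else ["snooping is not enabled globally"]
    out += [f"VLAN {v} not configured" for v in sorted(want_vlans - s["configured"])]
    out += [f"VLAN {v} not operational" for v in sorted(want_vlans - s["operational"])]
    out += [f"{i} should be trusted" for i in sorted(want_trusted - s["trusted"])]
    out += [f"{i} trusted unexpectedly" for i in sorted(s["trusted"] - want_trusted)]
    return out

if __name__ == "__main__":
    print(audit(SAMPLE, {10}, {"FastEthernet0/23"}))
```

An unexpected trusted port is the finding to act on first, because a DHCP server attached there is not filtered.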

Are you called upon to do something outside the scope of this basic configuration in your lab exam? Well then it is time to hit the documentation on this feature. Follow this path to acquire it:

Cisco.com – Support – Switches – 3560 – Configuration Guides – Catalyst 3560 Software Configuration Guide, Release 12.2(58)SE – Configuring DHCP Features and IP Source Guard

Anthony Sequeira CCIE, CCSI
Twitter: @compsolv
Facebook: http://www.facebook.com/compsolv


    Tags: CCIE, dhcp, layer 2, practice, snooping

    2 Responses to “The Configuration of DHCP Snooping”

    1. Edson Soares says:

      Straight to the point.
      Thank you.

    2. Dendriel says:

      Thanks for the explanation!
