
How to configure DHCP Snooping on a Cisco Catalyst switch


A question was asked in the Tekcert forums regarding DHCP snooping configuration. After thinking about writing an in depth response, I decided to just write a full blown blog post.

Everything in this post has been tested in a lab environment with a Cisco 3550, Infoblox DHCP servers, a Netgear router as a "rogue" DHCP server, and a MacBook Pro as a client. The 3550 is configured with ip routing and a layer 3 interface on the subnet where the DHCP servers are located (10.0.10.0/24). VLAN 20 has been created on the 3550 with an interface IP address of 10.0.20.254/24. All the DHCP server configuration and helper addresses were tested and working prior to implementing DHCP snooping, to eliminate any doubt as to whether the DHCP snooping configuration itself is working or not. So, let's get started.

For DHCP snooping to work, you have to enable it globally. That is done with the following global configuration command:

Switch(config)#ip dhcp snooping

You also have to tell the switch which VLANs to monitor. In a production environment, this would be the client VLANs, not a transit VLAN that leads to the rest of the network. This is done with the following command:

Switch(config)#ip dhcp snooping vlan 20

At this point DHCP snooping is configured and enabled. There are several default settings that can be modified later, but those can be dealt with after we verify things are working. Here is the basic show command to verify DHCP snooping is working (specifically the top few lines):

Switch#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
20
DHCP snooping is operational on following VLANs:
20
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------

Once you verify DHCP snooping is working, you can verify DHCP lease information starts to populate the DHCP snooping binding table on the switch with the following command:

Switch#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
AA:2C:DD:09:D1:CD   10.0.20.28       28781       dhcp-snooping   20    FastEthernet0/13
Total number of bindings: 1

If you have a DHCP server plugged into a switch with DHCP snooping enabled, or if you have a layer 2 LAN port connected to an upstream switch where the DHCP server resides, you'll have to trust that port. To do this, enter the following command in interface configuration mode:

Switch(config-if)#ip dhcp snooping trust

Any DHCP responses that come from an untrusted port (all the other ports) will simply be dropped without any notification. To test this out, after this was all configured and working, I connected a Netgear router with DHCP enabled into another VLAN 20 access port on the 3550. I forced a DHCP request to be sent out by the client and nothing happened. No log messages or warnings, nothing. Just to be sure the rogue DHCP server was working, I disabled snooping and unplugged the 3550 uplink to the production network. The client received a 192.168.1.2 IP address immediately. I released the IP, reconfigured snooping and tested again. The client received an IP from the authorized DHCP server and nothing happened with the fake DHCP server port.

I wish the switch was smart enough to put the switch-port connected to the rogue DHCP server into err-disable mode, but at least it stops the unauthorized DHCP server from actually handing out IP leases.
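Because untrusted ports drop DHCP offers silently, a forgotten `ip dhcp snooping trust` on the port facing the real servers looks exactly like a rogue server being blocked: clients just stop getting leases. The Python script below is an added example (not part of the original post) that parses `show ip dhcp snooping` output and flags that mismatch; the sample output is constructed from this post's lab and assumes FastEthernet0/1 has been trusted as the layer 2 uplink and FastEthernet0/12 rate-limited.

```python
import re

# Constructed sample of 'show ip dhcp snooping', modelled on the output quoted in the post,
# assuming FastEthernet0/1 (uplink toward the DHCP servers) has been trusted.
SHOW_SNOOPING = """Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
20,30-31
DHCP snooping is operational on following VLANs:
20
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/1              yes         unlimited
FastEthernet0/12             no          15"""

def vlan_set(spec):
    """Expand an IOS VLAN list such as '20,30-31' into {20, 30, 31}."""
    out = set()
    for part in filter(None, spec.replace(" ", "").split(",")):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_snooping(text):
    """Pull the enabled flag, VLAN sets and trusted ports out of 'show ip dhcp snooping'."""
    def vlans(label):
        # The VLAN list follows the heading line, possibly after a blank line.
        m = re.search(label + r" on following VLANs:\s*\n\s*([\d,-]*)", text)
        return vlan_set(m.group(1)) if m else set()
    trusted = set(re.findall(r"^(\S+)\s+yes\s+\S+\s*$", text, re.M))
    return {"enabled": "Switch DHCP snooping is enabled" in text,
            "configured": vlans("configured"), "operational": vlans("operational"),
            "trusted": trusted}

def audit(show_text, client_vlan, uplinks):
    """Return findings; an empty list means the switch matches the post's design."""
    st = parse_snooping(show_text)
    issues = []
    if not st["enabled"]:
        issues.append("DHCP snooping is not enabled globally")
    if client_vlan not in st["operational"]:
        issues.append(f"VLAN {client_vlan} is not operational for snooping")
    for port in set(uplinks) - st["trusted"]:
        issues.append(f"{port} is untrusted: offers from the real DHCP servers will be dropped silently")
    for port in st["trusted"] - set(uplinks):
        issues.append(f"{port} is trusted but is not a known DHCP server or uplink port")
    return issues
```

Run `audit(SHOW_SNOOPING, 20, ["FastEthernet0/1"])` after a change window; any non-empty result is worth resolving before clients start renewing.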

This concludes the basic DHCP snooping configuration. For additional information regarding DHCP snooping configuration options, check out these links:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/relea...

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/12ew/conf...

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/na...

Also, for reference, here are the relevant parts of my 3550 lab configuration:

ip dhcp snooping
ip dhcp snooping vlan 20
!
interface FastEthernet0/1
 description Layer 3 uplink to production network
 no switchport
 ip address 10.0.10.253 255.255.255.0
 speed 100
 duplex full
!
interface FastEthernet0/12
 description Rogue DHCP server
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/13
 description Client
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
interface Vlan20
 ip address 10.0.20.254 255.255.255.0
 ip helper-address 10.0.10.106
 ip helper-address 10.0.10.107

One final thought. If you are rolling this out into production, be sure to do so during a change window and test a client DHCP request with ipconfig /release and ipconfig /renew to be sure it can get an IP address and it shows up in the binding table.

Disclaimer: This configuration was tested in a lab environment. If you use this configuration to modify a production environment, you do so at your own risk. The information in this post is provided as an example so you can custom tailor it to your own network. Don't blame me if this information is misused and causes an outage to production systems.

Good Luck!


Comments

Good post. Great refresher

Good post. Great refresher for my SWITCH test this weekend! :)

Thanks Adam!


Thanks. Good luck with the

Thanks. Good luck with the test!

Information option

I found out that sometimes you HAVE to disable the insertion of option 82 to get it working.

Not fair - you gave a hint!

That's cheating! You _told_ the switch where the rogue DHCP server was!

interface FastEthernet0/12
description Rogue DHCP server

But seriously - great post! Good that you actually verified it!

What if the switch itself is the DHCP server?

What if the core switch itself is acting as a DHCP server? So if you have a server on port g0/5 then you can just trust g0/5. But in the case of the switch running DHCP itself.... does anything else need to be done?

Thanks!

IOS version

Thanks for this post.

Which version of IOS are you running on your 3550 ?

I don't have snooping in my 12.1(12c)EA1

switch(config)#ip dhcp ?
conflict DHCP address conflict parameters
database Configure DHCP database agents
excluded-address Prevent DHCP from assigning certain addresses
limited-broadcast-address Use all 1's broadcast address
ping Specify ping parameters used by DHCP
pool Configure DHCP address pools
relay DHCP relay agent parameters
smart-relay Enable Smart Relay feature

switch#show version
Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I9Q3L2-M), Version 12.1(12c)EA1, RELEASE SOFTWARE (fc1)

Thank you Adam! this thing

Thank you Adam! this thing clears the air.

How to disable the access port from sending the DHCP request.

Hi, below is my query. Suppose 5 hosts a, b, c, d & e are connected to an L2 switch. The DHCP server is also connected to this switch. Now I want to block DHCP request messages sent by hosts a & b because they have VMs installed on them and while booting they get an IP assigned by DHCP. I don't want this to happen. Please suggest if we can achieve this.


port security

Assuming the layer 2 switch is a Cisco switch that supports port security and each of the hosts (a,b,c,d,e) are plugged into their own ports on the switch (not via a hub connected to a Cisco switch), you can use the Port Security feature to prevent multiple mac addresses from appearing on a port.

I'll see if I can throw together a port-security blog post soon, but here's a quick reference on how to do this:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/conf...

Hi Adam, Thanks for your

Hi Adam,

Thanks for your reply. However, I don't want to block the number of MAC addresses per port. I want to block DHCP request flow from ports a & b, i.e. only c, d & e should be able to send the DHCP request.


Here are some options

If you wish to control DHCP Requests being sent from the three hosts, here are three options off the top of my head:

1) If you have control over the hosts, simply disable DHCP Client services. This would prevent the DHCP Request from being sent in the first place.

2) Place the hosts you do not want to receive DHCP addresses in a different VLAN and subnet without any DHCP relay configuration on the VLAN interface.

3) Configure private VLANs and place the hosts you don't want to receive DHCP addresses in isolated ports. This solution may hinder other forms of communication, not just DHCP.

Let me know if this works.
