CHAPTER
33-1
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
33
Configuring DHCP Snooping and IP Source Guard
This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping and IP
source guard on the Catalyst 6500 series switches.
This chapter consists of these sections:
• Understanding How DHCP Snooping Works, page 33-1
• Configuring DHCP Snooping on a VLAN, page 33-2
• Specifying the DHCP-Snooping Binding Limit on a Per-Port Basis, page 33-11
• Specifying the DHCP-Snooping IP Address-to-MAC Address Binding on a Per-Port Basis,
page 33-12
• Displaying DHCP-Snooping Information, page 33-12
• Storing DHCP-Snooping Binding Entries to a Flash Device, page 33-15
• Understanding How IP Source Guard Works, page 33-16
• Enabling IP Source Guard on a Port, page 33-17
• Displaying the IP Source Guard Information, page 33-18
Note For complete syntax and usage information for the switch commands that are used in this chapter, refer
to the Catalyst 6500 Series Switch Command Reference and related publications at
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/8.x/command/reference/cmd_ref.ht
ml
Understanding How DHCP Snooping Works
DHCP snooping provides the security against the Denial-Of-Service (DoS) attacks that are launched
using the DHCP messages by filtering the DHCP packets and building and maintaining a
DHCP-snooping binding table. DHCP snooping uses both trusted and untrusted ports.
The DHCP packets that are received from a trusted port are forwarded without validation. Typically, the
trusted ports are used to reach a DHCP server or relay agent. When the switch receives the DHCP packets
from an untrusted port, DHCP snooping validates that only the DHCP packets from the clients are
allowed and verifies that no spoofing of information is occurring.
To Next Page
Loading...
Need help?
General