882 Snooping and Inspecting Traffic
DHCP Snooping and VLANs
DHCP snooping forwards valid DHCP client messages received on non-
routing VLANs. The message is forwarded on all trusted interfaces in the
VLAN.
DHCP snooping can be configured on switching VLANs and routing VLANs.
When a DHCP packet is received on a routing VLAN, the DHCP snooping
application applies its filtering rules and updates the bindings database. If a
client message passes filtering rules, the message is placed into the software
forwarding path where it may be processed by the DHCP relay agent, the
local DHCP server, or forwarded as an IP packet.
DHCP Snooping Logging and Rate Limits
The DHCP snooping application processes incoming DHCP messages. For
DHCPRELEASE and DHCPDECLINE messages, the application compares
the receive interface and VLAN with the client interface and VLAN in the
bindings database. If the interfaces do not match, the application logs the
event and drops the message. For valid client messages, DHCP snooping
compares the source MAC address to the DHCP client hardware address.
When there is a mismatch, DHCP snooping drops the packet and generates a
log message if logging of invalid packets is enabled.
If DHCP relay co-exists with DHCP snooping, DHCP client messages are
sent to DHCP relay for further processing.
To prevent DHCP packets from being used as a DoS attack when DHCP
snooping is enabled, the snooping application enforces a rate limit for DHCP
packets received on interfaces. DHCP rate limiting can be configured on both
trused and untrusted interfaces. DHCP snooping monitors the receive rate on
each interface separately. If the receive rate exceeds a configurable limit,
DHCP snooping diagnostically disables the interface. Administrative
intervention is necessary to enable the port, either by using the no shutdown
command in Interface Config mode or on the Switching
→
Ports
→
Port
Configuration page. Use the ip dhcp snooping limit none command to
disable diagnostic disabling of the port due to DHCP snooping.
To Next Page
Loading...
Need help?
General
