Chapter 9
| General Security Measures
DHCPv4 Snooping
– 339 –
ip dhcp snooping This command enables DHCP snooping globally. Use the no form to restore the
default setting.
Syntax
[no] ip dhcp snooping
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
â—† Network traffic may be disrupted when malicious DHCP messages are received
from an outside source. DHCP snooping is used to filter DHCP messages
received on an unsecure interface from outside the network or fire wall. When
DHCP snooping is enabled globally by this command, and enabled on a VLAN
interface by the ip dhcp snooping vlan command, DHCP messages received on
an untrusted interface (as specified by the no ip dhcp snooping trust
command) from a device not listed in the DHCP snooping table will be
dropped.
â—† When enabled, DHCP messages entering an untrusted interface are filtered
based upon dynamic entries learned via DHCP snooping.
â—† Table entries are only learned for trusted interfaces. Each entry includes a MAC
address, IP address, lease time, VLAN identifier, and port identifier.
â—† When DHCP snooping is enabled, the rate limit for the number of DHCP
messages that can be processed by the switch is 100 packets per second. Any
DHCP packets in excess of this limit are dropped.
â—† Filtering rules are implemented as follows:
â–
If global DHCP snooping is disabled, all DHCP packets are forwarded.
â–
If DHCP snooping is enabled globally, and also enabled on the VLAN where
the DHCP packet is received, all DHCP packets are forwarded for a trusted
port. If the received packet is a DHCP ACK message, a dynamic DHCP
snooping entry is also added to the binding table.
â–
If DHCP snooping is enabled globally, and also enabled on the VLAN where
the DHCP packet is received, but the port is not trusted, it is processed as
follows:
â–
If the DHCP packet is a reply packet from a DHCP server (including
OFFER, ACK or NAK messages), the packet is dropped.
To Next Page
Loading...
Need help?
General